07-28-2014, 10:14 PM
// Advanced Hacking Techniques //
Contents:
- Intro
- Tools You Need
- Local File Inclusion (LFI) with Log Poisoning
- Cookie Poisoning
- Unrestricted File Upload and Filter Bypass
- Exploiting $_SERVER['PHP_SELF']
- Conclusion
// Intro //
Hello, @APPLEZ here. Some of you may know me as 0verlord, but you can call me either one. I've decided to share with you some of my personal favorite exploits. Enjoy!
As a web developer, you must be extremely careful as you code. If you forget to sanitize only one field or input on your site, it could be fatal. These are only a few of my favorite exploits; I find them very fun to accomplish. If you would like me to do a tutorial on any other exploits, please post below! Another noteworthy comment: if you do actually get a server shelled, and a website administrator deletes it, don't worry! Odds are, they don't even know how you got it there in the first place; a whopping 63% of website owners don't even know how you did it. Let's continue on, but please keep in mind that neither 0day.red nor I am responsible for what you do with this information; it's for educational purposes ONLY!
// Tools You Need //
- A VPN (not a free VPN; a VPN with NO LOGS)
// Local File Inclusion (With Log Poisoning) //
This is my favorite exploit, by far. The goal of this is to first find the path of the error log, generate an error within the server with a spoofed user agent containing your PHP payload, then finally access the log file so your PHP payload executes, allowing you to upload a shell, exploit kit, or simply deface the website. This will not work on all sites, if you're wondering. As always, details of this exploit will vary from site to site; not all sites have the same directories or log file names. Let's start by explaining the basics of LFI:
1) Find a vulnerable site
Here are a few LFI google dorks for you to get started:
Hidden Content
2) Test for vulnerability
You've found a site with a URL similar to this:
Hidden Content
You now need to edit the URL (after &file=) to look like this:
Hidden Content
If it is vulnerable, some of the page should be replaced with some text similar to this:
Hidden Content
You may ask yourself, "HOLY SHIT! WTF HAPPENED?!?!?" The answer is simple.
../ tells the server you want to move up one directory. You want to move all the way up to the root directory, so you may need to add many of those.
/etc/passwd is a file that at one time held the username and hashed password of every user on the system, but those days are gone. There's not much of a use for this file, except to test your LFI.
You now can read any file on the server! But unless there's a particularly juicy file on the server you want to see, it may seem that LFI is pretty damn useless. That is not the case.
3) Find an error log file
This step is vital to taking this exploit to the next level. An error log file may contain a person's IP, location, and user-agent, and may reveal additional vulnerabilities on the site. But for our purposes, we will inject the log file with a PHP payload.
Here are a few locations as to where it may be:
Hidden Content
After you find the log file, you're golden! All you must do now is generate an error, and spoof some of the data you send to the server. For this you'll be using tamper data.
4) Delivering the payload
I cannot tell you every detail on how to do this; it requires trial and error (hopefully error :D ). There are numerous ways to deliver an error to a site. I'll be using SQLi to throw an error, as an example. You will be needing Tamper Data, mentioned near the beginning of the thread.
Now, you have the SQLi vulnerability, but for this purpose we will not be exploiting it, just using it to create the error. Simply open Tamper Data, start the tamper, run your SQLied URL, and a pop-up box will appear. Click tamper. Now, in the user-agent field, replace your user-agent with your PHP payload. You can simply write a script to get cmd access, an upload script, or even your entire shell (I wouldn't recommend it though). Finally, tap that submit button, smoke a joint, and celebrate your success. The last step is to navigate to the log file once more, and your PHP payload should be executed.
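Added example, not code from the original post: the `include()` pattern that makes the walk-through above possible, beside a hardened version that maps the request parameter onto a fixed allowlist. The pages directory and page names are assumptions.

```php
<?php
// Added example (not from the original post). Assumed layout: page
// templates live in /var/www/app/pages/*.php and index.php picks one
// based on ?file=.

// VULNERABLE: whatever follows &file= goes straight into include().
// A traversal path resolves to files such as the web server's error log,
// and any PHP tags written into a log line (the User-Agent header is
// logged verbatim) are executed when that log is included.
function includePageVulnerable(string $file): void
{
    include $file;
}

// HARDENED: user input selects a key in an allowlist and never reaches
// the filesystem path itself.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested, string $baseDir = '/var/www/app/pages'): ?string
{
    // Only lowercase letters are valid page keys; this also throws out
    // "../", "%00" (NUL) and anything else meant to shape a path.
    if (preg_match('/^[a-z]{1,32}$/', $requested) !== 1) {
        return null;
    }
    if (!isset(PAGE_ALLOWLIST[$requested])) {
        return null;                       // unknown page: send a 404, never include()
    }
    $base = realpath($baseDir);
    $real = realpath($base . '/' . PAGE_ALLOWLIST[$requested]);
    // Defence in depth: even the mapped file must resolve inside $baseDir.
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage in index.php:
//   $page = resolvePage($_GET['file'] ?? 'home');
//   if ($page === null) { http_response_code(404); exit; }
//   include $page;
```

Log files should additionally live outside any directory the PHP process may include from (open_basedir), so that a second bug elsewhere cannot turn a poisoned log into code execution.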
// Cookie Poisoning //
Here is a 7 minute video to help explain what this is, and how to exploit it. Instead of using wtfever he's using on a very old Windows computer, you can use Live HTTP Headers and Tamper Data.
Basically, some websites store some information in your cookies, which should never be allowed client side. It's a fairly simple exploit, and takes some really noobish coding for a site to be vulnerable. This isn't limited to only changing fields in your cookie; you can also do SQLi and XSS, depending on the situation. With that being said, it's quite hard to tell you exactly what to do, since every website is most likely going to have different formats of cookies. Cookie poisoning is often overlooked; would you think someone could SQL inject your site with a mere cookie? If anyone needs additional information about this, feel free to post below with your question.
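Added example, not code from the original post: an authorization check that trusts a client-editable cookie field, beside an HMAC-signed cookie whose tampering the server detects. The simplest fix is to keep state server-side in `$_SESSION`; this shows the signing approach for when data has to travel in the cookie. Cookie name and secret are assumptions.

```php
<?php
// Added example (not from the original post). COOKIE_NAME and the secret
// are placeholders; generate the real secret with random_bytes(32).
const COOKIE_NAME   = 'session';
const SERVER_SECRET = 'replace-with-32-random-bytes';

// VULNERABLE: the role is whatever the client put in the cookie.
function isAdminVulnerable(array $cookies): bool
{
    return ($cookies['role'] ?? '') === 'admin';   // edit the cookie, become admin
}

// HARDENED: data travels with an HMAC over it. The client can read the
// value but cannot change it without the server secret.
function signCookieValue(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data));   // base64 never contains '.'
    $tag     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

function verifyCookieValue(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison; a plain === leaks timing information.
    if (!hash_equals($expected, $tag)) {
        return null;                        // tampered or forged: treat as logged out
    }
    $data = json_decode(base64_decode($payload, true), true);
    return is_array($data) ? $data : null;
}

function isAdminHardened(array $cookies, string $secret): bool
{
    $data = verifyCookieValue($cookies[COOKIE_NAME] ?? '', $secret);
    return $data !== null && ($data['role'] ?? '') === 'admin';
}

// Usage:
//   setcookie(COOKIE_NAME, signCookieValue(['uid' => 42, 'role' => 'user'], SERVER_SECRET),
//             ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
//   $verified = verifyCookieValue($_COOKIE[COOKIE_NAME] ?? '', SERVER_SECRET);
```

Even a verified cookie value is still input: if any field from it reaches a query, bind it through a prepared statement rather than concatenating it, since signing only proves the server wrote it, not that it is safe in every context.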
// Unrestricted File Upload and Filter Bypass //
Unrestricted file upload is just what it seems to be: the ability to upload any type of file, including PHP. There are tons of ways to do it, but I'll only review a few. This exploit is usually used in conjunction with FPD (Full Path Disclosure) to locate the file you uploaded.
Method 1: JavaScript
In some cases, the input is sanitized by using javascript. You should NEVER do that. To bypass, simply disable javascript on your browser.
Method 2: The Null Byte
You have discovered that the input is not sanitized by JavaScript, but by PHP. If only you could change the extension on your shell to a filetype accepted by the server, then make it disappear. Luckily, you CAN! The null byte, %00, makes the site disregard everything following it.
Example:
Hidden Content
changes to:
Hidden Content
When uploaded, the .png part will be discarded. The null byte is a great tool for many types of filter bypass, including bypassing LFI filters.
Example:
Hidden Content
Method 3: File header verification
This is where the server scans the file for its header, to identify what type of file it is. If the header matches anything in the filetype whitelist, it will be uploaded. If not, you'll have to do a little bit more work.
Step 1:
Let's say the server only allows PNG files. Using the last method, and combining it with this one, you should still be able to upload your shell. First, you need to find any PNG file.
Step 2:
Open the file with Notepad++ (or another IDE). Now, copy and paste your shell at the very bottom of the file. Save the file as c99.php%00.png. The code may or may not be executed; it depends on the settings in the php.ini file. In some cases, it will work, and it's a very sneaky way of bypassing filters.
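Added example, not code from the original post: the server-side checks that close all three bypasses above (JavaScript-only validation, %00 in the filename, and a PHP payload appended to a real PNG). The upload directory is an assumption; it must be served with PHP execution disabled.

```php
<?php
// Added example (not from the original post). UPLOAD_DIR is a placeholder
// for a directory the web server serves as static files only.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the stored path, or null if anything about the upload is off.
function storeImageUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Never trust the client-supplied name. PHP's filesystem functions
    //    refuse NUL bytes since 5.3.4, but reject them explicitly, and take
    //    the extension from the LAST dot so "shell.php.png" is judged as png.
    $name = $file['name'] ?? '';
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // 2. Check real content, not just the first bytes: finfo reads the magic
    //    number, getimagesize must parse the image structure as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]
        || @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // 3. Re-encode through GD. The output holds pixel data only, so code
    //    appended after the image (the c99 tail above) does not survive.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // 4. Server-chosen random name and extension; the client's name is never
    //    used on disk, and the directory does not execute .php.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage: $stored = storeImageUpload($_FILES['avatar'] ?? []);
```

Re-encoding normalizes every accepted image to PNG; if the original format must be kept, use the matching `imagejpeg`/`imagegif` writer per extension.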
// Exploitation of $_SERVER['PHP_SELF'] //
$_SERVER['PHP_SELF'] is a variable in PHP that simply contains the current URL of the webpage.
Example:
Current page:
Hidden Content
The $_SERVER['PHP_SELF'] variable contains:
Hidden Content
To exploit this, all you have to do is add your malicious code to the end of the URL.
Example:
Hidden Content
the PHP_SELF variable will contain and echo:
Hidden Content
Since most of the time $_SERVER['PHP_SELF'] is being echoed as an href for a button, the server will print out the directory, then print AND execute the malicious code. You can also do XSS with this.
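Added example, not code from the original post: the form-action pattern that echoes `$_SERVER['PHP_SELF']`, and the two ways to close it. The reason the value is attacker-controlled is that PHP_SELF includes any extra path appended after the script name in the request (`/page.php/<anything>`); `$_SERVER['SCRIPT_NAME']` does not carry that extra path. The request path used in the usage comment is constructed.

```php
<?php
// Added example (not from the original post).

// VULNERABLE: the request path is written into an attribute unencoded, so
// a quote in it closes the attribute and any markup after it is rendered.
function formActionVulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// FIX 1: encode for the HTML attribute context before echoing.
function formActionEncoded(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// FIX 2: do not reflect the request at all. An empty action posts to the
// current URL; SCRIPT_NAME (no extra path info) is the other safe choice.
function formActionFixed(): string
{
    return '<form action="" method="post">';
}

// Review / log check: does a path that will be echoed contain characters
// that can break out of an HTML attribute or open a tag?
function pathLooksInjected(string $path): bool
{
    return preg_match('/["\'<>]/', $path) === 1;
}

// Usage with a constructed request path:
//   $p = '/index.php/"><b>x</b>';
//   formActionVulnerable($p);  // attribute closed; <b>x</b> becomes live markup
//   formActionEncoded($p);     // &quot;&gt;&lt;b&gt;x&lt;/b&gt; is shown as text
//   pathLooksInjected($p);     // true
```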
// Conclusion //
If you have any questions, comments, suggestions, corrections, or concerns, feel free to either PM me or post below. If I have posted this in the wrong section, an admin will surely correct it. I hope you learned a thing or two. This thread will be revised and edited, maybe even added on to, if needed. I hope you enjoy this as much as I did!
Thanks for reading,
~APPLEZ a.k.a. 0verlord <3