All the information on this page is for educational purposes only. Neither the owner of the blog, nor Blogger, nor anyone associated with this blog can be held liable for illegal activities brought about by this blog.

Friday, February 10, 2012

WEBINAR

I will be hosting a
WEBINAR!!!


During the webinar we will be discussing a variety of hacking techniques and methods as well as answering your questions.

Dates will be available soon.

Please comment if you will be able to attend the webinar.

(For those of you who do not know, a webinar is an online seminar: basically, you join in with your computer and have the ability to ask questions and interact.)

See you soon. 

Monday, January 30, 2012

A Double Tutorial - CSRF & SQL Column Truncation

So today we have a double tutorial...

We will be looking at 2 new hacking methods:
CSRF (Cross Site Request Forgery)
&
SQL Column Truncation

To begin we will look at CSRF. Now, CSRF is basically a hybrid between XSS (Cross Site Scripting) and LFI (Local File Inclusion).

Side Note: We will be looking at those 2 vulnerabilities at a later stage. This technique is very simple and straightforward, so a tutorial on XSS prior to this is not really necessary.

In CSRF, the victim is basically sent to a different page without his knowledge.

Say we have a website with a form that allows us to edit our profile, normally comprising:
  • Avatar
  • Password
  • Email Address
  • Interests
  • etc
Remember, an image on a website is always stored on a server, and the image is retrieved from that server every time it loads...

Now say our form has a text box where you must enter the server address for your new avatar. Instead of giving a server address, you insert a script that will allow you to alter details of your profile.

So the first thing you will need to do, after logging in and navigating to the edit profile page, is to view the source code of the edit page.

You will notice that the form action has something similar to
.edit/profile.php
or something to that effect.
So to begin with, insert that line (the form action) into the avatar text box, then add a ?, so the text in the text box will be:
.edit/profile.php?

The question mark is always followed by a parameter, and the parameter is whatever we want to edit on the profile. So next you need to view the source code again and look for the input that allows you to change your password; note its name, as that is our parameter:
.edit/profile.php?password

Now finally, add an "=" directly followed by what you would like the password to be, for example:
.edit/profile.php?password=hacked

Now, let's imagine that a victim, for example Admin, goes to view your profile for some reason. When the victim's browser goes to retrieve the image (the edit page we set as the avatar), it will request the edit profile page as the victim, which will change whatever information we set it to change, in this case the password.

This will edit the information of any user who views your image.
Typically, the password access you will gain will be that of a robot or spider, but with that access you have a very good chance that gaining admin rights will now be relatively easy.
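The request pattern described above, as an added example that is not code from the original post: a Python model of a profile-edit handler in its vulnerable form (any request carrying the session cookie changes the password, which is exactly what the planted avatar URL triggers when a victim's browser fetches it) and a hardened form that accepts state changes only over POST with a per-session CSRF token. The session ids, the server secret and the `Request` class are constructed for this example; the edit/profile.php endpoint and the `password` parameter are the post's.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the site's state (assumption: a cookie-based
# session like the one behind the post's edit/profile.php).
SESSIONS = {"sess-admin-123": "Admin"}          # session cookie -> user
PASSWORDS = {"Admin": "original-secret"}        # user -> current password
SERVER_SECRET = b"constructed-server-side-secret"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request."""
    method: str
    path: str
    query: dict = field(default_factory=dict)    # URL parameters
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Per-session synchronizer token: HMAC(server secret, session id).
    The legitimate form carries it in a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_edit_profile(req: Request, passwords: dict) -> tuple:
    """The pattern the post abuses: any request that carries the victim's
    session cookie changes the password, whether it came from the real
    form or from an <img src=...> that the victim's browser fetched."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    params = {**req.query, **req.form}           # GET and POST treated alike
    if "password" in params:
        passwords[user] = params["password"]
        return 200, "password updated"
    return 200, "nothing to do"


def hardened_edit_profile(req: Request, passwords: dict) -> tuple:
    """Same endpoint with the checks that stop the image trick."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"
    # 1. State changes only over POST; an <img> tag can only issue a GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. The form must echo back the session's token. A page on another
    #    origin cannot read it, so a forged request cannot include it.
    expected = csrf_token(req.cookies["session"])
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    # 3. Sensitive fields are read from the POST body only.
    if "password" in req.form:
        passwords[user] = req.form["password"]
        return 200, "password updated"
    return 200, "nothing to do"


def forged_image_request() -> Request:
    """What the victim's browser sends when it renders the planted avatar
    URL: a plain GET, with the victim's own session cookie attached."""
    return Request("GET", "/edit/profile.php",
                   query={"password": "hacked"},
                   cookies={"session": "sess-admin-123"})


def legitimate_form_post() -> Request:
    """The real edit form, submitted by the logged-in user."""
    sid = "sess-admin-123"
    return Request("POST", "/edit/profile.php",
                   form={"password": "new-pass", "csrf_token": csrf_token(sid)},
                   cookies={"session": sid})


if __name__ == "__main__":
    for handler in (vulnerable_edit_profile, hardened_edit_profile):
        store = dict(PASSWORDS)
        print(handler.__name__, handler(forged_image_request(), store), store)
    store = dict(PASSWORDS)
    print("legitimate form", hardened_edit_profile(legitimate_form_post(), store), store)
```

Run directly, the forged image request changes the password in the first handler and is refused with 405 by the second, while the genuine form post still succeeds; a POST that lacks the token gets 403. Browsers' SameSite cookie defaults add a further layer, but the token check is the part the server can verify on its own.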


Next up is....


***SQL COLUMN TRUNCATION***


SQL Column Truncation is also a very simple and effective technique that can be used to hack websites.
Basically, SQL Column Truncation gives you the ability to duplicate usernames in an SQL database, thereby giving you access to that user account.

To begin, let us imagine that you have discovered that the admin's username is Admin. Now, regardless of the password, you will be able to log in as Admin and also make use of administrative rights. To do this you need to understand a few things first.

An SQL database does not recognize spaces; that is why on many website registrations your username and password may not contain a space. In SQL, a space is completely ignored, for example:

Hacking is awesome
will be stored as
Hackingisawesome

Also, the database table will have rules set that determine how many characters may be stored in a cell. If that number is exceeded, the additional characters will be dropped and only the allowed number of characters will be stored, for example:

If the database only allows for 10 characters in the cell and a user attempts to insert 15 characters, the first 10 will be stored and the last 5 characters will be dropped, for example:

CookieMonster

will be stored as

CookieMons

"ter" has been dropped as it exceeded the maximum number of characters allowed to be stored.

Now, go to register a new account and view the source of the page. As there is a character limit on the SQL database column, the web master will have added a maximum length limit to the username text box in the HTML; say you have discovered this to be 10.

In the text box, insert Admin followed by 5 spaces. As Admin is 5 characters long, adding another 5 spaces makes the username 10 characters in total, and the text box will restrict you from adding any more characters.

Please Note: For the next step I will be using Tamper Data (a Firefox add-on). If you would like information on how to do this without using Tamper Data, comment below.

Open Tamper Data and start tampering. Tamper the request that submits your registration form and add an x to the end of your "Admin     " string, so you will now have this:
Admin     x

(The x is there because without it the username would never be passed to the SQL database: the moment the spaces were removed it would notice the duplicate data. The x can be any other character.)

Now when that username is submitted, the entire username will be added to the cell (because of the x it is not equal to Admin), but because it is 11 characters, which is too large for the column according to the rules set by the admin, the database will drop the additional characters, in this case the x.

After the character has been dropped, the database will remove the spaces and store "Admin" as the final string, but because what was submitted was actually "Admin     x", the database did not recognize it as Admin.

Finally, log in as Admin with the password you just set at registration and you will find that you are logged in with administrative rights.
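As an added example (not the post's code), a Python model of both registration flows. `LegacyUserDB` reproduces the two behaviours the attack needs: values longer than the column are silently cut (MySQL does this unless its sql_mode includes STRICT_TRANS_TABLES or STRICT_ALL_TABLES, in which case the insert fails instead) and comparisons ignore trailing spaces (the behaviour of MySQL's PAD SPACE collations). `HardenedUserDB` rejects over-long or whitespace-containing names before anything is written and relies on a real uniqueness constraint; sqlite3 is used only as a convenient in-memory store and does not itself truncate. All usernames and passwords are constructed, and passwords are kept in plaintext purely to keep the demo short.

```python
import sqlite3

MAX_LEN = 10  # width of the username column in the post's scenario


def legacy_store(username: str) -> str:
    """Model of permissive storage: values longer than the column are
    silently cut to MAX_LEN (what MySQL does without a STRICT sql_mode)."""
    return username[:MAX_LEN]


def legacy_equal(a: str, b: str) -> bool:
    """Model of a PAD SPACE comparison: trailing spaces do not count."""
    return a.rstrip(" ") == b.rstrip(" ")


class LegacyUserDB:
    """Registration and login with the two weaknesses the post relies on:
    truncate-on-store and trailing-space-insensitive comparison."""

    def __init__(self):
        self.rows = []  # (username as stored, password); plaintext for the demo only

    def register(self, username: str, password: str) -> None:
        # The duplicate check runs on the full submitted string, so
        # "Admin     x" is not seen as a duplicate of "Admin" ...
        if any(legacy_equal(stored, username) for stored, _ in self.rows):
            raise ValueError("username taken")
        # ... but only the first MAX_LEN characters are written.
        self.rows.append((legacy_store(username), password))

    def login(self, username: str, password: str):
        # Whichever row compares equal first, spaces ignored, wins.
        for stored, pw in self.rows:
            if legacy_equal(stored, username) and pw == password:
                return stored.rstrip(" ")
        return None


class HardenedUserDB:
    """Same feature with the input validated and the length enforced before
    anything reaches the database, plus a real uniqueness constraint."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")

    @staticmethod
    def canonical(username: str) -> str:
        """Reject instead of silently repairing: no whitespace anywhere,
        and an over-long name is an error, not a truncation."""
        if not username or len(username) > MAX_LEN:
            raise ValueError("username must be 1-%d characters" % MAX_LEN)
        if any(ch.isspace() for ch in username):
            raise ValueError("username may not contain whitespace")
        return username.lower()   # one canonical form for compare and store

    def register(self, username: str, password: str) -> None:
        canon = self.canonical(username)
        try:
            self.conn.execute("INSERT INTO users VALUES (?, ?)", (canon, password))
        except sqlite3.IntegrityError:
            raise ValueError("username taken")

    def login(self, username: str, password: str):
        try:
            canon = self.canonical(username)
        except ValueError:
            return None
        row = self.conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (canon, password)).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    legacy = LegacyUserDB()
    legacy.register("Admin", "admins-real-password")
    legacy.register("Admin     x", "attacker-chosen")        # slips past the duplicate check
    print("legacy login as Admin with the second password:",
          legacy.login("Admin", "attacker-chosen"))          # 'Admin'

    hardened = HardenedUserDB()
    hardened.register("Admin", "admins-real-password")
    try:
        hardened.register("Admin     x", "attacker-chosen")
    except ValueError as err:
        print("hardened rejected registration:", err)
    print("hardened login as Admin with the second password:",
          hardened.login("Admin", "attacker-chosen"))        # None
```

The point of `canonical` is that the string compared for uniqueness is byte-for-byte the string that gets stored, so there is no gap between "what the duplicate check saw" and "what ended up in the column" for the second registration to hide in.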

--- Final Summary ---

Both these methods will get you admin access. The first thing you should do after gaining access is to go and clear your logs.

Also remember that when using the CSRF method the victim WILL discover the password change the next time he attempts to log in, so you will have to log in immediately and attempt to grant yourself admin rights (there are multiple ways to achieve this).

Using the SQL Column Truncation method, on the other hand, is a lot less likely to be discovered, but it is still a possibility. You should also try to grant another one of your accounts admin rights and use your Admin account sparingly; you would also have a better chance of remaining undiscovered if you clear the logs every time you log in as Admin.

Although, if the administrator were to check or clean the database, your database account may be discovered.

Well I hope you enjoyed this tutorial and please feel free to comment.
Peace Out!!!

Techno Master

Wednesday, December 28, 2011

Calling ALL Hackers

So, I know it's been a really long time since my last post, but I have been really busy with exams, travelling, my website, starting my business, etc...


Anyway, I am thinking about having a LEGAL hacking competition. All those who are interested, please let me know by commenting on this post; details will follow according to the interest levels.



Post again soon guys

Monday, November 7, 2011

JavaScript Injections

Ok, sorry it took so long to post this, guys, but it's really difficult to balance college, work, running a blog, etc. Anyway, today we will discuss JavaScript injections and then also poisonous cookies.

Injection Basics

JavaScript injections are run from the URL bar of the page you are visiting. To use them you must first completely empty the URL bar. That means no http:// or anything else.

JavaScript is run from the URL bar using the javascript: protocol. I will only be showing you the basics of this, but if you already know JavaScript, you can expand on this using plain old JavaScript.

The two commands covered in this blog post are alert(); and void();. These are pretty much all you will need in most situations. For your first JavaScript injection, you will make a simple window appear: first go to any website and then type the following into your URL bar:
javascript:alert('Hello, World');
You should get a little dialog box that says "Hello, World". This will be altered later to have more practical uses.

You can also have more than one command run at the same time:
javascript:alert('Hello'); alert('World');
This would pop up a box that says "Hello" and then another that says "World".

Cookie Editing

First off, check to see if the site you are visiting has set any cookies by using this script:
javascript:alert(document.cookie);
This will pop up any information stored in the site's cookies. To edit any information, we make use of the void(); command:
javascript:void(document.cookie="Field = myValue");
This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:
javascript:void(document.cookie="Authorized=yes");
would either create the field "Authorized" or edit it to say "yes"... now whether or not this does anything of value depends on the site you are injecting it into.



Now it's time for some...

Cookie Poisoning

A poisonous cookie is a user-edited cookie poisoned to perform a malicious attack. You can poison cookies with various methods, e.g. scripts or SQL injections.

Here I will show you an example using SQL injections:

javascript:void(document.cookie="pass=' or 1=1--");

This will bypass the login and you will either see a list of usernames or be logged in.
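Added example, not from the original post: the server side of the cookie-editing scenario, in Python. `parse_cookie_header` reads the same `name=value; name=value` form that `document.cookie` shows; `sign_cookie` and `verify_cookie` show why a client-set `Authorized=yes` carries no weight when the server signs what it issues; and `unsafe_login` beside `safe_login` shows the `' or 1=1--` cookie value from the post succeeding against a string-built query and failing against a parameterised one. The signing key, the table and the user rows are constructed. A cookie flagged HttpOnly is not readable or writable through document.cookie at all, which is the first control to check for on a real site.

```python
import hashlib
import hmac
import sqlite3

SIGNING_KEY = b"constructed-cookie-signing-key"   # would live in server config


def parse_cookie_header(header: str) -> dict:
    """Turn 'a=1; b=2' (the form document.cookie shows) into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def sign_cookie(name: str, value: str) -> str:
    """Value plus an HMAC over name and value, joined by '|'."""
    mac = hmac.new(SIGNING_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_cookie(name: str, raw: str):
    """Return the value only if the MAC is intact; a client that edited the
    value (or invented the cookie) cannot produce a valid MAC."""
    value, sep, mac = raw.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def is_authorized(cookie_header: str) -> bool:
    """Trust 'Authorized' only when it carries a valid signature."""
    cookies = parse_cookie_header(cookie_header)
    return verify_cookie("Authorized", cookies.get("Authorized", "")) == "yes"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Admin", "s3cret"), ("bob", "hunter2")])   # constructed rows
    return conn


def unsafe_login(conn, user: str, passwd: str) -> list:
    """Query built by string concatenation: the cookie value from the post,
    ' or 1=1--, turns the WHERE clause into 'always true'."""
    sql = f"SELECT name FROM users WHERE name='{user}' AND pass='{passwd}'"
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, user: str, passwd: str) -> list:
    """Parameterised query: the same string is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return [row[0] for row in conn.execute(sql, (user, passwd))]


if __name__ == "__main__":
    forged = "Authorized=yes; pass=' or 1=1--"            # what document.cookie would hold
    print("forged Authorized accepted?", is_authorized(forged))              # False
    print("signed Authorized accepted?",
          is_authorized("Authorized=" + sign_cookie("Authorized", "yes")))  # True
    conn = setup_db()
    jar = parse_cookie_header(forged)
    print("unsafe:", unsafe_login(conn, "Admin", jar["pass"]))   # ['Admin', 'bob']
    print("safe:  ", safe_login(conn, "Admin", jar["pass"]))     # []
```

Signing makes tampering detectable, but the stronger design is to keep nothing authoritative in the cookie at all: store a random session id and look the authorization state up server-side, so there is no value for the client to edit in the first place.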

Thanks
Hope you enjoyed this article

Techno Master 

Tuesday, October 25, 2011

Combining Files

Today I will show you how to combine files using the Command Prompt. This can be very useful for hacking sites that are vulnerable to LFI (Local File Inclusion).

Firstly we will need to create the documents to combine:

(Note: These files are just example files, the files can be anything you want)

Firstly I will create an image file named: picture.jpg
Secondly, I will create a text file named: test.txt
Lastly, I will create a rar file named: combination.rar

Ok, next, create a folder and store all the files to be combined in this folder:

C:\Combine

The next step is to open the Command Prompt
(Click Start, then Run, type 'cmd' or 'command' - without the quotes - and press Enter)

Once in the Command Prompt, go to the folder where your files are stored:

cd C:\Combine

You will now see the directory in the prompt:

C:\Combine>

Next, type copy /b

(The /b ensures the files are copied as binary files)

Type in the following, without the quotes:

copy /b picture.jpg + test.txt + combination.rar newfile.jpg

and press Enter.

The last file name is the name of the new file containing the combined files; you can choose this name.
If you view this file normally, you will see a standard image; using Open With to open the file in the appropriate program will reveal the hidden files.
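Added example (not part of the original post): a Python check an upload handler or a file scanner can run to notice a file built the way the post describes. `jpeg_end_offset` walks the JPEG marker segments up to the EOI marker, so anything after that offset is data the image itself never uses; a RAR signature in that tail identifies an appended archive. The sample JPEG bytes and the appended text and archive stub are constructed to mirror `copy /b picture.jpg + test.txt + combination.rar newfile.jpg`; the sample is structurally valid but not a viewable picture.

```python
RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5 archive signature

STANDALONE = {0x01} | set(range(0xD0, 0xD9))   # TEM, RST0-7, SOI: markers with no length field


def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker structure and return the offset just past the
    EOI marker (FF D9), or None if the bytes are not a well-formed JPEG.
    Searching for the first FF D9 would be wrong: an EXIF thumbnail inside
    an APP1 segment carries its own EOI, so segments are skipped by length."""
    if data[:2] != b"\xff\xd8":
        return None
    i, n, in_scan = 2, len(data), False
    while i + 1 < n:
        if not in_scan:
            if data[i] != 0xFF:
                return None
            marker = data[i + 1]
            if marker == 0xFF:                 # fill byte before a marker
                i += 1
            elif marker == 0xD9:               # EOI
                return i + 2
            elif marker in STANDALONE:
                i += 2
            else:
                if i + 4 > n:
                    return None
                seglen = int.from_bytes(data[i + 2:i + 4], "big")
                if seglen < 2:
                    return None
                i += 2 + seglen
                in_scan = marker == 0xDA       # SOS: entropy-coded data follows
        else:
            # Inside scan data 0xFF is byte-stuffed as FF 00 and FF D0-D7 are
            # restart markers; any other FF xx is a real marker that ends the scan.
            j = data.find(b"\xff", i)
            if j == -1 or j + 1 >= n:
                return None
            nxt = data[j + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                i = j + 2
            elif nxt == 0xFF:
                i = j + 1
            else:
                i, in_scan = j, False
    return None


def trailing_payload(data: bytes):
    """Bytes after the image's EOI: b'' for a clean file, None if not a JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def classify_upload(data: bytes) -> str:
    tail = trailing_payload(data)
    if tail is None:
        return "not a jpeg"
    if not tail:
        return "clean jpeg"
    if RAR4_SIG in tail or RAR5_SIG in tail:
        return "jpeg with appended rar archive"
    return "jpeg with %d trailing bytes" % len(tail)


# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, a few bytes of scan data
# including one stuffed FF 00, then EOI. It has the marker structure of a
# real file without being a renderable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# What copy /b produces: image, then the text file, then the archive (stub).
COMBINED = SAMPLE_JPEG + b"hello from test.txt\n" + RAR4_SIG + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in (("picture.jpg", SAMPLE_JPEG), ("newfile.jpg", COMBINED),
                        ("junk.bin", b"not a jpeg")):
        print(label, "->", classify_upload(blob))
```

Image viewers stop at EOI, which is why the combined file still displays as a normal picture; the check above looks at exactly the bytes the viewer ignores. Treating any non-empty tail as suspicious is the safer policy, since the appended data need not carry a recognisable signature.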

Hope you enjoyed this

Peace Out

Techno Master





Saturday, October 22, 2011

SQL Injection Attack - A Step-by-step video tutorial

Ok guys, continuing on from yesterday's blog post about the SQL attack, we now have a step-by-step video tutorial. We are using the same methods and site as in the previous post; this will just give you a better understanding of what is happening. Enjoy and don't forget to comment.

Important Sites:

Download vulnerable web environment:
 http://www.securityoverride.com/infusions/pro_download_panel/download.php?did=33

Friday, October 21, 2011

SQL Attack

*Only sites which users have the rights to or have been given special permission may be hacked, I accept no responsibility and can not be accountable for any illegal acts that take place in conjunction with the information on this blog*


So as I said, today's blog will be about SQL attacks. I will be using a site created by CrashOverron, set up on my localhost; to download the files to use the site, visit:

http://securityoverride.com/infusions/pro_download_panel/download.php?did=33

Ok, so I will be giving a step-by-step guide with screenshots (the video will be uploaded tomorrow).

Step 1: Discover a website that utilizes an SQL database


Here is a site with an SQL database

Step 2: Test the site for vulnerabilities

You start by typing a logical statement at the end of the URL:
http://localhost/fake/index.php?page=products&id=1%20and%201=1--

As you will see in the screenshot below, the page has not changed compared to the original screen.





Next, we will type an illogical statement at the end of the URL:
http://localhost/fake/index.php?page=products&id=1%20and%201=0--

As you will now see, there has been quite a drastic change to the page. This confirms that there is definitely an SQL vulnerability on this website.

Step 3: Find total number of columns

Next, we need to discover how many columns the SQL table has. To determine this, we use the ORDER BY command: by adding ORDER BY n (where n represents a number) we can determine how many columns there are.

If there is no error, increase n by 1, and continue to do so until you receive an error.

Once you have received an error, take n - 1 = x

x = number of columns in the SQL table

(There is a possibility that there may be many, many columns; if that is the case, change your increment from 1 to 10, for example, until you can determine the exact number of columns.)

Step 4: Display table names

You will now need to display all the table names so you can choose which table to use. Firstly, change 'id=1' to 'id=-1'; we do this because there is no data in that array position. Then add this to the URL:
union select 1,2,3,4 from information_schema.tables--

Union is basically the command that tells the SQL database that our own select is being attached to the original query
Select is the command to select certain information
1,2,3,4 is the number of columns we have (all numbers MUST be entered)
from tells the SQL database where to collect information from
information_schema is the MySQL master tool
.tables tells information_schema that we are going to be interacting with tables
-- all SQL commands will need to end with a double dash

So, now that we have that, you should see something similar to:

Now, the numbers on screen are the only numbers you may edit; choose one and stick with it. In our case we will choose 2.

Now, replace the number you chose with 'table_name' (without the quotes):



union select 1,table_name,3,4 from information_schema.tables--

You should now see a list of table names; scroll down until you see the tables you are dealing with (you should be able to work out which are human-created tables):



So now we have two table names:
  1. users
  2. products
We will now be using the users table as this will obviously have user information in it and more than likely passwords.

Step 5: Display column names

Now that we know what table_name we want, we can start working on the column names. Column names are just as easily retrieved; just add
union select 1,column_name,3,4 from information_schema.columns--
after the 'id=-1'.

Here we have replaced our chosen number, in our case 2, with column_name and changed information_schema.tables to information_schema.columns.

Now you will see a list of column names; unfortunately, it is for the wrong table.

Not to worry, just add in the WHERE clause; the WHERE clause tells the SQL database which source to take data from:

union select 1,column_name,3,4 from information_schema.columns where table_name='users'--

We add 'where table_name='users'--' to the URL; this tells the query to pull data for the table with the table_name users,

and we should get something similar to:


Some sites have magic quotes set up; in that case adding "table_name='users'--" will not work because the site will not allow the addition of quotes. In those cases we use the char() command: in the char() command, put the ASCII values of the table name as CSV (Comma Separated Values) between the brackets. This will be discussed more in the video.

Step 6: Reaping your rewards

Now it is finally time for you to be rewarded for all your hard work. There are two ways to do this next step, the quick way and the long way; first I will show you the long way so as to ensure you understand what we are actually doing...


Substitute a column name for column_name, for example:

union select 1,user,3,4 from users--

You no longer need the information_schema command as the query is now running from the users table; we will now see a list of users.


Now do the same for passwords, but substitute 'pass' for column_name:

union select 1,pass,3,4 from users--

You will now see a list of passwords.
Use the user name from the first request, along with the password from the second request, to log in.

The short method is to use the concat() command; in the concat() command, you request more than one column at a time (more details in the video):

union select 1,concat(user,0x3A,pass),3,4 from users--

You can keep adding as much information as you need, either by concatenating or by asking for each column individually.

(0x3A is the hex value for a colon :)

this will display as:
user: password


Remember the user names and passwords and proceed to the login screen.

Step 8: Logging in

Ok, so I have shown you how to collect usernames, passwords and other information; now you need to log in.

Take note of a username and password and proceed to the login screen.


You will now be logged in as that user, having full access to the account as if you were the account owner.
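Added example, not from the original post: a Python detector that runs the rules a defender would write for this walkthrough over web server access logs. The log lines are constructed to reproduce the exact requests the steps above send (the 1=1/1=0 pair, the ORDER BY walk ending in a server error, the union select against information_schema, and the concat(user,0x3A,pass) pull), plus two ordinary requests for contrast; the IPs, timestamps and response sizes are made up. The log format assumed is the common Apache/Nginx access-log layout.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines mirroring the walkthrough's requests.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2011:14:01:02 +0200] "GET /fake/index.php?page=products&id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [21/Oct/2011:14:01:09 +0200] "GET /fake/index.php?page=products&id=1%20and%201=1-- HTTP/1.1" 200 5120
10.0.0.5 - - [21/Oct/2011:14:01:15 +0200] "GET /fake/index.php?page=products&id=1%20and%201=0-- HTTP/1.1" 200 2210
10.0.0.5 - - [21/Oct/2011:14:01:30 +0200] "GET /fake/index.php?page=products&id=1%20order%20by%203-- HTTP/1.1" 200 5120
10.0.0.5 - - [21/Oct/2011:14:01:35 +0200] "GET /fake/index.php?page=products&id=1%20order%20by%205-- HTTP/1.1" 500 812
10.0.0.5 - - [21/Oct/2011:14:02:01 +0200] "GET /fake/index.php?page=products&id=-1%20union%20select%201,table_name,3,4%20from%20information_schema.tables-- HTTP/1.1" 200 9031
10.0.0.5 - - [21/Oct/2011:14:03:12 +0200] "GET /fake/index.php?page=products&id=-1%20union%20select%201,concat(user,0x3A,pass),3,4%20from%20users-- HTTP/1.1" 200 3377
10.0.0.9 - - [21/Oct/2011:14:03:40 +0200] "GET /fake/index.php?page=products&id=7 HTTP/1.1" 200 5011
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Each rule is (tag, pattern), applied to the decoded, lower-cased query string.
RULES = [
    ("boolean-probe",    re.compile(r"\band\s+\d+\s*=\s*\d+")),        # the 1=1 / 1=0 test
    ("column-enum",      re.compile(r"\border\s+by\s+\d+")),           # the ORDER BY n walk
    ("union-select",     re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema-discovery", re.compile(r"\binformation_schema\.")),
    ("data-extraction",  re.compile(r"\bconcat\s*\(|\b0x[0-9a-f]{2,}\b")),
    ("comment-tail",     re.compile(r"--\s*$")),                       # the closing double dash
]


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "time": ts, "method": method, "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(status)}


def tag_request(rec: dict) -> list:
    """Rules that fire on the decoded query string, in RULES order."""
    q = re.sub(r"\s+", " ", rec["query"].lower())
    return [tag for tag, rx in RULES if rx.search(q)]


def analyze(log_text: str) -> list:
    """One finding per log line that matched at least one rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = tag_request(rec)
        if tags:
            rec["tags"] = tags
            findings.append(rec)
    return findings


def summarize_by_ip(findings: list) -> dict:
    """Per source IP: distinct tags seen, flagged request count, and how many
    of them drew a server error (an ORDER BY overshoot typically does)."""
    summary = defaultdict(lambda: {"tags": set(), "hits": 0, "errors": 0})
    for f in findings:
        s = summary[f["ip"]]
        s["tags"].update(f["tags"])
        s["hits"] += 1
        if f["status"] >= 500:
            s["errors"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["tags"])
    for ip, s in summarize_by_ip(found).items():
        print(ip, "hits=%d errors=%d tags=%s" % (s["hits"], s["errors"], sorted(s["tags"])))
```

A single `comment-tail` or `boolean-probe` hit can be noise, but the per-IP summary is what makes the walkthrough stand out: one client progressing from probes to a column walk with a 500 to `information_schema` to a `concat` pull within minutes. The detection is only the alarm; the fix for the application is the parameterised query, so that `id` is never spliced into SQL text.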

I hope my tutorial was well understood; if you have any questions or other input, please comment.

A video of the SQL attack has been created and will be uploaded as soon as the editing has been completed.

Thanks for checking out my blog and thanks again to CrashOverron for the website

See ya

Techno Master
 