SQL Injection - Bypass WAF

OK, so I showed you how to perform some basic SQLi previously, but there will be times when it starts off working and then you find yourself facing a FORBIDDEN page (403 error) or a Not Acceptable page. Typically you find the vulnerable page and the column count, and then, when you switch to a UNION SELECT statement, the errors start. This is usually due to server-side rules filtering your request, often referred to as a Web Application Firewall or WAF, but don't worry, there are ways we can beat them. You can get pretty creative with the methods, but for now I will show how to use comments to bypass the filters, sometimes referred to as inline comments or C-style comments.

SQL Injection - Using Double Query Injection

Double Query
Works exactly like error-based injection, except that the error-based query is doubled into a single query statement so that we again successfully get an error message back.


Determine when we should use error-based or double query injection.

When you switch over to UNION SELECT statements and the page returns an error saying something like:

Case 1: The Used Select Statements Have Different Number Of Columns.
Case 2: Unknown column 1
Case 3: Nothing returns at all, and you can't find the columns in the web content.

Then you can also use error-based injection.

SQL Injection - Error Based

Error Based

By injecting a specific query (I will show you this later in the tutorial), we get an error message returned in the page. This message actually gives us sensitive database information, which is why we call this error-based SQL injection.


MyBB Ajaxfs SQL Injection

########################################################
# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
# Author        : Iranian Exploit DataBase
# Discovered By : IeDb
# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2
# Security Risk : High
# Tested on     : Linux
# Dork          : inurl:ajaxfs.php
########################################################

WordPress Pretty Photo Cross Site Scripting

Details
+++++++++++++++++++++++++++++++++++++++++++++
Product         : PrettyPhoto Plugin
Security-Risk   : Moderate
Remote-Exploit  : yes
Company         : RHAINFOSEC
Website         : http://services.rafayhackingarticles.net
Vendor-URL      : https://github.com/scaron/prettyphoto
Vendor-Status   : informed
Advisory-Status : published

WordPress iThemes2 Shell Upload

############################################################
#Title          : Wordpress iThemes2 Themes Arbitrary File Upload
#Author         : DevilScreaM
#Date           : 11/20/2013 - 20 November 2013
#Category       : Web Applications
#Type           : PHP
#Vendor         : http://themify.me/
#Link           : http://themify.me/themes/ithemes2
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : Arbitrary File Upload
############################################################

WordPress Suco Shell Upload

##############################################################
#Title          : Wordpress Suco Themes Arbitrary File Upload
#Author         : DevilScreaM
#Date           : 11/20/2013 - 20 November 2013
#Category       : Web Applications
#Type           : PHP
#Vendor         : http://themify.me/
#Link           : http://themify.me/themes/suco
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : Arbitrary File Upload
##############################################################

phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability Exploit

#########################################################
# Exploit Title : phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork   : inurl:phpliteadmin.php (Default PW: admin)
# Vendor Status : Informed
# Version       : 1.9.3
# Tested on     : Windows and Linux
#########################################################

PayPal Billsafe Cross Site Scripting

Document Title:
+++++++++++++++++++++++++++++++++++++++++
PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability

References (Source):
+++++++++++++++++++++++++++++++++++++++++
http://www.vulnerability-lab.com/get_content.php?id=801

PayPal Security UID: kxy1ea5ech

Release Date:
+++++++++++++++++++++++++++++++++++++++++
2013-11-18

Vulnerability Laboratory ID (VL-ID):
+++++++++++++++++++++++++++++++++++++++++
801

Common Vulnerability Scoring System:
+++++++++++++++++++++++++++++++++++++++++
3.5

Ruckus Wireless Zoneflex 2942 Wireless Access Point Vulnerable to Authentication Bypass

###########################################################
# Exploit Title  : Ruckus Wireless Zoneflex 2942 Wireless Access Point vulnerable to Authentication bypass
# Date           : 10/10/2013
# Exploit Author : myexploit
# Homepage       : http://www.ruckuswireless.com/
# Version        : 2942 Wireless Access Point version 9.6.0.0.267
# CVE            : CVE-2013-5030
###########################################################

Optomise System Ltd XSS / Information Disclosure

OPTOMISE SYSTEM Ltd (UK Ministry of Defence and emergency services) Full Directory Information Disclosure / Persistent XSS

Vulnerability Timeline
04-11-2013 Security Advisory
07-11-2013 Asked about the issues -> No response
14-11-2013 Asked about the issues -> No response -> Not fixed
18-11-2013 Full Disclosure

TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilities

########################################################
# Exploit Title : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilities
# Author        : KedAns-Dz
# Platform      : PHP / WebApp
# Cat/Tag       : Shell / File Upload, Auth Bypassing, Multiple
# TinyMCE v3.2.7 or ..X suffers from multiple vulns / bugs :p
# A remote attacker can bypass auth and upload files, shells, etc...
# 1st try with this dork:
# google dork : allinurl:/plugins/imagemanager/pages/im/index.html
########################################################

WP Front-End Repository Manager Arbitrary File Upload Vulnerability

#############################################################
# Exploit Title   : WP Front-End Repository Manager Arbitrary File Upload Vulnerability
# Author          : DaOne aka MockingBird
# Vendor Homepage : http://wordpress.org/plugins/wp-front-end-repository/
# Download link   : http://downloads.wordpress.org/plugin/wp-front-end-repository.1.1.zip
# Version         : 1.1
# Category        : webapps/php
# Google dork     : inurl:wp-content/plugins/wp-front-end-repository
#############################################################

WordPress Project 10 Themes Remote File Upload Vulnerability

###############################################################
# Exploit Title    : WordPress Project 10 Themes - Remote File Upload Vulnerability
# Author           : Byakuya
# Date             : 11/18/2013
# Vendor Homepage  : http://themeforest.net/
# Themes Link      : http://themeforest.net/item/project-10-magazine-theme/2513938
# Affected Version : v1.0
# Infected File    : upload-handler.php
# Category         : webapps/php
# Google dork      : inurl:/wp-content/themes/project10-theme/
# Tested on        : Windows/Linux
###############################################################

WordPress Tweet Blender 4.0.1 CSS

Advisory ID             : HTB23180
Product                 : Tweet Blender Wordpress Plugin
Vendor                  : kirilln
Vulnerable Version(s)   : 4.0.1 and probably prior
Tested Version          : 4.0.1
Advisory Publication    : October 25, 2013 [without technical details]
Vendor Notification     : October 25, 2013
Vendor Patch            : November 13, 2013
Public Disclosure       : November 15, 2013
Vulnerability Type      : Cross-Site Scripting [CWE-79]
CVE Reference           : CVE-2013-6342
Risk Level              : Low
CVSSv2 Base Score       : 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status         : Fixed by Vendor
Discovered and Provided : High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Facebook Open Redirection

# Exploit Title: Facebook URL open Redirection
# Date: 05/11/2013 - 01/01/1435
# Exploit Author: The Black Devils " Asesino04"
# Vendor Homepage: http://www.facebook.com/      
# Tested on: Mozilla firefox

Type of Hash

1. DES (Unix)
[+] Used in Linux and the like.
[+] Length: 13 characters.
[+] Description: The first two characters are the salt (random characters; in our example the salt is the string "Iv."), followed by the hash.
[+] Example: IvS7aeT4NzQPM

2. Domain Cached Credentials
[+] Used to cache Windows domain passwords.
[+] Length: 16 bytes (32 characters)
[+] Algorithm: MD4(MD4(Unicode($pass)) . Unicode(strtolower($username)))
[+] Example: Admin : b474d48cdfc4974d86ef4d24904cdd91

Cookie Logger Script - for Silently Stealing Website Cookies


For when you want to steal someone's session cookies but you don't want to raise the alarm!

What/why? Stealing cookies isn't complicated, but sometimes it can be tricky depending on what is filtered from your JS injection. It can be made much harder if your aim is to steal them silently without the person knowing.

Exploiting POST Method XSS Silently


POST HTTP method XSS exploitation without the target filling out a form... SILENTLY

What's POST method XSS?

A cross-site scripting vulnerability that is exploited by sending the input from a form to the vulnerable website via the POST HTTP method (so it could be a search box on a site that uses POST rather than GET).

How does exploitation differ from GET method XSS?

When a GET request is made, the request is sent over HTTP in the form: website.com/search.php?keyword=whatever

When a POST request is made, the request is sent over HTTP in the form: website.com/search.php

(the content, e.g. keyword=whatever, is sent in the body of the HTTP request rather than as part of the URL).

With that in mind, the typical reflected XSS attack can't be sent to the target like normal:

website.com/search.php?keyword="><script>evil-javascript</script>

With the POST method, the user actually has to fill out a form on your evil site and usually click "submit", which allows the evil site to send the user along with the POST request to the target website. The body of the POST request will contain the JavaScript payload, which ends up running.

How to Shell a Server via Image Upload and Bypass Extension + Real Image Verification


During a website audit, upload forms and other interactive, user-content driven facilities are often found to be protected by client-side and/or server-side security checks. This tutorial presents the methods that can be used to circumvent these checks. In this case we're specifically considering image uploads that allow JPG files in particular.

Each security measure numbered below will be briefly discussed and paired with an appropriate bypass method; this tutorial aims to provide a complete-ish solution.

WiFi Hack in Windows


Download WZCook
Let's Play!
1. Make sure you are in range of the locked Wi-Fi network
2. Open the application wzcook.exe
3. Wait a few moments until the password and the name of the Wi-Fi network are shown
4. Press [CTRL] + [C] to save the data to C:\wepkeys.txt
5. The password is the WEP Key
6. Copy and paste the password
7. Click Connect

WordPress Make A Statement CSRF


#Title          : Wordpress Make A Statement Themes CSRF File Upload Vulnerability
#Author         : DevilScreaM
#Date           : 11/17/2013 - 17 November 2013
#Category       : Web Applications
#Type           : PHP
#Version        : 1.x.x
#Vendor         : http://themes.mas.gambit.ph/
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : CSRF

WordPress Amplus CSRF


#Title          : Wordpress Amplus Themes CSRF File Upload Vulnerability
#Author         : DevilScreaM
#Date           : 11/17/2013 - 17 November 2013
#Category       : Web Applications
#Type           : PHP
#Vendor         : http://themeforest.net
#Download       : http://themeforest.net/item/amplus-responsive-multilingual-wordpress-theme/
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : CSRF

WordPress Dimension CSRF

#Title          : Wordpress Dimension Themes CSRF File Upload Vulnerability
#Author         : DevilScreaM
#Date           : 11/17/2013 - 17 November 2013
#Category       : Web Applications
#Type           : PHP
#Vendor         : http://themeforest.net
#Download       : http://themeforest.net/item/dimension-retina-responsive-multipurpose-theme/
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : CSRF

WordPress Euclid CSRF

#Title          : Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
#Author         : DevilScreaM
#Date           : 11/17/2013 - 17 November 2013
#Category       : Web Applications
#Type           : PHP
#Version        : 1.x.x
#Vendor         : http://freelancewp.com
#Download       : http://freelancewp.com/wordpress-theme/euclid/
#Greetz         : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security |
#                 Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks         : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded
#Tested         : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability  : CSRF

Livezilla Code Execution / LFI

CVE-2013-6225: Security Advisory – Curesec Research Team

1. Introduction

Advisory ID        : Cure-2013-1007
Advisory URL       : https://www.curesec.com/de/veroeffentlichungen/advisories.html
Blog URL           : https://cureblog.de/2013/11/remote-code-execution-in-livezilla/
Affected Product   : LiveZilla version 5.0.1.4
Affected Systems   : Linux/Windows
Fixed in           : 5.1.0.0
Fixed Version Link : https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe
Vendor Contact     : support@livezilla.net
Vulnerability Type : Remote Code Execution / Local File Inclusion
Remote Exploitable : Yes
Reported to vendor : 18.10.2013
Disclosed to public: 15.11.2013
Release mode       : Coordinated release
CVE                : CVE-2013-6225
Credentials        : crt@curesec.com

1337 Admin Page Finder v5

Written in: Perl & converted to executable

More powerful
More options
More lists
New box
Sounds added

Enter site URL: Insert the site URL in the blank field.
Enable response time: This option enables the response time. If you leave it off, the default response time is 50 seconds.
Select time to response: Select the response time for any request to the server. If a request exceeds the time you specify and does not respond, it passes to the next path.
Select User Agent: This option is important because it lets us choose which browser the server will see, so the server cannot tell that the requests come from a program.
Select Method: Here you have the choice of method and source code.

Kali Linux


Kali Linux is a GPL-compliant Linux distribution built by penetration testers for penetration testers with development staff consisting of individuals spanning different languages, regions, industries, and nationalities.
The evolution of Kali took place over many years of development, penetration tests, and unprecedented help from the security community. Kali Linux originally started with earlier versions of live Linux distributions called BackTrack, Whoppix, IWHAX, and Auditor.
When it was initially developed, Kali was designed to be an all-in-one live CD to be used on security audits and was specifically crafted to not leave any remnants of itself on the system. With millions of downloads, it has become the most widely adopted penetration testing framework in existence and is used by the security community all over the world.



Cut the Rope

Visit this link to play game. Enjoy!
http://www.cuttherope.ie/

RFI Basic Tutorial

RFI stands for Remote File Inclusion. RFI is a type of vulnerability that is most often found on websites. It allows a hacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of a file, but depending on the severity it can lead to, to list a few:
    1. Data theft/manipulation.
    2. Code execution on the web server.
    3. Denial of Service (DoS).
    4. Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS).

LFI Method 1

LFI stands for "Local File Inclusion". LFI is a type of web application security vulnerability, only one of many. Web applications are applications (in other words, pages/websites) you can view and interact with in your web browser. In this tutorial I will show you how to deface a website using an LFI vulnerability.

First of all you need two things:
    1. FireFox
    2. The TamperData addon for Firefox

LFI allows you to include a local file (which means the file is stored on the server) and run it in a web script.

In this tutorial we are going to upload a shell by accessing /proc/self/environ.

DNN Hacking Tutorial

Let's Get Started:
Step 1: First you have to download this ASP shell.

Step 2: Now open http://www.google.com and enter this dork (this dork is for finding vulnerable DNN sites).

DNN Dorks:

inurl:/tabid/36/language/en-US/Default.aspx
OR
inurl:/Fck/fcklinkgallery.aspx

Using Google for Hacking

Things you can do with Google

Find Botnets
Find People/Info/DoX
Find Vulnerable Sites
View Deleted Files/Sites
Finding things you're not supposed to
Obtaining things for free


Today I'm going to be showing you how to do all of these and more and how to protect yourself against them.


WHMCS 5.2.8 SQLI Vulnerability (0day)


Here again a new 0day for WHMCS.
It affects version 5.2.8 (the current version).

Again shit poor coding in the new version of WHMCS. The epicness is not over: they make the same mistake in /includes/dbfunctions.php.
We can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');

By using this vulnerability we can also change /configuration.php to whatever we want.

John the Ripper


John the Ripper is a program for decrypting passwords. Although it has many functions, we will look at using it as a decrypter for a password file you have.
We will look at a password file that you have on your hard disk.

PREPARATION

1. Download the correct version of JTR; use win32 for Win 95/98
2. Extract the zip file to a directory
3. Make sure your password file is in the same directory

