PHP Command Injection Vulnerability in Web applications

Create a new PHP file, name it test_command_injection.php, and save it inside Apache’s htdocs directory:

<?php
if(isset($_GET['filename']))
{
	$filename = $_GET['filename'];
	if(file_exists($filename))
	{
		unlink($filename);
	}
}

Open your favorite browser and request the URL: http://localhost/test_command_injection.php?filename=path_to_file_4_deletion

As you can see, anyone who can reach this page could delete any file that the web server's user account is allowed to remove, simply by supplying the right path in the filename parameter: the value taken from $_GET is passed straight to unlink() without any validation.
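The same handler written safely, as an added example that is not part of the original post: the vulnerable function is kept only for comparison, and the hardened version restricts deletion to one directory, accepts only a bare file name, re-checks the canonical path with realpath(), and requires an authenticated session plus a CSRF token before acting. The uploads directory and the $_SESSION['user_id'] / $_SESSION['csrf'] field names are assumptions made for the example.

```php
<?php
// Added example (not part of the original post): the vulnerable handler
// from above next to a hardened version. The "uploads" directory and the
// session field names are assumptions for illustration.
declare(strict_types=1);

// --- Vulnerable form, kept for comparison (do not deploy) ---
// unlink() runs on whatever string the client sends, so every file the
// web server user may remove is deletable, e.g. ?filename=../../etc/passwd
function delete_file_vulnerable(string $filename): bool
{
    if (file_exists($filename)) {
        return unlink($filename);
    }
    return false;
}

// --- Hardened form ---
// 1. Only files inside one fixed directory may be deleted.
// 2. Only a bare file name is accepted: no "/" or "\", no "..", no NUL bytes.
// 3. The resolved path is checked again with realpath() so that symlinks or
//    encoding tricks cannot escape the directory.
const UPLOAD_DIR = __DIR__ . '/uploads'; // assumed location

function safe_delete(string $userInput): bool
{
    // Reject anything that is not a plain name made of safe characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $userInput)) {
        return false;
    }

    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return false; // directory missing or unreadable
    }

    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    // realpath() returns false for a non-existent path; also confirm that the
    // canonical path is still inside the allowed directory and is a regular file.
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        return false;
    }

    return unlink($target);
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['filename'])) {
    // Deletion changes state, so it must be a POST from a logged-in user
    // carrying a CSRF token issued by this application (assumed field names).
    if (empty($_SESSION['user_id'])
        || !isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        http_response_code(403);
        exit;
    }
    $ok = safe_delete((string) $_POST['filename']);
    http_response_code($ok ? 204 : 400);
}
```

The directory check compares against $base followed by a path separator, so a sibling directory such as uploads_old cannot pass as a prefix match, and realpath() is applied to the joined path only after the name itself has been validated, because a symlink placed inside the directory could otherwise resolve to a file outside it.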

Dnsrecon – Kali Linux

Open your Kali Linux distribution.

Enumerate a domain

dnsrecon -d example.com

Test all NS servers in a domain for misconfigured zone transfers

dnsrecon -d example.com -t axfr

Help!

Version: 0.8.8
Usage: dnsrecon.py <options>
 
Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.
 
                               rvl      To Reverse Look Up a given CIDR IP range.
 
                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.
 
                               srv      To Enumerate common SRV Records for a given 
 
                                        domain.
 
                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.
 
                               goo      Perform Google search for sub-domains and hosts.
 
                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.
 
                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA
 
                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
 
   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is 
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.

Collect emails using Kali Linux

> Run your Kali Linux
> Open a terminal
> Type:

theharvester -d mydomain.com -b all

> Hit enter and wait for results.

How to generate shellcode from custom exe in metasploit

To use a custom exe as a payload, or to embed your custom exe in a document or Excel file, you have to “convert” the exe to shellcode. To accomplish this:

1> Run Kali Linux

2> Open a terminal window

3> Type

msfconsole

and hit enter

4> Type

use payload/generic/custom

and hit enter

5> Choose your custom exe:

set PAYLOADFILE /root/Desktop/mycustomexe.exe

6> Choose optionally a name-title:

set PAYLOADSTR mycustomexe

7> Type

generate

and hit enter

 

OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides zero false positive scan results with its unique triple browser engine (Trident, WebKit and Gecko) embedded scanner. It is claimed to have the world’s second-largest collection of XSS payloads, about 1500+ distinct payloads, for effective XSS vulnerability detection and WAF bypass. It also incorporates a feature-rich information gathering module for target reconnaissance, and the exploit framework includes highly offensive XSS exploitation modules for penetration testing and proof-of-concept creation.

SCANNER MODULES

  • Manual Mode Scanner
  • Auto Mode Scanner
  • DOM Scanner
  • Multiple Parameter Scanner
  • POST Request Scanner
  • Header Scanner
  • Fuzzer
  • Hidden Parameter Detector

INFORMATION GATHERING MODULES

  • WAF Fingerprinting
  • Victim Fingerprinting
  • Browser Fingerprinting
  • Browser Features Detector
  • Ping Scan
  • Port Scan
  • Internal Network Scan

EXPLOITATION MODULES

  • Send Message
  • Cookie Thief
  • Phisher
  • Tabnabbing
  • Keylogger
  • HTML5 DDoSer
  • Load File
  • Executable Drive By
  • JavaScript Shell
  • Reverse HTTP WebShell
  • Drive-By Reverse Shell
  • Metasploit Browser Exploit
  • Firefox Reverse Shell Addon (Persistent)
  • Firefox Session Stealer Addon (Persistent)
  • Firefox Keylogger Addon (Persistent)
  • Firefox DDoSer Addon (Persistent)
  • Firefox Linux Credential File Stealer Addon (Persistent)
  • Firefox Download and Execute Addon (Persistent)

UTILITY MODULES

  • WebKit Developer Tools
  • Payload Encoder
  • JavaScript Beautify
  • Hash Calculator
  • Hash Detector


Defeat web trackers

Ghostery sees the “invisible” web, detecting trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google Analytics, and over 1,000 other ad networks, behavioral data providers, web publishers – all companies interested in your activity. After showing you who operates behind the scenes, Ghostery also gives you the opportunity to learn more about each company it identifies, including links to their privacy policy and opt-out options. Ghostery allows you to block scripts from companies that you don’t trust, delete local shared objects, and even block images and iframes.

Download for Firefox

 

Firefox Anti-phishing addon

WorldIP is a Firefox geolocation add-on with security features and advanced network tools; its anti-phishing mechanisms protect against DNS spoofing and fake sites. It also provides all DNS records for a domain, the real location of the web server, the country and extended information about the datacenter.

WorldIP provides the following information:
– all IP addresses of the server (IPv4 and IPv6), Reverse DNS, web-server
– all DNS entries for domains (A,AAAA,MX,NS,SPF,TXT,SOA,CNAME,PTR), their TTL
– real country, flag
– data center, provider, autonomous system (AS)
– your external IP address, ISP and change log (by time or when changing proxy)

– ping and traceroute from all continents (around 40 servers worldwide). Advanced traceroutes with three protocols simultaneously (TCP/UDP/ICMP)
– ping and traceroute from your computer
– links to Looking Glasses of 43 global providers (by provider name or by country/city)
– whois, BGP connections on bgp.he.net

– verification that the website really corresponds to the IP address it should have, giving protection against DNS spoofing/DNS hijacking. These attacks are used by various viruses and trojans, some unscrupulous providers, governments and security agencies.

DNS attacks redirect legitimate traffic to a fake website, or proxy it through a Man-in-the-Middle (MitM) position, for purposes such as
– stealing passwords
– listening to internet traffic
– providing falsified information
– intercepting online banking transactions
– censorship

For more, visit the plugin’s home page: https://www.wipmania.com/plugins/

To download add-on for firefox: https://addons.mozilla.org/el/firefox/addon/worldip/

 

Anti-Forensics – Delete UserAssist History

Windows Explorer maintains a list of frequently executed programs and opened shortcuts on a Windows machine in the UserAssist registry entries. It does this by keeping, in each user's NTUSER.DAT registry hive, a run count and the date and time of last execution for each entry.

UserAssist registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

On Windows 7, the UserAssist key contains two subkeys named

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}

To delete the UserAssist history, delete the Count subkey found under each of {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}.

 

Memory Protection Feature

Data Execution Prevention (DEP) is a memory protection feature available in modern operating systems: Linux, Mac OS X, iOS, Microsoft Windows and Android. DEP allows memory pages to be designated as non-executable. Its purpose is to prevent the contents of a region of memory from being executed as instructions by a program, service, device driver, etc. With DEP enabled, pages belonging to the stack, data segments and heap are protected against exploits that try to run code placed there. An application receives an exception with the status code STATUS_ACCESS_VIOLATION if it tries to execute code from a page that is marked as non-executable.

DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with limited protection for CPUs that do not have hardware support. Software-enforced DEP does not protect against execution of code in data pages, but counters SEH overwrite, another type of attack.

DEP was introduced on Linux in 2004 (kernel 2.6.8), on Windows in 2004 with Windows XP Service Pack 2, while Apple introduced DEP when they moved to x86 in 2006.

Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable. This helps prevent buffer overflow attacks from succeeding. In Windows, from version Vista, whether DEP is enabled or disabled for a particular process can be viewed on the Processes tab in the Windows Task Manager.

Software DEP (with no NX bit) is what Microsoft calls their enforcement of “Safe Structured Exception Handling”. Software DEP/SafeSEH simply checks when an exception is raised to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. However, even though it creates an impression that software DEP is related to the prevention of executing code in data pages, it is a different form of protection.

In Microsoft Windows, if an x86 processor supports DEP, and the system’s BIOS supports it and it has been enabled, either by the manufacturer or the user, then the NX features are turned on in Windows on a limited “OptIn” basis. (PAE must also be enabled in 32-bit Windows.) This setting provides protection only for a limited set of Windows system and binary files. To achieve full protection, the user must choose either “OptOut” (“turn on DEP for all programs and services except those I select”), covering all programs and processes not specifically exempted, or “AlwaysOn”, covering all. These are configurable through the System Properties interface. If DEP is not supported by the particular x86 processor used, no protection is given. Intel’s IA-64 architecture also has a form of NX, supported by Windows.

OptIn: DEP is enabled for system modules only (user application must explicitly opt in)

OptOut: DEP is enabled for all modules (user application must explicitly opt out)

AlwaysOn: enables DEP for all applications

AlwaysOff: disables DEP for all applications

How to view current system policy

Open a command prompt, change directory to %systemroot%\system32 and execute:

bcdedit.exe /enum all | findstr "nx"

How to set DEP policy

bcdedit.exe /set nx AlwaysOn

How to examine DEP status for an application
1. Download Process Explorer
2. Run it
3. Edit displayed columns to add DEP status column. (Menu->View->Select Columns..)

Retrieve MX records

nslookup is a command-line administrative tool for testing and troubleshooting DNS servers.

The syntax for noninteractive mode is:

nslookup [-option] [hostname] [server]

Parameters
Commands:   (identifiers are shown in uppercase, [] means optional)

 NAME            – print info about the host/domain NAME using default
                   server
 NAME1 NAME2     – as above, but use NAME2 as server
 help or ?       – print info on common commands
 set OPTION      – set an option

    all                 – print options, current server and host
    [no]debug           – print debugging information
    [no]d2              – print exhaustive debugging information
    [no]defname         – append domain name to each query
    [no]recurse         – ask for recursive answer to query
    [no]search          – use domain search list
    [no]vc              – always use a virtual circuit
    domain=NAME         – set default domain name to NAME
    srchlist=N1[/N2/.../N6] – set domain to N1 and search list to N1, N2,
                          and so on
    root=NAME           – set root server to NAME
    retry=X             – set number of retries to X
    timeout=X           – set initial time-out interval to X seconds
    type=X              – set query type (for example, A, ANY, CNAME, MX,
                          NS, PTR, SOA, SRV)
    querytype=X         – same as type
    class=X             – set query class (for example, IN (Internet), ANY)
    [no]msxfr           – use MS fast zone transfer
    ixfrver=X           – current version to use in IXFR transfer request

 server NAME     – set default server to NAME, using current default server
 lserver NAME    – set default server to NAME, using initial server
 finger [USER]   – finger the optional NAME at the current default host
 root            – set current default server to the root
 ls [opt] DOMAIN [> FILE] – list addresses in DOMAIN (optional: output to
                  FILE)

    -a          –  list canonical names and aliases
    -d          –  list all records
    -t TYPE     –  list records of the given type (for example, A, CNAME,
                   MX, NS, PTR, and so on)

 view FILE       – sort an ‘ls’ output file and view it with pg
 exit            – exit the program

Query MX Records

nslookup -type=mx example.com 8.8.8.8