Hello everybody. Today we will see about Zabbix toggleids sql injection exploit. First things first, what’s Zabbix. It is an enterprise open source monitoring software for networks and applications designed to monitor and track the status of various network services, servers, and other network hardware.
Zabbix uses MySQL, PostgreSQL, SQLite, Oracle or IBM DB2 to store data. Its backend is written in C and the web frontend is written in PHP. It has a web based interface and can be installed in both Linux and Windows. It boasts of over 13,000 downloads per week.
Zabbix version 3.0.3 suffers from SQL injection which can be exploited to steal the credentials. Let’s see how this exploit works. Start Metasploit and load the module as shown below.
As you can see, we need to set only one option “RHOST” which is the IP address of the target running Zabbix. Once you set the target, check whether its vulnerable or not using the “check” command.
Once we know target is vulnerable, executing the exploit using command “run” downloads the current usernames and password hashes from database to a JSON file. We can crack these password hashes and login into the Zabbix instance. See how to crack hashes with Kali Linux.
How to stay safe?
There are patches available. Please update.
Hello aspiring hackers. In many hacking scenarios, we encounter hashes. To those newbies who have no idea what hashes are, they are encrypted text ( literarlly we can’t call it text ). Normally they are used to encrypt passwords for website users, operating system users etc. Today our tutorial is about cracking hashes.
For this howto, we will use NewsP Free News Script 1.4.7 which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is password in encrypted format.
The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool to identify the type of hash we are cracking. It’s hash-identifier. Open a terminal and type command hash-identifier.
Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.
We can also use another tool hashid for similar purpose. It’s syntax is as shown below.
We know what the type of hash is. Now, it’s time to crack the hash.We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. This tool tries to crack the hash by using various online hash crackers available.
After successfully cracking the hash, it will display us the corresponding password as shown below. In our case, the password is admin.
Hello friends. Today we will see two exploits: credential disclosure and arbitrary text file download in WebNMS Framework server 5.2. To those newbies who don’t know what WebNMS Framework Server is, it is an industry-leading framework for building network management applications and has over 25,000 deployments worldwide.Its latest version consists two vulnerabilities : credential disclosure and arbitrary text file download.
First let us see the credential disclosure exploit. Start Metasploit and load the exploit as shown below. Type command “show options” to check its options. This server runs on port 9090.
Set the target and run the exploit. It will download the credentials and store it in a file as shown below.
The next vulnerability is arbitrary text file download. Load the exploit and see its options. It is automatically set to download shadow file in Linux.
Before running the exploit type command “info” to see the information about this exploit. As you can see below, it can only download text files and if it is a Windows instance the file should be in the same directory of WebNMS.
Since we are running WebNMS framework server on a Windows machine, I have created a text file called secret.txt in the same directory. Let us try the exploit now. Set the target address, file path as shown below and run the exploit. We can see that the file has benn successfully downloaded and saved in a directory.
Good Evening friends. Today we will see how to hack a remote Windows system using a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and he clicks on it. When victim clicks the malicious file, it sends a connection back to the hacker’s machine. The Hacker can control the victim’s machine using command & control server. Using RAT’s, the hacker can
- Block mouses and keyboards
- Change the desktop wallpapers
- Downloads, uploads, deletes, and rename files
- Destroys hardware by overclocking
- Drop viruses and worms
- Edit Registry
- Use your internet connection to perform denial of service attacks (DoS)
- Format drives
- Steal passwords, credit card numbers
- Alter your web browser’s homepage
- Hide desktop icons, task bar and file
(Data from Wikipedia )
The picture given below should explain the scenario. More about RATs later.
You can see the command and control server of Poison Ivy RAT below . Poison Ivy is one of the popular RAT’s and many variants of it are still active. It was used in RSA SecureID attack. Poison Ivy RAT 2.1.x versions suffer from a stack buffer overflow vulnerability. Using this vulnerability, the machines running C&C server can be hacked. So here, its a case of hacker getting hacked.
We will learn more about RATS in our next howtos. But now let us see how to hack a Windows machine running a PoisonIvy C&C server with PoisonIvy buffer overflow exploit. Open Metasploit and load the exploit as shown below. The only option necessary is RHOST. As shown below, this RAT runs on port number 3460. Set the RHOST and check whether the target is vulnerable.
Now, as the target is vulnerable, set the payload and hit on Run. You should get the meterpreter on the remote machine as shown below.
Good afternoon friends. Today we will see hacking Advantech Webaccess Dashboard 8.0 with Metasploit. Advantech WebAccess is a 100% web based SCADA software. It is a cross-platform, cross-browser data access experience and a user interface based on HTML5 technology. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets development and management.
SCADA (Supervisory Control And Data Acquisition) is a system for remote monitoring and control that operates with coded signals over communication channels. Vulnerabilities in SCADA systems are considered very serious as they are used in monitoring various industrial and infrastructure processes like power generation, water treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms and large communication systems.
The version 8.0 of this Adavantech Webaccess suffers from arbitrary file upload vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess and that too without the need of authentication. Start Metasploit and load the exploit as shown below.
Set the target IP address and check whether the target is vulnerable.
If the target is vulnerable a shown above, set the required payload. We are trying to get a shell in our target.
Execute the exploit by typing command “run”. The exploit will run and …………
a command shell will be opened on our target as shown below. See it was very easy to get into a SCADA system.
Good evening friends. “PCMan’s FTP Server is a free software mainly designed for beginners not familiar with computer, hoping that it can make setting up a basic FTP server very easily. Functionality and security are not the major concern. Usability, however, is the most important concern” according to their makers. However version 0.7 of this software has a Buffer Overflow vulnerability for which exploit has been released by Metasploit. First of all, we need to perform enumeration to find services in our targets. To know more about enumeration, read this. Now let’s see Hacking PCMAN FTP Server with Metasploit.
Start Metasploit and load the exploit. as shown below.
Set the IP address of our target as shown below. Check the payloads by typing command “show payloads”.
Choose any payload you require. I am choosing the meterpreter payload. Check if our target is vulnerable using the “check” command.
Next execute our exploit by typing command “run”. You will successfully get the meterpreter session on the target. The only downfall with this exploit is it is only working on Windows XP. Happy hacking.
Good morning friends. Today we will see how to hack Easy File sharing HTTP Server 7.2 with Metasploit. Easy File Sharing HTTP server is a is a Windows program that allows you to host a secure peer-to-peer and web-based file sharing system without any additional software or services. It doesn’t require additional HTML page design. It allows you to run a web site on your own PC, share photos, movies, videos and music/MP3 files securely. It also allows visitors to upload/download files easily through web-based interfaces. A recent version of this software i.e 7.2 has a SEH overflow vulnerability which can be exploited by crackers to spawn a shell in the target system. If you have gone through my previous howto’s you should be well aware how to find the vulnerable targets but in some cases we may require enumeration of our target machines. Read this to know more about enumeration. Now let’s see hacking Easy File Sharing HTTP Server 7.2 with Metasploit. Start Metasploit and load the module as shown below.
The only option it requires is the RHOST. Needless to say it is the IP address of our target. Set the target and check the payloads this exploit supports.
Set the payload you want. I have set the below payload.
Type command “show options” to check whether all options are set.
It’s time to run the exploit. Type command “run” and if all goes well, you will get a shell in the remote system. Happy hacking.
Good Evening friends. Today we will see how to exploit a vulnerability in the recent version of a popular program Atutor with Metasploit. This vulnerability exists in the most recent version released, i.e Atutor 2.2.1. For those newbies who don’t know what is atutor, it is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. It boasts of 216 downloads per week from Sourceforge itself. There are two vulnerabilities present in the version mentioned above. We will exploit a SQL injection vulnerability in this howto. So let’s get onto hacking atutor 2.2.1 with Metasploit. Start Metasploit and load the exploit as shown below.
Set the required options. For present, we will only need the target IP address. Check if your target is vulnerable or not as shown below.
Type command “show payloads” and choose the required payload. I chose the payload below. Once again, type command “show options” and set the attacker system’s( i.e our system’s ) IP address which I am not gonna show below.
Run the exploit by typing command “run”. The exploit will run and a command shell will be opened into the target system as shown below. ( Watch out for the easter egg which we will use in our future howto’s).
To know about the target system, type commands as shown below. Happy hacking.
Good evening friends. Today we will see how to exploit PHP utility belt remote code execution vulnerability. All the credit for this exploit goes to one “WICS” of exploit-db.com. The exploit is shown below. Here in this howto, I will just show you how to use this exploit. For those guys who don’t know what PHP Utiltiy belt is, it is PHP utility belt is a ” set of tools for PHP developers. We can just install it in a browser-accessible directory and have at it.”
Here is video version of this howto. If you want textual version scroll down.
This is how php utility belt can be set up as shown below.
Before we try our exploit, let’s try to access a file known as “info.php” through the url as shown below. You will get an error as shown below.
Now enter the given PHP code as shown below and hit on “Run”. This is our remote command execution exploit.
Now once again try to access the file you tried to access above. you should get the file listed as shown below. Hence we successfully did a remote command execution.
NOTE: This is for education purpose only
Good Evening friends, today we will see about arbitrary file access vulnerability in Kodi 15. For those guys who have no idea what Kodi is, it is “an award-winning free and open source cross-platform software media player and entertainment hub for HTPCs. Kodi can be used to play almost all popular audio and video formats around.” We will exploit a LFI vulnerability in its web interface.
Before we start, let me make clear that the credit for finding this vulnerability goes to one “MICHAEL PRONK” of exploit-db. I am just showing how to use that exploit. The exploit is shown below.
Ok, now let’s see it in real time. Open Shodan ( which means you should have an account there ) and search for “title:kodi os:linux” as shown below. We are searching for all Linux machines with Kodi installed on them. The results will be as shown below.
Now open any one interface. It should look like below. Kodi, by default runs on port 8080.
Now we will try to access the passwd file available in this Linux machines. Just after port number, try this query
as shown below. You should get the contents of passwd file as shown below.
Here’s another example.