Ankit Kumar Agarwal » script

Javascrit injections

Ankit Kumar Agarwal — Sun, 12 Oct 2008 11:45:00 +0000

Today I have brought for you another type of exploit of browser that is Javascript Injection. Javascript injection is a nifty little technique that allows you to alter a sites contents without actually leaving the site. This can be very usefull when say, you need to spoof the server by editing some form options. Examples will be explained throughout.

Injection Basics

Javascript injections are run from the URL bar of the page you are visiting. To use them, you must first completly empty the URL from the URL bar. That means no http:// or whatever.

Javascript is run from the URL bar by using the javascript: protocol. In this tutorial I will only teach you the bare bones of using this, but if you are a Javascript guru, you can expand on this using plain old javascript.

The two commands covered in this tutorial are the alert(); and void(); commands. These are pretty much all you will need in most situations. For your first javascript, you will make a simple window appear, first go to any website and then type the following into your URL bar:

javascript:alert(‘Hello, World’);

You should get a little dialog box that says “Hello, World”. This will be altered later to have more practical uses.

You can also have more than one command run at the same time:

javascript:alert(‘Hello’); alert(‘World’);

This would pop up a box that said ‘Hello’ and than another that says ‘World’.

Cookie Editing

First off, check to see if the site you are visiting has set any cookies by using this script:

javascript:alert(document.cookie);

This will pop up any information stored in the sites cookies. To edit any information, we make use of the void(); command.

javascript:void(document.cookie=”Field = myValue”);

Would either make the field “authorized” or edit it to say “yes”… now wheter or not this does anything of value depends on the site you are injecting it on.

It is also useful to tack an alert(document.cookie); at the end of the same line to see what effect your altering had.

Form Editing

Sometimes, to edit values sent to a given website through a form, you can simply download that html and edit it slightly to allow you to submit what you want. However, sometimes the website checks to see if you actually submitted it from the website you were supposed to. To get around this, we can just edit the form straight from javascript. Note: The changes are only temporary, so it’s no tuse trying to deface a site through javascript injection like this.

Every form on a given webpage (unless named otherwise) is stored in the forms[x] array… where “x” is the number, in order from top to bottom, of all the forms in a page. Note that the forms start at 0, so the first form on the page would actually be 0, and the second would be 1 and so on. Lets take this example:

Note:Since this is the first form on the page, it is forms[0]

Say this form was used to email, say vital server information to the admin of the website. You can’t just download the script and edit it because the submit.php page looks for a referer. You can check to see what value a certain form element has by using this script:

javascript:alert(document.forms[0].to.value)

This is similar to the alert(document.cookie); discussed previously. In this case, It would pop up an alert that says “admin@website.com”

So here’s how to Inject your email into it. You can use pretty much the same technique as the cookies editing shown earlier:

javascript:void(document.forms[0].to.value=”email@nhacks.com”)

This would change the email of the form to be “email@nhacks.com”. Then you could use the alert(); script shown above to check your work. Or you can couple both of these commands on one line.

credits:unknown

All About FTP

Ankit Kumar Agarwal — Sun, 12 Oct 2008 11:27:00 +0000

FTP
Index of this post

About FTP
Windows FTP
Unix FTP
FTP commands
Technical Support

About FTP

FTP is short for File Transfer Protocol,And here is the rest of it. this page contains additional information about the FTP command and help using that command in Unix and MS-DOS (Windows). See our FTP section in our dictionary for a complete definition on FTP.

Windows FTP

From the MS-DOS prompt or shell type in FTP, once typed in you will have access to the FTP command line. In this command line type:

open ftp.address.domain

Where address is the name of the server and the domain is the domain such as .COM, .NET… In addition, the IP address can be typed in, such as 255.255.255.0.

Once connected you will be asked for a username and password; if done successfully, you will have access to transfer files between computers.

Unix FTP

Unix FTP is used much like Windows; from a command prompt or shell, type in FTP, from FTP you should be able to log into a server, providing you have the proper access.

FTP Commands

Depending upon the version of FTP and the operating system being used, each of the below commands may or may not work. Generally typing -help or a ? will list the commands available to you.

Command
Information
! Using this command you will have the capability of toggling back and forth between the operating system and ftp. Once back in the operating system generally typing exit will take you back to the FTP command line.
? Access the Help screen.
abor Abort Transfer
append Append text to a local file.
ascii Switch to ASCII transfer mode
bell Turns bell mode on / off.
binary Switches to binary transfer mode.
bye Exits from FTP.
cd Changes directory.
cdup Change to parent directory on remote system
close Exits from FTP.
cwd Change working directory on remote system
dele Delete file on remote system
delete Deletes a file.
debug Sets debugging on / off.
dir Lists files if connected.

dir -C = Will list the files in wide format.
dir -1 = Lists the files in bare format in alphabetic order
dir -r = Lists directory in reverse alphabetic order.
dir -R = Lists all files in current directory and sub directories.
dir -S = Lists files in bare format in alphabetic order.
disconnect Exits from FTP.
get Get file from the computer connected to.
glob Sets globbing on / off.
hash Sets hash mark printing on / off
help Access the Help screen and displays information about command if command typed after help.
lcd Displays local directory or if path typed after lcd will change local directory.
list Send a list of file names in the current directory on the remote system on the data connection.
literal Sends command line
ls Lists files if connected.
mdelete Multiple delete
mdir Lists contents of multiple remote directories
mget Get multiple files
mkd Make directory.
mkdir Make directory.
mls Lists contents of multiple remote directories.
mode Specifies the transfer mode. Available parameters are generally S, B or C.
mput Sent multiple files
nlst Send a full directory listing of the current directory on the remote system on the data connection.
open Opens address.
pass Supplies a user password.
port Specify the client port number.
prompt Enables/disables prompt.
put Send one file
pwd Print working directory
quit Exits from FTP.
quote Send arbitrary ftp command
recv Receive file
retr Get file from remote system.
remotehelp Get help from remote server
rename Renames a file
rmdir Removes a directory
send Send single file
status Shows status of currently enabled / disabled options
trace Toggles packet tracing
type Set file transfer type
user Send new user information
verbose Sets verbose on / off.

TECHNICAL SUPPORT

How do I send and receive files once connected in MS-DOS FTP?

To get files from the server and place them in your current working directory, on the machine you are working, type:

get myfile.htm

Where myfile.htm is the name of the file you wish to get from the computer connected to.

To send a file from your computer to the computer you are connected to (providing you have proper rights and the file exists in the current working directory), type:

send myfile.htm

Where myfile.htm is the name of the file that exists in the current directory; if you cannot recall the name of the file, use the ! command to temporally get back to a MS-DOS prompt; once you have located the file name, type exit to get back to the location you left in FTP.

In MS-DOS FTP I am only able to send files in the directory that I typed FTP in.

Set the LCD, for example, if you want to send files that are in the C:\Windows directory, type:

LCD c:\windows

How do I download multiple files from an FTP server?

Use the mget command, which is short for multiple get. Using the mget command you can get multiple files by using wildcards. For example, ” mget *.* ” would get all files in the current directory.

By default, prompting would be enabled; if you wish to get all files without being prompted, use the “prompt” command to disable/enable prompting.

When attempting to connect to an FTP address, receiving “10061″ error

This error is caused when the server is refusing the connection.

Attempt to connect to an alternate FTP address.

If you are able to connect to other FTP addresses, it is likely the site generating the error 10061 is refusing to accept your connection because of security privileges or because it is not an FTP server.

If you are unable to connect to any address, it is likely an issue with the network or computer configuration.

1. Ensure that the network configuration settings are properly setup as well as FTP rights.
2. Verify that the firewall is properly setup to accept FTP access.

How to create a Windows FTP script

Create a text document with commands used when in FTP. Below is an example of what such a script may look like:

open ftp.domain.com
username
password
cd public_html
dir
get file.txt
bye

The above script will log into the ftp site ftp.domain.com. Once connected, it will enter the username and then the password (substitute username for your username and password for your password). Once logged in, the script then goes into the public_html directory, gets a directory listing and then uses the get command to get the file called file.txt. Once the file is received, it logs off using the bye command.

Once the script file has been created, for example, if it was called script.txt, to execute this script with ftp you would type:

ftp -s:script.txt

credits:-unknown