OK, so I showed you how to perform some basic SQLi previously, but there will be times when it starts off working and then you find yourself facing a FORBIDDEN page (403 error) or a Not Acceptable page. Typically you can find the vulnerable page and find the column count, and then when you switch to a UNION SELECT statement the errors start up. This is typically due to server-side rules that filter out your request, often referred to as a Web Application Firewall or WAF, but don't worry, as there are ways we can beat them. You can get pretty creative with the methods used, but for now I will show how to use comments to bypass the filters, sometimes referred to as inline comments or C comments.
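The reason inline comments get past a filter is that the rule matches the raw request text rather than what the database will execute. The added example below (not code from the original post) shows a keyword rule applied naively and then after stripping C-style comments and collapsing whitespace, the normalisation step a WAF needs before matching; the sample parameter values are constructed for the demonstration.

```python
import re

# Constructed sample parameter values (not from the original post): a plain
# UNION SELECT attempt, two comment-obfuscated variants, and a benign value.
SAMPLE_PARAMS = [
    "1 UNION SELECT 1,2,3",
    "1/**/UNION/**/SELECT/**/1,2,3",
    "1 UNION/*x*/SELECT 1,2,3",
    "42",
]

# A naive rule: the two keywords separated by ordinary whitespace only.
NAIVE_RULE = re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)

# C-style comment, non-greedy so adjacent comments are handled separately.
C_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize_sql(param: str) -> str:
    """Replace every C comment with a space, collapse whitespace, upper-case.

    This approximates what the SQL parser sees, which is what a filter
    should match against rather than the raw bytes of the request.
    """
    stripped = C_COMMENT.sub(" ", param)
    return " ".join(stripped.split()).upper()


def naive_match(param: str) -> bool:
    """Apply the keyword rule to the raw parameter value."""
    return bool(NAIVE_RULE.search(param))


def normalized_match(param: str) -> bool:
    """Apply the same rule after normalisation."""
    return bool(NAIVE_RULE.search(normalize_sql(param)))


def classify(params):
    """Return (value, naive_hit, normalized_hit) for each parameter value."""
    return [(p, naive_match(p), normalized_match(p)) for p in params]


if __name__ == "__main__":
    for value, naive_hit, norm_hit in classify(SAMPLE_PARAMS):
        print(f"{value!r:40} naive={naive_hit!s:5} normalized={norm_hit}")
```

Only the first sample trips the naive rule; after normalisation both comment-obfuscated variants are caught and the benign value still passes.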
Double Query
Works exactly the same as error based injection, but the error based query is doubled into a single query statement so that we again successfully get an error message.
Determine when we should use error or double query injection: when you switch over to UNION SELECT statements the page returns an error saying something like:
Case 1: The used SELECT statements have a different number of columns.
Case 2: Unknown column 1.
Case 3: Nothing returns at all, and you can't find the columns in the web content.
Then you can also use error based injection.
Error Based
By injecting a specific query (I will show you this later in the tutorial), we get an error message returned in the page. This message actually gives us sensitive database information; that's why we call this error based SQL injection.
########################################################
# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2
# Security Risk : High
# Tested on : Linux
# Dork : inurl:ajaxfs.php
########################################################
Details
+++++++++++++++++++++++++++++++++++++++++++++
Product : PrettyPhoto Plugin
Security-Risk : Moderate
Remote-Exploit : yes
Company : RHAINFOSEC
Website : http://services.rafayhackingarticles.net
Vendor-URL : https://github.com/scaron/prettyphoto
Vendor-Status : informed
Advisory-Status : published
+++++++++++++++++++++++++++++++++++++++++++++
############################################################
#Title : Wordpress iThemes2 Themes Arbitrary File Upload
#Author : DevilScreaM
#Date : 11/20/2013 - 20 November 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themify.me/
#Link : http://themify.me/themes/ithemes2
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : Arbitrary File Upload
############################################################
##############################################################
#Title : Wordpress Suco Themes Arbitrary File Upload
#Author : DevilScreaM
#Date : 11/20/2013 - 20 November 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themify.me/
#Link : http://themify.me/themes/suco
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : Arbitrary File Upload
################################################################
#########################################################
# Exploit Title : phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork : inurl:phpliteadmin.php (Default PW: admin)
# Vendor Homepage : http://code.google.com/p/phpliteadmin/
# Vendor Status : Informed
# Software Link : http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version : 1.9.3
# Tested on : Windows and Linux
#########################################################
Document Title:
+++++++++++++++++++++++++++++++++++++++++
PayPal Inc Bug Bounty #42 - Persistent POST Inject Vulnerability
References (Source):
+++++++++++++++++++++++++++++++++++++++++
http://www.vulnerability-lab.com/get_content.php?id=801
PayPal Security UID: kxy1ea5ech
Release Date:
+++++++++++++++++++++++++++++++++++++++++
2013-11-18
Vulnerability Laboratory ID (VL-ID):
+++++++++++++++++++++++++++++++++++++++++
801
Common Vulnerability Scoring System:
+++++++++++++++++++++++++++++++++++++++++
3.5
###########################################################
# Exploit Title : Ruckus Wireless Zoneflex 2942 Wireless Access Point vulnerable to Authentication bypass
# Date : 10/10/2013
# Exploit Author : myexploit
# Homepage : http://www.ruckuswireless.com/
# Version : 2942 Wireless Access Point version 9.6.0.0.267
# CVE : CVE-2013-5030
###########################################################
OPTOMISE SYSTEM Ltd (UK Ministry of Defence and emergency services) Full Directory Information Disclosure / Persistent XSS Vulnerability
Time Line
04-11-2013 Security Advisory
07-11-2013 Ask About the Issues -> No Response
14-11-2013 Ask About the Issues -> No Response -> Not Fixed
18-11-2013 Full Disclosure
########################################################
# Exploit Title : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilities
# Author : KedAns-Dz
# Platform : PHP / WebApp
# Cat/Tag : Shell / File Upload , Auth Bypassing , Multiple
# TinyMCE v3.2.7 or ..x suffers from multiple vulns / bugs :p
# A remote attacker can bypass auth and upload files, shells etc...
# 1st try with this dork :
# google dork : allinurl:/plugins/imagemanager/pages/im/index.html
########################################################
#############################################################
# Exploit Title : WP Front-End Repository Manager Arbitrary File Upload Vulnerability
# Author : DaOne aka MockingBird
# Vendor Homepage : http://wordpress.org/plugins/wp-front-end-repository/
# Download link : http://downloads.wordpress.org/plugin/wp-front-end-repository.1.1.zip
# Version : 1.1
# Category : webapps/php
# Google dork : inurl:wp-content/plugins/wp-front-end-repository
#############################################################
###############################################################
# Exploit Title : WordPress Project 10 Themes - Remote File Upload Vulnerability
# Author : Byakuya
# Date : 11/18/2013
# Vendor Homepage : http://themeforest.net/
# Themes Link : http://themeforest.net/item/project-10-magazine-theme/2513938
# Affected Version : v1.0
# Infected File : upload-handler.php
# Category : webapps/php
# Google dork : inurl:/wp-content/themes/project10-theme/
# Tested on : Windows/Linux
###############################################################
Advisory ID : HTB23180
Product : Tweet Blender Wordpress Plugin
Vendor : kirilln
Vulnerable Version(s) : 4.0.1 and probably prior
Tested Version : 4.0.1
Advisory Publication : October 25, 2013 [without technical details]
Vendor Notification : October 25, 2013
Vendor Patch : November 13, 2013
Public Disclosure : November 15, 2013
Vulnerability Type : Cross-Site Scripting [CWE-79]
CVE Reference : CVE-2013-6342
Risk Level : Low
CVSSv2 Base Score : 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status : Fixed by Vendor
Discovered and Provided : High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
# Exploit Title: Facebook URL open Redirection
# Date: 05/11/2013 - 01/01/1435
# Exploit Author: The Black Devils " Asesino04"
# Vendor Homepage: http://www.facebook.com/
# Tested on: Mozilla firefox
1. DES (Unix)
[+] Used in Linux and the like.
[+] Length: 13 characters.
[+] Description: The first two characters are the salt (random characters; in our example the salt is the string "Iv."), followed by the hash.
[+] Example: IvS7aeT4NzQPM
2. Domain Cached Credentials
[+] Used to cache Windows domain passwords.
[+] Length: 16 bytes (32 characters)
[+] Algorithm: MD4(MD4(Unicode($pass)).Unicode(strtolower($username)))
[+] Example: Admin:b474d48cdfc4974d86ef4d24904cdd91
For when you want to steal someone's session cookies but you don't want to raise the alarm!
What/why?
Stealing cookies isn't complicated, but sometimes it can be tricky depending on what is filtered from your JS injection. It can be made much harder if your aim is to steal them silently without the person knowing.
POST HTTP method XSS exploitation without the target filling out a form... SILENTLY
What's POST method XSS?
A cross-site scripting vulnerability that is exploited by sending the input from a form to the vulnerable website via the POST HTTP method (so it could be a search box on a site that uses POST rather than GET).
How does exploitation differ from GET method XSS?
When a GET request is made, the request is sent over HTTP in the form: website.com/search.php?keyword=whatever.
When a POST request is made, the request is sent over HTTP in the form: website.com/search.php (the content, e.g. keyword=whatever, is sent in the body of the HTTP request rather than as part of the URL).
With that in mind, the typical reflected XSS attack can't be sent to the target like normal:
website.com/search.php?keyword="><script>evil-javascript</script>
With the POST method, the user actually has to fill out a form on your evil-site, and usually click "submit", which allows evil-site to send the user along with the POST request to the target website. The contents of the POST request will contain the javascript payload, which ends up running.
During a website audit, upload forms and other interactive 'user-content' driven facilities are often found to be protected by client-side and/or server-side security checks. This tutorial presents the methods that can be used to circumvent these security checks. In this case we're specifically considering image uploads that allow JPG files in particular.
Each security measure numbered below will be briefly discussed and paired with an appropriate bypass method; this tutorial aims to provide a complete-ish solution.
download WZCooK
Let's Play!
1. Make sure you are in the area of the locked Wifi
2. Open the application wzcook.exe
3. Wait a few moments until the password and the name of the Wifi are shown
4. Press [CTRL] + [C] to save the data to C:\wepkeys.txt
5. That password is the WEP key
6. Copy and paste the password
7. Click Connect
#Title : Wordpress Make A Statement Themes CSRF File Upload Vulnerability
#Author : DevilScreaM
#Date : 11/17/2013 - 17 November 2013
#Category : Web Applications
#Type : PHP
#Version : 1.x.x
#Vendor : http://themes.mas.gambit.ph/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Title : Wordpress Amplus Themes CSRF File Upload Vulnerability
#Author : DevilScreaM
#Date : 11/17/2013 - 17 November 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themeforest.net
#Download : http://themeforest.net/item/amplus-responsive-multilingual-wordpress-theme/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Title : Wordpress Dimension Themes CSRF File Upload Vulnerability
#Author : DevilScreaM
#Date : 11/17/2013 - 17 November 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themeforest.net
#Download : http://themeforest.net/item/dimension-retina-responsive-multipurpose-theme/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Title : Wordpress Euclid V1 Themes CSRF File Upload Vulnerability
#Author : DevilScreaM
#Date : 11/17/2013 - 17 November 2013
#Category : Web Applications
#Type : PHP
#Version : 1.x.x
#Vendor : http://freelancewp.com
#Download : http://freelancewp.com/wordpress-theme/euclid/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security | Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Indonesian Coder
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Xrwrr | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
CVE-2013-6225: Security Advisory – Curesec Research Team
1. Introduction
Advisory ID : Cure-2013-1007
Advisory URL : https://www.curesec.com/de/veroeffentlichungen/advisories.html
Blog URL : https://cureblog.de/2013/11/remote-code-execution-in-livezilla/
Affected Product : LiveZilla version 5.0.1.4
Affected Systems : Linux/Windows
Fixed in : 5.1.0.0
Fixed Version Link : https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe
Vendor Contact : support@livezilla.net
Vulnerability Type : Remote Code Execution / Local File Inclusion
Remote Exploitable : Yes
Reported to vendor : 18.10.2013
Disclosed to public : 15.11.2013
Release mode : Coordinated release
CVE : CVE-2013-6225
Credentials : crt@curesec.com
Written in: Perl & converted to executable
More powerful
More options
More lists
New Box
Sounds added
Enter site url : Insert the site url in the blank field.
Enable Response time : This option enables the response time. If you leave it off, the default response time is 50 seconds.
Select time to Response : Select the response time for any request to the server. If the request exceeds the time you specify and does not respond, it passes to the next path.
Select User Agent : This option is important because it lets us choose which browser the server will see, so the server cannot tell that the requests come from a program.
Select Method : Here you have the choice of method and source code.
Kali Linux is a
GPL-compliant Linux distribution built by penetration testers for penetration
testers with development staff consisting of individuals spanning different
languages, regions, industries, and nationalities.
The evolution of Kali took
place over many years of development, penetration tests, and unprecedented help
from the security community. Kali Linux originally started with earlier
versions of live Linux distributions called BackTrack, Whoppix, IWHAX, and Auditor.
When it was initially
developed, Kali was designed to be an all-in-one live CD to be used on security
audits and was specifically crafted to not leave any remnants of itself on the
system. With millions of downloads, it has become the most widely adopted
penetration testing framework in existence and is used by the security
community all over the world.
RFI
Stands for Remote File Inclusion. RFI is a type of vulnerability that is most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity it can lead to, to list a few:
1. Data theft/manipulation.
2. Code execution on the web server.
3. Denial of Service (DoS).
4. Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross site scripting (XSS).
LFI
Stands for "Local File Inclusion". LFI is a type of web-application security vulnerability. LFI is only one of many web-application security vulnerabilities. Web applications are applications (in other words: pages/websites) you can view and interact with in your web browser. In this tutorial I will show you how to deface a website using an LFI vulnerability.
First of all you need two things:
1. You will need Firefox
2. The TamperData addon for Firefox
LFI allows you to include a local file (which means that the file is stored on the server) and run it in a web script.
In this tutorial we are going to upload a shell by accessing /proc/self/environ.
Let's Get Started:
Step 1: First you have to download This ASP Shell
Step 2: Now Open http://www.google.com and enter this dork (This Dork is for Finding DNN vulnerable sites)
DNN Dorks:
inurl:/tabid/36/language/en-US/Default.aspx
OR
inurl:/Fck/fcklinkgallery.aspx
Things you can do with google
Find Botnets
Find People/Info/DoX
Find Vulnerable Sites
View Deleted Files/Sites
Finding things you're not supposed to
Obtaining things for free
Today I'm going to be showing you how to do all of these and more, and how to protect yourself against them.
Here again a new 0day of WHMCS.
It affects version 5.2.8 (the current version).
Again shit poor coding in the new version of WHMCS.
The epicness is not over. They make the same mistake in /includes/dbfunctions.php
We can manipulate the GET/POST variables and end up with something like $key = array('sqltype' => 'TABLEJOIN', 'value' => '[SQLI]');
By using this vulnerability we can also change /configuration.php to whatever we want.
John the Ripper is a program for decrypting passwords. Although it has many functions, we will look at using it as a decrypter for a password file you have. We will look at a password file you already have on your hard disk.
PREPARATION
1. Download the correct version of JTR; use win32 for Win 95/98
2. Extract the zip file to a directory
3. Make sure your password file is in the same directory