Everything posted by pierre

  1. pierre

    42.zip bomb

    Haha, it will crash my computer for sure if I extract it! Furthermore, I understand that there are 16 layers of zip files, each one containing zip files and so on.. But I still don't know how they manage to have only a 42 KB zip file, whereas I have a nearly 1 MB zip file that only contains 1 GB.....
  2. pierre

    42.zip bomb

    $ zipinfo 42.zip
    Archive: 42.zip
    Zip file size: 42838 bytes, number of entries: 16
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 0.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 1.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 2.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 3.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 4.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 5.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 6.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 7.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 8.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 9.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib a.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib b.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib c.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib d.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib e.zip
    -rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib f.zip
    16 files, 558432 bytes uncompressed, 40192 bytes compressed: 92.8%

    I don't think I can go deeper without any extraction..
  3. pierre

    42.zip bomb

    Hello, I was trying to make a 42.zip bomb, which is: "A file that is only 42,374 bytes (42KB). When unzipped it becomes 4,503,599,626,321,920 bytes (4.5 Peta Bytes)!!!" Me, I can only achieve a 1 MB zip file that contains an almost 1 GB txt file:

    $ zip bomb.zip bomb_1G.txt
      adding: bomb_1G.txt (deflated 100%)
    $ du -h bomb.zip
    948K bomb.zip
    $ zipinfo bomb.zip
    Archive: bomb.zip
    Zip file size: 970656 bytes, number of entries: 1
    -rw-r--r-- 3.0 unx 1000000000 tx defN 18-Jun-21 06:12 bomb_1G.txt
    1 file, 1000000000 bytes uncompressed, 970484 bytes compressed: 99.9%

    Do you know how I could achieve a better "bomb" with less space? Regards
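    The three posts above show the two numbers a zip bomb plays with, the per-entry compression ratio and the number of nested layers, both of which zipinfo reads from the central directory without extracting anything. The following is an added example, not code from this thread: it sizes an archive tree from its headers before any extraction, recursing into nested .zip members only while they are small and stopping at a depth limit; the build_nested_zip helper, its member names and the threshold constants are assumptions made for the demo.

```python
import io
import zipfile

# Thresholds are assumptions for this demo; tune them for your environment.
MAX_DEPTH = 4                 # archive-in-archive layers tolerated
MAX_RATIO = 100.0             # per-entry uncompressed:compressed ratio
MAX_TOTAL = 1 << 30           # declared uncompressed bytes allowed for the whole tree
NESTED_READ_LIMIT = 1 << 20   # only decompress nested archives declared <= 1 MiB


def inspect_zip(data, depth=0):
    """Size an archive from its central directory without extracting payload
    members. Returns (declared leaf bytes, deepest nesting seen, findings)."""
    if depth > MAX_DEPTH:
        return 0, depth, [f"nesting exceeds {MAX_DEPTH} layers; stopped walking"]
    leaf_total, deepest, findings = 0, depth, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / info.compress_size if info.compress_size else 0
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: {ratio:.0f}:1 at depth {depth}")
            nested = info.filename.lower().endswith(".zip")
            if nested and info.file_size <= NESTED_READ_LIMIT:
                # Only the small nested container is decompressed, never its leaves.
                sub_total, sub_depth, sub_findings = inspect_zip(zf.read(info), depth + 1)
                leaf_total += sub_total
                deepest = max(deepest, sub_depth)
                findings.extend(sub_findings)
            else:
                if nested:
                    findings.append(f"{info.filename}: nested archive too large to walk")
                leaf_total += info.file_size      # header value only, nothing extracted
    if depth == 0 and leaf_total > MAX_TOTAL:
        findings.append(f"declared {leaf_total} bytes exceeds {MAX_TOTAL}")
    return leaf_total, deepest, findings


def build_nested_zip(levels, fanout, payload):
    """Constructed input: `levels` layers, each holding `fanout` copies of the
    layer below, so the declared leaf size is fanout**levels * len(payload)."""
    data, name = payload, "payload.txt"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"{i}_{name}", data)
        data, name = buf.getvalue(), f"lib{level}.zip"
    return data
```

    On the constructed sample `build_nested_zip(3, 4, b"\0" * (1 << 20))`, a few tens of KB on disk, `inspect_zip` reports 64 MiB of declared leaf data across three layers and flags every innermost member's ratio, while a flat archive of ordinary text returns no findings.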
  4. Yes it is... Also, I got the free version and each time I restart Burp the extension has been removed and I have to install it again... Have you got a solution for keeping the extension on Burp Suite even after a restart? I would have created a Burp project but I can't with the free version... EDIT: I think I have to run Burp Suite as root to install an extension because the installation is at /usr/bin, which requires admin privileges to write anything.
  5. Hello, I am trying to install the extension "wsdler" for exploiting web services. (https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f) But during the installation in Burp, I got an error: And the details: Have you got any clue how to resolve this issue? I don't think it is a space allocation problem because the extension doesn't exceed 1 MB.. And I really don't know how to deal with a permission problem! Thanks EDIT: solved, just need to launch Burp with "root" rights
  6. Hello, I would like to block ping sweeps, which make it possible to determine whether a host is up or not by sending TCP SYN packets. But if the host has a web server that is supposed to be reachable, how can I block TCP SYN packets? Regards,
  7. Ah ok, I thought it was related to some "Microsoft CVE nomenclature". Indeed, "Microsoft Security Bulletin". Thanks :)
  8. Ok so for this point above: The security update that patches the vulnerability MS16-047 is ID 3149090, and it also patches the vuln MS16-007 (that was originally patched with security update 3121918). -> So it is recommended to apply security update 3149090 to patch both MS16-047 & MS16-007. Is that so?
  9. Yes, but I did not understand "in any chain of superseded updates". So it can be translated as: "The security update ID for patching the MS16-047 vulnerability"
  10. Hello, I was working on Windows vulnerabilities. Looking at a security bulletin, I did not understand a column. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-047 See: What does "Updates replaced" mean, and specifically the huge number "3121918"? (related to the vulnerability name) Thanks
  11. But the SSL session ID doesn't change between the two requests (even if I know you are talking about the TCP session ID): I even get a warning message because the same session keys seem to be re-used! But a new handshake is occurring, so why is the same session ID and key (symmetric primary key?) generated again to cipher the exchange?
  12. Hello, I am working around the HTTPS protocol. I made two requests with my web browser: 1- request the login page 2- send my credentials to the server. I was inspecting my network mark, but I discovered that the HTTPS handshake is made each time the client (web browser) makes a web request. As you can see: Is it a normal behaviour? Isn't making a new secret primary key each time too heavy? I thought only one primary key was created at the outcome of the handshake and then used each time a new web request was made. Feel free to explain it to me :) Thanks
  13. Ok, we agree on determining a single word, login or password. But now the number of possibilities for the combination of credentials login:password, each between 6 and 8 characters long, is: P = [(62 ^ 6) + (62 ^ 6) + (62 ^ 8)] x 2 ?
  14. Hello, I have a doubt about a math calculation regarding a bruteforce operation. If I have to look for credentials (login+password) between 6 and 8 characters long, mixing lowercase/uppercase/numeric, is the right number of possibilities: P = [(26+26+10)^6 + (26+26+10)^7 + (26+26+10)^8] * 2 ? Thanks :)
  15. Ok I should inspect the server side to know why my injection works.
  16. Hello, I have been looking at blind SQL injection recently :) Indeed, in a login:pwd interface I entered a valid mail username along with this as a password: test'-SLEEP(5)# Then I landed in the account interface!! I don't get it at all.. Isn't blind SQLi supposed to guess the password by trying each letter like: test'-(SELECT * FROM (SELECT(SLEEP(20)))a)-' test'-(SELECT * FROM (SELECT(SLEEP(20)))b)-' ? Thanks :)
  17. Yes but rights are limited as well:

    osboxes@osboxes:~$ ls -l /proc/self/environ
    -r-------- 1 osboxes osboxes 0 Jul 31 10:20 /proc/self/environ
  18. Yes, I am under the www-data user and www-data is not in the adm group either, so it is logical that I can't see the apache file. Here are the apache2 rights:

    osboxes@osboxes:/var/log/apache2$ ls -l /var/log/
    drwxr-x--- 2 root adm 4096 Jul 25 09:48 apache2

    So because /var/log/apache2 is not readable by all, the files inside are not either, even if they're marked as chmod 777? Oops, I thought that your module was implemented in metasploit :)
  19. By the way, the same applies to a CSRF-vulnerable page that sends parameters through the POST method.. The exploit (forged malicious URL) becomes much more complicated here..
  20. Yes, it is a vulnerable VM :) 2 points: 1- I can't view /var/log/apache2/error.log

    osboxes@osboxes:/var/log/apache2$ ls -l error.log
    -rw-r----- 1 root adm 18735 Jul 24 10:21 error.log

    Even if I change to chmod 777 error.log, it still can't be displayed.. But I can display /etc/passwd through my LFI with these rights associated:

    osboxes@osboxes:/var/log/apache2$ ls -l /etc/passwd
    -rw-r--r-- 1 root root 1978 Dec 7 2016 /etc/passwd

    So I don't know why I can display error.log.. 2- I can't find your metasploit module

    msf > use multi/http/lfi_scan_include
    [-] Failed to load module: multi/http/lfi_scan_include
    msf > search lfi_scan
    [!] Module database cache not built yet, using slow search
    msf > use multi/http/lfi_scan_include
    [-] Failed to load module: multi/http/lfi_scan_include

    Do I need any particular installation to get it?
  21. What does "server out" mean? The txt file with PHP code stored on the server doesn't execute PHP but displays the PHP code. Only the RFI allows executing PHP code in a txt file. No special entry added in .htaccess apart from "php flag magic quotes gpc". The PHP code in the txt file (in the RFI case) is executed because the txt file is included with the include function in index.php? Is that so?
  22. Hello, I was wondering how my server could execute PHP code through a txt file! Here is the flowgraph: Because when I make a request directly to the server with http://192.168.1.1/echo.txt , it prompts: <?php echo "test"; ?> But with an RFI it works! Do you know why??
  23. Thanks for your answer. What I will retain is that a reflected XSS vulnerability via the POST method can't be exploited (or is harder to exploit) through "the malicious URL forged and sent to a victim" method. (As opposed to the reflected XSS vulnerability via the GET method, exploited by sending a malicious URL to a victim.) Regards,
  24. I see but the site is supposed to be malicious by default (or has been modified by a hacker) Tks :)
  25. Hello, I was wondering how an attacker can exploit a reflected XSS vulnerability detected via the POST method. Indeed, a malicious link can't be crafted and sent to the victim.. Can you shed light on this for me if it is possible? tks :)