Posts posted by pierre
-
$ zipinfo 42.zip
Archive: 42.zip
Zip file size: 42838 bytes, number of entries: 16
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 0.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 1.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 2.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 3.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 4.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 5.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 6.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 7.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 8.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib 9.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib a.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib b.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib c.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib d.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib e.zip
-rw-a-- 6.3 fat 34902 Bx u099 00-Mar-28 21:40 lib f.zip
16 files, 558432 bytes uncompressed, 40192 bytes compressed: 92.8%
I don't think I can go deeper without any extraction..
-
Hello,
I was trying to make a 42.zip bomb, which is:
" A file that is only 42,374 bytes (42KB). When unzipped it becomes 4,503,599,626,321,920 bytes (4.5 Peta Bytes)!!! "
Myself, I can only achieve a 1 MB zip file that contains almost a 1 GB txt file:
$ zip bomb.zip bomb_1G.txt
adding: bomb_1G.txt (deflated 100%)
$ du -h bomb.zip
948K bomb.zip
$ zipinfo bomb.zip
Archive: bomb.zip
Zip file size: 970656 bytes, number of entries: 1
-rw-r--r-- 3.0 unx 1000000000 tx defN 18-Jun-21 06:12 bomb_1G.txt
1 file, 1000000000 bytes uncompressed, 970484 bytes compressed: 99.9%
Do you know how I could achieve a better "bomb" with less space?
Regards
-
Yes it is...
Also I got the free version and each time I restart Burp the extension has been removed and I have to install it again...
Have you got a solution for having the extension remain in Burp Suite even after a restart?
I would have created a Burp project but I can't with the free version...
EDIT: I think I have to run Burp Suite as root to install an extension because the installation is at /usr/bin, which requires admin privileges to write anything.
-
Hello,
I am trying to install the extension "wsdler" for exploiting web services.
(https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f)
But during the installation in Burp, I got an error:
And the details:
Have you got any clue how to resolve this issue?
I don't think it is a space allocation problem because the extension doesn't exceed 1 MB.. And I really don't know how to deal with a permission problem!
Thanks
EDIT: solved, just need to launch Burp with "root" rights
-
Hello,
I would like to block ping sweeps, which permit determining whether a host is up or not by sending TCP SYN packets.
But if the host has a webserver that is supposed to be reachable, how can I block TCP SYN packets?
Regards,
-
Ah ok, I thought it was related to some "Microsoft CVE nomenclature".
Indeed, "Microsoft Security Bulletin"
Thanks :)
-
Ok so for this point above:
The security update that patches the vulnerability MS16-047 is ID 3149090, and it also patches the vuln MS16-007 (that was originally patched by security update 3121918).
-> So it is recommended to apply the security update 3149090 to patch both MS16-047 & MS16-007
Is that so?
-
Yes but I did not understand "in any chain of superseded updates".
So it can be translated as:
"The security update ID for patching the ms16-047 vulnerability"
-
Hello,
I was working on Windows vulnerabilities.
By looking at a security bulletin, I did not understand a column.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-047
See:
What does "Updates replaced" mean, and specifically the huge number "3121918"? (related to the vulnerability name)
Thanks
-
But the SSL session ID doesn't change between the two requests (even if I know you are talking about the TCP session ID):
I even get a warning message because the same session keys seem to be re-used!
But a new handshake is occurring, so why are the same session ID and key (symmetric primary key?) generated again to cipher the exchange?
-
Hello,
I am working around the HTTPS protocol.
I made two requests with my web browser:
1- request the login page
2- send my credentials to the server
I was inspecting my network traffic, but I discovered that the HTTPS handshake is made each time the client (web browser) makes a web request. As you can see:
Is it a normal behaviour? Isn't making a new secret primary key each time too weighty?
I thought only one primary key was created at the outcome of the handshake and then used each time a new web request was made.
Feel free to explain it to me :)
Thanks
-
Ok we agree for determining a single word, login or password.
But now, the number of possibilities for the combination of credentials login:password, each between 6 and 8 characters long, is:
P = [(62 ^ 6) + (62 ^ 7) + (62 ^ 8)] x 2 ?
-
Hello,
I have a doubt on a math calculation regarding bruteforce operation.
If I have to look for credentials (login+password) between 6 and 8 characters long, mixing lowercase/uppercase/numeric, is the right number of possibilities:
P = [(26+26+10)^6 + (26+26+10)^7 + (26+26+10)^8] * 2 ?
Thanks :)
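Worked through here as an added note (not part of the original posts), with the post's own alphabet of 26 + 26 + 10 = 62 symbols and length range, to separate the count for one field from the count for a login and password pair:

$$
N = \sum_{n=6}^{8} 62^{n} = 62^{6} + 62^{7} + 62^{8} \approx 2.22 \times 10^{14}
$$

A login and a password are chosen independently, so every one of the $N$ possible logins can be paired with every one of the $N$ possible passwords:

$$
P = N \times N = N^{2} \approx 4.9 \times 10^{28}
$$

$2N$ would instead count guessing one field and then the other, which assumes each field can be confirmed on its own.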
-
Ok I should inspect the server side to know why my injection works.
-
Hello,
I am looking toward blind SQL injection recently :)
Indeed, in a login:pwd interface I hit a valid mail username along with this as a password:
test'-SLEEP(5)#
Isn't blind SQLi supposed to guess the password by trying each letter like:
test'-(SELECT * FROM (SELECT(SLEEP(20)))a)-'
test'-(SELECT * FROM (SELECT(SLEEP(20)))b)-'
?
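Added here as an illustration, not code from the thread: the login query written the concatenating way the post's behaviour suggests, next to the parameterized form, run against a constructed in-memory SQLite table with the post's password string. SQLite has no SLEEP() and no `#` comment, so the concatenated query errors instead of sleeping; the error is the evidence that the string reached the SQL parser, which is exactly what binding prevents.

```python
import sqlite3

# Constructed stand-in for the login back end: in-memory SQLite, one user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('user@example.com', 'correct-horse')")
    return conn

def login_concatenated(conn, email, password):
    """Vulnerable form: the submitted strings are spliced into the SQL text,
    so quotes, operators and function calls in the password are parsed as SQL."""
    sql = (f"SELECT count(*) FROM users "
           f"WHERE email='{email}' AND password='{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, email, password):
    """Hardened form: placeholders bind the values, so the same string is
    compared as a literal and never reaches the SQL parser."""
    sql = "SELECT count(*) FROM users WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone()[0] > 0

def attempt(login_fn, conn, email, password):
    """Run one login and report what the database did with the input."""
    try:
        return "accepted" if login_fn(conn, email, password) else "rejected"
    except sqlite3.Error as exc:
        # Reaching here means the input was parsed as SQL, not compared as data.
        # On MySQL, which the post's SLEEP() implies, the same concatenated
        # text is evaluated rather than rejected.
        return f"sql error: {exc}"

PAYLOAD = "test'-SLEEP(5)#"  # the password string from the post
```

Running `attempt(login_concatenated, make_db(), "user@example.com", PAYLOAD)` returns an "sql error" string, while the parameterized login simply returns "rejected".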
-
On 26/07/2017 at 4:30 AM, i8igmac said:
Did you try /proc/self/environ?
Yes but rights are limited as well:
osboxes@osboxes:~$ ls -l /proc/self/environ
-r-------- 1 osboxes osboxes 0 Jul 31 10:20 /proc/self/environ
-
Yes I am under the www-data user and www-data is not in the adm user group either, so it is logical that I can't see apache files.
Here are the apache2 rights:
osboxes@osboxes:/var/log/apache2$ ls -l /var/log/
drwxr-x--- 2 root adm 4096 Jul 25 09:48 apache2
So because /var/log/apache2 is not readable to all, the files inside are not either, even if they are set as chmod 777?
-
Oops I thought that your module was implemented in metasploit :)
-
By the way, the same applies to a CSRF vulnerable page that sends parameters through the POST method..
The exploit (forged malicious URL) becomes much more complicated here..
-
Yes it is a vulnerable VM :)
2 points:
1- I can't view /var/log/apache2/error.log
osboxes@osboxes:/var/log/apache2$ ls -l error.log
-rw-r----- 1 root adm 18735 Jul 24 10:21 error.log
Even if I change error.log to chmod 777, it still can't be displayed..
But I can display /etc/passwd through my LFI with these rights associated:
osboxes@osboxes:/var/log/apache2$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1978 Dec 7 2016 /etc/passwd
So I don't know why I can display error.log..
2- I don't find your metasploit module
msf > use multi/http/lfi_scan_include
[-] Failed to load module: multi/http/lfi_scan_include
msf > search lfi_scan
[!] Module database cache not built yet, using slow search
msf > use multi/http/lfi_scan_include
[-] Failed to load module: multi/http/lfi_scan_include
Do I need any particular installation to get it?
-
16 hours ago, digininja said:
The reason your server (192.168.1.1) won't execute it is because it doesn't know to pass .txt through the php engine, assign that extension and it will.
It will break your RFI example though as you will server out just the word test rather than the full source.
What does "server out" mean?
15 hours ago, digip said:
PHP normally only executes files with the .php extension. Saving as text should render the file as text as expected. An RFI attack executes the text as PHP, if the RFI enabled script on the server is not filtering for file type and blanket runs whatever is sent to it, which is not good.
The source code of the site running the vulnerable RFI script is more than likely calling whatever is fed as an include and running it as php. If it doesn't filter for remote files (or even local ones probably if it allows RFI), in theory it should work both as RFI and LFI when pointed at the right file to read in. Viewing the file itself will only run as PHP if the system with PHP on it has a mime type set to run text files as PHP, which depends on how the web server is configured. This can be done by adding a few lines in an htaccess file on apache for example and would allow running txt files as executable php.
The txt file with PHP code stored on the server doesn't execute PHP but displays the PHP code
Only the RFI permits executing PHP code in a txt file
No special entry added in .htaccess apart from "php flag magic quotes gpc"
13 hours ago, i8igmac said:
The RFI is a vulnerability that exists in an index.php file.
The php code in your vulnerable php file is executing the code from your echo.txt file.
The vuln.php file is using Include_once(echo.txt)
The most common exploit of this technique might be log poisoning. If you can write php code to any log file then you could execute your own php code with the url inclusion method
vuln.php?PAGE=../etc/log/FTP_error.log%00
The PHP code in the txt file (in the RFI case) is executed because the txt file is included with the include function in index.php? Is that so?
-
Hello,
I was wondering how my server could execute PHP code through a txt file!
Here is the flowgraph:
Because when I make a request directly on the server with http://192.168.1.1/echo.txt, it prompts:
<?php
echo "test";
?>
But with an RFI it works!
Do you know why??
-
Thanks for your answer.
What I will retain is that a reflected XSS vulnerability via the POST method can't be exploited (or is harder to exploit) through the "malicious URL forged and sent to a victim" method.
(As opposed to the reflected XSS vulnerability via the GET method, exploited by sending a malicious URL to a victim.)
Regards,
-
I see, but the site is supposed to be malicious by default (or has been modified by a hacker)
Tks :)
-
Hello,
I was wondering how an attacker can exploit a reflected XSS vulnerability detected via the POST method.
Indeed, a malicious link can't be crafted and sent to the victim..
Can you shed light on this for me if possible?
tks :)
42.zip bomb
in Security
Posted · Edited by pierre
Haha it will crash my computer for sure if I do an extract!
Furthermore I might understand that there are 16 layers of zip files, each one containing zip files and so on..
But I still don't know how they manage to have only a 42 KB zip file, whereas I have a nearly 1 MB zip file that only contains 1 GB.....
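Added here as an example, not code from the thread or from the 42.zip author, serving both the 42.zip listing earlier on this page and this post: a check that walks a nested archive's central directories in memory and refuses it once the declared uncompressed total or the nesting depth passes a limit. A small constructed nested zip (made-up entry names, 'A' bytes as the leaf) stands in for 42.zip.

```python
import io
import zipfile

def build_nested_zip(fan_out, depth, leaf_size):
    """Constructed stand-in for 42.zip: `depth` layers of zips, each layer
    holding `fan_out` copies of the layer below, ending in a text leaf."""
    data = b"A" * leaf_size  # highly compressible, like the 1 GB txt in the post
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            ext = "txt" if level == 0 else "zip"
            for i in range(fan_out):
                zf.writestr(f"lib_{i}.{ext}", data)  # entry names are made up
        data = buf.getvalue()
    return data

def declared_expansion(blob, max_depth=8, max_total=1 << 30):
    """Walk nested zips in memory without writing anything to disk.

    Returns (sum of declared uncompressed sizes, deepest nesting level) and
    raises ValueError as soon as either limit is crossed, so an upload
    handler can reject the archive before extracting a single byte."""
    total, deepest = 0, 0
    stack = [(blob, 1)]
    while stack:
        data, level = stack.pop()
        if level > max_depth:
            raise ValueError(f"nesting deeper than {max_depth} levels")
        deepest = max(deepest, level)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # file_size is the central-directory claim: what the entry
                # says it expands to, counted before any data is inflated.
                total += info.file_size
                if total > max_total:
                    raise ValueError(f"declared size exceeds {max_total} bytes")
                if info.filename.lower().endswith(".zip"):
                    # An inner zip is inflated only after its own size was
                    # counted, so memory use stays bounded by max_total.
                    stack.append((zf.read(info), level + 1))
    return total, deepest

def compression_ratio(blob):
    """Declared uncompressed bytes per stored byte, summed over all layers."""
    total, _ = declared_expansion(blob)
    return total / len(blob)
```

With `build_nested_zip(3, 2, 1 << 20)` the archive is around 10 KB on disk yet declares a little over 9 MiB across its two layers, and lowering `max_total` or `max_depth` makes `declared_expansion` refuse it before any inner zip is inflated.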