[42.zip bomb]

Haha it will crash out my computer for sure if I do an extract !

Futhermore I might understand that there is 16 layers of zip files, each ones containing zip files and so on..

But still don't know how they manage to only have a 42 Kb zip file whereas me who nearly have a 1 Mb zip file that only contains 1 Gb.....

[42.zip bomb]

$ zipinfo 42.zip
Archive:  42.zip
Zip file size: 42838 bytes, number of entries: 16
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 0.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 1.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 2.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 3.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 4.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 5.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 6.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 7.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 8.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib 9.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib a.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib b.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib c.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib d.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib e.zip
-rw-a--     6.3 fat    34902 Bx u099 00-Mar-28 21:40 lib f.zip
16 files, 558432 bytes uncompressed, 40192 bytes compressed:  92.8%

I don't think I can go deeper without any extraction..

[42.zip bomb]

Hello,

I was trying to make a 42.zip bomb which is a :

" A file that is only 42,374 bytes (42KB). When unzipped it becomes 4,503,599,626,321,920 bytes (4.5 Peta Bytes)!!! "

Me I can only achieve a 1Mb zip file that almost contain 1Gb txt file:

$ zip bomb.zip bomb_1G.txt

  adding: bomb_1G.txt (deflated 100%)

$ du -h bomb.zip

948K            bomb.zip

$ zipinfo bomb.zip

Archive:  bomb.zip

Zip file size: 970656 bytes, number of entries: 1

-rw-r--r--  3.0 unx 1000000000 tx defN 18-Jun-21 06:12 bomb_1G.txt

1 file, 1000000000 bytes uncompressed, 970484 bytes compressed:  99.9%

Do you know how I could achieve a better "bomb" with less space ?

Regards

[[burpsuite] Error during extension installation]

Yes it is...

Also I got the free version and each time I restart burp the extension has been removed and I got to install it again...

Have you got a solution for having the extension be remaining on burpsuite even after a restart ?

I would have create a burp project but I can't with the free version...

EDIT: I think I have to run burpsuite as root for installing an extension because the installation is at /usr/bin which requires admin privileges for write anything.

[[burpsuite] Error during extension installation]

Hello,

I am trying install the extension "wsdler" for exploiting web services.

(https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f)

But during the installation in Burp, I got an error :

And the details:

Have you got any clue how to resolve this issue ?

I don't think it is a space allocation problem because the extension don't exceed 1 Mo.. And I really don't know how to deal with a permission problem !

Thanks

EDIT: solved, just need to launch burp along with "root" right

[Block ping sweep but still having server HTTP service reachable]

Hello,

I would like to block ping sweep which permitts determine whether a host is up or not by sending TCP SYN packet.
But if the host has a webserver supposed to be reachable, how can I block TCP SYN packet ?

Regards,

[Windows security updates explanation]

Ah ok, though it was related to any "Microsoft CVE nomenclature".

Indeed, "Microsoft Security Bulletin"

Thanks :)

[Windows security updates explanation]

Ok so for this point above:

This update security that patchs the vulnerability MS16-047 is ID 3149090, and it also patch the vuln MS16-007 (that was originally pactchs with the update security 3121918).

-> So it is recommanded to apply the security update 3149090 to patch both MS16-047 & MS16-007

Is that so ?

[Windows security updates explanation]

Yes but I did not understand " in any chain of superseded updates".

So it can be translate by :

"The security update ID for patching the ms16-047 vulnerability"

[Windows security updates explanation]

Hello,

I was working on Windows vulnerabilities.

By looking at a security bulletin, I did not understand a column.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-047

See:

What does it mean "Updates replaced", and specifically the huge number "3121918" ? (related with the vulnerability name)

Thanks

[[HTTPS] a handshake at each request ?]

But the SSL session ID don't change from the two request (even if Iknow you are talking about TCP session ID):

I even get a warning message because the same session keys seem to be re-used !

But a new handshake is occuring, so why is the same session id and key (symetric primary key ?) generated again to cipher the exchange ?

[[HTTPS] a handshake at each request ?]

Hello,

I am working around the HTTPS protocol.

I made two request with my web browser:

1- request the login page

2-send my credential toward the server

I was inspecting my network mark, but I discover the HTTPS handshake is made each time the client (web browser) is making a web request. As you can see:

Is it a normal behaviour ? Making a new secret primary key each time isn't too weighty ?

I thought only one primary key was created at the outcome of the handshake and then use each time a new web request was made.

Feel free to explain me :)

Thanks

[[Bruteforce] math calculation]

Ok we agree for determining a single word, login or password.

But now the number of possibilities for the combination of credentials login:password, that are between 6 and 8 characters long, is:

P = [(62 ^ 6) + (62 ^ 6) + (62 ^ 8)] x 2 ?

[[Bruteforce] math calculation]

Hello,

I have a doubt on a math calculation regarding bruteforce operation.

If I have to look for credential (login+password) between 6 and 8 characters long, mixing lowercase/uppercase/numeric, the right number of possibilities is:

P = [(26+26+10)6 + (26+26+10)7 + (26+26+10)8] * 2 ?

Thanks :)

[Blind SQL injection]

Ok I should inspect the server side to know why my injection works.

[Blind SQL injection]

Hello,

I am looking toward blind SQL injection recently :)

Indeed, in a login:pwd interface I hit a right mail usermane along with this as a password:

test'-SLEEP(5)#

Then I land in the account interface !! I don't take it at all..

Blind SQLi isn't suppose to guess the password by triyng each letters like:

test'-(SELECT * FROM (SELECT(SLEEP(20)))a)-'

test'-(SELECT * FROM (SELECT(SLEEP(20)))b)-'

?

Thanks :)

[Server execute PHP code through a txt file..]

On 26/07/2017 at 4:30 AM, i8igmac said:

Did you try /proc/self/environ ?

Yes but rights are limited as well:

osboxes@osboxes:~$ ls -l /proc/self/environ
-r-------- 1 osboxes osboxes 0 Jul 31 10:20 /proc/self/environ

[Server execute PHP code through a txt file..]

Yes I am under www-data user and www-data is not in the adm user group as well so it is logical if I can't see apache file.

Here is apache2 right:

osboxes@osboxes:/var/log/apache2$ ls -l /var/log/
drwxr-x--- 2 root              adm    4096 Jul 25 09:48 apache2

So because /var/log/apache2 is not readlable to all, so file inside are not as well even if there pointed as chmod 777 ?

Oops I thought that your module was implemented in metasploit :)

 

[exploit XSS reflected through POST method]

By the way, the same applies to a CSRF vulnerable page that sent parameters through the POST method..

The exploit (forgered malicious URL) become much more complicated here..

[Server execute PHP code through a txt file..]

Yes it is a vulnerable VM :)

2 points :

1- I can't view /var/log/apache2/error.log

osboxes@osboxes:/var/log/apache2$ ls -l error.log
-rw-r----- 1 root adm 18735 Jul 24 10:21 error.log

Even if I change to chmod 777 eorr.log, it still can't be displayed..

But I can display /etc/passwd through my LFI with these right associated:

osboxes@osboxes:/var/log/apache2$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1978 Dec  7  2016 /etc/passwd

So I don't know why I can display error.log..

2-I don't find your metasploit module

msf > use multi/http/lfi_scan_include
[-] Failed to load module: multi/http/lfi_scan_include
msf > search lfi_scan
[!] Module database cache not built yet, using slow search

msf > use multi/http/lfi_scan_include
[-] Failed to load module: multi/http/lfi_scan_include

Do I need any particular installation to get it ?

[Server execute PHP code through a txt file..]

16 hours ago, digininja said:

The reason your server (192.168.1.1) won't execute it is because it doesn't know to pass .txt through the php engine, assign that extension and it will.

It will break your RFI example though as you will server out just the word test rather than the full source.

Whap means "server out" ?

 

15 hours ago, digip said:

PHP normally only executes files with the .php extension. Saving as text, should render the file as text as expected. An RFI attack executes the text as PHP, if the RFI enabled script on the server is not filtering for file type and blanket runs whatever is sent to it, which is not good.

The source code of the site running the vulnerable RFI script is more than likely calling whatever is fed as an include and running it as php. If it doesn't filter for remote files(or even local ones probably if it allows RFI) in theory it should work both as RFI and LFI when pointed at the right file to read in. Viewing the file itself will only run as PHP if the system with PHP on it has a mime type set to run text files as PHP, which depends how the web server is configured. This can be done by adding a few lines in an htaccess file on apache for example and would allow running txt files as executable php.

The txt file with PHP code stored on the server don't execute PHP but display the PHP code

Only the RFI permits execute PHP code in a txt file

No special entry add in .htaccess appart "php flag magic quotes gpc"

13 hours ago, i8igmac said:

The RFI is a vulnerability that exist in a index.php file.

 

the php code in your vulnerable php File is executing the code from your echo.txt file.

 

The vuln.php file is using Include_once(echo.txt)

 

the most common exploit of this technique might be log poisoning. If you can write php code to any log file then you could execute your own php code. with the url inclusion method 

vuln.php?PAGE=../etc/log/FTP_error.log%00

The PHP code in the txt file (in RFI case) is executed because the txt file is include with include function in index.php ? Is that so ?

[Server execute PHP code through a txt file..]

Hello,

I was wondering how could my server execute PHP code through a txt file !

Here is the flowgraph:

Because when I make a request directly on the server with http://192.168.1.1/echo.txt , it prompts:

<?php

echo "test";

?>

But with a RFI it works !

Do you know why ??

[exploit XSS reflected through POST method]

Thanks for your answer.

What I will retain is that Reflected XSS vulnerability via POST method can't be exploited (or harder) throught "the malicious URL forged and sent to a victim" method.

(As opposite from the XSS reflected vulnerability via GET method exploited by sending a milicious URL to a victim.)

Regards,

[exploit XSS reflected through POST method]

I see but the site is supposed to be malicious by default (or has been modified by a hacker)

Tks :)

[exploit XSS reflected through POST method]

Hello,

 

I was wondering how can an attacker exploit an XSS reflected vulnerability detected via POST method.

Indeed, a malicious link can't be crafted and sent to the victim..

Can you shed light on this to me if it possible ?

 

tks :)